From isn at c4i.org Tue Nov 1 01:06:35 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 1 01:15:09 2005
Subject: [ISN] Postcard From SGS 2005: Wargaming Science
Message-ID:

http://www.gamasutra.com/features/20051031/carless_01.shtml

By Simon Carless
Gamasutra
October 31, 2005

In the first half of a dual-speaker keynote on the first day of the Serious Games Summit in Washington, DC, Dr. Peter Perla, the Director for Interactive Research at the U.S. Government-funded Center for Naval Analyses, and a veteran wargaming expert with over 30 years of hobby and professional experience, kicked off the conference with his look at the concept of "wargaming science."

Perla, whom noted author and game designer Larry Bond has called "the leading wargaming expert in the United States," is the author of the important reference tome The Art of Wargaming, published by the Naval Institute Press.

Perla started his lecture by noting that a colleague at the Naval War College, though a noted eccentric who suggested that the Department of Defense pursue research into using pigeon brains as the basis of robotic control systems, had challenged Perla to write a Vol. 2 to his book, called The Science of Wargaming. This brought up an important point for Perla, as he recalled his internal response to this request: "Wargaming isn't a science - it's an art, it's a craft, but it's not a science."

However, his colleague's response was that much of what a physician does could be considered an art, but it obviously also references science in a major way - would you trust any doctor who didn't have a good grasp of science? This made Perla think seriously about the scientific elements of wargames, and try to map out some scientific concepts that would apply to "serious games" of any type.
Wargaming - An Overview

Firstly, Perla took a broad overview to define wargaming, arguing that a traditional definition, "Any type of warfare modeling, including exercises, campaign analysis, computer simulation without players," is not necessarily the best. He proffered an alternative definition, broader still: "A warfare model or simulation that does not involve the operations of actual forces, in which the flow of events affects and is affected by decisions made during the course of those events by players representing the opposing sides." The important point, it was argued, is that "We create a synthetic universe in which our players have to live," however that occurs.

So, when trying to get scientific with wargaming, what parameters can we possibly define to help us do this? Perla laid out what he described as the essential "wargame dimensions," as follows: time, space, forces, effects, information, and command. In this case, he explained, forces means both military force and forces in a broader sense, including friction and momentum.

That's the abstract, but getting to understand how it acts is equally important, and Perla referenced a book named Understanding Information Warfare, which proposed a construct that defined 3 domains of real war - physical, informational, and cognitory. In this model, the physical domain feeds information, which goes through human perception into the cognitory - filtered into people's thoughts. Perla explained, quite simply, that "science defines, constructs, and proves connections between the game and reality," and the measure of a game's realism is how well the relationships within the player's algorithms map to the real domains.

The Four Wise Men

Next, Perla segued into important influences on any scientific model, whom he referred to as "our four wise men."
These included Prussian general Carl von Clausewitz, author of the seminal tome Vom Kriege ("On War"), published in 1832, whom the speaker referred to both as "the most influential military philosopher in the West" and as "our mandatory dead philosopher," as well as Booz-Allen and Hamilton researcher Mark Herman, who has been extremely influential in proposing the entropy-based warfare model. Perla also cited Martin Van Creveld's work on command and uncertainty and Paul Vebber's research into network effects as being extremely important to any model.

Perla went on to discuss the conceptual keys to real-life operational warfare, key to an understanding of what should be modeled. These include friction of various kinds (destruction, disruption, and chance), entropy (the inherent energy that's unavailable for carrying out the mission, and increasingly important), and the circumstances in which entropy leads to uncertainty, which military command systems exist to overcome. In addition, what needs to be carefully monitored is the way that command counters friction/direction - essentially, it was suggested, in war, success is often a relatively better control of entropy. Perla urged: "As game designers, our task is to find a way to represent this."

Needless to say, with a near-infinite number of possible outcomes to any action, this isn't easy, but Perla suggested ways in which simulations could create a system of interlinked topologies - information, operational, and command topologies. As for realism in wargames, Perla has a simple answer: "The true measure of realism of a game is the degree of agreement between how the players relate to the game's universe through the game system's topologies and how real combatants relate to the domains of real war." In other words, it's whether players identify clearly with the problems and can relate them to real life in a practical manner, rather than any other glitz factor, that makes the most sense.
Conclusion

In concluding, Perla tried to frame his debate in broader ways that would help all people trying to make "serious games" of any kind. Going back to first principles, he pointed out that anyone wanting to make such a game should identify the basic scientific principles behind the concept, and then identify the philosophers who have thought most widely and deeply in that field. Only then, after asking what basic concepts your game must represent and how you can make them tangible in your game universe, can you go ahead and use your artistic skills to make the game.

In the end, Perla argued, better science will make for better art, ending on a slide pastiching Alton Brown's factual and science-infused Food Network show, and urging the audience to consider "Good Games" in the same way as "Good Eats."

Copyright © 2004 CMP Media Inc. All rights reserved.


From isn at c4i.org Tue Nov 1 01:06:51 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 1 01:15:45 2005
Subject: [ISN] Bluetooth scanning goes mainstream
Message-ID:

http://www.tomsnetworking.com/Sections-article145.php

Humphrey Cheung
10/31/05

In the last week, Network Chemistry and Airmagnet both released free Windows utilities that scan for Bluetooth devices. Several years ago, NetStumbler, a free 802.11 wireless scanning utility, ushered in the "wardriving" era. With the release of these easy-to-use utilities, are we now on the verge of a "BlueDriving" age?

I interviewed Andrew Lockhart, BlueScanner's author and lead security analyst for Network Chemistry, to find out how he made the program and if we should worry about Bluetooth vulnerabilities.

Lockhart was hired three months ago by Network Chemistry as their lead security analyst. In addition to writing BlueScanner, he has written a white paper on Bluetooth vulnerabilities and was the author of the O'Reilly book "Network Security Hacks".
He told us that BlueScanner wasn't that hard to write, with the program coded from scratch in C++ and most of the Bluetooth scanning handled by Microsoft's Bluetooth API and drivers. He told us that Bluetooth functionality is already there in Windows, adding, "We just provide the interface to make it more friendly."

Bluetooth scanning is nothing new, as Linux scanners have been available for a few years. Earlier in the year, TomsNetworking brought you a two-part series on how to build a "BlueSniper" long-range Bluetooth gun. But this is the first time that someone has written a "NetStumbler-like" program for finding Bluetooth devices with Windows-based systems.

BlueScanner easily finds Bluetooth devices that have been placed in "discoverable" mode and displays the device name, physical address, device type (such as cellphone or computer) and available services. Unlike NetStumbler, BlueScanner does not have GPS tracking, but you can type in the location that you are scanning from. For example, if you were using BlueScanner to search for devices in a multiple-story building, you would start at the first floor and type in a location of "First Floor".

In initial testing of BlueScanner, Lockhart found Bluetooth devices in places that he expected and some that he didn't, saying, "I initially didn't expect to find many devices. Sure there were many in the airports, where you have a lot of business people, but I didn't expect them to be in restaurants. I also found large amounts in just random places."

Lockhart even used BlueScanner at the Defcon computer security convention in Las Vegas and found quite a few devices. While you could assume that Defcon attendees would not have vulnerable Bluetooth devices, Lockhart says, "I found quite a few phones that would appear to be vulnerable and some people didn't bother to rename the model number."
I played with BlueScanner in the TG Publishing office and also in the press room of Blizzcon, Blizzard's recent gaming convention focusing on World of Warcraft. In our office, BlueScanner immediately found several devices including my Blackberry and another editor's T610 phone. Surprisingly, it also picked up a hands-free Bluetooth headset in a BMW car parked about 75 feet away. I didn't expect a Bluetooth signal to go that far and penetrate several walls. At Blizzcon, BlueScanner found six devices in thirty seconds.

So why release such a program to the public? Back in the NetStumbler days there were some people who believed the Wi-Fi-scanning program could help hackers break into their computers. Lockhart isn't concerned about ill-intentioned people using BlueScanner, saying, "We are only here to increase awareness and the nefarious people already knew about this stuff way way long ago." He also told us that he wants people to realize just how many devices are in the environment.

Lockhart also said that he has found many Bluetooth devices in conference rooms and around the office. He has even sent messages to people's phones telling them that their Bluetooth is on. Some people were shocked and Lockhart adds, "They didn't know where this message was coming from. The phone beeps and they pull it out and see something on the screen."

What's next for Lockhart? He is pretty tight-lipped about future improvements of BlueScanner, but he has been playing around with a $17,000 Bluetooth sniffer that can pull raw Bluetooth data from the air. While the price tag may seem high, Lockhart told us that he has seen the sniffers sell for as low as $1600 on Ebay. With the sniffer, he has discovered that a popular brand of phone / PDA syncs via Bluetooth in clear text. Lockhart told us the model, but said, "Please don't tell anyone because I want to call the company first."

So is it time to start worrying about Bluetooth?
"The normal person doesn't have to worry much, but it could be a concern for high-profile people," says Lockhart. He explained that it might be possible to monitor a person by tracking their phone, but the average person is probably OK if they keep the phone in non-discoverable mode. Lockhart summed it up simply by saying, "If you carry sensitive data, you may want to check if you have Bluetooth in discoverable mode and if you don't need Bluetooth, just turn it off. Just use common sense."

-=-

Related Links

Network Chemistry's BlueScanner
http://www.bluescanner.org/

Airmagnet's BlueSweep
http://www.airmagnet.com/products/bluesweep.htm

Building Your Own Bluesniper Rifle
Part 1: http://www.tomsnetworking.com/Sections-article106-page1.php
Part 2: http://www.tomsnetworking.com/Sections-article135.php


From isn at c4i.org Tue Nov 1 01:07:04 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 1 01:16:13 2005
Subject: [ISN] Foreign Office satellite phone goes AWOL
Message-ID:

http://www.vnunet.com/vnunet/news/2145185/foreign-office-500-bill-stolen

Robert Jaques
vnunet.com
31 Oct 2005

The Foreign Office has been saddled with a £500,000 telephone bill after a satellite phone belonging to a British diplomat was stolen in Baghdad, according to UK press reports.

The phone may have been used to make calls from Yemen and Saudi Arabia, with some potentially relating to terrorist activity. Reports suggest that UK intelligence agents are believed to be working through the dialled numbers in an attempt to trace the recipients.

It is thought that the phone was sent from the UK to a senior diplomat in Baghdad two years ago via a courier, but that it never reached its destination and was not reported as missing. An investigation was initiated only when the Foreign Office became suspicious about calling behaviour.

Foreign Secretary Jack Straw was reported to be "furious" and has ordered an inquiry into how such a security blunder could have occurred in such a volatile region.
But those less keen to criticise government inefficiency are pointing out one clear upside: the phone's billing record could be a veritable Who's Who of terrorists.


From isn at c4i.org Tue Nov 1 01:07:51 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 1 01:16:42 2005
Subject: [ISN] Web Banking Undergoing Security Upgrade
Message-ID:

Forwarded from: *Hobbit*

If the consumer's machine is already compromised by successful phishing, how does checking a source IP address or requiring a token help in the slightest? The transaction is still at risk and the details are still leaking out. A transaction relayed through the compromised machine is still going to originate from the same network space. This is nuts.

The only way to deal with this, aside from the human problem, is to begin with a platform that doesn't provide such a rich environment for worms and spyware to reside.

_H*


From isn at c4i.org Tue Nov 1 01:08:17 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 1 01:17:12 2005
Subject: [ISN] Linux Security Week - October 31st 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  October 31st, 2005                           Volume 6, Number 45n  |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin D. Thomas      ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Keychain: Openssh Key Management," "Two Factor Authentication Systems," and "Putting Patch Management in Perspective."

---

## EnGarde Secure Linux 3.0 - Download Now! ##

* Linux 2.6 kernel featuring SELinux Mandatory Access Control
* Guardian Digital Secure Network features free access to all system and security updates (to be available shortly through an updated release)
* Support for new hardware, including 64-bit AMD architecture
* Web-based management of all functions, including the ability to build a complete web presence with FTP, DNS, HTTP, SMTP and more.
* Apache v2.0, BIND v9.3, MySQL v5.0 (beta)
* Completely new WebTool, featuring easier navigation and greater ability to manage the complete system
* Integrated firewall with ability to manage individual firewall rules, control port forwarding, and creation of IP blacklists
* Built-in UPS configuration provides ability to manage an entire network of battery-backup devices
* RSS feed provides ability to display current news and immediate access to system and security updates
* Real-time access to system and service log information

LEARN MORE:
http://www.guardiandigital.com/products/software/community/esl.html

---

LINUX ADVISORY WATCH

This week, advisories were released for mozilla, module-assistant, eric, sudo, libgda2, imlib, koffice, net-snmp, lynx, RTF, Netpbm, cURL, Zope, phpMyAdmin, ethereal, pam, and fetchmail. The distributors include Debian, Gentoo, and Red Hat.

http://www.linuxsecurity.com/content/view/120679/150/

---

Hacks From Pax: SELinux And Access Decisions

Hi, and welcome to the second in my series of articles on Security Enhanced Linux. My previous article detailed the background of SELinux and explained what makes SELinux such a revolutionary advance in systems security. This week, we'll be discussing how SELinux security contexts work and how policy decisions are made by SELinux. SELinux systems can differ based on their security policy, so for the purposes of this article's examples I'll be using an EnGarde Secure Linux 3.0 system, which by default uses a tightly configured policy that confines every included application.
http://www.linuxsecurity.com/content/view/120622/49/

---

Hacks From Pax: PHP Web Application Security
By: Pax Dickinson

Today on Hacks From Pax we'll be discussing PHP web application security. PHP is a great language for rapidly developing web applications, and is very friendly to beginning programmers, but some of its design can make it difficult to write web apps that are properly secure. We'll discuss some of the main security "gotchas" when developing PHP web applications, from proper user input sanitization to avoiding SQL injection vulnerabilities.

http://www.linuxsecurity.com/content/view/120043/49/

---

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* Keychain - Openssh Key Management
27th, October, 2005

Ever since networking came out, one important issue, to a varying extent over time, has been how to give legitimate users the right access - authentication, which is one of the three basic elements in security: authentication, authorization and access control.

http://www.linuxsecurity.com/content/view/120675

* Security Book Contest
27th, October, 2005

We are giving away the following titles: Rootkits: Subverting the Windows Kernel, Real Digital Forensics, Cryptography in the Database, Extrusion Detection, Secure Coding in C and C++, Data Protection and Information Lifecycle Management.

http://www.linuxsecurity.com/content/view/120669

* Help's A Firewall Away
24th, October, 2005

Flash back to December 2002. Barely in his 20s, self-taught network engineer and help-desk staffer Joel Bomgaars is frustrated because firewalls prevent him from accessing the PCs of users needing help. At his cubicle at systems integrator Business Communications Inc., he has an epiphany: Instead of accessing the user's computer, have the user request help by going to a Web site.
That would clear the firewall hurdles, because firewalls only block incoming messages. The idea worked, and Bomgaars was able to connect with a user within 10 seconds.

http://www.linuxsecurity.com/content/view/120644

* Two Factor Authentication Systems?
27th, October, 2005

I've been given a project to undertake that involves setting our internal network systems up to have two factor authentication. I need suggestions to take in front of our CIO that show how the security model works, cost vs benefit/features, and the different options. At this point, the name brand is RSA and I'm pressed to find any others even though I've done some looking around.

http://www.linuxsecurity.com/content/view/120674

* VOIP may be vulnerable to barrage of threats
25th, October, 2005

Is enterprise VoIP (voice over IP) due for a security wakeup call or are the threats mostly exaggerated? It depends on who's talking.

http://www.linuxsecurity.com/content/view/120650

* Hotrod Your Linksys WAP with Linux
26th, October, 2005

A lot of Linux geeks are master scroungers, because Linux is so adaptable that old AMDs, classic Pentiums and even 386es and 486es can be put to use in some way. It's a shame to throw away old equipment when it can be repurposed as networking devices like firewalls, authentication servers and routers. But as fun as it is to recycle, I'll wager I'm not the only one who has gazed upon shiny new devices like the Linksys WRT54G and sighed "Wouldn't that be a great device for my network! It is small, cheap, and uses little power."

http://www.linuxsecurity.com/content/view/120663

* OSSEC HIDS v0.4 available - log analysis, rootkit detection and integrity checking
27th, October, 2005

Version 0.4 of the OSSEC HIDS is now available. OSSEC HIDS is an open source host-based intrusion detection software. It performs log analysis, integrity checking, rootkit detection and health monitoring.
http://www.linuxsecurity.com/content/view/120670

* Gartner event focuses on security
24th, October, 2005

With many keeping one eye on Hurricane Wilma churning off the coast, 6,000 IT executives last week heard Gartner analysts offer their vision on everything from security trends to wireless network directions. The Gartner Symposium and IT Expo 2005 also brought out 190 vendors and included keynote presentations from Microsoft CEO Steve Ballmer, HP CEO Mark Hurd and Dell CEO Michael Dell.

http://www.linuxsecurity.com/content/view/120643

* Putting Patch Management in Perspective
25th, October, 2005

Whether scanning and patching "vulnerable" systems, or urgently reacting to a vendor's patch release, many organizations have become more and more reactive when it comes to dealing with electronic security.

http://www.linuxsecurity.com/content/view/120651

* Check List For Linux Security
27th, October, 2005

Linux is an amazing operating system considering how it was originally created. It was a modest program written for one person as a hobby - Linus Torvalds of Finland. It has grown into a full-fledged 32-bit operating system. It is solid, stable and provides support for an incredible number of applications. It has very powerful capabilities and runs very fast and rarely crashes.

http://www.linuxsecurity.com/content/view/120673

* Are open source databases more secure?
28th, October, 2005

If a recent Evans Data Corp. survey is any indication, IT administrators are increasingly worried about security holes in mainstream database products and are looking at open source alternatives. But John Andrews, president of the Santa Cruz, Calif.-based research firm, said that doesn't mean open source is necessarily better.

http://www.linuxsecurity.com/content/view/120682

* Advanced Linux LDAP authentication
28th, October, 2005

In an earlier look at LDAP, we set up a simple LDAP-based authentication system.
We configured client machines to retrieve authentication information from a server running OpenLDAP. Now let's go further by enabling encryption and looking at how to make user modifications through LDAP.

http://www.linuxsecurity.com/content/view/120683

* The Story of Snort: Past, Present and Future
25th, October, 2005

Last week we met with Martin Roesch, the creator of Snort, the de facto standard for intrusion detection/prevention. Presented here is the entire story of Snort in his words, covering seven years of development that made this tool one of the most important security software titles ever developed.

http://www.linuxsecurity.com/content/view/120656

* Skype Buffer Overflow Vulnerability
25th, October, 2005

It looks like Skype can be made to execute arbitrary code through a buffer overflow when the software is called upon to handle malformed URLs of the form callto:// and skype://.

http://www.linuxsecurity.com/content/view/120657

* The Story of Snort: Past, Present and Future
25th, October, 2005

Martin Roesch, the creator of Snort, the de facto standard for intrusion detection/prevention, presents the story of Snort, covering seven years of development that made this tool one of the most important security software titles ever developed. In this audio session you'll get all the details on how Snort was initially conceived as well as how it is expected to develop further now after Check Point

http://www.linuxsecurity.com/content/view/120647

* Nessus fork emerges
26th, October, 2005

With news settling in that the makers of the network vulnerability scanner Nessus will not open source the next version of the software, the team behind the soon-to-be-renamed GNessUs project is growing fast and attracting attention.
http://www.linuxsecurity.com/content/view/120665

* FAQ: Identity fraud uncovered
24th, October, 2005

Doing a thorough job means thinking about concepts like hard drive wiping, file system encryption and phishing detection - not everyday fare for many of us. To help you protect yourself from identity fraudsters, CNET News.com has compiled the following list of frequently asked questions and their answers.

http://www.linuxsecurity.com/content/view/120642

* The hacker as terrorist?
24th, October, 2005

If Congress approves the controversial anti-terror bill that Pres. Gloria Macapagal Arroyo is eagerly pushing to become a law, hacking or cracking would soon be considered an act of terrorism.

http://www.linuxsecurity.com/content/view/120645

* VoIP Security Alliance Delivers VoIP Security Framework
25th, October, 2005

The Voice over IP Security Alliance (VOIPSA) today released the first comprehensive description of security and threats in the field of VoIP. The results, known as the VoIP Security Threat Taxonomy, provide the industry with a clear view of VoIP threats, the vulnerabilities and a context for balancing trade-offs.

http://www.linuxsecurity.com/content/view/120646

* Inside hackers' kindergarten
25th, October, 2005

A rash of website defacements demonstrates that hackers can enter corporate, government and education websites at will, according to cyber-security expert Ken Low.

http://www.linuxsecurity.com/content/view/120649

* Sweating In the Hot Zone
26th, October, 2005

Imagine what life would be like if your product were never finished, if your work were never done, if your market shifted 30 times a day. The computer-virus hunters at Symantec don't have to imagine.

http://www.linuxsecurity.com/content/view/120664

* Are You Ready To Be Hacked?
26th, October, 2005

"The Air Force and the Pentagon are extremely attractive targets and so the publicity acts as a draw for hackers," said Frost & Sullivan industry analyst for network security Rob Ayoub.
"As far as a lot of smaller companies go, there's always a risk but they have a reasonable amount of security through obscurity."

http://www.linuxsecurity.com/content/view/120662

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


From isn at c4i.org Tue Nov 1 01:05:52 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 1 01:17:29 2005
Subject: [ISN] Evasion bug bites virus shields
Message-ID:

http://news.com.com/Evasion+bug+bites+virus+shields/2100-1002_3-5924738.html

By Joris Evers
Staff Writer, CNET News.com
October 31, 2005

A flaw in several virus scanners could let a malicious file evade detection, a security researcher has warned. But some in the industry dispute that it's a bug.

By adding some data to a file, an attacker could trick virus scanners into letting a malicious executable file pass through, security researcher Andrey Bayora wrote in an advisory [1]. The problem lies in the scanning engine, which won't detect files that have the extra data. Bayora refers to that extra data as the "Magic Byte."

The problem affects numerous antivirus products, including software from Trend Micro, McAfee, Computer Associates and Kaspersky Lab, according to Bayora, who works as a computer security consultant in Israel. His advisory also lists several products that are not affected, including software from Symantec, F-Secure and BitDefender.

"This is one of the most significant antivirus vulnerabilities of recent times as it affects the majority of scanner software," Bayora wrote in an article on his Web site that details the issue [2].

Bayora originally disclosed details of the flaw on Oct. 24. Since then, it has been the subject of lively discussions on the popular Full Disclosure mailing list.
The issue is further evidence that researchers are increasingly looking for holes in security products [3]. Protective technology is commonly installed on PCs, servers, network gateways and mobile devices. As security software becomes more widespread, it becomes a more attractive target to cybercriminals [4], experts have said.

But in this case, what Bayora calls out as a vulnerability in virus scanning engines, some in the industry see as inherent to the signature-based protection of antivirus software.

"It's not a real security vulnerability, as this is the way antivirus scanners work: If someone creates a new malware, the antivirus industry will create a new signature for it," said Andreas Marx, an antivirus software expert at the University of Magdeburg in Germany. "This way always leaves a detection and protection gap."

The signatures in antivirus software are like a dictionary of known viruses. The virus-scanning process looks for matches against that dictionary. If a new threat is found, a signature is added.

Bayora actually created a variant of a virus, said Ken Williams, a representative of Computer Associates. "Modifying a virus to the point where it is no longer detectable does not qualify as a vulnerability. Most viruses are modified in this way over time on a regular basis, and CA treats this as a new virus variant," he said in a statement.

But Kaspersky and Trend Micro do see the Magic Byte issue as a software flaw and are offering updates to fix it. "A patch for affected products is currently being tested and should be available within a week," Kaspersky said in a notice on its Web site.

Trend Micro has addressed the "potential vulnerability" in the latest version of its virus pattern files, a representative said in an e-mailed statement. According to Trend Micro, the problem in its product is limited to one specific type of potential virus file that typically would be blocked in most enterprise e-mail systems and would need to be executed manually.
Bayora, in a posting to a security mailing list, identified that file type as a batch, or .bat, file.

McAfee did not respond to requests seeking comment for this story.

[1] http://www.securityelf.org/magicbyteadv.html
[2] http://www.securityelf.org/magicbyte.html
[3] http://news.com.com/Antivirus+insecurity+at+Black+Hat+confab/2100-7355_3-5805750.html
[4] http://news.com.com/Security+tools+face+increased+attack/2100-1002_3-5754773.html


From isn at c4i.org Tue Nov 1 01:06:19 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 1 01:17:47 2005
Subject: [ISN] Seeing No Evil
Message-ID:

http://www.cio.com/archive/110105/evil.html

By Matt Villano
November 1, 2005
CIO Magazine

In a mock courthouse earlier this year, the smack of a gavel opened a case for the ages. Behind one bench, the defendants: Internet service providers, on trial for not providing adequate security to their customers. Behind the other bench, the plaintiffs: fictional companies ravaged by distributed denial of service (DDoS) attacks. The jury: hundreds of IT security professionals, packed into a conference room at the Gartner IT Security Summit to watch it all unfold.

The plaintiffs argued that ISPs could do much more to improve security by scanning subscriber computers, monitoring traffic and shutting down suspicious network uses. The defendants claimed that performing such scans would violate user privacy and that it would be impossible to distinguish malicious traffic from legitimate e-mails. Accusations flew. The plaintiffs equated ISP intransigence to that of a homeowner whose property is dangerous but who doesn't buy a fence to keep others out. In response, the defendants said people should stay away from dangerous property; that safety is a responsibility that falls squarely on the individual.
Next, in a rhetorical ploy, defense lawyers asked jurors if any of them would be willing to stay at a hotel that offered Internet access in exchange for the right to scan all computers for security vulnerabilities. Not one member of the audience raised a hand. Around and around the two sides went, attacking each other like packs of wolves. The interchange got so heated at times that people almost forgot it was fake. Someday soon, however, this scenario could be real. As security threats such as DDoS attacks, identity theft and phishing continue to plague the Internet, ISPs find themselves under increasing pressure from business and consumers to eradicate risks before they get to the end users. Because ISPs control the pipes through which information is delivered, many customers, including CIOs, insist that service providers must play a more active role in securing the traffic that they deliver. "Right now, all ISPs provide is entry to the Internet, period," says Stephen Warren, CIO of the Federal Trade Commission. "Believe me, it's in their best interests to get all the crap off their lines." As Warren implies, the time for action is now. If water utilities can be required by state and local governments to deliver water that is clean and acceptable to drink, why can't ISPs be required to deliver data that is safe and threat-free? Such requirements would hold ISPs accountable for cleaning up their networks and force them to monitor traffic as it passes through their pipes for maliciousness of all kinds. Regulating ISPs in this way also would relieve at least some of the security burden from CIOs, freeing up more time, money and resources for other areas. But so far, those types of government regulations and industrywide policies governing ISP security do not yet exist. 
In part, that's because ISPs came of age in the Wild West ethos of the Internet, and providers generally have been unwilling to spend the extra money and resources to secure the middle of the information pipe for all of their users. In addition, many ISPs think that if they become security cops or anything more than traffic carriers, they will be legally liable in the event of security breaches. They are also concerned about censorship issues and blocking legitimate e-mails that look like spam.

How valid are these concerns? Should ISP security be regulated much like utilities (and to a lesser extent, the airlines) are now? Are industrywide policies governing security even feasible? These were among the questions that jurors considered as they deliberated over a verdict at the Gartner mock trial. CIOs struggling to secure their own networks must stand among those who consider these questions and look for answers. After all, what's at stake is the viability of the Internet as a medium for commerce, communication and business connectivity into the 21st century and beyond.

"Security is something that everybody is accountable for, everybody including the ISPs," says Michael Vatis, an attorney at Steptoe & Johnson, a law firm in New York. "There has to be a better way to approach this than how we're doing it today."

The Wild Wild West

Much of the ISP industry's unregulated growth can be traced to the Telecommunications Act of 1996, the first major overhaul of telecommunications law in 62 years. The goal of the law was to create a free-market economy in which any single communications company could compete in any marketplace. According to Jonathan Zittrain, cofounder of Harvard Law School's Berkman Center for Internet and Society, the law and subsequent other FCC rulings opened the way for outfits promising to provide Internet service. All one needed to become an ISP was some cash, a few servers, the bandwidth to host real estate and a marketing plan to bring in customers.
David McClure, president and CEO of the U.S. Internet Industry Association, estimates the number of ISPs today to be more than 400. As ISPs grew helter-skelter, there was very little effort to standardize security on any level. The only real attempt came in 2003, when Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing (Can-Spam) Act, which established requirements for sending commercial e-mail, spelled out penalties for spammers and companies whose products are advertised in spam, and gave consumers the right to ask spammers to cease and desist. The law has been less than successful so far.

Ask any CIO about what keeps her up at night and the general answer is security. Since 2003, the number of security threats has skyrocketed, with the typical suspects being viruses, spam, phishing scams and spyware. The new kid on the block, the DDoS attack, complicates matters even more. In this scenario, hackers use computer worms to take over vulnerable computers on corporate networks around the world. Then they tie the compromised computers together, typically controlling them through an Internet relay chat (IRC) server; the resulting network of machines is called a botnet. Unified as one, the rogues (or zombies, as they're sometimes called) set their sights on one particular corporate Web server, and simultaneously bombard it with data requests until the burden brings it down. These networks are responsible for 50 percent to 80 percent of all spam and denial of service traffic, according to various estimates.

Even among CIOs who spend millions on security, actions to prevent these threats breed nervousness. How do you know your firewall is equipped with the latest intrusion prevention signatures? How do you stop other threats such as viruses and spam? Most important, how do you protect yourself against spyware programs that infect vulnerable endpoints and turn them into zombie computers that launch DDoS attacks upon command?

Just when CIOs think they've got everything under control, the hackers outsmart them and devise new ways to compromise a network's security. "We are constantly bombarded," says Dewitt Latimer, deputy CIO at Notre Dame University, where the challenges of an inherently open academic network have him constantly on edge. "I find myself wishing that ISPs would help us out a little bit, if for no other reason than to eliminate a fraction of the security problems we worry about on a day-to-day basis." Latimer adds that he assumes anything that is not on a private network is insecure.

But what if some of these issues were resolved before traffic ever arrived at the network door? Since all external traffic must, at some point, be transported over the Internet, many CIOs say there's no better way to secure it than by securing the pipes themselves. Because ISPs serve as the conduit for all traffic into and out of a network, CIOs say these providers should be scanning subscriber computers for viruses, monitoring traffic for active hack attacks, and shutting down suspected network users immediately to protect the safety and sanctity of the connection for everyone else.

Why ISPs Are So Hands-Off

Richi Jennings, an analyst with Ferris Research in San Francisco, says that many ISPs wash their hands of these issues because such security measures are neither cost-effective nor conducive to revenue generation. For ISPs to be successful, they need volume, and resources spent on filtering malware or scanning subscriber computers ultimately affect the bottom line, Jennings says. A perfect example of this philosophy is the ISP help desk. File a spam complaint with an ISP and Jennings notes it can be days before you receive a response, if you receive one at all. In most cases, he says, the response is automated.
Sure, the ISP could be filing complaints away and pursuing them at a later time, but Jennings says that despite recently publicized lawsuits in which ISPs sued spammers for violating the Can-Spam Act and older state laws, most violations fly under the radar, even after they're reported. "Rather than expend resources to try and stop all of these threats, most ISPs are taking the opposite approach and doing nothing," Jennings says. "It's just not a priority." Kevin Dickey, deputy CIO and CISO for Contra Costa County, Calif., recently experienced this firsthand. After an attempted DDoS attack on the county network, Dickey asked his ISP for incident reporting logs. Though many ISPs keep these logs, Dickey's did not. So it was very difficult for him to identify and fix the hole the hackers had used to launch the attack (eventually he did patch it). Dickey declines to name the ISP because he says he's generally happy with it, but admits that the entire experience shocked him into realizing that security wasn't as much of a priority for the ISP as he had been led to believe. Lawyers wonder if one reason ISPs shy away from security is a legal one. According to Benjamin Wright, a Dallas attorney who participated in the mock trial and specializes in Internet law, ISPs don't want to guarantee security because that could conceivably put them at risk for a negligence or invasion of privacy lawsuit. Wright alleges that scanning subscriber computers could violate privacy laws even after the packet leaves the desktop. Also, what happens if an ISP conducts a scan and blocks 100 threats but misses one? Zittrain says that if ISPs start taking responsibility for more than just carrying traffic, they could be making themselves legally liable. No lawsuits have been filed for this kind of negligence so far, but Zittrain says that an ISP knowingly permitting a zombie computer to remain on its network, which then wreaks havoc, could find itself sued. 
However, he doubts ISPs can be held legally accountable unless they have promised to protect their customers completely. "That's precisely why they're not promising complete protection," Zittrain says. Scanning isn't the only legal quagmire. Even if ISPs could scan all incoming e-mail, it's nearly impossible for them to distinguish between, for example, a computer being used in a DDoS attack and legitimate Internet traffic such as the Weatherbug, which automatically checks National Weather Service servers every five minutes for regional weather updates. And just as ISPs can get themselves into hot water for blocking legitimate e-mail from a network, Zittrain says, they also can cause trouble when they are overzealous in monitoring legitimate e-mail going out of a network. "If a customer is sending out 25 messages a day and suddenly blasts 500, that's a red light that maybe they have a spam zombie in place," says Don Blumenthal, Internet Lab Coordinator at the FTC. "Of course it also might be that the customer has just become [Parent-Teacher Association] president and is using his work computer to send out some personal e-mails. You just never know." Down the road, perhaps the biggest security challenge could come from the increased use of encryption. For instance, Vista, the new Microsoft operating system that is expected to debut next year, streamlines point-to-point encryption across the Internet. As a result, ISPs and security vendors alike may have trouble determining which e-mail packets are legitimate and which are malicious, possibly giving hackers unmitigated opportunities to wreak havoc everywhere. The ISPs say it's not as if they don't care about security. But because they operate in a free-market economy, the decision to provide security is one each provider makes individually. 
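Blumenthal's 25-to-500 "red light" above is a detection heuristic, and the PTA-president case is its false positive. Here it is worked through in code as an added example; it is not part of the article and not any ISP's or the FTC's system. It runs over constructed per-customer daily counts and assumes the ISP's flow records distinguish mail the customer submitted through the ISP's own relay from connections the customer made directly to port 25 (SMTP) on outside hosts. A spike of submissions through the relay is flagged for review, not cut off, because volume alone cannot tell a zombie from a legitimate bulk mailing; a new burst of direct port 25 connections to outside mail servers is treated as a probable spam zombie.

```python
"""Outbound-mail anomaly detection at an ISP. Added example with constructed
data; not part of the article and not any ISP's system."""
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class DayStats:
    customer: str
    day: str             # ISO date, so string comparison orders days correctly
    via_relay: int       # messages the customer submitted through the ISP's own mail server
    direct_port25: int   # connections from the customer straight to port 25 (SMTP) on outside hosts

# Constructed history: a quiet week for three customers, then one day to classify.
HISTORY = [
    # cust-a: home user whose PC suddenly starts talking directly to outside mail servers
    *[DayStats("cust-a", f"2005-10-2{d}", 20 + d, 0) for d in range(1, 8)],
    DayStats("cust-a", "2005-10-28", 22, 500),
    # cust-b: the same size of spike, but through the ISP relay (Blumenthal's PTA president?)
    *[DayStats("cust-b", f"2005-10-2{d}", 25, 0) for d in range(1, 8)],
    DayStats("cust-b", "2005-10-28", 500, 0),
    # cust-c: business running its own mail server, always direct to port 25, steady volume
    *[DayStats("cust-c", f"2005-10-2{d}", 0, 300 + 10 * d) for d in range(1, 8)],
    DayStats("cust-c", "2005-10-28", 0, 360),
]

SPIKE_FACTOR = 5     # today's count must exceed 5x the customer's own median
MIN_ABSOLUTE = 100   # and an absolute floor, so 2 -> 12 messages is not a spike

def baseline(prior, field: str) -> float:
    """Median of a field over the customer's prior days (0 if no history)."""
    values = [getattr(s, field) for s in prior]
    return median(values) if values else 0

def is_spike(today: int, base: float) -> bool:
    return today > max(SPIKE_FACTOR * base, MIN_ABSOLUTE)

def classify(history, today: DayStats) -> str:
    """Return 'quarantine', 'review' or 'ok' for one customer-day."""
    prior = [s for s in history if s.customer == today.customer and s.day < today.day]
    relay_spike = is_spike(today.via_relay, baseline(prior, "via_relay"))
    direct_spike = is_spike(today.direct_port25, baseline(prior, "direct_port25"))
    if direct_spike:
        # New direct-to-MX behaviour is the classic spam-zombie pattern:
        # block port 25 for this customer and notify, pending cleanup.
        return "quarantine"
    if relay_spike:
        # Volume alone cannot separate a zombie from a legitimate bulk mailing,
        # so a human (or the relay's content filter) looks before anyone is cut off.
        return "review"
    return "ok"

def run(history=HISTORY, day: str = "2005-10-28") -> dict:
    """Classify every customer for one day."""
    return {s.customer: classify(history, s) for s in history if s.day == day}

if __name__ == "__main__":
    for customer, verdict in run().items():
        print(customer, verdict)
```

The baseline is per customer, which is the whole point of Blumenthal's example: 500 messages is normal for a business that runs its own mail server and alarming for a home user who sends 25. It also presupposes that the ISP keeps per-customer flow records at all, which, as Dickey's experience above shows, is not a given.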
America Online, Comcast, EarthLink and SBC - the four largest ISPs by number of subscribers, according to a June 2005 market report from JupiterResearch - all provide users with some rudimentary security services in the form of standard e-mail filtering and antispyware protection. EarthLink, SBC and some other ISPs also attempt to prevent virus and worm outbreaks by blocking traffic through Port 25, the server port used for simple mail transfer protocol, or SMTP, transmissions. (For more on how this works, read "The First Line of Defense". [1]) Many other ISPs provide additional security to specific corporate customers at extra cost. And then there are those ISPs that don't bother with security at all. ISP executives say a more standardized approach to security would be cost-prohibitive - and it might not be what their business customers want anyway. "When you're dealing with security, there's simply too much at stake for us to offer a one-size-fits-all solution that works for everybody," says Stan Barber, vice president of engineering operations for Verio, an ISP and a subsidiary of NTT Communications. "What's important for one company might not be important for another, and we need features that can scale." You don't need to be a mathematician to see that this patchwork coverage puts everyone at risk. With bits and bytes traveling from one ISP's network to another, who's to say that a security threat stopped by one ISP filter won't escape another network that doesn't filter or does it inadequately? Gregg Mastoras, senior security analyst for North America with the network security solutions provider Sophos, says that once a threat gets past one ISP, it essentially has gotten past them all. Mastoras adds that since information on the Internet knows no borders, everyone is at risk. If the security that ISPs currently offer is really as good as they say it is, this wouldn't be a problem. 
Yet one just needs to look at the news today to know that corporations are getting hit hard by all manner of malfeasant code. The problem, says Mastoras, is that nothing exists to standardize security across the ISP industry, making everyone in the industry susceptible to the lowest common denominator.

How to Protect Yourself in the OK Corral

ISPs may not be able to get away with this free-market approach for long, if only because pressure from government, industry and consumer groups is growing. This May, the FTC said it would soon ask ISPs to make sure that their customers' computers haven't been hijacked by spammers with plans to create botnets. Though ISPs are not required to comply, the FTC suggested that service providers should identify computers on their networks that are sending out large amounts of e-mail and quarantine them if they are found to be zombies. One final recommendation from the FTC: Internet providers should route all customer e-mail through their own servers (as opposed to allowing individual users to route e-mails through their own servers).

ISP executives are optimistic that the industry can regulate itself. Dave Jevans, chairman of the Anti-Phishing Working Group, says a number of ISPs have already banded together to discuss security best practices. If the industry can't improve security on its own, there's always the possibility of regulating it through state or federal legislation, but that's something that most in the ISP industry firmly oppose. Howard Schmidt, president and CEO of R&H Security Consulting and a former official with the Department of Homeland Security, agrees that legislation is not the answer, saying that most ISPs would simply pass the cost of compliance along to users in the form of increased monthly and annual fees.

For Schmidt, there is another way. He suggests that government facilitate change simply by wielding its own purchasing power.
If, for instance, government agencies offered ISPs a 10 percent premium to provide reliable security services across the board, Schmidt believes the agencies could get ISPs to comply in exchange for the extra cash. This change, in turn, could have a trickle-down effect that improves the situation for business customers and CIOs alike.

"With the government being a large purchaser of IT services, they have the ability to say, 'Here's what I'm willing to pay for,' and actually pay for it," Schmidt says. "Having controls built in as part of government projects gives you the side benefit of making it happen for private companies."

In the meantime, the SANS Institute, a private security education organization, is planning to evaluate ISPs on the way they handle security and release an ISP Security Report Card this month. Alan Paller, director of research for SANS, says this card will outline the steps CIOs can take to seek a greater level of security from their ISPs. (For more on this, see "ISP Essentials," this page.)

In addition, Jennings, the Ferris Research analyst, says CIOs should combine whatever basic protections their ISPs offer with a customized security infrastructure comprising hardware and software for a multilayered approach that incorporates two or three antivirus engines (at the perimeter and on the desktop machines), a firewall, intrusion prevention software and any other functions that specifically suit an organization's needs.

One area in which Paller says CIOs can advocate for better security from ISPs is through their service-level agreements, or SLAs. Traditionally, these performance contracts with the ISPs loosely have covered issues such as uptime and maintenance or support. However, Paller suggests that CIOs should consider at least trying to get their ISPs to agree to incorporate security metrics such as virus scanning, DDoS monitoring and incident reporting, as well. SLA clauses, however, are no panacea.
Bob Paarlberg, CIO at Royster-Clark, an agri-business company, says that putting security into an SLA will do nothing but lull CIOs into complacency, not exactly a state that engenders secure networks. "Our SLA is that we don't sign a long-term agreement," Paarlberg quips. "If you do a good job for us this month, you earn the business from us next month. That's it."

Ultimately, Paarlberg contends, the best way to get ISPs to tackle security is to force them to bake-in additional security by law. Just look at what happened in the airline industry. Years ago, scanning passengers for security threats was the responsibility of individual airports. The result, of course, changed our nation forever: Terrorists took advantage of the weak points in the system, and successfully orchestrated the attacks of Sept. 11, 2001. In the aftermath, the federal government created the Transportation Security Administration to set policy for securing air travel nationwide. Today, whether you're traveling from Baltimore, Md., or Billings, Mont., you and everyone else on your flight are screened the same way, and by and large, the system is a lot safer than it was before.

"At the end of the day, ISPs need to be held accountable for more of these violations," Paarlberg says. "If they're going to continue to bring threats to our doorsteps, something must be done."

-=-

Matt Villano is a freelance writer and editor based in Half Moon Bay, Calif. Send your comments to Executive Editor Alison Bass at abass@cio.com.

[1] http://www.cio.com/archive/110105/evil_sidebar.html

From isn at c4i.org Wed Nov 2 10:14:47 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 2 10:22:31 2005
Subject: [ISN] U.S. mulls new digital-signature standard
Message-ID:
http://news.zdnet.com/2100-1009_22-5924982.html

By Anne Broache and Declan McCullagh
CNET News.com
Published on ZDNet News
November 1, 2005

GAITHERSBURG, Md.
-- A team of Chinese scientists shocked the data security world this year by announcing a flaw in a widely used technique used to create and verify digital signatures in e-mail and on the Web. Now the U.S. government is trying to figure out what to do about it.

The decade-old algorithm, called the Secure Hash Algorithm, or SHA-1, is an official federal standard and is embedded in every modern Web browser and operating system. Any change will be expensive and time-consuming--and a poor choice by the government would mean that the successor standard may not survive another 10 years.

"We're going to have to make a decision fairly soon about where to push people," said John Kelsey of the National Institute of Standards and Technology (NIST), which convened a workshop here on the topic Monday. Even though NIST is only technically responsible for government standards-setting, Kelsey noted, "we're likely to get a lot of other people to head in that direction as well."

The findings by the researchers at China's Shandong University, which they described in an interview with CNET News.com in March, are still of more theoretical than practical interest. But as computing speed accelerates, their discovery eventually will make it easier for intruders to insert undetectable back doors into computer code or to forge an electronic signature--unless a different, more secure "hash" algorithm is adopted.

NIST is weighing two broad options: selecting a newer variant of SHA-1 believed to be more secure, or undertaking the much longer process of soliciting public suggestions for an entirely new algorithm that can be used for digital signatures. (The agency followed the second path before deciding on the Rijndael algorithm, used for data encryption rather than signatures.) Complicating the decision-making process is a belief among computer scientists that even the newer algorithms related to SHA-1 may suffer from similar flaws.
Variants on SHA-1--originally devised by the National Security Agency--exist and are growing in popularity. NIST has announced a set of algorithms known generally as SHA-2 (sometimes called SHA-256, SHA-384, or SHA-512), but they haven't been subject to as much public scrutiny as SHA-1, which makes some researchers nervous. Orr Dunkelman, a doctoral student at Technion University in Israel, said "I have a strong suspicion that in the next five years, SHA-256 might be considered broken."

Last year, flaws also were reported in MD5, a similar algorithm widely used on the Internet. SHA-1 yields a 160-bit output, which is longer than MD5's 128-bit output and is considered more secure.

NIST's hash-bash

To computer scientists, the SHA and MD5 algorithms are known as hash functions. They take all kinds of input, from an e-mail message to an operating-system kernel, and generate what's supposed to be a unique fingerprint. Changing even one letter in the input file should result in a completely different fingerprint.

Security applications rely on these fingerprints being unique. But if a malicious attacker could generate the same fingerprint with a different input stream, the cloned fingerprint--known as a hash collision--would certify that software with a back door is safe to download and execute. That would help a crook who wanted to falsely sign an e-mail instructing that someone's bank account be emptied. Or a digitally signed contract could, in theory, be altered but appear valid.

There's no need to panic, said Steven Bellovin, a professor of computer science at Columbia University, who described the flaws in SHA-1 as still theoretical. But "even if we decide that SHA-1 is good enough for today, someday we are going to have to deploy new hash functions," Bellovin said. Complicating that deployment is the dizzying scope of the upgrade project.
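The fingerprint property and the migration problem described above, as an added example that is not part of the article and not NIST's, Microsoft's or any vendor's code. It measures how many digest bits flip when one byte of the input changes, and shows a verifier that accepts more than one hash algorithm with a sunset date for the old one (the 2010 target is NIST's, from the article; picking 31 December 2010 as the exact cut-off is an assumption), so it can keep talking to older peers while preferring the stronger algorithm. Note what the verifier actually compares: only the digest. Any second input with the same digest would pass, which is exactly what a collision buys an attacker; the example does not manufacture one, it shows why a verifier has to be ready to change algorithms.

```python
"""Hash fingerprints and algorithm agility. Added example; not code from
NIST, Microsoft or any product the article mentions."""
import hashlib
import hmac
from datetime import date
from typing import Optional

# Accepted algorithms and the last day each is accepted (None = no sunset).
# The 2010 target is from the article; choosing 31 Dec 2010 is an assumption.
POLICY = {
    "sha256": None,
    "sha1": date(2010, 12, 31),
}
PREFERENCE = ["sha256", "sha1"]   # strongest first

def fingerprint(data: bytes, alg: str = "sha256") -> str:
    """Hex digest of data under the named algorithm."""
    return hashlib.new(alg, data).hexdigest()

def bits_changed(data_a: bytes, data_b: bytes, alg: str) -> int:
    """Hamming distance between the two digests: how many fingerprint bits flip.
    For a good hash this is about half the digest length (about 80 of 160 for SHA-1)."""
    a = int(fingerprint(data_a, alg), 16)
    b = int(fingerprint(data_b, alg), 16)
    return bin(a ^ b).count("1")

def allowed(alg: str, today: date) -> bool:
    """True if policy still accepts alg on the given day."""
    if alg not in POLICY:
        return False
    sunset = POLICY[alg]
    return sunset is None or today <= sunset

def verify(data: bytes, alg: str, expected_hex: str, today: date) -> bool:
    """Check a published fingerprint. Only the digest is compared, so any second
    input with the same digest (a collision) would pass: that is how a collision
    lets a back-doored file pass as the signed one."""
    if not allowed(alg, today):
        return False
    return hmac.compare_digest(fingerprint(data, alg), expected_hex)

def negotiate(peer_supports, today: date) -> Optional[str]:
    """'Switch-hit': pick the strongest algorithm both sides support and policy allows."""
    for alg in PREFERENCE:
        if alg in peer_supports and allowed(alg, today):
            return alg
    return None

if __name__ == "__main__":
    original = b"constructed kernel image v1"
    tampered = b"constructed kernel image v2"
    for alg in PREFERENCE:
        print(alg, "bits flipped by a one-byte change:", bits_changed(original, tampered, alg))
    fp = fingerprint(original, "sha1")
    print("sha1 accepted in 2005:", verify(original, "sha1", fp, date(2005, 11, 2)))
    print("sha1 accepted in 2011:", verify(original, "sha1", fp, date(2011, 1, 1)))
    print("old peer negotiates:", negotiate({"sha1"}, date(2005, 11, 2)))
```

The policy table is the part that usually gets forgotten: without a sunset, "support the old algorithm for old peers" quietly becomes "accept the old algorithm forever", and an attacker who can forge under SHA-1 simply asks for SHA-1.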
Hundreds of protocols including TLS/SSL (used by Web browsers), SSH (used for remote logins) and IPsec (used in virtual private networks, or VPNs) eventually would have to be reworked to support the new standard. Then Internet users would have to be convinced to upgrade.

"You cannot deploy a new algorithm of any sort all over the place all at once," Bellovin said. "The Internet is far too large." He said that newer applications based on NIST's successor algorithm should be able to "switch-hit" and support the older algorithms when talking to older computers.

Although the U.S. government and most companies may gradually switch from SHA-1--including PGP Corp., which sells desktop encryption software--it won't be practical to abandon it anytime soon, said Niels Ferguson, a cryptographer who works for Microsoft. "You have to be able to read old files and talk to people who haven't updated their PCs in seven years," he said.

NIST has announced plans to ditch SHA-1 by 2010. But it is still far from making a decision. "We really have no strong preconceptions at this point about what we want to do," said Bill Burr, manager of NIST's computer security division.

From isn at c4i.org Wed Nov 2 10:15:09 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 2 10:22:54 2005
Subject: [ISN] Rise of the data security tsar
Message-ID:
http://www.computerweekly.com/Home/Articles/2005/11/01/212664/Riseofthedatasecuritytsar.htm

By Helen Beckett
1 November 2005

When an issue becomes so grave that it threatens the national way of life, a "tsar" is ushered in by the prime minister to fix it. Something similar is happening in the corporate world, where security bouncers are being appointed to ensure the company infrastructure is protected from internal and external attack. The chief information security officer (CISO) goes under a variety of titles, but they are the person who carries the can for keeping businesses secure and the regulators happy.
They are more common in the US, where growing pressure to comply with corporate governance legislation such as Sarbanes-Oxley has spawned a new population of CISOs. However, the UK is fast following suit and the progress of the forthcoming Companies Bill will produce a fresh population of security chiefs. "Everyone is very concerned that customer files and corporate accounting information is protected and that someone is accountable," says Brian Collins, professor of information systems at Cranfield University. "The UK is treating data ownership more seriously, and security is becoming part of a risk management and data ownership strategy." The Companies Bill may be the stimulus for reviewing how accounting data is treated. But strategies for managing security have been evolving since the days when firewalls were seen as the ultimate panacea. The role has certainly grown beyond the scope of an individual, or even a team, whose purpose is to outwit external attacks over IP networks. Company directors are waking up to the fact that exposing customer data to a security breach will not just harm the brand; it could put them out of business. Public services organisations are just getting a handle on the implications of the Freedom of Information Act - when to keep information and when to dispose of it. And a further challenge is the increasing number of internal security breaches at UK organisations, according to the Department of Trade & Industry's 2004 Security Survey. According to analyst firm Gartner, the bodies of technical expertise set up in the 1990s to protect internet users are no longer the appropriate stewards of security. "By 1996, everything you wanted to have done on a firewall had been done," says Gartner research vice-president Jay Heiser. "We are done with that. Security expertise is becoming a lot more tactical and is part of broader business risk." 
According to Gartner, the maturation of technology makes it safe to put security into the hands of a high-level risk manager who is the intermediary between the business and IT. It predicts that by 2008, 65% of the Global 2000 companies will employ a CISO to operate a centralised security programme.

"There is an arms race of security technology going on today. Companies need [the CISO] to make educated choices because each organisation has different needs that call for different approaches," says Paul Proctor, research vice-president at Gartner.

However, others question whether a risk assessor could take on as complex an issue as security as another part of their portfolio. "Personally, I cannot see a business person or a professional manager being able to sort this one out," says David Roberts, chief executive of user group the Corporate IT Forum.

"There is a point at which the focus of security moves from wires and bits and bytes to the words on pieces of paper," says Roberts. "But the bottom line is that in order to assess risk and formulate policy, one must understand the complexities of the technology."

The argument for having a business manager in charge is also flawed because it assumes security technology is mature, says Collins. "There are lots of threats for which the CISO does not have an instant set of tools," he says. "It is an overstatement to say that technology is mature." Technology for totally eliminating spam is not there, for example, nor is there a single tool to monitor the configuring and patching of all devices.

Although there is no consensus about who should be in charge, there is agreement about the need for a change in mindset. The move towards viewing IT security as an intrinsic part of the corporate infrastructure has partly been a response to wider global events. "Y2K prompted people to think about the holistic impact of IT. Also, after 9/11 the concept of the critical national infrastructure started to mature," says Collins.
As a result of this holistic thinking, the emphasis on evaluating risk, as well as being a technical hotshot, is filtering into security roles in all kinds of organisations. At the high-end, Zurich Financial Services has discovered this approach can yield big savings. And the good news for smaller companies is that they do not have to employ someone on an enormous salary to be risk savvy. This is demonstrated by the approach of Brian Shorten, information risk manager at Cancer Research UK, who explains the framework for security provision at the charity. "As with all risk, you look at what the assets are, the threat to them and the cost of something adversely affecting them," he says. Security accounts for between 1% and 2% of Cancer Research UK's IT budget, and the charity always favours pragmatism over technical sophistication purely for the sake of it, says Shorten. "If you need to check the identity of people entering an office area, such as in one of Cancer Research UK's shops, there are several solutions. One is to buy smartcards. The more effective and cheaper alternative would be to install a reception desk and ask everyone to sign in and out," he says. Simon Janes, former Scotland Yard detective and consultant at security specialist Ibas, says the job description for security chiefs needs to get broader. Risk is just one of many aspects of the job that they will need to master, he says. "The job description is wider in scope than IT security. It has to include legal domains and physical security too," he says. He advises the next generation of security chiefs to install procedures for incident handling, to cope with the surge of internal, physical breaches of security that are occurring as storage devices get smaller and more mobile. Managing physical security tends to fall between the IT and human resources departments and could be a weak link. 
"You have to ensure that you comply with the law when you are investigating an incident, otherwise evidence can be thrown out in court," he says. Janes also believes that success in the security realm is more likely if the role is a dedicated one. "The police force knows this and has dedicated teams for handling armed robbery and drugs," he says. Because of the interdependence of different functions, one of the critical tasks of the CISO is to get conversations going across different divisions. The most critical of these is the conversation with the HR department. "One of the roles of the security officer is to educate the HR department about the dangers of IT abuse. The law is out of date and it is not an easy function to get hold of. Defining what employees can and cannot do needs discussion and this is something that IT should lead," says Roberts. Meanwhile, as firms are starting to evaluate risk more closely before spending money on security investments, most of the budget is spent after an incident, according to Collins. "The budget is moving towards spend on the management of incidents. Because of the negative impact on brand value, security breaches can affect capitalisation of market value," he says. Roberts says, "Whoever gets to be security tsar in the new era will have to be a multi-dimensional person. They will need to talk to HR, the business, IT and finance, and certainly the legal team. But if they do not have the underlying understanding that will enable them to spot the vulnerabilities, all the words in the world will not make a difference." Case study: Zurich Financial Services Zurich Financial Services overhauled its security strategy as part of a larger consolidation that saw two datacentres and 20 global chief information officers merge into one operation. The cost of running IT was reduced from ?2bn to about ?1bn. Security had previously consisted of a very small team that was distributed worldwide among the regional IT departments. 
"There were no synergies and no collaboration. It was virtually impossible to agree on anything," says Stefan Vogt, head of IT risk at Zurich Financial Services. Post reorganisation, the firm decided to take an insurance approach to its information security. "Our business is calculating the risk of things going wrong and putting money on that risk," says Vogt. "What is different between that and making sure that a relatively large IT infrastructure is secure? We are a classic IT information shop that has grown into an information risk management business." This means that the configuration of firewalls or provisioning the day-to-day management of secure clients is no longer the day job. Instead, that revolves around reporting on risk and creating policy. There are two components to this - the risk strategy and risk management. The former is akin to the pilot boat. "We are like a small boat ahead of the parent ship, spotting icebergs," says Vogt. The twin priorities for 2005 have been to achieve operational efficiency and raise the awareness of information security. To achieve operational efficiency, it was essential to find a way of reporting risk. This had originally been done through a traffic light system, but a dashboard approach offered the company a more comprehensive way of flagging different risks. The traffic light system works by periodicially assessing risks and giving them either a green, amber or red light, depending on the level of risk. The dashboard approach gives an overall view of operational and security landscapes inside companies and allows proactive monitoring. A key aspect of the new risk management regime was to quantify the risk. "I expressed this in dollars as a figure we could expect to lose if a certain aspect of security were to fail," says Vogt. "People challenged these figures of course, but were usually unable to come up with an alternative. And the figure promoted discussion, which is healthy. 
It is better to have the discussion than the old default of 'let's install another firewall'." From isn at c4i.org Wed Nov 2 10:15:27 2005 From: isn at c4i.org (InfoSec News) Date: Wed Nov 2 10:23:25 2005 Subject: [ISN] Warcraft game maker in spying row Message-ID: http://news.bbc.co.uk/1/hi/technology/4385050.stm By Mark Ward Technology Correspondent BBC News website 31 October 2005 Game maker Blizzard has been accused of spying on the four million players of World of Warcraft. Net activists branded software used to spot cheats "spyware" because it gathers information about the other programs running on players' PCs. In its defence Blizzard said nothing was done with the information gathered by the anti-cheat software. And many players seem happy to have the software running if it cuts the amount of cheating in the game world. Home invasion The watchdog program, called The Warden by Blizzard, has been known about among players for some time. It makes sure that players are not using cheat software which can, for example, automatically play the game and build up a character's qualities. However, knowledge of it crossed to the mainstream thanks to software engineer Greg Hoglund, who disassembled the code of The Warden and watched it in action to get a better idea of what it did. He found that it performed a quick analysis on other programs running on a PC to see if their characteristics match known cheating programs. But Mr Hoglund found that The Warden also scans the text in the title bar of every window belonging to any other program. Writing in his blog about what he found, Mr Hoglund said: "I watched The Warden sniff down the e-mail addresses of people I was communicating with on MSN, the URL of several websites that I had open at the time, and the names of all my running programs." Mr Hoglund noted that the text strings in title bars could easily contain credit card details or social security numbers. 
Digital rights group The Electronic Frontier Foundation (EFF) branded The Warden "spyware" and said its use constituted "a massive invasion of privacy". The EFF said that it was not acceptable simply to take Blizzard's word that it did nothing with the information it gathered. It added that Blizzard could get away with using The Warden because information about it was buried in licence agreements that few people read. Fair play Blizzard took to the forums on the central community site for World of Warcraft to defend itself and correct what it saw as "misinformation" about its actions. It said that The Warden did not gather any personally identifiable information about players, only data about the account being used. It also re-iterated that the only thing done with data gathered was to look for evidence of hack or cheat programs. For their part many gamers seem happy to tolerate The Warden even though they acknowledged that it eroded their privacy to an extent. Jason Justice, speaking on behalf of members of the Low Red Moon guild, said many in its ranks supported the programs used by Blizzard if it kept the cheats out of the game. "The concern most have is that the program has the capability to read text from open programs, potentially compromising the privacy of some sensitive programs." "If someone is afraid of the program reading sensitive information from their programs, one possible solution is simply to not run any additional programs while playing World of Warcraft," he said, "which is certainly advisable from a performance standpoint to begin with." He told the BBC News website: "It is entirely Blizzard's responsibility to protect their intellectual property and the fairness of the game experience, and if they have code sophisticated enough to detect when a cheater is running illegal programs on their computer, they're doing a right good job of it." 
Paul Younger, one of the administrators on WoW community site worldofwar.net, said: "With cheating being a real concern to Blizzard I feel they have few options other than to check what people are running on their machines." "Blizzard have learnt since Diablo II that cheating can seriously hamper the enjoyment of a game," he said. Warcraft players debating the issue on the worldofwar.net forums seemed happy to have The Warden keeping an eye on what they are doing. Many said they trusted Blizzard not to exploit the information being gathered. Some pointed out that it would be hard for Blizzard to gather more useful information than they already have given that most use a credit card to pay the monthly fee to keep playing the game. For those worried by what The Warden does, Mr Hoglund has produced a program called The Governor that reports on what it is watching. From isn at c4i.org Wed Nov 2 10:15:43 2005 From: isn at c4i.org (InfoSec News) Date: Wed Nov 2 10:23:52 2005 Subject: [ISN] SEC halts traders' $7.8M hacking scheme Message-ID: http://money.cnn.com/2005/11/01/markets/scandal_sec_bizwire/ November 1, 2005 NEW YORK (CNN/Money) - The Securities and Exchange Commission charged an Estonian financial services firm and two of its employees with stealing confidential information from Business Wire and walking away with at least $7.8 million in illegal profits. The complaint alleges that the defendants stole confidential information from the Business Wire Web site, a disseminator of news releases and regulatory filings for companies and groups, and traded in advance of more than 360 confidential press releases issued by more than 200 U.S. public companies. The defendants named in the complaint are Oliver Peek, Kristjan Lepik, and the investment bank Lohmus Haavel & Viisemann. Peek is employed by Lohmus and works for its investment services team, Lepik is a partner at the firm. 
According to the complaint, Lohmus became a client of Business Wire to gain access to Business Wire's secure client site. Once the defendants had access, they used a "spider" software program, which provided unauthorized access to confidential information of other Business Wire clients contained in press releases which had yet to be made available to the general public. "No one," Business Wire Chairman and CEO Lorry Lokey said in a statement, "gained access to our news release file prior to distribution to the media and investment community. Some of the SEC statements in its complaint have been misinterpreted." Certain individuals gained access to a screen shot of limited background information, the company acknowledged, but this information did not include the content of news releases. According to the SEC, the defendants used several U.S. brokerage accounts to buy long or sell short the stocks of the companies whose confidential press release information they stole, and also to purchase options to increase their profits before the information had been disseminated by Business Wire. "Our action today demonstrates that we will seek out and stop securities fraud wherever we find it. Whether in an old-fashioned boiler room or, as in this case, in the high-tech environs of the Internet, such conduct will be met with a swift and vigorous enforcement response," Linda Chatman Thomsen, Director of the SEC's Division of Enforcement, said in a statement. "We acted today to stop a clever and pernicious securities fraud and to preserve funds for investors. This case highlights that even when fraudsters invent new ways to violate the securities laws, the Commission will track them down and stop them, wherever they are located," Daniel M. Hawke, Associate District Administrator of the Commission's Philadelphia District Office, said in the statement. The defendants violated Section 10(b) of the Exchange Act, the SEC said. The U.S. 
District Court for the Southern District of New York issued a temporary restraining order to freeze the defendants' assets. From isn at c4i.org Wed Nov 2 10:15:58 2005 From: isn at c4i.org (InfoSec News) Date: Wed Nov 2 10:24:31 2005 Subject: [ISN] If it seems goofy, it probably is Message-ID: http://www.jsonline.com/enter/tvradio/nov05/367404.asp Tim Cuprisin Nov. 1, 2005 Listeners to WXSS-FM (103.7) the last couple of days have been wondering what's going on with a supposed hacking of the Web site for the teen-skewing station better known as Kiss FM. If you went to www.1037kissfm.com on Tuesday, you saw a picture of a piece of paper with the hand-scrawled message reading: "I've got your 10 grand . . . I'll be in contact." Listeners heard stories of $10,000 being held for "ransom" and the supposed suspension of one of the morning gang, Wes McKane. Relax, it's just another wacky radio stunt. "It's called 'The Fugitive,' " explains program director Brian Kelly. "The first listener to find the fugitive will win $10,000." Kiss did a less elaborate version of the contest last year. By late Tuesday afternoon, Kiss deejays were dropping more hints about the competition, although the Web site remained held captive by the "note." And while we're talking stunts, Kiss' sister station, WMYX-FM (99.1), aired a wacky holiday radio stunt last year, broadcasting a bogus spot for a bogus power cooperative claiming that a ban on Christmas lights would feature fines levied "per bulb." The first rule of radio listening is that if you hear something that sounds weird, switch to another radio station. If they're not talking about it, it's likely to be happening only on that first station. Of course, the goal of these wacky radio stunts is to keep you listening. That's also the goal of radio contests. THE RULES FOR WACKINESS: The Federal Communications Commission has pretty loose guidelines about such stunts. 
FCC guidelines deal specifically with "broadcasting false information concerning a crime or a catastrophe," according to guidelines you can find at ftp.fcc.gov/cgb/consumerfacts/falsebroadcast.html. They're allowed, unless the broadcaster knows they're false, it's known before the stunt is aired that it will cause "substantial public harm" and the stunt actually does "directly cause substantial public harm." Interestingly, these rules date back to an incident that occurred 67 years ago this very week, the Oct. 30, 1938, Orson Welles broadcast of a version of H.G. Wells' "War of the Worlds" that was made to sound like a news broadcast. It led to panic from radio listeners who thought Martians had actually invaded. If those folks had just turned to another station, they wouldn't have been quite so scared. [...] From isn at c4i.org Wed Nov 2 10:16:14 2005 From: isn at c4i.org (InfoSec News) Date: Wed Nov 2 10:25:02 2005 Subject: [ISN] Hackers shut down Stanhope website Message-ID: http://www.smh.com.au/news/national/hackers-shut-down-stanhope-website/2005/11/01/1130720534395.html November 1, 2005 Computer hackers have shut down the website ACT Chief Minister Jon Stanhope used to release a draft of the proposed anti-terrorism laws. Police are investigating the incident. Mr Stanhope infuriated Prime Minister John Howard and angered Labor leaders by releasing the initial draft legislation on October 14, breaking Council of Australian Governments' confidentiality. Mr Stanhope said at the time he did so in order to get expert advice on the implications of the bill. When an attempt was made today to access the website, http://www.chiefminister.act.gov.au, the user was redirected to another website, one favoured by computer hackers, with the message: Fatal Error was here ohh yeahh let's go! Mr Stanhope said he did not know who was behind the incident but hoped it was not a deliberate attempt to deny public access to the document. 
"Of course, it's no coincidence that this site has been hacked at this time, but as to who, or why, I don't have a single clue," he said. "I would like to think it was someone acting outrageously rather than a deliberate intent to remove public access to the only copy of the terror bill that is available." Mr Stanhope said the site and the draft terror bill had been accessed by thousands of Australians over the past few weeks. Another attack by the same person today took down the Federal Government's National Program for Sustainable Irrigation website. According to a hacker website, the defacements were done by a hacker known as "Fatal Error", who claimed 26 attacks in the past two months. Fatal Error's past efforts included attacks on the West Australian Government's Seniors Card website and the Caloundra City Council's mapping service site in Queensland. From isn at c4i.org Wed Nov 2 10:13:07 2005 From: isn at c4i.org (InfoSec News) Date: Wed Nov 2 10:25:32 2005 Subject: [ISN] Oracle DB Worm Code Published Message-ID: http://www.eweek.com/article2/0,1895,1880648,00.asp By Ryan Naraine November 1, 2005 An anonymous hacker has released the first public example of an Oracle database worm. The proof-of-concept code was published on the Full-disclosure mailing list [1] with the subject line "Trick or treat Larry," an obvious taunt aimed at Oracle Corp.'s chief executive Larry Ellison. Security experts have already picked apart the code and confirmed that the worm can squirm through Oracle databases with default user accounts and passwords. Alexander Kornbrust, founder and CEO of Red-Database-Security, described the publication of the proof-of-concept as "a serious wake up call" and warned that the code can be easily modified to cause major damage. "This version of the worm is not dangerous but anyone can use this as a framework and inject a more malicious payload," Kornbrust said in an interview with Ziff Davis Internet. 
Kornbrust, renowned for his research work around security in Oracle products, published his own analysis [2] of the worm code and made it clear that the use of default usernames and passwords can leave database administrators as sitting ducks for a malicious attack. He said the worm uses UTL_TCP to send a command to the listener on each IP address in the same net range as the IP the database is on. If a database is found, the worm creates a private database link and tries to connect on that link using known default username/password schemes. "At the moment, it just creates a table in the [remote] database if the attack is successful. But, it can be programmed to do much more than that. It's quite easy to replace this payload with a more dangerous payload," Kornbrust said. He said the code appeared deliberately "incomplete" to serve as a red flag for database admins who neglect to change the default passwords. For an attack to be successful, the worm requires the user to have local access. It is not capable of replicating itself. "This proof-of-concept absolutely works and, in this particular case, Oracle is innocent," Kornbrust said, stressing that customers are responsible for using strong password schemes in database products. "In this environment, it is not acceptable to have databases with default defaults. This worm proves that." "From my experience, most customers still use default passwords. They may have them changed in some databases, but I'd say at least 60 percent of all customers have at least a few databases with default passwords," he added. "If someone combines a Windows worm with an Oracle worm, we'll see a huge attack with enormous damage. The Windows worm can be jumping from one workstation to another workstation worldwide and using an Oracle worm as a payload," Kornbrust said. 
Ted Julian, vice president of Strategy at Application Security, Inc., said the complicated nature of managing multiple databases in a typical enterprise setting creates lucrative opportunities for worm authors. "In a big company, it's safe to assume that 100 percent of admins are running some databases with default usernames and passwords. It's just impossible to keep up with literally thousands of databases," Julian said in an interview. Julian, like Kornbrust, expects to see an Oracle database worm squirming one day. "Eventually, we'll see someone modify the exploits and launch an attack. This proof-of-concept shows that it's getting easier and easier." "What if you put in a payload to create an admin account? What if that account is set up to mail information back to an IRC server about all the databases that are infected. What if that account is just set up to hijack data in an automated fashion? That would be a stealthy way of using an exploit to gather data," Julian added. Or, a more overt attack scenario could see an attacker use a worm to send a query to a vulnerable database and extract all the results. "The sky is the limit in that regard, [it] depends on what kind of payload the attacker uses." In the interim, Kornbrust has a few protection recommendations for enterprise DB administrators:
* Change your default passwords in every database (test/development/education/production)
* Revoke the privilege "CREATE DATABASE LINK" from the (default) CONNECT role (up to Oracle 10g Rel. 1)
* Revoke the public grant from the package utl_tcp if not needed.
* Revoke the public grant from utl_inaddr if not needed.
* Protect your TNS listener with a strong password. On Oracle 10g, always disable local OS authentication and use a strong password instead.
* Change the TNS listener default port from 1521 to a different port.
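The worm described above needs three things in a database it lands on: an account that may create database links, PUBLIC execute on UTL_TCP/UTL_INADDR to find listeners and resolve addresses, and a neighbouring database that still answers to a default username and password. The following SQL*Plus script is an added example written for this digest; it is not code from the article, from Kornbrust's advisory or from Oracle. It first audits those preconditions through the standard data-dictionary views (DBA_SYS_PRIVS, DBA_TAB_PRIVS, DBA_DB_LINKS, DBA_USERS) and then applies the revocations from the list above. It assumes a 10g-era database and a session connected AS SYSDBA; the account names in the last query are an illustrative sample of well-known default accounts, not the full list for any release.

```sql
-- Added example (editor's, not from the article or the advisory).
-- Run as SYSDBA. Review every REVOKE against your own applications first:
-- some legitimately use UTL_TCP or database links.

-- 1. Who can create database links? The worm needs this privilege to reach
--    other databases. Before 10g Release 2 the default CONNECT role has it.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE DATABASE LINK', 'CREATE PUBLIC DATABASE LINK')
 ORDER BY grantee;

-- 2. Can PUBLIC (every account) execute the network packages the worm uses
--    to probe listeners and resolve host names?
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND table_name IN ('UTL_TCP', 'UTL_INADDR')
 ORDER BY table_name;

-- 3. Existing database links. A successful infection leaves a private link
--    behind, so any link you do not recognise deserves a look.
SELECT owner, db_link, username, host, created
  FROM dba_db_links
 ORDER BY created DESC;

-- 4. Well-known accounts that are still OPEN. Illustrative sample only;
--    compare against the complete default-account list for your release.
SELECT username, account_status, created
  FROM dba_users
 WHERE username IN ('SCOTT', 'OUTLN', 'DBSNMP', 'CTXSYS', 'MDSYS',
                    'ORDSYS', 'WMSYS', 'XDB', 'SYSMAN')
   AND account_status = 'OPEN'
 ORDER BY username;

-- Remediation, mirroring the recommendations above.

-- Take CREATE DATABASE LINK away from the CONNECT role (10g R1 and earlier)
-- and grant it directly to the few accounts that really need it.
REVOKE CREATE DATABASE LINK FROM connect;

-- Stop every account from opening raw TCP sockets or resolving hosts.
REVOKE EXECUTE ON utl_tcp    FROM PUBLIC;
REVOKE EXECUTE ON utl_inaddr FROM PUBLIC;

-- Lock and expire a demo account that nothing should log in to.
ALTER USER scott ACCOUNT LOCK PASSWORD EXPIRE;

-- Rotate a default account that must stay open (replace the placeholder).
ALTER USER dbsnmp IDENTIFIED BY "Replace-With-A-Strong-Passphrase-1";
```

The first two REVOKEs protect the database as a launch point (it can no longer scan the subnet or link to its neighbours); the password changes protect it as a target. The listener items in the list are done outside SQL: in listener.ora set LOCAL_OS_AUTHENTICATION_<listener_name> = OFF on 10g and set a listener password with lsnrctl (CHANGE_PASSWORD or SET PASSWORD followed by SAVE_CONFIG), and move the PORT in the listener ADDRESS off 1521. Note that the port change only defeats code hardwired to 1521; a probe that tries other ports finds the listener anyway, so treat it as a speed bump rather than a control.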
-=- [1] http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/038290.html [2] http://www.red-database-security.com/advisory/oracle_worm_voyager.html From isn at c4i.org Wed Nov 2 10:14:30 2005 From: isn at c4i.org (InfoSec News) Date: Wed Nov 2 10:25:58 2005 Subject: [ISN] EUSecWest/London Call for Papers and PacSec/Tokyo announcements Message-ID: Forwarded from: Dragos Ruiu url: http://eusecwest.com url: http://pacsec.jp (PacSec/Tokyo Announcement below...) EUSecWest/core06 CALL FOR PAPERS -------------------------------- London Security Summit February 20/21 2006 LONDON, United Kingdom -- Applied technical security will be the focus of a new annual conference from the organizers of CanSecWest, and PacSec, which is sponsored by the U.K. Ministry of Defence - where the eminent figures in the international security industry will get together with leading European researchers to share best practices and technology. The most significant new discoveries about computer network hack attacks and defenses, commercial security solutions, and pragmatic real world security experience will be presented in central London at the Victoria Park Plaza hotel on February 20 and 21. The EUSecWest meeting provides international researchers a relaxed, comfortable environment to learn from informative tutorials on key developments in security technology, and to collaborate and socialize with their peers in one of the world's hubs of IT activity - downtown London. In addition to the usual one hour tutorials, panel sessions and highly entertaining 5 minute "lightning" talks, this conference will also feature a new session called "Elevator Focus Groups". Featuring several short sessions, these commercial presentations will showcase new, significantly used, or dramatically innovative products in the information security realm. 
Each selected vendor will have a short 10 minute presentation ("elevator pitch"), after which 10 minutes of audience Q&A and interactive discussion amongst the expert security practitioners attending will follow. In this session both the audience and the vendors can get valuable feedback from world leading experts. The attendees can get user evaluations and learn from sharing experiences about real world security applications and the practical uses of the products - the "focus group." Hence the name: Elevator Focus Groups. The EUSecWest conference will also feature the availability of the Security Masters Dojo expert network security sensei instructors, and their advanced, and intermediate, hands-on training courses - featuring small class sizes and practical application exercises to maximize information transfer. We would like to announce the opportunity to submit papers, lightning talk proposals, and elevator focus candidate products for selection by the EUSecWest technical review committee. Please make your proposal submissions before December 1st 2006. Slides for the papers must be submitted by February 1st 2006. Some invited papers have been confirmed, but a limited number of speaking slots are still available. The conference is responsible for travel and accommodations for the speakers. If you have a proposal for a tutorial session then please email a synopsis of the material and your biography, papers and speaking background to core06@eusecwest.com. Only slides will be needed for the February paper deadline, full text does not have to be submitted. The EUSecWest/core06 conference consists of tutorials on technical details about current issues, innovative techniques and best practices in the information security realm. The audiences are a multi-national mix of professionals involved on a daily basis with security work: security product vendors, programmers, security officers, and network administrators. 
We give preference to technical details and new education for a technical audience. The conference itself is a single track series of presentations in a lecture theater environment. The presentations offer speakers the opportunity to showcase on-going research and collaborate with peers while educating and highlighting advancements in security products and techniques. The focus is on innovation, tutorials, and education instead of product pitches. Some commercial content is tolerated, but it needs to be backed up by a technical presenter - either giving a valuable tutorial and best practices instruction or detailing significant new technology in the products. Paper proposals should consist of the following information:
1) Presenter, and geographical location (country of origin/passport) and contact info (e-mail, postal address, phone, fax).
2) Employer and/or affiliations.
3) Brief biography, list of publications and papers.
4) Any significant presentation and educational experience/background.
5) Topic synopsis, Proposed paper title, and a one paragraph description.
6) Reason why this material is innovative or significant or an important tutorial.
7) Optionally, any samples of prepared material or outlines ready.
Please include the plain text version of this information in your email as well as any file, pdf, or html attachments. Please forward the above information to core06@eusecwest.com to be considered for placement on the speaker roster, have your lightning talk scheduled, or submit your product for inclusion in the focus groups. Advance discount registration is now available for EUSecWest at http://eusecwest.com.
===================================================
PacSec/core05 Conference Tokyo November 14-16
-----------------------------------------------------------
We would like to announce the final list of Security Masters Dojo courses that will be offered on the 14th at Aoyama Diamond Hall. 
Seats are available for all courses currently, but course registration is limited to only ten students each. The hands-on courses offered will be:
Sinan 'noir' Eren & Nicolas Waisman - Immunity
  Win32 Reliable Heap Exploitation
Gerardo Richarte - Core Security Technologies
  Assembly for Exploit Writing
Marty Roesch - Sourcefire
  Advanced IDS Deployment and Optimization
Maximillian Dornseif & Thorsten Holtz - Aachen University
  Advanced Honeypot Tactics
Philippe Biondi - EADS
  Mastering the Network with SCAPY
We would also like to announce the final lineup of talks and apologize that the presentation from "sowhat" of the Chinese Xfocus group will be delayed to CanSecWest in April due to travel documentation issues. The final talks for PacSec in two weeks on November 15/16 will be:
Andrea Barisani - Gentoo
  Building a modern LDAP based security framework.
Cedric "Sid" Blancher - EADS
  WiFi traffic injection based attacks
Javier Burroni - CORE SDI
  Using Neural Networks for remote OS identification
Maximillian Dornseif - Laboratory for Dependable Distributed Systems
  Watching hackers hack - attack visualization
van Hauser - thc
  Attacking the IPv6 protocol suite
Adam Jacobs - Oracle
  Commercial Software and How Can We Fix It?
Chris Jordan - Endeavor Security
  Writing Better Intrusion Prevention Signatures
Hiroshi Shinotsuka - Symantec
  Advances in Trojan Threats
Window Snyder - formerly Microsoft
  A new perspective on internal security.
Ilja van Sprundel - Suresec
  Unix Kernel Auditing
Marc Uemura - PWC
  Fault Redundant IPV6 Wireless Firewalls
Yuji Ukai - eeye
  Real-Time OS Based Embedded Systems Using the JTAG Emulator
Christian Wieser - Oulu University Secure Programming Group
  VoIP: SIP robustness and RTP security
Registration:
---------------
Seats are still available for PacSec, and registration is open at: https://pacsec.jp/register.html Security Masters Dojo/Tokyo registration is now open at: https://pacsec.jp/courses.html Contact core05@pacsec.jp for registration support or corporate sponsorship inquiries. -- World Security Pros. Cutting Edge Training, Tools, and Techniques Tokyo, Japan November 14-16 2005 http://pacsec.jp pgpkey http://dragos.com/ kyxpgp From isn at c4i.org Thu Nov 3 09:42:41 2005 From: isn at c4i.org (InfoSec News) Date: Thu Nov 3 09:49:55 2005 Subject: [ISN] Cisco flaw puts Wi-Fi networks at risk Message-ID: http://news.com.com/Cisco+flaw+puts+Wi-Fi+networks+at+risk/2100-7349_3-5929059.html By Joris Evers Staff Writer, CNET News.com November 2, 2005 A security bug in Cisco Systems' wireless LAN controllers could enable an attacker to send malicious traffic to a secured Wi-Fi network. The problem affects large Wi-Fi networks, not the average home installation. It occurs when Cisco 1200, 1131 and 1240 series Wi-Fi access points are controlled by Cisco 2000 and 4400 series Airespace Wireless LAN Controllers, according to a security advisory released Wednesday by the networking equipment maker. Wi-Fi access points are the devices that let people connect to wireless service. Controllers are used by operators of large Wi-Fi networks, which typically include many access points, to centrally control functions such as security policies, intrusion prevention and radio frequency management. The security problem affects only Wi-Fi installations that use the 2000 and 4400 controllers, Cisco said. Access points that do not link to those model systems are not affected, it added. 
The access points, even when configured to handle encrypted network traffic only, may accept unencrypted incoming traffic, according to Cisco. An attacker could exploit the flaw to send malicious traffic to a wireless network that is designed to be secure, the company said. It could also allow unauthorized access. A successful attack would require the attacker to use the hardware address--known as the Media Access Control, or MAC, address--of a device already authenticated to the network, mitigating the risk of an attack. Cisco has a software update available for the WLAN controller to fix the vulnerability. The flaw is rated a "moderate risk" by the French Security Incident Response Team, FrSIRT, a security monitoring and research firm. The news of the Wi-Fi security flaw comes a day after Cisco reported a security issue related to its intrusion prevention system, or IPS, security software. The problem exists because of an error in the configuration file of Cisco's Internetwork Operating System IPS, the company said in an advisory. At risk are installations of the Cisco IPS configured by version 2.1 of the IPS Management Center, Cisco said. The flaw might result in an incomplete analysis of network traffic secured by the Cisco IOS IPS device, which could allow some attacks to go unnoticed, according to Cisco. The flaw is also rated "moderate" risk by FrSIRT. From isn at c4i.org Thu Nov 3 09:44:42 2005 From: isn at c4i.org (InfoSec News) Date: Thu Nov 3 09:50:20 2005 Subject: [ISN] Black Hat Federal and Europe CFP and Registration now open Message-ID: Forwarded from: Jeff Moss Hello Information Security News readers, Things have been busy at Black Hat, and I would like to make some brief announcements about our Call For Papers (CFP), Registration, RSS + Pod casts, and legal battles. BLACK HAT FEDERAL 2006 Trainings and Briefings January 23rd to the 26th Sheraton Crystal City, Washington D.C. - Call For Papers is now open. 
- Registration for the Trainings and Briefings are open. BLACK HAT EUROPE 2006 Trainings and Briefings February 28th to March 3rd Grand Hotel Krasnapolsky, Amsterdam, the Netherlands - Call For Papers is now open. - Registration for the Trainings and Briefings are open. BLACK HAT RSS FEED The RSS feed from Black Hat can be used to keep you up to date with announcements, presentations, and new speech content. Check it out: http://www.blackhat.com/BlackHatRSS.xml BLACK HAT JAPAN 2005 PODCASTS The presentations from the recent Black Hat Japan Briefings are now on-line. We are also experimenting with new ways to share our content with the community, and the first of these is to release some of the audio recordings as "pod casts" in .m4a format through our RSS feed. BLACK PAGE UPDATE Early next week you will see my first written statement regarding the Cisco/ISS incident that occurred at the summer Black Hat in Las Vegas. The issues brought up last summer are important to the entire security community and I invite the community to read and reflect on my thoughts, as well as those of other security experts. http://www.blackhat.com/html/bh-blackpage/bh-blackpage.html IN MORE DETAIL: FEDERAL 2006 CALL FOR PAPERS Black Hat is proud to return to Washington D.C. after its last Briefings in 2003. For 2006 there will be expanded training offerings, focused presentations, and a convenient central location two metro stops from the Pentagon. Black Hat Federal 2006 is a unique show specifically crafted to look at issues important to those charged with protecting critical networks and information from the most sophisticated adversaries. Submissions should be very technical and specific to threats and defenses that surround the challenging security problems facing hosts and networks today. We hope to offer a federal perspective on security issues and new directions to further security trade craft. 
The Federal Government faces different threat models than the corporate community, with adversaries having different motivations, resources, and tools. Submissions should reflect this difference, with suggested topics including the current state of root kits and their detection, network IDS evasion & detection, covert communications, reverse engineering / anti-reverse engineering, defeating biometric systems, and the current state of the exploit development life cycle.
http://blackhat.com/html/bh-federal-06/bh-fed-06-cfp.html

BLACK HAT FEDERAL 2006 REGISTRATION
Black Hat Federal 2006 Briefings and Trainings registration is now open. The Briefings offer two tracks over two days with 22 presentations. There will be 11 Trainings classes, with new offerings such as Saumil Shah's "The Exploit Laboratory - Buffer Overflows For Beginners," and Matt Hargett's "Binary Static Analysis: From the Inside-Out." Class sizes for all trainings are limited to ensure each student receives individual attention. Register early before classes fill up and to receive an early discount.
http://www.blackhat.com/html/bh-registration/bh-registration.html#Fed

EUROPE 2006 CALL FOR PAPERS
The Black Hat Briefings 2006 Europe CFP is open. Submit your cutting edge, vendor neutral security research today. Black Hat Europe '06 takes place February 28th to March 3rd at the Grand Hotel Krasnapolsky, Amsterdam, the Netherlands.
http://blackhat.com/html/bh-europe-06/bh-eu-06-cfp.html

BLACK HAT EUROPE 2006 REGISTRATION OPEN
Black Hat Europe 2006 Briefings and Trainings registration is now open. The Briefings offer two tracks over two days with 25 presentations. There will be 10 Training classes with new offerings and an updated SensePost class "Hacking by Numbers: Combat Edition." Due to limited class size, many of our classes fill up quickly. Register early to ensure training availability and to take advantage of our early bird registration discount.
http://www.blackhat.com/html/bh-registration/bh-registration.html#eu

WHAT IS THE BLACK HAT BRIEFINGS?
The Black Hat Briefings fill the need for computer security professionals to better understand the security risks and potential threats to their information infrastructures and computer systems. Black Hat accomplishes this by assembling a group of vendor-neutral security professionals and having them present candidly about the problems businesses face and their solutions to those problems. No gimmicks - just straight talk by people who make it their business to explore the ever-changing security space.

IMPORTANT DATES
- January 23-26: Federal Briefings 2006 & Training, Sheraton Crystal City, Washington, DC
- February 28-March 3: Europe 2006 Briefings & Training, Grand Hotel Krasnapolsky, Amsterdam, the Netherlands
- July 29-August 3: USA 2006 Briefings & Training, Caesars Palace, Las Vegas

Please visit http://www.blackhat.com/ for more complete information.

Jeff Moss

From isn at c4i.org Thu Nov 3 09:41:49 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Nov 3 09:50:36 2005
Subject: [ISN] Invasion of the Stock Hackers
Message-ID:

http://www.businessweek.com/technology/content/nov2005/tc20051103_565150.htm

By Amy Borrus, with Mike McNamee in Washington, Brian Glow in Atlanta, and Adrienne Carter in Chicago.
BusinessWeek Online
November 3, 2005

Arriving home from a five-week trip to Belgium and India on Aug. 14, a jet-lagged Korukonda L. Murty picked up his mail -- and got the shock of his life. Two monthly statements from online brokerage E*Trade Financial (ET) showed that securities worth $174,000 -- the bulk of his and his wife's savings -- had vanished. During July 13-26, stocks and mutual funds had been sold, and the proceeds wired out of his account in six transactions of nearly $30,000 apiece. Murty, a 64-year-old nuclear engineering professor at North Carolina State University, could only think it was a mistake. He hadn't sold any stock in months.
"I'M SHOCKED." Murty dialed E*Trade the moment its call center opened at 7 a.m. A customer service rep urged him to change his password immediately. Too late. E*Trade says the computer in Murty's Cary (N.C.) home lacked antivirus software and had been infected with code that enabled hackers to grab his user name and password. The cybercriminals, pretending to be Murty, directed E*Trade to liquidate his holdings. Then they had the brokerage wire the proceeds to a phony account in his name at Wells Fargo Bank. The New York-based online broker says the wire instructions appeared to be legit because they contained the security code the company e-mailed to Murty to execute the transaction. But the cyberthieves had gained control of Murty's e-mail, too.

E*Trade recovered some of the money from the Wells Fargo account and returned it to Murty. In October, the Indian-born professor reached what he calls a satisfactory settlement with the firm, which says it did nothing wrong. Still, Murty suffered many sleepless nights. "I'm shocked. We didn't know people could play these kinds of tricks."

TARGET-RICH. Increasingly, they can -- and do. In the latest, most pernicious twist yet on Internet securities fraud, online brokerage accounts are being looted by hackers who exploit the weaknesses of investors' computers rather than the firms' systems. It's a new scam, but it's mushrooming. Six months ago, Securities & Exchange Commission investigators say, such schemes weren't even on their radar screen; now, the agency is knee-deep in them. Alarmed, the SEC and FBI are hot on the trail of the cyberperps, with dozens of investigations in progress. To head off more attacks, the SEC is posting a warning on its Web site with tips on safeguarding online trading accounts. "It's a new and growing area that is more intricate and more complicated than other Internet-related securities frauds," warns John Reed Stark, the SEC's chief of Internet enforcement.
So far, the reported losses from online brokerage accounts are modest: no more than $20 million stolen in the past year. But Web investing is a target-rich environment for thieves: Consumers have $1.7 trillion worth of assets with online brokerages, says TowerGroup, a financial research and consulting firm. "And it is still evolving."

LOOK TO EASTERN EUROPE. As with the Murtys, brokerages often help customers recover their money, or reimburse them for losses. But the hit on the industry could be enormous, especially if hacker attacks drive investors off-line. "The real cost of security lapses is the loss of confidence," says Ravi Ganesan, CEO of TriCipher Inc., a San Mateo (Calif.) developer of authentication systems. That's why brokers are offering customers an array of free or discounted security measures. "If we want our company to continue to be successful, people have got to feel safe and secure when they come here," says E*Trade President R. Jarrett Lilien.

Home PC users are frighteningly vulnerable. The spread of high-speed and wireless connections has made it easier than ever for hackers to barge in. Even so, an October, 2004, survey by America Online and the National Cyber Security Alliance found 84% of computer users keep sensitive personal information, including financial data, on their home PCs.

To hijack brokerage accounts, hackers have raised their game to a new level. These invasions, law enforcers say, involve hacking or phishing to extract customers' information, combined with identity theft and securities fraud in complex scams executed by gangs. "Generally, it's two or three people working together," says an FBI expert. "The usual profile is people with graduate degrees in finance or banking." The FBI, Secret Service, and private security firms believe most online stock thieves are based in Eastern Europe.

ONUS ON CUSTOMERS. Fortunately, some customers spot hacker intrusions before financial disaster strikes.
George Rodriguez, 41, was working from his Waxhaw (N.C.) home at 9:31 a.m. on May 5 when a series of e-mail messages from Ameritrade (AMTD) started flashing across his computer screen. Within minutes his holdings in Home Depot, Ford Motor, Duke Power, and Pfizer were all sold. Some $60,000 worth of blue-chip stocks were drained from an account that Rodriguez had traded actively in the dot-com days but largely ignored since 2001.

What saved Rodriguez: The crooks somehow failed to change the e-mail address for trade confirmations. "If they had done that, or if I had been on vacation, I could have been wiped out," says Rodriguez, a partner at real estate investors Waterstone Capital Advisors in Charlotte, N.C. Ameritrade "said they would cancel the orders 'as a courtesy,'" he says, so he didn't lose any money. Says a spokeswoman for the Omaha broker: "The unfortunate events that happened to [Rodriguez] are an issue that Ameritrade and the financial industry have to deal with."

Still, brokers say customers must protect themselves. Crooks "are sniffing the information from the customers' computers, not getting it from our networks," says David S. Kalt, chief executive of online broker OptionsXpress Holdings. Federal investigators agree with this. "The integrity of brokerage firm computers seems to be flawless," says an FBI source.

TAKE THE LEAD. But even if investors are careless, online brokers know that e-trading could dry up if users get spooked. That's why Ameritrade offers customers a program that scans a PC for malicious code when they log on to the Internet. E*Trade in April began offering ID tokens, devices that generate a new six-digit log-in code every 60 seconds, to investors with $50,000 or more in their accounts. More than 10% of daily log-ons to E*Trade use the devices. In January, E*Trade will unveil still newer trading safeguards that President Lilien promises "will make our secure ID program look old-fashioned."
Online brokers could take a page from banks, which next year will be required to use state-of-the-art safeguards. Many cyberexperts believe that, instead of blaming customers, the brokerage and high-tech industries need to take the lead educating customers and supplying them with the gear and software they need to make their trading secure. Says Robert K. West, CEO of Echelon One, cybersecurity consultants in Mason, Ohio: "In a society that can't set the clocks on its VCRs, it's nuts to expect people to keep up with all these patches and firewalls." Hackers, of course, are hoping investors stay in the dark.

From isn at c4i.org Thu Nov 3 09:42:00 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Nov 3 09:50:54 2005
Subject: [ISN] Symantec Shares Decline on Weak Forecast
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2005/11/02/AR2005110201945.html

The Associated Press
November 2, 2005

NEW YORK -- Symantec Corp. stock fell Wednesday, a day after the software maker cut its financial forecast and announced the surprise retirement of its chief financial officer.

Shares of Symantec fell $4.63, or 19 percent, to close at $19.37 on the Nasdaq Stock Market. The Cupertino, Calif., company, blaming weakness in its consumer and enterprise security segments, reduced its revenue forecast for fiscal 2006 by $130 million to $5 billion.

"It should be noted that consumer sell-through during the quarter appears to have slowed as compared with prior Septembers," said Greg Meyers, retiring chief financial officer, during the company's conference call Tuesday. "This slowing is most likely a combination of the late release of our 2006 consumer products in the quarter, a lack of high profile threat activity and competitive pressures across the various consumer channels."

Symantec's lowered outlook and Meyers' retirement prompted at least seven analysts to downgrade their ratings on Symantec's shares.
Susquehanna Financial Group's Gregg Moskowitz, who slashed his rating on Symantec's shares to "neutral" from "positive," questioned the timing of Meyers' departure, coming on the heels of Symantec's merger with Veritas this summer.

Other analysts downplayed Symantec's lowered fiscal 2006 guidance, saying it was conservative and more appropriate for a maturing technology company.

"The stock will likely see near term weakness but we would buy the dip as we believe fiscal 2006 adjustments are more transitory and could actually prove conservative while our long term investment thesis remains intact," said J.P. Morgan analyst Adam Holt.

Moskowitz could not be reached to determine if he owns shares in Symantec or if Susquehanna Financial has an investment-banking relationship with the company. Holt does not own shares in Symantec. J.P. Morgan makes a market in the securities of Symantec. Maguire does not own shares in Symantec. Merrill makes a market in the securities of Symantec.

Copyright 2005 The Associated Press

From isn at c4i.org Thu Nov 3 09:42:12 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Nov 3 09:51:12 2005
Subject: [ISN] Audit: DHS beset by weak information security
Message-ID:

http://www.washingtontechnology.com/news/1_1/daily_news/27340-1.html

By Alice Lipowicz
Staff Writer
11/02/05

Despite improvements, the Homeland Security Department still has weak information security programs overall, according to a new report from DHS Inspector General Richard L. Skinner.

The IG's audit [1] found that many of the department's IT systems remain uncertified and unaccredited, while plans to correct weaknesses are undeveloped. The report also said contingency plans have not been developed and tested for all systems, and added that tools used to measure progress are neither complete nor current.

"We recommend that DHS continue to consider its information security program a significant deficiency for [fiscal] 2005," the IG concluded.
DHS officials agreed with the recommendations, and have developed remediation plans for fiscal 2006, according to the report.

Skinner evaluated DHS' compliance with the Federal Information Security Management Act of 2002, which focuses on program management, implementation and evaluation of the security of unclassified and national security IT systems.

The department has made progress on several fronts, including developing so-called Plans of Action and Milestones, as well as a Trusted Agent FISMA tool to collect and track data related to FISMA compliance.

DHS also performed a comprehensive inventory of its IT systems, identifying 795 operational systems as of Aug. 25. That's more than double the 295 systems it reported the previous year, the report said. However, DHS does not yet have a process to update its inventory annually.

Other deficiencies in DHS' IT security cited in the report included:

* Self-assessments have been performed on only 46 percent of contractor systems used on behalf of DHS.

* The Transportation Security Administration and the Secret Service have no contingency plans for network security, and the Citizenship and Immigration Services agency, the Coast Guard and the Secret Service have no contingency plans for database security.

* Fifteen out of 16 certification and accreditation packages reviewed at DHS were incomplete, with some key security documents either not prepared, in draft, or failing to meet appropriate guidelines.

* The Customs and Border Protection, CIS and Emergency Preparedness and Response agencies and the Federal Law Enforcement Training Center did not submit weekly reports to the DHS Computer Security Incident Response Center as required, based on a 10-week evaluation period.
[1] http://www.dhs.gov/interweb/assetlibrary/OIG_05-46_Sep05.pdf

From isn at c4i.org Thu Nov 3 09:42:24 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Nov 3 09:51:29 2005
Subject: [ISN] British teen cleared in 'e-mail bomb' case
Message-ID:

http://news.zdnet.com/2100-1009_22-5928471.html

By Tom Espiner
ZDNet (UK)
November 2, 2005

A British teenager has been cleared of launching a denial-of-service attack against his former employer, in a ruling that delivers another blow to the U.K's Computer Misuse Act.

At Wimbledon Magistrates Court in London, District Judge Kenneth Grant ruled Wednesday that the teenager had not broken the CMA, under which he was charged.

The defendant, who can't be named for legal reasons, was accused of sending 5 million e-mail messages to his ex-employer that caused the company's e-mail server to crash.

The teenager greeted the news with relief, although an appeal by the prosecution is still possible. "I feel very happy. This has been going on for two years. At the moment, this is no longer hanging over my head," the teenager told ZDNet UK.

The CMA, which was introduced in 1990, does not specifically include a denial-of-service attack as a criminal offense, something some members of the U.K. parliament want changed. However, it does explicitly outlaw the "unauthorized access" and "unauthorized modification" of computer material. Section 3 of the act, under which the defendant was charged, concerns unauthorized data modification and tampering with systems.

A denial-of-service attack is one in which a flood of information requests is sent to a server, bringing the system to its knees and making it difficult to reach.

The defendant was not called into the witness box during the trial, so it was never confirmed whether an attack had taken place.
The defense counsel argued that sending a flood of unsolicited e-mails did not constitute unauthorized access or modification, as the targeted company's e-mail server was set up for the purpose of receiving e-mail messages.

Judge Grant told the court that "the computer world has considerably changed since the 1990 act," and that there was little legal precedent to refer back to. He then ruled that denial-of-service attacks were not illegal under the CMA.

In a written ruling, Judge Grant stated: "In this case, the individual e-mails caused to be sent each caused a modification which was in each case an 'authorized' modification. Although they were sent in bulk resulting in the overwhelming of the server, the effect on the server is not a modification addressed by section 3 (of the CMA)."

"On the narrow issue of an authorized or unauthorized modification, I concluded that no reasonable tribunal could conclude that the modification caused by the e-mails sent by the defendant were unauthorized within the meaning of section 3," Grant added.

Peter Sommer, an expert witness for the defense, called for the law to be revised in light of the trial. "This is an interesting result, which highlights the need for reform of the CMA," Sommer, a senior research fellow in the London School of Economics' Information Systems department, said.

Tom Espiner of ZDNet UK reported from London.

From isn at c4i.org Thu Nov 3 09:45:53 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Nov 3 09:51:46 2005
Subject: [ISN] Security UPDATE -- IE 7.0 and Windows Vista Bring More Secure Communications -- November 2, 2005
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.
Quest Software
http://list.windowsitpro.com/t?ctl=183DF:4FB69

BindView
http://list.windowsitpro.com/t?ctl=183DD:4FB69

====================

1. In Focus: IE 7.0 and Windows Vista Bring More Secure Communications

2. Security News and Features
- Recent Security Vulnerabilities
- Problems with Microsoft's October Security Updates
- Voice over IP Security Taking Shape

3. Security Toolkit
- Security Matters Blog
- FAQ
- Security Forum Featured Thread

4. New and Improved
- Endpoint Compliance Without Client Software

====================

==== Sponsor: Quest Software ====

Join us for a free Webcast that explains how organizations with heterogeneous enterprises can "Get to One" solution for systems management through Microsoft Systems Management Server (SMS). For most organizations, heterogeneous enterprises are a fact of life, but they present significant systems management challenges particularly for Unix, Linux and Mac systems. Fortunately, through natively implementing standards on non-Windows systems, those systems can participate in the systems management infrastructure offered by SMS. This Webcast will explain how an integrated architecture can streamline processes, save money, reduce complexity, increase security, and enable compliance for Windows, Unix, Linux, and Mac systems. Register to attend our Webcast on November 9, 2005 at 1:00 PM EDT
http://list.windowsitpro.com/t?ctl=183DF:4FB69

====================

==== 1. In Focus: IE 7.0 and Windows Vista Bring More Secure Communications
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Microsoft's IEBlog is published by the development team that works on Internet Explorer (IE). As such, the blog contains interesting information about what we might see in future versions of the browser.
http://list.windowsitpro.com/t?ctl=183EF:4FB69

On October 22, the IE development team published an article that outlines a few changes Microsoft is making with Secure Sockets Layer (SSL) and Transport Layer Security (TLS).
Current versions of IE support SSL 2.0, SSL 3.0, and TLS 1.0, all of which can be enabled or disabled (select Internet Options from the Tools menu, go to the Advanced tab, and scroll down to the Security section). In IE 6.0, SSL 2.0 and SSL 3.0 are enabled and TLS 1.0 is disabled--at least that's the configuration in my default installations. However, SSL 3.0 and TLS 1.0 are much more secure than SSL 2.0; therefore, Microsoft has decided that in IE 7.0, SSL 2.0 will be disabled by default and SSL 3.0 and TLS 1.0 will be enabled by default. Many Web sites use SSL 2.0, so the changes in IE might cause connection problems for users unless sites begin offering SSL 3.0 before IE 7.0 enters widespread use.

Another major change is the way certificates will be handled. IE 7.0 will initially block access to sites whose certificates weren't issued by a trusted root or whose certificates have expired or been revoked. Under the first two conditions, the browser will offer the user the option of connecting anyway but not if the certificate has been revoked. In addition, the browser won't show nonsecure content on sites whose pages use both secure and nonsecure content unless the user explicitly unblocks the nonsecure content.

Windows Vista will also bring changes to secure communications. With Vista, we'll finally see the use of 256-bit Advanced Encryption Standard (AES) to secure HTTP traffic. Vista will also use the Online Certificate Status Protocol (OCSP) for speedier certificate status checking and will implement some extensions to TLS that are outlined in Internet Engineering Task Force (IETF) Request for Comments (RFC) 3546.
http://list.windowsitpro.com/t?ctl=183ED:4FB69

Web site administrators need to be aware of these upcoming features in IE and Vista and take the necessary steps towards compatibility.
Otherwise you're bound to run into problems in the future, particularly with certificates used on systems that host virtual domains, due to server name parsing and other issues. You can learn more about these issues in IEBlog. You can also read a long list of comments and concerns from the blog's readers and post your own comments.

If you want to learn more about the cryptography in Windows Vista, a video of an interview with Tomas Palmer and Tolga Acar (cryptography program managers at Microsoft) is available at MSDN.
http://list.windowsitpro.com/t?ctl=183E5:4FB69

If you're interested in information about Outlook Express (which incidentally has been renamed Windows Mail) in Windows Vista, be sure to read Windows Mail developer Bryan Starbuck's blog for plenty of insight regarding antispam features and more. You can also watch another video interview at MSDN with the developers and testers of Windows Mail in which they discuss the new mail client.
http://list.windowsitpro.com/t?ctl=183E6:4FB69

====================

==== Sponsor: BindView ====

Are You Prepared for the PCI-Data Security Standard?
If your organization handles credit card transactions with any of the major credit card companies, you need to assess and document your adherence to the PCI-data security standard. Failure to comply with the standard carries stiff penalties including fines, and the restriction of future transaction handling ability by negligent firms. Join BindView for a live Webcast where you will get an overview of the PCI- Data Security Standard; how the standard's 12 major requirements impact IT; and how automated solutions can help demonstrate compliance with these requirements to satisfy an audit. Register at:
http://list.windowsitpro.com/t?ctl=183DD:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities.
You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=183E0:4FB69

Problems with Microsoft's October Security Updates
Earlier this month, Microsoft published Security Bulletins MS05-050 and MS05-051 as part of its regular monthly security patch release schedule. In some instances, systems might still be vulnerable after installing a patch or administrators might find that various important services don't start. Find out more in this news article on our Web site.
http://list.windowsitpro.com/t?ctl=183EA:4FB69

Voice over IP Security Taking Shape
The Voice over IP Security Alliance (VOIPSA) released its security framework, which the alliance hopes will help the industry identify and mitigate potential threats to VoIP technology.
http://list.windowsitpro.com/t?ctl=183E8:4FB69

====================

==== Resources and Events ====

What Does It Mean to Be Compliant?
We've all heard about legal and regulatory requirements, but there are other types of compliance that might also affect you--specifically email compliance. In this free Web seminar, you'll get insights into compliance and policy issues that you need to know about, as well as suggestions on what to look for when implementing your compliance strategy, and more. Register today!
http://list.windowsitpro.com/t?ctl=183DE:4FB69

Get Ready for the SQL Server 2005 Roadshow in Europe--Get the facts about migrating to SQL Server 2005!
SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database-computing environment. Receive a one-year membership to PASS and one-year subscription to SQL Server Magazine. Register now.
http://list.windowsitpro.com/t?ctl=183DA:4FB69

Get the Maximum Return on Software Investments by Optimizing Every Dollar Spent on Software
Inaccurate information about software usage causes many organizations to either overspend and buy licenses they don't use, or underspend and deny some end users access to the software they need. Attend this free Web seminar and get a 5-step plan for quickly implementing a license management program today!
http://list.windowsitpro.com/t?ctl=183DC:4FB69

Accelerate Time to Recovery with Minimal Data Loss
Learn how to meet RPO (Recovery Point Objectives) and RTO (Recovery Time Objectives) with a continuous, or real-time backup system. In this free, on-demand Web seminar, you'll discover how to roll back data to any point in time--not just to the last snapshot or backup!
http://list.windowsitpro.com/t?ctl=183DB:4FB69

Exploit the Opportunities of a Wireless Fleet
With the endless array of mobile and wireless devices and applications, it's hard to decide what you can do with the devices beyond providing mobile email access. It's even tougher to know how to keep it all secure. Join industry guru Randy Franklin Smith in this free Web seminar and discover what you should do to leverage your mobile and wireless infrastructure, how to pick devices that are right for you, and more!
http://list.windowsitpro.com/t?ctl=183D9:4FB69

====================

==== Featured White Paper ====

Software Packaging Workflow Best Practices
Managing desktop software configurations doesn't have to be a manual process resulting in unplanned costs, deployment delays, and client confusion. In this free whitepaper, you'll learn how to manage the software package preparation process and increase your desktop reliability, user satisfaction, and IT cost effectiveness. Download your copy now and discover the value of standardizing the software packaging process.
http://list.windowsitpro.com/t?ctl=183D8:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog: Martin Roesch on Snort's Past, Present, and Future
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=183EC:4FB69
Ever wonder how the intrusion detection and prevention system Snort got started and where it might be going in the future? Snort creator Martin Roesch tells you all about it in an 18-minute audio interview.
http://list.windowsitpro.com/t?ctl=183E9:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=183EB:4FB69
Q: How can I determine the logged-on user's distinguished name (DN)?
Find the answer at http://list.windowsitpro.com/t?ctl=183E7:4FB69

Security Forum Featured Thread: Allow POP Email but Not Internet Access
A forum participant has several clients with Windows 2000 boxes that need to get POP email on TCP ports 110 and 25. The users aren't supposed to have Internet access, but the machines need to get automatic antivirus software updates via the Internet. Join the discussion at
http://list.windowsitpro.com/t?ctl=183D7:4FB69

====================

==== Announcements ====
(from Windows IT Pro and its partners)

VIP Monthly Online Pass = Quick Answers
Sign up for a VIP Monthly Online Pass and get online access to ALL the articles, tools, and helpful resources published in SQL Server Magazine, Windows IT Pro, Exchange and Outlook Administrator newsletter, Windows Scripting Solutions newsletter, and Windows IT Security newsletter. You'll have 24/7 access to a database of more than 25,000 articles that will give you all the answers you need, when you need them. BONUS--Includes the latest issue of Windows IT Pro each month. Sign up now for just US$29.95 per month:
http://list.windowsitpro.com/t?ctl=183E1:4FB69

The Exchange & Outlook Administrator Newsletter
If you haven't already subscribed to the Exchange & Outlook Administrator newsletter, you're missing out on key information related to preventing serious messaging problems and downtime.
This newsletter encompasses tools and solutions you won't find anywhere else to help you migrate, optimize, administer, backup, recover, and secure Exchange and Outlook. Order now:
http://list.windowsitpro.com/t?ctl=183E3:4FB69

====================

==== 4. New and Improved ====
by Renee Munshi, products@windowsitpro.com

Endpoint Compliance Without Client Software
ENDFORCE announced version 2.5 of its ENDFORCE Enterprise endpoint security policy enforcement solution. ENDFORCE Enterprise now includes a clientless Web agent that assesses unmanaged endpoints. Businesses can direct unmanaged endpoint users to a Web site where their system downloads an ActiveX component and undergoes a one-time assessment before gaining access to the network. Version 2.5 also gives companies the ability to send alerts to individuals and third-party monitoring systems, such as HP OpenView, based on compliance state changes and enforcement actions. For more information, go to
http://list.windowsitpro.com/t?ctl=183F0:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.
====================

==== Contact Us ====
About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=183EE:4FB69
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- salesopps@windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=183E4:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.

From isn at c4i.org Fri Nov 4 12:10:31 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Nov 4 12:14:46 2005
Subject: [ISN] California Man Charged with Botnet Offenses
Message-ID:

http://www.eweek.com/article2/0,1895,1881621,00.asp

By Paul F. Roberts
November 3, 2005

Botnets are big business - at least according to authorities who announced the first U.S. case against an alleged computer hacker, who authorities believe netted $60,000 in cash and a BMW from a personal army of zombie computers.

Federal authorities arrested a 20-year-old California man Thursday and charged him with running a network of 400,000 compromised computers called a "botnet," including computers used by the U.S. government for national defense.

Jeanson James Ancheta, of Downey, Calif., was arrested by FBI agents Thursday morning and charged with spreading a Trojan horse program, called "rxbot," and using it to build a network of around 400,000 infected computers. He is also charged with illegally uploading advertising software ("adware") onto compromised systems.
Among Ancheta's alleged victims were computers at the Weapons Division of the U.S. Naval Air Warfare Center, and machines belonging to the U.S. Department of Defense's Defense Information Systems Agency, according to a statement from Debra Wong Yang, U.S. Attorney for the Central District of California.

Huge networks of compromised computers, known as "bots," have become a pressing problem in recent months. Security company Symantec Corp. said that its researchers identified an average of 10,352 bots a day in the first half of 2005, compared to around 5,000 a day in December 2004, according to the company's most recent Internet Threat Report.

The arrest in California follows a similar crackdown in the Netherlands that netted individuals believed to control a network of 1.5 million infected computers worldwide. It is the first known prosecution of a botnet operator in the United States, according to the statement.

Ancheta is alleged to have modified and distributed a Trojan horse program called rxbot. Once the Trojan was installed on victims' computers, he allegedly used IRC (Internet Relay Chat) to communicate with and control the systems, even advertising use of the botnets for DoS (denial of service) attacks and spam.

Symantec believes that the increase in bot networks is directly related to an increase in DoS attacks and online extortion attempts, the company reported.

Ancheta was also a member of affiliate networks used by unnamed "advertising service companies," who paid him around $60,000 to install their advertising software on the machines he controlled, the statement alleges.

The case was investigated by the FBI as well as the Naval Criminal Investigative Service and Defense Criminal Investigative Service.

Authorities are charging Ancheta with 17 counts, including conspiracy, transmission of code to a protected computer and to a government computer, and multiple counts of fraud and money laundering.
Authorities are also seeking more than $60,000 in cash and a BMW automobile that they allege are illicit gains from the botnet activity.

From isn at c4i.org Fri Nov 4 12:10:44 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Nov 4 12:15:07 2005
Subject: [ISN] Sony to offer patch for 'rootkit' DRM
Message-ID:

http://www.theregister.co.uk/2005/11/03/sony_rootkit_drm/

By Andrew Orlowski in San Francisco
3rd November 2005

Updated: Sony BMG said today it will offer a patch for one of its own exploits - one that comes bundled with its music CDs. The code cloaks itself and, by intercepting and redirecting low-level Windows system calls, forces the audio through a custom player and restricts the number of CD burns that can be made.

As Sysinternals' Mark Russinovich discovered this week [1], removing the Sony code using standard anti-malware tools leaves the user with an inoperable CD drive. Russinovich also pointed out that because the cloaking technique it used to hide itself was so crude, malware authors could hide their own nefarious programs on users' hard disks using Sony's DRM software.

However, the patch that Sony will offer doesn't remove the 'rootkit' DRM: it only makes the hidden files visible.

Macintosh and Linux users are unaffected by the DRM kit, which only works on Windows PCs.

It isn't quite the "bombs" [2] the RIAA once suggested it was developing to deter music downloads, but it's in the same spirit.

And here's the patch [3] from First 4 Internet Ltd, the British company that developed the DRM software.

"This Service Pack removes the cloaking technology component that has been recently discussed in a number of articles published regarding the XCP Technology used on SONY BMG content protected CDs." [our emphasis]

The note continues: "This component is not malicious and does not compromise security.
However, to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released to enable users to remove this component from their computers."

But wait! Don't do that just yet...

Anti-malware company F-Secure discusses the Sony DRM [4] software here. F-Secure says its rootkit detection software will spot the hidden files, but strongly advises users not to remove it using its Blacklight software, and instead advises users to contact Sony.

"If you find this rootkit from your system, we recommend you don't remove it with our products. As this DRM system is implemented as a filter driver for the CD drive, just blindly removing it might result in an inaccessible CD drive letter," advises F-Secure.

It is alarming how little outrage there is from ordinary PC users. While Register readers are well versed in the restrictions of DRM and the dangers of malware, there's little sign the public shares this knowledge.

Incredibly, the Sony DRM malware has been out on the market for eight months and is bundled on 20 CD titles. Sony said it hadn't received a single complaint until this week. So, disturbingly, most people either haven't run into serious problems yet, or even more disturbingly, don't find the Sony DRM particularly onerous. We pray it's not the latter.

However, Sony's decision to offer a 'patch' that fails to remove the DRM code suggests it isn't too concerned by the howls of outrage heard this week from sophisticated PC users. And with this level of apathy, the music giants will be emboldened to try these techniques again. And again. And again.
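As an added example (not code from The Register, Sony, First 4 Internet or F-Secure), the following Python models the two defensive points above: a cross-view comparison that surfaces files a cloaking driver hides from normal directory listings, and a triage step that flags any hidden file also registered as a filter driver on the CD drive stack, so it is detached first rather than blindly deleted. All file names and the filter-driver registration are constructed sample data, not real indicators.

```python
"""Cross-view detection of cloaked files, plus removal-safety triage.

Rootkit detectors find cloaked objects by comparing what the high-level
API reports (the view a hooked system call can lie about) against a raw
scan of the on-disk structures. A hidden file that is also attached to a
device stack as a filter driver must be detached before deletion, or the
stack (here the CD drive) is left broken, which is the failure the
article describes.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Constructed sample data (not real indicators): what the Win32 directory
# API reports versus what a raw scan of the NTFS volume finds.
API_VIEW = {
    r"C:\WINDOWS\system32\drivers\cdrom.sys",
    r"C:\WINDOWS\system32\kernel32.dll",
}
RAW_VIEW = API_VIEW | {
    r"C:\WINDOWS\system32\drivers\example_cloak.sys",  # constructed name
    r"C:\WINDOWS\system32\example_player.dll",         # constructed name
}
# Constructed filter-driver registration: driver files attached to the
# CD-ROM device stack, lower to upper. Real systems keep this in the
# device class's filter lists in the registry; the shape here is assumed.
FILTER_STACKS = {
    "cdrom": ["cdrom.sys", "example_cloak.sys"],
}


@dataclass(frozen=True)
class Finding:
    path: str
    stacks: tuple[str, ...]  # device stacks the hidden file is attached to
    action: str              # "detach-then-delete" or "delete"


def cross_view_hidden(api_view: set[str], raw_view: set[str]) -> set[str]:
    """Entries the raw view sees but the API view does not are cloaked.

    Works for any namespace presented as two sets (files, registry keys,
    processes); only the data source differs.
    """
    return raw_view - api_view


def triage(hidden: set[str], filter_stacks: dict[str, list[str]]) -> list[Finding]:
    """Decide, per hidden file, whether it is safe to delete outright.

    A cloaked file that is also a registered filter driver must be
    detached from its device stack before the file is removed.
    """
    findings = []
    for path in sorted(hidden):
        name = ntpath.basename(path).lower()  # ntpath: Windows paths, any host
        stacks = tuple(
            stack for stack, drivers in filter_stacks.items()
            if name in (d.lower() for d in drivers)
        )
        action = "detach-then-delete" if stacks else "delete"
        findings.append(Finding(path, stacks, action))
    return findings


def report(api_view=API_VIEW, raw_view=RAW_VIEW, filter_stacks=FILTER_STACKS):
    """Run detection and triage over the sample views."""
    return triage(cross_view_hidden(api_view, raw_view), filter_stacks)


if __name__ == "__main__":
    for f in report():
        where = f" (filter on: {', '.join(f.stacks)})" if f.stacks else ""
        print(f"{f.action:<20} {f.path}{where}")
```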
[1] http://www.theregister.co.uk/2005/11/01/sony_rootkit_drm/
[2] http://www.theregister.co.uk/2003/05/04/riaa_attacking_our_culture/
[3] http://updates.xcp-aurora.com/
[4] http://www.europe.f-secure.com/weblog/#00000691

From isn at c4i.org Fri Nov 4 12:09:21 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Nov 4 12:15:40 2005
Subject: [ISN] Microsoft patches break some Web sites
Message-ID:

http://www.networkworld.com/news/2005/110305-microsoft-patches.html

By Jeremy Kirk
IDG News Service
11/03/05

Two patches released by Microsoft earlier this year for its Internet Explorer browser may cause some Web sites not to load properly.

The bulletins, MS05-038 and MS05-052, removed "unsafe functionality" and change how the browser handles ActiveX controls for security reasons, Stephen Toulouse, a program manager in Microsoft's security unit, wrote on Thursday on the Microsoft Security Center Response Blog.

After installing MS05-038, first published Aug. 9 on the Microsoft Download Center, Web pages containing Component Object Model (COM) objects called monikers may not work as expected.

MS05-052, published Oct. 11, added an additional check for a specific interface for ActiveX controls before allowing a COM object to run in Internet Explorer. But it also blocks some Web pages containing ActiveX controls, Microsoft said. Users who are missing certain registry subkeys may also experience problems with this patch, Microsoft said.

Microsoft has published instructions on how to resolve the MS05-038 issues [1]. Instructions for the two possible problems with MS05-052 can be found here [2] and here [3].
[1] http://support.microsoft.com/kb/906294
[2] http://support.microsoft.com/kb/909889
[3] http://support.microsoft.com/kb/909738

From isn at c4i.org Fri Nov 4 12:10:05 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Nov 4 12:16:09 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-44
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2005-10-27 - 2005-11-03

This week : 47 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you of the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.
Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

A security issue has been reported in First4Internet XCP DRM software used to play back Sony copy-protected music CDs, which can be exploited by malicious, local users to hide certain actions on a vulnerable system from the Administrator.

Reference:
http://secunia.com/SA17408

--

Apple has released a security update for Mac OS X, which fixes some vulnerabilities. A complete list and details about the vulnerabilities fixed can be found in the referenced Secunia advisory.

Reference:
http://secunia.com/SA17368

--

Some vulnerabilities have been reported in PHP, which can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, and potentially compromise a vulnerable system. Additional details about the vulnerabilities can be found in the referenced Secunia advisory.

Reference:
http://secunia.com/SA17371

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA17305] Skype Multiple Buffer Overflow Vulnerabilities
2. [SA17371] PHP Multiple Vulnerabilities
3. [SA16502] PCRE Quantifier Values Integer Overflow Vulnerability
4. [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerabilities
5. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
6. [SA16560] Windows Registry Editor Utility String Concealment Weakness
7. [SA17358] Novell ZENworks Patch Management SQL Injection Vulnerability
8. [SA17366] phpBB "register_globals" Deregistration Bypass Vulnerabilities
9. [SA17351] GNUMP3d Cross-Site Scripting and Directory Traversal Vulnerabilities
10. [SA17384] Linux Kernel Potential Buffer Overflow Vulnerabilities

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA17409] Serv-U FTP Server Potential Denial of Service Vulnerability
[SA17394] CheckMark MultiLedger DUNZIP32.dll Buffer Overflow Vulnerability
[SA17387] ASP Fast Forum "error" Cross-Site Scripting Vulnerability
[SA17385] Snitz Forums 2000 "post.asp" Cross-Site Scripting Vulnerability
[SA17383] Ringtail CaseBook Cross-Site Scripting and Username Enumeration
[SA17379] Hyper Estraier Windows Unicode Filename Handling Vulnerability
[SA17361] F-Secure Products Web Console Directory Traversal Vulnerability
[SA17408] Sony CD First4Internet XCP DRM Software Security Issue

UNIX/Linux:
[SA17389] NetBSD Update Fixes Multiple Vulnerabilities
[SA17377] Gentoo update for ethereal
[SA17362] Gentoo update for mantis
[SA17360] Debian update for lynx-ssl
[SA17405] MailWatch for MailScanner Two Vulnerabilities
[SA17403] Red Hat update for curl
[SA17401] Red Hat update for openssl096b
[SA17400] Red Hat update for wget
[SA17398] Red Hat update for openssl
[SA17397] Cisco Management Center for IPS Sensors Security Issue
[SA17392] Avaya Multiple Ethereal Vulnerabilities
[SA17391] Ubuntu update for libgda2-1 / libgda2-3
[SA17381] Fedora update for openssl096b
[SA17376] OpenVPN Format String and Denial of Service Vulnerabilities
[SA17369] Gentoo update for xli / xloadimage
[SA17367] Debian update for gallery
[SA17364] Red Hat update for kernel
[SA17363] Gentoo update for tikiwiki
[SA17390] Ubuntu update for sudo
[SA17382] Ntop Red Hat Initialisation Script Insecure Temporary File Creation
[SA17380] IBM "chcons" Command Buffer Overflow Vulnerability
[SA17368] Mac OS X Update Fixes Multiple Vulnerabilities
[SA17370] Ethereal IRC Protocol Dissector Denial of Service
[SA17402] HP OpenVMS Unspecified Denial of Service Vulnerability
[SA17399] Mandriva update for wget
[SA17384] Linux Kernel Potential Buffer Overflow Vulnerabilities
[SA17365] Gentoo update for pam

Other:
[SA17413] Cisco IOS System Timers Potential Arbitrary Code Execution
[SA17406] Cisco Wireless LAN Controllers Encryption Bypass Vulnerability

Cross Platform:
[SA17378] Subdreamer Login SQL Injection Vulnerabilities
[SA17366] phpBB "register_globals" Deregistration Bypass Vulnerabilities
[SA17396] News2Net "category" SQL Injection Vulnerability
[SA17375] Invision Gallery "st" SQL Injection Vulnerability
[SA17374] MG2 Disclosure of Password Protected Images
[SA17373] oaboard SQL Injection Vulnerabilities
[SA17371] PHP Multiple Vulnerabilities
[SA17404] Simple PHP Blog Cross-Site Scripting Vulnerabilities
[SA17395] Sun Java System Communications Express Configuration File Disclosure
[SA17393] Invision Gallery Image Script Insertion Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:
--
[SA17409] Serv-U FTP Server Potential Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-11-02
A vulnerability has been reported in Serv-U, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/17409/

--
[SA17394] CheckMark MultiLedger DUNZIP32.dll Buffer Overflow Vulnerability
Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-10-31
Juha-Matti Laurio has reported a vulnerability in CheckMark MultiLedger, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/17394/

--
[SA17387] ASP Fast Forum "error" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-10-31
syst3m_f4ult has reported a vulnerability in ASP Fast Forum, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/17387/

--
[SA17385] Snitz Forums 2000 "post.asp" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-11-01
h4xorcrew has discovered a vulnerability in Snitz Forums 2000, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/17385/

--
[SA17383] Ringtail CaseBook Cross-Site Scripting and Username Enumeration
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information
Released: 2005-11-01
A weakness and a vulnerability have been reported in Ringtail CaseBook, which can be exploited by malicious people to gain knowledge of certain information and conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/17383/

--
[SA17379] Hyper Estraier Windows Unicode Filename Handling Vulnerability
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information, DoS
Released: 2005-10-31
A vulnerability has been reported in Hyper Estraier, which can be exploited by malicious users to cause a DoS (Denial of Service) or to gain knowledge of certain sensitive information.
Full Advisory: http://secunia.com/advisories/17379/

--
[SA17361] F-Secure Products Web Console Directory Traversal Vulnerability
Critical: Less critical
Where: From local network
Impact: Exposure of sensitive information
Released: 2005-11-02
A vulnerability has been reported in F-Secure Anti-Virus for Microsoft Exchange and F-Secure Internet Gatekeeper, which can be exploited by malicious people to gain knowledge of potentially sensitive information.
Full Advisory: http://secunia.com/advisories/17361/

--
[SA17408] Sony CD First4Internet XCP DRM Software Security Issue
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2005-11-02
A security issue has been reported in First4Internet XCP DRM software used to play back Sony copy-protected music CDs, which can be exploited by malicious, local users to hide certain actions on a vulnerable system from the Administrator.
Full Advisory: http://secunia.com/advisories/17408/

UNIX/Linux:
--
[SA17389] NetBSD Update Fixes Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Privilege escalation, DoS, System access
Released: 2005-11-02
Some vulnerabilities have been reported in NetBSD, which can be exploited by malicious, local users to gain escalated privileges, or by malicious users to cause a DoS (Denial of Service) and compromise a vulnerable system, or by malicious people to bypass certain security restrictions and compromise a user's system.
Full Advisory: http://secunia.com/advisories/17389/

--
[SA17377] Gentoo update for ethereal
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-10-31
Gentoo has issued an update for ethereal. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/17377/

--
[SA17362] Gentoo update for mantis
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, System access
Released: 2005-10-28
Gentoo has issued an update for mantis. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting, script insertion, and SQL injection attacks, and compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/17362/

--
[SA17360] Debian update for lynx-ssl
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-10-28
Debian has issued an update for lynx-ssl. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/17360/

--
[SA17405] MailWatch for MailScanner Two Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Unknown, Manipulation of data
Released: 2005-11-02
Two vulnerabilities have been reported in MailWatch for MailScanner, where one has an unknown impact, and the other potentially can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/17405/

--
[SA17403] Red Hat update for curl
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-11-02
Red Hat has issued an update for curl. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/17403/

--
[SA17401] Red Hat update for openssl096b
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-11-02
Red Hat has issued an update for openssl096b. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/17401/

--
[SA17400] Red Hat update for wget
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-11-02
Red Hat has issued an update for wget. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/17400/

--
[SA17398] Red Hat update for openssl
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-11-02
Red Hat has issued an update for openssl.
This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/17398/

--
[SA17397] Cisco Management Center for IPS Sensors Security Issue
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-11-02
A security issue has been reported in Cisco Management Center for IPS Sensors (IPS MC), which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/17397/

--
[SA17392] Avaya Multiple Ethereal Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-10-31
Avaya has acknowledged some vulnerabilities in Ethereal included in some products, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/17392/

--
[SA17391] Ubuntu update for libgda2-1 / libgda2-3
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-10-31
Ubuntu has issued updates for libgda2-1 and libgda2-3. These fix a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/17391/

--
[SA17381] Fedora update for openssl096b
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-11-01
Fedora has issued an update for openssl096b. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/17381/

--
[SA17376] OpenVPN Format String and Denial of Service Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-11-01
Two vulnerabilities have been reported in OpenVPN, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
Full Advisory: http://secunia.com/advisories/17376/

--
[SA17369] Gentoo update for xli / xloadimage
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-10-31
Gentoo has issued updates for xli and xloadimage. These fix a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/17369/

--
[SA17367] Debian update for gallery
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2005-11-02
Debian has issued an update for gallery. This fixes a security issue, which can be exploited by malicious users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/17367/

--
[SA17364] Red Hat update for kernel
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-10-28
Red Hat has issued an update for kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service), or by malicious people to disclose certain sensitive information and cause a DoS.
Full Advisory: http://secunia.com/advisories/17364/

--
[SA17363] Gentoo update for tikiwiki
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-10-28
Gentoo has issued an update for tikiwiki. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/17363/

--
[SA17390] Ubuntu update for sudo
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-31
Ubuntu has issued an update for sudo. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/17390/

--
[SA17382] Ntop Red Hat Initialisation Script Insecure Temporary File Creation
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-31
nnposter has reported a vulnerability in Ntop, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/17382/

--
[SA17380] IBM "chcons" Command Buffer Overflow Vulnerability
Critical: Less critical
Where: Local system
Impact: Unknown
Released: 2005-10-31
A vulnerability has been reported in AIX, which has an unknown impact.
Full Advisory: http://secunia.com/advisories/17380/

--
[SA17368] Mac OS X Update Fixes Multiple Vulnerabilities
Critical: Less critical
Where: Local system
Impact: Security Bypass, Exposure of system information, Exposure of sensitive information
Released: 2005-11-01
Apple has issued an update for Mac OS X. This fixes some vulnerabilities and a security issue, which can be exploited by malicious, local users to bypass certain security restrictions or to gain knowledge of potentially sensitive information.
Full Advisory: http://secunia.com/advisories/17368/

--
[SA17370] Ethereal IRC Protocol Dissector Denial of Service
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-10-31
Daniel Gryniewicz has reported a vulnerability in Ethereal, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/17370/

--
[SA17402] HP OpenVMS Unspecified Denial of Service Vulnerability
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2005-11-02
A vulnerability has been reported in OpenVMS, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/17402/

--
[SA17399] Mandriva update for wget
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2005-11-02
Mandriva has issued an update for wget. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/17399/

--
[SA17384] Linux Kernel Potential Buffer Overflow Vulnerabilities
Critical: Not critical
Where: Local system
Impact: Unknown
Released: 2005-11-01
Two vulnerabilities have been reported in the Linux Kernel, with an unknown impact.
Full Advisory: http://secunia.com/advisories/17384/

--
[SA17365] Gentoo update for pam
Critical: Not critical
Where: Local system
Impact: Security Bypass
Released: 2005-10-28
Gentoo has issued an update for pam. This fixes a security issue, which potentially can be exploited by malicious, local users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/17365/

Other:
--
[SA17413] Cisco IOS System Timers Potential Arbitrary Code Execution
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-11-03
A vulnerability has been reported in Cisco IOS, which potentially can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/17413/

--
[SA17406] Cisco Wireless LAN Controllers Encryption Bypass Vulnerability
Critical: Less critical
Where: From local network
Impact: Security Bypass
Released: 2005-11-03
A vulnerability has been reported in Cisco WLAN (Wireless LAN) Controllers, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/17406/

Cross Platform:
--
[SA17378] Subdreamer Login SQL Injection Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Manipulation of data, System access, Security Bypass
Released: 2005-10-31
RST/GHC has reported some vulnerabilities in Subdreamer, which can be exploited by malicious people to conduct SQL injection attacks and compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/17378/

--
[SA17366] phpBB "register_globals" Deregistration Bypass Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data, System access
Released: 2005-10-31
Stefan Esser has reported some vulnerabilities in phpBB, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, bypass certain security restrictions, and compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/17366/

--
[SA17396] News2Net "category" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-02
Mousehack has discovered a vulnerability in News2Net, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/17396/

--
[SA17375] Invision Gallery "st" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-01
almaster has reported a vulnerability in Invision Gallery, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/17375/

--
[SA17374] MG2 Disclosure of Password Protected Images
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-10-31
Preben Nylokken has discovered a vulnerability in MG2, which can be exploited by malicious people to disclose potentially sensitive information.
Full Advisory: http://secunia.com/advisories/17374/

--
[SA17373] oaboard SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-01
Abducter has discovered two vulnerabilities in oaboard, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/17373/

--
[SA17371] PHP Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, DoS, System access
Released: 2005-10-31
Some vulnerabilities have been reported in PHP, which can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/17371/

--
[SA17404] Simple PHP Blog Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-11-02
Nenad Jovanovic has discovered some vulnerabilities in Simple PHP Blog, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/17404/

--
[SA17395] Sun Java System Communications Express Configuration File Disclosure
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-11-02
A vulnerability has been reported in Sun Java Communications Express, which can be exploited by malicious users to gain knowledge of potentially sensitive information.
Full Advisory: http://secunia.com/advisories/17395/

--
[SA17393] Invision Gallery Image Script Insertion Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-11-02
Tatercrispies has reported a vulnerability in Invision Gallery, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/17393/

========================================================================

Secunia recommends that you verify all advisories you receive, by
clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use
those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

From isn at c4i.org Fri Nov 4 12:10:55 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Nov 4 12:16:41 2005
Subject: [ISN] Teen hacker escapes punishment
Message-ID:

http://www.vnunet.com/vnunet/news/2145513/teen-hacker-escapes-punishment

Ken Young
vnunet.com
03 Nov 2005

A judge has ruled that there was no case to answer after presiding over
the trial of a teenager who allegedly flooded his former employer's
email system with five million messages.

The ruling has called into question the effectiveness of the Computer
Misuse Act (CMA) in prosecuting such cases.

The judge at Wimbledon Magistrates' Court ruled that the alleged actions
did not fall foul of the CMA, even though the company involved claimed
that the boy's actions had caused its email servers to crash.

The unnamed teenager was charged under Section 3 of the CMA, which
covers the more serious offence of unauthorised modification of a
computer system.

The defence argued that, since the firm's email server was set up for
the express purpose of receiving emails, sending a flood of unsolicited
emails could not be considered an act of unauthorised modification.

Judge Grant told the court that "the computer world has considerably
changed since the 1990 Act", and that there is little legal precedent to
refer back to. He then went on to rule that denial of service attacks
are not illegal under the CMA.
In a written ruling, Judge Grant said: "In this case the individual
emails each caused a modification which was in each case an
'authorised' modification.

"Although they were sent in bulk resulting in the overwhelming of the
server, the effect on the server is not a modification addressed by
section 3 [of the CMA]."

The CMA, introduced in 1990, explicitly outlaws the 'unauthorised
access' and 'unauthorised modification' of computer material. Section 3
concerns unauthorised data modification and tampering with systems.

The defendant was not called into the witness box during the trial, so
was unable to confirm whether or not the attack had taken place.

From isn at c4i.org Mon Nov 7 03:10:17 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 7 03:16:56 2005
Subject: [ISN] Retailers under pressure to tighten security
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,105954,00.html

By Jaikumar Vijayan
NOVEMBER 04, 2005
COMPUTERWORLD

CHICAGO -- Privacy concerns and proposed laws governing the use of
sensitive personal information are making it more important for
retailers to be able to demonstrate due diligence when it comes to
information security practices, according to IT managers at the Retail
Data Security Forum here this week.

An inability to do so could expose companies to serious damage to their
reputations, financial losses and customer churn, they said.

"The brand can suffer real consequences" from a security breach, said
Brian Kilcourse, chief strategist at the Retail Systems Alert Group, the
Newton, Mass.-based organizer of this week's forum. "In the eyes of the
customer, if their data is compromised, the retailer is legally and
ethically bound to report that breach."

The issue is particularly urgent given that a survey by the Retail
Systems Alert Group shows that retailers are amassing a growing amount
of information on their customers, Kilcourse said.
Increasingly, retailers are associating demographic information and
transaction-level details to customer profiles -- even though they don't
appear to be using the data to deliver specialized services for
customers, he said.

While many retailers have worked to ensure the security and integrity of
the data, queries to it in many cases are not well controlled, and the
data itself is not encrypted, he said. Similarly, forensic data related
to the creation and retrieval of customer information is not captured,
Kilcourse said.

Information security executives understand what needs to be done to fix
such issues, said the IT security director at a major Midwestern
franchise chain, who requested anonymity. "The problem is the executive
sponsorship" for the investments needed to bolster security, he said.

While high-profile data compromises such as those involving ChoicePoint
Inc. and BJ's Wholesale Club last year have raised awareness of the
stakes involved, there still is an unwillingness to invest in security
"without a clear demonstrable ROI," he said.

Even so, retailers have done a relatively good job of protecting
consumer data so far, said Bob Belair, a partner with the
Washington-based law firm of Oldaker, Biden & Belair. The key now is
being able to show that companies have done all they can to protect
their consumer data, he said.

That means having a formal information security plan that embodies
protections commensurate with the sensitivity of the information at
risk, he said. Such a plan has to be dynamic to a changing threat
environment and should include processes for periodic reviews and
audits. There also needs to be clear accountability and processes for
training and educating those who handle consumer data, he said.

"You do all these things and a hacker still breaks in, chances are you
are not liable because you have acted in a reasonable manner," Belair
said.
There are four initial steps companies can take to mitigate the risk of
a data security breach, Michele DeMaree, president of DeMaree Consulting
Inc., said during a presentation at the show. The first is to identify
key data assets and determine what information needs to be protected.
The second is to create cross-functional teams to deal with privacy,
security, legal and compliance issues. The third step is to begin
assessing risk by measuring the frequency of policy violations against
customer data and other information assets. And finally, companies need
to educate data owners about risks.

From isn at c4i.org Mon Nov 7 03:10:38 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 7 03:17:26 2005
Subject: [ISN] The Security Shuffle
Message-ID:

http://www.govtech.net/magazine/channel_story.php/97157

By Jim McKay
November 04, 2005

Department of Homeland Security (DHS) Secretary Michael Chertoff will
put his stamp on the DHS through a major reorganization of the troubled
agency, which is scheduled for October. State and local officials hope
the changes will both improve federal disaster response and promote
better intergovernmental communications.

The overhaul includes eliminating the position of the director for
emergency preparedness and response, who oversees the Federal Emergency
Management Agency (FEMA), and creating a new emergency preparedness
division meant to focus exclusively on preparedness activities. In
addition, FEMA will report directly to the secretary and be the
department's response division.

The reorganization also creates a new Office of Intelligence and
Analysis, tasked with disseminating information to appropriate federal,
state and local partners.

But how much will the country, and specifically state and local public
safety officials, benefit from the DHS reorganization? In August, during
a break from meetings with DHS staff, Arizona Director of Homeland
Security Frank Navarrete expressed guarded optimism.
"We're hearing the right words, and the sense of direction seems to be
positive," Navarrete said. "Quite frankly [Chertoff] is taking on some
pretty significant changes to streamline the operation, and make us all
more efficient and effective."

Those changes include improving the way information is shared with state
and local officials -- which has improved somewhat since 9/11, with the
advent of the Homeland Security Information Network (HSIN) and as a
result of Joint Terrorism Task Forces. But officials charged with
protecting local communities continue to express frustration that
intelligence is too often tardy and lacking detail by the time it
reaches states.

More Specifically ...

The DHS convened two days of meetings in August with state and local
officials to discuss Chertoff's six-point agenda for reorganization. The
agenda focuses on preparing the nation for a devastating attack by
securing transportation modes, improving cargo screening technology,
improving border protection with technology, and enhancing information
sharing with state and local government officials. This will include
supporting data fusion centers emerging in a number of states, revising
the Homeland Security Advisory System, creating a new Office of
Intelligence and Analysis, and consolidating preparedness efforts.

The six-point agenda stemmed from an extensive department review
undertaken by Chertoff soon after his appointment in March. The agency
sustained a barrage of criticism that, in its two-year existence, it
plodded toward a vague mission with an unfocused, poorly coordinated
staff of 180,000 employees.

The summit included state homeland security directors and emergency
managers from around the country who listened to Chertoff and his staff,
and provided feedback on the upcoming changes.

"We recognize that information sharing is not perfect yet," said Valerie
Smith, assistant press secretary of the DHS.
"As the secretary pointed out in his speech on July 13, information
sharing -- or better information sharing -- with state, local and tribal
partners, is going to be one of the six most important priorities for
the year ahead, and he did say he would announce more specifics in the
next few weeks and months."

The DHS attempted to address this issue by creating the HSIN and a
series of local Joint Terrorism Task Forces. But these moves haven't
completely cured the problem.

The HSIN links the Homeland Security Operations Center to state homeland
security offices, public safety departments, emergency operations
centers and offices of the National Guard via computer-based
communications. Joint Terrorism Task Forces focus on homeland security
intelligence matters. The FBI has a Joint Terrorism Task Force in each
of the 56 FBI field offices throughout the country, as well as 10
stand-alone, formalized task forces in its largest satellite offices
known as resident agencies, according to the FBI.

Sharing Intelligence

It is hoped that the new Office of Intelligence and Analysis will
promote better communications among federal, state and local governments
-- but some local officials are not holding their breath.

A handful of police chiefs, frustrated at hearing about homeland
security alerts on CNN rather than from the federal government, are
developing an informal network to share intelligence, saying the federal
government's intelligence gathering and sharing networks just weren't
working -- they weren't providing the real-time intelligence locals need
to respond.

The idea developed during the second of the two London bombings this
summer. Los Angeles Police Chief William Bratton, in Chicago for a
meeting of police chiefs, was awakened at 3:30 a.m. by one of his
deputies who was dispatched to London to share intelligence with local
officials about the first bombings.
The deputy happened to be there when the second bombings occurred and
relayed the information to Bratton immediately. The next day at the
meeting, Bratton and chiefs from five other cities discussed the idea of
an informal network.

"We saw firsthand at the meeting in Chicago on the day of the London
bombings the fact that there were five cities in that room and we were
able to, very quickly, work with information coming to us from London,
basically kick information around: 'This is what I'm going to do in Los
Angeles. What are you, Chuck Ramsey, going to do in Washington [D.C.]?
What are you, Phil Cline, going to do in Chicago?'" Bratton said.

The idea is to quickly get information into the hands of officials in
the cities determined to be the most likely targets of a terrorist
attack, Bratton said. "Then let the local officials make determinations,
while the federal government is making a determination if they want to
go up [to orange alert] nationally, or in a specific industry like
transportation."

That gives local officials more time to make decisions based on the
intelligence received from the federal government, matched with
intelligence gathered by local law enforcement.

The concept caught fire -- soon the DHS got wind of it and offered its
help, Bratton said. "When they heard about what we were attempting to do
at the local level, [the DHS], along with the FBI, reached out, offering
services to help the facilitation of information and the raw data that
is still public-safety sensitive."

Bratton and the DHS have come to the agreement that the network will
include 16 Urban Area Security Initiative (UASI) cities -- possibly 17,
since Las Vegas has received so many terrorist threats -- that will
receive sensitive homeland security intelligence notices directly from
the DHS. From those cities, the information will trickle down to others
in the region.
The UASI cities were identified by the DHS as particularly vulnerable
based largely on population density, critical infrastructure and threat
information.

"For example, I work closely in my region with the sheriff's department
and the 44 cities in the Los Angeles County area," Bratton said. "So
information that I'm getting, I'm sharing with my 16 colleagues in the
major cities -- I'd then very quickly be in a position to move that
information down into my region."

The police chiefs and the DHS are in the process of deciding who in each
city will be the point of contact, and the preferred method of
communication. "In our case, we use BlackBerries," Bratton said.
"Somebody else might use some other type of notification."

Ideally the DHS will send notifications more quickly, because the
notification wouldn't be subject to the vetting and editing process that
is the trend of formal DHS communications to date. The idea is that the
DHS will pass along threat information as it's received, letting local
public safety officials decide the seriousness of each threat and how to
react.

"What we'd be looking for is pretty raw data, quickly, with the clear
understanding that this is raw data, and then each city would make the
determination if it's something pertinent to them in a sense that,
before the whole country goes up to orange alert, is this something
going on that we have to make a quick decision on?" Bratton said.

Las Vegas Sheriff Bill Young said he gets notifications from the federal
government about threats to his city, "quite a bit after the fact."
Young believes the DHS would comply with local officials' needs if it
could.

"I look at this as a technological fix," he said. "DHS would want to
give it to every police chief in America if there was a mechanism to do
so. What is that mechanism? It's going to end up being some kind of
notification system and a service of some sort.
I think it will ultimately end up in the FBI's hands because they work
more closely with law enforcement."

The group will also ask the DHS to consider funding closed circuit video
teleconferencing capabilities in each of the cities, allowing officials
to communicate through video feeds.

Bratton acknowledged the difficulty for federal officials to communicate
with some 16,000 law enforcement agencies in the country, which is why
developing relationships is so important.

"Really it might sound very simplistic," he said. "But interestingly
enough, we haven't yet moved to the stage where we do this as a routine
matter of course. We don't need all 16,000 agencies to be in the network
on some of this information right away, so you need to have these
various spheres of networking."

Relating to Cyber

State and local officials are also concerned by the lack of connectivity
between the federal government and the states on cyber-security issues,
as well as a general lack of interest in the issue.

Officials at state and local levels are hopeful that the addition of an
assistant secretary for cyber and telecommunications security within the
DHS will put a spotlight on cyber-security, which many say has been
ignored. Evidence of the lack of focus on cyber-security lies in the
recent revolving door of cyber-security chiefs at the DHS, including a
few that lasted one year or less.

"It's our sense that they left because of the frustration from not
seeing a very concerted effort moving on these kinds of things," said
Tom Jarrett, president of the National Association of State Chief
Information Officers (NASCIO). "I've tried to say in testimony that
critical infrastructure by its very nature is critical, whether it's
roads or airports or rivers or network infrastructure. It's as critical
as anything that we have, and there's got to be much more of a focus
toward it than what we've seen in the past."
The new assistant secretary will be responsible for identifying and
assessing the vulnerability of critical telecommunications
infrastructure and assets; providing timely, actionable and valuable
threat information; and leading the national response to cyber and
telecommunications attacks, according to a DHS press release.

Jarrett said he thinks the higher profile position on cyber-security
within the DHS just might increase emphasis on the issue.

"We in the states, and at NASCIO as well, will be watching the changes
very closely," Jarrett said. "We're hoping that it's going to really
change. I'm not so sure the connection [with the DHS] has been very
good, and the discussions have never been very good. That's been an
issue for us in the states, and of course, something NASCIO has focused
on at least on the cyber-side of things, which is our primary concern."

The DHS's Smith said the new position should mean more attention to
cyber-security. "It does reflect that cyber-security is a priority
within the department, something that will receive strong resources."

The reorganization as a whole could develop a focus on issues that
Jarrett believes have gotten lost in the shuffle.

"A lot of people ask, 'Have we started to forget what happened on 9/11?'
I'm fearful that we have, from a larger perspective, both from a
physical security side and the cyber-security side. I'm concerned about
that."

Jarrett would also like to see the position of CIO within the DHS given
more authority, but that may be wishful thinking because the
reorganization calls for no changes in the reporting structure. "I'm
hearing it doesn't sound like it's going to be, but we're hopeful that
they look at that and try to change that because we believe it's
needed," he said.

Smith, however, said states and locals should benefit greatly from the
reorganization, citing the consolidation of the State and Local
Government Coordination Office and the Office of Legislative Affairs as
one big perk.
"That single office will have lead responsibility to create consistent,
efficient, useful communications with all government officials," she
said. "It streamlines things operationally."

Another consolidation that should benefit states and locals is combining
all preparedness efforts under a single directorate led by an Under
Secretary for Preparedness. That will mean training, grants and medical
preparedness -- under a new chief medical officer -- as well as
cyber-security and infrastructure protection will fall under this
position.

Smith said consolidating all preparedness efforts beneath the Under
Secretary for Preparedness should create more accessibility for state
and local officials.

"The same is true for reorganization across the board," she said.
"Consolidating our intelligence functions into one office, all our
preparedness functions into one office, even having one chief medical
officer overseeing all medical response issues, will give our partners a
better understanding of where responsibilities rest."

Copyright © 2005 e.Republic, Inc. All rights reserved.

From isn at c4i.org Mon Nov 7 03:09:11 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 7 03:17:44 2005
Subject: [ISN] Cisco IOS Hacker Finds Work at Juniper
Message-ID:

http://www.eweek.com/article2/0,1895,1882028,00.asp

By Paul F. Roberts
November 4, 2005

Updated: Security researcher Michael Lynn, made famous for exposing a
major hole in Cisco's software, is now employed at Cisco rival, Juniper.

Michael Lynn, the security researcher who made international headlines
in July for blowing the whistle about a major hole in Cisco Systems
Inc.'s software, has found employment at Cisco's chief rival, Juniper
Networks Inc.

A Juniper spokesman confirmed that Lynn works for the Sunnyvale,
California, networking equipment maker, three months after he lost his
job as a researcher at Internet Security Systems Inc.
when he disregarded company requests to spike a presentation at the
Black Hat Briefings Conference in Las Vegas about a vulnerability in
Cisco's IOS (Internetwork Operating System).

Cisco issued a patch for the hole Lynn discovered on Wednesday. Cisco
did not respond to requests for comment in time for this story. An ISS
spokesman said the company had "nothing to add" to the story.

Lynn was the subject of intense media attention and a lawsuit after his
planned discussion of the IOS vulnerability at Black Hat, an annual
hacker convention, turned into a stand-off between Cisco, Lynn and show
organizers.

Initially, Cisco forced conference organizers to physically remove notes
on the IOS hole from conference proceedings and convinced Lynn's
employer ISS to cancel the talk. Lynn agreed with the plan, then
abruptly changed his mind, and resigned his position at ISS and
presented information on the hole to a rapt audience.

Lynn's talk prompted Cisco and ISS to get a California court to issue an
injunction and temporary restraining order against Lynn and Black Hat
Inc., demanding that Lynn and Black Hat stop disseminating information
on the IOS hole, which Cisco alleged was illegally obtained.

Lynn, Cisco and ISS reached an agreement shortly after the talk, with
Lynn promising never to discuss the hole or present at Black Hat again,
and to return all research materials relating to the hole to Cisco. Lynn
then disappeared from view.

In its patch Wednesday, Cisco acknowledged that IOS was vulnerable to
what are known as heap-based overflows, in which portions of memory on
Cisco routers are overwritten with malicious code.

While Lynn's defiance of Cisco and ISS made him a folk hero within the
hacking and security researcher community, many speculated that he could
have trouble finding work, especially at security research companies
like ISS that emphasize confidentiality. With Lynn now gainfully
employed at Juniper, those concerns turn out to be unfounded.
A company spokesman declined to say what Lynn's job was, or how long he
had been working at the company, citing a company policy not to discuss
individual roles and responsibilities.

Bruce Schneier, founder and CTO of CounterPane Security Inc., said that
Juniper may have picked the right man for the job, even if Lynn is a
former hacker.

"Smart companies hire the best person for a job," said Schneier.
"Sometimes the best person for the job is a former hacker. And sometimes
the best person for a job is someone who stood up for what's right
against some pretty big companies."

From isn at c4i.org Mon Nov 7 03:09:31 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 7 03:18:01 2005
Subject: [ISN] Book Review: The CISO Handbook: A Practical Guide to Securing Your Company
Message-ID:

http://books.slashdot.org/books/05/11/04/039222.shtml

[ http://www.amazon.com/exec/obidos/ASIN/0849319528/c4iorg - WK]

Author: Michael Gentile, Ronald Collette, Thomas August
Pages: 314
Publisher: Auerbach Publications
Rating: 9
Reviewer: Ben Rothke
ISBN: 0849319528
Summary: A most practical guide

The CISO Handbook: A Practical Guide to Securing Your Company lives up
to its title as being a practical guide to security. The book is the
antithesis of the "products equal security" approach, and takes a
pragmatic approach to security. The authors have extensive real-world
experience and approach information security from a holistic
perspective. They clearly understand what it takes to build an
information security program.

One of the biggest mistakes in security is that it is seen as plug and
play. Buy a security product, install it, and like magic, you have this
thing called data security. But that only works in the world of product
brochures and marketing material, not in the real world. The book does
not approach security from a plug and play perspective, but as an
endeavor that requires a multi-year effort to come to fruition.
The five chapters deal with security from its true source, namely that
of risk. The chapters are: Assess, Plan, Design, Execute and Report.
These five areas encompass all of information security, and those firms
that have built an information security infrastructure have all done it
by focusing on these five areas.

The first area, Assess, is all about risk management. Many companies
will purchase security products without even knowing what their specific
risks are, and have often not performed a comprehensive risk analysis.
Without a comprehensive risk analysis, any security product will simply
operate in a vacuum. The benefits of a risk assessment and analysis are
that they ensure that an organization is worrying about the right things
and dealing with real, as opposed to perceived, threats. The ultimate
outcome of a risk analysis should be to see if the organization can
benefit from the security product.

Chapter 1 ends with an assessment checklist of various areas that go
into a risk assessment. One of the questions in the checklist that you
likely will not see anywhere else is "describe the political climate at
your company". Too many security people think only about the technology
and neglect the political implications of a security system. Not taking
into consideration the politics is a surefire way to potentially doom a
project. Similar questions detailed in the checklist will give the
reader a good feel for how secure their organization truly is, as
opposed to the often perceived view of being much more secure.

Chapter 2 is aptly titled Plan. The planning phase is meant to combine
the issues of assessment and to integrate options to mitigate those
risks. The way in which a specific security technology or methodology is
implemented is dependent on the organization. Rather than using a
cookie-cutter approach, effective planning ensures that the security
technologies chosen support your security program.
Far too many organizations make the mistake of simply buying products
without giving enough consideration to the myriad details of how they
will be deployed, managed and used. Chapter 2 emphasizes the need for
planning, and the book as a whole emphasizes the need for the use of a
methodology when dealing with information security. For many security
technologies, the challenges are not so much with the technology, but
rather with ensuring that the technology meets business requirements, is
scalable and reliable, etc.

Building a comprehensive information security program is likely to be
more complex than previous experience of typical IT projects. As well as
project management, technical and operational aspects, there are many
policy, legal and security issues which must be taken into
consideration. By following a structured methodology based on practical
experience, many of the potential traps and pitfalls can be avoided. The
risks to the business and the project are reduced and those that remain
are quantified at an early stage.

The planning checklist at the end of chapter 2 will help by ensuring
that the solutions identified are deployed in the context of a well
designed information security program. It can also be used as a wake-up
call to management, which often seriously underestimates the amount of
time and manpower required to create an effective information security
program.

One of the added benefits of planning is that it makes it much easier to
integrate new regulatory requirements into the security program. A
well-planned network can retrofit new requirements much more quickly and
efficiently. This is a critical need given the increasing amount of new
regulations that will come into play in the coming years, in addition to
current regulations such as HIPAA, Sarbanes-Oxley and much more.

Chapters 3, 4 and 5 progress in a similar manner with the topics of
Design, Execute, and Report.
Each chapter details the essentials of the topic and shows how it is
critical to the efficacy of a successful information security program.

What the reader may find missing from the book is particulars of the
various security technologies. But that is the very function of the
book, to show that information security is not primarily about the
products, but rather the underlying infrastructure on which those
products reside. Any product that is not deployed in a methodology
similar to that of The CISO Handbook is likely to find itself lacking.
The product might be there and hum along; but the security that it
provides will likely be negligible.

The uniqueness of The CISO Handbook is that it shows how to design and
implement an effective security program based on real world scenarios,
as opposed to product reviews and vendor evaluations.

The CISO Handbook: A Practical Guide to Securing Your Company is indeed
a most practical guide, as its title suggests. It is quite helpful to
anyone in a security organization, whether they are the CISO, system
administrator, or in a different capacity.

From isn at c4i.org Mon Nov 7 03:10:00 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 7 03:18:19 2005
Subject: [ISN] Linux Advisory Watch - November 4th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  November 4th, 2005                           Volume 6, Number 45a  |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                    Benjamin D. Thomas
                dave@linuxsecurity.com         ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.
This week, advisories were released for lynx, OpenSSL, gnump3d,
netpbmfree, gallery, phpmyadmin, SELinux PAM Local, TikiWiki, mantis,
Ethereal, XLI, libgda, ImageMagick, kernel, and wget. The distributors
include Debian, Gentoo, and Red Hat.

----

Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic
Excellence in Information Security. Our program offers unparalleled
Infosec management education and the case study affords you unmatched
consulting experience. Using interactive e-Learning technology, you can
earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/linsec

----

Hacks From Pax: SELinux And Access Decisions
Pax Dickinson

Security Contexts

SELinux makes access decisions by checking the security context of the
subject (a process, sometimes associated with a user) against the action
attempted (e.g. a file read) and the security context of the targeted
object (such as a file or network port). These contexts are divided into
three parts: a user identity, a role, and a domain or type. In the
current SELinux policy, access is not restricted based on user
identities, so we'll focus on roles and domains in this article.

User Roles

On an SELinux system, unlike a standard Linux system, root has no
special privileges inherent to the account. SELinux privileges are
denoted by a user's role. A standard user is assigned a role of user_r,
which gives no special privileges. System administrator accounts are
assigned a role of staff_r, which permits what is known as a "role
transition" to the sysadm_r role. The sysadm_r role is the equivalent of
the root account on a non-SELinux system; it has unfettered access to
the system. A staff user transitions to the sysadm_r role by using the
newrole command, as shown below.

    newrole -r sysadm_r

The user is then prompted for his or her password, successful entry of
which will result in transition to the new role.
You can view your current role by issuing an id -Z command.

Domains and Types

Domains and types are synonyms; typically the term "domain" is used when referring to processes and the term "type" is used when referring to files. Types are the primary method used by SELinux to make authorization decisions. The strict policy defines relatively few users and roles, but contains hundreds of types. Types are assigned by the security policy based on the path of the file in question, and the policy also transitions processes into an appropriate domain based on the context of the executed file and the domain of the process executing the file.

For example, the Apache webserver executable file has a type of httpd_exec_t. When that file is executed by the init process at bootup, the policy forces the new process to transition into the httpd_t domain. The httpd_t domain has the ability to read web content denoted by the httpd_content_t type, but not to change it or access any other domains not required for proper webserver operation.

You can view the type of a given file by using the -Z option of ls, and you can view the domain a process is running in by using the -Z option of ps. These -Z options are specific to SELinux and will not function on a non-SELinux system.

Read Entire Article:
http://www.linuxsecurity.com/content/view/120622/49/

----------------------

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of Unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.
http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.

http://www.linuxsecurity.com/content/view/119087/49/

---

Review: The Book of Postfix: State-of-the-Art Message Transport

I was very impressed with "The Book of Postfix" by authors Ralf Hildebrandt and Patrick Koetter and feel that it is an incredible Postfix reference. It gives a great overall view of the operation and management of Postfix in an extremely systematic and practical format. It flows in a logical manner, is easy to follow and the authors did a great job of explaining topics with attention paid to real world applications and how to avoid many of the associated pitfalls. I am happy to have this reference in my collection.

http://www.linuxsecurity.com/content/view/119027/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New lynx packages fix arbitrary code execution
  27th, October, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120671

* Debian: New OpenSSL packages fix cryptographic weakness
  27th, October, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120672

* Debian: New lynx-ssl packages fix arbitrary code execution
  27th, October, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120676

* Debian: New gnump3d packages fix several vulnerabilities
  28th, October, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120680

* Debian: New netpbm-free packages fix arbitrary code execution
  28th, October, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120686

* Debian: New gallery packages fix privilege escalation
  2nd, November, 2005
  Updated profile.
  http://www.linuxsecurity.com/content/view/120701

* Debian: New phpmyadmin packages fix several vulnerabilities
  2nd, November, 2005
  Updated profile.
  http://www.linuxsecurity.com/content/view/120703

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: SELinux PAM Local password guessing attack
  28th, October, 2005
  A vulnerability in the SELinux version of PAM allows a local attacker to brute-force system passwords.
  http://www.linuxsecurity.com/content/view/120681

* Gentoo: TikiWiki XSS vulnerability
  28th, October, 2005
  TikiWiki is vulnerable to cross-site scripting attacks.
  http://www.linuxsecurity.com/content/view/120684

* Gentoo: Mantis Multiple vulnerabilities
  28th, October, 2005
  Mantis is affected by multiple vulnerabilities ranging from information disclosure to arbitrary script execution.
  http://www.linuxsecurity.com/content/view/120685

* Gentoo: Ethereal Multiple vulnerabilities in protocol dissectors
  30th, October, 2005
  Ethereal is vulnerable to numerous vulnerabilities, potentially resulting in the execution of arbitrary code or abnormal termination.
  http://www.linuxsecurity.com/content/view/120689

* Gentoo: XLI, Xloadimage Buffer overflow
  30th, October, 2005
  XLI and Xloadimage contain a vulnerability which could potentially result in the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/120690

* Gentoo: libgda Format string vulnerabilities
  2nd, November, 2005
  Two format string vulnerabilities in libgda may lead to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/120712

* Gentoo: QDBM, ImageMagick, GDAL RUNPATH issues
  2nd, November, 2005
  Multiple packages suffer from RUNPATH issues that may allow users in the "portage" group to escalate privileges.
  http://www.linuxsecurity.com/content/view/120713

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Important: kernel security update
  27th, October, 2005
  Updated kernel packages that fix several security issues and a page attribute mapping bug are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120677

* RedHat: Moderate: curl security update
  2nd, November, 2005
  Updated curl packages that fix a security issue are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120707

* RedHat: Important: wget security update
  2nd, November, 2005
  Updated wget packages that fix a security issue are now available. This update has been rated as having important security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120708

* RedHat: Important: openssl security update
  2nd, November, 2005
  Updated OpenSSL packages that fix a remote denial of service vulnerability are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having important security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120709

* RedHat: Moderate: openssl096b security update
  2nd, November, 2005
  Updated OpenSSL096b compatibility packages that fix a remote denial of service vulnerability are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120710

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Nov 7 03:10:50 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 7 03:18:40 2005
Subject: [ISN] Microsoft To Release Just One Patch Tuesday
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml?articleID=173403261

By Gregg Keizer
TechWeb News
November 4, 2005

Microsoft will release one critical security bulletin next Tuesday, Nov. 8, in its monthly patch program, the company said Thursday.

The bulletin, which by Microsoft's numbering system will be dubbed "MS05-053," affects Windows, said the developer's advance notification posted [1] on the Microsoft site.

"The maximum total severity rating for this month is Critical, so please update systems as soon as possible when the bulletin is available this coming Tuesday," wrote Stephen Toulouse, the head of Microsoft's Security Response Center (MSRC), on the group's blog Thursday.

Other than that, Microsoft was mum, but according to vulnerability researchers at eEye Digital Security, there are currently at least eight flaws in Windows that have not been fixed, including ones reported to the Redmond, Wash.-based developer as long ago as March 29, 2005.

Microsoft also said that on Tuesday it would release a pair of high-priority, but non-security-related updates to Windows, as well as reissue its Windows Malicious Software Removal Tool.

If November's patch schedule goes according to plan, it will be a dramatic drop-off from the nine security bulletins rolled out in October; those bulletins fixed a total of 14 vulnerabilities. It might also give MSRC a chance to catch its breath.
Since the October bulletins' release, the security center has notified users that one patch broke some Web sites when viewed with Internet Explorer, clarified one Windows 2000 patch, and explained why another was buggy.

As is usual, Microsoft will host a follow-up Webcast next week, Nov. 9, to answer questions about the fixes.

[1] http://www.microsoft.com/technet/security/bulletin/advance.mspx

From isn at c4i.org Mon Nov 7 03:11:09 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 7 03:18:57 2005
Subject: [ISN] India to set up internal security center
Message-ID:

http://www.upi.com/InternationalIntelligence/view.php?StoryID=20051104-044356-4715r

11/4/2005

NEW DELHI, Nov. 4 (UPI) -- India is starting an internal security center similar to the U.S. Department of Homeland Security to coordinate intelligence and law-enforcement agencies.

"The proposal, which has been doing the rounds of security agencies, has now received the nod from both Intelligence Bureau and the Research and Analysis Wing and has come back to the Interior Ministry," said a report in The Times of India newspaper Friday.

It said the proposal was prepared by experts working at the Indian Institute of Technology in the northern Indian city of Kanpur.

The proposed center would maintain a database for all citizens, with records of their profession, birthplace, residential address and foreign visits.

"The center will deal with the internal security issues like those requiring scientific, technical and analytical expertise," an Intelligence Bureau official said. "The blueprint of the proposed center says it would focus on a number of key areas which impact a nation's capacity to combat the modern-day terrorism like processing counter-intelligence inputs, cyber security, border and transportation and protection of vital security."
The Indian government has taken serious note of the failure of its intelligence and security agencies to have advance information about the serial bomb blasts in New Delhi on Oct. 30 that killed over 60 people and injured 210.

© Copyright 2005 United Press International, Inc. All Rights Reserved

From isn at c4i.org Tue Nov 8 03:16:43 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 8 03:29:06 2005
Subject: [ISN] How to Get a Job in the Infosec Field
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,105902,00.html

Security Manager's Journal
By C.J. Kelly
NOVEMBER 07, 2005
COMPUTERWORLD

My decision to stay in my current job for quality-of-life reasons provoked emotional responses from several readers. Some of those who wrote to me about that column [QuickLink 57182 [1]] had made similar decisions. But a few, after reading about how I turned down multiple job offers, asked, "Where are all these jobs you keep talking about?" I felt compelled to do a little research on the information security job market and present the results here.

First, I did an unscientific survey of the publicly posted jobs. In my case, most of the jobs I've had have come from personal referrals, so when I'm looking, the first thing I do is contact my network of friends and colleagues. However, I have found that searching the job boards gives me a sense of the types of jobs that are out there, who's hiring and approximate salary ranges.

I set out to answer five questions with this research:

1. How many security jobs are out there?
2. What types of security jobs are out there?
3. What requirements do employers have for certifications and degrees?
4. What parts of the country have more security jobs than others?
5. What are the salary ranges?
Whenever I'm contacted by a recruiter looking for security professionals, I point him in the direction of the International Information Systems Security Certification Consortium Inc., or (ISC)2, which offers the Certified Information Systems Security Professional (CISSP) certification. When I checked its site, the (ISC)2 had over 80 security job postings, many with multiple positions, for the month of October. The positions ran the gamut from salespeople to technical security engineers, executives and consultants. The companies advertising for security professionals were located all over the map, including Canada, England, Saudi Arabia and California.

Eighty didn't seem like a very big number, though, so I surfed to some of the major job boards. Each job board has its own way of making searching easier, but by searching for "CISSP" for October, I got the following results: Dice, 645 matches; HotJobs, 1,000; CareerBuilder, 713; Monster, over 800 matches.

There were plenty of job postings from the Big Four consulting houses looking for security types to do audit work, traveling 100% of the time for $40 per hour or less. For a qualified security professional, that's practically minimum wage. Working for one of the Big Four looks good on your resume, gives you a lot of experience (primarily in IT audit) and makes you an expert in dealing with airports, hotels and rental car companies.

I would exclude the big consulting companies. They charge exorbitant prices, but very little of that goes to the consultant who does the job. I also think companies would do better hiring full-time security people and internal auditors. (No offense to you Information Systems Audit and Control Association types; I am also a member!)

The biggest problem with searching was finding the right security job description for me. There's no real agreement on what constitutes a security engineer as opposed to a security analyst or a security architect.
Executive positions (director level and above) aren't always posted, but those that are seem to be fairly clear about requirements.

Types of Jobs

The answer to the question about the types of jobs out there: You need to know what you are best at and look for jobs that match your skill set. There are plenty of opportunities, though many of them are ill defined. Many companies don't really know what they want and need, so you have to keep knocking on doors until you find one that swings open enthusiastically.

As for certifications and degrees, my first conclusion is that you should finish that bachelor's degree if you haven't already done so. Not too long ago, technical people were hired based on a particular skill set, not necessarily on formal education. But the trend now is toward demanding that sheepskin, and a bachelor's degree seems to be the minimum requirement for a large number of posted jobs. In many cases, a master's degree is desired.

I also found that employers want degrees to be supplemented by a string of technical certifications. The bar seems to be rising. The CISSP is a very popular and highly regarded certification, but the SANS Institute also offers an excellent certification series that's highly respected. As Linux becomes more mainstream, Red Hat certifications are growing in importance. Microsoft offers the MCSE+ security certification. And let's not forget Cisco. There are many certification programs, but these are on the short list. They are all valuable, each with a different emphasis. The trick is to find the openings that fit your certifications and skills, and just keep knocking on those doors.

In the U.S., the West and East Coasts appear to have more security jobs than other parts of the country, and they pay more -- sometimes two to three times as much. Just remember that the cost of living matches those increased pay scales.
I noticed that the job boards all have ways of doing area or metro searches, so with a little practice you should become fairly proficient at searching various locales for particular kinds of jobs.

As for salaries, they've been all over the map in recent years, and employers seem to be hesitant to post anything specific about them. Just remember to value yourself and your skills in advance so that when you are contacted by a prospective employer, you will be confident in your market value.

Remember, it's not about the money. It's about doing what you love where you love to do it.

What do you think? This week's journal is written by a real security manager, "C.J. Kelly," whose name and employer have been disguised for obvious reasons. Contact her at mscjkelly at yahoo.com, or join the discussion in our forum: QuickLink a1590 [2]

To find a complete archive of our Security Manager's Journals, go to www.computerworld.com/secjournal

[1] http://www.computerworld.com/q?57182
[2] http://www.computerworld.com/q?a1590

From isn at c4i.org Tue Nov 8 03:17:00 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 8 03:29:23 2005
Subject: [ISN] Beware Your Trail of Digital Fingerprints
Message-ID:

http://www.nytimes.com/2005/11/07/business/07link.html

By TOM ZELLER Jr.
November 7, 2005

It hardly ranks in the annals of "gotcha!" but right-wing blogs were buzzing for at least a few days last week when an unsigned Microsoft Word document was circulated by the Democratic National Committee. The memo referred to the "anti-civil rights and anti-immigrant rulings" of Samuel A. Alito Jr., a federal appeals court judge who has been nominated to the Supreme Court by President Bush.

The stern criticisms of Judge Alito rubbed some commentators the wrong way (Chris Matthews of MSNBC called it "disgusting" last Monday). But whatever the memo's rhetorical pitch, right-leaning bloggers revealed that it contained a much more universal, if unintended, message: It pays to mind your metadata.
Technically, metadata is sort of the DNA of documents created with modern word-processing software. By default, it is automatically saved into the deep structure of a file, hidden from view, with information that can hint at authorship, times and dates of revisions (along with names of editors) and other tidbits that, while perhaps useful to those creating the document, might be better left unseen by the wider world. (If you use Microsoft Word, open a document, go to the File menu and choose Properties. You should see some metadata. Third-party programs are available that will crack open even more.)

According to some technologists, including Dennis M. Kennedy, a lawyer and consultant based in St. Louis, (denniskennedy.com), metadata might include other bits of information like notes and questions rendered as "comments" within a document ("need to be more specific here," for example, or in the case of my editors, "eh??"), or the deletions and insertions logged by such features as "track changes" in Microsoft Word.

"If you take the time to educate yourself a little and know the issues," Mr. Kennedy said, "you can avoid problems pretty easily."

With the Alito memo - which was distributed on a not-for-attribution basis, with no authors named - the D.N.C. was a little sloppy. Mike Krempasky, a conservative blogger at RedState.org, mined the document's metadata and came up with juicy, code-cryptic tidbits like this (bold added for emphasis):

<o:Author>prendergastc</o:Author>

Or this:

<o:Company>DNC</o:Company>

"The technical wizards at the Democratic National Committee never got the 'don't forward Word documents' memo," Mr. Krempasky wrote, eventually identifying "prendergastc" as Chris Prendergast and "adlerd," which also showed up in the metadata, as Devorah Adler - both members of the D.N.C.
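The inspection the bloggers performed and the scrubbing Mr. Kennedy recommends later in the piece, as an added Python example that is not part of the article: the 2005 memo was a binary .doc, so this works on the XML-in-a-ZIP .docx format instead, where the same author, last editor, company and creation date properties live in docProps/core.xml and docProps/app.xml. The sample document and its property values are constructed inline.

```python
"""Inspect and scrub identifying metadata in a Word .docx (OOXML) package.

Added example, not from the article. A .docx is a ZIP; the properties the
article names (author, last editor, company, creation date) sit as XML in
docProps/core.xml and docProps/app.xml, so they can be audited and emptied
before a document is circulated.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _prefix, _uri in NS.items():  # keep the usual prefixes when re-serialising
    ET.register_namespace(_prefix, _uri)

# property name -> (ZIP member holding it, namespaced tag inside that part)
FIELDS = {
    "author": ("docProps/core.xml", "dc:creator"),
    "last_modified_by": ("docProps/core.xml", "cp:lastModifiedBy"),
    "created": ("docProps/core.xml", "dcterms:created"),
    "company": ("docProps/app.xml", "ep:Company"),
}


def build_sample_docx(author: str, last_editor: str, company: str, created: str) -> bytes:
    """Constructed minimal .docx (enough structure for this check, not for Word)."""
    core = f"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}" xmlns:dcterms="{NS['dcterms']}">
  <dc:creator>{author}</dc:creator>
  <cp:lastModifiedBy>{last_editor}</cp:lastModifiedBy>
  <dcterms:created>{created}</dcterms:created>
</cp:coreProperties>"""
    app = f"""<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="{NS['ep']}"><Company>{company}</Company></Properties>"""
    body = ('<?xml version="1.0" encoding="UTF-8"?><w:document '
            'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p><w:r><w:t>Sample text</w:t></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", body)
    return buf.getvalue()


def member(docx_bytes: bytes, name: str) -> bytes:
    """Raw bytes of one ZIP member (used to show the body survives scrubbing)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return z.read(name)


def extract_metadata(docx_bytes: bytes) -> dict:
    """Return the hidden properties a reviewer should see before circulation."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        roots = {}
        for key, (part, tag) in FIELDS.items():
            if part not in roots:  # parse each part once; a missing part yields None
                roots[part] = ET.fromstring(z.read(part)) if part in names else None
            el = roots[part].find(tag, NS) if roots[part] is not None else None
            found[key] = el.text if el is not None and el.text else None
    return found


def scrub_metadata(docx_bytes: bytes) -> bytes:
    """Copy the package with the identifying properties emptied; other parts unchanged."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            tags = [tag for part, tag in FIELDS.values() if part == info.filename]
            if tags:
                root = ET.fromstring(data)
                for tag in tags:
                    el = root.find(tag, NS)
                    if el is not None:
                        el.text = ""
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(info.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    # Constructed values echoing the article's findings; not the real memo.
    doc = build_sample_docx("prendergastc", "adlerd", "DNC", "2005-07-07T00:00:00Z")
    print("before:", extract_metadata(doc))
    print("after: ", extract_metadata(scrub_metadata(doc)))
```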
The metadata also coughed up a file creation date of July 7, 2005, which the detectives at RedState.org identified as being "just after O'Connor resigned."

None of these amounted to earth-shattering revelations, of course, but taken together they offered a level of detail into the Alito memo that the D.N.C. had not intended.

Josh Earnest, a spokesman for the Democratic committee, pointed out that the origins of the document were never really a secret, even if it was circulated as background material that was not intended to be sourced.

"Based on the fact that the D.N.C. was known to be circulating the document," Mr. Earnest said, "I'm not sure that RedState is breaking any news here."

Still, metadata and other document gaffes have tripped up other organizations, sometimes with more embarrassing results.

Just two weeks before the Alito memo, the United Nations issued a long-awaited report on Syria's suspected involvement in the assassination of Lebanon's former prime minister, Rafik Hariri. It was a damning report for Syria by any standard, but recipients of a version of the report that went out on Oct. 20 were able to track the editing changes, which included the deletion of names of officials allegedly involved in the plot, including the Syrian president's brother and brother-in-law.

A similar gaffe embarrassed the network software company SCO Group in 2004, when it filed suit against DaimlerChrysler for violations of their software agreement. A carelessly distributed Microsoft Word version of the suit revealed, among other things, that the company had spent a good deal of time aiming the suit at Bank of America instead.

"It just sort of made it look like they were looking for the easiest target," Mr. Kennedy said.

At about the same time, California's attorney general, Bill Lockyer, floated a letter calling peer-to-peer file-sharing software - long the bane of the entertainment industry's interests - "a dangerous product."
But a peek at the document's properties revealed that someone dubbed "stevensonv" had a hand in its creation. Vans Stevenson, a senior vice president with the Motion Picture Association of America, said later that he had offered input on the document but had not written it.

"California AG Plays Sock Puppet to the MPAA," was one blogger's response.

The issue increasingly nags at the legal system, as lawyers become aware of the advantages of requesting discovery of the metadata buried in word-processed documents (or debate the ethics of scrubbing the metadata from a file before turning it over to the other side).

"If I get a piece of paper, all I see is a piece of paper," Mr. Kennedy said. "With an electronic document, there's potentially a lot more there."

He noted that at a recent conference on electronic discovery, an Oregon lawyer complained that judges there tended to rebuff requests for the electronic versions of printed documents, saying the printed versions are enough.

But for most other instances - and certainly for cases like the Alito memo - the solutions are simple. Sort of.

Saving a copy of a document in "rich text format" (RTF), or as a simple text file first (options in the Save menu), and then converting it into the common "portable document format" (PDF) before circulating it is a good tack, Mr. Kennedy said. Still, some debate remains as to whether traces of metadata from word-processing programs like Microsoft Word are carried through to the PDF file.

For those who want to be extra safe, several third-party tools will scrub metadata and other information from documents, although with each new advance in software design, the number of potential pitfalls grows.

"It only gets more complicated," Mr. Kennedy said, making sure to point out that all kinds of documents - from spreadsheets to PowerPoint files - contain oodles of metadata. "It seems every time I turn around I run into something new."

Odds are that Derrick A.
Max, the head of two business groups that favored President Bush's plans to privatize Social Security, wishes he could say the same. On request last spring from the Senate Democratic Policy Committee, he e-mailed testimony on the topic. The unscrubbed Word document apparently included editing and advice from an associate commissioner of the Social Security Administration.

"The real scandal here," Mr. Max told The Los Angeles Times after Democrats expressed outrage over the White House's fingerprints on the testimony, "is that after 15 years of using Microsoft Word, I don't know how to turn off 'track changes.' "

From isn at c4i.org Tue Nov 8 03:17:13 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 8 03:29:42 2005
Subject: [ISN] Pizza chain caught without fully baked security
Message-ID:

http://news.com.com/Pizza+chain+caught+without+fully+baked+security/2100-7349_3-5938572.html

By Joris Evers
Staff Writer, CNET News.com
November 7, 2005

Papa John's has beefed up security for its Web-based e-mail system after the pizza chain learned that internal e-mail and customer data had been exposed.

The leak at the Louisville, Ky.-based pizza chain made internal corporate e-mail and thousands of customer comments available to anyone with a Web browser. The customer comments were submitted between Sept. 29 and Nov. 7 and included names, addresses, phone numbers and e-mail addresses of customers.

"It looks like there is no password protection on Papa John's internal Web e-mail system," said Richard Smith, an Internet privacy expert who reviewed the issue at the request of CNET News.com. "This sort of Web site privacy leak happens more than it should."

Papa John's [1] on Monday added password protection to its Web-based e-mail system and the online customer suggestion database, after it was notified of the leak by CNET News.com.
The company's action came hours after information exposing the system's insecurity was published to the popular Full Disclosure security mailing list [2].

"Today we learned that customer feedback over the last five weeks...could be viewed by a user who would have to enter a very specific, unpublished URL," said Chris Sternberg, a Papa John's spokesman.

"We're not certain that anybody has accessed this information," Sternberg said. "We don't think the ability to access this information breached our disclosure policy, but we don't want it accessed by anyone outside the Papa John's system, so we have taken steps to fix this."

The consumer information that was disclosed did not include credit card numbers or other sensitive data, which limits the risk of fraud, said James Van Dyke, principal analyst at Javelin Strategy & Research in Pleasanton, Calif.

"There is no reason to expect that this will lead to identity fraud, as the exposed information is not of the type used by financial companies to grant access to capital," he said. "In the most extreme case, a fraudster could call one of the listed individuals and pretend to be a Papa John's employee, asking for a credit card number or bank number."

While the Web-based system now requires a password, some of the information is still available in the cache of Google's search engine. For example, one internal Papa John's e-mail discusses the company's challenges in re-establishing itself in Mexico and Puerto Rico after the departure of a key employee.

[1] http://www.papajohns.com/
[2] http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0156.html

From isn at c4i.org Tue Nov 8 03:17:31 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 8 03:30:06 2005
Subject: [ISN] Black Hat Organizer Unbowed
Message-ID:

http://www.wired.com/news/privacy/0,1848,69488,00.html

By Kim Zetter
Nov.
07, 2005

On Wednesday, Cisco Systems released a patch for what has become known as the Black Hat Bug: a serious vulnerability in the operating system running Cisco routers, which drive traffic through much of the internet and control critical infrastructure systems.

Cisco's move closes the book on a controversy that began last July, when Mike Lynn, a computer security researcher speaking at the Black Hat security conference in Las Vegas, demonstrated that an attacker could use the bug to crash Cisco routers or control them remotely. Before Lynn's talk concluded, the dark conference room was already lit with the glow of cell phones from audience members urging their IT departments to immediately patch their Cisco routers.

Lynn was lauded by much of the security community for disclosing the problem. But for his troubles, he and Black Hat organizers were slapped with legal injunctions.

Lynn had been asked by his employer, Internet Security Systems, to reverse-engineer the Cisco router to find the flaw, and both Cisco and ISS initially sanctioned his Black Hat presentation. But two days before the talk, Cisco demanded that slides of the presentation be removed from the conference book and CD-ROM. And after the talk, the FBI began investigating Lynn for allegedly stealing trade secrets.

The legal wrangling finally ended this week, and the FBI case against Lynn has closed.

Lynn spoke with Wired News in July to tell his side of the story. Now Black Hat founder Jeff Moss talks about what happened from his perspective and why companies continue to repeat the mistakes of their predecessors in trying to suppress the full disclosure of security bugs and punish security researchers.

Wired News: Describe how events unfolded at Black Hat.

Jeff Moss: We realized something bad was happening on ... Monday morning (July 25). One of the Cisco representatives, Mike Caudill, came by and said, "Hey, can I see the printed material (for the conference)?"
I said, "Well, we don't give our books out until Tuesday at 4 p.m." (before the conference opens). "I'll let you look, but we'll need the book back." So he flips to Mike Lynn's presentation and basically says "Holy crap! This isn't supposed to be in here. ISS told us only an abstract was going to be printed in the book."

I said, "How can we accept a speaker with only an abstract? Of course there's going to be slides."

Now it's about 20 hours until we started handing out the bags with the books and the CDs in it, and Cisco gets on the phone to their legal department and gets everybody all spun up....

(Cisco claims that Lynn is revealing proprietary source code in some of the slides and wants them removed. After Moss agrees, Cisco's people spend hours ripping out Lynn's presentation from thousands of conference books and reburning CD-ROMs.)

If Cisco is saying there's proprietary Cisco source code in there, it's hard for me to evaluate that (just hours before the show). If it's true and it is really proprietary and really would be breaking the law ... I would want to remove it.

Mike Lynn said don't worry about it. If they want to remove it, remove it. The printed materials in the book had more details than what Mike had on his PowerPoint slides. He was thinking that with those details removed, he'd be able to give his talk, because he wouldn't be revealing any of the stuff that Cisco was concerned about. And then it became clear that it really wasn't specifically that source code, it was pretty much the whole talk in general that Cisco was really nervous about.

WN: But they agreed that he would speak anyway, right?

Moss: (By) Tuesday around 2 p.m., Cisco had pulled all of the material out of the books. The (revised) CDs were starting to show up, and it looked like everything was fine. Cisco was happy, ISS was happy, and it looked like we dodged that bullet.
As soon as the show was over, and we're cleaning up the show and everything looks like it's done, all of a sudden FBI agents call me on the phone and want to talk to me. It turns out that while Black Hat and Mike Lynn were negotiating with Cisco and ISS, somebody at ISS in Atlanta calls the local FBI field office in Atlanta and claims theft of trade secrets. So while we're negotiating in good faith and trying to resolve this, behind the scenes ISS has fired up the FBI on Mike Lynn.

WN: Debates about full disclosure have been going on for years, and a number of companies have created firestorms from trying to suppress information about flaws or punishing researchers, such as Dmitri Sklyarov, who got into trouble with Adobe. Why haven't companies learned the lessons about trying to suppress information?

Moss: There must be something that's fundamental in human nature. Or people are coming into the business too quickly and don't have any sense of history. It doesn't portray a positive image that these are talented professionals pursuing security research, and it doesn't do any of us service.

WN: You've said that you felt Mike Lynn followed all of the proper procedures that a researcher should follow for responsible disclosure of vulnerabilities. And yet Cisco and his own company turned on him.

Moss: It's disturbing because you can play in your mind how this can happen to any person working for any company. And if that starts happening, it's just going to be a big stifling of innovation, and it's going to drive researchers underground. Or they're just going to only post on full-disclosure lists under fake handles.

WN: Some companies purchase vulnerability information about their products from independent researchers and have them sign non-disclosure agreements preventing them from telling anyone outside the company about the flaws. What do you make of bartering crucial information like that?
I'm reminded of the federal agents who thanked Lynn after his Black Hat presentation for giving them information about their systems that Cisco didn't give them.

Moss: Yes, that was what was really frustrating. If Cisco is not even telling the feds, then where does the greater good end and the profits begin? Mike Lynn, under the full-disclosure model that I subscribe to, informed Cisco, and Cisco had plenty of time (before his presentation) and released the patch.... Free research was done on Cisco's products. It was a third party that invested time and money, and Cisco got a benefit out of it. Well, everybody got a benefit out of it because it made a better product and they fixed the problem in its current form. And all everybody (else) gets out of it is a lot of misery and legal bills. In my ideal world the vendor, Cisco, would be thanking Mike for improving their product and apologizing to the community for not finding the problem themselves.

WN: There has long been debate in the security community about making companies legally responsible for releasing products with security flaws. Should software companies be held responsible for failing to disclose or act on information they discover about vulnerabilities in products after releasing them?

Moss: I'm opposed to creating more laws. We have so many of them, and they're so poorly enforced. But I think what we need is some sort of guidance ... not necessarily a law forcing the companies to disclose a bug, but ... some sort of protection for the bug finder. Is (bug research and disclosure) considered protected speech, sort of like the First Amendment? (Should there be) an exception under Digital Millennium Copyright Act for reverse-engineering for security purposes? It would be really nice to have some kind of uniformity. (So that) people know, if you're doing security research in the United States, this is how the game is played legally. There's not that kind of clarity yet.
And nobody wants to be the DMCA test case.

WN: Researchers often hold onto really big disclosures so they can present them at conferences and make a splash. Should conferences serve this function for revealing information like that?

Moss: I think the function of conferences is a very important one. Researchers want to get a chance to be face to face with their peers and share information and then to show off and push other people. It advances the state of the art a bit.

I was asked by somebody in some three-letter (government) agency if I planned to change anything about the show (after the problems this year). Because they were concerned that if I had to neuter the content or had to fundamentally change the way the show ran to try to avoid these problems in the future, it would impact the quality of the content. And they didn't want that to happen. They viewed the content as valuable, and they were frightened that the Cisco-ISS deal would have somehow affected what researchers do. I said no, that I can't see changing anything. I think what we offer the public is valuable. I think people in the government realize it's valuable, otherwise the show wouldn't be so successful.

One of my concerns is that if you start punishing these researchers or publicly threaten them with lawsuits, they'll just go underground, and that really then doesn't offer the company any chance to communicate with them or learn from them. Why risk getting sued by telling a company about a bug? Some researchers now just think that it's too much effort. They have to play politician now (with the companies) when all they want to do is play researcher....

There are some vulnerability-assessment tools that have come out ... that (uncover) five or six vulnerabilities (in software) that have never been announced. The (product) vendors don't know about them. The people who write the tools are just busy writing them, and they don't want to spend time holding the hand of all these manufacturers.
That's kind of interesting, because the first chance that these vendors have of knowing there's a problem with their product is when somebody calls them up and says, "Hey, I just downloaded this tool and found five problems (in your product)."

WN: What benefits have come from the Ciscogate incident?

Moss: There were so many people sitting in that session who immediately picked up the phone to call their IT departments and told them to immediately patch all of their gear right now. That was kind of funny because nobody ever messes with their Cisco gear. It sort of works and nobody ever touches it. In one fell swoop, it forced everybody to update their gear and not only fixed the Mike Lynn (bug), but it fixed all of the previous Cisco bugs that nobody had bothered to patch. So by Mike demonstrating (the problem), I think it made everyone wake up ... and realize, hey, we've got to treat routers just like we treat computers, and we've got to start patching and staying on top of these patches.

From isn at c4i.org Tue Nov 8 03:17:59 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 8 03:31:07 2005
Subject: [ISN] Air Force raises bar on desktop security
Message-ID:

http://www.fcw.com/article91318-11-07-05-Web

By Frank Tiboni
Nov. 7, 2005

The Air Force plans to test its new Microsoft standard desktop computer configuration at five field sites later this month. The service wants to install the configuration on 70 percent of its computers by June 2006 and on the rest by the end of 2006, Air Force and industry officials said.

The Air Force will distribute Microsoft software with standard security configurations servicewide to improve network security and management. Military and civilian agencies are watching the testing because they could use the software governmentwide early next year.

Many security problems associated with Microsoft software occur when users do not properly configure their systems.
As part of this initiative, the Air Force is standardizing desktop PCs that are set up with all appropriate controls in place.

"We are very pleased with our early test results and look forward to significant advances in network operations and security as the Air Force standard desktop configuration is implemented across our enterprise during 2006," said Rob Thomas, deputy chief of the Office of the Secretary of the Air Force, Chief of Warfighting Integration and Chief Information Officer.

The Air Force has tested various versions of the standard desktop PC configuration in labs at many locations since May. The results identified minor incompatibilities with a number of government-developed software applications, and the Air Force is correcting those problems, a service spokeswoman wrote in an e-mail.

Developers at the five field sites will study implementation processes and correct further hardware and software compatibility problems. After the Air Force writes a test report and makes necessary corrections, its leaders will approve servicewide implementation, the service spokeswoman said.

Government agencies can use the standard desktop PC configuration after the Air Force tests it and service leaders approve its implementation. Agency officials can use any part of the configuration, "from the configuration settings up to the actual image that will be installed on the workstations, consistent with their licensing status regarding the 19 applications and plug-ins that comprise the image," the spokeswoman said.

The Air Force's preconfigured bundle of Microsoft software includes the Windows XP operating system, Office suite, Internet Explorer, and portions of Windows Server 2003 and other applications. The service calls it a software image.
"My personal assessment is that [the Office of Management and Budget] and the CIO Council may wait until after the results of the initial testing to finalize their strategy for potential deployment of the standard configurations across other agencies," said John Gilligan, the service's former CIO who helped develop the initiative. He is now a vice president and deputy director at SRA International's defense business unit.

The testing is important because attacks come within days of vulnerability and patch announcements and agencies cannot maintain their computer defenses if they cannot quickly patch, said Alan Paller, director of research at the SANS Institute, a nonprofit organization that monitors computer security.

From isn at c4i.org Tue Nov 8 03:16:13 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 8 03:31:34 2005
Subject: [ISN] Passwords reset after breach of Navy-Marine Corps network
Message-ID:

http://www.govexec.com/story_page.cfm?articleid=32737

By Daniel Pulliam
dpulliam @ govexec.com
November 7, 2005

A recent breach of the Navy Marine Corps Intranet did not jeopardize personal or organizational information, but required some passwords to be changed, according to a Navy spokesman.

Passwords for certain users on the unclassified portion of the NMCI network were reset as part of a "prudent network security response" to an intrusion by an unauthorized user, said Lt. Cmdr. Ron Steiner, a public affairs officer for the Naval Network Warfare Command in Norfolk, Va. There is a separate classified NMCI network that was not affected by this incident.

The network intrusion occurred around Oct. 20 on a legacy server that was not properly configured, Steiner said.

"Based upon that, they found it prudent that we should take the extra precaution and change . . . [the] passwords," Steiner said. "In our opinion, the system worked as we expected it to."
Because the Navy was able to track and see where the intruder went inside the system, officials are confident that "there was no big compromise of any information," Steiner said.

The ports used by the unauthorized intruder have since been blocked and taken offline, Steiner said. If the intruder is caught, the case will be handed over to Naval Criminal Investigative Service, he added.

The breach also didn't affect the IT 21 networking system, which serves the Navy's ships, and the overseas network ONE-NET, according to a message sent to NMCI users last month.

From isn at c4i.org Tue Nov 8 03:16:28 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 8 03:31:59 2005
Subject: [ISN] Vast security risk from Flash hole
Message-ID:

http://www.techworld.com/security/news/index.cfm?NewsID=4740

By Matthew Broersma
Techworld
07 November 2005

Macromedia has warned of a critical bug in its Flash Player - one of the most widely used pieces of software on the desktop - that could allow attackers to take over a system.

eEye, the security research firm co-credited with discovering the bug, said it had demonstrated "reliable exploitation" using the bug in the Internet Explorer browser, but other browsers are also said to be just as open to attack. Macromedia also credited Sec Consult with the discovery.

The flaw affects all Windows versions of Flash Player 6.x and Flash Player 7.0.19.0 and earlier, but has already been addressed in Flash Player 8 (8.0.22.0), according to eEye. Macromedia recommended upgrading to Flash Player 8 but also released an update to Flash Player 7 fixing the bug. Flash Player 8 isn't supported by older operating systems such as Windows 95 and Windows NT.

The bug is due to missing validation of the frame type identifier read from a SWF file, which could be used to force the player to use attacker-supplied values as function pointers, according to eEye.
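The bug class the article describes, an unvalidated type byte read from a file and used as an index into a table of function pointers, is easiest to understand with the defect and its fix side by side. The C below is an added illustration written for this digest, not Macromedia's code, and the record layout it parses ([type:1][len:1][payload:len]) is a constructed toy format, not the SWF file format; the handler names and sample byte strings are likewise made up for the example. It generalizes the article's single case: both the index check and the length check that any such tag parser needs are shown, and a stream walker stops at the first malformed record.

```c
/* Toy frame-record parser illustrating an unchecked type byte used as an
 * index into a function-pointer dispatch table. Constructed example: not
 * Macromedia's code and not the real SWF format. Assumed record layout:
 * [type:1][len:1][payload:len]. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef int (*frame_handler)(const uint8_t *payload, size_t len);

/* Three hypothetical frame types; every handler returns a non-negative value. */
static int handle_show(const uint8_t *p, size_t n)  { (void)p; return (int)n; }
static int handle_place(const uint8_t *p, size_t n) { return n ? p[0] : 0; }
static int handle_end(const uint8_t *p, size_t n)   { (void)p; (void)n; return 0; }

/* Dispatch table: the file's type byte selects a handler. Only 3 valid types. */
static const frame_handler handlers[] = { handle_show, handle_place, handle_end };
#define NUM_FRAME_TYPES (sizeof handlers / sizeof handlers[0])

enum { FRAME_ERR_TRUNCATED = -1, FRAME_ERR_BAD_TYPE = -2 };

/* The defect pattern: buf[0] comes straight from the file and indexes the
 * table with no range check, so a type >= 3 reads a "function pointer" from
 * whatever memory follows the table and calls it. Kept only for contrast;
 * never call this with untrusted input. */
int parse_frame_unchecked(const uint8_t *buf, size_t buflen)
{
    if (buflen < 2 || 2u + buf[1] > buflen) return FRAME_ERR_TRUNCATED;
    return handlers[buf[0]](buf + 2, buf[1]);   /* no bounds check on buf[0] */
}

/* Hardened version: validate the length against the buffer before touching
 * the payload, and validate the type against the table before indexing. */
int parse_frame_checked(const uint8_t *buf, size_t buflen)
{
    if (buflen < 2) return FRAME_ERR_TRUNCATED;
    uint8_t type = buf[0];
    size_t len = buf[1];
    if (2 + len > buflen) return FRAME_ERR_TRUNCATED;
    if (type >= NUM_FRAME_TYPES) return FRAME_ERR_BAD_TYPE;  /* the missing check */
    return handlers[type](buf + 2, len);
}

/* Walk a whole stream of records. Returns the number of frames handled, or
 * the first error code; stopping at the first malformed record means one bad
 * byte cannot steer the dispatch for the rest of the file. */
int count_valid_frames(const uint8_t *buf, size_t buflen)
{
    int count = 0;
    size_t pos = 0;
    while (pos < buflen) {
        int r = parse_frame_checked(buf + pos, buflen - pos);
        if (r < 0) return r;
        pos += 2 + buf[pos + 1];
        count++;
    }
    return count;
}

/* Constructed sample streams (not real SWF data). */
static const uint8_t sample_good[]      = { 0x00,0x02,0xAA,0xBB, 0x01,0x01,0x07, 0x02,0x00 };
static const uint8_t sample_bad_type[]  = { 0xC8, 0x00 };        /* type 200: off the table */
static const uint8_t sample_truncated[] = { 0x00, 0x05, 0x01 };  /* claims 5 payload bytes */

int main(void)
{
    printf("good stream: %d frames\n", count_valid_frames(sample_good, sizeof sample_good));
    printf("bad type:    %d\n", count_valid_frames(sample_bad_type, sizeof sample_bad_type));
    printf("truncated:   %d\n", count_valid_frames(sample_truncated, sizeof sample_truncated));
    return 0;
}
```

The two parsers behave identically on well-formed input, which is why this kind of defect survives ordinary functional testing; only the hardened one rejects a type byte outside the table, and a fuzzer that mutates the type byte is the cheapest way to surface the difference.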
Exploitation via a malicious SWF file could allow an attacker to execute malicious code with the same privileges as the user running Flash Player.

"There was a problem with bounds validation for indexes of certain arrays in Flash Player 7 and earlier, leaving open the possibility that a third party could inject unauthorised code that would have been executed by Flash Player," Macromedia said in its advisory.

Secunia, which operates a vulnerabilities database, gave the bug a "highly critical" rating. As of Monday morning, Secunia said the flaw had been confirmed using Opera and Internet Explorer browsers.

From isn at c4i.org Wed Nov 9 01:05:37 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 9 01:11:24 2005
Subject: [ISN] Another QuickTime flaw found
Message-ID:

http://news.zdnet.com/2100-1009_22-5940081.html

By Dawn Kawamoto, CNET News.com
Published on ZDNet News
November 8, 2005

Less than three weeks after Apple Computer issued an update to patch four security flaws in its QuickTime media player, a new "critical" problem has been discovered.

The unpatched vulnerability could allow remote execution of code, according to an advisory published Monday by eEye Digital Security. It affects various versions of Apple QuickTime running on all types of operating systems, the company said, but did not specify which versions in particular were at risk.

eEye said it notified Apple of the flaw on Oct. 31, when it outlined vulnerabilities that were not addressed in Apple's update of Oct. 12. And although Apple issued a security advisory Nov. 3 regarding its patch and the four flaws, that advisory did not address the new flaw eEye discovered, said Mike Puterbaugh, eEye's senior product marketing director.

"We don't feel this flaw could result in an Internet worm, as it does require end-user interaction (such as clicking on a link to a malicious Web site or chat session). The affected component is, however, enabled by default," Puterbaugh said.
This newly discovered flaw could allow an attacker to pose as the logged-in user and launch remotely executable code. An intruder, for example, could access and do everything that a user could do on his computer. If the user had administrator rights, the hacker could also access everything that the administrator could.

"The Apple flaw works with their latest version of QuickTime," said Steve Manzuik, eEye product manager. "The only similarity with the earlier flaws is it's in QuickTime."

The new issue affects a different QuickTime function than the four earlier flaws, which included a missing movie attribute that could be interpreted as an extension. The absence of the actual extension is not detected, resulting in a "dereference of a null pointer." Another of the earlier four flaws included an integer overflow that could be remotely exploited through a specially crafted video file.

eEye has declined to provide more specifics in its security advisories until the vendor has issued a patch. That policy is designed to prevent hackers from reverse engineering the problem to launch an attack while the vendor works to fix the flaw.

Apple's earlier patch, version 7.0.3, addressed vulnerabilities found in QuickTime 6.5.2 and 7.0.1 for the Mac OS X operating system and some versions running on Windows. One of those flaws allowed a malicious attacker to launch a denial-of-service attack, while the other three flaws allowed an attacker to remotely execute code and take over users' computers.

Apple told CNET News.com that it was not prepared to comment at this time.

Manzuik said that on Monday Apple acknowledged receipt of eEye's advisory, but gave no indication of when, or if, it plans to patch the flaw. "It is something they will undoubtedly have to patch," he added.
From isn at c4i.org Wed Nov 9 01:05:56 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 9 01:11:47 2005
Subject: [ISN] ASU streamlining tech security policies
Message-ID:

http://www.asuwebdevil.com/issues/2005/11/08/news/694815

By Brian Indrelunas
November 8, 2005

Officials say ASU needs more streamlined computer-security policies, and students can help update or rewrite those policies online.

Speaking at a panel discussion Thursday, Detective Terry Lewis of the ASU Department of Public Safety said he came across many different procedures for dealing with possible computer crimes when he seized approximately 20 hard drives during a Secret Service investigation in June 2002.

"There's no one coordination or policy for all the different IT departments," Lewis said. "I got yelled at because I stepped on some toes, but I needed to get those hard drives right away."

Investigators said they found illegal software installed on the seized machines that logged all information typed into the computers. The man arrested in connection with the case may have accessed personal information belonging to 29 ASU students and employees, The State Press reported in 2003.

Some of the computers were seized from the Computing Commons, which is run by Information Technology, but computers were also taken from other campus departments with their own IT staffs.

Forensics expert Bill Kalaf said ASU should come up with specific processes to be followed, and employees should document any actions they take.

Joe Askins, the director of security planning for central IT, is one of a number of people looking at how to improve ASU's technological security.

One possibility, Askins said, is to write a set of specific procedures to accompany the security policies included in ASU's Computer, Internet and Electronic Communications policy. But that policy went into effect in September 2000 and has undergone little revision since.
"Obviously, security threats and vulnerabilities, requirements and everything else and tools have changed in the past five years," Askins said.

Instead, a new set of security policies may be on the way, he added.

Computer security is one of eight focus areas in ASU's long-range technology plan, which is being developed in an open, online environment. University Technology Officer Adrian Sannier is drafting the plan on a site that uses the same technology as Wikipedia, an online encyclopedia that allows any user to edit its pages.

Anyone who creates an account on the site can analyze strengths, weaknesses, opportunities and threats regarding ASU's computer security or the other sections.

"We want to make this as open a project as possible so it gets the best results," Askins said.

Askins and other designated moderators are working with the submitted information to draw up an assessment of ASU's computer security. From there, a plan will be developed.

"We're all working toward Adrian's goal of having a somewhat completed [plan] by the end of the calendar year," Askins said.

The online collaboration site, known as a wiki, can be accessed through Sannier's Web site, http://adrian.sannier.net.

From isn at c4i.org Wed Nov 9 01:04:13 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 9 01:12:07 2005
Subject: [ISN] Sony digital boss - rootkit ignorance is bliss
Message-ID:

http://www.theregister.co.uk/2005/11/09/sony_drm_who_cares/

By Andrew Orlowski in San Francisco
9th November 2005

The President of Sony BMG's global digital business division Thomas Hesse has weighed into the storm over the 'rootkit'-style copy restriction software introduced on some recent audio CDs.

Sony's software installs itself by stealth, conceals itself, then intercepts low level Windows systems calls. Removing it causes the CD drive to be rendered inoperable. The only cure is to reformat the disk and reinstall Windows.

What responsibility did Hesse feel for the havoc his CDs had caused?
"Most people, I think, don't even know what a rootkit is, so why should they care about it?" he huffed.

I think we can take that as: "No responsibility at all."

(Hesse made his comments on NPR radio on Friday - you can hear them here, 1m:50s [1] into the short report.)

But IT departments beg to differ.

A support manager at an IT department in a medium sized corporation told us that a CD-borne infection of Sony DRM is already causing his team headaches. A major antivirus vendor diagnosed the problem as a nasty case of DRM, he told us, but the problem didn't end there. The Sony 'root kit' causes the antivirus software to go haywire, popping up alerts at the rate of one a second. Three systems have so far been flattened, he said.

The original culprit was a Van Zant CD - from Sony BMG.

And it gets worse.

On Sunday Mark Russinovich of Sysinternals.com, whose forensics last week identified the DRM as a 'rootkit' style infection, has been taking a look at the patch subsequently issued by First4Internet, the British company which wrote the crippleware.

All the patch does is force XP to issue Windows commands (eg, "net stop") that disable the driver. Because XP is a multithreaded OS, this is a brute force procedure that can cause the system to crash if resources are in contention.

Russinovich also notes that the Sony DRM software still contains vulnerabilities that expose a system to a potential blue screen of death. Instead of exiting gracefully and returning standard Windows system errors, the DRM exits disgracefully.

Which, we suggest, is exactly what Sony's Herr Hesse should be considering right now.

Have you had problems with Sony in your IT support department? Write and let us know.
[1] http://www.npr.org/templates/story/story.php?storyId=4989260

From isn at c4i.org Wed Nov 9 01:04:42 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 9 01:12:36 2005
Subject: [ISN] Air Force raises bar on desktop security
Message-ID:

Forwarded from: Dragos Ruiu

On Tuesday 08 November 2005 00:17, InfoSec News wrote:
> http://www.fcw.com/article91318-11-07-05-Web
>
> By Frank Tiboni
> Nov. 7, 2005
>
> The Air Force plans to test its new Microsoft standard desktop
> computer configuration at five field sites later this month. The
> service wants to install the configuration on 70 percent of its
> computers by June 2006 and on the rest by the end of 2006, Air Force
> and industry officials said.
>
> The Air Force will distribute Microsoft software with standard
> security configurations servicewide to improve network security and
> management. Military and civilian agencies are watching the testing
> because they could use the software governmentwide early next year.
>
> Many security problems associated with Microsoft software occur when
> users do not properly configure their systems. As part of this
> initiative, the Air Force is standardizing desktop PCs that are set up
> with all appropriate controls in place.

Ok I have to call this one. Be very careful. This is a very dual edged sword. There is great strength in standardized configurations. But you have to be _very_ careful that you get it right. Because you are essentially setting up a monoculture. And if you get it wrong, and there are flaws, it means an attacker who does get a vulnerability can rip through your entire network like lightning. Mistakes in that central configuration could be disastrous. It also makes it a lot easier to test out exploits if there is only one configuration variant to worry about.

To harken back to biological examples, it means a single virus can take out the entire population. I don't know about you, but the thought of an attacker owning the 70%-100% of the U.S.
Air Force in one swoop makes me a tad nervous. All your eggs in one basket as it were.

Putting on my pen tester hat, the weakness of this approach is that it removes one of the most difficult steps in remote penetration: the enumeration and identification of the system configuration you are attacking. You only need one set of offsets in your exploits, and you can just get a copy of the standard configuration, and test it leisurely in your single pc lab. When you get it right, you can take down the target hard, as a complete surprise.

Sure, when individual sysadmins get to muck with the configurations they can introduce weaknesses and mess up all kinds of stuff. But there are some real dangers to setting up a centrally controlled homogeneous monoculture too. You may be doing the exact opposite of strengthening the network - instead locking everyone into a common level of mediocrity. That variability in configuration, that can introduce weakness in the population, can also bring some measure of safety and provide one more hurdle for digital attackers to overcome.

I used to work for many years at Hewlett Packard, where they had this thing they call COE - common operating environment. As I can tell you from using that system - no matter how well they sell you on the wonders of central administration, it ain't all a bed of roses. When it sucks, it sucks hard. That's why my group used Macintoshes. :-)

This standard configuration approach puts a lot of responsibility on a single group. And humans are never infallible. We make mistakes. We should plan for and accept those mistakes... and this approach does not seem to account for this.

Of course this all depends on what is called a "security configuration" and ymmv. "Configuration" is a sufficiently nebulous term that this could mean all sorts of things from a rule saying that everyone must turn on windows update, to a standardized os/driver config that would make target enumeration for attack a walk in the park.
But my initial reaction to this is not one of "Phew, they are finally going to patch all their systems" but rather "Ruh-roh, they are locking the entire Air Force into a single, easy to attack, configuration." And I don't know if I feel so comfortable about that when we are talking about computers for people equipped with nuclear explosives.

just one man's opinion,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan November 14-16 2005 http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp

From isn at c4i.org Wed Nov 9 01:04:56 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 9 01:13:11 2005
Subject: [ISN] Data on 3,000 Consumers Stolen With Computer
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2005/11/08/AR2005110801573.html

By Jonathan Krim
Washington Post Staff Writer
November 9, 2005

Social Security numbers and other information about more than 3,000 consumers were stolen recently from TransUnion LLC, one of three U.S. companies that maintain credit histories on individuals, in the latest of many security breaches that have focused congressional attention on identity theft and fraud.

The data were housed in a desktop computer that was stolen last month from a regional sales office in California, TransUnion said. On Oct. 21, the company sent 3,623 notices to consumers alerting them to the breach and offering free monitoring of their credit reports for a year.

Colleen Tunney, vice president of corporate affairs for Chicago-based TransUnion, said the computer was probably the object of the burglary, not the data. She said the information on the computer required a password to access.

Tunney said the company is investigating why such information would be stored on an individual computer in a regional office rather than on a secure corporate network.

TransUnion and the industry's other major companies, Experian North America Inc.
and Equifax Credit Information Services Inc., are best known as the keepers of credit reports relied upon by businesses when consumers apply for loans, jobs, rental housing and other services.

But the agencies also are large data brokers, competing in some areas with ChoicePoint Inc., LexisNexis and other large information-sellers that have reported data breaches involving hundreds of thousands of consumers.

Congress is considering bills that would set national rules for notifying consumers whose data might have been compromised. The data industry supports a standard that would require notification only if a company decides there is a substantial risk that a breach would result in fraud or identity theft. Consumer advocates and state attorneys general support a stiffer requirement of notification in almost all cases.

Tunney said notification in this case was "the right thing to do." She declined to say if the notification would have been required if Congress passes legislation favored by industry.

The breach was reported this week by the Privacy Times newsletter.

© 2005 The Washington Post Company

From isn at c4i.org Wed Nov 9 01:05:19 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 9 01:13:45 2005
Subject: [ISN] IG finds FEMA disaster relief databases not secured
Message-ID:

Forwarded from: William Knowles

http://www.gcn.com/vol1_no1/daily-updates/37525-1.html

By Alice Lipowicz
Contributing Staff Writer
11/08/05

The Federal Emergency Management Agency is not adequately protecting its core databases containing sensitive disaster relief information, according to a new report from Homeland Security Department inspector general Richard L. Skinner. A redacted copy [1] of the report was posted at the inspector general's Web site today.

FEMA - which comprises the bulk of DHS' Emergency Preparedness and Response directorate - has made some improvements in its IT security, including establishing a process to manage change and a contingency plan, the report said.
However, FEMA has not implemented effective access controls and continuity of operations safeguards, nor has it conducted contingency plan training or testing.

The inadequacies were found in information security controls for the National Emergency Management Information System (NEMIS), FEMA's core database system for managing disaster relief funding and resources.

"Due to these database security exposures, there is an increased risk that unauthorized individuals could gain access to critical EP&R [Emergency Preparedness and Response] database resources and compromise the confidentiality, integrity and availability of sensitive NEMIS data," Skinner wrote in the report. "In addition, EP&R may not be able to recover NEMIS following a disaster."

FEMA officials agreed with most of the audit findings and were taking corrective action, according to the report. However, 56 deficiencies remained unaddressed, Skinner wrote in a summary.

In addition, FEMA has not fully aligned its IT security program with the department's policies and practices, the report said. Security controls have not been tested in more than a year, a contingency plan has not been tested, security control costs have not been integrated into the lifecycle of the system, and system and database administrators have not received specialized security training, according to the report.

NEMIS was developed by Anteon International Corp. of Fairfax, Va., and became operational in 1998. The system replaced FEMA's legacy IT infrastructure with a fully integrated architecture consisting of more than 31 networked servers installed nationwide, according to a fact sheet posted on Anteon's Web site.
CIS database security also lacking

Separately, the DHS inspector general released another report [2] stating that the Citizenship and Immigration Services agency has not developed adequate database security controls for its Central Index System, including access controls, configuration management procedures and continuity of operations safeguards.

The Central Index System was established in 1985 to assist in enforcing immigration laws. It contains biographical and status information on about 55 million people, including permanent residents, naturalized citizens, apprehended aliens and others.

-=-

Alice Lipowicz is a staff writer for Government Computer News' sister publication, Washington Technology.

[1] http://www.dhs.gov/interweb/assetlibrary/OIGr_05-43_Sep05.pdf
[2] http://www.dhs.gov/interweb/assetlibrary/OIGr_05-42_Sep05.pdf

*====================================================================*
"Communications are the nervous system of the entire SAC organization, and their protection is therefore, of the greatest importance. I like to say that without communications, all I control is my desk, and that is not a very lethal weapon." --- General T.S. Power U.S.A.F
----------------------------------------------------------------------
erehwon@c4i.org http://www.c4i.org/erehwon/
*====================================================================*

From isn at c4i.org Wed Nov 9 01:06:08 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 9 01:14:32 2005
Subject: [ISN] LayerOne 2006 CFP Released
Message-ID:

Forwarded from: Layer One

LayerOne 2006 - Call for Papers
April 15 & 16, 2006
Los Angeles, California
At the Pasadena Hilton
http://layerone.info

What is LayerOne?

Currently in its 3rd year, LayerOne is a computer security and technology conference held in the Los Angeles area.
The purpose of LayerOne is to bring together the many different types of folks who make up the security community for a 2 day discussion of the technologies that impact our professional and personal lives.

Who should attend LayerOne?

Just about anyone who is concerned with computer, information, and Internet security and the issues arising from it. Developers, System Administrators, Lawyers, IT managers, Students, Hackers, Engineers, Privacy Advocates, Hardware Hackers, Open Source fans, and garden variety Geeks will all find something of interest at LayerOne.

Previous speakers have included the likes of Dan Kaminsky (Doxpara Research), Dave Hulton (Toorcon), Danny O'Brien (NTK), and Bruce Potter (Shmoo Group).

Call for Papers.

LayerOne is now officially accepting papers and presentations for consideration at our 2006 show. We are looking for people to speak on a broad range of topics, so all submissions will be considered. At the moment we're interested in hearing from potential speakers with the following interests:

* Data Forensics
* Reverse Engineering
* VoIP (security and development)
* Emerging Security Trends
* Regulatory Issues (SOX, PCI, ISO 17799, etc)
* Firmware/Embedded Systems Hacking

Please note that we'd love to see as broad a range of topics this year as we did last year, so don't consider this to be a strict guideline on what we'd like people to be submitting. If you've got something that you think will fit, by all means send it in. To see a list of topics from 2005, please visit our website.

Please be sure to include the following information in your submission:

* Presentation name
* A one-sentence synopsis of your presentation
* A longer one to three paragraph synopsis or short outline of what you plan on covering
* Names of and URLs to presenter(s)
* A short (single-paragraph) biography of the presenter(s)

Once everything's ready to go, send your submission to cfp [at] layerone [dot] info no later than March 31, 2006.
All papers submitted by then will receive either an acceptance or rejection notice no later than April 5th, 2006. Speaker selection is expected to be finalized on this date.

Although we only have one speaking track, please bear in mind that speaking slots are limited to one hour. How you use that time is entirely up to you - but most people tend to divide it between presentation and a Q&A session. If you think your presentation will run longer please advise us when you turn in your proposal and we will do our best to take your needs into consideration.

If the presentation is based on code or a particular technique the presenter must be one of the developers of the code/technique and be prepared to perform a demonstration.

We look forward to reading over your submissions, which we are sure will be outstanding. Once again, if you have any questions or submissions please email cfp [at] layerone [dot] info.

Thank you for your interest, and we look forward to seeing you there.

From isn at c4i.org Thu Nov 10 01:23:52 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Nov 10 01:34:44 2005
Subject: [ISN] IU teaming with feds to 'know' hacker 'enemies'
Message-ID:

Forwarded from: William Knowles

http://www.idsnews.com/subsite/story.php?id=32389

By Allie Townsend
Indiana Daily Student
November 09, 2005

Security monitors developed by IU Pervasive Technology Labs are currently being used by the Federal Department of Defense as a tool to beat terrorist hackers.

The mantra, "Know Your Enemy," is the drive behind the development of these security monitors by the international HoneyNet Project, a non-profit organization committed to maintaining and developing internet security and giving free access to the public.

Starting in 1999 as a loose band of security researchers, the HoneyNet Project has now spread to a global effort for understanding and stopping potential attempts to infiltrate computer networks, funded in part by the National Intelligence Council.
The IU Pervasive Labs are entering their fourth year as members of the HoneyNet team, designing key components to some of the Project's biggest developments -- many of which are being used by the federal government.

"It is my understanding that (the government) is doing pilot studies now on some of HoneyNet's projects," said Researcher for the Advanced Network Management Lab Ed Balas. "Some of the other components have been used by the FBI in different investigations."

According to project.honeynet.org, HoneyNet's primary purpose is to capture extensive information about cyber threats through a highly controlled network -- one that can control and monitor all activity that happens within it. A need for this information came after hackers and other network intruders started to impose threats on a personal and national level.

"We started seeing a good number of worms and we just started to look strongly into security," Balas said. "We needed to know what should be done to keep networks running efficiently."

One of the components born in the IU labs is Sebek. Designed by Balas, Sebek is an operating system enhancement developed to watch intruders once they break into a system. Information such as this could allow the government to track an intruder and mislead them with false information.

Knowledge, stresses Balas, is the biggest defense against cyber-invaders.

"What we are doing won't stop anything from happening," Balas said. "What it does is help us understand the risks. There is a lot of doubt in the security world, but what you want to know is how to apply the knowledge that you find."

© 2000 Indiana Daily Student

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Thu Nov 10 01:24:39 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Nov 10 01:41:06 2005
Subject: [ISN] Security is executive's chief fear
Message-ID:

http://www.computerweekly.com/Articles/2005/11/09/212875/Securityisexecutive'schieffear.htm

By Tash Shifrin
9 November 2005

More than two-thirds of company executives believe reliable network security is the single most critical factor in successful implementation of converged IP networks, new research has revealed.

The research by the Economist Intelligence Unit and telecoms firm AT&T surveyed 236 senior executives from companies in 50 countries. It found that security is seen as a more critical aspect of network performance than cost, complexity or business disruption.

Some of the most important benefits of convergence, such as closer electronic collaboration with customers and remote working, are also seen as key areas of network vulnerability.

More than 60% of those surveyed reported that processing customer data online exposed their businesses to electronic security breaches, more than any other type of vulnerability. But 62% nevertheless expected to implement IP networks across all or most of their businesses within three years.

The survey found that 89% of respondents feared viruses and worms as the top electronic security threat. But company executives expected the threat from hackers and industrial espionage to grow over the same time frame.

From isn at c4i.org Thu Nov 10 01:24:52 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Nov 10 01:41:53 2005
Subject: [ISN] Homeland Security Funds Advanced Cyber-Security Projects
Message-ID:

http://informationweek.com/story/showArticle.jhtml?articleID=173600460

By J. Nicholas Hoover
InformationWeek
Nov. 8, 2005

With a shrinking budget, the Advanced Research Projects Agency's cyber-security arm has to leverage internal expertise with that of academia and industry to get research done and have products commercialized.

All last week, scores of American border agents were furiously typing Blackberry messages to their Canadian counterparts. They weren't sharing hockey scores. The 40 agents were taking part in a secure-messaging project, just one of many technology projects coming out of the Homeland Security Department's Advanced Research Projects Agency's cyber-security arm.

Right now, the Department of Homeland Security doesn't even allow laptops to have wireless access when employees travel. But the agency, a colleague of the Internet-inventing Defense Advanced Research Projects Agency, is planning for implementation of secure hand-held devices with text, audio and video. With spam prevention.

At ARPA, cyber-security doesn't just mean fighting off pesky viruses. Instead, the group focuses on the larger threats of terrorism, organized crime and economic espionage. Other ARPA projects in the works include:

-- a Web-based tool for network administrators to perform self-assessments of their systems' cyber security.

-- a tool that automatically tracks down and eliminates bots and bot networks.

-- a secure repository of information that would give researchers and affected companies attack traffic data including packet traces, attack topology, intrusion detection, and firewall log data within a week of a large scale attack.

-- an overhaul of the domain name system to integrate security against certain types of attacks into the infrastructure of the Internet. Sweden is already implementing these specifications.

-- more secure protocols for the Internet's routing infrastructure. Partners like Cisco Systems and Juniper Networks are working on these, but vendors can't agree on solutions and ISPs don't yet have customers clamoring for them.
The agency's work is limited by a paltry $16.7 million budget for 2006, down from $18 million this year. Still, its cyber-security group leverages internal expertise with that of academia and industry to get research done and have products commercialized and implemented as quickly as possible. Agency-wide cuts have forced a transition from pure research to more applied research.

"We're very focused on working with venture capitalists and commercial interests to make sure implementation happens," says Douglas Maughan, the cyber-security group's program director. He says some of the projects, like the domain name system overhaul, are ready to go live. "We've got some clothes on the emperor and it's definitely time to put him out into the street."

One of the agency's newest big concerns is thin clients. The government has plans in the works for widespread deployments, and the National Security Agency, along with a private partner, has recently developed a relatively secure Linux-based thin client called NetTop2. However, attackers have already found ways to circumvent the operating system and gain access to servers, so more advanced security measures are needed.

From isn at c4i.org Thu Nov 10 01:22:55 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Nov 10 01:42:39 2005
Subject: [ISN] Hacking copiers, software focus raised at document management conference
Message-ID:

http://www.networkworld.com/news/2005/110905-hacking-copiers.html

By Network World staff
Network World
11/09/05

You might think you've heard about every possible security vulnerability in your network, but what about your copiers?

"Network-connected output devices are becoming an absolute primary target of people, foreign and domestic, who are penetrating networks," according to Jim Joyce, senior vice president for office services at Xerox Global Services.
"The reason for that is many of them are large devices with large disk drives, with a fair amount of memory and are network connected and are not secure. This laptop [I'm using for this presentation] is probably 10x more secure than any of the output devices we have in our environments today."

Joyce, speaking Tuesday at the two-day Office Document Solutions conference in Boston, was among a number of presenters who implored makers of printers, copiers, scanners and other such devices to start thinking about more than just selling boxes to customers.

Joyce said during an interview after his speech that Xerox has poured some $20 million in recent years into technologies to better manage office and document systems and is putting a particular emphasis on security these days. He noted that some machines, such as multifunction devices, might have several operating systems in them that could provide security holes if not protected.

Look for Xerox in the months to come to deliver more in the way of technologies that would enable document systems to be able to identify content so that companies can better prevent intellectual property and other confidential data from getting swiped. Xerox's Palo Alto Research Center has been working on such technologies, Joyce said.

[...]

From isn at c4i.org Thu Nov 10 01:23:10 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Nov 10 01:43:21 2005
Subject: [ISN] Security Expert Pokes More Holes in Oracle Patch
Message-ID:

http://www.eweek.com/article2/0,1895,1884696,00.asp

By Paul F. Roberts
November 9, 2005

A noted computer security expert who has clashed with Oracle Corp. in the past is warning customers that a cumulative security patch from the company may overlook a critical hole that could leave Oracle databases open to remote attack.

David Litchfield of NGSS (Next Generation Security Software Ltd.) posted a warning on the Bugtraq security discussion list Tuesday claiming that Oracle's October CPU (Critical Patch Update) failed to install software components on some Oracle systems. The omission could cause Oracle administrators to believe that their systems are patched, when they are in fact vulnerable to attacks, he said.

This is the second such charge Litchfield has leveled against Oracle in recent months, the result of what Litchfield claims are lax patch creation and testing procedures at the Redwood Shores, California database maker.

Oracle did not respond to requests for comment in time for the article. However, company Chief Security Officer Maryann Davidson has been critical of researchers like Litchfield in the past, accusing them of being indiscreet and a "problem" for software vendors.

NGSS researchers discovered a number of problems with Oracle's October CPU, a collection of 23 patches for 85 security vulnerabilities in Oracle's database, server and enterprise application software. Litchfield warned of those problems on Oct. 19 [1] in another Bugtraq posting, and reported them to Oracle.

The new warning stems from an analysis of Oracle's attempts to patch a vulnerability for a component called Oracle Text (CTXSYS) on Oracle 8.1.7.4 databases, an older version of the company's database product. A problem with the script that installs the patch prevents updated PL/SQL software packages that fix the vulnerability from being copied to the system running Oracle, Litchfield wrote on Bugtraq. PL/SQL is an extension of SQL for use on Oracle databases.

"Even if you have Oracle Text installed, the patch installer will not install the update PL/SQL packages," he wrote.

Database administrators who run Oracle Text and have applied the October CPU patch could still be vulnerable to attackers, who could use the hole to elevate low-level database accounts to DBA, or high-level administrator, accounts, Litchfield said.
If the vulnerable database is part of a Web application that is exposed to the Internet via a Web portal, or another avenue, a remote attacker could exploit the Oracle Text hole without needing a database user name or password, Litchfield said.

NGSS recommends manually running the script, ctxcpu.sql, which applies the patch.

Litchfield has become something of a gadfly for Oracle, calling attention to the company's backlog of unpatched holes and accusing the company of releasing sloppy patches that don't adequately address security holes that are reported in its products, or that fail to work.

Despite his criticisms, Litchfield said recently that Oracle has made efforts to improve its security operation in recent months. The most recent CPU was a vast improvement over the previous quarter's patches, with the company increasing the quality of its patches, and patching more holes than those reported by independent researchers.

[1] http://www.eweek.com/article2/0,1895,1874134,00.asp

From isn at c4i.org Thu Nov 10 01:24:26 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Nov 10 01:47:05 2005
Subject: [ISN] Report: Punish poor information security setups
Message-ID:

http://www.washingtontechnology.com/news/1_1/daily_news/27391-1.html

By Alice Lipowicz
Staff Writer
11/08/05

Congress may want to consider penalizing organizations and companies that have poor information security policies that contribute to a major loss of sensitive information, according to a new Congressional Research Service report [1] on cybersecurity.

Other policy questions Congress may choose to consider are whether computer product vendors should report quickly all serious, newly discovered vulnerabilities to the Homeland Security Department, and whether computer service providers and businesses should be required to report to DHS any "major security vulnerabilities that have been newly exploited by cybercriminals," the report said.
The CRS report, "Terrorist Capabilities for Cyberattack," states that security experts disagree about whether global terrorists are capable of launching a successful cyberattack against U.S. civilian critical infrastructure, and whether such an attack would seriously disrupt the U.S. economy.

However, tighter physical security may be encouraging terrorists to turn to cybersecurity, either by developing new computer skills themselves or by aligning with cybercriminals, the CRS report said. Those new capabilities may be used in an online terrorist attack with the intent of crippling IT infrastructures, or to finance a more conventional terrorist attack against facilities or people.

There is evidence that terrorists are gaining understanding of IT and have expanded their recruitment of people skilled in computer sciences, engineering and mathematics, the report said. Several recent terrorist events appear to have been funded partially through online credit-card fraud.

Whether it is linked with terrorism, cybercrime is increasing dramatically. The report cites research by IBM Corp. stating that during the first half of 2005, criminal-driven computer security attacks increased by 50 percent, most frequently targeting government agencies and industries in the United States.

Policy issues for Congress include evaluating whether counterterrorism efforts ought to be linked more closely with international efforts to prevent cybercrime, the CRS report said. Also, there are policy questions about whether the Defense and Homeland Security departments ought to collaborate more closely to strengthen the computer security of civilian agencies and infrastructure.

The report identifies five pieces of legislation before Congress related to improving national computer security: H.R. 285, 744, 1817 and 3109 and S. 768.
[1] http://www.opencrs.com/rpts/RL33123_20051020.pdf

From isn at c4i.org Thu Nov 10 01:24:12 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Nov 10 01:48:20 2005
Subject: [ISN] Antivirus firms target Sony 'rootkit'
Message-ID:

http://news.com.com/Antivirus+firms+target+Sony+rootkit/2100-1029_3-5942265.html

By John Borland
Staff Writer, CNET News.com
November 9, 2005

Antivirus companies are releasing tools this week to identify, and in some cases remove, copy protection software contained on recent Sony BMG Music Entertainment CDs. The software has been identified as a potential security risk.

The Sony software, found on several of the company's recent albums, is triggered by playing one of the CDs in a PC. From the CD drive, the software installs itself deeply inside a hard drive and hides itself from view. This cloaking technique could be used by virus writers to hide their own malicious software, security experts have said.

There is a range of opinion among security companies about how much risk the software poses, from those who consider it no worse than an adware pest to those who view it as potentially dangerous spyware.

Symantec said Wednesday that its antivirus software would identify the Sony software, but would not remove it. Instead, it will point to Sony's own Web site, where users can get instructions for uninstalling the software or download a patch that will expose the hidden components.

"We're trying to reinforce here that we're not talking about a virus, or malicious code, we're talking about technology that could be misused," Symantec Senior Director Vincent Weafer said. "We're trying to work co-operatively."

However, Computer Associates, which has a security division, said on Monday it had found further security risks in the Sony software and was releasing a tool to uninstall it directly.

According to Computer Associates, the Sony software makes itself a default media player on a computer after it is installed.
The software then reports back the user's Internet address and identifies which CDs are played on that computer. Intentionally or not, the software also seems to damage a computer's ability to "rip" clean copies of MP3s from non-copy protected CDs, the security company said.

"It will effectively insert pseudo-random noise into a file so that it becomes less listenable," said Sam Curry, a Computer Associates vice president. "What's disturbing about this is the lack of notice, the lack of consent, and the lack of an easy removal tool."

A Sony representative said the company's technical staff was looking into the issues identified by Computer Associates, but had no immediate comment.

The furor over the Sony software comes nearly eight months after the copy protection technique, created by British company First 4 Internet, was first released on a commercial disc in the United States.

Computer developer and author Mark Russinovich sparked debate over the software last week by posting on his blog an account of how he had discovered the First 4 Internet software hiding deep in his hard drive. The software used a tool called a "rootkit" to hide its presence, a technique more typically used by virus writers to hide traces of their work.

Sony and First 4 Internet quickly released on their Web site a patch that would uncloak the copy protection software. But CD buyers must go through a more elaborate process -- e-mailing the company's customer service department -- to get instructions for uninstalling the software.

From isn at c4i.org Thu Nov 10 01:23:26 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Nov 10 01:48:28 2005
Subject: [ISN] Interz0ne 5 Security Conference - Call for Papers
Message-ID:

Interz0ne 5 Security Conference - Call for Papers / Participation

Interz0ne 5 is now accepting Papers and Presentations for available presentation time slots during this year's convention. Interz0ne is an annual Hacker / Security professional convention, in its 5th year running.
Interz0ne is proud to bring the latest topics to the Information Technology community. Our commitment to cutting-edge issues yields up-to-date, highly technical lectures and important industry topics such as anonymity, privacy, e-Voting, forensics, legislation, regulation and freedom of speech.

All submissions are to be emailed to contact (at) interz0ne.com by December 24th, 2005.

Details:

SPEAKERS:

Submissions must be of the latest technologies or methodologies. We will not rehash lectures given previously unless they have been extensively updated.

Priority considerations will be given to:

* Cryptography and Privacy
* Advanced Attack Methods (Zero-day Exploits, Reverse Engineering, Stealth Application Exploits)
* Zero Day Defenses and Application Security
* Hardware and Protocol Attacks
* Anonymity Concepts and Tools
* Forensics and Tracking
* Physical Security
* "101" style lectures (coding, hacking, wireless, etc.)
* Voice over IP (VoIP)
* Communications Infrastructure/Satellite Hacking
* Society, Culture, and Community topics

All Lectures should be timed to 60 minute slots inclusive of a Q&A session. Longer time slots are negotiable, but must greatly merit the extra time. Submission inclusion of relevant tools, white papers, or source code will help in the selection process.

Submissions must include:

* Title and short synopsis of topic.
* Valid email and phone number for contact
* Bio of presenter stating qualifications to give topic lecture. (This will be published on interz0ne website and in any printed con/press material)
* Any other info deemed pertinent in us considering your subject.

Those submitting please note:

* Interz0ne will provide projectors (laptop compatible) and whiteboards, all other special equipment requirements will be considered on a case by case basis.
* All lectures to be Vendor neutral. (Please see "OTHER PARTICIPATION".)
* By presenting at Interz0ne 5, you grant Interz0ne permission to reproduce, distribute, and/or advertise your lecture as seen fit.
* Please do not delay in submitting. Presentations are evaluated and selected in order received.
* The newest research and latest of vulnerabilities gets highest consideration in selection.
* Finalists qualify for consideration to instruct at the new GrayArea Security School (www.GrayArea.Info) in both Atlanta (Mar. 2006) and the San Francisco Bay Area in Oct. 2006.
* All deadlines must be met to remain in consideration for time slots.
* Those traveling to present will be given time slot considerations.
* Once scheduled for a time slot, it will not be changed.

OTHER PARTICIPATION:

Vendors and Sponsors:

Interz0ne insists that the Interz0ne presentations be Vendor-neutral, but are willing to negotiate with potential Sponsors and Vendors for space and exposure at the convention. These negotiations are on a "first contact, first considered" basis and may fill up early. Feel free to contact for information on various Sponsorship levels or for available Vendor space.

Email: contact (at) interz0ne.com

DEADLINES and important dates:

Call For Papers issued                                   01 Oct.05
Call For Papers ends                                     24 Dec.05
Last Acceptance Notifications                            30 Dec.05 C.O.B.
Final Due Date for Papers / Slides
  (tools, source code and materials)                     15 Jan.06
Doors Open For Convention                                TBA (March 2006)

Advance Thanks to those that choose to participate in helping keep Interz0ne the Quality Hacker/Security Convention to attend!!

We look forward to seeing you there!!
From isn at c4i.org Fri Nov 11 03:35:51 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Nov 11 03:45:31 2005
Subject: [ISN] Vulgar hacker hits school Web site
Message-ID:

http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2005/11/10/BAGGCFLUCA1.DTL

Nanette Asimov
Chronicle Staff Writer
November 10, 2005

San Francisco school officials are trying to figure out who hacked into a high school Web site, posted a student's face over vulgar and mocking images, then added racist and gang-related captions using the student's name.

Normally, the Washington High Web site features the usual school fare: club news, athletic schedules, student triumphs and information for parents. But on Wednesday, school officials realized that someone had replaced all the school information with a set of photo montages apparently intended to humiliate a single student.

David Campos, the district's legal counsel, said the site was ordered shut down as soon as the invasion was discovered.

That didn't happen instantly. For hours, the mean-spirited images lingered on the site as frustrated administrators prepared to take legal steps against the company unless it cut off public access.

"If I have to stay here till midnight to get this shut down, I will," said Principal Andrew Ishibashi of Washington High.

Finally, at about 3 p.m., the site was closed down. But questions remained, such as how the hacking happened, why it took so long to shut down the site, and how the software security breach might be patched.

The hacker used the breach to post the "N" word on the school's site, as well as gang references.

"Hacking into a computer is against the law. Everything else is freedom of speech," said an inspector with the San Francisco Police Department's Gang Task Force. "It doesn't sound like gang involvement. It sounds like one guy trying to make fun of another guy."
But Web technology has transformed what once might have been a heartless practical joke within school walls into a far more extreme brand of public humiliation. Milder versions have been dubbed cyber-bullying.

The school will provide counseling for the victim of the hacking, school officials said.

The incident is the district's second computer-related glitch with bad consequences in less than three weeks. On Oct. 20, the personal information of tens of thousands of California children -- names, state achievement test scores, identification numbers and status in gifted or special-needs programs -- became open to public view through a security loophole in San Francisco and dozens of other districts statewide using a popular education software system.

In that case, San Francisco administrators were able to shut down access to the system, called OARS -- Online Assessment Reporting System -- almost immediately.

From isn at c4i.org Fri Nov 11 03:36:51 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Nov 11 03:47:42 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-45
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2005-11-03 - 2005-11-10

This week : 68 advisories

========================================================================

Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================

1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information.
Every single vulnerability report is validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================

2) This Week in Brief:

A vulnerability has been reported in Macromedia Flash Player, which can be exploited by malicious people to compromise a user's system.

All users are advised to update their Flash Player; please see SA17430 for additional details.

Additionally, Secunia has issued advisories for both Internet Explorer and Opera, as both products ship with a vulnerable version of the Flash Player. Users of these products should make sure that their Flash Player is updated, and in case of a re-install make sure to update the Flash Player afterwards.

References:
http://secunia.com/SA17430
http://secunia.com/SA17481
http://secunia.com/SA17437

--

A vulnerability has been reported in VERITAS NetBackup, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.

Reference:
http://secunia.com/SA17503

--

Microsoft has released their monthly Security Updates for November, which fix vulnerabilities in the handling of WMF/EMF files.

Users of Microsoft products are advised to check Windows Update for available updates.

Reference:
http://secunia.com/SA17498

--

Piotr Bania has reported some vulnerabilities in Apple QuickTime, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
Please refer to the referenced Secunia advisory for details.

Reference:
http://secunia.com/SA17428

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================

3) This Week's Top Ten Most Read Advisories:

1. [SA17430] Macromedia Flash Player SWF File Handling Arbitrary Code Execution
2. [SA17428] Apple QuickTime Multiple Vulnerabilities
3. [SA15852] XML-RPC for PHP PHP Code Execution Vulnerability
4. [SA17408] Sony CD First4Internet XCP DRM Software Security Issue
5. [SA17498] Microsoft Windows WMF/EMF File Rendering Arbitrary Code Execution
6. [SA17481] Internet Explorer Macromedia Flash Player SWF Arbitrary Code Execution
7. [SA17413] Cisco IOS System Timers Potential Arbitrary Code Execution
8. [SA17371] PHP Multiple Vulnerabilities
9. [SA17434] Clam AntiVirus CAB/FSG File Handling Vulnerabilities
10. [SA17429] IBM Lotus Domino Denial of Service and Unspecified Vulnerabilities

========================================================================

4) Vulnerabilities Summary Listing

Windows:
[SA17498] Microsoft Windows WMF/EMF File Rendering Arbitrary Code Execution
[SA17481] Internet Explorer Macromedia Flash Player SWF Arbitrary Code Execution
[SA17461] Avaya Products Microsoft Windows WMF/EMF Multiple Vulnerabilities
[SA17450] ZoneAlarm Personal Firewall Program Control Feature Bypass

UNIX/Linux:
[SA17501] Debian update for clamav
[SA17486] Slackware update for koffice
[SA17480] SUSE Updates for Multiple Packages
[SA17477] Debian update for gpsdrive
[SA17475] Slackware update for elm
[SA17473] GpsDrive "friendsd2" Format String Vulnerability
[SA17455] MagpieRSS Snoopy "_httpsrequest()" Command Injection Vulnerability
[SA17451] Mandriva update for clamav
[SA17448] Gentoo update for clamav
[SA17445] UnixWare update for lynx
[SA17444] Slackware update for lynx
[SA17434] Clam AntiVirus CAB/FSG File Handling Vulnerabilities
[SA17507] HP-UX Trusted Mode remshd Security Bypass Vulnerability
[SA17500] Fedora update for libgda
[SA17497] Debian update for libungif4
[SA17494] Debian update for chmlib
[SA17492] Sylpheed LDIF Import Buffer Overflow Vulnerability
[SA17490] Fedora update for php
[SA17488] Ubuntu update for libungif
[SA17485] Slackware updates for curl/wget
[SA17483] Slackware update for imapd
[SA17482] Gentoo update for giflib
[SA17465] Linux-ftpd-ssl FTP Server Response Buffer Overflow Vulnerability
[SA17462] giflib GIF File Handling Two Vulnerabilities
[SA17452] Debian update for openvpn
[SA17449] Gentoo update for gnump3d
[SA17447] Gentoo update for openvpn
[SA17442] Red Hat update for libungif
[SA17438] Fedora update for libungif
[SA17436] libungif GIF File Handling Two Vulnerabilities
[SA17487] Slackware update for apache/mod_ssl
[SA17459] Asterisk "folder" Disclosure of Sound Files
[SA17432] Blue Coat Products OpenSSL SSL 2.0 Rollback Vulnerability
[SA17506] HP-UX envd Privilege Escalation Vulnerability
[SA17502] VERITAS Cluster Server for UNIX Buffer Overflow Vulnerability
[SA17499] Fedora update for lm-sensors
[SA17495] Ubuntu update for fetchmail
[SA17469] SUSE update for pwdutils/shadow
[SA17467] F-Secure Anti-Virus Internet Gatekeeper/Linux Gateway Privilege Escalation
[SA17446] Gentoo update for fetchmail
[SA17439] AIX "swcons" Command Buffer Overflow Vulnerability
[SA17504] Linux Kernel sysctl Interface Unregistration Denial of Service
[SA17472] Debian update for thttpd
[SA17454] thttpd "syslogtocern" Insecure Temporary File Creation

Other:

Cross Platform:
[SA17493] OSTE File Inclusion Vulnerability
[SA17479] PHPKIT Multiple Vulnerabilities
[SA17440] b2evolution XML-RPC PHP Code Execution Vulnerabilities
[SA17437] Opera Macromedia Flash Player SWF Arbitrary Code Execution
[SA17435] CuteNews "template" Local File Inclusion Vulnerability
[SA17430] Macromedia Flash Player SWF File Handling Arbitrary Code Execution
[SA17428] Apple QuickTime Multiple Vulnerabilities
[SA17476] phplist Multiple Vulnerabilities
[SA17471] toendaCMS Disclosure of Sensitive Information
[SA17457] ibProArcade Module "user" SQL Injection Vulnerability
[SA17456] Phorum "forum_ids[]" SQL Injection Vulnerability
[SA17453] Tonio Gallery "galid" SQL Injection Vulnerability
[SA17433] BLOG:CMS PunBB Multiple Vulnerabilities
[SA17429] IBM Lotus Domino Denial of Service and Unspecified Vulnerabilities
[SA17503] VERITAS NetBackup "vmd" Shared Library Buffer Overflow Vulnerability
[SA17478] Sun Java JRE Deserialization Denial of Service Vulnerability
[SA17458] XMB "username" Cross-Site Scripting Vulnerability
[SA17443] Invision Power Board Cross-Site Scripting Vulnerabilities
[SA17431] Cerberus Helpdesk Disclosure of Attachments

========================================================================

5) Vulnerabilities Content Listing

Windows:

--

[SA17498] Microsoft Windows WMF/EMF File Rendering Arbitrary Code Execution

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-11-08

Two vulnerabilities have been reported in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17498/

--

[SA17481] Internet Explorer Macromedia Flash Player SWF Arbitrary Code Execution

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-11-07

A vulnerability has been reported in Macromedia Flash Player included in Microsoft Internet Explorer, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17481/

--

[SA17461] Avaya Products Microsoft Windows WMF/EMF Multiple Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-11-09

Avaya has acknowledged some vulnerabilities in various products, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/17461/

--

[SA17450] ZoneAlarm Personal Firewall Program Control Feature Bypass

Critical: Not critical
Where: Local system
Impact: Security Bypass
Released: 2005-11-09

Debasis Mohanty has discovered a weakness in various ZoneAlarm products, which can be exploited to bypass security features provided by the product.

Full Advisory:
http://secunia.com/advisories/17450/

UNIX/Linux:

--

[SA17501] Debian update for clamav

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-11-08

Debian has issued an update for clamav. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17501/

--

[SA17486] Slackware update for koffice

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-11-07

Slackware has issued an update for koffice. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17486/

--

[SA17480] SUSE Updates for Multiple Packages

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-11-07

SUSE has issued updates for multiple packages. These fix various vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and to compromise a user's or a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17480/

--

[SA17477] Debian update for gpsdrive

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-11-09

Debian has issued an update for gpsdrive. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/17477/

--

[SA17475] Slackware update for elm

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-11-08

Slackware has issued an update for elm. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17475/

--

[SA17473] GpsDrive "friendsd2" Format String Vulnerability

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-11-08

Kevin Finisterre has reported a vulnerability in GpsDrive, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17473/

--

[SA17455] MagpieRSS Snoopy "_httpsrequest()" Command Injection Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-11-07

A vulnerability has been reported in MagpieRSS, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17455/

--

[SA17451] Mandriva update for clamav

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-11-08

Mandriva has issued an update for clamav. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17451/

--

[SA17448] Gentoo update for clamav

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-11-07

Gentoo has issued an update for clamav. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/17448/

--

[SA17445] UnixWare update for lynx

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-11-09

SCO has issued an update for lynx. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17445/

--

[SA17444] Slackware update for lynx

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-11-07

Slackware has issued an update for lynx. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17444/

--

[SA17434] Clam AntiVirus CAB/FSG File Handling Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-11-04

Some vulnerabilities have been reported in Clam AntiVirus (clamav), which can be exploited by malicious people to cause a DoS (Denial of Service) and to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17434/

--

[SA17507] HP-UX Trusted Mode remshd Security Bypass Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-11-09

A vulnerability has been reported in HP-UX, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/17507/

--

[SA17500] Fedora update for libgda

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-11-08

Fedora has issued an update for libgda. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17500/

--

[SA17497] Debian update for libungif4

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-11-09

Debian has issued an update for libungif4.
This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17497/

--

[SA17494] Debian update for chmlib

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-11-08

Debian has issued an update for chmlib. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17494/

--

[SA17492] Sylpheed LDIF Import Buffer Overflow Vulnerability

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-11-09

A vulnerability has been reported in Sylpheed, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17492/

--

[SA17490] Fedora update for php

Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting
Released: 2005-11-09

Fedora has issued an update for php. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks and bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/17490/

--

[SA17488] Ubuntu update for libungif

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-11-08

Ubuntu has issued an update for libungif4g. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17488/

--

[SA17485] Slackware updates for curl/wget

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-11-07

Slackware has issued updates for curl and wget. These fix a vulnerability, which can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/17485/

--

[SA17483] Slackware update for imapd

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-11-07

Slackware has issued an update for imap. This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17483/

--

[SA17482] Gentoo update for giflib

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-11-07

Gentoo has issued an update for giflib. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17482/

--

[SA17465] Linux-ftpd-ssl FTP Server Response Buffer Overflow Vulnerability

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-11-08

kcope has reported a vulnerability in Linux-ftpd-ssl, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17465/

--

[SA17462] giflib GIF File Handling Two Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-11-07

Two vulnerabilities have been reported in giflib, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17462/

--

[SA17452] Debian update for openvpn

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-11-07

Debian has issued an update for openvpn. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/17452/

--

[SA17449] Gentoo update for gnump3d

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Exposure of sensitive information
Released: 2005-11-07

Gentoo has issued an update for gnump3d. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting and directory traversal attacks.

Full Advisory:
http://secunia.com/advisories/17449/

--

[SA17447] Gentoo update for openvpn

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-11-07

Gentoo has issued an update for openvpn. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17447/

--

[SA17442] Red Hat update for libungif

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-11-04

Red Hat has issued an update for libungif. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17442/

--

[SA17438] Fedora update for libungif

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-11-04

Fedora has issued an update for libungif. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17438/

--

[SA17436] libungif GIF File Handling Two Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-11-04

Two vulnerabilities have been reported in libungif, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/17436/

--

[SA17487] Slackware update for apache/mod_ssl

Critical: Less critical
Where: From remote
Impact: Manipulation of data, Cross Site Scripting, Security Bypass
Released: 2005-11-07

Slackware has issued an update for apache/mod_ssl. This fixes a vulnerability, which can be exploited by malicious people to conduct HTTP request smuggling attacks.

Full Advisory:
http://secunia.com/advisories/17487/

--

[SA17459] Asterisk "folder" Disclosure of Sound Files

Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-11-08

Assurance.com.au has reported a vulnerability in Asterisk, which can be exploited by malicious users to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/17459/

--

[SA17432] Blue Coat Products OpenSSL SSL 2.0 Rollback Vulnerability

Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2005-11-04

Blue Coat has acknowledged a vulnerability in some products, which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/17432/

--

[SA17506] HP-UX envd Privilege Escalation Vulnerability

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-11-09

A vulnerability has been reported in HP-UX, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/17506/

--

[SA17502] VERITAS Cluster Server for UNIX Buffer Overflow Vulnerability

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-11-09

A vulnerability has been reported in VERITAS Cluster Server for UNIX, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/17502/

--

[SA17499] Fedora update for lm-sensors

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-11-08

Fedora has issued an update for lm-sensors. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/17499/

--

[SA17495] Ubuntu update for fetchmail

Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2005-11-09

Ubuntu has issued an update for fetchmail. This fixes a vulnerability, which can be exploited by malicious, local users to gain knowledge of certain sensitive information.

Full Advisory:
http://secunia.com/advisories/17495/

--

[SA17469] SUSE update for pwdutils/shadow

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-11-07

SUSE has issued updates for pwdutils and shadow. These fix a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/17469/

--

[SA17467] F-Secure Anti-Virus Internet Gatekeeper/Linux Gateway Privilege Escalation

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-11-07

A vulnerability has been reported in F-Secure Anti-Virus Internet Gatekeeper for Linux and F-Secure Anti-Virus Linux Gateway, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/17467/

--

[SA17446] Gentoo update for fetchmail

Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2005-11-07

Gentoo has issued an update for fetchmail. This fixes a vulnerability, which can be exploited by malicious, local users to gain knowledge of certain sensitive information.
Full Advisory:
http://secunia.com/advisories/17446/

--

[SA17439] AIX "swcons" Command Buffer Overflow Vulnerability

Critical: Less critical
Where: Local system
Impact: Unknown
Released: 2005-11-04

A vulnerability has been reported in AIX, which has an unknown impact.

Full Advisory:
http://secunia.com/advisories/17439/

--

[SA17504] Linux Kernel sysctl Interface Unregistration Denial of Service

Critical: Not critical
Where: Local system
Impact: DoS
Released: 2005-11-09

A vulnerability has been reported in the Linux kernel, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17504/

--

[SA17472] Debian update for thttpd

Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2005-11-07

Debian has issued an update for thttpd. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/17472/

--

[SA17454] thttpd "syslogtocern" Insecure Temporary File Creation

Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2005-11-07

Javier Fernandez-Sanguino Pena has reported a vulnerability in thttpd, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/17454/

Other:

Cross Platform:

--

[SA17493] OSTE File Inclusion Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-11-08

khc has reported a vulnerability in OSTE, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/17493/

--

[SA17479] PHPKIT Multiple Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of sensitive information, System access
Released: 2005-11-08

Christopher Kunz has reported some vulnerabilities in PHPKIT, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks, disclose sensitive information, and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17479/

--

[SA17440] b2evolution XML-RPC PHP Code Execution Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-11-07

Two vulnerabilities have been reported in b2evolution, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17440/

--

[SA17437] Opera Macromedia Flash Player SWF Arbitrary Code Execution

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-11-07

A vulnerability has been reported in Macromedia Flash Player included in Opera, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17437/

--

[SA17435] CuteNews "template" Local File Inclusion Vulnerability

Critical: Highly critical
Where: From remote
Impact: Exposure of sensitive information, System access
Released: 2005-11-04

rgod has discovered a vulnerability in CuteNews, which can be exploited by malicious people to disclose sensitive information and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17435/

--

[SA17430] Macromedia Flash Player SWF File Handling Arbitrary Code Execution

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-11-05

A vulnerability has been reported in Macromedia Flash Player, which can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/17430/

--

[SA17428] Apple QuickTime Multiple Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-11-04

Piotr Bania has reported some vulnerabilities in Apple QuickTime, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17428/

--

[SA17476] phplist Multiple Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of sensitive information
Released: 2005-11-08

Some vulnerabilities have been reported in phplist, which can be exploited by malicious users to conduct SQL injection attacks and disclose sensitive information, and by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, and disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/17476/

--

[SA17471] toendaCMS Disclosure of Sensitive Information

Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-11-08

Bernhard Mueller has reported a security issue and a vulnerability in toendaCMS, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/17471/

--

[SA17457] ibProArcade Module "user" SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-07

B~HFH has reported a vulnerability in the ibProArcade module for Invision Power Board and vBulletin, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/17457/

--

[SA17456] Phorum "forum_ids[]" SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-07

Janek Vind "waraxe" has reported a vulnerability in Phorum, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17456/

--

[SA17453] Tonio Gallery "galid" SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-07

Abducter has reported a vulnerability in Tonio Gallery, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17453/

--

[SA17433] BLOG:CMS PunBB Multiple Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Spoofing, Exposure of sensitive information
Released: 2005-11-04

Some vulnerabilities have been reported in BLOG:CMS, which potentially can be exploited by malicious people to conduct spoofing attacks, disclose certain information, and conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/17433/

--

[SA17429] IBM Lotus Domino Denial of Service and Unspecified Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Unknown, DoS
Released: 2005-11-04

Some vulnerabilities have been reported in Lotus Domino, which potentially can be exploited by malicious users to cause a DoS (Denial of Service), or with unknown impact.

Full Advisory:
http://secunia.com/advisories/17429/

--

[SA17503] VERITAS NetBackup "vmd" Shared Library Buffer Overflow Vulnerability

Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2005-11-09

A vulnerability has been reported in VERITAS NetBackup, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/17503/

--

[SA17478] Sun Java JRE Deserialization Denial of Service Vulnerability

Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-11-07

Marc Schoenefeld has reported a vulnerability in Sun Java Runtime Environment (JRE), which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17478/

--

[SA17458] XMB "username" Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-11-07

HACKERS PAL has discovered a vulnerability in XMB, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/17458/

--

[SA17443] Invision Power Board Cross-Site Scripting Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-11-07

benjilenoob has reported some vulnerabilities in Invision Power Board, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/17443/

--

[SA17431] Cerberus Helpdesk Disclosure of Attachments

Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-11-04

cumhur onat has reported a vulnerability in Cerberus Helpdesk, which can be exploited by malicious users to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/17431/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Fri Nov 11 03:37:12 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Nov 11 03:48:15 2005
Subject: [ISN] Hacker held for illegally obtaining money using spyware
Message-ID:

http://www.japantoday.com/e/?content=news&cat=2&id=354976

November 11, 2005

TOKYO - Tokyo police have arrested a 34-year-old computer hacker Thursday on suspicion of transferring some 210,000 yen from a jewelry company's bank account to his own after illegally obtaining the firm's Internet banking identification number and password, police officials said.

Kiichi Hirayama from the city of Chiba is believed to have transferred a total of some 11.4 million yen from the bank accounts of 10 companies, using software called spyware to steal data from their computers, according to the Metropolitan Police Department.

© 2005 Kyodo News

From isn at c4i.org Fri Nov 11 03:37:25 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Nov 11 03:48:41 2005
Subject: [ISN] Students allegedly hacked computer, changed grades
Message-ID:

http://abclocal.go.com/wls/story?section=local&id=3625324

November 10, 2005

Four teenagers from suburban Oak Lawn have been suspended from school for allegedly hacking into a computer system to change their grades.

A teacher at Oak Lawn High School discovered the scheme two weeks ago. She noticed the grades for one student did not match up with the grades in the school computer system.

Officials later discovered that three juniors and one senior allegedly broke into the district's system and changed their grades. They have been suspended for 10 days. When the students return to school, they will be stripped of their computer privileges.
From isn at c4i.org Fri Nov 11 03:38:04 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Nov 11 03:49:12 2005
Subject: [ISN] NIFS 2005 - National Infrastructure Fortification Strategies
Message-ID:

When Disaster Strikes, 40 Percent of Unprepared Companies will Not Recover - Government Challenged to Respond

Surveys coming out of Michigan State University and others have shown that most companies do not have an emergency plan to cope with a flood, fire or even a long-term power outage, no less the aftermath of a terrorist attack. Experts agree that a holistic plan would include a public/private partnership approach to preparedness and response.

NIFS 2005 - National Infrastructure Fortification Strategies
A Public-Private Leadership Conference & Expo
Miami, Florida * December 5-7, 2005
Supported by: Department of Homeland Security
www.ncsi.com * 888-603-8899

You CANNOT AFFORD to miss this Conference & Expo if you are concerned with physical or cyber infrastructure protection! It's TIMELY... RELEVANT... and ENCOMPASSING. Senior leadership and technical advisors will interact and develop collaborative strategies on governance, policy, and technology. Visit our website at www.ncsi.com for the full conference agenda.

Don't be left liable. Don't assume "disaster" can't happen to you. What if it does...are you prepared?

Attend this conference and get inside information you won't hear anywhere else from leaders responsible for preventing and reacting to national emergencies such as:

- Ted M. Falgout, Executive Director, Port Fourchon, Louisiana
- Colonel Robert B. Stephan, USAF (ret.), Assistant Secretary for Infrastructure Protection, U.S. Department of Homeland Security
- Dr. John Gannon, Conference Chairman and Vice President for Global Analysis, BAE Systems (Former Chairman, National Intelligence Council and former CIA Deputy Director for Intelligence)
- Howard A. Schmidt, CISSP, CISM, President & CEO R&H Security Consulting, LLC., (Former Vice-Chair, President's Critical Infrastructure Protection Board and White House Cyber Security Advisor)

Click here for a complete list of confirmed speakers, www.ncsi.com/nifs05/agenda.shtml.

For more information and to register, please go to www.ncsi.com/nifs05/attendee_reg.shtml or contact Julie Kirkpatrick at 888-603-8899.

Conference DEADLINE is approaching, please act now.

© 2004 National Conference Services, Inc. 6440-C Dobbin Road, Columbia, MD 21045

From isn at c4i.org Fri Nov 11 03:38:40 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Nov 11 03:49:32 2005
Subject: [ISN] 'Bots' for Sony CD software spotted online
Message-ID:

http://news.com.com/Bots+for+Sony+CD+software+spotted+online/2100-1029_3-5944643.html

By John Borland
Staff Writer, CNET News.com
November 10, 2005

A first wave of malicious software written to piggyback on Sony BMG Music Entertainment CD copy protection tools has been spotted online, computer security companies said Thursday.

Sony's software, installed when playing one of the record label's recent copy-protected CDs in a computer, hides itself on hard drives using a powerful programming tool called a "rootkit." But the tool leaves the door open behind it, allowing other software--including viruses--to be deeply hidden behind the rootkit cloak [1].

The first version of a Trojan horse spotted early Thursday, which aims to give an attacker complete remote control over an infected computer, didn't work well. But over the course of the day, several others emerged that apparently fixed early flaws.

"This is no longer a theoretical vulnerability; it is a real vulnerability," said Sam Curry, vice president of Computer Associates' eTrust Security Management division. "This is no longer about digital rights management or content protection, this is about people having their PCs taken over."
Sony's use of the rootkit software has sparked a firestorm of criticism online and off over the company's techniques, highlighting concerns that remain over record labels' increasingly ambitious attempts to control the ways consumers can use purchased music.

Last week, plaintiffs' attorney Alan Himmelfarb filed a class action suit against Sony BMG in Los Angeles federal court, asserting that the company had violated state and federal statutes on unauthorized computer tampering. The company's actions also constituted fraud, trespass and false advertising, the suit contends. Other attorneys say they are considering other suits.

Several Italian consumer groups also have said they are looking into the prospect of taking legal action against Sony, although the relevant discs were distributed by the record label's U.S. division and not intended for overseas sale.

Sony's use of the rootkit stems from record companies' growing concerns that unrestricted music copying is undermining their sales, and they have been looking for a technological way to limit the number of copies that people can make of each CD they buy.

Sony BMG has experimented with several different ways to do this. The current controversy focuses on just one of those tools, created by a British company called First 4 Internet.

The First 4 Internet software is included on a handful of CDs [2], including recent releases from My Morning Jacket and Southern rockers Van Zant. When the albums are put in a computer's CD drive, they ask a listener to click through a consent form, and then install the rootkit copy-protection software on the hard drive.

A rootkit is a tool that takes a high level of control over a computer, potentially even preventing the original computer user from performing certain tasks. In this case, the First 4 Internet software hides itself from view in the computer's guts.
One Trojan horse discovered by security companies Thursday is a variant of a pre-existing software distributed by spam e-mail, among other techniques. One version of the e-mail claims to be from a business publication and says it is using a photograph of the recipient for a soon-to-be published article, according to security company BitDefender.

Clicking on the alleged photograph installs the malicious software, which then connects automatically to the Internet Relay Chat chat network, opening up a channel to control the infected computer.

In a new version of the program, the software hides itself using Sony's rootkit tool and then tries to connect to a server on the chat network. The first version of the Trojan was unable to function after hiding itself, security company F-Secure said. However, several other variants have been found that are able to successfully take over control of a computer after hiding under the Sony software.

All virus companies are rating the danger as fairly low so far, since the Trojans seem to be spreading slowly. Most antivirus companies are releasing versions of their software that identify or remove the Sony software.

A patch on the Sony Web site [3] will uncloak the copy protection tools, but computer users must contact Sony's customer service for instructions [4] on removing it altogether.

Neither Himmelfarb nor a Sony BMG spokesman could immediately be reached for comment. A Sony BMG representative contacted last week noted that the software could be easily uninstalled by contacting the company's customer support service for instructions.
[1] http://news.com.com/Sony+CD+protection+sparks+security+concerns/2100-7355_3-5926657.html
[2] http://news.com.com/Are+these+the+Sony+rootkit+CDs/2100-1029_3-5944549.html
[3] http://cp.sonybmg.com/xcp/
[4] http://cp.sonybmg.com/xcp/english/uninstall.html

From isn at c4i.org Fri Nov 11 03:35:34 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Nov 11 03:49:53 2005
Subject: [ISN] Rainbow warriors crack password hashes
Message-ID:

http://www.theregister.co.uk/2005/11/10/password_hashes/

By Robert Lemos
SecurityFocus
10th November 2005

A trio of entrepreneurial hackers hope to do for the business of password cracking what Google did for search and, in the process, may remove the last vestiges of security from many password systems.

Over the past two years, three security enthusiasts from the United States and Europe set a host of computers to the task of creating eleven enormous tables of data that can be used to look up common passwords. The tables - totaling 500GB - form the core data of a technique known as rainbow cracking, which uses vast dictionaries of data to let anyone reverse the process of creating hashes - the statistically unique codes that, among other duties, are used to obfuscate a user's password.

Last week, the trio went public with their service. Called RainbowCrack Online, the site allows anyone to pay a subscription fee and submit password hashes for cracking.

"Usually people think that a complex, but short, password is very secure, something like $FT%_3^," said Travis, one of the founders of RainbowCrack Online, who asked that his last name not be used. "However, you will find that our tables handle that password quite easily."

While security professionals have questioned whether a business can be created by offering access to rainbow tables, the endeavor does highlight the weaknesses in security of password-only authentication. History has shown that password systems are eminently breakable.
In August, a group of Chinese researchers found further breaks in a common hash function, the Secure Hash Algorithm or SHA-1, used by the U.S. government. In September, researchers from the University of California at Berkeley published a paper that demonstrated that the sound of a person typing can reveal the content, including passwords.

Those technical breaks do not even account for the human factor: People tend to pick simple passwords and disclose them frequently. In fact, many viruses and worms have successfully spread by trying to log into administrator accounts using a small list of common passwords.

Because of the problems, the U.S. government is requiring that banks move towards two-factor authentication, where the typical password security is augmented by a biometric or a physical security device. Some security researchers maintain that even adding a second type of security check is not enough.

The latest attack focuses on the hash functions used to verify passwords. Because operating systems cannot keep a copy of the password on the disk without weakening system security, the software instead saves a statistically unique code generated from the password. While the code, or hash, is computationally easy to create, reversing the process to recover the password is nearly impossible, given a correctly implemented hash function.

Rainbow tables sidestep the difficulty in cracking a single password by instead creating a large data set of hashes from nearly every possible password. To break a password, the attacker merely looks up the hash to find the password that produces that code.

"Creating the tables takes much more time than cracking a single hash, but then you can use the tables over and over again," said Philippe Oechslin, CEO of Swiss information-technology firm Objectif Sécurité and the inventor of rainbow tables.
"The advantage of rainbow tables is that once you have the tables it is faster than a brute force (attack) and it needs less memory than a full dictionary (attack) of the function."

The theory behind rainbow tables extends research by Martin Hellman and Ronald Rivest done in the early 1980s on the performance trade-offs between processing time and the memory needed for cryptanalysis. In a paper published in 2003, Oechslin refined the techniques and showed the attack could reduce the time to attack 99.9 per cent of Microsoft's LanMan password scheme to 13.6 seconds from 101 seconds. Further refinements have reduced the number of false positives produced by the system.

"This is something that you are never supposed to be able to do with (a good implementation of) crypto - generate every single possible combination," said Dan Moniz, a member of the Shmoo group, a coalition of security researchers and the manager of the group's own rainbow table project.

RainbowCrack Online will offer 11 tables covering six different hash algorithms, including LanMan, MD5, MySQL 323, and SHA-1. Offering the tables in an online service is not about helping attackers, but about helping system administrators secure their systems, said RainbowCrack's Travis.

"Attackers already have tables like these, (so) RainbowCrack serves as a tool to judge what is and what is not a secure password policy," he said.

Making money with rainbow tables is not a new idea. A handful of efforts have been started and then stalled. Zhu Shuanglei, who created the open-source tool that RainbowCrack Online uses to generate its tables, has generated a 64GB LanMan table and advertises it for sale for $400. The Shmoo group created its own rainbow tables to crack Microsoft's LanManager hashes and offered them for free through BitTorrent, and at the DEF CON hacking convention, Shmoo's Moniz saw several versions of the LanManager tables for sale.
People with free computer time would calculate the tables hoping to make a little money, he said.

The experience has Shmoo's Moniz questioning whether there will be demand for a service like RainbowCrack Online. Bruce Schneier, a well-known cryptographer and chief technology officer of network monitoring service Counterpane Internet Security, agrees.

"There could be a criminal business in it," he said. "But I don't see the legitimate business demand for rainbow tables."

To some extent, RainbowCrack Online applies Google's business model to cracking encryption. Like Google, RainbowCrack Online gives web access to a large database of information. Both services go through a lot of effort and a lot of memory to give users a quick answer to a query. And both services could be reproduced, barring patent hurdles.

Yet, while searching the web has obvious utility, the usefulness of rainbow tables is questionable, because good programming can make the tables require several orders of magnitude more memory, rendering the technique essentially useless. Specifically, adding several unpredictable bytes at the beginning of a password before hashing, a technique known as salt, can add several orders of magnitude of complexity to any cryptanalysis of the result.

"Remember that rainbow tables only work for inferior functions that use no salt or initialization vector," Objectif Sécurité's Oechslin said. "If programmers were more careful, there would be no market for a rainbow Google."

RainbowCrack Online's founders disagree. The lion's share of cryptographic hash functions are not well implemented and thus could be broken with their tables quite easily, RainbowCrack's Travis said.

Counterpane's Schneier agrees.

"All we have is anecdotal evidence about development practices, but I would agree that a lot of systems are weak," Schneier said. "The biggest problem that we as cryptographers have to face is bad implementations."
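The time-memory trade-off and the salting mitigation described above, as an added worked example that is not part of the article or of any product it names: a toy Oechslin-style table over a 3-letter lowercase password space and unsalted MD5, with position-dependent reduction functions and the false-alarm check the text alludes to. The alphabet, chain length, chain count and start-point spacing are assumptions chosen to keep the run short; the salted lookup shows why a table built for H(pw) recovers nothing once the stored value is H(salt || pw).

```python
import hashlib
import string

# Toy password space (an assumption for the demo): lowercase a-z, exactly 3
# characters, i.e. 17,576 candidates. Real tables cover far larger spaces.
ALPHABET = string.ascii_lowercase
PW_LEN = 3
SPACE = len(ALPHABET) ** PW_LEN
CHAIN_LEN = 40       # hashes per chain: the "time" side of the trade-off
NUM_CHAINS = 600     # chains stored: the "memory" side (only endpoints kept)


def index_to_password(i):
    """Map an integer in [0, SPACE) to a password (mixed-radix digits)."""
    chars = []
    for _ in range(PW_LEN):
        i, r = divmod(i, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def md5_hex(s):
    """Unsalted MD5, one of the hash types the article says the service covers."""
    return hashlib.md5(s.encode()).hexdigest()


def reduce_hash(hexdigest, position):
    """Reduction function: fold a hash back into the password space.

    Making it depend on the chain column is Oechslin's refinement over plain
    Hellman chains: two chains only merge if they collide in the same column.
    """
    return index_to_password((int(hexdigest, 16) + position) % SPACE)


def chain_end(start_password):
    """Walk one chain: password -> hash -> reduce -> ... -> final password."""
    pw = start_password
    for pos in range(CHAIN_LEN):
        pw = reduce_hash(md5_hex(pw), pos)
    return pw


def build_table():
    """Precompute NUM_CHAINS chains; store only endpoint -> [start passwords].

    Keeping a list per endpoint preserves chains that happen to merge, so a
    password inside a merged chain is still recoverable.
    """
    table = {}
    for i in range(NUM_CHAINS):
        start = index_to_password((i * 7919) % SPACE)  # deterministic spread
        table.setdefault(chain_end(start), []).append(start)
    return table


def lookup(table, target_hex):
    """Recover the password behind an unsalted MD5, or None if not covered.

    For each column j, assume the target sat there, regenerate the rest of
    the chain and test whether that endpoint is stored. Every hit is then
    verified by walking the candidate chain from its start, which discards
    the false positives the article mentions.
    """
    for j in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_hash(target_hex, j)
        for pos in range(j + 1, CHAIN_LEN):
            pw = reduce_hash(md5_hex(pw), pos)
        for start in table.get(pw, []):
            cand = start
            for pos in range(j + 1):
                if md5_hex(cand) == target_hex:
                    return cand
                cand = reduce_hash(md5_hex(cand), pos)
    return None


def salted_md5_hex(password, salt):
    """The mitigation from the text: unpredictable bytes in front of the password."""
    return md5_hex(salt + password)


def recoverable_fraction(table, sample_size):
    """Share of the first sample_size passwords the table recovers.

    Shows the trade-off numerically: NUM_CHAINS stored entries instead of
    SPACE hashes, paid for with extra hashing per lookup and partial coverage.
    """
    hits = 0
    for i in range(sample_size):
        pw = index_to_password(i)
        if lookup(table, md5_hex(pw)) == pw:
            hits += 1
    return hits / sample_size


if __name__ == "__main__":
    table = build_table()
    print("stored entries:", sum(len(v) for v in table.values()), "of", SPACE)
    print("unsalted 'aaa' ->", lookup(table, md5_hex("aaa")))
    # With a salt the precomputed chains no longer apply: no 3-letter candidate
    # hashes to H(salt||pw), so verification fails and the table finds nothing.
    print("salted 'aaa'   ->", lookup(table, salted_md5_hex("aaa", "q7Z")))
    print("coverage of first 300 passwords:", recoverable_fraction(table, 300))
```

A defender can rebuild the table for one salt value, but every distinct salt demands its own table, which is the "orders of magnitude more memory" the article describes.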
For such insecure password implementations, rainbow-table services may be the sign that it's time to reconsider security.

Copyright © 2005, SecurityFocus

From isn at c4i.org Fri Nov 11 03:39:04 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Nov 11 03:50:21 2005
Subject: [ISN] No Fed Security Laws, Hurrah!!
Message-ID:

http://www.wired.com/news/politics/0,1283,69525,00.html

By Ryan Singel
Nov. 10, 2005

Despite the seemingly unending torrent of citizens' data pouring into the hands of identity thieves, Congress is unlikely to pass any data-security bills by the end of the year, according to Hill watchers. And consumer advocates say that's a good thing.

After the nationwide uproar when ChoicePoint admitted it sold 145,000 dossiers to Nigerian identity thieves, 20 states followed California's lead and passed laws requiring companies to notify citizens when their data had been compromised.

Now, companies are already acting as if the country had a national notification law, said Gail Hillebrand, a senior attorney at Consumers Union [1]. In addition, Hillebrand said the strict state laws are more consumer-friendly than any proposals in Congress.

"I would rather see Congress fail to act than pass a weak federal bill that gives less notice than consumers are already getting due to stronger state laws," Hillebrand said.

Chris Hoofnagle, director of the Electronic Privacy Information Center West [2], echoed Hillebrand's assessment, adding that as new state laws go into effect in the beginning of 2006, federal lawmakers will face pressure from states that don't want their legislation overridden by Congress.

"Consumers will get a better deal with no federal bill this year," Hoofnagle said.

In particular, Hoofnagle and Hillebrand point to portions of several congressional bills that would require notification only if the company determines it is likely that identity theft will happen.
By contrast, California requires businesses or agencies to notify anyone whose name and Social Security number, or credit card number, was acquired by an unauthorized person.

Though banks and data brokers have long opposed federal privacy legislation in favor of self-regulation, both industries are now asking Congress to step in to create a single national standard and cap the limits on their liability in case of a breach.

Congress' progress toward a final bill has been stalled by the sheer number of proposed bills and the number of committees that claim jurisdiction over consumer rights, financial institutions and data brokers.

Just last week, a House consumer-protection subcommittee approved, by a party-line vote, a bill [3] by Florida Republican Cliff Stearns, while a House financial-services subcommittee will hear testimony on a separate bill [4] Wednesday.

It is unlikely that Congress will be able to decide on a single bill before it recesses in December, though the issue is expected to remain a priority when Congress reconvenes.

Also at issue in the debate are state laws that allow consumers to pre-emptively "freeze" their credit reports so identity thieves cannot open new accounts without knowing a security code.

For instance, New Jersey's new law, which goes into effect Jan. 1, allows residents to freeze their credit for free and then pay a $5 fee to each credit bureau to open the report when they apply for a line of credit.

Notification laws help, but credit freezes protect you from thefts you don't even know about, according to Abigail Caplovitz, legislative advocate for New Jersey Public Interest Research Group [5].

"We now live in the identity-theft world," Caplovitz said. "We need credit bureaus to change how they do business."
[1] http://www.consumersunion.org/
[2] http://www.epic.org/west/
[3] http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=109_cong_bills&docid=h4127ih.txt
[4] http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=109_cong_bills&docid=h3997ih.txt
[5] http://www.njpirg.org/

From isn at c4i.org Tue Nov 15 01:26:43 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 15 01:43:12 2005
Subject: [ISN] Study shows students cause computer issues
Message-ID:

http://thetartan.org/news/2005/11/14/computer

by Matthew McKee
November 14, 2005

According to a recent survey published by the Chronicle of Higher Education, you are your computer's worst enemy. The survey reported that out of 319 studied incidents, recklessness and apathy caused roughly 40 percent of computer security problems. This means that many network security problems such as viruses, data loss, and remote hacker control of a personal computer arise from a common source that causes more problems than malicious hacking: student negligence.

Students push aside their responsibilities to follow network policies, and this creates far too many problems that network security administrators want to prevent.

Joel Smith, the vice-provost and chief information officer for Computing Services at CMU, said that most responsibility falls "in the hands of the users themselves." He said that the lack of student adherence to network guidelines causes the "vast majority of incidents of intrusion." Although CMU did not participate in the Chronicle's survey, its findings may have fallen in line with other universities across the country.

Smith emphasized that with an open environment of computing, "incidents of intrusion" become much harder to control. Student use of the Internet presents a "real challenge" for Smith and his colleagues to monitor. "The campus network is not like a corporate structure where everything is rigidly controlled," he said, "[so] this is a joint effort between students and Computing Services."
However, he qualified this statement by saying, "We are still in an era of computing responsibility.... A lot of weight still falls on the individual." This weight at CMU means precautions that users must take - unless they want to see their network connections turned off.

Conor McGrath, the University of Chicago's manager for network security, says that his university pursues network security a bit differently. They distribute a compact disc containing a "connectivity package" and require students to firewall their machines. The laundry list of precautions for this institution proves much shorter than the to-do list CMU gives its residents.

McGrath does not want to cross the line of student privacy, but at the same time, security has become such a major issue that his office has taken responsibility for the security of the dorm networks "to a certain point."

McGrath, like Smith, admitted that the "vast majority" of incidents stemmed from user carelessness, but, he said, "Students are worried about being students. They're not trying to become computer security experts."

He said his office currently wants to develop programs to raise user awareness and reduce the number of security incidents, but he sees a problem in convincing students to turn away from merely skipping policies and ignoring advice. He identified a "click-through culture" that needs a dramatic reduction.

Both McGrath and Smith brought up the necessity of good dialogue between students and computing security officials that will help promote student responsiveness to security problems.

McGrath said, "A computer is not as easy to use as a toaster. Unfortunately, students want to treat their computers as appliances."
From isn at c4i.org Tue Nov 15 01:26:55 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 15 01:43:53 2005
Subject: [ISN] FBI's cyber division wins key backing in Congress
Message-ID:

http://www.govexec.com/story_page.cfm?articleid=32810

By Greta Wodele
National Journal's Technology Daily
November 14, 2005

An FBI squad charged with catching computer hackers and designing gadgets found financial backing this year from Senate appropriators, who won support to restore $20 million in fiscal 2006 funding for the agents.

"Cyber investigations have been deemed an FBI top priority mission by the FBI and by this committee," the Senate Appropriations panel wrote in its report on the measure to fund the Justice Department, among others. "As such, the committee was surprised to learn the FBI imposed funding decreases on the cyber division, particularly to the special technologies and applications section, disproportionate to its mission priority and impact on counter-terrorism efforts."

The section engineers support hundreds of counter-terrorism, counter-intelligence and criminal investigations involving digital or electronic information, according to the FBI. They also develop new tools and technologies for various FBI projects, ranging from computer-intrusion investigations to hostage rescue teams.

The FBI director has slashed $35 million from the squad over the last five years. This year, Senate appropriators decided to stop the gouging, directing the agency to restore the $35 million in cuts. But when the committee met with House colleagues to craft a compromise spending bill, the lawmakers settled on $20 million "because of competing interests," the panel's spokeswoman said.

The $20 million is in addition to the division's estimated $65 million annual budget, according to appropriations staffers.
An FBI official argued that the Senate appropriators' $35 million figure is misleading because it included funding provided in emergency spending measures from previous years.

"The amount referenced in the mark can be characterized by line items that were funded for one year, rather than into perpetuity," the official said, adding that the cuts also were due to government-wide rescissions and the director's decision to transfer money to higher priorities.

"A program manager may be disappointed that their program was cut, but they are taking it along with everybody else," said the official, explaining that the agency used some of the funding to compensate employees for a cost-of-living adjustment in their salaries and hire personnel because Congress did not provide enough money this year for compensation benefits.

The House last week overwhelmingly approved the final version of the spending bill, and the Senate is likely to follow suit this week.

From isn at c4i.org Tue Nov 15 01:27:32 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 15 01:46:29 2005
Subject: [ISN] China's latest boom industry: spying on British businesses
Message-ID:

http://business.guardian.co.uk/story/0,16781,1639928,00.html

Richard Norton-Taylor and Nils Pratley
November 11, 2005
The Guardian

The president enjoyed all the pomp and protocol that traditionally come with a state visit, reflecting the importance of the man, and the emerging superpower that he represents. But as China's Hu Jintao tucked into his filet de sole pompadour during the banquet at Buckingham Palace on Tuesday, and again as he flew back to Beijing yesterday after his three-day visit, Britain's security services were left pondering a more delicate issue: how many of the president's entourage had been left behind?
While on the diplomatic and commercial level relations between the two countries appear to be flourishing, with British ministers and businesses eager to cash in on China's booming economy, the security services are concerned about what is happening under the surface.

MI5 has become increasingly anxious about an increase in spying by the Chinese. Officials are unsure how widespread it is, and what impact it is having. The agency believes that "at least 20 foreign intelligence services are operating to some degree against UK interests", and say the Chinese and Russians concern them most.

The Chinese, security sources said yesterday, have become supreme opportunists, hoovering up information on the "grains of sand" principle: picking up the smallest pieces of information whether relating to business, industry or security and closely analysing them back home.

Justin King, managing director of C2i, a UK counter-espionage consultancy, said yesterday that businesses were all too aware of what is happening, particularly when they hire Chinese staff. "The Chinese are desperate to find out everything about how western companies operate and how they are structured. It is old-fashioned human intelligence gathering - it's thousands of years old and it works. Employers should plan for the fact that there is a strong likelihood information, even if it is low-level stuff, will be fed back to China."

Whitehall officials cited examples:

* After the deaths last year of 21 Chinese cocklers at Morecambe Bay, the Chinese government sent over what was described as a "police delegation" to help identify the dead men and offer any other assistance to their British counterparts. However, the delegation was suspiciously big, leaving MI5 worried that it contained spies. "MI5 took certain measures to counter them," said a well-placed Whitehall source.
* After 58 Chinese stowaways were found dead in the back of a lorry in Dover, the Chinese government again sent a large delegation to help Kent police identify the men before the trial last year. A member of the team was later found logging on to the police national computer. It is unclear what he found out.

* One British company anxious to develop its business with China recently invited a delegation to visit its factory in the UK. The Chinese authorities sent a delegation, but only a few of them turned up. The rest were believed to have travelled around Britain inviting themselves to defence and research establishments. Security sources say if a British company creates a fuss about visitors who fail to turn up, the Chinese threaten to cancel the company's licence to trade.

The Chinese are interested in particular in scientific and hi-tech developments. "The Chinese economy is booming but what they are short of is information technology and modern processing, manufacturing and design skills," said Mr King. When Chinese nationals work in the west, he added, "our clients' experience is that they have mixed loyalties".

Mr King said: "We have come across cases where Chinese nationals are working at the heart of British companies' IT security departments with access to entire databases. To my mind, that is a business risk too far."

In Britain, China is said to be focusing on niche products, including security and surveillance systems, and especially dual use equipment - items that have a civil as well as military use.

But the FBI is also growing anxious about the impact of Chinese spies within the US. In February the bureau's assistant director of counter-intelligence, David Szady, urged US businesses to help the service stop the theft of business and technology secrets. He cited Russia, Iran, Cuba and North Korea but focused mainly on China, saying there were about 3,000 front Chinese companies in the US.
Security sources say the speed and effectiveness with which the US conducted the 1991 Gulf war was a "wake-up call" for the Chinese.

Mr Szady said US companies should "partner up" with FBI agents to protect security. But some would always get through, he said. "Even as we increase our numbers of agents, we can't possibly totally stop it. If you have a little national asset, whatever it is ... they want that little thing that you produce. And they need it to make their missile fly straight or so they can compete in electronic warfare."

From isn at c4i.org Tue Nov 15 01:27:57 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 15 01:47:28 2005
Subject: [ISN] Book Excerpt: Identity Thieves (Chapter 7 from Dan Verton's latest book, The Insider)
Message-ID:

http://www2.csoonline.com/exclusives/column.html?ID=14346

[InfoSec News hoped to have received a review copy of "The Insider" from the publisher, but the author, Dan Verton "wasn't willing to incur the expense for email lists whose members have already read multiple reviews in various publications that they all get." So here is an excerpt of an excerpt, of what I've seen of "The Insider" online. - WK]

-=-

The infamous outlaw Jesse James likely spins in his grave each time somebody utters the following statistic: bank robberies are actually on the decline, with banks reporting only $70 million in losses in 2001 from robberies and average losses from those robberies totaling less than $5,000 per incident between 1996 and 2001. The decline of traditional-style bank robberies is a direct result of improvements in technology and the application of those technologies to the new banking environment.
Today, banks are open, airy places, well-lighted and equipped with silent alarms, networked surveillance cameras, tainted "bait money" that enables law enforcement officers to track the thieves that manage to get away, and a massive electronic infrastructure that no longer requires bank tellers to have access to large stores of cash to conduct financial transactions.

But have bank robberies really declined in recent years? The answer to that question really depends on how you define bank robbery. In the modern age of electronic banking, Internet technologies have transformed the banking experience to such a significant degree that the concept of bank robbery can no longer be defined as its traditional form. Today, the traditional bank robbery, in which an armed robber physically enters a bank to carry out a "stick-up," has been replaced by a growing multitude of fraud schemes, including check fraud, credit card fraud, automated clearing house (ACH) fraud, Internet commerce fraud, phishing scams, loan fraud, securities fraud, embezzlement, and identity theft. The modern American bank has recognized the security risks associated with the new electronic frontier and, as a result, has deployed all the state-of-the-art electronic security devices that one would expect to find in a security conscious enterprise - firewalls, intrusion detection devices, password management systems, and powerful encryption technologies.

Yet banks and financial institutions continue to lose millions of dollars every year to trusted insiders who understand where the weaknesses are in the system. In fact, insiders accounted for approximately 70%, or $2.4 billion, of the $3.4 billion that banks lost as a result of both internal and external fraud and hacker incidents in 2004. During the previous year, 24% of all FBI investigations and eventual convictions were related to insider fraud. In 2003, the FBI investigated nearly 7,300 cases of insider fraud in the banking and finance sector.
Those investigations led to 2,397 convictions or pretrial diversions, leaving a whopping two-thirds of all reported cases unsolved.[81] The FBI has also been tracking so-called "problem institutions" throughout the banking and finance industry. These organizations are defined as having "financial, operational or managerial weaknesses" that threaten their continued viability.

[...]

From isn at c4i.org Tue Nov 15 01:28:10 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 15 01:48:12 2005
Subject: [ISN] Bots may get cloak of encryption
Message-ID:

http://news.com.com/Bots+may+get+cloak+of+encryption/2100-7349_3-5952102.html

By Joris Evers
Staff Writer, CNET News.com
November 14, 2005

WASHINGTON -- In their quest to retain control over hijacked PCs, cybercriminals will add encryption to their malicious software to avoid detection and removal, one expert predicted Monday. In the near future, bots will include encryption to hide their presence from security and network sniffing tools often used to detect their presence, said Adam Meyers, an information assurance engineer at SRA International speaking at the Computer Security Institute conference here. "We will see encrypted sessions, and as things become encrypted, we'll have a more difficult time investigating botnets," Meyers said.

Once it is installed on a PC, bot software typically connects to Internet Relay Chat to listen for commands. The IRC traffic can be a giveaway to the presence of bot software on a PC and can be spotted by security software such as intrusion detection systems (IDS) or protocol analyzers, for example Ethereal. "Bot creators will try to evade IDSes that might be looking for IRC connections and to avoid things like Ethereal," Meyers said. "They will do pretty much anything to obfuscate what they are doing. It is a constant change-off; with new techniques it will take some time for people on the investigatory side to get on the same page."
Bots are a serious computer security problem, and law enforcement seems to just be catching up to it. Earlier this month, authorities announced the first bot-related arrest in the U.S. In October, police in the Netherlands said three men suspected of hijacking about 1.5 million PCs were arrested.

A computer that has bot software installed--for example through a malicious Web site or Trojan horse--is called a zombie. A network of zombies is referred to as a botnet. The zombies can be controlled remotely by the attacker, who can send commands while the owner is oblivious to what's happening. Botnets are often rented out by their owners, called bot herders, to relay spam and launch phishing scams to steal sensitive personal data for fraud. Botnets have also been used in blackmail schemes, where the criminals threaten online businesses with a denial-of-service attack on their Web site to extort money.

The bot writers have a choice of a variety of encryption technologies, according to Meyers. They could use SSH, SSL (Secure Sockets Layer), ROT-13 or a proprietary method, Meyers said. Such a bot would be harder to craft than today's bots, but worthwhile, he said. "The longer they keep their bot in place, the better it is for them, the more money they are going to make," Meyers said.

Copyright © 1995-2005 CNET Networks, Inc. All rights reserved.

From isn at c4i.org Tue Nov 15 01:28:20 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 15 01:48:55 2005
Subject: [ISN] Hacker admits stealing usernames
Message-ID:

http://www.chinadaily.com.cn/english/doc/2005-11/15/content_494599.htm

By Guan Xiaofeng
China Daily
2005-11-15

A hacker, who sold usernames stolen from China's most popular online messaging service has been detained in Shenzhen, South China's Guangdong Province. According to police, the hacker, from Guangxi, has admitted stealing and selling usernames for years. The messaging system, QQ, is so popular that usernames now have to be at least nine characters long.
The hacker stole prestige usernames, usually of five or six characters, and then sold them on the web. A normal QQ username of six characters could fetch more than 1,000 yuan (US$123), he said. One victim surnamed Zhang in Chongqing had his username stolen several times. Zhang told police that after his QQ username of five digits was stolen in May, he got it back from the Tencent company which runs the system. Several days later it was stolen again. After Zhang recovered his name for the second time, the hacker appeared online to tell Zhang to give up the name because he could easily decode the password and steal it again whenever he wanted. Zhang begged the hacker to leave his username alone by claiming it was for a public welfare undertaking. "The theft of virtual property is becoming more common," said Jiang Xihui, a law professor from the Chinese Academy of Social Sciences. Zhang said the stealing of virtual property, such as QQ usernames, cyber games' "equipment" or email addresses, should not be considered as less serious than the stealing of physical property. "Virtual property should be regarded as property because its owners spend time, labour and money on it," Zhang said. "A real cash value can be placed on virtual property by working out how much it would fetch if it was sold or auctioned in real life." Yu Zhigang, a law professor from the China University of Political Science and Law, agreed that virtual property should be protected. According to Yu, at the moment there are no specific laws dealing with virtual property rights. However, he said, current laws are adequate to deal with the theft of virtual property. Yu, who has been engaged in virtual property research for years, said the Supreme Court should issue a judicial explanation addressing the issue of virtual property theft. Earlier this year, three cyber thieves were sentenced to one-and-a-half year's imprisonment each by a local court in Jinhua, a city in Zhejiang Province. 
The three men looted accounts of cyber game players and then sold their virtual "weapons" to other players. The total value placed on the property they stole and traded was put at 1 million yuan (US$123,000). In court, the three were found guilty of damaging computer systems. Yu believes they should have been convicted of theft.

From isn at c4i.org Tue Nov 15 01:27:05 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 15 01:49:22 2005
Subject: [ISN] WhiteHat: Sydney's CBD a haven for Wardrivers
Message-ID:

http://www.zdnet.com.au/news/security/soa/WhiteHat_Sydney_s_CBD_a_haven_for_Wardrivers/0,2000061744,39221970,00.htm

By Munir Kotadia
ZDNet Australia
11 November 2005

Security firm WhiteHat has found that out of 751 wireless networks discovered in Sydney's central business district, 75 percent were unencrypted. Speaking at a hacking workshop in Sydney on Friday, WhiteHat's chief executive Jason Hart explained how he and a colleague drove around the CBD for 30 minutes on Thursday with a laptop to scan for wireless networks. To conduct the 'Wardrive', Hart used a standard IBM laptop loaded with NetStumbler and Kismet -- both of which are freeware WLAN detection tools.

Of the 751 wireless networks discovered, 75 percent were unencrypted and 35 percent were broadcasting their default station ID (SSID), which Hart said is a sign that they were 'rogue' access points unknown to administrators of the systems on which they resided. Hart said he was not surprised by the results of the test: "No, it is not a surprise. But my concern is how many companies are aware that those access points are within their business? Probably in the majority of cases [administrators] do not know about them." According to Hart, the test demonstrated that although companies spend millions of dollars buying security products to protect their business, far too many still 'leave the back door open'.
He advises administrators to 'sweep' their buildings for wireless networks at least once a month but preferably once a week. "It should be part of somebody's job description to sweep the building. It doesn't cost anything except a bit of time -- and you are minimising risk within the business. Download NetStumbler and walk about your building," added Hart.

From isn at c4i.org Tue Nov 15 01:27:19 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 15 01:49:44 2005
Subject: [ISN] Just don't ask me my mother's maiden name
Message-ID:

http://www.cbc.ca/news/viewpoint/vp_binks/20051111.html

Georgie Binks
CBC News Viewpoint
November 11, 2005

Usually I spend my days as a freelance writer tied to my computer. My kids and neighbours know who I am; the mailman feels confident about leaving letters in my mailbox. The dog keeps any unwanted intruders out - it's quite simple. But last summer, I faced three different security situations away from my home which left me frustrated, humiliated and, oddly enough, no longer feeling secure.

During a visit to Vancouver, I discovered I had forgotten my bank card in Toronto. After undergoing a cross-examination by my bank that included giving my mother's maiden name, recent transactions and money totals in each account, I had a new card. But to get it fully functional, I was forced to call the bank four more times and undergo another personal-identity interrogation, driven to patience only by the knowledge that a thief had easily lightened my bank account of $200 US south of the border in June.

My second encounter was at Ozzfest, a heavy-metal concert I attended with my son in the United States. After undergoing a full-body search and being disarmed of plastic water bottles and blankets, but thankfully not my migraine pills, I wandered into a parking lot where many bands were playing. The lot was full of stones and rocks - which I could have thrown at anybody if I'd wanted.
Security people just shrugged, embarrassed, when I confronted them about it.

My final security stunner started out with your basic airport experience. I flashed all my photo ID to anyone who was interested (and many who were not), because my fear of flying has been replaced by a fear of not flying. Five days later, I watched as people waiting for travelling relatives strolled into the baggage area and wandered up stairs. I marveled at how they outwitted security - it was simple, when people walked out, others walked in.

Such common security woes keep North Americans from their money, off planes and out of concerts, but do little to keep us safe from thieves or terrorist threats. The Fifth Estate showed the glaring reality of that this week, with its exposé on the lack of effective security in airports. Marcus Shields, a computer security expert, says society is subjected to "movie plot security," a term coined by security guru Bruce Schneier. "An awful lot of the security measures you see in everyday life are not being done by institutions because they are terribly effective, but because they need to be seen to be doing something," says Shields, enterprise product manager with Soltrus, which is owned by VeriSign, a computer security company. "What you see in larger bureaucracies is increasingly intrusive measures, which at the least subject people to delays, and at the worst serious personal humiliation."

The problem is much of this security starts to feel like a huge invisible straitjacket, meant to keep us safe from one another, but actually making modern life more impossible. The balance, says Shields, who was prevented last summer from photographing his daughter at a splash pool by security guards worried he would send pictures of her and other children over the internet, is: "How much inconvenience is it reasonable for the average person to put up with to gain a certain level of security back, and are those measures effective?"
He adds, "In the computer industry, we have a push from governments and bureaucracies these days to collect personal information, but at the same time our mandate is to keep personal data private." The other problem is that many systems such as internet banking, there to make life easier, become more complicated if security is beefed up. Shields says, "The more complex and intrusive a security system gets, the less secure it becomes. That's because users either won't be able to figure it out and give up, or else they will find some way of end-running the system." He says if people have to remember a bunch of passwords, they end up putting them on sticky notes on their computers, which defeats the purpose of security. My worry is that while adults of higher intelligence can usually fight their way through bureaucracies, etcetera, what about those not as mentally apt, or young people? How are they ever going to learn to navigate their way through the ever-burgeoning security systems these days? Shields believes there are two answers. One is that people will rebel against this first wave of "movie plot security." Secondly, he thinks that security will have to become more sophisticated. Right now, he says, much security is relatively cheap and can be run by unskilled operators. Shields says, "I'm hoping we see the Israeli approach. The airline, El Al, constantly targeted by terrorists, doesn't ask you stupid questions. They have highly trained officers in plain clothes. It's expensive, but it's also the most effective form of security, much more so than this 'let's frisk everyone at the door' kind of thing." I'm now taking part in my own personal battle against "movie plot" security. When a bank clerk phoned me the other day and asked for my security information before he would continue to speak to me, I told him he could hang up if he didn't believe it was me. When I won that round, I asked if the conversation was being recorded and he answered, "Yes." 
Good, I answered, because I told him I was also recording the conversation for a story I was writing. It was nice to hear the nervousness in his voice for once - kind of like the way I feel when I am cross-examined incessantly for "security" reasons. I wonder if he felt any safer, or did he feel like the criminal Big Brother thinks we all are?

From isn at c4i.org Wed Nov 16 02:17:50 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 16 02:28:39 2005
Subject: [ISN] Consumers punish firms over data security breaches
Message-ID:

http://www.theregister.co.uk/2005/11/15/data_security_breach_survey/

By John Leyden
15th November 2005

Consumer data security breaches are leading to customer revolt and an average cost per incident of $14m, according to a brace of surveys out this week. One in five US consumers quizzed by Ponemon Institute [1] said they immediately terminated their accounts with vendors that lost their information. An additional 40 per cent polled by the organisation's National Survey on Data Security Breach Notification considered taking their business elsewhere after receiving notifications of information mishandling. The survey polled 9,000 consumers, 12 per cent of whom had received notices of information security breaches.

A parallel study conducted by Ponemon estimates an average cost of $14m per security breach incident, with costs ranging as high as $50m. The survey, Lost Customer Information: What Does a Data Breach Cost Companies?, is among the first to look at data from actual cases of lost customer data. Covering 14 separate incidents, the research encompasses 1.4m compromised data records and an estimated total of $200m in resulting losses. Total cost estimates include the actual cost of internal investigations, outside legal defense fees, notification and call center costs, PR and investor relations efforts, discounted services offered, lost employee productivity, and the effect of lost customers.
Both studies show customers are punishing companies that lose their confidential and private information. However the second corporate study suggests a lower number of consumers take their business elsewhere following consumer data security breaches. This study suggests an average loss of 2.5 per cent of all customers, ranging as high as 11 per cent, as compared to 20 per cent defection after security screw-ups suggested by the consumer survey.

Corporations no longer have the option of hoping that US customers will not find out about mishandled information. Currently, 21 US states have laws requiring that customers or employees be notified when protected personal information has been breached. A series of high-profile consumer data security breaches involving US firms including data mining firm ChoicePoint, payment processing firm CardSystems Solutions and others have pushed the issue up the political agenda. Security firms such as PGP Corporation are cited by Ponemon as emphasising the need for wider use of encryption technologies in safeguarding customer data. Ponemon's studies can be downloaded from PGP's website here [2] (registration required).

[1] http://www.ponemon.org/
[2] http://www.pgp.com/ponemon

From isn at c4i.org Wed Nov 16 02:14:58 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 16 02:28:59 2005
Subject: [ISN] CMP Buys Black Hat
Message-ID:

http://www.lightreading.com/document.asp?doc_id=84296&WT.svl=wire1_1

NOVEMBER 15, 2005

MANHASSET, N.J. -- CMP Media, a marketing solutions company serving the technology, healthcare and entertainment markets, announced today that it has acquired Black Hat Inc., a producer of information security conferences and training that includes Black Hat Briefings and Conferences. Jeff Moss, founder and owner, will continue to run Black Hat and will join CMP Media as Director of Black Hat.
Combining CMP's current portfolio of Computer Security Institute (CSI), Secure Enterprise magazine and the Security Pipeline website with Black Hat, will position CMP Media as the strongest platform in the computer security media market. "Black Hat has been one of the most successful conferences in computer security, with incredible growth over the past five years," said Chris Keating, vice president of CMP's security media group. "Its approach to security, focusing on attacks and countermeasures, complements CSI's methodology of a broader approach to computer security." Black Hat was launched in 1997 by Jeff Moss to provide advanced education to security professionals within global corporations and federal agencies. Moss' mission was to mix the best minds of the computer underground with the leading security professionals. The result was a unique conference known for providing new and exclusive research from the top technologists in the world. Black Hat continued to grow and now offers briefings as well as customized training and consulting services to provide unmatched knowledge about upcoming security trends to three continents. "This move will enable Black Hat to take advantage of growth opportunities we couldn't pursue as a small company, such as international expansion, while enabling me to keep doing what I love the most -- working with speakers and building the conference programs," Jeff Moss added. Black Hat and CSI will remain separate entities within CMP; both will report to Chris Keating. Black Hat's flagship conference, Black Hat USA, will take place in Las Vegas July 2006. Black Hat also produces Black Hat Europe and Black Hat Asia. CMP's flagship event -- CSI's 32nd Annual Conference is currently taking place November 14-16 in Washington, D.C. and its CSI NetSec '06 will be held June 12-14, 2006 in Scottsdale, AZ. "Security, vulnerabilities and disasters are a daily concern for IT professionals at organizations around the globe. 
The security industry accounts for $46 billion in 2005 according to Forrester," noted CMP Media president and CEO, Steve Weitzner. "CMP's goal is to meet the needs of our customers and audiences. Black Hat deepens our security audience reach and reinforces our commitment to offering the strongest platform in the computer security media market."

From isn at c4i.org Wed Nov 16 02:15:16 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 16 02:29:28 2005
Subject: [ISN] 19 Ways to Build Physical Security into a Data Center
Message-ID:

http://www.csoonline.com/read/110105/datacenter.html

By Sarah D. Scalet
CSO Magazine
November 2005

At information-intensive companies, data centers don't just hold the crown jewels; they are the crown jewels. Protecting them is a job for whiz-bang technologists, of course. But just as important, it's a job for those with expertise in physical security and business continuity. That's because all the encryption and live backups in the world are a waste of money if someone can walk right into the data center with a pocket knife, a camera phone and bad intentions.

There are plenty of complicated documents that can guide companies through the process of designing a secure data center: from the gold-standard specs used by the federal government to build sensitive facilities like embassies, to infrastructure standards published by industry groups like the Telecommunications Industry Association, to safety requirements from the likes of the National Fire Protection Association. But what should be the CSO's high-level goals for making sure that security for the new data center is built into the designs, instead of being an expensive or ineffectual afterthought? Read below to find out how a fictional data center is designed to withstand everything from corporate espionage artists to terrorists to natural disasters. Sure, the extra precautions can be expensive.
But they're simply part of the cost of building a secure facility that also can keep humming through disasters.

1.) Build on the right spot. Be sure the building is some distance from headquarters (20 miles is typical) and at least 100 feet from the main road. Bad neighbors: airports, chemical facilities, power plants. Bad news: earthquake fault lines and (as we've seen all too clearly this year) areas prone to hurricanes and floods. And scrap the "data center" sign.

2.) Have redundant utilities. Data centers need two sources for utilities, such as electricity, water, voice and data. Trace electricity sources back to two separate substations and water back to two different main lines. Lines should be underground and should come into different areas of the building, with water separate from other utilities. Use the data center's anticipated power usage as leverage for getting the electric company to accommodate the building's special needs.

3.) Pay attention to walls. Foot-thick concrete is a cheap and effective barrier against the elements and explosive devices. For extra security, use walls lined with Kevlar.

4.) Avoid windows. Think warehouse, not office building. If you must have windows, limit them to the break room or administrative area, and use bomb-resistant laminated glass.

5.) Use landscaping for protection. Trees, boulders and gulleys can hide the building from passing cars, obscure security devices (like fences), and also help keep vehicles from getting too close. Oh, and they look nice too.

6.) Keep a 100-foot buffer zone around the site. Where landscaping does not protect the building from vehicles, use crash-proof barriers instead. Bollard planters are less conspicuous and more attractive than other devices.

7.) Use retractable crash barriers at vehicle entry points. Control access to the parking lot and loading dock with a staffed guard station that operates the retractable bollards. Use a raised gate and a green light as visual cues that the bollards are down and the driver can go forward. In situations when extra security is needed, have the barriers left up by default, and lowered only when someone has permission to pass through.

8.) Plan for bomb detection. For data centers that are especially sensitive or likely targets, have guards use mirrors to check underneath vehicles for explosives, or provide portable bomb-sniffing devices. You can respond to a raised threat by increasing the number of vehicles you check, perhaps by checking employee vehicles as well as visitors and delivery trucks.

9.) Limit entry points. Control access to the building by establishing one main entrance, plus a back one for the loading dock. This keeps costs down too.

10.) Make fire doors exit only. For exits required by fire codes, install doors that don't have handles on the outside. When any of these doors is opened, a loud alarm should sound and trigger a response from the security command center.

11.) Use plenty of cameras. Surveillance cameras should be installed around the perimeter of the building, at all entrances and exits, and at every access point throughout the building. A combination of motion-detection devices, low-light cameras, pan-tilt-zoom cameras and standard fixed cameras is ideal. Footage should be digitally recorded and stored offsite.

12.) Protect the building's machinery. Keep the mechanical area of the building, which houses environmental systems and uninterruptible power supplies, strictly off limits. If generators are outside, use concrete walls to secure the area. For both areas, make sure all contractors and repair crews are accompanied by an employee at all times.

13.) Plan for secure air handling. Make sure the heating, ventilating and air-conditioning systems can be set to recirculate air rather than drawing in air from the outside. This could help protect people and equipment if there were some kind of biological or chemical attack or heavy smoke spreading from a nearby fire. For added security, put devices in place to monitor the air for chemical, biological or radiological contaminant.

14.) Ensure nothing can hide in the walls and ceilings. In secure areas of the data center, make sure internal walls run from the slab ceiling all the way to subflooring where wiring is typically housed. Also make sure drop-down ceilings don't provide hidden access points.

15.) Use two-factor authentication. Biometric identification is becoming standard for access to sensitive areas of data centers, with hand geometry or fingerprint scanners usually considered less invasive than retinal scanning. In other areas, you may be able to get away with less-expensive access cards.

16.) Harden the core with security layers. Anyone entering the most secure part of the data center will have been authenticated at least three times, including:

a. At the outer door. Don't forget you'll need a way for visitors to buzz the front desk.

b. At the inner door. Separates visitor area from general employee area.

c. At the entrance to the "data" part of the data center. Typically, this is the layer that has the strictest "positive control," meaning no piggybacking allowed. For implementation, you have two options:

(1) A floor-to-ceiling turnstile. If someone tries to sneak in behind an authenticated user, the door gently revolves in the reverse direction. (In case of a fire, the walls of the turnstile flatten to allow quick egress.)

(2) A "mantrap." Provides alternate access for equipment and for persons with disabilities. This consists of two separate doors with an airlock in between. Only one door can be opened at a time, and authentication is needed for both doors.

d. At the door to an individual computer processing room. This is for the room where actual servers, mainframes or other critical IT equipment is located. Provide access only on an as-needed basis, and segment these rooms as much as possible in order to control and track access.

17.) Watch the exits too. Monitor entrance and exit, not only for the main facility but for more sensitive areas of the facility as well. It'll help you keep track of who was where when. It also helps with building evacuation if there's a fire.

18.) Prohibit food in the computer rooms. Provide a common area where people can eat without getting food on computer equipment.

19.) Install visitor rest rooms. Make sure to include bathrooms for use by visitors and delivery people who don't have access to the secure parts of the building.

E-mail Senior Editor Sarah D. Scalet at sscalet @ cxo.com.

From isn at c4i.org Wed Nov 16 02:17:17 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 16 02:29:52 2005
Subject: [ISN] A T-Shirt-and-Dagger Operation
Message-ID:

Forwarded from: William Knowles

http://www.nytimes.com/2005/11/13/weekinreview/13shane.html

By SCOTT SHANE
November 13, 2005

WASHINGTON - A DOCUMENTARY on Italian television on Tuesday accuses American forces of using white phosphorus shells in the assault on Falluja last year not just for nighttime illumination, their usual purpose, but to burn to death Iraqi insurgents and civilians. The mainstream American news media, whose reporters had witnessed the fighting and apparently seen no evidence of this, largely ignored the claim. But on the Internet home page of the Open Source Center, a new American intelligence unit that keeps an eye on the global flood of nonsecret information, a report on the documentary was featured prominently. "We posted it because it was getting significant play on the Web and in foreign media, which means it could influence public opinion," said Douglas J. Naquin, director of the center. The Web site - open to government workers and contractors - included links to the video and to foreign news reports about it from the BBC in London to The Daily Times in Pakistan.
In the jargon-happy world of spying, Humint is human intelligence, or the recruitment of foreign agents; Sigint is signals intelligence, or eavesdropping; Imint is imagery intelligence, or satellite photography. But those costly disciplines are best for obtaining well-hidden nuggets: plans for the next Qaeda attack, or the state of North Korea's nuclear program. By contrast, Osint, or open-source intelligence, is a low-cost way to try to understand the Islamic militancy that fuels Al Qaeda or to track subtle shifts in the public statements of Kim Jong Il, the eccentric North Korean dictator. It gleans insights not just from foreign newspapers and television, as its less ambitious predecessor did, but from the ballooning riches of the Web and such diverse sources as Palestinian rap and Indonesian T-shirts. The creation of the center, announced last week, might seem like it comes late in the game, given that the Web has been a resource for years. Indeed it reflects a growing consensus that open-source intelligence has been neglected, in part because it lacks the attraction of stolen secrets. "Collecting intelligence these days is at times less a matter of stealing through dark alleys in a foreign land to meet some secret agent than one of surfing the Internet under the fluorescent lights of an office cubicle," Stephen Mercado, a C.I.A. analyst, wrote last year in the agency's in-house journal, Studies in Intelligence. The presidential commission on intelligence regarding weapons of mass destruction agreed, recommending last summer a major expansion of the open-source collection. John E. Pike, who follows American intelligence agencies at a Web site, GlobalSecurity.org, that itself is a rich compilation of open-source material, noted that the use of public information had grown since the 1940's, when the government's Foreign Broadcast Information Service began translating media. 
He said the greatest challenge for the center, which replaces F.B.I.S., would be to select what is most revealing. "It's like drinking from Niagara Falls," he said.

Some might question what can be learned from inflammatory T-shirt slogans or Web scribblings. But officials say such easily collected items help fill in the intelligence mosaic, allowing agents and eavesdroppers in the other intelligence spheres to focus on the truly hard-to-get secrets.

Open-source officers scan technical journals for evidence of suspicious work on toxins or germs that might be used in an attack. They follow trade publications to identify companies capable of supplying parts to illicit nuclear programs. They lurk in foreign-language chat rooms, hunting for insights into shifting public opinion.

The center's officers have found that Farsi, the language of Iran, is among the top five languages used by bloggers, who can be quite informative. Snapshots posted on Iranian blogs show how young women are following or flouting ruling clerics' strictures on head coverings and skirt lengths - not exactly a code-cracker, but one gauge of the public mood.

"There's not much difference between working with a disgruntled military officer as a clandestine agent and reading what a disgruntled military officer posts on a blog," Mr. Naquin said.

The center's Web site has a page cataloging the 93 public appearances this year of Mr. Kim by date, location and companions. It archives his statements and video going back a decade, and devotes a section to his health. The mercurial autocrat's nuclear ambitions make any hints about his intentions and future of intense interest to United States policymakers.

Similar pages track Osama bin Laden and Abu Musab al-Zarqawi, whose savvy use of the news media makes them natural open-source targets. Even as Mr. Zarqawi, leader of Al Qaeda in Iraq, has eluded capture, his group has issued daily Web reports on its attacks, often with video.
Some of the posted information, albeit unvetted, would be a coup for any secret agent. On Friday, for instance, a Web communiqué described in detail the hotel bombings in Jordan, giving the nationality, gender and noms de guerre of the attackers.

*====================================================================*
"Communications are the nervous system of the entire SAC organization, and their protection is therefore, of the greatest importance. I like to say that without communications, all I control is my desk, and that is not a very lethal weapon."
--- General T.S. Power U.S.A.F
----------------------------------------------------------------------
erehwon@c4i.org http://www.c4i.org/erehwon/
*====================================================================*

From isn at c4i.org Wed Nov 16 02:18:07 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 16 02:32:21 2005
Subject: [ISN] Sony Numbers Add Up to Trouble
Message-ID:

http://www.wired.com/news/technology/0,1282,69573,00.html

By Quinn Norton
Nov. 15, 2005

More than half a million networks, including military and government sites, were likely infected by copy-restriction software distributed by Sony on a handful of its CDs, according to a statistical analysis of domain servers conducted by a well-respected security researcher and confirmed by independent experts Tuesday.

Sony BMG has been on the run for almost two weeks with the public relations debacle of its XCP copy-restriction software, which has installed an exploit-vulnerable rootkit with at least 20 popular music titles on PCs all over the world.

While the company has committed to withdrawing the CDs from production, and is said to be pulling them from the shelves, the biggest problem remaining for the company, and perhaps the internet as well, is how many Sony-compromised machines are still out there. That's a number only Sony knows for sure -- and isn't releasing.
One person, however, is getting closer to a global figure: Dan Kaminsky, an independent internet security researcher based in Seattle. Using statistical sampling methods and a secret feature of XCP that notifies Sony when its CDs are placed in a computer, Kaminsky was able to trace evidence of infections in a sample that points to the probable existence of at least one compromised machine in roughly 568,200 networks worldwide. This does not reflect a tally of actual infections, however, and the real number could be much higher.

Each installation of Sony's rootkit not only hides itself and rewrites systems drivers, it also communicates back to Sony and the creators of the software, British company First 4 Internet and Phoenix-based SunnComm Technologies, who handled the Mac side for Sony. Sony did not respond to phone calls seeking comment. First 4 Internet declined to comment for this story.

Kaminsky discovered that each of these requests leaves a trace that he could follow and track through the internet's domain name system, or DNS. While this couldn't directly give him the number of computers compromised by Sony, it provided him the number and location (both on the net and in the physical world) of networks that contained compromised computers. That is a number guaranteed to be smaller than the total of machines running XCP.

His research technique is called DNS cache snooping, a method of nondestructively examining patterns of DNS use. Luis Grangeia invented the technique, and Kaminsky became famous in the security community for refining it.

Kaminsky asked more than 3 million DNS servers across the net whether they knew the addresses associated with the Sony rootkit -- connected.sonymusic.com, updates.xcp-aurora.com and license.suncom2.com. He uses a "non-recursive DNS query" that allows him to peek into a server's cache and find out if anyone else has asked that particular machine for those addresses recently.
If the DNS server said yes, it had a cached copy of the address, which means that at least one of its client computers had used it to look up Sony's digital-rights-management site. If the DNS server said no, then Kaminsky knew for sure that no Sony-compromised machines existed behind it.

The results have surprised Kaminsky himself: 568,200 DNS servers knew about the Sony addresses. With no other reason for people to visit them, that points to one or more computers behind those DNS servers that are Sony-compromised. That's one in six DNS servers, across a statistical sampling of a third of the 9 million DNS servers Kaminsky estimates are on the net.

The damage spans 165 countries, with the top five countries being Spain, the Netherlands, Great Britain, the United States and Japan, which, with more than 217,000 DNS servers reporting knowledge of Sony-related addresses, takes the top spot.

Could the traffic be from human visitors? Kaminsky doesn't think so. "Having First 4 Internet at the scale of 700,000 or 800,000 name servers knowing about it -- it's just not that popular a site."

Kaminsky doesn't speculate on how many machines may actually be compromised. "My approach is entirely statistical -- the only people who know are the people who put together the software themselves. The problem is they don't have to tell us the truth."

Adam Stubblefield, an assistant research professor of computer science at Johns Hopkins University, has inspected Kaminsky's methodology, and noted security researcher Ed Felten of Princeton University is currently reproducing his work. Stubblefield expresses confidence.

"Dan has done a very careful job of collecting the data, and thought through all the possibilities for false positives, and filtering out all the data points," Stubblefield said. "He's produced a lower bound on the number of (positive DNS servers)."
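The non-recursive cache check the article describes, as an added example that is not Kaminsky's code and not part of the original article: it builds a DNS query with the RD (recursion desired) bit clear and classifies a resolver's reply as cached, not cached, or refused. The reply packets are constructed inline (192.0.2.10 is a documentation-range placeholder), so nothing is sent on the network; a resolver operator can run the same classification against their own server to confirm that it refuses such queries from untrusted clients.

```python
import struct

# DNS constants (RFC 1035)
QTYPE_A = 1
QCLASS_IN = 1
FLAG_QR = 0x8000   # message is a response
FLAG_RD = 0x0100   # recursion desired: deliberately left CLEAR in the snoop query
FLAG_RA = 0x0080   # recursion available
RCODE_REFUSED = 5


def encode_name(name: str) -> bytes:
    """Wire-encode a hostname as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_snoop_query(name: str, txid: int = 0x1234) -> bytes:
    """A-record query with RD clear, so the resolver may only answer from its cache."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)  # flags 0 => RD not set
    return header + encode_name(name) + struct.pack(">HH", QTYPE_A, QCLASS_IN)


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def classify_response(resp: bytes, txid: int = 0x1234) -> dict:
    """Decide whether the resolver revealed a cached A record for our question."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", resp[:12])
    if rid != txid or not flags & FLAG_QR:
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):            # skip the echoed question section
        _, off = decode_name(resp, off)
        off += 4                        # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = decode_name(resp, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            # a record served from cache carries a TTL that has been counting down
            answers.append((name, ".".join(map(str, rdata)), ttl))
    if rcode == RCODE_REFUSED:
        verdict = "refused"        # resolver does not serve non-recursive queries: nothing leaks
    elif answers:
        verdict = "cached"         # some client behind this resolver looked the name up
    else:
        verdict = "not-cached"     # no answer available without recursion
    return {"verdict": verdict, "rcode": rcode, "answers": answers}


def make_reply(query: bytes, rcode: int = 0, a_record: str = None, ttl: int = 0) -> bytes:
    """Constructed resolver reply for offline use (not captured traffic)."""
    txid = struct.unpack(">H", query[:2])[0]
    ancount = 1 if a_record else 0
    header = struct.pack(">HHHHHH", txid, FLAG_QR | FLAG_RA | rcode, 1, ancount, 0, 0)
    body = query[12:]  # echo the question section
    if a_record:
        body += b"\xc0\x0c"  # compression pointer to the question name at offset 12
        body += struct.pack(">HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
        body += bytes(int(octet) for octet in a_record.split("."))
    return header + body


if __name__ == "__main__":
    q = build_snoop_query("connected.sonymusic.com")
    for label, reply in [("hit", make_reply(q, a_record="192.0.2.10", ttl=271)),
                         ("miss", make_reply(q)),
                         ("refused", make_reply(q, rcode=RCODE_REFUSED))]:
        print(label, classify_response(reply))
```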
Should the average person write software that took control of a computer at the system level without a user's knowledge and distributed that software across the world, there are plenty of laws that would put him behind bars. But what happens when Sony does this, ostensibly to protect its intellectual property?

Jennifer Granick, executive director of Stanford Law School's Center for Internet and Society and Wired News legal columnist, sees this as a question of how well-written Sony's end-user license agreement is, a topic of much conversation in the media lately. But either way, she noted over IM, "If the EULA did not advise the user that s/he was installing software on the machine that would collect information and/or open the machine to vulnerabilities, then the software arguably violates 18 USC 1030(a)(5)(A)." That's a criminal charge.

But Granick doesn't see criminal prosecution of Sony any time soon. "The (Department of Justice) is not going to charge Sony.... They have never charged a big corporation with a computer crime."

In order to invoke 18 USC 1030, you have to show $5,000 in damages or damage to a computer system used by or for a government entity in furtherance of the administration of justice, national defense or national security. That's another interesting point of Kaminsky's work, because it shows networks that are part of national security and civil infrastructure faithfully reporting their existence back to Sony, along with as-yet-unknown information about the compromised computers.

Granick sees this playing out in civil litigation. Cases are already pending in California, New York and Italy.

But with Sony backpedaling on the XCP CDs and Microsoft offering a patch for compromised machines, what more needs to be done? Kaminsky says withdrawing the CDs or offering signatures to anti-spyware programs is simply not enough. "The problem is Sony has done a significant amount of damage, and it's not enough to stop doing damage," he said.
"(This is) something that needs to be remedied. Microsoft's approach only helps those who are very well-patched. Sony needs to figure out ways to get rid of it."

From isn at c4i.org Wed Nov 16 02:18:19 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 16 02:32:56 2005
Subject: [ISN] Thai hackers can escape through legal loopholes
Message-ID:

http://www.bangkokpost.com/Database/16Nov2005_data83.php

DON SAMBANDARAKSA
16 November 2005

Thai law still does not recognise the ``stealing'' of data, allowing cyber criminals to go unpunished when caught, according to Rom Hiranpruk, assistant president of the National Science and Technology Development Agency (NSTDA).

He also noted that it was a misconception that most cybercrime is carried out by someone on the outside attacking an organisation's systems. In fact, two-thirds of security incidents come from internal sources, he said.

Dr Rom was speaking at a press event to announce the 5th Annual Cyber Defence Initiative Conference 2005 (CDIC 2005), which will be held at the Bangkok Convention Centre, Sofitel Central Ladprao on 23-24 November. The event is jointly hosted by Software Park Thailand, the National Intelligence Agency, the Thai Webmaster Association and security specialists ACIS Professional Centre.

Dr Rom used the example of a high-profile case a few years back regarding TrueType fonts, which was only accepted by the courts at all because TrueType fonts have some programming logic in them. This was deemed by the courts as being a computer program -- something which was protected by law.

He also said that Thailand was sorely lacking in a national security infrastructure, most notably a certificate authority (CA) for digital signatures. Without the passage of cyber laws, there is no business case for any commercial CA operators. Without CAs, banks and financial institutions that should now be relying on digital signatures will not be able to expand or interact with confidence.
Mr Somya Patanaworapan from the National Intelligence Agency told the media that information warfare was now a major threat to the stability of the country. Misinformation from organizations such as PULO had to be filtered out to protect the public, he claimed.

``The only way to control them is to keep tabs on their leaders,'' Somya explained, noting that when you close down one web site another derivative will pop up. For instance, the latest variant of PULO is the Pattana-Malayu Human Rights Organization (PMHRO), which tries to conceal damaging separatist talk amid human rights rhetoric.

Somya said that the Internet was only one small channel of disseminating information -- PMHRO regularly distributes video CDs throughout the south to spread its message.

Meanwhile, Police Colonel Yanaphon Youngyuen, director of the Department of Special Investigation's Hi-Tech Crime Bureau, also noted that most crime was in fact internal, and that there were few laws in place to prosecute.

He also explained how real cyber-crime was quite different from the popularised image of the ``hacker geek'' stereotype. A lot of cyber crime dealt in information -- pimping, girlfriend-for-rent and spam spoofing -- or where a competitor sends out commercials in a rival's name so that their email is eventually blacklisted.

Yanaphon spoke of one case where an engineer moved from Orange to DTAC and then to AIS, leaving back doors in the computer systems as he moved. The person then used this to gather insider information for project bidding.

Prinya Hom-Anek, from ACIS, a leading local security consultant and trainer, said that there was a growing need to keep information as forensic evidence due to the passage of the Sarbanes-Oxley Act in the US. Any company dealing with US partners automatically needs to comply.

All four experts will be speaking at the two-day CDIC 2005.
Details: www.acisonline.net/cdic2005

From isn at c4i.org Wed Nov 16 02:17:30 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 16 02:33:37 2005
Subject: [ISN] Brunei News Website Hacked
Message-ID:

http://www.brudirect.com/DailyInfo/News/Archive/Nov05/161105/nite02.htm

By M K Anwar
November 16, 2005

Bandar Seri Begawan - One of Brunei Darussalam's private and popular news web sites, brudirect.com, went off the Internet for a few hours yesterday as some cyber crooks hacked into the portal and posted an obscene message.

People who tried to access the web site were directed to a web page with messages carrying profanity the hackers had set up. Calling themselves "Noizebox" and a crew of four naming themselves "fishstiqz", "bytemonk", "d10r" and "n00v", these hackers claimed that they could "juggle assembly of different architecture" (security programs).

The site set up by the hackers also contained an encrypted message. A simple program easily decrypted what was a threatening message, which said that an IT company and BruNet were next.

The hackers have certainly sent alarm bells ringing, especially for companies who have their own web sites. According to sources, IT experts at government ministries said they are monitoring their web sites or networks closely should these hackers try to interfere with any of the portals.

The way the message was presented also showed that the hackers had a grudge against another group of hackers that won a hacking competition recently in Singapore. The hackers bragged about their hacking abilities and said they are truly the elite in this field.

Mr Ignatius Stephen, Director of Brudirect, said he lodged a police report on the hacking of the web site. In the report, Mr Ignatius said that he believed the hackers disabled BruNet at about 9 Monday night and hijacked the domain name (brudirect.com) and replaced it with their content.
The brudirect web site was down for around five hours and it took them all morning to track the site and redirect it to their own server. The web site was up and running by 2pm.

Under the Computer Misuse Act 2000, anyone found guilty of unauthorised interception or obstruction of computer services can be fined not more than $10,000 or jailed not more than three years or even both for the first offence. A second or subsequent offence carries a fine of not more than $20,000 or not more than five years in jail or even both. If any damage is done, the guilty party is liable to a fine of not more than $50,000 and a jail term not exceeding seven years or both.

"We hope that the culprits will be caught and punished because BruNet is a government property which has been violated," said Mr Ignatius. He also said that hacking is a serious cyber crime in view of the security aspect involved in protecting the banks or financial institutions, e-government projects and the security forces sites.

Courtesy of Borneo Bulletin

From isn at c4i.org Thu Nov 17 02:25:10 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Nov 17 02:33:28 2005
Subject: [ISN] Experts: Sony Plan Widens Security Hole
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2005/11/15/AR2005111501457.html

By BRIAN BERGSTEIN
The Associated Press
November 15, 2005

BOSTON -- The fallout from a hidden copy-protection program that Sony BMG Music Entertainment put on some CDs is only getting worse. Sony's suggested method for removing the program actually widens the security hole the original software created, researchers say.

Sony apparently has moved to recall the discs in question, but music fans who have listened to them on their computers or tried to remove the dangerous software they deposited could still be vulnerable.
"This is a surprisingly bad design from a security standpoint," said Ed Felten, a Princeton University computer science professor who explored the removal program with a graduate student, J. Alex Halderman. "It endangers users in several ways."

The "XCP" copy-protection program was included on at least 20 CDs, including releases by Van Zant, The Bad Plus, Neil Diamond and Celine Dion. When the discs were put into a PC -- a necessary step for transferring music to iPods and other portable music players -- the CD automatically installed a program that restricted how many times the discs' tracks could be copied, and made it extremely inconvenient to transfer songs into the format used by iPods.

That antipiracy software -- which works only on Windows PCs -- came with a cloaking feature that allowed it to hide files on users' computers. Security researchers classified the program as "spyware," saying it secretly transmits details about what music the PC is playing. Manual attempts to remove the software can disable the PC's CD drive.

The program also gave virus writers an easy tool for hiding their malicious software. Last week, virus-like "Trojan horse" programs emerged that took advantage of the cloaking feature to enter computers undetected, antivirus companies said. Trojans are typically used to steal personal information, launch attacks on other computers and send spam.

Stung by the controversy, Sony BMG and the company that developed the antipiracy software, First 4 Internet Ltd. of Oxfordshire, United Kingdom, released a program that uninstalls XCP.

But the uninstaller has created a new set of problems. To get the uninstall program, users have to request it by filling out online forms. Once submitted, the forms themselves download and install a program designed to ready the PC for the fix. Essentially, it makes the PC open to downloading and installing code from the Internet.
According to the Princeton analysis, the program fails to make the computer confirm that such code should come only from Sony or First 4 Internet.

"The consequences of the flaw are severe," Felten and Halderman wrote in a blog posting Tuesday. "It allows any Web page you visit to download, install, and run any code it likes on your computer. Any Web page can seize control of your computer; then it can do anything it likes. That's about as serious as a security flaw can get."

Sony BMG spokesman John McKay did not return calls seeking comment. First 4 Internet was not making any comment, according to Lynette Riley, the office manager who answered the company's phone Tuesday evening in England.

Mark Russinovich, the security researcher who first discovered the hidden Sony software, is advising users who played one of the CDs on their computer to wait for the companies to release a stand-alone uninstall program that doesn't require filling out the online form. "There's absolutely no excuse for Sony not to make one immediately available," he wrote in an e-mail Tuesday.

Other programs that knock out the original software are also likely to emerge. Microsoft Corp. says the next version of its tool for removing malicious software, which is automatically sent to PCs via Windows Update each month, will yank the cloaking feature in XCP.

Sony BMG said Friday it would halt production of CDs with XCP technology and pledged to "re-examine all aspects of our content protection initiative." On Monday night, USA Today's Web site reported that Sony BMG would recall the CDs in question.

© 2005 The Associated Press

From isn at c4i.org Thu Nov 17 02:25:24 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Nov 17 02:34:13 2005
Subject: [ISN] Iowa State IT Students To Try Their Luck Against Hackers
Message-ID:

http://informationweek.com/story/showArticle.jhtml?articleID=173603268

By Tony Kontzer
InformationWeek
Nov. 16, 2005

Iowa State University will be victimized by hackers this weekend, and school officials are just fine with that. That's because the hackers will be applying their demonic talents to help educate a new generation of network security professionals during the Big 12 School's 2005 Cyber Defense Competition.

The contest, one of a handful of such events across the country, will pit 11 teams of four to six Iowa State students against each other in a battle to see who's best at fending off a variety of network intrusions. The idea is to simulate the conditions young networking geeks will encounter as future IT professionals. "Hopefully, the network teams keep the network up and running, and stay one step ahead of the hackers, just like in the real world," says Nate Evans, a senior computer science and German major who's student director of the competition.

The security matchup is different from other similar events in a number of ways. Students will focus on protecting business information rather than the warfare intelligence that students guard during competitions at the military academies. And whereas participants in competitions at the University of Texas at Austin are asked to secure an already assembled network a day earlier, Iowa State's students were given all the hardware they need weeks in advance, and they set up their own network with security in mind. Additionally, the whole competition unfolds in Iowa State's Internet Scale Event and Attack Generation Environment, a state-of-the-art security testing facility funded by the U.S. Department of Justice to the tune of $500,000, with another $700,000 on the way. (A team from the University of Illinois at Urbana-Champaign is planning to visit Iowa State to get a glimpse of the facility and to learn more about ISU's event.)
The competition works like this: The student teams set up their networks to support a range of business-related tasks, such as checking E-mail or browsing the Web, and a neutral team of students act as users, using a dedicated workstation to perform those computing tasks. Then, the team of hackers--about a dozen volunteers from the IT security community, most of whom represent private companies that are members of the FBI's local InfraGard chapter--start launching the attacks they've been working on independently for weeks. "They're given a connection to the network, and we tell them 'do your worst,'" says Evans. The winning team--on which each member is given a $100 gift certificate for the school book store--is determined by a team of judges based on the team's effectiveness in fending off the stream of attacks over an 18-hour period starting Friday night.

The competition could soon become part of a more coordinated national program. The Iowa State event was born from a National Science Foundation workshop two years ago at which attendees from academia and private industry discussed plans for a national competition that would function like a March Madness for students interested in IT security. That ambitious goal is still a ways off, but Iowa State is taking steps in that direction. It plans to open the competition to students from other schools in its region beginning with an event next spring. Plus, the school wants to expand its reach with tentative plans to host a competition that would pit teams of industry, government, and academic IT pros against each other.

From isn at c4i.org Thu Nov 17 02:25:36 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Nov 17 02:35:02 2005
Subject: [ISN] DOD to hold security stand-down
Message-ID:

http://www.fcw.com/article91462-11-16-05-Web

By Frank Tiboni
Nov. 16, 2005

The Defense Department will hold a "security stand-down" Nov. 29 to focus on information assurance and network security.
Military and civilian employees at the major commands, services and agencies will focus on better protecting DOD data and systems. One step will involve changing passwords, said Air Force Lt. Gen. Charlie Croom, director of the Defense Information Systems Agency and commander of the Joint Task Force for Global Network Operations (JTF-GNO). He spoke Nov. 16 during a luncheon sponsored by the Washington, D.C., chapter of AFCEA International.

Croom said DOD will stand down on security the same way the services do when one of their aircraft crashes or experiences problems. He said the department will focus on enterprise security.

Strategic Command (Stratcom), the major command that oversees the operation and protection of the military's networks, issued the security stand-down order the week of Nov. 7. DOD employees will conduct certain activities to strengthen and become more aware of network security, said Tim Madden, a spokesman for JTF-GNO. He declined to elaborate.

Croom said DOD networks are being intruded on. "The enemy is among us," he said. He added that some DOD officials are concerned about the amount of hardware and software manufactured overseas and whether they might incorporate malicious code. He said one way to fight the problem is to require companies to assure DOD that their products are safe and for the military to monitor them closely.

Croom said Marine Corps Gen. James Cartwright, Stratcom's commander, told him to start directing actions on the networks. Croom said he has begun taking a proactive role to strengthen network security instead of collecting information about and getting status reports on DOD's data systems.

The security stand-down comes three months after Federal Computer Week reported that China has been hacking into U.S. military networks and obtaining military secrets, including future command and control information. DOD officials are now considering new policy and acquisition initiatives to improve information assurance.
From isn at c4i.org Thu Nov 17 02:25:48 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Nov 17 02:35:55 2005
Subject: [ISN] Provo patching security after hackers sack site
Message-ID:

http://www.harktheherald.com/modules.php?op=modload&name=News&file=article&sid=68932

Rashae Ophus Johnson
DAILY HERALD
November 16, 2005

It posed more of a nuisance than a security hazard when someone hacked into Provo's city Web site Saturday, but it prompted renewed vigilance in patching vulnerabilities elsewhere on the city network.

"We didn't feel like we were much of a target -- why would anyone want to hack into the Provo city Web site?" said Robert Ridge, director of information systems. "Now that it's happened, I guess it's a higher priority than we thought."

The city's Web server is not connected to any computers with access to private information such as personnel files, Ridge said.

Technology staff traced the breach to an old version of the Samba software program that never was removed from that computer after the city quit using it. When the vendor released notification of a vulnerability and offered a "patch," city technology staff didn't know Samba still lingered on the one server and thus overlooked the warning.

Hackers write programs that crawl the Internet, searching for systems with newly publicized vulnerabilities, and one such person -- apparently a subscriber of a high-speed cable provider in Canada -- infiltrated Provo's site Saturday morning.

"This is a constant cat-and-mouse game," Ridge said. "It's always a race to whether they find the vulnerability and exploit it first, or we patch it first."

The hacker replaced Provo's Web pages with different pages and posted a sarcastic message of something like, "So sorry, you've been hacked." City technology staff spent a few hours reverting the pages back to the originals, and www.provo.org was operating properly again by 4 p.m. Saturday.

"It was purely a nuisance. They got no information or other gain.
They didn't leave their name so they didn't even get any notoriety," Ridge said. "All they did is deny the people of Provo and the people of the world access to our Web site."

Ridge said Provo city's servers don't store much private information beyond some personnel records, but his staff still is scouring the servers for other possible breaches.

"This has been kind of a wake-up call, and now we think we know of other things we can do to strengthen our security," Ridge said. With no resulting damage, "I guess in a way they did us a favor in making us be more vigilant."

From isn at c4i.org Thu Nov 17 02:26:00 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Nov 17 02:36:51 2005
Subject: [ISN] Wireless woes exaggerated, says study
Message-ID:

http://www.techworld.com/security/news/index.cfm?NewsID=4801

By John E. Dunn
Techworld
16 November 2005

The number of wireless security vulnerabilities in the real world is vanishingly small, research from Qualys has suggested.

That was the finding of the latest annual Laws of Vulnerabilities report written by Qualys CTO Gerhard Eschelbeck. Despite worries about wireless security, only one in 20,000 of the vulnerabilities uncovered by scans of the company's customer base related to wireless systems. The figure can be considered significant because it was drawn from analysis of 32 million live network scans and 21 million uncovered instances of vulnerabilities.

The research also showed (PDF) [1] that external network patching "half-life" has improved from last year's figure of 21 days to this year's 19 days. The half-life is defined as the time it takes companies to patch at least 50 percent of their systems, thus reducing exposure to security threats. Internal network patching has also come down from 62 days to 48 days during the same period. In total, 90 percent of such exposure is caused by only 10 percent of the critical holes.
On a less positive note, the time it takes for exploits to appear for vulnerabilities is also shrinking. Fully 80 percent of the most dangerous holes are exploited within the current half-life period. The overwhelming majority of automated attacks do their damage in the first 15 days.

"2005 has been the year of improvements for patching and updating vulnerable systems. This is heavily driven by the fact that vendors like Microsoft and others are now issuing regular advisories with patch updates, which ends up speeding the prioritisation and remediation efforts within organizations," said Eschelbeck.

As with last year, Microsoft dominates the top ten critical vulnerabilities, both for internal and external networks. Not surprisingly given the company's desktop dominance, the report detects a marked move towards security holes affecting clients rather than servers, with the former accounting for 60 percent of new vulnerabilities uncovered.

[1] http://www.qualys.com/docs/laws_of_vulnerabilities.pdf

From isn at c4i.org Thu Nov 17 02:23:50 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Nov 17 02:37:52 2005
Subject: [ISN] Employee gadgets pose security risk to companies
Message-ID:

http://news.zdnet.com/2100-1009_22-5954642.html

By Joris Evers
CNET News.com
Published on ZDNet News
November 15, 2005

WASHINGTON -- The many gadgets carried around by workers today pose a real security risk to organizations and require action, session attendees at a security conference agreed Tuesday.

Smart phones, handheld computers, thumb drives, digital cameras, iPods and other MP3 players can all connect to computers. That's fine when used at home, but when connected to a work PC, the devices can pose a serious risk, said Norm Laudermilch, chief security officer at Trust Digital, a McLean, Va., mobile security vendor.

Connecting the gadgets to work PCs could lead to a number of unwanted scenarios, Laudermilch said.
For example, malicious code that crept onto the device at home could enter the corporate network unseen by the firewall or intrusion detection software, he said. Also, a disgruntled employee could copy confidential information to the device and walk out with it. Classified information on a mobile device could be a business risk even when used by loyal workers, when their gadget is lost or stolen, for example. Laudermilch spoke at the annual Computer Security Institute conference here. When he asked the room filled with security professionals if they thought mobile devices were an issue, the vast majority raised their hands. The advent of mobile devices has changed the way security professionals should think about securing their networks, Laudermilch said. That's because networks change all the time, with different types of devices being added and removed, he said. "Things change very quickly when devices are so small and just walk onto your network," Laudermilch said. "Your network perimeter is where your data is. I don't care if it is somebody walking in Paris, or somebody sitting at home. The security perimeter has drastically changed." He also highlighted challenges in securing the portable gear. For one, they all run different operating systems. "We have all been training about the right things and wrong things to do with the Windows operating system," Laudermilch said. For smart phones alone there are at least four common systems: Palm, Windows, BlackBerry and Symbian. Also complicating security is that new devices come out constantly, with different features. When it comes to phones, operators install their own software image on the hardware, Laudermilch said. An upcoming class of software can help organizations manage devices on their network, or block the gadgets from connecting altogether. Many of the applications also encrypt data on devices, for security in case of loss or theft. Trust Digital sells such products, as do a host of other companies. 
Gartner says mobile data security is a tiny market, but such products are needed to protect user privacy and fulfill audits, according to the analysts. Small incumbent vendors dominate the space, Gartner said in a July report.

"Mobile security today is a buzzword. Tomorrow, six months or a year from now, it is going to be just security. Everything is going mobile," Laudermilch said.

From isn at c4i.org Thu Nov 17 02:24:45 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Nov 17 02:43:15 2005
Subject: [ISN] REVIEW: "Cyber Spying", Ted Fair/Michael Nordfelt/Sandra Ring
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKCBRSPY.RVW 20050614

"Cyber Spying", Ted Fair/Michael Nordfelt/Sandra Ring, 2005, 1-931836-41-8, U$39.95/C$57.95
%A Ted Fair
%A Michael Nordfelt
%A Sandra Ring
%C 800 Hingham Street, Rockland, MA 02370
%D 2005
%G 1-931836-41-8
%I Syngress Media, Inc.
%O U$39.95/C$57.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O http://www.amazon.com/exec/obidos/ASIN/1931836418/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/1931836418/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/1931836418/robsladesin03-20
%O Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 439 p.
%T "Cyber Spying"

Chapter one seems to be a search for grounds to justify spying on your family. The reasons seem to boil down to a) everybody likes to snoop, b) you should spy on your spouse (because everybody likes sex), and c) it's always OK to spy on your kids (you're just looking out for them, after all). (Somehow it is easy to believe that the authors all met at the CIA.) We are supposed to learn about the basics of spying, in chapter two, but instead get vague advice on planning, plus hypothetical stories. A kind of terse review of the parts of computers is in chapter three: chapter four provides slightly more usable information about network operations.
Chapter five starts out with an extremely simplistic set of instructions for navigating around your computer (if I am going to get spied on, maybe I *do* want it to be these guys), moves into a list of recommended utilities, and also discusses some issues that don't seem to fit the level of the other material at all. (If you don't know how to run Windows Explorer, how are you going to know the difference between an Ethernet hub and an Ethernet switch?) Areas to obtain data from a computer are listed in chapter six. Oddly, there is much "low hanging fruit" that is not mentioned, while a number of the items suggested can be defeated quite easily. Web browsing, in chapter seven, repeats a great deal of material from five and six. Email, in chapter eight, also reiterates a lot of earlier content. Instant messaging and clients are discussed in chapter nine. Chapter ten reviews other spying techniques and more advanced computer technologies. Some elementary means to make spying more difficult are mentioned in chapter twelve. Once again, the lack of a stated audience makes it very difficult to assess whether this book does its job. It certainly isn't for professionals: neither security nor law enforcement people will get much out of this work. For people who want to spy on their spouses or significant others, well, I have no sympathy if they waste their money that way. If parents are planning to spy on children, I would suggest that there are other, better, means of protecting your kids online, and if you really need to know the content that is provided in this text, then your kids are probably going to be able to get around you anyway. For the tin-foil hat crowd, you may be comforted to find that CIA staff can't do any better than this. (On the other hand, maybe it's a conspiracy to make us all *think* that the CIA is that dumb ...) copyright Robert M. 
Slade, 2005 BKCBRSPY.RVW 20050614

======================
(quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu
Science is organized knowledge. Wisdom is organized life. - Immanuel Kant
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

From isn at c4i.org Fri Nov 18 02:16:00 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Nov 18 02:26:33 2005
Subject: [ISN] Operators of Web site admit role in online identity theft ring
Message-ID:

http://www.newsday.com/news/local/wire/newjersey/ny-bc-nj--identitytheft1117nov17,0,5398320.story?coll=ny-region-apnewjersey

November 17, 2005

NEWARK, N.J. (AP) - Six more people pleaded guilty Thursday to operating a Web site that investigators claimed was one of the largest online centers for trafficking in stolen identity information and credit cards. With others who pleaded guilty in recent weeks, that brings to 12 the number of people who have acknowledged roles with the site, www.shadowcrew.com, which had about 4,000 members who dealt with at least 1.5 million stolen credit card numbers and caused more than $4 million in losses, federal prosecutors said.

"The losses incurred were to the issuing banks and MasterCard, Visa, American Express, who reimbursed those who were victimized by these crimes," Assistant U.S. Attorney Kevin O'Dowd said.

Eight of those who pleaded guilty were among 19 in the United States and abroad who were indicted in October 2004 after federal agents gained control of the site during a yearlong undercover investigation by the Secret Service and other agencies. Of the remaining 11, five are fugitives and six still have charges pending. The other four who pleaded guilty were among eight people charged by a federal complaint. Among those pleading guilty Thursday was Andrew Mantovani, 23, of Scottsdale, Ariz., who prosecutors said acknowledged his role as co-founder and administrator of the Shadowcrew site.
He said techniques such as "phishing" and spamming were used to illegally obtain credit and bank card information, which he used to buy goods on the Internet. Phishing scams use e-mails that appear to come from banks or other financial institutions to induce recipients to verify their accounts by typing personal details - credit card information, for example - into a Web site disguised to appear legitimate. Mantovani also admitted that in September 2004 he illegally acquired about 18 million e-mail accounts with associated user names, passwords, dates of birth and other personal identification. Mantovani pleaded guilty to a conspiracy count and a count of unlawful transfer of identification to facilitate criminal conduct. Each carries up to five years in prison. The others pleaded guilty to a conspiracy count. U.S. District Judge William J. Martini scheduled sentencings for February and March. The Shadowcrew site once boasted discussion groups, in English and Russian, including one on "novelty identification, 2nd ID, Passports, and the like." Another focused on "hacking, SPAM, online anonymity tools and programs in general." -=- On the Net: U.S. Attorney's Office: http://www.usdoj.gov/usao/nj/publicaffairs/NJ_Press/break.html From isn at c4i.org Fri Nov 18 02:16:16 2005 From: isn at c4i.org (InfoSec News) Date: Fri Nov 18 02:26:57 2005 Subject: [ISN] Real Story of the Rogue Rootkit Message-ID: http://www.wired.com/news/privacy/0,1848,69601,00.html By Bruce Schneier Nov. 17, 2005 It's a David and Goliath story of the tech blogs defeating a mega-corporation. On Oct. 31, Mark Russinovich broke the story in his blog: Sony BMG Music Entertainment distributed a copy-protection scheme with music CDs that secretly installed a rootkit on computers. This software tool is run without your knowledge or consent -- if it's loaded on your computer with a CD, a hacker can gain and maintain access to your system and you wouldn't know it. 
The Sony code modifies Windows so you can't tell it's there, a process called "cloaking" in the hacker world. It acts as spyware, surreptitiously sending information about you to Sony. And it can't be removed; trying to get rid of it damages Windows. This story was picked up by other blogs (including mine), followed by the computer press. Finally, the mainstream media took it up. The outcry was so great that on Nov. 11, Sony announced it was temporarily halting production of that copy-protection scheme. That still wasn't enough -- on Nov. 14 the company announced it was pulling copy-protected CDs from store shelves and offered to replace customers' infected CDs for free. But that's not the real story here. It's a tale of extreme hubris. Sony rolled out this incredibly invasive copy-protection scheme without ever publicly discussing its details, confident that its profits were worth modifying its customers' computers. When its actions were first discovered, Sony offered a "fix" that didn't remove the rootkit, just the cloaking. Sony claimed the rootkit didn't phone home when it did. On Nov. 4, Thomas Hesse, Sony BMG's president of global digital business, demonstrated the company's disdain for its customers when he said, "Most people don't even know what a rootkit is, so why should they care about it?" in an NPR interview. Even Sony's apology only admits that its rootkit "includes a feature that may make a user's computer susceptible to a virus written specifically to target the software." However, imperious corporate behavior is not the real story either. This drama is also about incompetence. Sony's latest rootkit-removal tool actually leaves a gaping vulnerability. And Sony's rootkit -- designed to stop copyright infringement -- itself may have infringed on copyright. As amazing as it might seem, the code seems to include an open-source MP3 encoder in violation of that library's license agreement. But even that is not the real story. 
It's an epic of class-action lawsuits in California and elsewhere, and the focus of criminal investigations. The rootkit has even been found on computers run by the Department of Defense, to the Department of Homeland Security's displeasure. While Sony could be prosecuted under U.S. cybercrime law, no one thinks it will be. And lawsuits are never the whole story. This saga is full of weird twists. Some pointed out how this sort of software would degrade the reliability of Windows. Someone created malicious code that used the rootkit to hide itself. A hacker used the rootkit to avoid the spyware of a popular game. And there were even calls for a worldwide Sony boycott. After all, if you can't trust Sony not to infect your computer when you buy its music CDs, can you trust it to sell you an uninfected computer in the first place? That's a good question, but -- again -- not the real story. It's yet another situation where Macintosh users can watch, amused (well, mostly) from the sidelines, wondering why anyone still uses Microsoft Windows. But certainly, even that is not the real story. The story to pay attention to here is the collusion between big media companies who try to control what we do on our computers and computer-security companies who are supposed to be protecting us. Initial estimates are that more than half a million computers worldwide are infected with this Sony rootkit. Those are amazing infection numbers, making this one of the most serious internet epidemics of all time -- on a par with worms like Blaster, Slammer, Code Red and Nimda. What do you think of your antivirus company, the one that didn't notice Sony's rootkit as it infected half a million computers? And this isn't one of those lightning-fast internet worms; this one has been spreading since mid-2004. Because it spread through infected CDs, not through internet connections, they didn't notice? 
This is exactly the kind of thing we're paying those companies to detect -- especially because the rootkit was phoning home. But much worse than not detecting it before Russinovich's discovery was the deafening silence that followed. When a new piece of malware is found, security companies fall over themselves to clean our computers and inoculate our networks. Not in this case. McAfee didn't add detection code until Nov. 9, and as of Nov. 15 it doesn't remove the rootkit, only the cloaking device. The company admits on its web page that this is a lousy compromise. "McAfee detects, removes and prevents reinstallation of XCP." That's the cloaking code. "Please note that removal will not impair the copyright-protection mechanisms installed from the CD. There have been reports of system crashes possibly resulting from uninstalling XCP." Thanks for the warning. Symantec's response to the rootkit has, to put it kindly, evolved. At first the company didn't consider XCP malware at all. It wasn't until Nov. 11 that Symantec posted a tool to remove the cloaking. As of Nov. 15, it is still wishy-washy about it, explaining that "this rootkit was designed to hide a legitimate application, but it can be used to hide other objects, including malicious software." The only thing that makes this rootkit legitimate is that a multinational corporation put it on your computer, not a criminal organization. You might expect Microsoft to be the first company to condemn this rootkit. After all, XCP corrupts Windows' internals in a pretty nasty way. It's the sort of behavior that could easily lead to system crashes -- crashes that customers would blame on Microsoft. But it wasn't until Nov. 13, when public pressure was just too great to ignore, that Microsoft announced it would update its security tools to detect and remove the cloaking portion of the rootkit. Perhaps the only security company that deserves praise is F-Secure, the first and the loudest critic of Sony's actions. 
And Sysinternals, of course, which hosts Russinovich's blog and brought this to light. Bad security happens. It always has and it always will. And companies do stupid things; always have and always will. But the reason we buy security products from Symantec, McAfee and others is to protect us from bad security. I truly believed that even in the biggest and most-corporate security company there are people with hackerish instincts, people who will do the right thing and blow the whistle. That all the big security companies, with over a year's lead time, would fail to notice or do anything about this Sony rootkit demonstrates incompetence at best, and lousy ethics at worst. Microsoft I can understand. The company is a fan of invasive copy protection -- it's being built into the next version of Windows. Microsoft is trying to work with media companies like Sony, hoping Windows becomes the media-distribution channel of choice. And Microsoft is known for watching out for its business interests at the expense of those of its customers. What happens when the creators of malware collude with the very companies we hire to protect us from that malware? We users lose, that's what happens. A dangerous and damaging rootkit gets introduced into the wild, and half a million computers get infected before anyone does anything. Who are the security companies really working for? It's unlikely that this Sony rootkit is the only example of a media company using this technology. Which security company has engineers looking for the others who might be doing it? And what will they do if they find one? What will they do the next time some multinational company decides that owning your computers is a good idea? These questions are the real story, and we all deserve answers. -=- Bruce Schneier is the CTO of Counterpane Internet Security and the author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World. You can contact him through his website. 
From isn at c4i.org Fri Nov 18 02:16:28 2005 From: isn at c4i.org (InfoSec News) Date: Fri Nov 18 02:27:23 2005 Subject: [ISN] DOD to automate deployment of security patches Message-ID: http://www.gcn.com/vol1_no1/daily-updates/37584-1.html By Dawn S. Onley GCN Staff 11/17/05 The Defense Department recently made it mandatory for computer users to deploy automated security tools across the department to better protect networks from viruses. The Communication Tasking Order, a policy directive released Nov. 3 by the commander of the Strategic Command, orders Defense agencies to "immediately initiate" the machine-to-machine patches to automatically repair vulnerabilities as soon as software patches become available. The order sets a phased timeline for compliance and allows for operational necessities, according to Timothy Madden, spokesman for the Joint Task Force for Global Network Operations. JTF-GNO is charged with operating and defending the Global Information Grid - the Defense Department's classified and unclassified network. The new directive requires that all patches be installed immediately using commercial and government tools currently available, with an eye toward standardization in the future. "There are various tools available now, both in the commercial sector and in the government, that are capable of providing such remediation," Madden said. "The JTF-GNO is directing the use of such tools across the GIG, and that such tools must be standardized by a certain time." Air Force Lt. Gen. Charles Croom, director of the Defense Information Systems Agency, said automated patch rollout would boost the network security posture across DOD. Croom called the current process manual-intensive. "When there's a vulnerability identified in a particular piece of software, they [software companies] push those patches to us and we push those patches to the services and require implementation," Croom said. 
"Obviously, the trick is how fast can you get them and how fast can you implement them? And so, I think you see us focusing on the techniques, tactics and procedures to do that better." Croom, who also serves as commander of JTF-GNO, said the new policy would make the implementation of patches an instant process. "We don't do the patches instantly. But we get viruses instantly, so even days are too long to implement patches, and for us it takes days and weeks," Croom said. "The vision for the future is you get the person out of the loop and you get machine-to-machine ability so you have the patches automatically distributed and loaded on whatever piece of equipment needs to be patched." From isn at c4i.org Fri Nov 18 02:16:41 2005 From: isn at c4i.org (InfoSec News) Date: Fri Nov 18 02:27:51 2005 Subject: [ISN] Prosecutors' office approves arrest of computer hacker Message-ID: http://www.shanghaidaily.com/art/2005/11/18/214955/Prosecutors__039__office_approves_arrest_of_computer_hacker.htm Xu Fang 2005-11-18 THE Pudong New Area Prosecutors' Office yesterday ratified the arrest of Liu Kefan, a computer hacker with a master's degree, charging him with threatening a company to pay for his unsolicited services. Liu allegedly made use of his computer knowledge to intrude into the computer system of a Shanghai-based software company many times. He demanded 1.5 million yuan (US$185,185) in consultation fees and threatened to disclose security holes in the company's software products, prosecutors said. Liu, a 31-year-old Sichuan Province native, was a technology manager at a Shenzhen technology firm before he was caught. With his master's degree and good skills, he was quite reputable among young practitioners in the software industry. When Liu showed his company's product to a client in December 2004, the client said it wasn't as good as its competitor's. The client gave him the Website account and password for comparison. 
Liu allegedly used the password to access other systems and overcame all technical barriers. Excited and surprised, Liu intruded into the company's interior system and tracked its commerce for more than six months, prosecutors said.

"At first, I didn't think of anything," Liu allegedly said. But as he studied the system further, Liu thought of helping the company fix security flaws with its software. He decided 1.5 million yuan was an appropriate fee. "Software security is the most important. The company's fame and my intellectual property are both worth the price," he allegedly said.

Threatening e-mail

On September 20, Liu sent an e-mail to the company's general manager, Wan Dong, asking for cooperation. "All the information in your system can be seen. Your company is just like a car loaded with powder. It's time to unload the powder and make repairs to the main parts of the car," Liu allegedly wrote in the e-mail.

Wan didn't take it seriously at first, though he realized Liu was a professional. After being ignored, Liu threatened to reveal the security flaws to the company's competitors and users. He also changed the password for some of the firm's clients on September 29, according to prosecutors. The clients called the company to find out what happened. Wan suspected it was Liu. Worried about the firm's reputation, Wan agreed to discuss terms with Liu. Liu was caught by police while waiting to negotiate with Wan.

According to the Criminal Law, those who threaten others into buying either commodities or services face a maximum sentence of three years.

From isn at c4i.org Fri Nov 18 02:14:26 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Nov 18 02:28:17 2005
Subject: [ISN] Can you afford to lose your data?
Message-ID:

http://www.theglobeandmail.com/servlet/story/RTGAM.20051117.wsrcyberinsur17/BNStory/Business/

By GRANT BUCKLER
November 17, 2005
Thursday's Globe and Mail

A fire in your company's data centre destroys computers and data critical to your business.
Your property insurance probably covers the wrecked equipment and the value of the data it contained. But if the same data is lost due to a computer virus or a hacker attack -- or if a customer sues you because private data was accidentally made public -- chances are you are not covered. Though more and more of the information on which businesses depend is kept in electronic form, and the risks to that data are numerous and well publicized, the insurance industry has paid relatively little attention so far to protecting customers against losses due to computer viruses, hackers, programming errors and catastrophic system failures. "The industry has pretty much languished over how to deal with the whole idea of property loss over data," says Michael McQuaid, vice-president of corporate risk at insurance broker Insurers Financial Group in Richmond Hill, Ont. You can purchase special insurance designed to protect your business against data loss and related risks. But getting the best deal on such insurance -- or getting it at all -- requires that you understand the value of your data and the risks you face and that you take proper precautions to guard against system break-ins, viruses and data falling into the wrong hands. Standard commercial property insurance usually covers data loss that results from loss or damage to physical property covered by the policy. So if a computer room is destroyed in a fire or flood, the equipment and the data it contains is covered -- but not otherwise. "You must have physical loss to tangible property," Mr. McQuaid says. Most property insurance policies today make this explicit by excluding data unless it is lost due to a "named peril," like a fire or flood. One way around this is to persuade your insurer to "endorse" your policy to remove the data exclusion. But Mr. McQuaid says relatively few insurers are willing to add such endorsements to property policies today. 
You can, however, purchase standalone insurance against data loss or misuse. American International Group Inc. of New York offers Information Asset Coverage that will pay the cost of restoring lost data from backups or, if that can't be done, the cost of reconstructing the data, however possible. It also covers the cost of lost business due to loss of data. Designed for companies with $10-million or more in annual revenues, policies are available with coverage limits from $1-million to $25-million (U.S.) per incident, up to a maximum of $25-million (U.S.) for the life of the policy, says Nick Economidis, vice-president and product manager for technology at AIG. Chubb Insurance Co. of Canada in Toronto launched a product in April that protects against viruses, theft of proprietary information and unauthorized access to data. Depending on the amount of coverage purchased, policies will pay claims of up to $1-million for incidents caused by factors inside the insured company and up to $10,000 per occurrence to a $50,000-per-year maximum for incidents caused by outside factors. The more restricted payouts for incidents caused by outside factors are because such incidents -- like virus attacks -- could lead to claims from many policy holders at the same time, says Andrew Steen, vice-president of technology insurance specialty at Chubb Canada. Rosaleen Citron, chief executive at WhiteHat Inc., a Burlington, Ont., computer security management company, says too few companies think about insuring their data. Many take the attitude that, if attacked, they will simply absorb the cost, she says, but that is a risky strategy. "If I were a big company, I would certainly be looking at cyber-insurance." However, it's not as simple as just buying a policy. The first issue is: What insurance do you need? And that depends on the value of the data and the risk. Putting a value on data is tricky, Mr. 
McQuaid says, but it ultimately comes down to what it would cost your business if the data were lost. Would the loss be a day's sales? A six-month delay in launching a new product? Half your customers switching to the competition? Would the business even survive if certain data were lost? And how would you recreate the data? Having assessed the risks as best you can, the next step is to do everything possible to guard against them. Aside from the fact that insurance money can't really compensate for loss of critical business data, you may not even get insurance if you haven't taken reasonable security precautions, and you will probably pay less if your security practices are sound. The exact requirements vary from one organization to another, but the basics include an accepted standard of network security, clearly stated and regularly updated security policies, prompt installation of critical software updates and encryption of sensitive data. You may also need to look at contracts with other companies, Mr. McQuaid suggests -- those that have access to your data as part of services they provide to you, for instance. Are those partners taking adequate precautions? And who is responsible if your data is lost or improperly disclosed due to an error on their part? In evaluating an applicant's security protection, insurers often look at an International Standards Organization standard called ISO 17799. "That basically is a framework which defines best practices for network security," says Narender Mangalam, director of network security and underwriting at AIG. ISO 17799 does not tell you exactly what to do, notes Tom Slodichak, chief security officer at WhiteHat. It outlines a number of areas, such as physical security, access controls and encryption. Calling it "a very high standard," Mr. Mangalam says AIG treats ISO 17799 as a guideline, not a list of must-have items. 
The quality of a company's security protection determines not just whether it's eligible for insurance but what coverage it can get at what cost. Mr. Economidis says AIG's underwriters use a rating system to determine what premiums a client pays. Mr. Steen says Chubb offers a minimum level of coverage to all customers, but "more coverage would be available and at a more cost-effective price" for those with better security in place. Charles Salameh, president of Bell Security Solutions Inc., a unit of Bell Canada that provides security consulting services to businesses, says a company that does computer security well can save 3 to 5 per cent on insurance premiums. "It's no different than driving for six years without getting into an accident," Mr. Salameh says. BSSI, which assesses potential insurance clients' computer-security risks for Itasca, Ill.-based insurance firm Arthur J. Gallagher & Co., also provides consulting services to help companies seeking insurance against data loss and network intrusions get better deals. Options for insuring data are limited but increasing. "I do believe the market will step up to this," Mr. McQuaid says. Either standard property policies will include more coverage for data loss, he predicts, or a wider range of specialized policies will become available. 
From isn at c4i.org Fri Nov 18 02:15:28 2005 From: isn at c4i.org (InfoSec News) Date: Fri Nov 18 02:28:45 2005 Subject: [ISN] Secunia Weekly Summary - Issue: 2005-46 Message-ID: ======================================================================== The Secunia Weekly Advisory Summary 2005-11-10 - 2005-11-17 This week : 69 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3...............................This Weeks Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written. Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued. As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet. Secunia Online Vulnerability Database: http://secunia.com/ ======================================================================== 2) This Week in Brief: A vulnerability has been reported in First4Internet XCP's uninstallation ActiveX control, which potentially can be exploited by malicious people to compromise a user's system. 
The vulnerability is caused by the "CodeSupport.ocx" ActiveX control, which is installed via Internet Explorer when the user uninstalls the XCP DRM software by visiting the vendor's website. The ActiveX control is marked safe-for-scripting and supports several potentially dangerous methods like "RebootMachine", "InstallUpdate", and "IsAdministrator". This may be exploited to install arbitrary code on the user's system.

Additional information may be found in the referenced Secunia advisories below.

Reference:
http://secunia.com/SA17610
http://secunia.com/SA17408

--

A vulnerability has been reported in Lynx, which can be exploited by malicious people to compromise a user's system.

The vendor has released a new version, which addresses this issue.

Reference:
http://secunia.com/SA17372

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================

3) This Week's Top Ten Most Read Advisories:

1. [SA17430] Macromedia Flash Player SWF File Handling Arbitrary Code Execution
2. [SA17498] Microsoft Windows WMF/EMF File Rendering Arbitrary Code Execution
3. [SA17553] Cisco ISAKMP IKE Message Processing Denial of Service
4. [SA17514] RealPlayer/RealOne/HelixPlayer "rm" and "rjs" File Handling Buffer Overflow
5. [SA17503] VERITAS NetBackup "vmd" Shared Library Buffer Overflow Vulnerability
6. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
7. [SA17509] Nortel CallPilot Multiple Vulnerabilities
8. [SA13893] AWStats "configdir" Parameter Arbitrary Command Execution
9. [SA15852] XML-RPC for PHP PHP Code Execution Vulnerability
10. [SA17428] Apple QuickTime Multiple Vulnerabilities

========================================================================

4) Vulnerabilities Summary Listing

Windows:
[SA17610] Sony CD First4Internet XCP Uninstallation ActiveX Control Vulnerability
[SA17583] Freeftpd USER Command Buffer Overflow Vulnerability
[SA17611] Macromedia Breeze Communication Server/Live Server Denial of Service
[SA17582] AudienceView "TSerrorMessage" Cross-Site Scripting Vulnerability
[SA17565] Internet Explorer Image Control Status Bar Spoofing Weakness

UNIX/Linux:
[SA17576] Fedora update for lynx
[SA17559] SUSE Updates for Multiple Packages
[SA17556] Red Hat update for lynx
[SA17549] Gentoo scorched3d Multiple Vulnerabilities
[SA17546] Mandriva update for lynx
[SA17592] Fedora update for gdk-pixbuf
[SA17591] Fedora update for gtk2
[SA17588] Red Hat update for gtk2
[SA17586] Debian update for linux-ftpd-ssl
[SA17584] Debian update for phpsysinfo
[SA17581] Openswan ISAKMP IKE Message Processing Denial of Service
[SA17562] Ubuntu update for gtk2-engines-pixbuf / libgdk-pixbuf2
[SA17554] Sun Solaris in.iked ISAKMP IKE Message Processing Denial of Service
[SA17551] Debian update for abiword
[SA17544] Pnmtopng "alphas_of_color" Buffer Overflow Vulnerability
[SA17540] Gentoo update for sylpheed
[SA17538] Red Hat update for gdk-pixbuf
[SA17531] Red Hat update for php
[SA17529] Gentoo update for linux-ftpd-ssl
[SA17589] UnixWare update for openssl
[SA17587] LiteSpeed Web Server WebAdmin Cross-Site Scripting Vulnerability
[SA17563] PEAR Installer Arbitrary Code Execution Vulnerability
[SA17558] Debian update for acidlab
[SA17552] ACID Cross-Site Scripting and SQL Injection Vulnerabilities
[SA17572] Debian update for uim
[SA17545] HP-UX xterm Unspecified Unauthorized Access Vulnerability
[SA17539] Fedora update for sysreport
[SA17535] Red Hat update for lm_sensors
[SA17534] Sudo Perl Environment Cleaning Privilege Escalation Vulnerability
[SA17532] Red Hat update for cpio
[SA17530] MigrationTools Insecure Temporary File Usage Vulnerability
[SA17528] Campsite MySQL Password Exposure Mail Transfer Security Issue
[SA17541] Fedora update for kernel

Other:
[SA17608] Nortel Switched Firewall ISAKMP IKE Message Processing Denial of Service
[SA17568] Juniper JUNOS/JUNOSe ISAKMP IKE Message Processing Denial of Service
[SA17553] Cisco ISAKMP IKE Message Processing Denial of Service
[SA17601] Belkin Wireless G Router Web Management Authentication Bypass
[SA17550] Cisco ASA Failover Denial of Service Weakness

Cross Platform:
[SA17605] AlstraSoft Affiliate Network Pro Multiple Vulnerabilities
[SA17603] AlstraSoft Template Seller Pro File Inclusion and SQL Injection
[SA17574] PollVote "pollname" File Inclusion Vulnerability
[SA17567] Secgo Crypto IP Gateway/Client ISAKMP IKE Message Processing Vulnerability
[SA17561] iCMS "page" File Inclusion Vulnerability
[SA17542] CodeGrrl Products "siteurl" File Inclusion Vulnerability
[SA17612] Macromedia Flash Communication Server MX Denial of Service
[SA17596] OnContent // CMS "pid" SQL Injection Vulnerability
[SA17590] phpwcms Disclosure of Sensitive Information and Cross-Site Scripting
[SA17580] Help Center Live "file" Local File Inclusion Vulnerability
[SA17579] phpPgAds Multiple Vulnerabilities
[SA17577] MyBulletinBoard Multiple Vulnerabilities
[SA17575] Xoops WF-Downloads Module "list" SQL Injection Vulnerability
[SA17573] Xoops "xoopsConfig[language]" Local File Inclusion Vulnerability
[SA17569] Ekinboard Topic Title Script Insertion Vulnerability
[SA17566] StoneGate Firewall and VPN ISAKMP IKE Message Processing Denial of Service
[SA17548] Wizz Forum Multiple SQL Injection Vulnerabilities
[SA17543] PHP-Nuke "query" SQL Injection Vulnerability
[SA17536] Peel "rubid" SQL Injection Vulnerability
[SA17533] Pearl Forums SQL Injection and Local File Inclusion Vulnerabilities
[SA17578] phpMyAdmin HTTP Response Splitting Vulnerability
[SA17560] PHP GEN Cross-Site Scripting Vulnerabilities
[SA17547] Walla TeleSite Cross-Site Scripting Vulnerability
[SA17537] Dev-Editor Virtual Root Directory Restriction Bypass
[SA17613] Macromedia Contribute Publishing Server Weak Password Encryption
[SA17571] Opera Image Control Status Bar Spoofing Weakness

========================================================================

5) Vulnerabilities Content Listing

Windows:
--
[SA17610] Sony CD First4Internet XCP Uninstallation ActiveX Control Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-11-16

A vulnerability has been reported in First4Internet XCP's uninstallation ActiveX control, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17610/

--
[SA17583] Freeftpd USER Command Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-11-17

barabas mutsonline has discovered a vulnerability in freeftpd, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/17583/

--
[SA17611] Macromedia Breeze Communication Server/Live Server Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-11-16

A vulnerability has been reported in Breeze Communication Server and Breeze Live Server, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17611/

--
[SA17582] AudienceView "TSerrorMessage" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-11-16

syst3m_f4ult has reported a vulnerability in AudienceView, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/17582/

--
[SA17565] Internet Explorer Image Control Status Bar Spoofing Weakness
Critical: Not critical
Where: From remote
Impact: Security Bypass
Released: 2005-11-16

Claudio "Sverx" has discovered a weakness in Internet Explorer, which can be exploited by malicious people to trick users into visiting a malicious website by obfuscating URLs displayed in the status bar.

Full Advisory: http://secunia.com/advisories/17565/

UNIX/Linux:
--
[SA17576] Fedora update for lynx
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-11-15

Fedora has issued an update for lynx. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17576/

--
[SA17559] SUSE Updates for Multiple Packages
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-11-14

SUSE has issued updates for multiple packages. These fix various vulnerabilities, which can be exploited by malicious people to disclose system information, cause a DoS (Denial of Service) and potentially to compromise a vulnerable or a user's system.

Full Advisory: http://secunia.com/advisories/17559/

--
[SA17556] Red Hat update for lynx
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-11-14

Red Hat has issued an update for lynx. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17556/

--
[SA17549] Gentoo scorched3d Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-11-15

Gentoo has acknowledged some vulnerabilities in scorched3d, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/17549/

--
[SA17546] Mandriva update for lynx
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-11-14

Mandriva has issued an update for lynx. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17546/

--
[SA17592] Fedora update for gdk-pixbuf
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-11-16

Fedora has issued an update for gdk-pixbuf. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17592/

--
[SA17591] Fedora update for gtk2
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-11-16

Fedora has issued an update for gtk2. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17591/

--
[SA17588] Red Hat update for gtk2
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-11-15

Red Hat has issued an update for gtk2. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17588/

--
[SA17586] Debian update for linux-ftpd-ssl
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-11-15

Debian has issued an update for linux-ftpd-ssl. This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/17586/

--
[SA17584] Debian update for phpsysinfo
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of system information, Exposure of sensitive information
Released: 2005-11-15

Debian has issued an update for phpsysinfo. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks and manipulate certain information.

Full Advisory: http://secunia.com/advisories/17584/

--
[SA17581] Openswan ISAKMP IKE Message Processing Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-11-15

Two vulnerabilities have been reported in openswan-2, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17581/

--
[SA17562] Ubuntu update for gtk2-engines-pixbuf / libgdk-pixbuf2
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-11-16

Ubuntu has issued an update for gtk2-engines-pixbuf / libgdk-pixbuf2. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17562/

--
[SA17554] Sun Solaris in.iked ISAKMP IKE Message Processing Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-11-15

Sun has acknowledged a vulnerability in Solaris, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17554/

--
[SA17551] Debian update for abiword
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-11-15

Debian has issued an update for abiword. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17551/

--
[SA17544] Pnmtopng "alphas_of_color" Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-11-15

A vulnerability has been reported in pnmtopng, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/17544/

--
[SA17540] Gentoo update for sylpheed
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-11-15

Gentoo has issued an update for sylpheed. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17540/

--
[SA17538] Red Hat update for gdk-pixbuf
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-11-15

Red Hat has issued an update for gdk-pixbuf. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17538/

--
[SA17531] Red Hat update for php
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting
Released: 2005-11-11

Red Hat has issued an update for php. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks and bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/17531/

--
[SA17529] Gentoo update for linux-ftpd-ssl
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-11-14

Gentoo has issued an update for ftpd. This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/17529/

--
[SA17589] UnixWare update for openssl
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2005-11-16

SCO has issued an update for openssl. This fixes a vulnerability, which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/17589/

--
[SA17587] LiteSpeed Web Server WebAdmin Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-11-17

Ziv Kamir has discovered a vulnerability in LiteSpeed Web Server, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/17587/

--
[SA17563] PEAR Installer Arbitrary Code Execution Vulnerability
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2005-11-16

A vulnerability has been reported in PEAR, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/17563/

--
[SA17558] Debian update for acidlab
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-11-15

Debian has issued an update for acidlab. This fixes some vulnerabilities, which can be exploited by malicious users to conduct SQL injection attacks and by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/17558/

--
[SA17552] ACID Cross-Site Scripting and SQL Injection Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-11-15

Some vulnerabilities have been reported in ACID, which can be exploited by malicious users to conduct SQL injection attacks and by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/17552/

--
[SA17572] Debian update for uim
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-11-15

Debian has issued an update for uim. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/17572/

--
[SA17545] HP-UX xterm Unspecified Unauthorized Access Vulnerability
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2005-11-15

A vulnerability has been reported in HP-UX, which can be exploited by malicious, local users to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/17545/

--
[SA17539] Fedora update for sysreport
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-11-11

Fedora has issued an update for sysreport. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/17539/

--
[SA17535] Red Hat update for lm_sensors
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-11-11

Red Hat has issued an update for lm_sensors. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/17535/

--
[SA17534] Sudo Perl Environment Cleaning Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-11-11

A vulnerability has been reported in Sudo, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/17534/

--
[SA17532] Red Hat update for cpio
Critical: Less critical
Where: Local system
Impact: Manipulation of data, Exposure of sensitive information
Released: 2005-11-11

Red Hat has issued an update for cpio. This fixes a vulnerability, which can be exploited by malicious, local users to disclose and manipulate information.

Full Advisory: http://secunia.com/advisories/17532/

--
[SA17530] MigrationTools Insecure Temporary File Usage Vulnerability
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2005-11-15

Jason Hoover has discovered a vulnerability in MigrationTools, which can be exploited by malicious, local users to disclose potentially sensitive information or to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/17530/

--
[SA17528] Campsite MySQL Password Exposure Mail Transfer Security Issue
Critical: Not critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-11-11

john has reported a security issue in Campsite, which can be exploited by malicious people to disclose sensitive information.

Full Advisory: http://secunia.com/advisories/17528/

--
[SA17541] Fedora update for kernel
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2005-11-11

Fedora has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17541/

Other:
--
[SA17608] Nortel Switched Firewall ISAKMP IKE Message Processing Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-11-16

A vulnerability has been reported in Nortel Switched Firewall, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17608/

--
[SA17568] Juniper JUNOS/JUNOSe ISAKMP IKE Message Processing Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-11-14

A vulnerability has been reported in JUNOS and JUNOSe, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17568/

--
[SA17553] Cisco ISAKMP IKE Message Processing Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-11-14

A vulnerability has been reported in various Cisco products, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17553/

--
[SA17601] Belkin Wireless G Router Web Management Authentication Bypass
Critical: Less critical
Where: From local network
Impact: Security Bypass
Released: 2005-11-16

Andrei Mikhailovsky has reported a vulnerability in Belkin Wireless G Router, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/17601/

--
[SA17550] Cisco ASA Failover Denial of Service Weakness
Critical: Not critical
Where: From local network
Impact: DoS
Released: 2005-11-15

Amin Tora has reported a weakness in Cisco ASA (Adaptive Security Appliances), which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17550/

Cross Platform:
--
[SA17605] AlstraSoft Affiliate Network Pro Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of system information, System access
Released: 2005-11-16

Robin Verton has reported some vulnerabilities in AlstraSoft Affiliate Network Pro, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, and compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/17605/

--
[SA17603] AlstraSoft Template Seller Pro File Inclusion and SQL Injection
Critical: Highly critical
Where: From remote
Impact: Manipulation of data, System access
Released: 2005-11-16

Robin Verton has reported two vulnerabilities in AlstraSoft Template Seller Pro, which can be exploited by malicious people to conduct SQL injection attacks and compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/17603/

--
[SA17574] PollVote "pollname" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-11-15

rUnViRuS has reported a vulnerability in PollVote, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/17574/

--
[SA17567] Secgo Crypto IP Gateway/Client ISAKMP IKE Message Processing Vulnerability
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-11-14

Secgo has acknowledged a vulnerability in Secgo Crypto IP Gateway/Client, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/17567/

--
[SA17561] iCMS "page" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-11-14

r0t has reported a vulnerability in iCMS, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/17561/

--
[SA17542] CodeGrrl Products "siteurl" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-11-14

Robin Verton has discovered a vulnerability in various CodeGrrl products, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/17542/

--
[SA17612] Macromedia Flash Communication Server MX Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-11-16

A vulnerability has been reported in Macromedia Flash Communication Server MX, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17612/

--
[SA17596] OnContent // CMS "pid" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-16

r0t has reported a vulnerability in OnContent // CMS, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17596/

--
[SA17590] phpwcms Disclosure of Sensitive Information and Cross-Site Scripting
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Exposure of sensitive information
Released: 2005-11-16

Stefan Lochbihler has reported some vulnerabilities in phpwcms, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose sensitive information.

Full Advisory: http://secunia.com/advisories/17590/

--
[SA17580] Help Center Live "file" Local File Inclusion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-11-16

HACKERS PAL has discovered a vulnerability in Help Center Live, which can be exploited by malicious people to disclose sensitive information.

Full Advisory: http://secunia.com/advisories/17580/

--
[SA17579] phpPgAds Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of system information
Released: 2005-11-15

Some vulnerabilities and a weakness have been reported in phpPgAds, which can be exploited by malicious people to disclose system information, and conduct HTTP response splitting and SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17579/

--
[SA17577] MyBulletinBoard Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, DoS
Released: 2005-11-15

syini666 has reported some vulnerabilities in MyBulletinBoard, which can be exploited by malicious people to cause a DoS (Denial of Service), manipulate certain information, and conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/17577/

--
[SA17575] Xoops WF-Downloads Module "list" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-15

rgod has reported a vulnerability in the WF-Downloads module for Xoops, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17575/

--
[SA17573] Xoops "xoopsConfig[language]" Local File Inclusion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-11-15

rgod has discovered a vulnerability in Xoops, which can be exploited by malicious people to disclose sensitive information.

Full Advisory: http://secunia.com/advisories/17573/

--
[SA17569] Ekinboard Topic Title Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-11-15

trueend5 has discovered a vulnerability in Ekinboard, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/17569/

--
[SA17566] StoneGate Firewall and VPN ISAKMP IKE Message Processing Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-11-14

StoneSoft has acknowledged a vulnerability in StoneGate Firewall and VPN, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17566/

--
[SA17548] Wizz Forum Multiple SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-15

HACKERS PAL has discovered some vulnerabilities in Wizz Forum, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17548/

--
[SA17543] PHP-Nuke "query" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-16

sp3x has discovered a vulnerability in PHP-Nuke, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17543/

--
[SA17536] Peel "rubid" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-14

r0t has reported a vulnerability in Peel, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17536/

--
[SA17533] Pearl Forums SQL Injection and Local File Inclusion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information
Released: 2005-11-15

Abducter has discovered some vulnerabilities in Pearl Forums, which can be exploited by malicious people to conduct SQL injection attacks and disclose sensitive information.

Full Advisory: http://secunia.com/advisories/17533/

--
[SA17578] phpMyAdmin HTTP Response Splitting Vulnerability
Critical: Less critical
Where: From remote
Impact: Exposure of system information, Cross Site Scripting
Released: 2005-11-16

Toni Koivunen has reported a vulnerability in phpMyAdmin, which can be exploited by malicious people to conduct HTTP response splitting attacks.

Full Advisory: http://secunia.com/advisories/17578/

--
[SA17560] PHP GEN Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-11-16

Some vulnerabilities have been reported in PHP GEN, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/17560/

--
[SA17547] Walla TeleSite Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-11-16

Rafi Nahum and Pokerface have reported a vulnerability in Walla TeleSite, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/17547/

--
[SA17537] Dev-Editor Virtual Root Directory Restriction Bypass
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2005-11-11

A security issue has been discovered in Dev-Editor, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/17537/

--
[SA17613] Macromedia Contribute Publishing Server Weak Password Encryption
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2005-11-16

A security issue has been reported in Macromedia Contribute Publishing Server, which potentially can be exploited by malicious, local users to disclose certain sensitive information.

Full Advisory: http://secunia.com/advisories/17613/

--
[SA17571] Opera Image Control Status Bar Spoofing Weakness
Critical: Not critical
Where: From remote
Impact: Security Bypass
Released: 2005-11-16

Claudio "Sverx" has discovered a weakness in Opera, which can be exploited by malicious people to trick users into visiting a malicious website by obfuscating URLs displayed in the status bar.

Full Advisory: http://secunia.com/advisories/17571/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Fri Nov 18 02:15:47 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Nov 18 02:30:06 2005
Subject: [ISN] Exploit code puts Windows XP and 2000 at risk
Message-ID:

http://news.com.com/Exploit+code+puts+Windows+XP+and+2000+at+risk/2100-1002_3-5958846.html

By Dawn Kawamoto
Staff Writer, CNET News.com
November 17, 2005

Exploit code has been published that could take advantage of flaws in Windows XP SP1 and Windows 2000 SP4, according to a warning issued Thursday by Microsoft.

Although the exploit code could be used to launch a denial-of-service attack on machines running XP SP1 and Windows 2000 with all service pack versions, the threat is only moderately severe, said Stephen Manzuik, a product manager at security research company eEye Digital Security.

"On a scale of 10, it would be about a 4 or 5 on severity," said Manzuik. "All it will do is crash some machines and not crash others."
The exploit code could allow an attacker to launch a remote denial-of-service attack on Windows 2000 machines using all service pack versions, but would require user authentication on Windows XP SP1 computers, Manzuik said.

The exploit poses only a moderate risk because it requires a user to log on for Windows XP, and in the case of Windows 2000, the attacker would have to get remote access to the Remote Procedure Call (RPC) port. That port is often behind a firewall, making it difficult to reach remotely, Manzuik noted.

Microsoft has yet to develop a security patch for this vulnerability, but it recommended that users enable their firewalls and download security updates, according to its security advisory.

The exploit code was published by Winny Thomas of Nevis Labs in India, who reverse-engineered a patch Microsoft issued in October, according to a posting on FrSIRT's Web site. The patch, MS05-047, dealt with a plug-and-play feature in the Windows software.

"While working on an exploit for MS05-047, I came across a condition where a specially crafted request to upnp-getdevicelist would cause services.exe to consume memory to a point where the target machine's virtual memory gets exhausted. This exploit is not similar to the MS05-047 exploit I published earlier," Thomas noted in his posting.

The October patch did not lead to the vulnerability in Windows, a Microsoft representative said, adding that Microsoft encourages people to "apply the MS05-047 update and all recent security updates released by Microsoft."

Microsoft, however, reiterated its concerns over security researchers who publish details on how to exploit vulnerabilities before the software vendor has had time to create a patch.

"Microsoft is concerned that this new report of a vulnerability in Windows 2000 SP4 and Windows XP SP1 was not disclosed responsibly, potentially putting computer users at risk," the company said. "We continue to encourage responsible disclosure of vulnerabilities."
Some security researchers, however, note that Microsoft has been known to take at least 200 days or more to issue a security patch, once the company has been notified of a problem. From isn at c4i.org Mon Nov 21 01:43:01 2005 From: isn at c4i.org (InfoSec News) Date: Mon Nov 21 01:49:38 2005 Subject: [ISN] Feds: Hacker hurt flood-relief efforts Message-ID: http://www.philly.com/mld/dailynews/news/local/13198711.htm By JIM SMITH smithjm @ phillynews.com Nov. 18, 2005 Federal authorities contend that a computer hacker disrupted his former employer's relief work after the Indian Ocean tsunamis that killed thousands. The alleged hacker, Nicholas Giovanni, who had worked as a "Webmaster" for International SOS Assistance Inc., a private firm headquartered in Trevose, Bucks County, yesterday was charged with "computer intrusion" by a federal grand jury in Philadelphia. Giovanni, a former New Jersey resident, "chose to launch an attack [on his former employer's computer] during one of the worst natural disasters in the history of civilization," said U.S. Attorney Patrick L. Meehan, announcing the new criminal case. "Because of his actions, people who were reaching out for help via the Internet couldn't get it," the area's top federal lawman added. Meehan said the company "is set up so people" in a disaster zone "can access vital medical-assistance information online. "You had people in the midst of an unimaginable catastrophe desperately seeking online information and not being able to get it because the system was down," added Meehan. Giovanni had worked for the victimized firm as a "senior developer and Webmaster" for about five years, until Nov. 9, 2004. He lost his job just weeks before the deadly wave struck. Before his termination, he allegedly created a "Trojan Horse" in the company's computer system. This enabled him to secretly access the system before and after his dismissal, when he moved to California, according to the grand jury indictment. 
Before the tsunami struck, Giovanni "altered the main SOS Web site, adding a 'skull and crossbones' graphic to the upper left corner of the page," the indictment charged. The day the tsunami struck, drowning victims from Somalia to Thailand, he allegedly "completely disabled access to the vital functions of the SOS Web site," the grand jury noted. The company got its Web site up and running quickly, but had to spend more than $100,000 to unravel the hacker's handiwork, according to the indictment. Giovanni, 37, of Dublin, Calif., and his San Francisco lawyer, Ed Swanson, could not be reached for comment yesterday. From isn at c4i.org Mon Nov 21 01:41:58 2005 From: isn at c4i.org (InfoSec News) Date: Mon Nov 21 01:50:08 2005 Subject: [ISN] Internet security an issue for Vietnam Message-ID: http://english.vietnamnet.vn/tech/2005/11/513109/ Viet Nam News 18/11/2005 Global victims of hackers and computer viruses spent over US$100bil in 2004 to recover the financial losses caused by these modern forms of pestilence, according to a computer security expert. Furthermore, a new computer virus appears every seven seconds, according to Nguyen The Dong, director of Athena Computer Emergency Response Centre (CERC). He said that 97% of Vietnamese offices and organisations were vulnerable to attacks. "In Vietnam, there is a lack of security awareness among top management at enterprises, and computer hacking remains the biggest danger," said Dong at the "White Hat Hacker Convention," which was held on Tuesday in HCM City to increase local awareness about potential network security disturbances. The convention was jointly held by the Sai Gon Computer Times, Athena CERC and the Information and Communication Technologies Partnership Club. 
One difficulty facing enterprises is differentiating "white hat" hackers, who help IT managers find and repair their networks' faults, from "black hat" hackers, who use their computers to engage in illegal activities and cause headaches for private individuals, companies and organisations.

"There is a fine line between the two kinds of hackers. We would like to ask hackers to keep in mind the harmful effects their games can have on the community," Dong said.

Athena CERC carried out a survey on network and information security among 415 enterprises in HCM City, Binh Duong and Dong Nai provinces. Of the participants, 28% were foreign-invested enterprises, 54% were privately run and 18% were State-owned.

"Ninety-seven per cent of respondents said their networks had received junk email, 91% had been infected by viruses and 97% felt their networks were vulnerable to hackers," Dong said.

He went on to say that all the enterprises surveyed had their own IT managers with a basic awareness of how to protect their information and prevent attacks. "However, most of the companies do not possess concrete or long-term plans to protect their networks and are not prepared with professional solutions in the event their networks are assaulted," he said. "In addition, top management at most domestic enterprises have yet to realise the gravity of the situation and so haven't paid enough attention to or truly invested in information protection."

Network security expert Pham Trong Diem from Nam Truong Son, an electronic security firm, said that in 2001, only 0.3% of emails around the world were infected with a virus, but three years later, the figure had reached 30%.

"Furthermore," he said, "the frequency of hacker attacks has been increasing. There were 1,334 attacks in 1994, a number which soared to 137,529 recorded hacks in 2003. That number will continue to rise."

At present, there are around 700 unofficial programmes used by hackers to break into Web sites and network systems.
"Businesses tend to use a defensive rather than an offensive approach, which does not work," Diem said. "If IT managers wait until a virus has already penetrated their network, it's far too late." According to Dong, there is no one perfect security solution. It is a long process, involving a detailed overview and investment. "Anti-virus and anti-spyware programmes should be continuously updated. IT managers have to keep themselves up-to-date on the latest viruses and hacker activities," Diem advised. From isn at c4i.org Mon Nov 21 01:42:22 2005 From: isn at c4i.org (InfoSec News) Date: Mon Nov 21 01:50:35 2005 Subject: [ISN] Senate committee passes spyware bill Message-ID: http://www.infoworld.com/article/05/11/18/HNsenatespyware_1.html By Grant Gross IDG News Service November 18, 2005 WASHINGTON - A U.S. Senate committee has approved a bill that would outlaw the practice of remotely installing software that collects a computer users' personal information without consent. In addition to prohibiting spyware, the Spyblock (Software Principles Yielding Better Levels of Consumer Knowledge) Act would also outlaw the installation of adware programs without a computer user's permission. The Senate Commerce, Science and Transportation Committee approved the bill Thursday. Spyblock, sponsored by Senator Conrad Burns, a Montana Republican, would prohibit hackers from remotely taking over a computer and prohibit programs that hijack Web browsers. The bill would protect antispyware software vendors from being sued by companies whose software they block. "I am pleased that a majority of the committee agrees with me that Congress must act to protect the right of consumers to know when potentially dangerous Spyware is being downloaded onto their computers," Burns said in a statement. 
"As the Spyblock Act moves forward to the Senate floor, I hope we can continue making it a stronger bill by making sure the private sector has all the right tools it needs to successfully slow the spread of malicious spyware." The Spyblock Act now moves to the full Senate for consideration. The U.S. House of Representatives passed two antispyware bills in October 2004 and again in May, but the Senate has so far failed to act on spyware legislation. The Spyblock Act would allow the U.S. Federal Trade Commission and state attorneys general to seek civil penalties against spyware and adware distributors. From isn at c4i.org Mon Nov 21 01:42:36 2005 From: isn at c4i.org (InfoSec News) Date: Mon Nov 21 01:51:03 2005 Subject: [ISN] Another View: Telework and continuity plans go hand in hand Message-ID: http://www.gcn.com/24_33/opinion/37567-1.html By Thomas Blitz Special to GCN 11/21/05 Nothing focuses attention like a disaster. Whether natural or man-made, calamitous events this year have underscored the necessity of being prepared. Hurricane Katrina demonstrated the need for continuity of vital government services and what can happen if services are interrupted. Continuity of operations relies more than ever on enabling government employees and contractors to work from any location - whether that means remote work centers, office space provided by another agency, a contractor's site, or a hotel room or home. The critical ingredient for continuity-of-operations planning (COOP) is a telecommunications system and data network that enables secure, remote use of the same IT resources that would be accessed from the main office. Teleworking from any offsite location brings immediate and well-documented benefits to an organization. But the value of telework extends beyond simply giving employees work-life benefits or reducing operating costs. It also enables continuous vital government services during a state of social emergency. Public Law 106-346, Sec. 
359, passed in 2000, directed all executive branch agencies to establish a telework policy. The Federal Emergency Management Agency (FEMA)'s Federal Preparedness Circular 65 for COOP includes alternate work facilities and interoperable communications as key elements for operational continuity. FEMA's June 15, 2004, update to FPC-65 requires agencies to "give consideration to other options, such as telecommuting locations, work-at-home, virtual offices, and joint or shared facilities." The director of the Office of Management and Budget reinforced that instruction in a memorandum June 30, 2005. To implement telework, agencies must use approved processes and best practices. This includes providing employees with adequate technology and training employees and managers how to do their work within the telework framework. There are many resources to help implement telework and secure business continuity. A standard source is the Interagency Telework Web site at www.telework.gov, which is jointly operated by the Office of Personnel Management and the General Services Administration. Another is "Exploring Telework as a Business Continuity Strategy: A Guide to Getting Started" from the Telework Advisory Group for WorldatWork (ITAC), available at: www.workingfromanywhere.org Security measures are also essential to enabling telework, especially when it involves remote use of IT applications and sensitive or confidential information. Disruption of IT-based services or improper use of information in the system from cyberattacks, or accidental loss or theft of a notebook or portable storage device, remain real concerns. Telework security is an extension of security for all federal information systems covered under the Federal Information Security Management Act of 2002. Here again, there are many resources available. 
FISMA directs the National Institute of Standards and Technology to handle the technical details of cybersecurity (www.nist.gov). NIST publications categorize security standards (such as FIPS-199), provide guidelines (SP 800-60), and describe security controls (SP 800-53, whose controls the forthcoming FIPS-200 will make mandatory). SP 800-53 is useful for specifying and purchasing security technologies and for its description of dozens of security controls for identification and authentication, access control, audit and accountability, and system and communications protection.

Telework security involves both electronic and physical security. Encryption paired with strong authentication, for example, serves both: it protects information as it moves electronically to and from remote teleworkers, and it protects the information stored on the notebooks and portable devices used to carry or process that information off-site.

By implementing telework now, federal agencies can get immediate business benefits and establish practical means to ensure continuity of operations during an emergency.

Thomas Blitz is president of Pointsec Mobile Technologies Inc., USA of Mokena, Ill.

From isn at c4i.org Mon Nov 21 01:42:48 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 21 01:51:37 2005
Subject: [ISN] Fewer computers infected with virus
Message-ID:

http://news.xinhuanet.com/english/2005-11/18/content_3801253.htm

2005-11-18

TIANJIN, Nov. 18 (Xinhuanet) -- About 80 percent of China's computers were infected with a virus in 2005, 8 percent lower than last year. This is the first drop in the PC virus infection rate in China in the past five years, sources with the Eighth International Conference of the Association of Anti Virus Asia Researchers (AVAR) said here Friday.

According to the latest survey conducted by the Ministry of Public Security, China's companies, institutions and government offices have had more access to information technology this year.
They all strengthened their information network security work and were rewarded with a drop in the virus infection rate, said Zhang Jian, deputy director of the National Computer Virus Emergency Response Center.

The survey also said that China has not been hit by a serious virus so far this year. Broken down by type, worms account for a clearly larger share of infections than any other kind, at 74 percent.

Zhang said that China still lacks network security professionals. He urged governments at all levels to provide more training opportunities for the workers and specialists involved and to increase investment in the development of anti-virus technologies and software.

From isn at c4i.org Mon Nov 21 01:43:30 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 21 01:52:13 2005
Subject: [ISN] Linux Advisory Watch - November 18th 2005
Message-ID:

+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| November 18th, 2005 Volume 6, Number 47a |
+---------------------------------------------------------------------+

Editors: Dave Wreski Benjamin D. Thomas
dave@linuxsecurity.com ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for awstats, kdelibs, acidlab, AbiWord, uim, ftpd-ssl, phpsysinfo, phpgroupware, lynx, rar, sylpheed, gtk, egroupware, cpio, lm_sensors, and gdk-pixbuf. The distributors include Debian, Gentoo, Mandriva, and Red Hat.

----

Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/linsec

----

SELinux Administration, Part II
By: Pax Dickinson

Policy booleans are sections of policy that can be switched on or off, providing a basic level of policy configurability at runtime without requiring the recompilation of the entire security policy. For example, you might be running a webmail application on your server that requires the webserver process to be able to connect to your mail server ports and read mail files out of users' home directories. Rather than adding those permissions to the security policy, where they would reduce security for those not running webmail, a policy developer would create a boolean that the local administrator can enable only if it is required. This helps maintain a high level of security and follows the principle of least privilege.

To view the list of policy booleans in your running policy and their current states, use sestatus -b (or getsebool -a). sestatus also reports your current enforcing mode and the mode configured in /etc/selinux/config, among other information. You can view the current state of a single boolean with getsebool, passing it the name of the boolean. Booleans are set with setsebool, passing it the name of the boolean followed by 1 or 0 to set it active or inactive respectively; without the -P option the change applies only to the running policy and is lost at the next reboot.

Some sample booleans from the EnGarde Secure Linux SELinux policy are httpd_webmail and user_ping. The httpd_webmail boolean is used for the exact situation used as an example above, while the user_ping boolean determines whether or not regular users are able to send ping packets over the network.
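As an added example (not code from the article, from EnGarde Secure Linux or from the SELinux project), the POSIX shell helpers below read getsebool -a style output and apply only the boolean change that is actually needed, which is how an administrator would script the webmail case above rather than blindly toggling booleans. The boolean names httpd_webmail and user_ping come from the article; the states in the embedded sample and the third boolean, httpd_can_network_connect, are assumed for illustration. Because the functions read from stdin they can be dry-run on any host, with or without SELinux.

```shell
#!/bin/sh
# Added example, not from the article or from EnGarde: helpers that inspect
# SELinux policy booleans and emit (or, on request, run) the setsebool command
# needed to reach a desired state. Input is `getsebool -a` format, one boolean
# per line: "name --> on|off".

# Constructed sample of `getsebool -a` output; the states are made up and
# httpd_can_network_connect is an assumed extra entry, not taken from the article.
SAMPLE_BOOLEANS='httpd_webmail --> off
user_ping --> on
httpd_can_network_connect --> off'

# boolean_source: live `getsebool -a` output when the tools are present and
# SELinux is active, otherwise the constructed sample above.
boolean_source() {
    if command -v getsebool >/dev/null 2>&1 && getsebool -a >/dev/null 2>&1; then
        getsebool -a
    else
        printf '%s\n' "$SAMPLE_BOOLEANS"
    fi
}

# bool_state NAME: print on|off for NAME read from stdin; exit 1 if the policy
# has no boolean of that name (a typo must not silently look like "off").
bool_state() {
    awk -v name="$1" '
        $1 == name && $2 == "-->" { print $3; found = 1 }
        END { exit found ? 0 : 1 }'
}

# list_enabled: names of all booleans (from stdin) that are currently on.
list_enabled() {
    awk '$2 == "-->" && $3 == "on" { print $1 }'
}

# ensure_boolean NAME on|off [apply]: compare the desired state with the current
# one (stdin) and print what must change. The setsebool command is executed only
# when the third argument is "apply" (needs root); -P stores the value in the
# persistent policy so it survives a reboot or policy reload.
ensure_boolean() {
    name=$1; want=$2; mode=${3:-dry-run}
    case "$want" in
        on|off) ;;
        *) echo "state must be on or off" >&2; return 2 ;;
    esac
    cur=$(bool_state "$name") || { echo "unknown boolean: $name" >&2; return 2; }
    if [ "$cur" = "$want" ]; then
        echo "$name already $want"
        return 0
    fi
    echo "setsebool -P $name $want"
    if [ "$mode" = apply ]; then
        setsebool -P "$name" "$want"
    fi
}

# Usage: show what is switched on, then dry-run the webmail change from the
# article against the sample. Replace the printf with boolean_source and add
# "apply" as the third argument to make the change on a real host.
boolean_source | list_enabled
printf '%s\n' "$SAMPLE_BOOLEANS" | ensure_boolean httpd_webmail on
```

Keeping the check separate from the change matters on a hardened host: the dry run can be reviewed (or diffed against a baseline) before anything is written with -P, and an unknown boolean name fails loudly instead of being treated as "off".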
Booleans can be as simple as a single allow statement, or can enable or disable large swathes of the policy depending on their purpose.

Our SELinux journey is almost done. Next time, we'll discuss policy development basics and see how we can troubleshoot policy denials and write new SELinux policy or modify existing policy to allow our SELinux system to get its jobs done while maintaining a high level of security. Until then, farewell and remember to stay secure.

Read Entire Article:
http://www.linuxsecurity.com/content/view/120700/49/

----------------------

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.
http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.
http://www.linuxsecurity.com/content/view/119087/49/

---

Review: The Book of Postfix: State-of-the-Art Message Transport

I was very impressed with "The Book of Postfix" by authors Ralf Hildebrandt and Patrick Koetter and feel that it is an incredible Postfix reference. It gives a great overall view of the operation and management of Postfix in an extremely systematic and practical format.
It flows in a logical manner, is easy to follow and the authors did a great job of explaining topics with attention paid to real world applications and how to avoid many of the associated pitfalls. I am happy to have this reference in my collection.
http://www.linuxsecurity.com/content/view/119027/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
| Distribution: Debian | ----------------------------//
+---------------------------------+

* Debian: New awstats packages fix arbitrary command execution
  10th, November, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120778

* Debian: New kdelibs packages fix backup file information leak
  10th, November, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120779

* Debian: New acidlab packages fix SQL injection
  14th, November, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120802

* Debian: New AbiWord packages fix arbitrary code execution
  14th, November, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120807

* Debian: New uim packages fix privilege escalation
  14th, November, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120808

* Debian: New ftpd-ssl packages fix arbitrary code execution
  15th, November, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120809

* Debian: New phpsysinfo packages fix several vulnerabilities
  15th, November, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120810

* Debian: New phpgroupware packages fix several vulnerabilities
  17th, November, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120833

+---------------------------------+
| Distribution: Gentoo | ----------------------------//
+---------------------------------+

* Gentoo: PHP Multiple vulnerabilities
  13th, November, 2005
  PHP suffers from multiple issues, resulting in security functions bypass, local Denial of service, cross-site scripting or PHP variables overwrite.
  http://www.linuxsecurity.com/content/view/120797

* Gentoo: Lynx Arbitrary command execution
  13th, November, 2005
  Lynx is vulnerable to an issue which allows the remote execution of arbitrary commands.
  http://www.linuxsecurity.com/content/view/120798

* Gentoo: RAR Format string and buffer overflow vulnerabilities
  13th, November, 2005
  RAR contains a format string error and a buffer overflow vulnerability that may be used to execute arbitrary code.
  http://www.linuxsecurity.com/content/view/120799

* Gentoo: linux-ftpd-ssl Remote buffer overflow
  13th, November, 2005
  A buffer overflow vulnerability has been found, allowing a remote attacker to execute arbitrary code with escalated privileges on the local system.
  http://www.linuxsecurity.com/content/view/120800

* Gentoo: Scorched 3D Multiple vulnerabilities
  15th, November, 2005
  Multiple vulnerabilities in Scorched 3D allow a remote attacker to deny service or execute arbitrary code on game servers.
  http://www.linuxsecurity.com/content/view/120814

* Gentoo: Sylpheed, Sylpheed-Claws Buffer overflow in LDIF
  15th, November, 2005
  Sylpheed and Sylpheed-Claws contain a buffer overflow vulnerability which may lead to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/120815

* Gentoo: GTK+ 2, GdkPixbuf Multiple XPM decoding vulnerabilities
  16th, November, 2005
  The GdkPixbuf library, that is also included in GTK+ 2, contains vulnerabilities that could lead to a Denial of Service or the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/120827

+---------------------------------+
| Distribution: Mandriva | ----------------------------//
+---------------------------------+

* Mandriva: Updated lynx packages fix critical vulnerability
  12th, November, 2005
  An arbitrary command execution vulnerability was discovered in the lynx "lynxcgi:" URI handler. An attacker could create a web page that redirects to a malicious URL which could then execute arbitrary code as the user running lynx. The updated packages have been patched to address this issue.
  http://www.linuxsecurity.com/content/view/120796

* Mandriva: Updated egroupware packages to address phpldapadmin, phpsysinfo vulnerabilities
  16th, November, 2005
  The updated packages have new versions of these subsystems to correct these issues.
  http://www.linuxsecurity.com/content/view/120829

* Mandriva: Updated php packages fix multiple vulnerabilities
  17th, November, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/120832

* Mandriva: Updated autofs packages fix problem with LDAP
  16th, November, 2005
  A problem with how autofs was linked with the LDAP libraries would cause autofs to segfault on startup. The updated package has been fixed to correct this problem.
  http://www.linuxsecurity.com/content/view/120830

* Mandriva: Updated acpid package fixes various bugs
  16th, November, 2005
  A number of bugs have been fixed in this new acpid package: Correct an error in the initscript, to look for lm_battery.sh rather than battery.sh.
  http://www.linuxsecurity.com/content/view/120831

+---------------------------------+
| Distribution: Red Hat | ----------------------------//
+---------------------------------+

* RedHat: Critical: lynx security update
  11th, November, 2005
  An updated lynx package that corrects a security flaw is now available. This update has been rated as having critical security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120795

* RedHat: Low: cpio security update
  10th, November, 2005
  An updated cpio package that fixes multiple issues is now available. This update has been rated as having low security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120785

* RedHat: Low: lm_sensors security update
  10th, November, 2005
  Updated lm_sensors packages that fix an insecure file issue are now available. This update has been rated as having low security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120786

* RedHat: Moderate: php security update
  10th, November, 2005
  Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120787

* RedHat: Moderate: php security update
  10th, November, 2005
  Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120788

* RedHat: Important: gdk-pixbuf security update
  15th, November, 2005
  Updated gdk-pixbuf packages that fix several security issues are now available. This update has been rated as having important security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120817

* RedHat: Important: gtk2 security update
  15th, November, 2005
  Updated gtk2 packages that fix two security issues are now available. This update has been rated as having important security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120818

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.
LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Wed Nov 23 02:05:05 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 23 02:12:57 2005
Subject: [ISN] Cyber attacks shift to network devices, apps
Message-ID:

http://www.networkworld.com/news/2005/112205-cyber-attackers.html

By Robert McMillan and Cara Garretson
IDG News Service
11/22/05

After years of writing viruses and worms for operating systems and software running on Internet servers, hackers found some new areas to target in 2005, according to a report on security trends published Tuesday.

Over the past year, attackers have switched their focus to network devices and applications, specifically back-up software and even the security software designed to protect computers, according to the 2005 SANS Top 20 list of the most critical Internet security vulnerabilities, says Alan Paller, director of research with the SANS Institute, a training organization for computer security professionals.

"There has been a 90-degree turn in the way attackers are coming after you," Paller says. Most organizations have adopted means to automatically patch vulnerabilities in operating systems, he says, but not in applications. "Those applications don't have automated patching, so we're back to the Stone Age."

And by exploiting flaws in networking gear, hackers are finding their way onto corporate networks. "Other, more sophisticated attackers, looking for new targets, found they could use vulnerabilities in network devices to set up listening posts where they could collect critical information that would get them into the sites they wanted," he added.
This new focus on client applications and networking products has happened because so many server-side and operating system bugs have been fixed, says Gerhard Eschelbeck, CTO and vice president of engineering with Qualys, and a contributor to this year's list. "A lot of the low-hanging fruit has been identified now," he says. "We really reached a tipping point earlier this year, where people started to look aggressively at client-side applications."

Security researchers also started looking at vulnerabilities in networking products, thanks in part to a controversial presentation by security researcher Michael Lynn at this year's Black Hat 2005 conference in Las Vegas. Cisco sued Lynn after he discussed security problems in the Internetwork Operating System (IOS) software that is used by Cisco's routers.

This is the first year that networking products have appeared on the SANS list, with Cisco vulnerabilities taking three of the 20 slots. The list also includes nine common application vulnerabilities, two Unix problems and six Windows issues, all of which "deserve immediate attention from security professionals," according to SANS.

One way to prevent such security flaws is to demand that vendors deliver hardened products to begin with, Paller says. For example, the U.S. Air Force gave Microsoft a large sum of money to develop a secure version of Windows that is now running at two sites. "The Air Force decided it couldn't afford to keep buying broken software from Microsoft," he says. "We think that action is the herald of what will one day... turn the tide, with the government leading by example. It doesn't take much of that to turn vendors into security vendors."

The SANS Top 20 list, published annually since 2000 (see last year's list [1]), is compiled by representatives from a variety of computer security organizations, including the U.S.
Computer Emergency Response Team, the British Government's National Infrastructure Security Co-Ordination Centre and the SANS Internet Storm Center. The list is designed to give security professionals a quick sense of the industry's consensus on which commonly targeted security vulnerabilities require their most immediate attention. It has traditionally focused on Windows and Unix vulnerabilities, as well as problems with some server-side applications. Robert McMillan is a correspondent with the IDG News Service. [1] http://www.networkworld.com/news/2004/101804sans.html From isn at c4i.org Wed Nov 23 02:05:21 2005 From: isn at c4i.org (InfoSec News) Date: Wed Nov 23 02:13:27 2005 Subject: [ISN] System security is job one for new DOD CIO Grimes Message-ID: http://www.gcn.com/24_33/news/37603-1.html By Dawn S. Onley GCN Staff 11/21/05 Just two hours after he was sworn in as the new Defense CIO, John Grimes sat at a table in his Pentagon office, getting used to the constant rings of his BlackBerry. Grimes said he never owned a BlackBerry in his last job as vice president of Raytheon Intelligence and Information Systems in Washington. But as DOD's top IT leader, Grimes might get more traction from his personal digital assistant than his office phone and notebook computer combined. "I show up here and in 30 seconds I have one and it has not stopped," Grimes said, pointing to the new device. "I have had continuous messages." In June, President Bush nominated Grimes to be CIO and assistant secretary of Defense for networks and information integration. The Senate confirmed him on Oct. 28 and he was officially sworn in on Nov. 14. In his first interview as CIO, Grimes said if he had to pick the greatest challenge for Defense networks, it would have to be security. "The information systems have to be secure. Probably of all the things we have right now facing us in the information world, security is key," Grimes said. 
"When someone uses the system, they believe in the integrity of the data and that nobody has unauthorized access to it. That's probably the most critical thing we have facing us because of the continuous threat to networks by those that want to be mischievous."

But Grimes said securing Defense networks is an "expensive proposition" and predicted that there would never come a time when DOD can claim that its networks are threat-free. "There's no way we'll probably ever get 100 percent assurance of a fully protected system," Grimes said. "In fact, we call it the Achilles' heel right now, this information assurance of networks."

He also applauded the work of John Stenbit, former Defense CIO, for pushing, and in some instances conceptualizing, the key net-centric transformational programs across the DOD - including the Global Information Grid-Bandwidth Expansion, Transformational Satellite and Net-Centric Enterprise Services initiatives. Stenbit retired in March 2004 and currently sits on several boards. Linton Wells, deputy CIO, served as acting CIO until Grimes was confirmed. "John Stenbit actually did a great job of codifying the net-centric enablers and those programs are somewhat institutionalized now in what we call power to the edge," Grimes said.

Grimes previously served as deputy assistant secretary for counterintelligence and security countermeasures at Defense, and held the title of deputy assistant secretary for Defense-wide command, control and communications. He also worked for the National Security Council as senior director of the White House Situation Support Staff. The avid golfer is a graduate of the University of Arizona and holds a master's degree from Shippensburg University in Pennsylvania.
From isn at c4i.org Wed Nov 23 02:06:38 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 23 02:14:48 2005
Subject: [ISN] GNU project founder foils UN security
Message-ID:

http://www.theinquirer.net/?article=27834

By Nick Farrell
21 November 2005

FOUNDER of the GNU project, Richard Stallman, got in trouble at the UN World Summit on the information society in Tunis for putting tin foil around his RF ID. Stallman is no fan of RF IDs because they hold personal data as securely as a sieve holds water. He was miffed that RF ID cards were being used despite promises at the last UN conference in 2003 that they wouldn't be. He bought an entire roll of aluminium foil and wore his foil-shielded pass prominently and unwrapped it to go through any of the check-points.

During his keynote speech Stallman gave a moment's talk about the RF ID issue, and passed his roll of aluminium foil around the room for others to use. Soon everyone was shielding their passes and afterwards Stallman was taken aside by UN security who refused to let him leave the room to talk to press, because he was flouting their security measures. Apparently it took a fairly high level shouting before Stallman was allowed to continue with his series of speeches. You can read all about it in an eyewitness blog by Stallman's mate Bruce Perens here [1].

[1] http://perens.sourcelabs.com/

From isn at c4i.org Wed Nov 23 02:05:37 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 23 02:15:28 2005
Subject: [ISN] Sober worm offshoot trades on Paris Hilton, FBI
Message-ID:

http://news.com.com/Sober+worm+offshoot+trades+on+Paris+Hilton%2C+FBI/2100-7349_3-5967601.html

By John Borland
Staff Writer, CNET News.com
November 22, 2005

There is no Easter Bunny, and that's not a real Paris Hilton video in your e-mail box. Nor is the FBI likely to be e-mailing you to ask you questions about visiting illegal Web sites.
A new variant of the Sober worm made the network rounds Tuesday, attempting to entice people into clicking on attachments purporting to be threats from the law enforcement agency or video clips of the hotel heiress and her reality TV co-star Nicole Richie.

Antivirus companies said the worm gained some traction over the weekend and on Monday. It's a minor modification of the "Sober" virus that has flared up several times over the past year. But this latest variant, graded as a medium-level threat, appeared to be trailing off as security providers have responded.

"This one is virulent and will reproduce itself easily but does not have much of a payload," said David Perry, the global director of education at antivirus company Trend Micro. "For the time being, this particular strain is probably done."

Some antivirus companies said the worm was still spreading fast, however. In a blog posting, security company F-Secure said Internet companies have seen "several millions of infected emails" over the course of hours. "The numbers we're now seeing...are just huge," wrote F-Secure Chief Research Officer Mikko Hypponen. "This is the largest email worm outbreak of the year, so far."

One version of the e-mail carrying the worm appears to be a letter from the FBI saying the agency has found evidence that the computer user has been visiting illegal Web sites. It asks the recipient to click on the attachment to answer questions. The FBI released a warning on Tuesday saying it never sends unsolicited e-mails. "The FBI takes this matter seriously and is investigating," the agency said in its statement. "Users are instructed to delete the e-mail without opening it."

Another version of the e-mail used a message purporting to be from the Central Intelligence Agency. A third, a German-language variant, contained a threatening message from a German law enforcement agency. A separate version purports to offer a download manager for "video clips, pictures and more" of Hilton and Richie.
All operate the same way, once the attachment is activated, however. If activated, the worm drops several files onto a computer and searches for e-mail addresses stored in address books or elsewhere in memory and sends copies of itself to those destinations. If it finds Microsoft's anti-spyware and antivirus software running, it turns the protections off.

Several other variants of a different virus, dubbed "Mytob," are also making the rounds. The e-mails carrying them purport to be a message from an e-mail service provider or from support staff providing notification about a changed password or suspended account. Antivirus companies rate the danger of this worm as "low," but as always, advise against clicking on unknown attachments to e-mails.

From isn at c4i.org Wed Nov 23 02:05:50 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 23 02:16:17 2005
Subject: [ISN] Foreign powers are main cyberthreat, U.K. says
Message-ID:

http://news.zdnet.co.uk/0,39020330,39237451,00.htm

Tom Espiner
ZDNet UK
November 22, 2005

Foreign governments are the primary threat to the UK's critical national infrastructure (CNI) because of their hunger for information, according to a government body. The National Infrastructure Security Co-ordination Centre (NISCC), which is in charge of defending the CNI, claimed on Tuesday the most significant electronic threats to the critical national infrastructure are content-based, targeted, Trojan horse email attacks from the Far East. "Foreign states are probing the CNI for information," said Roger Cummings, the director of NISCC.

The CNI is made up of financial institutions; key transport, telecoms and energy networks; and government organisations. NISCC is working with its equivalents in the countries concerned to try to "shut the attacks down", according to Cummings. NISCC cannot name the countries concerned as this may "ruin diplomatic efforts to halt the attacks".
The attackers appear to be aiming to gather commercially or economically valuable information, according to NISCC. "We call it the 'malicious marketplace'," said Cummings. "Exploit writers can make money by selling exploits. Who are the most capable organisations to make use of exploits? Foreign states are the most capable actors - they are currently sitting up at the top of the marketplace," he added.

Cummings went on to dissect the 'malicious marketplace', in which he claimed the most significant element is foreign states, whose target is information. Below them are criminals who are trying to compromise the CNI in order to sell information. Hackers motivated by kudos or money have "a variable capability", but are more serious than terrorists, who currently have a "low capability", and pose the smallest threat, Cummings claimed.

However, there is a risk these groups will increasingly work together. "The risk from criminals [to the CNI] increases when they get into bed with hackers. The capability of terrorists will increase if they employ hackers," said Cummings. "We are concerned that the malicious marketplace will make available exploits that can do us damage," he added. Although foreign states are currently the most capable of launching attacks, NISCC expected criminal capability to "expand and start to bump against foreign states," Cummings said.

Cyberterrorism is a controversial subject within the security industry. Some experts, such as Bruce Schneier, have claimed the threat doesn't exist. Speaking in April, Schneier said that some organisations have been abusing the term in an attempt to fuel their budgets. Cummings said people needed to be aware of the threat from terrorism, but stressed that he didn't want to hype the threat or alarm people. "We are constantly aware that terrorists can attack us in a whole host of ways. There is concern that terrorists can acquire exploits through the 'malicious marketplace'.
We would say there is hype around cyberterrorism, but we need to remain eternally vigilant," Cummings said.

The UK government should be applauded for developing a more proactive approach to this issue, according to the Communications Electronics Security Group (CESG). "The government is being proactive, and this is paying dividends. All information is worth protecting - potentially as it could mean people's lives. Where the squaddies are tomorrow needs to be kept secret; you can't put a price on human life," said Chris Ulliot, head of vulnerability research, CESG.

Cummings and Ulliot were speaking at SANS Institute's launch of its Top 20 Critical Internet Vulnerability Listing at the Department of Trade and Industry in London.

From isn at c4i.org Wed Nov 23 02:06:01 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 23 02:17:00 2005
Subject: [ISN] SANS compiles Top 20 security vulns list
Message-ID:

http://www.theregister.co.uk/2005/11/22/sans_top_20_vuln_list/

By John Leyden
22nd November 2005

Bugs in anti-virus scanners and web-based applications joined flaws in Microsoft and Cisco networking products in a list of the 20 most serious vulnerabilities discovered this year. The list [1] - compiled by the SANS Institute in co-operation with security vendors such as Qualys and government agencies in the UK and US - highlights the 20 most critical vulnerabilities currently facing organisations. Vulnerabilities that are easy to exploit and where a large number of unpatched systems existed were highlighted in the report.

In addition to identifying vulnerabilities in Windows and UNIX systems, this year's Top-20 list also includes cross-platform applications and networking products for the first time. Various flaws in Internet Explorer and Microsoft Windows Services (such as Plug and Play) make the top 20 list. These are joined by anti-virus product glitches and back-up software.
Vulnerabilities to Oracle database and application software products also make the SANS Top 20 list. The flaws are all well-documented. The idea of the Top 20 is to draw people's attention towards particularly serious problems that might have been overlooked.

Starting earlier this year, the SANS Institute moved from an annual to quarterly update of its list, now into its fifth year, to reflect the faster evolution of internet threats. It's still doing the annual round-up though with this year's Top 20 launched in Europe at a high profile event in London on Tuesday featuring speakers from SANS, the DTI and the National Infrastructure Security Coordination Centre (NISCC) [2].

[1] http://www.sans.org/top20
[2] http://www.niscc.gov.uk/

From isn at c4i.org Wed Nov 23 02:06:23 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 23 02:17:46 2005
Subject: [ISN] Group: Comment period for protection plan too short
Message-ID:

http://www.washingtontechnology.com/news/1_1/daily_news/27482-1.html

By Alice Lipowicz
Staff Writer
11/21/05

The Homeland Security Department is not giving enough time for the public and for industry members to comment on its draft National Infrastructure Protection Plan, according to OMB Watch, a Washington-based government watchdog group.

The department released the 175-page document [1] Nov. 2. It offers a comprehensive plan for involving private-sector owners and operators of infrastructure in 17 distinct sectors, such as water, power, food and transportation, in the nation's homeland security. DHS allowed 15 days for requesting a copy and 30 days for public comment, until Dec. 5. However, that may be too little time.

"The time constraints on viewing and commenting on it do not allow for substantive public review or response," said OMB Watch in a press release. "Given the extensive nature of the report, as well as the importance of the subject matter, it seems clear that additional time should be allotted to allow for greater public input."
OMB Watch said in the release that DHS rejected its request to extend the comment period by 60 days. Several IT executives also are critical of the limited time allowed for comment.

The protection plan has "a tight time frame," said Peter Allor, director of intelligence for Internet Security Systems Inc. of Atlanta, and director of operations for the IT Information Sharing and Analysis Center, which was set up to work with DHS for information-sharing with the IT industry. "It will be a challenge to have to work within those constraints."

Several IT industry leaders are asking for an extension to Feb. 5, 2006, according to Larry Clinton, chief operating officer of the Internet Security Alliance, a nonprofit organization fostering IT security. Both Clinton and Allor are members of an executive advisory board of the newly formed IT Sector Coordinating Council. The council was formed at DHS' direction to represent the IT industry in policy discussions with the department.

Membership in the coordinating council is open to executives in companies in the IT industry, who are invited to sign up at the group's Web site [2]. Initial working groups are focused on administration, strategy and coordination with federal planning. The coordinating council will hold its first meeting in early 2006 to approve a charter, governance and structure, a news release issued Nov. 14 said.
[1] http://a257.g.akamaitech.net/7/257/2422/01jan20051800/edocket.access.gpo.gov/2005/05-21984.htm
[2] https://www.it-isac.org/

From isn at c4i.org Thu Nov 24 02:11:01 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Nov 24 02:20:47 2005
Subject: [ISN] Interior wants OMB to referee dispute over its IT security
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/37643-1.html

By Mary Mosquera
GCN Staff
11/23/05

Interior secretary Gale Norton disagrees with her department's inspector general that the department does not meet federal security requirements and has asked the Office of Management and Budget to clarify its interpretation of those requirements.

Interior certified and accredited more than 98 percent of its systems in fiscal 2005 to comply with the Federal Information Security Management Act. During the year, Interior also made progress in consolidating 13 networks into a single departmental enterprise services network, with strong network perimeter security controls. The three remaining bureau networks are undergoing consolidation now, she said in a letter to OMB director Joshua Bolten last month.

"While IT security is not perfect, risks and vulnerabilities still remain, and improvements need to be made, the policies and processes to address those risks are adequate, improvements have been and will continue to be made, and therefore, DOI substantially complies with FISMA," Norton said in the letter.

OMB could not comment on Interior's request, an OMB spokesman said. "We continue to work with every agency to improve security. We are currently completing our analysis for the FISMA report to be released in March," OMB spokesman Alex Conant said.

Norton said some of the reporting criteria on risk management were ambiguous, leading to subjective judgment and individual perspectives. The quality of Interior's certification and accreditation process is, at a minimum, satisfactory, said Interior CIO Hord Tipton in a redacted version of his FISMA evaluation.
Tipton's office also worked under the burden of producing 4.5 million pages of documentation related to the long-running Cobell v. Norton lawsuit, which has forced Interior to cut off some of its systems from the Internet. The plaintiffs claim that Interior's IT security is weak and that hackers can easily penetrate the Individual Indian Trust financial records.

"The CIO believes the IG's responses to several of the questions in the FY 2005 reporting template exceed the basic requirements of FISMA and do not take into account improvements made during the year in response to the testing the IG conducted," Norton said.

Despite progress, Interior IG Earl Devaney said the department has significant weaknesses in its network security, plans for corrective actions and milestones, and certification and accreditation. The IG's penetration testing demonstrated that Interior's network infrastructure was vulnerable to unauthorized access from internal and external threats. "(It) allowed us to compromise some of DOI's most sensitive information," Devaney said in the public version of his evaluation.

Devaney rated Interior's certification and accreditation program as poor. Overall, Interior lacks an effective departmentwide strategy to implement and oversee its various policies and procedures, he said.

From isn at c4i.org Thu Nov 24 02:11:14 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Nov 24 02:21:18 2005
Subject: [ISN] Points scammer felt like family failure
Message-ID:

http://www.theage.com.au/news/national/points-scammer-felt-like-family-failure/2005/11/23/1132703251329.html

By Daniella Miletic
November 24, 2005

Personal pride, skill and a tall shadow cast by his successful father, led Austin Nicholas Perrott to the centre of a sophisticated scam in which he amassed more than 17.6 million frequent-flyer points without getting on a plane - a role he was jailed for yesterday.
Perrott, portrayed by his lawyer as a man who did not scheme for riches but wanted to maintain the appearance of moderate prosperity, was jailed yesterday for his deception. Growing up in a home that set a high "standard of success", he had a strained relationship with his father - leading architect, Les Perrott, whose involvement in the designs of the Rialto, the Hilton Hotel and the former Gas and Fuel towers helped shape Melbourne's city skyline. When his siblings, too, became highly successful, Perrott believed he was a failure by comparison.

The County Court heard it was with a mixture of pride, skill and distraction (his wife's illness) that Perrott began to capitalise on a loophole he discovered in Qantas' mainframe computer. Perrott was working as a customer services supervisor with Singapore Airlines when he stumbled on an "irregularity" in the computer system. He found that passenger lists for flights that had departed and landed remained "active" and that he could add names to those lists. Friends at Qantas gave Perrott the regularly changing passwords to the airline's system.

In February 1996, with more than 15 years' experience in the airline industry, Perrott embarked on a 6½-year scam that accrued 17.6 million frequent flyer points from nine airlines, including Qantas, British Airways and American Airlines. Only 4.3 million points were redeemed. Perrott used the points for accommodation on a trip to the US with his wife and his three children, as well as on domestic flights. Unsuspecting family and friends also paid him for air tickets.

While discrepancies between points and dollar values across the airlines make it difficult to get a precise sum for Perrott's fraud, the court was told the amount Perrott gained was less than $85,000. It was money used to keep their Balwyn home and their daughter in private school. In November 2002, Qantas updated its computer system, inadvertently fixing the loophole.
The same month, an internal investigation by Air New Zealand, which found Perrott was a Gold Elite member, revealed his "extraordinarily large amounts of points" were accrued through a terminal at Melbourne. The Victoria Police fraud investigation division was called in. Perrott's father died shortly afterwards.

Perrott, of Middle Park, had pleaded guilty to nine counts of obtaining financial advantage by deception. Judge Roy Punshon sentenced him to two years and eight months' jail, with two years and two months suspended for two years. Perrott will serve six months in prison. Judge Punshon said he took into account Perrott had suffered considerable shame and he had lost his career.

From isn at c4i.org Thu Nov 24 02:08:34 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Nov 24 02:21:59 2005
Subject: [ISN] Dark Cloud Hovers Over Black Hat
Message-ID:

http://www.wired.com/news/privacy/0,1848,69655,00.html

By Jennifer Granick
Nov. 23, 2005

Last week Black Hat, the Vegas security conference that was at the center of the Ciscogate controversy last summer, was purchased by CMP Media. The sale has the internet hens clucking about whether ownership by a larger, wealthier corporation will protect Black Hat from future legal challenges, or make it more susceptible to pressure from companies wanting to control vulnerability disclosures.

The more worrisome question is why Black Hat and other purveyors of security information must worry so much about what they disclose. For better or worse, the settlement I negotiated with Cisco in its case against researcher Michael Lynn kept some important legal issues from reaching a courtroom, and these unsettled questions cast a long shadow over security research today.

As a brief background, Michael, my client, worked for ISS, a company that provides security products and services. While there, Michael's job was to study Cisco products, to figure out how they worked and to analyze them for security flaws.
Cisco did not give ISS or its employees Cisco source code and ISS had no nondisclosure agreement, or NDA, with Cisco. Michael had the typical NDA with ISS that he would not reveal confidential information obtained during the course of his employment there.

When Michael discovered the now-famous Cisco flaw, ISS initially was pleased to have Michael tout the success at Black Hat. Michael's presentation demonstrated for the first time that it was possible to execute remote code on Cisco routers, and encouraged systems administrators running vulnerable versions to upgrade fast. But in the weeks leading up to the conference, Cisco and ISS butted heads over what information Michael would reveal about the router code. The day before the conference, Cisco and ISS cut a deal and informed Black Hat that it had to cut Michael's presentation out of the conference materials.

Michael, concerned that important information was being suppressed, gave an edited version of his talk anyway, and by that afternoon, Cisco and ISS had jointly filed a federal lawsuit against Michael and Black Hat. Among other claims, the lawsuit alleged that Michael and Black Hat misappropriated trade secrets by revealing Cisco code in his presentation.

In California, where Cisco is located and the lawsuit was filed, misappropriation means "acquisition by improper means, or disclosure without consent by a person who used improper means to acquire the knowledge." Improper means "includes theft, bribery, misrepresentation, breach or inducement of a breach of a duty to maintain secrecy, or espionage through electronic or other means." Importantly, "Reverse engineering or independent derivation alone shall not be considered improper means" under the law.

Michael didn't steal anything, and he never had access to confidential Cisco source code.
He took the binary distributed with every Cisco router, decompiled it into machine code and used some pointers to the machine code to illustrate the claims made in his presentation. Machine code is probably copyright-protected, but copyright's fair-use doctrine allows some copying for the purpose of critique and study. California law makes it clear that people are allowed to study products on the market, and that a trade secret loses its special status when a company sells it to the public.

When a company distributes confidential information to insiders, it can assure that that information remains protected by requiring the employee or contractor to sign an NDA. Since Michael was not under an NDA with Cisco, he and Black Hat should have been in the clear. (At some point, Cisco and ISS lawyers claimed that Michael's NDA with ISS prevented him from reporting information he learned on the job about Cisco products, but arguing that Cisco flaws are ISS confidential information is a real stretch.)

But what about the Cisco End User License Agreement that ships with the router code? That's where things get interesting, and troubling for Black Hat's future. Almost every piece of software today comes with a click-through EULA that purports to regulate how customers can use the product, including a limitation on reverse engineering. Companies have argued that the EULA has the exact same effect as an NDA -- essentially letting every single customer in on a "secret" that they're legally obliged to protect.

If courts adopt this view, instead of keeping insiders loyal, trade-secret law can help companies force the public not to discuss published information. And if EULAs do confer trade-secret protection, that might mean magazines, newspapers and conferences have a duty to screen information to make sure it wasn't obtained by prohibited reverse engineering.
In a variety of cases, courts have held that the press has a right to disseminate information of a public concern even if it was illegally obtained. In the Pentagon Papers case, The New York Times battled the Nixon White House over its right to publish a secret Department of Defense report on U.S. involvement in Vietnam that had been leaked by DOD employee Daniel Ellsberg. The Times won and the documents were published, calling the government version of the nation's decision to go to war into question.

In Bartnicki v. Vopper, the Supreme Court said that a radio station could not be sued for playing a tape of an illegally intercepted telephone call between two union leaders involved in a matter of public interest, even though it knew that the person who recorded the call did so illegally, in violation of the Wiretap Act. Those are good decisions.

But one of the only cases that addressed the issue of trade-secret publishers went the other way. In a lawsuit filed by the DVD Copy Control Association against a California man who posted the DeCSS DVD-decryption code on his website, the California Supreme Court held that the First Amendment doesn't mean courts can't stop people from publishing trade secrets when the publisher knows or has reason to know that the information was acquired by improper means. That case is different from the Pentagon Papers case and Bartnicki because the court found that DeCSS wasn't a matter of public interest. Of course, most security vulnerabilities are, especially those that affect the machines that form the backbone of the internet.

Today, it's unclear how a court would rule in a trade-secret case where Cisco sued ISS for violating the prohibition against reverse engineering. The rule should be that EULAs don't make published information secret, under any circumstance. The contrary would be dangerous for Black Hat, Michael, future bug finders and computer security.
And while trade-secret law can prohibit accomplices and co-conspirators from publishing stolen data, reporters who merely know that information was improperly obtained should have a free-speech right to publish -- especially if the information reaches a matter of public interest, like the safety and security of the foundation of the internet.

- - -

Jennifer Granick is executive director of the Stanford Law School Center for Internet and Society, and teaches the Cyberlaw Clinic.

From isn at c4i.org Thu Nov 24 02:10:02 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Nov 24 02:23:51 2005
Subject: [ISN] ITL Bulletin for November 2005
Message-ID:

Forwarded from: Elizabeth Lennon

ITL Bulletin for November 2005

SECURING MICROSOFT WINDOWS XP SYSTEMS: NIST RECOMMENDATIONS FOR USING A SECURITY CONFIGURATION CHECKLIST

Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

Organizations can strengthen the security of their local Windows XP workstations, mobile computers, and telecommuter systems when their system administrators apply information technology (IT) security configuration checklists as part of an established security program. NIST's Information Technology Laboratory has issued guidance to assist the trained and experienced system administrators who are responsible for the administration and security of Windows XP systems that are used in a variety of environments including the small office, the home office, and managed enterprise settings.

Checklists of security settings are useful tools that have been developed to guide IT administrators and security personnel in selecting effective security settings that will reduce the risks of Internet connections and protect systems from attacks.
A checklist, sometimes called a security configuration guide, lockdown guide, hardening guide, security technical implementation guide, or benchmark, is basically a series of instructions for configuring an IT product to an operational environment. Checklists can be effective in reducing vulnerabilities to systems, especially for small organizations with limited resources. IT vendors often create checklists for their own products, but other organizations such as consortia, academic groups, and government agencies have also developed them.

The NIST Checklist Program

Working with other government agencies, with IT product vendors, and with private industry, NIST is managing a program to make checklists readily available and to encourage the exchange of information about checklists. The Cyber Security Research and Development Act of 2002 designated NIST "to develop and revise, as necessary, a checklist setting forth settings and option selections that minimize the security risks associated with each computer hardware or software system that is, or is likely to become, widely used within the Federal Government." NIST's checklist program supports the development, test, review, and dissemination of information about security configuration checklists for IT products, such as operating systems, database systems, web servers, e-mail servers, firewalls, routers, intrusion detection systems, virtual private network servers, biometric devices, smart cards, telecommunication switching devices, and web browsers. For more information about this effort, see NIST Special Publication (SP) 800-70, Security Configuration Checklists Program for IT Products, the June 2005 bulletin in the ITL bulletin series, and the checklists website: http://csrc.nist.gov/checklists/index.html.
Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist

NIST's Information Technology Laboratory has published Special Publication (SP) 800-68, Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist: Recommendations of the National Institute of Standards and Technology. The guide assists IT professionals, and particularly Windows XP system administrators and information security personnel, in securing Windows XP Professional systems running Service Pack 2 (SP2). Released in August 2004, Service Pack 2 contains changes that affect the security of Windows XP Professional systems and is considered a major upgrade to those systems. The recommendations in the guide do not apply to Windows XP Home systems running Service Pack 2. NIST plans to develop separate guidance for these systems.

Written by Murugiah Souppaya, Karen Kent, and Paul M. Johnson, NIST SP 800-68 discusses the security components offered by Windows XP Professional SP2 and provides guidance on installing, backing up, and patching Windows XP systems. It also discusses security policy configurations, presents an overview of the settings in accompanying security templates, and provides information on how to apply additional security settings that are not included in the security templates. Tested and secure settings are recommended for popular office productivity applications, web browsers, e-mail clients, personal firewalls, anti-virus software, and spyware detection and removal utilities on Windows XP systems to protect these systems against viruses, worms, Trojan horses, and other types of malicious code.

The Windows XP checklist guide is available in electronic format from the NIST Computer Security Resource Center at http://csrc.nist.gov/itsec/.
Also available from this web page is NIST SP 800-43, The Systems Administration Guidance for Windows 2000 Professional, which recommends tested secure settings and includes configuration templates and security checklists for Windows 2000 Professional systems. NIST SP 800-43 provides detailed information about the security features of the Windows 2000 Professional system, security configuration guidelines for popular applications, and security configuration guidelines for the operating system.

Operational Environments

NIST has identified four types of operational environments to help developers to target their checklists to the security baselines that are associated with the different environments. Users can select the checklists that are most appropriate for their operating environments. NIST SP 800-68 recommends secure settings for Windows XP workstations in these four types of operational environments.

* Small Office/Home Office (SOHO), sometimes called Standalone, describes small, informal computer installations that are used for home or business purposes. SOHO encompasses a variety of small-scale environments and devices, ranging from laptops, mobile devices, or home computers, to telecommuting systems located on broadband networks, to small businesses and small branch offices of a company. These environments, which generally focus on functionality and ease of use, may be less secure than the others, and may be supported by less experienced system administrators.

* Enterprise environments are sometimes referred to as managed environments that are structured in terms of hardware and software configurations. These environments, consisting of centrally managed workstations and servers, are usually protected from Internet threats by firewalls and other network security devices. Generally, a skilled staff supports users and provides security from initial system deployment through system maintenance. The structure and the staff contribute to the implementation and maintenance of consistent security practices.

* Specialized Security-Limited Functionality environments are at high risk of attack or data exposure, and therefore security takes precedence over usability. These environments include computers that are usually limited in their functionality to specific specialized purposes and that may contain highly confidential information, such as personnel records, medical records, and financial information. These computers also may perform vital organizational functions such as accounting and payroll processing. Providing sufficiently strong protection for these systems often involves a substantial tradeoff between security and functionality based on the premise that more than strictly necessary functionality provides more opportunity for exploitation. This can result in a significant reduction in system functionality and a higher risk of applications breaking, thus causing increased costs for system support. Because of the tradeoffs and complexities, a security-limited environment is not recommended for most SOHO users who are managing their own systems but may want better security. In most cases, the specialized security-limited functionality environment is not suitable for widespread enterprise usage.

* Legacy environments contain older systems or applications that often use older, less secure communication mechanisms. Other systems operating in a legacy environment may need less restrictive security settings so that they can communicate with legacy systems and applications. Using legacy services increases the potential risk of security breaches, as does lowering the security profile of other systems that need to interact with legacy systems. Legacy environments may exist within the SOHO and the enterprise environments, and in rare cases, within specialized security-limited functionality environments as well.
Security Templates

The guide for Windows XP systems includes security templates to enable system administrators to apply the security recommendations rapidly. The templates are text-based configuration files that specify values for security-relevant system settings, and that involve Windows XP policy areas, including password policy, account lockout policy, auditing policy, user rights assignment, system security options, event log policy, system service settings, and file permissions. The NIST template for Specialized Security-Limited Functionality environments represents the consensus settings from the Center for Internet Security (CIS), Defense Information Systems Agency (DISA), Microsoft, NIST, the National Security Agency (NSA), and the United States Air Force (USAF). The other NIST templates are based on Microsoft's templates and recommendations. The templates and additional settings have been tested for their impact on both security and functionality.

The NIST Windows XP Security Templates were developed to strengthen the security of Windows XP workstation configurations. However, since every system and environment is unique, system administrators should perform their own testing. Specific settings may have to be modified because they might reduce the functionality or usability of a system, interfere with legacy applications, or conflict with local policies. The templates should be thoroughly tested on representative systems before widespread deployment, and a full system backup should be performed before the recommendations are applied.

To apply the templates to systems, administrators can use the Security Configuration and Analysis Microsoft Management Console (MMC) snap-in for a local system, compare a template's settings to the existing settings on a system, and identify discrepancies.
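As an added example, not NIST's or Microsoft's code: a small analyzer that reads a security template in the text-based .inf format these templates use and lists the settings a system fails to meet, the kind of discrepancy report the Security Configuration and Analysis snap-in produces for a local system. The baseline template and the current-settings export are constructed sample data; the section and setting names follow the real template format, but the values are illustrative and are not the NIST SP 800-68 values.

```python
"""Compare a Windows security template (.inf) with a system's current
settings and list every discrepancy.

Added example, not NIST's or Microsoft's code. The template and the
"current settings" export are constructed sample data; the values are
illustrative and are not the NIST SP 800-68 values."""
import configparser
from dataclasses import dataclass

# Constructed baseline template (hypothetical hardened values).
BASELINE_INF = r"""
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
PasswordHistorySize = 24
MaximumPasswordAge = 90
LockoutBadCount = 10
ResetLockoutCount = 15
LockoutDuration = 15
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditPolicyChange = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
"""

# Constructed export of one workstation's current settings, same format.
CURRENT_INF = r"""
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 24
MaximumPasswordAge = 90
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 1
AuditAccountLogon = 3
AuditPolicyChange = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
"""

@dataclass(frozen=True)
class Finding:
    section: str
    setting: str
    expected: str
    actual: str  # "Not Defined" when the system has no value at all

# Thresholds a larger current value still satisfies (0 means disabled/never,
# which never satisfies the template) ...
AT_LEAST = {"MinimumPasswordLength", "PasswordHistorySize", "LockoutBadCount",
            "ResetLockoutCount", "LockoutDuration"}
# ... and limits a smaller nonzero current value still satisfies.
AT_MOST = {"MaximumPasswordAge"}

def parse_template(text: str) -> dict:
    """Parse .inf template text into {section: {setting: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep setting names and registry paths case-exact
    cp.read_string(text.lstrip())
    return {s: dict(cp[s]) for s in cp.sections()}

def _satisfies(section: str, name: str, expected: str, actual: str) -> bool:
    if section == "System Access":
        exp, act = int(expected), int(actual)
        if name in AT_LEAST:
            return act != 0 and act >= exp
        if name in AT_MOST:
            return act != 0 and act <= exp
        return act == exp
    if section == "Event Audit":
        # Bitmask: 1 = success, 2 = failure; every audited class must stay on.
        return int(actual) & int(expected) == int(expected)
    return actual.strip() == expected.strip()  # registry: exact "type,value"

def analyze(baseline: dict, current: dict) -> list:
    """Return one Finding per template setting the system fails to meet."""
    findings = []
    for section, settings in baseline.items():
        for name, expected in settings.items():
            actual = current.get(section, {}).get(name)
            if actual is None:
                findings.append(Finding(section, name, expected, "Not Defined"))
            elif not _satisfies(section, name, expected, actual):
                findings.append(Finding(section, name, expected, actual))
    return findings

if __name__ == "__main__":
    for f in analyze(parse_template(BASELINE_INF), parse_template(CURRENT_INF)):
        print(f"[{f.section}] {f.setting}: template={f.expected} system={f.actual}")
```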
In a Windows XP domain environment, the Group Policy Editor can be used to distribute security settings quickly from templates to computers in an Active Directory Organizational Unit (OU). Also the Group Policy Management Console (GPMC) can be used to manage Group Policy for multiple domains, and to import, edit, and apply security templates to Windows systems throughout an enterprise.

NIST Recommendations

System administrators should begin the process of securing Windows XP workstations from a clean formatted state. The installation process should be performed on a secure network segment or off the organization's network until the security configuration is completed, all patches are applied, and strong passwords are set for all accounts. After systems have been installed and securely configured, they should be regularly monitored and patched when software vulnerabilities are identified, and when new patches, policies, and procedures are issued.

The recommendations include measures for testing and configuring common Windows applications, such as office productivity tools, web browsers, e-mail clients, personal firewalls, anti-virus software, and spyware detection and removal utilities. This list is not intended to be a complete list of applications to install on Windows XP, nor does NIST endorse particular products. The configuration settings for applications focus on deterring viruses, worms, Trojan horses, and other malicious code. The recommendations can help to protect Windows XP systems from malicious code when the applications are being used. The settings and recommendations assist organizations in making their Windows XP systems more secure, and provide system administrators with the information necessary to modify the settings and to comply with local policy or special situations.
The baseline recommendations and settings provide a high level of security for Windows XP Professional systems when used in conjunction with a sound and comprehensive local security policy and other relevant security controls. The recommendations are also appropriate for managed environments that are configuring and deploying laptops for mobile users and desktop computers for telecommuters.

NIST recommends that the IT professionals using the Windows XP checklist review all of the material provided in the guide, as well as the recommended references. Decisions to install and patch the operating system, to use and modify the security templates, and to apply additional controls should be made in accordance with the principles of sound system administration.

Using Checklists as Security Controls

The Federal Information Security Management Act (FISMA) requires that federal agencies carry out a risk-based approach to information security. To support agencies in conducting their information security programs, FISMA called for NIST to develop federal standards for the security categorization of federal information and information systems according to risk levels, and for minimum security requirements for information and information systems in each security category. Two Federal Information Processing Standards (FIPS) have been developed. FIPS 199, Standards for the Security Categorization of Federal Information and Information Systems, issued in February 2004, assists agencies in categorizing their information and information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability. Soon to be issued in final form, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, helps agencies provide appropriate levels of information security based on levels of risk.
In applying the provisions of FIPS 200, agencies will categorize their systems as required by FIPS 199, and then select an appropriate set of security controls from NIST SP 800-53, Recommended Security Controls for Federal Information Systems, to satisfy their minimum security requirements. Organizations using the Windows XP security guide, its security templates, and its other general prescriptive recommendations should be able to meet the baseline system configuration requirements for Windows XP systems. The controls are consistent with the management, operational, and technical security controls described in NIST SP 800-53, and they provide a high level of security for Windows XP systems when used in conjunction with sound local security policies.

Organizations should:

* Protect each system based on the potential impact to the system of a loss of confidentiality, integrity, or availability.

* Reduce the opportunities that attackers have to breach a system by limiting functionality according to the principle of least privilege and resolving security weaknesses.

* Select security controls that provide a reasonably secure solution while supporting the needed functionality and usability.

* Use multiple layers of security so that if one layer fails or otherwise cannot counteract a certain threat, other layers might prevent the threat from successfully breaching the system.

* Conduct risk assessments to identify threats against systems and determine the effectiveness of existing security controls in counteracting the threats. Perform risk mitigation to decide whether and what additional measures should be implemented.

* Document procedures for implementing and maintaining security controls, and maintain other security-related policies and documentation that affect the configuration, maintenance, and use of systems and applications, such as acceptable use policy, configuration management policy, and IT contingency plans.
* Test all security controls to determine what impact they have on system security, functionality, and usability, and address any significant issues.

* Monitor and maintain systems on a regular basis so that security issues can be identified and mitigated promptly. Actions that may be needed include acquiring and installing software updates; monitoring event logs; providing remote system administration and assistance; monitoring changes to operating system and software settings; protecting and sanitizing media; responding promptly to suspected incidents; performing vulnerability assessments; disabling and deleting unused user accounts; and maintaining hardware.

More Information

The NIST publications mentioned in this bulletin, as well as other publications needed for the secure management of systems, are available in electronic format from the NIST Computer Security Resource Center at http://csrc.nist.gov/publications.

Disclaimer

Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.

Elizabeth B. Lennon
Writer/Editor
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 975-2378

From isn at c4i.org Thu Nov 24 02:10:16 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Nov 24 02:24:17 2005
Subject: [ISN] Schneier on security
Message-ID:

http://news.zdnet.co.uk/internet/security/0,39020375,39237490,00.htm

Tom Espiner
ZDNet UK
November 23, 2005

Q&A: Security guru Bruce Schneier gives his take on cyberterrorism, biometrics, ID cards and the erosion of our freedoms

As one of the world's foremost authorities on security issues, Bruce Schneier has been a voice of reason in an industry where hyperbole is often rife.
Schneier, who has written several books on security and is the founder of Counterpane Internet Security, has previously criticised those who claim that cyberterrorism is a serious threat. So, with the SANS Institute warning that hackers are changing their tactics and NISCC claiming that foreign governments pose a serious threat to the UK's critical infrastructure, we caught up with Schneier to get his take on the security landscape today.

Q: What do you think about the claim that foreign governments are a serious threat to the critical national infrastructure of a country, through government-led hacking?

A: In general, these threats are overstated. Is there a danger to the critical national infrastructure from spying? Well, a lot of reports you read tend to be very muddled as to the details.

Q: Do you think the threat from cyberterrorism is still over-hyped?

A: Yes. The US government gives a lot of money to fight terrorism, so cyberterrorism is hyped. I hear people talk about the risks to critical infrastructure from cyberterrorism, but the risks come primarily from criminals. But at the moment, criminals aren't as 'sexy' as terrorists. We should not ignore criminals and I think we're under-spending on crime. If you look at ID theft and extortion - it still goes on. Criminals are after money.

Q: Hacking does seem to be more financially motivated now. Is there a 'malicious marketplace', as SANS claims?

A: There is definitely a marketplace for vulnerabilities, exploits and old computers. It's a bad development but there are definitely conduits between hackers and criminals.

Q: Roger Cummings [director of NISCC] said on Tuesday there is a danger that the links between criminals and hackers, and hackers and terrorists, will become stronger...

A: Well if we were making a movie then that's what we'd do. I think that the terrorist threat is over-hyped and the criminal threat is under-hyped.
Q: What do you think about governments using the threat of terrorism to collect information on citizens, and the implications of that on police powers?

A: It's very scary. This is a very complex issue - one I've written books about. My view is that we're faced with multiple threats. The worry is that while we are trying to defend ourselves against one threat [terrorism], we are actually making ourselves less secure. People are scared, and because they're scared they're handing over powers to the government and giving up their liberties.

Q: The threat of terrorism in the UK has led to national e-card debates and biometric passport discussions. What are your views on biometrics in this context?

A: They're good for what they're good for, and bad for what they're bad for. They have their uses and they have places where they're not useful. The all-important issue is that we think we're in danger and think that by using biometrics we'll suddenly be safe. We should use them where they're valid.

Q: How about ID cards?

A: In general, ID cards are a complete waste of money - a former MI5 director said that. It's all very well for me to say that, but it's nice to know Stella Rimington feels that way too. The ID card debate in the UK is all about population control - it's about controlling immigration, not terrorism. It is unfortunate the UK isn't having that debate properly.

Q: So what will be the outcome?

A: There will be a massive erosion of freedoms in our culture. We are losing sight of the future. I know that's not good news - it's not fun, but it's true. We'll be less secure as a result, because we'll be in more danger from terrorists. There'll be an increase in the risk from terrorists we are creating - and we'll be giving the police state powers. We waste money on electioneering that could be spent on actual security - investing in intelligence and better emergency response. How can anyone feel safe in a world created by George Bush?
From isn at c4i.org Thu Nov 24 02:10:30 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Nov 24 02:24:33 2005
Subject: [ISN] Military assessing possible threat posed by Sony security software
Message-ID:

http://www.estripes.com/article.asp?section=104&article=33184

By Charlie Coon
Stars and Stripes
Mideast edition
November 23, 2005

It seems innocent enough. A Sony BMG music CD bought at a Power Zone, when inserted into a computer, requires the Sony player be downloaded in order to play the music. But the software also includes anti-piracy software and a "root kit" that secretly enables Sony to track usage and alter the computer's operating system. This surreptitious software allows hackers to access data stored on the computer and introduce viruses.

Military network analysts are assessing a possible security threat that could result if the software is installed on government computers, according to Tom Ryan, an information assurance manager with the 5th Signal Command based in Mannheim, Germany.

"It's not so much [a threat] on the classified network because everything on it is already encrypted," Ryan said. "But as far as [operational security], on the unclassified side it's possible for somebody to pull down enough information to put together some really sensitive stuff."

Ryan said that the command is about to install a security patch developed by Defense Information Systems Agency. "You have a certain amount of time to comply with installing those security patches," Ryan said, adding that the current patch needs to be installed by Dec. 14.

About 2 million Sony BMG music CDs have been sold with the anti-piracy software embedded on the discs, which makes computers running Windows products more vulnerable to hackers. The CDs, released under 52 different titles, install a program on Windows-based computers that limits the number of copies that can be made, such as is done with MP3 files.
Tim Madden, a spokesman for Joint Task Force Global Network Operations, a component of U.S. Strategic Command that oversees the operation and protection of military networks, downplayed the risk to Department of Defense computer security.

"It doesn't pose any threat," Madden said. "You can't install [the software] because of security configurations on DOD computers.

"If somebody were to get [an affected CD] and put it on a government computer, it asks them to install [the software], but they can't because they don't have the permissions."

When asked if someone could bring an infected computer from home and hook it up to a military network, Madden said, "there are a lot of 'what ifs.'"

"This has not been an issue for DOD computers because of the blocks that have been put in place," Madden said. "Whatever processes and procedures we may do to manage that is something we're not going to talk about publicly."

The Army and Air Force Exchange Service, which operates Power Zones and other stores that sell CDs, is offering customers a full refund for opened or unopened packages. Army Lt. Col. Dave Accetta, a spokesman for AAFES Europe, said stores are complying with the Sony recall and pulling the affected CDs from its shelves.

"It is a voluntary recall, but we want to make sure customers are aware and are not placing computer systems at risk," he said.

The software does not affect stereo equipment, just computers, according to Sony and AAFES.

Sony is being sued by the state of Texas, which contends that the electronics giant violated the state's new spyware law. "Sony has engaged in a technological version of cloak and dagger deceit against consumers by hiding secret files on their computers," said Greg Abbott, the Texas attorney general.

Information on the recall and the software can be found at www.sonybmg.com. Click on "Information on xcp content protection."

The Associated Press contributed to this report.
From isn at c4i.org Thu Nov 24 02:09:24 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Nov 24 02:24:46 2005
Subject: [ISN] 2005 SANS Top 20 List of Vulnerabilities -- November 23, 2005
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Free Utility: Find Performance Bottlenecks
http://list.windowsitpro.com/t?ctl=1A4AB:4FB69

Provide Secure Remote Access
http://list.windowsitpro.com/t?ctl=1A4AC:4FB69

====================

1. In Focus: 2005 SANS Top 20 List of Vulnerabilities

2. Security News and Features
   - Recent Security Vulnerabilities
   - Microsoft Bolsters Antiphishing Efforts with Third-Party Data
   - Windows Genuine Advantage Now Supports Mozilla-based Browsers
   - CMP Buys Black Hat

3. Instant Poll

4. Security Toolkit
   - Security Matters Blog
   - FAQ
   - Security Forum Featured Thread

5. New and Improved
   - Web Filter Gets New Features

====================

==== Sponsor: Diskeeper ====

Free Utility: Find Performance Bottlenecks
Disk Performance Analyzer for Networks is a free utility that remotely scans your systems looking for fragmentation-related disk performance bottlenecks. Disk fragmentation is a major source of slowdowns, freeze-ups and headaches; with Disk Performance Analyzer you can stamp out these little fires before they flare up into five-alarm blazes. Disk Performance Analyzer will save you time and reduce help desk traffic by enabling you to find and fix these problems before they find (and fix) your users and you. Get the free Disk Performance Analyzer for Networks now!
http://list.windowsitpro.com/t?ctl=1A4AB:4FB69

====================

==== 1. In Focus: 2005 SANS Top 20 List of Vulnerabilities ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Since 2000, The SANS (SysAdmin, Audit, Network, Security) Institute has maintained a list of what it considers to be the vulnerabilities that administrators should be most aware of. The list can be looked at as a summary of concerns to address if you don't have time to immediately address all known vulnerabilities in the universe. The reason you might use the Top 20 List as your short list is that typically the most critical vulnerabilities are the ones used by intruders to launch attacks--which often turn out to be widespread.

This week, SANS published the annual version of its SANS Top 20 Most Critical Internet Vulnerabilities list. The list is divided into sections that cover problems related to Windows platforms, Unix platforms, cross-platform products, and networking products. According to Rohit Dhamankar, project manager for the SANS Top 20 (and lead security architect at 3Com division TippingPoint), "Vulnerabilities on this list meet four requirements: (1) they affect a large number of users, (2) they have not been patched on a substantial number of systems, (3) they allow computers to [be] controlled by a remote, unauthorized user, (4) sufficient details about the vulnerabilities have been posted to the Internet to enable attackers to exploit them."

If you look at the report, you might think "Top 20" is a bit of a misnomer. The report has 20 categories of vulnerabilities, and in any given category, you might find 10 or more individual vulnerabilities. Thus, the Top 20 report includes dozens upon dozens of critical vulnerabilities. For example, vulnerabilities in the PHP scripting language might expand into countless application vulnerabilities. In another example, peer-to-peer (P2P) file-sharing software is cited as a vulnerability. How many different types of P2P software are there these days? I lost count some time ago.
You're probably getting the picture: The report isn't exactly a guide to quickly fixing the top 20 vulnerability problems. That said, it does reveal some of the major vulnerability trends of this year.

SANS says that in the past, the majority of attacks targeted Windows, UNIX (I assume they include Linux in the UNIX category), Web services, email services, and similar Internet services. However, this year, a different trend has emerged. According to SANS, more attacks this year have been aimed at critical core services, such as backup applications, antivirus software, and "other security tools." Another trend pointed out in the report "is public recognition of the critical vulnerabilities that are found in network devices such as routers and switches that form the backbone of the Internet."

As for Windows platforms, the report points out 11 critical vulnerabilities in system services, 10 in Microsoft Internet Explorer (IE), 11 in various system libraries, 3 in Microsoft Office and Outlook Express, as well as the risk of using weak password schemes in the OS and related services, such as SQL Server. That's at least 32 vulnerabilities plus an entire password infrastructure to address.

Hopefully, you've addressed all these problems as they've become known to the public over the past year. If not, the quickest way to find out if you're vulnerable to most of the items in the report is of course to use a decent vulnerability scanner. Be sure to check the report (first URL below) to determine whether it mentions vulnerabilities that you haven't addressed that might affect your network. You can also check out our news story on the SANS Top 20 list on our Web site (second URL below).
http://list.windowsitpro.com/t?ctl=1A4C2:4FB69
http://list.windowsitpro.com/t?ctl=1A4B2:4FB69

====================

==== Sponsor: Panda Software ====

Provide Secure Remote Access
It may be tempting to deploy a WiFi wireless access point or offer PDAs or laptops to your roaming employees so they can work from virtually anywhere. In this free white paper you'll get the important security implications you should consider before you do so.
http://list.windowsitpro.com/t?ctl=1A4AC:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=1A4B1:4FB69

Microsoft Bolsters Antiphishing Efforts with Third-Party Data
Microsoft announced that three companies will help bolster its Phishing Filter and SmartScreen technologies. Each of the three companies--Cyota, Internet Identity, and MarkMonitor--will regularly provide Microsoft with data that helps identify known phishing sites.
http://list.windowsitpro.com/t?ctl=1A4B7:4FB69

Windows Genuine Advantage Now Supports Mozilla-based Browsers
Downloading certain types of software from Microsoft's Web site has typically been limited to those who use Microsoft Internet Explorer (IE). But not anymore. The Windows Genuine Advantage team created a new ActiveX control that works with browsers based on code developed by the Mozilla Foundation.
http://list.windowsitpro.com/t?ctl=1A4B8:4FB69

CMP Buys Black Hat
Black Hat, operator of popular conferences related to information security, has been acquired by CMP Media. Jeff Moss, Black Hat founder, will continue as director of Black Hat for CMP.
http://list.windowsitpro.com/t?ctl=1A4BA:4FB69

====================

==== Resources and Events ====

Get the Most from Reporting Services
In this free Web seminar, you'll learn about innovative ways to extend your reports, reporting from XML-based data, delivering reports with the new Report Viewer, supercharging reports with SQL Server 2005 CLR stored procedures, and more! Register today:
http://list.windowsitpro.com/t?ctl=1A4AE:4FB69

Free Tools to Stop Internet Attacks
Your network users' negligent or inappropriate activity is often the entry point for Internet criminals to access your systems. In this free Web seminar, you'll learn how to effectively implement policy, user training, and technology to mitigate Internet risks. You will take away free tools to help you analyze threats and create Acceptable-Use Policies (AUPs). Register now at
http://list.windowsitpro.com/t?ctl=1A4AD:4FB69

Get the Most from Your Infrastructure by Consolidating Servers and Storage
Improved utilization of existing networking resources and server hardware lets you allocate money and time where they're needed most. In this free Web seminar, learn to optimize your existing infrastructure with the addition of server and storage consolidation software and techniques. You'll get the jumpstart you need to evaluate the suitability and potential of your computing environment for the added benefits that consolidation technology can provide.
http://list.windowsitpro.com/t?ctl=1A4AA:4FB69

Do You Know What "High Availability" Really Means?
In this free guide learn what high availability really means and the different strategies that you can use to improve your email systems' availability and resiliency. Download this FREE guide now and get prepared to choose the appropriate solutions to protect your messaging data at the lowest cost; with the highest reliability.
http://list.windowsitpro.com/t?ctl=1A4B0:4FB69

Win the NEW, full-color LCD Display iPod (for Mac or PC)
Download a Windows IT Pro podcast on Windows IT Pro Radio by your favorite author, editor or industry figure. You'll automatically be entered to win!
http://list.windowsitpro.com/t?ctl=1A4C0:4FB69

Win A $100 American Express Gift Certificate!
We invite you to take 3 minutes and tell us your opinion about the email security products and services you currently use--or wish you could use. Take the Email Security Products Survey today at
http://list.windowsitpro.com/t?ctl=1A4BC:4FB69

====================

==== 3. Instant Poll ====

Results of Previous Poll:
Which of the following devices and/or software do you monitor? The voting has closed in this Windows IT Pro Security Hot Topic nonscientific Instant Poll. Here are the results from the 15 votes:
- 20% Windows
- 13% Network devices such as firewalls, gateways, VPN appliances, and wireless Access Points
- 0% Important applications such as Exchange Server and IIS
- 67% Two or more of the above
- 0% None of the above

New Instant Poll:
What's the best defense against malware? Go to the Security Hot Topic and submit your vote for
- Establish a Guest account for risky activities
- Connect user workstations only to trusted accounts
- Maintain and regularly use anti-malware software
- Educate all users about malware risks
- My pop-up blocker is sufficient
http://list.windowsitpro.com/t?ctl=1A4BD:4FB69

====================

==== Featured White Paper ====

Learn about the capabilities offered by the integration of Microsoft SMS 2003 and Afaria
In this free white paper, you'll learn about new functionality and benefits of Microsoft SMS specifically targeted to improving management of remote and mobile devices, challenges of managing frontline systems, how the combined solution creates value around the successful use of technology at the front lines of business and more.
http://list.windowsitpro.com/t?ctl=1A4A9:4FB69

====================

==== Hot Release ====

Meet the challenges of Microsoft Exchange
Discover a unified solution to get a handle on the growth of your email and unstructured data and address compliance and government mandates. In this free white paper you'll learn to overcome the management and storage challenges that Microsoft Exchange can bring.
http://list.windowsitpro.com/t?ctl=1A4AF:4FB69

====================

==== 4. Security Toolkit ====

Security Matters Blog: Security Work to Go
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=1A4BF:4FB69
Laptops are great tools, particularly when it comes to security work, because they're portable. But what about an ultraportable computer? Check out this blog article to learn about an incredibly powerful full-function PC that you can literally put in your pocket.
http://list.windowsitpro.com/t?ctl=1A4B9:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=1A4BE:4FB69
Q: How can I dump out the mailbox permissions on a Microsoft Exchange Server box or bulk change multiple users' attributes at once?
Find the answer at
http://list.windowsitpro.com/t?ctl=1A4BB:4FB69

Security Forum Featured Thread: Errors in Generic Host Services and LSA Shell services
A forum participant's Windows Server 2003, Enterprise Edition system is rebooting at frequent intervals due to some sort of remote procedure call (RPC) error. Whenever it restarts, the system generates errors related to LSASS and Generic Host Services. After the system is back up and running for about 5 to 10 minutes, those services stop. Know what the problem might be?
Join the discussion at:
http://list.windowsitpro.com/t?ctl=1A4A8:4FB69

====================

==== Announcements ====
(from Windows IT Pro and its partners)

VIP Monthly Online Pass = Quick Answers
Sign up for a VIP Monthly Online Pass and get online access to ALL the articles, tools, and helpful resources published in SQL Server Magazine, Windows IT Pro, Exchange and Outlook Administrator, Windows Scripting Solutions, and Windows IT Security. You'll have 24/7 access to a database of more than 25,000 articles that will give you all the answers you need, when you need them. BONUS--Includes the latest issue of Windows IT Pro each month. Sign up now for just US$29.95 per month:
http://list.windowsitpro.com/t?ctl=1A4B3:4FB69

Need Answers to Your Tough Security Questions?
The Windows IT Security newsletter can help. Subscribe now and discover fundamentals on building and maintaining a secure enterprise. Each issue features in-depth product coverage of the best security tools available, expert advice on the best way to implement various security components, and much more. Paid subscribers also get searchable access to the full online security article database (more than 1900 articles). Subscribe today:
http://list.windowsitpro.com/t?ctl=1A4B6:4FB69

====================

==== 5. New and Improved ====
by Renee Munshi, products@windowsitpro.com

Web Filter Gets New Features
8e6 Technologies announced new features for its R3000 Internet filtering appliance. The R3000 can now block the use of Google Web Accelerator (Accelerator can have the effect of circumventing Internet filtering) and enforce Yahoo! SafeSearch mode (even if end users deactivate SafeSearch from their browsers). R3000 users can now use wildcards in specifying sites to block; and the R3000's X-Strikes feature, which lets administrators set criteria for restricting a user's Internet access after repeated attempts to access "unacceptable" Internet sites, has been enhanced.
For more information, go to
http://list.windowsitpro.com/t?ctl=1A4C3:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Contact Us ====

About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=1A4C1:4FB69
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- salesopps@windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=1A4B5:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.
From isn at c4i.org Mon Nov 28 03:40:11 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 28 04:31:55 2005
Subject: [ISN] Symantec refuses to sell audit tool outside the US
Message-ID:

http://www.theregister.co.uk/2005/11/25/symantec_l0phtcrack_export_controversy/

By John Leyden
25th November 2005

Exclusive - Symantec has stopped selling a password auditing tool to customers outside the US and Canada, citing US Government export regulations.

A Reg reader who works for a large UK supermarket was this month unable to buy a copy of LC 5, a tool developed by @stake prior to its recent acquisition by Symantec. LC 5 is the commercial version of a password auditing / breaking tool better known as L0phtCrack.

"A month ago I could have bought it from the @stake web site, that website has gone and the product has not appeared on the Symantec web site. I inquired if I could purchase the product, only to be told that it will only be sold to US and Canadian customers," our correspondent informs us. "I guess I'll just have to go back to using John the Ripper."

Symantec's restrictions recall the dark days of the crypto wars when users outside the US were not entitled to buy products featuring strong ciphers. These rules, relaxed by the Clinton administration and following a long running campaign by cryptography experts and net activists, are once again rearing their head.

Symantec's response to our reader (below) suggests the policy was imposed on it by the US government.

    Unfortunately, due to strict US Government export regulations Symantec is only able to fulfill new LC5 orders or offer technical support directly with end-users located in the United States and commercial entities in Canada, provided all screening is successful. Commodities, technology or software is subject to U.S. Dept. of Commerce, Bureau of Industry and Security control if exported or electronically transferred outside of the USA.
    Commodities, technology or software are controlled under ECCN 5A002.c.1, cryptanalytic. You can also access further information on our web site at the following address: http://www.symantec.com/region/reg_eu/techsupp/enterprise/index.html

Beyond confirming that "the statement you have received from your reader is correct", Symantec declined to field questions on the rationale for its policy and whether it applies to other products.

Any US government policy to impose export regulations on security technologies would be futile since, to cite only one reason, many security firms are based outside the US and therefore unaffected by such regulations. ®

From isn at c4i.org Mon Nov 28 03:36:00 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 28 04:32:30 2005
Subject: [ISN] Cyber terror inevitable
Message-ID:

http://www.geelonginfo.com.au/readarticle.asp?articleid=17908

MICHAEL AUCIELLO
November 25, 2005

A CYBER terrorism attack is not a case of if, but when, according to a Monash University academic.

Chris Beggs told an information warfare and security conference at Deakin University yesterday that an internet-based attack was only a matter of time away.

"It's not too far off," he said. "It's only a matter of time, I believe, that a cyber-terrorism attack will occur."

The cyber-terrorism sessional academic yesterday put his case forward for a proposed cyber-terrorism capability framework.

Mr Beggs' proposal included seven criteria which all need to be satisfied for an attack to be officially classified as a cyber-terrorist attack.
The criteria include:
- POLITICAL motivation;
- TERRORIST leaders with an advanced information and communication technology (ICT) skill set;
- TERRORISTS with advanced hacking tools and techniques;
- ACCESS to new advanced ICTs;
- ADVANCED knowledge of SCADA (intelligence) systems;
- TERRORIST insiders within the organisation of the selected target; and
- FUNDING.

Mr Beggs said all seven criteria had to be satisfied for an act to be considered a real cyber-terrorist attack.

He cited an example of a former council worker in Queensland who in 2001 hacked into a sewerage system 46 times and released a million litres of sewage into local rivers and waterways.

Mr Beggs said the man, who carried out the operation via a wireless laptop, had satisfied all criteria except for being politically motivated.

The act was therefore not considered to be a proper cyber-terrorist attack and should just "serve to act as a warning" about the potential for such an act to be carried out on home soil.

He said the criteria would be used to assess a terrorist group's capability to orchestrate a cyber-terrorism attack.

"The more capabilities acquired, the higher possibility of pulling off an attack," he said.

He said the threat of a cyber attack became more imminent as terrorists learned more about information and communication systems.

He said US authorities had warned "Al-Qaeda has far more interest in cyber-terrorism than first thought".

"These attacks could destroy infrastructure systems such as phone systems, power systems, water, gas or nuclear power plants," he said.

Mr Beggs said terrorist groups were already using the internet for a range of reasons, including planning, propaganda, hacking, communication, fundraising, recruiting and training.

From isn at c4i.org Mon Nov 28 03:38:12 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 28 04:32:59 2005
Subject: [ISN] Scientists, be on guard ...
 ET might be a malicious hacker
Message-ID:

http://education.guardian.co.uk/higher/research/story/0,9865,1650649,00.html

Ian Sample, science correspondent
November 25, 2005
The Guardian

As if spotty teenagers releasing computer viruses on to the internet from darkened rooms were not enough of a headache. According to a scientific report, planet Earth's computers are wide open to a virus attack from Little Green Men.

The concern is raised in the next issue of the journal Acta Astronautica by Richard Carrigan, a particle physicist at the US Fermi National Accelerator Laboratory in Illinois. He believes scientists searching the heavens for signals from extra-terrestrial civilisations are putting Earth's security at risk, by distributing the jumble of signals they receive to computers all over the world.

The search for extra-terrestrial intelligence (Seti) project, based at the University of California in Berkeley, uses land-based telescopes to scour the universe for electromagnetic waves. Just as stray radio and TV broadcasts are now zooming away from Earth at the speed of light, the Seti scientists hope to pick up stray signals, or even intentional interplanetary broadcasts, emitted from other civilisations.

All signals picked up by Seti are broken up and sent across the internet to a vast band of volunteers who have signed up for a Seti screensaver, which allows their computers to crunch away at the signals, when they are not at their desks.

So far, the only signals detected are bursts of radiation from stars and a murmur of background noise left over from the big bang. But, says Dr Carrigan, improved telescopes and faster computers mean scientists are ever more likely to detect a signal from extra-terrestrials. In his report, entitled Do potential Seti signals need to be decontaminated?, he suggests the Seti scientists may be too blasé about finding a signal.
"In science fiction, all the aliens are bad, but in the world of science, they are all good and simply want to get in touch."

His main concern is that, intentionally or otherwise, an extra-terrestrial signal picked up by the Seti team could cause widespread damage to computers if released on to the internet without being checked.

Computer scientists argue that to hack a computer, or write a virus that will infect it, requires a knowledge of how the computer and the software it is running work: a computer on Earth is going to be as alien to the aliens as they would be to us. But Dr Carrigan says there is still a risk.

Rather than dismiss his concerns, Dr Carrigan wants the Seti scientists to build safety features into their network to act as a quarantine so any potentially damaging signals can be trapped before they infect the internet.

From isn at c4i.org Mon Nov 28 03:37:53 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 28 04:33:19 2005
Subject: [ISN] Fear, petty details slow Iraq hi-tech comms drive
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2005/11/24/AR2005112400216.html

By Deepa Babington
Reuters
November 24, 2005

KHAN BANI SAAD, Iraq (Reuters) - Newly fitted with the latest communications equipment, a U.S.-Iraqi coordination office north of Baghdad was ready to connect with similar facilities all over the country at the touch of a button.

Instead, the U.S. contractor who installed the network returned a few days later to find that Iraqi officials had covered the brand new equipment in plastic and left it untouched, afraid of mishandling and ruining it.

"I kept trying to call them and I was baffled as to why I couldn't get through," said James, a contractor hired by the U.S. military to set up the coordination office, who declined to give his last name. "They were just afraid of breaking it."
As the United States tries to bring greater sophistication to Iraqi police and army communications -- an essential tool in battling the insurgency -- it is finding that the latest foreign technology from around the world gets bogged down by quirks in local custom and petty hierarchies in Iraq's bureaucracy.

Connecting joint U.S.-Iraqi coordination centers through a secure private network is part of a broader effort by the United States to get officials across Iraq to share intelligence and other essential information quickly and confidentially.

Since the U.S.-led invasion in March 2003, the centers have communicated through patchy radio or Voice over Internet phones and used the Yahoo! email service to exchange reports.

The centers needed a more reliable method of sharing information, but as the U.S. contractor found out, there is more to it than simply installing the latest technology and handing out instruction manuals.

"I guess for them this is going from barely crawling to running," he said, as a convoy of Humvees trundled through town to escort him to a center that needed help using the Internet.

In one instance, the contractor said he gave a list of 200 key contact numbers to an official at one center, expecting it to be posted around the facility so that everyone on the staff could have the numbers at their fingertips.

Instead, the official kept the list to himself -- apparently in an effort to hold on to the small amount of power it allowed him to wield over the rest of the staff.

HI-TECH HITCHES

Training local officials is another challenge. James trained some workers at one center, but they didn't share that knowledge with anyone else on the staff, he said.

In a makeshift training session at a barren center in the small town of Khan Bani Saad north of Baghdad on Wednesday, it was clear Iraqi officials there had a steep learning curve ahead of them.

Six of them huddled over a new computer with paper clipboards as the U.S.
contractor tried to explain through an interpreter how to use a new virtual private network. One Iraqi worker clicked furiously on the icon to launch the application, while others struggled to type out an email. The training began over from scratch.

"The subject of an email should give you an idea of the rest of the email," James, the contractor, explained, as the Iraqis nodded. "It should be short and descriptive."

Emails that look as if they contain sensitive information should be reported at once to the head of the center, he said. Innocuous-looking messages from Najaf or Mosul could be deleted.

Despite his staff's limited know-how, the head of the center, Colonel Mohsen Abbas, was happy about the new equipment and the computing wizardry it promised.

"Earlier they had old computers and another problem was some of the guys didn't know how to work those computers," said Abbas, who received a private tutorial afterwards. "This new computer is amazing for me."

© 2005 Reuters

From isn at c4i.org Mon Nov 28 03:37:34 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 28 04:33:57 2005
Subject: [ISN] Security awareness speakers put face on terrorism
Message-ID:

Forwarded from: William Knowles

http://www.al.com/redstone/index.ssf?/base/news/1132827506165260.xml&coll=1

By KARI HAWKINS
Staff writer
The Redstone Rocket
November 24, 2005

As a government employee, you've heard it all before - lock your computer screen, protect your computer password, shred unwanted government documents, be careful about what is discussed in unclassified phone calls and e-mails, and practice vigilance in all matters related to workplace security.

But when you put a personal face on security issues, a whole new dimension is added.

Two speakers who presented to thousands of government employees in Bob Jones Auditorium during Redstone Arsenal's Security Awareness Week added the "personal factor" to the security precautions employees are routinely reminded of in the workplace.
For Brian Miller, the community programs branch chief at the Defense Security Service Academy, Security Education and Awareness Directorate, Defense Security Service, that "personal factor" came through to his audiences in the faces of two Soldiers - his sons-in-law - and their families, who were shown on the auditorium's video screen. It also came through in a picture of the rows and rows of tombstones marking the gravesites of heroes buried at Arlington National Cemetery and in a picture of Walter Reed Hospital where veterans are cared for after being injured in the line of duty.

"Whatever you do all comes back to the Soldiers, Sailors, Airmen and Marines that we have deployed abroad," Miller said. "They are defending our way of life and we need to do whatever we can to protect them. When you do anything to jeopardize security it bothers me."

For Don Sadowy, that "personal factor" was evident in his experiences as a member of the New York Police Department Bomb Squad, as a World Trade Center survivor and as a foremost expert on Islamic Fundamentalist Terrorism. Sadowy currently works as a special deputy for the U.S. Marshal's Office in the Southern District of New York.

"9-11 was our Pearl Harbor to this generation," Sadowy said. "We must all be vigilant. Don't keep security concerns to yourself. Look around and evaluate, and be aware."

Miller spoke to audiences on matters pertaining to Security Awareness in the Workplace while Sadowy addressed Counterterrorism, both related to the theme "Awareness Today for a Secure Tomorrow - Are You Doing Your Part?" They spoke to employees of Integrated Materiel Management Center, Acquisition Center and primary organizational elements; Research Development and Engineering Center; Space and Missile Defense Command; Program Executive Office for Aviation, PEO for Missiles and Space, and Missile Defense Agency.

Both men shared the same message - U.S.
adversaries are getting smarter and more desperate in their attempts to undermine freedom around the world, and they will use any means - from looking through the garbage of government employees to reading thousands of unclassified government e-mails - to gain bits of information that can help them plan their next destructive act.

Miller, an Army retiree who has worked for the Defense Intelligence Agency, told his audiences that he wasn't concerned about their politics or whether they agree with the war in Iraq. What he is concerned about is their allegiance to their country.

"You come to work because you've got to have food on your table and a roof over your head," he said. "But you've also got to come to work because you believe in your country and what you do. It all comes back to the war fighter."

Basic computer security skills, such as locking computer screens when not in use, are important because espionage is everywhere.

"Is the reality that everyone who works for the federal government is a trusted employee?" Miller asked. "Think of all those who have committed espionage over the last 30 years. They didn't cut a hole in the fence and come in. They were you and me. They were insiders that had access to government systems."

Viruses that can destroy computer systems are often brought into the workplace by unaware employees who carry them on a personal disk, Miller said.

"If you want to bring something from home into the workplace, see your security manager," he warned. "A personal disk can do damage to a computer system and it can do it very, very quickly."

Miller also warned employees to not use personal information, such as birthdates and anniversaries, as passwords. Once a password is chosen, it should be properly secured as should all sensitive information.

"Dumpster diving is alive and well," Miller said. "You'd be surprised the amount of information you can get from someone's trash.
Unclassified information can be most damaging in the hands of adversaries who can put pieces of information together like a child puts together a puzzle."

He urged employees to shred information, to use burn bags when available, to properly protect classified information, to secure materials properly, to report unaccounted for or lost items, and to use proper communication devices.

"Our adversaries listen to what you talk about. They listen to unclassified calls," Miller said. "They get most of their information from employees who work in unclassified areas. You are their primary targets because you are more accessible ... Some of you working in unclassified environments have more information than you understand."

Federal employees who have financial problems, who use illicit drugs, who abuse alcohol, who are facing personal issues (marriage, divorce, adoption, etc.) or who travel abroad are all vulnerable to being recruited to participate in espionage. Federal employees working at Redstone Arsenal are, indeed, recruiting targets for the enemy.

"Bad people can get on the Arsenal and do bad things. Huntsville is a very, very significant site for foreign intelligence sources," Miller said. "What you do every day in support of the security office is absolutely necessary. Every employee should provide security assistance ... When you see things unusual you have an obligation to report them."

In everything federal employees do, they should be vigilant in their security awareness, said Sadowy, who, as one of the few Americans who have graduated from the Israeli Bomb Disposal School in Jerusalem, stressed that the prevention of terrorism acts, especially suicide bombings, requires the awareness of all citizens.

"I want to give you insight into what we're dealing with and what we may have to deal with here in the states," Sadowy said, mentioning the recent suicide bombings of hotels in Jordan. "I'm not here to make anyone a bomb technician.
I want to give you a view of the big picture of what is coming at us. This has been an evolving field since 1984-85. We develop countermeasures to deal with problems that are current, that are today. By next week, the bad guys are shifting gears, changing directions. Countermeasures don't underestimate the enemy, but they have to be able to change."

Terrorists often choose explosives to wreak havoc and death rather than chemical, radiological and biological weapons because of easy availability and because "they want to kill as many people as they can, not just one here and one there. They want to kill large groups of us," Sadowy said.

Explosives also bring the combat time to zero, with a terrorist showing up in a crowded area and then exploding a deadly bomb with no warning, making it difficult for friendly forces to deal with the threat. With no combat time and with terrorists finding ways to conceal explosives and blend into crowds, terrorists are usually an unanticipated threat no matter where they strike.

"They are going to wear their hair like us, their clothes like us," Sadowy said. "They want to blend in, they want to fit. They want to keep a low profile."

A recent U.S. trial of an Arabic terrorist emphasized for Sadowy the difficulty of recognizing the threat. The terrorist had lived in the U.S. for 20 years, becoming a U.S. citizen and working as a government employee for 16 years. He had an American wife and three children. Despite all that, the terrorist told authorities "when called upon by my Muslim brothers, I will step forward and leave everything else behind," Sadowy said. "A man like this may not carry out an attack, but they will do everything they can to support the one who will carry a bomb, hijack an airplane and kill us."

Terrorists use whatever means to execute their plan. They may carry an innocent-looking TV crate or a PC computer box into a public area, under which bombs are concealed.
They may hide explosives under two inches of bird droppings in a dirty birdcage.

"The profile of a suicide bomber is not clearly defined," Sadowy said. "But there are some suspicious signs. They may have on irregular dress for the time of year or there may be protrusions under their clothes. There are things to look for in their human nature."

Things like always checking or patting their body, irregular or heavy luggage or baggage, hands hidden in pockets or luggage, irregular glances, hidden communications with others, a pale face from a recent shave, not cooperating or reacting to calls from law enforcement, movement without purpose or walking in a determined manner to a target, speaking with an Arab accent and just a "gut feeling that something is unusual" are all telltale signs of a possible terrorist, he said.

"If you see something and you have a gut feeling, tell somebody," Sadowy urged. "This country is at war and it's a different kind of war that we need to be prepared to fight. I think we are still a big target, whether in New York or at a military base that supports our troops. We have to be vigilant and take security seriously."

© 2005 The Redstone Rocket.

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred M.
Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Mon Nov 28 03:36:33 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 28 04:34:19 2005
Subject: [ISN] Linux Advisory Watch - November 25th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                             Weekly Newsletter    |
|  November 25th, 2005                           Volume 6, Number 48a |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave@linuxsecurity.com          ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for phpgroupware, egroupware, fetchmail, gnump3d, common-lisp-controller, xmail, unzip, netpbm, mantis, fetchmail-ssl, sylpheed, ipmenu, horde3, zope, Smb4k, mtab, phpSysInfo, eix, php, drakxtools, binutils, and fuse. The distributors include Debian, Gentoo, Mandriva.

----

Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/linsec

----

Administration Notes

Knowing that your servers are up-to-date is a good way to help ensure that you will have uninterrupted holidays. What else can assure you that operations will run smoothly during time off? There are many pieces to the equation that are important.
One of the most significant aspects is using servers that are properly configured and hardened. In addition, proper server administration procedures must be followed. While many intrusions are a result of vulnerable packages, a large number of them can also be attributed to improper software configuration and administration. This burden falls on the administrator.

What can be done to reduce the risk of improper software configuration? The easiest way is to look for a preconfigured or specialized security distribution. Because I am a long time contributor to EnGarde Secure Linux, I am biased in this recommendation. However, I personally feel that using a distribution such as EnGarde will dramatically improve your organization's security stance with very little time, effort, and money invested. You'll find that with EnGarde, administration becomes easy. I have used it for years and now I find myself becoming lazy when it comes to using other systems. I find myself not wanting to do anything manually. Administration has become easy and now it is possible to concentrate on more intellectually stimulating projects. A specialized distribution is ideal for administrators with multiple systems to maintain in a critical environment. More information can be found out about EnGarde at: www.engardelinux.org

If you've only installed Linux and Apache to host a personal Web site, or you are just looking to learn the inner workings of security and administration, I recommend finding a good Linux security book. An interesting book that I recently had the pleasure of reading is titled Linux Security Toolkit, by David Bandel. It covers host security, network security, firewalls & specialized security software, and Linux security auditing. It is easy to read and suitable for administrators wishing to concentrate on security. Like most books published today, it is not suitable for the seasoned administrator. Although the book is well written, it is not full of cutting edge knowledge.
If you're looking to learn more about security, I recommend taking a look. It is available used through Amazon.com at a very reasonable price. ---------------------- Linux File & Directory Permissions Mistakes One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com. http://www.linuxsecurity.com/content/view/119415/49/ --- Buffer Overflow Basics A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. http://www.linuxsecurity.com/content/view/119087/49/ --- Review: The Book of Postfix: State-of-the-Art Message Transport I was very impressed with "The Book of Postfix" by authors Ralf Hildebrandt and Pattrick Koetter and feel that it is an incredible Postfix reference. It gives a great overall view of the operation and management of Postfix in an extremely systematic and practical format. It flows in a logical manner, is easy to follow and the authors did a great job of explaining topics with attention paid to real world applications and how to avoid many of the associated pitfalls. I am happy to have this reference in my collection. http://www.linuxsecurity.com/content/view/119027/49/ -------- --> Take advantage of the LinuxSecurity.com Quick Reference Card! 
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New phpgroupware packages fix several vulnerabilities
  17th, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120833

* Debian: New egroupware packages fix several vulnerabilities
  17th, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120842

* Debian: New fetchmail packages fix potential information leak
  18th, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120845

* Debian: New gnump3d packages fix several vulnerabilities
  19th, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120855

* Debian: New common-lisp-controller packages fix arbitrary code injection
  21st, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120859

* Debian: New xmail packages fix arbitrary code execution
  21st, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120860

* Debian: New fetchmail packages fix potential information leak
  21st, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120861

* Debian: New unzip packages fix unauthorised permissions modification
  21st, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120862

* Debian: New netpbm packages fix arbitrary code execution
  21st, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120865

* Debian: New mantis packages fix several vulnerabilities
  22nd, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120866

* Debian: New fetchmail-ssl packages fix potential information leak
  22nd, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120870

* Debian: New sylpheed packages fix arbitrary code execution
  22nd, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120873

* Debian: New ipmenu packages fix insecure temporary file creation
  23rd, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120877

* Debian: New sylpheed-claws packages fix arbitrary code execution
  23rd, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120878

* Debian: New horde3 packages fix cross-site scripting
  23rd, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120879

* Debian: New zope2.7 packages fix arbitrary file inclusion
  24th, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120884

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: Smb4k Local unauthorized file access
  18th, November, 2005
A vulnerability has been identified that allows unauthorized access to the contents of /etc/sudoers and /etc/super.tab files.
http://www.linuxsecurity.com/content/view/120849

* Gentoo: GNUMP3d Directory traversal and insecure temporary
  21st, November, 2005
Two vulnerabilities have been identified in GNUMP3d allowing for limited directory traversal and insecure temporary file creation.
http://www.linuxsecurity.com/content/view/120864

* Gentoo: FUSE mtab corruption through fusermount
  22nd, November, 2005
The fusermount utility from FUSE can be abused to corrupt the /etc/mtab file contents, potentially allowing a local attacker to set unauthorized mount options.
http://www.linuxsecurity.com/content/view/120872

* Gentoo: phpSysInfo Multiple vulnerabilities
  22nd, November, 2005
phpSysInfo is vulnerable to multiple issues, including a local file inclusion leading to information disclosure and the potential execution of arbitrary code.
http://www.linuxsecurity.com/content/view/120874

* Gentoo: eix Insecure temporary file creation
  22nd, November, 2005
eix has an insecure temporary file creation vulnerability, potentially allowing a local user to overwrite arbitrary files.
http://www.linuxsecurity.com/content/view/120875

* Gentoo: Horde Application Framework XSS vulnerability
  22nd, November, 2005
The Horde Application Framework is vulnerable to a cross-site scripting vulnerability which could lead to the compromise of the victim's browser content.
http://www.linuxsecurity.com/content/view/120876

+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated php packages fix multiple vulnerabilities
  17th, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120832

* Mandriva: Updated file package fixes segfault
  18th, November, 2005
A bug in the file program would cause it to segfault on the x86_64 architecture on certain files. This update corrects the problem.
http://www.linuxsecurity.com/content/view/120852

* Mandriva: Updated drakxtools packages fix various bugs
  18th, November, 2005
A number of bugs have been fixed in this new drakxtools package.
http://www.linuxsecurity.com/content/view/120853

* Mandriva: Updated gdk-pixbuf/gtk+2.0 packages fix vulnerability
  18th, November, 2005
A heap overflow vulnerability in the GTK+ gdk-pixbuf XPM image rendering library could allow for arbitrary code execution.
http://www.linuxsecurity.com/content/view/120854

* Mandriva: Updated binutils packages fix vulnerabilities
  23rd, November, 2005
Integer overflows in various applications in the binutils package may allow attackers to execute arbitrary code via a carefully crafted object file. The updated packages have been patched to help address these problems.
http://www.linuxsecurity.com/content/view/120883

* Mandriva: Updated fuse packages fix vulnerability
  24th, November, 2005
Thomas Biege found that fusermount failed to securely handle special characters specified in mount points, which could allow a local attacker to corrupt the contents of /etc/mtab by mounting over a maliciously-named directory using fusermount.
http://www.linuxsecurity.com/content/view/120891

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Nov 28 03:36:52 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 28 04:34:30 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-47
Message-ID:

========================================================================

                  The Secunia Weekly Advisory Summary
                        2005-11-17 - 2005-11-24

                       This week : 73 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g.
by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued. As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet. Secunia Online Vulnerability Database: http://secunia.com/ ======================================================================== 2) This Week in Brief: Secunia has issued a rare Extremely Critical alert regarding a vulnerability in Internet Explorer. The vulnerability, which was first disclosed 6 months ago was only believed to be a Denial of Service weakness, however, additional research has shown that this vulnerability can be exploited to execute arbitrary code on a vulnerable system. Based on this and the fact that Proof of Concept exploit code has been released, Secunia issued an Extremely Critical alert. More details can be found in the referenced Secunia advisory below. Reference: http://secunia.com/SA15546 -- Secunia Research has discovered a vulnerability in Opera, which can be exploited by malicious people to compromise a user's system. This vulnerability can only be exploited on Unix / Linux based environments. Reference: http://secunia.com/SA16907 VIRUS ALERTS: During the last week, Secunia issued 1 MEDIUM RISK and 1 HIGH RISK virus alert. Please refer to the grouped virus profiles below for more information: Sober.X - HIGH RISK Virus Alert - 2005-11-23 11:46 GMT+1 http://secunia.com/virus_information/23836/sober.x/ Sober.X - MEDIUM RISK Virus Alert - 2005-11-22 16:24 GMT+1 http://secunia.com/virus_information/23836/sober.x/ ======================================================================== 3) This Weeks Top Ten Most Read Advisories: 1. [SA15546] Microsoft Internet Explorer "window()" Arbitrary Code Execution Vulnerability 2. [SA16907] Opera Command Line URL Shell Command Injection 3. 
[SA17437] Opera Macromedia Flash Player SWF Arbitrary Code Execution 4. [SA17610] Sony CD First4Internet XCP Uninstallation ActiveX Control Vulnerability 5. [SA17430] Macromedia Flash Player SWF File Handling Arbitrary Code Execution 6. [SA17565] Internet Explorer Image Control Status Bar Spoofing Weakness 7. [SA17622] Mambo "register_globals" Emulation Layer Overwrite Vulnerability 8. [SA17571] Opera Image Control Status Bar Spoofing Weakness 9. [SA17639] Sony CD SunnComm MediaMax Uninstallation ActiveX Control Vulnerability 10. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability ======================================================================== 4) Vulnerabilities Summary Listing Windows: [SA17639] Sony CD SunnComm MediaMax Uninstallation ActiveX Control Vulnerability [SA17667] NetObjects Fusion Potential Information Disclosure Vulnerability [SA17652] e-Quick Cart SQL Injection Vulnerabilities [SA17650] Cerberus FTP Server Denial of Service Vulnerability [SA17640] Eudora WorldMail IMAP Server Directory Traversal Vulnerability [SA17635] Hitachi Groupmax Mail Denial of Service Vulnerability [SA17634] Hitachi Products Cross-Site Scripting and Denial of Service [SA17633] MailEnable Buffer Overflow and Directory Traversal Vulnerabilities [SA17696] Ezyhelpdesk Multiple SQL Injection Vulnerabilities UNIX/Linux: [SA17645] SCO OpenServer update for Multiple Packages [SA17666] Trustix update for multiple packages [SA17657] Mandriva update for gdk-pixbuf [SA17654] Debian update for mantis [SA17710] Avaya Products GdkPixbuf XPM Image Multiple Vulnerabilities [SA17703] Horde MIME Viewers Script Insertion Vulnerabilities [SA17698] Gentoo update for phpsysinfo [SA17686] PHP Labs Survey Wizard "sid" SQL Injection Vulnerability [SA17680] Fedora update for openswan [SA17679] Ubuntu update for netpbm [SA17678] Debian update for sylpheed [SA17671] Debian update for netpbm-free [SA17668] IPsec-Tools ISAKMP IKE Message Processing Denial of Service [SA17662] Ubuntu 
update for inkscape [SA17656] Debian update for gnump3d [SA17647] GNUMP3d Insecure Temporary File Creation and Directory Traversal [SA17646] Gentoo update for gnump3d [SA17643] Debian update for egroupware [SA17632] Astaro WebAdmin SSL 2.0 Rollback and PPTP Denial of Service [SA17704] VHCS Error Page Cross-Site Scripting and Domain Forward Hijack [SA17702] Gentoo update for horde [SA17648] Ubuntu update for kernel [SA17699] Gentoo eix Insecure Temporary File Creation [SA17695] Gentoo update for fuse [SA17691] FUSE "fusermount" Mountpoint Handling Vulnerability [SA17682] Debian update for ipmenu [SA17661] Fedora update for perl [SA17637] Debian update for xmail [SA17636] Gentoo update for smb4k [SA17631] Debian update for fetchmail [SA17630] WHM AutoPilot "c" Cancel Hosting Security Bypass Vulnerability [SA17653] Debian update for unzip Other: [SA17644] Google Mini Search Appliance Multiple Vulnerabilities [SA17629] UTStarcom F1000 Wi-Fi Handset Multiple Vulnerabilities [SA17628] Hitachi WirelessIP5000 IP Phone Multiple Vulnerabilities [SA17670] Cisco PIX Spoofed TCP SYN Packets Denial of Service Cross Platform: [SA17674] FreeMED XML_RPC PHP Code Execution Vulnerability [SA17706] PHP-Post Cross-Site Scripting and Script Insertion Vulnerabilities [SA17697] Omnistar Live SQL Injection Vulnerabilities [SA17694] WSN Forum "id" SQL Injection Vulnerability [SA17692] Tunez SQL Injection and Cross-Site Scripting Vulnerabilities [SA17690] AFFCommerce Shopping Cart Multiple SQL Injection Vulnerabilities [SA17687] PHP Labs Top Auction SQL Injection Vulnerabilities [SA17685] OTRS SQL Injection and Cross-Site Scripting Vulnerabilities [SA17684] Symantec Firewall/VPN/Gateway ISAKMP Message Processing Denial of Service [SA17683] 1-2-3 Music Store "AlbumID" SQL Injection Vulnerability [SA17675] Joomla! 
SQL Injection and Cross-Site Scripting Vulnerabilities [SA17665] CommodityRentals "user_id" SQL Injection Vulnerability [SA17664] PHP-Fusion SQL Injection Vulnerabilities [SA17660] phpComasy "id" SQL Injection Vulnerability [SA17659] Jetty JSP Source Code Disclosure Vulnerability [SA17658] IBM WebSphere Application Server for z/OS Double-Free Vulnerability [SA17651] Inkspace SVG Importer Buffer Overflow Vulnerability [SA17649] phpMyFAQ "add content" Script Insertion Vulnerabilities [SA17642] XMB "Your Current Mood" Script Insertion Vulnerability [SA17641] Novell NetMail IMAP Buffer Overflow Vulnerability [SA17638] Nuke ET "query" SQL Injection Vulnerability [SA17707] PmWiki "q" Cross-Site Scripting Vulnerability [SA17689] kPlaylist "searchfor" Cross-Site Scripting Vulnerability [SA17681] IPUpdate "memmcat" Buffer Overflow Vulnerability [SA17677] Struts Error Message Cross-Site Scripting Vulnerability [SA17669] Advanced Poll "popup.php" Cross-Site Scripting Vulnerability [SA17655] Exponent CMS image gallery Module Script Insertion and Full Path Disclosure [SA17700] Novell ZENworks Remote-Diagnostics Access Control Weakness ======================================================================== 5) Vulnerabilities Content Listing Windows:-- [SA17639] Sony CD SunnComm MediaMax Uninstallation ActiveX Control Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2005-11-18 J. Alex Halderman has reported a vulnerability in SunnComm MediaMax's uninstallation ActiveX control, which potentially can be exploited by malicious people to compromise a user's system. 
Full Advisory: http://secunia.com/advisories/17639/ -- [SA17667] NetObjects Fusion Potential Information Disclosure Vulnerability Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2005-11-23 A vulnerability has been reported in NetObjects Fusion, which can be exploited by malicious people to disclose potentially sensitive information. Full Advisory: http://secunia.com/advisories/17667/ -- [SA17652] e-Quick Cart SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-11-21 BiPi_HaCk has reported some vulnerabilities in e-Quick Cart, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/17652/ -- [SA17650] Cerberus FTP Server Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-11-23 A vulnerability has been reported in Cerberus FTP Server, which potentially can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/17650/ -- [SA17640] Eudora WorldMail IMAP Server Directory Traversal Vulnerability Critical: Moderately critical Where: From remote Impact: Security Bypass, Exposure of sensitive information Released: 2005-11-18 A vulnerability has been reported in Eudora WorldMail IMAP Server, which can be exploited by malicious users to bypass certain security restrictions and to gain access to potentially sensitive information. Full Advisory: http://secunia.com/advisories/17640/ -- [SA17635] Hitachi Groupmax Mail Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-11-18 A vulnerability has been reported in Hitachi Groupmax Mail, which can be exploited by malicious people to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/17635/ -- [SA17634] Hitachi Products Cross-Site Scripting and Denial of Service Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, DoS Released: 2005-11-18 Some vulnerabilities have been reported in various Hitachi products, which can be exploited by malicious people to conduct cross-site scripting attacks and cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/17634/ -- [SA17633] MailEnable Buffer Overflow and Directory Traversal Vulnerabilities Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2005-11-18 Secunia Research has discovered some vulnerabilities in Mail Enable Professional/Enterprise, which can be exploited by malicious users to cause a DoS (Denial of Service) and to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/17633/ -- [SA17696] Ezyhelpdesk Multiple SQL Injection Vulnerabilities Critical: Less critical Where: From remote Impact: Manipulation of data Released: 2005-11-23 r0t has reported some vulnerabilities in Ezyhelpdesk, which can be exploited by malicious users to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/17696/ UNIX/Linux:-- [SA17645] SCO OpenServer update for Multiple Packages Critical: Extremely critical Where: From remote Impact: Security Bypass, Cross Site Scripting, Spoofing, Manipulation of data, Exposure of system information, Exposure of sensitive information, DoS, System access Released: 2005-11-18 SCO has issued a maintenance pack for OpenServer. 
This fixes various vulnerabilities in Mozilla, zip, libpng, zlib, libtiff, bzip2, openssh, php, perl, gzip, CUPS, wu-ftpd, cdrecord and squid, which can be exploited by malicious people to cause a DoS (Denial of Service), spoof the content of websites, gain knowledge of potentially sensitive information, conduct cross-site scripting attacks, bypass certain security restrictions, manipulate certain data, or compromise a user's system, and by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/17645/ -- [SA17666] Trustix update for multiple packages Critical: Highly critical Where: From remote Impact: Security Bypass, Cross Site Scripting, Privilege escalation, DoS, System access Released: 2005-11-22 Trustix has issued updates for multiple packages. These fix some vulnerabilities, where the most critical ones can be exploited by malicious people to bypass certain security restrictions, cause a DoS (Denial of Service), and compromise a user's system or vulnerable system. Full Advisory: http://secunia.com/advisories/17666/ -- [SA17657] Mandriva update for gdk-pixbuf Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2005-11-21 Mandriva has issued an update for gdk-pixbuf. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service), and potentially to compromise a user's system or vulnerable system. Full Advisory: http://secunia.com/advisories/17657/ -- [SA17654] Debian update for mantis Critical: Highly critical Where: From remote Impact: Cross Site Scripting, Manipulation of data, Exposure of sensitive information, System access Released: 2005-11-22 Debian has issued an update for mantis. This fixes some vulnerabilities, which can be exploited by malicious people to disclose sensitive information, conduct cross-site scripting and SQL injection attacks, and compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/17654/ -- [SA17710] Avaya Products GdkPixbuf XPM Image Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2005-11-23 Avaya has acknowledged some vulnerabilities in various products, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system. Full Advisory: http://secunia.com/advisories/17710/ -- [SA17703] Horde MIME Viewers Script Insertion Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2005-11-23 Daniel Schreckling has reported some vulnerabilities in Horde, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/17703/ -- [SA17698] Gentoo update for phpsysinfo Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data, Exposure of sensitive information Released: 2005-11-23 Gentoo has issued an update for phpsysinfo. This fixes a vulnerability, which can be exploited by malicious people to manipulate certain information. Full Advisory: http://secunia.com/advisories/17698/ -- [SA17686] PHP Labs Survey Wizard "sid" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-11-23 r0t has reported a vulnerability in PHP Labs Survey Wizard, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/17686/ -- [SA17680] Fedora update for openswan Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-11-22 Fedora has issued an update for openswan. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/17680/ -- [SA17679] Ubuntu update for netpbm Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2005-11-22 Ubuntu has issued an update for netpbm. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/17679/ -- [SA17678] Debian update for sylpheed Critical: Moderately critical Where: From remote Impact: System access Released: 2005-11-23 Debian has issued an update for sylpheed. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/17678/ -- [SA17671] Debian update for netpbm-free Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2005-11-22 Debian has issued an update for netpbm-free. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/17671/ -- [SA17668] IPsec-Tools ISAKMP IKE Message Processing Denial of Service Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-11-22 A vulnerability has been reported in IPsec-Tools, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/17668/ -- [SA17662] Ubuntu update for inkscape Critical: Moderately critical Where: From remote Impact: System access, DoS Released: 2005-11-21 Ubuntu has issued an update for inkscape. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. 
Full Advisory: http://secunia.com/advisories/17662/ -- [SA17656] Debian update for gnump3d Critical: Moderately critical Where: From remote Impact: Unknown, Privilege escalation Released: 2005-11-21 Debian has issued an update for gnump3d. This fixes two vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges, and by malicious people with an unknown impact. Full Advisory: http://secunia.com/advisories/17656/ -- [SA17647] GNUMP3d Insecure Temporary File Creation and Directory Traversal Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information, Privilege escalation Released: 2005-11-18 Ludwig Nussel has reported two vulnerabilities in GNUMP3d, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges, and by malicious people to disclose potentially sensitive information. Full Advisory: http://secunia.com/advisories/17647/ -- [SA17646] Gentoo update for gnump3d Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information, Privilege escalation Released: 2005-11-21 Gentoo has issued an update for gnump3d. This fixes two vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges, and by malicious people to disclose potentially sensitive information. Full Advisory: http://secunia.com/advisories/17646/ -- [SA17643] Debian update for egroupware Critical: Moderately critical Where: From remote Impact: Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of system information, Exposure of sensitive information Released: 2005-11-18 Debian has issued an update for egroupware. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks, manipulate certain information, and bypass certain security restrictions. 
Full Advisory: http://secunia.com/advisories/17643/ -- [SA17632] Astaro WebAdmin SSL 2.0 Rollback and PPTP Denial of Service Critical: Moderately critical Where: From remote Impact: Security Bypass, DoS Released: 2005-11-18 Astaro has issued an update for Astaro Security Linux. This fixes a vulnerability, which potentially can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/17632/ -- [SA17704] VHCS Error Page Cross-Site Scripting and Domain Forward Hijack Critical: Less critical Where: From remote Impact: Hijacking, Cross Site Scripting Released: 2005-11-23 A vulnerability and a security issue have been reported in VHCS, which can be exploited by malicious users to hijack other users' domain forwards and by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/17704/ -- [SA17702] Gentoo update for horde Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-11-23 Gentoo has issued an update for horde. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/17702/ -- [SA17648] Ubuntu update for kernel Critical: Less critical Where: From local network Impact: Security Bypass, Exposure of sensitive information, DoS Released: 2005-11-22 Ubuntu has issued an update for the kernel. This fixes some vulnerabilities, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service) and to disclose certain sensitive information, or by malicious people to disclose certain sensitive information, bypass certain security restrictions, and to cause a DoS. 
Full Advisory: http://secunia.com/advisories/17648/ -- [SA17699] Gentoo eix Insecure Temporary File Creation Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-11-23 Eric Romang has reported a vulnerability in eix, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. Full Advisory: http://secunia.com/advisories/17699/ -- [SA17695] Gentoo update for fuse Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-11-23 Gentoo has issued an update for fuse. This fixes a vulnerability, which potentially can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. Full Advisory: http://secunia.com/advisories/17695/ -- [SA17691] FUSE "fusermount" Mountpoint Handling Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-11-23 Thomas Biege has reported a vulnerability in FUSE, which potentially can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. Full Advisory: http://secunia.com/advisories/17691/ -- [SA17682] Debian update for ipmenu Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-11-23 Debian has issued an update for ipmenu. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. Full Advisory: http://secunia.com/advisories/17682/ -- [SA17661] Fedora update for perl Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-11-21 Fedora has issued an update for perl. This fixes some vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. 
Full Advisory: http://secunia.com/advisories/17661/ -- [SA17637] Debian update for xmail Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-11-21 Debian has issued an update for xmail. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/17637/ -- [SA17636] Gentoo update for smb4k Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-11-21 Gentoo has issued an update for smb4k. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. Full Advisory: http://secunia.com/advisories/17636/ -- [SA17631] Debian update for fetchmail Critical: Less critical Where: Local system Impact: Exposure of sensitive information Released: 2005-11-18 Debian has issued an update for fetchmail. This fixes a vulnerability, which can be exploited by malicious, local users to gain knowledge of certain sensitive information. Full Advisory: http://secunia.com/advisories/17631/ -- [SA17630] WHM AutoPilot "c" Cancel Hosting Security Bypass Vulnerability Critical: Not critical Where: From remote Impact: Security Bypass Released: 2005-11-18 Agna Zilchi has discovered a vulnerability in WHM AutoPilot, which can be exploited by malicious users to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/17630/ -- [SA17653] Debian update for unzip Critical: Not critical Where: Local system Impact: Privilege escalation Released: 2005-11-21 Debian has issued an update for unzip. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. 
Full Advisory: http://secunia.com/advisories/17653/

Other:

--

[SA17644] Google Mini Search Appliance Multiple Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2005-11-21

H D Moore has reported some vulnerabilities in Google Mini Search Appliance, which can be exploited by malicious people to conduct cross-site scripting attacks and potentially to compromise a vulnerable appliance.

Full Advisory: http://secunia.com/advisories/17644/

--

[SA17629] UTStarcom F1000 Wi-Fi Handset Multiple Vulnerabilities

Critical: Less critical
Where: From local network
Impact: Manipulation of data, Exposure of system information, DoS
Released: 2005-11-17

Shawn Merdinger has reported some vulnerabilities in UTStarcom F1000 Wi-Fi Handset, which can be exploited by malicious people to gain access to potentially sensitive information, to modify certain information, and to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17629/

--

[SA17628] Hitachi WirelessIP5000 IP Phone Multiple Vulnerabilities

Critical: Less critical
Where: From local network
Impact: Manipulation of data, Exposure of system information, Exposure of sensitive information, DoS
Released: 2005-11-17

Shawn Merdinger has reported some vulnerabilities in Hitachi WirelessIP5000, which can be exploited by malicious people to gain access to potentially sensitive information, to modify certain information, and to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17628/

--

[SA17670] Cisco PIX Spoofed TCP SYN Packets Denial of Service

Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-11-23

Konstantin V. Gavrilenko has reported a vulnerability in Cisco PIX, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/17670/

Cross Platform:

--

[SA17674] FreeMED XML_RPC PHP Code Execution Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-11-23

A vulnerability has been reported in FreeMED, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/17674/

--

[SA17706] PHP-Post Cross-Site Scripting and Script Insertion Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-11-23

trueend5 has discovered some vulnerabilities in PHP-Post, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks.

Full Advisory: http://secunia.com/advisories/17706/

--

[SA17697] Omnistar Live SQL Injection Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-23

r0t has reported some vulnerabilities in Omnistar Live, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17697/

--

[SA17694] WSN Forum "id" SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-23

r0t has discovered a vulnerability in WSN Forum, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17694/

--

[SA17692] Tunez SQL Injection and Cross-Site Scripting Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-11-23

r0t has discovered two vulnerabilities in Tunez, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/17692/

--

[SA17690] AFFCommerce Shopping Cart Multiple SQL Injection Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-23

r0t has reported some vulnerabilities in AFFCommerce Shopping Cart, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17690/

--

[SA17687] PHP Labs Top Auction SQL Injection Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-23

r0t has reported some vulnerabilities in PHP Labs Top Auction, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17687/

--

[SA17685] OTRS SQL Injection and Cross-Site Scripting Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-11-23

Some vulnerabilities have been reported in OTRS (Open Ticket Request System), which can be exploited by malicious people to conduct SQL injection, script insertion, and cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/17685/

--

[SA17684] Symantec Firewall/VPN/Gateway ISAKMP Message Processing Denial of Service

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-11-22

Symantec has acknowledged a vulnerability in various Symantec products, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17684/

--

[SA17683] 1-2-3 Music Store "AlbumID" SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-23

r0t has reported a vulnerability in 1-2-3 Music Store, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17683/

--

[SA17675] Joomla! SQL Injection and Cross-Site Scripting Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-11-22

Some vulnerabilities have been reported in Joomla!, which can be exploited by malicious people to conduct SQL injection or cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/17675/

--

[SA17665] CommodityRentals "user_id" SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-23

r0t has reported a vulnerability in CommodityRentals, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17665/

--

[SA17664] PHP-Fusion SQL Injection Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of system information
Released: 2005-11-21

Robin Verton has reported some vulnerabilities in PHP-Fusion, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17664/

--

[SA17660] phpComasy "id" SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-21

r0t has discovered a vulnerability in phpComasy, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17660/

--

[SA17659] Jetty JSP Source Code Disclosure Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-11-21

A vulnerability has been reported in Jetty, which can be exploited by malicious people to disclose certain sensitive information.
Full Advisory: http://secunia.com/advisories/17659/

--

[SA17658] IBM WebSphere Application Server for z/OS Double-Free Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2005-11-22

A vulnerability has been reported in WebSphere Application Server for z/OS, which has an unknown impact.

Full Advisory: http://secunia.com/advisories/17658/

--

[SA17651] Inkspace SVG Importer Buffer Overflow Vulnerability

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-11-21

Joxean Koret has reported a vulnerability in Inkspace, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17651/

--

[SA17649] phpMyFAQ "add content" Script Insertion Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-11-21

Tobias Klein has reported some vulnerabilities in phpMyFAQ, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/17649/

--

[SA17642] XMB "Your Current Mood" Script Insertion Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information
Released: 2005-11-18

trueend5 has discovered a vulnerability in XMB, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/17642/

--

[SA17641] Novell NetMail IMAP Buffer Overflow Vulnerability

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-11-18

A vulnerability has been reported in Novell NetMail, which can be exploited by malicious users to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/17641/

--

[SA17638] Nuke ET "query" SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-21

Lostmon has reported a vulnerability in Nuke ET, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17638/

--

[SA17707] PmWiki "q" Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-11-23

Moritz Naumann has reported a vulnerability in PmWiki, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/17707/

--

[SA17689] kPlaylist "searchfor" Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-11-23

r0t has discovered a vulnerability in kPlaylist, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/17689/

--

[SA17681] IPUpdate "memmcat" Buffer Overflow Vulnerability

Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-11-22

A vulnerability has been reported in IPUpdate, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17681/

--

[SA17677] Struts Error Message Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-11-22

Irene Abezgauz has discovered a vulnerability in Struts, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/17677/

--

[SA17669] Advanced Poll "popup.php" Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-11-22

][GB][ has discovered a vulnerability in Advanced Poll, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/17669/

--

[SA17655] Exponent CMS image gallery Module Script Insertion and Full Path Disclosure

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information
Released: 2005-11-22

Hans Wolters has reported a weakness and a vulnerability in the image gallery module for Exponent CMS, which can be exploited by malicious users to disclose system information and conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/17655/

--

[SA17700] Novell ZENworks Remote-Diagnostics Access Control Weakness

Critical: Not critical
Where: From local network
Impact: Security Bypass
Released: 2005-11-23

A weakness has been reported in Novell ZENworks, which potentially can be exploited by malicious users to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/17700/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Mon Nov 28 03:38:36 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Nov 28 04:34:36 2005
Subject: [ISN] Security Breach At Investment Company Compromises Personal Information Of Customers
Message-ID:

http://www.wfmy.com/news/topstory_article.aspx?storyid=52617

Timothy Gehret
Reporter
WFMY News 2
11/25/2005

Greensboro, NC -- Millions of names, addresses, social security numbers, and bank account numbers could be in dangerous hands. Officials with Scottrade, an investment company with an office in Greensboro, say a security breach compromised the information of some of its account holders.

A letter to customers says a hacker broke into the E-secure system, which transfers money from customers' bank accounts to their investment accounts. The letter says the breach happened October 25th. One local Scottrade customer, who wishes to remain anonymous, says he got the letter on November 25th.

"Who knows when the information will drop off from whoever hacked into the system," the man says. "Who knows if information is up on a chat room right now being sold to the highest bidder."

Scottrade officials say despite access to the information, they aren't certain the hacker actually took the information.

The breach does not affect all of Scottrade's customers. This only affects those who use the E-secure system to transfer money from their bank account to their investment account.
From isn at c4i.org Tue Nov 29 01:46:09 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 29 01:52:48 2005
Subject: [ISN] Expert: Cyber-crime Yields More Cash than Drugs
Message-ID:

http://www.pcmag.com/article2/0,1895,1893610,00.asp

By Souhail Karam
Reuters
11.28.05

RIYADH - Global cyber-crime generated a higher turnover than drug trafficking in 2004 and is set to grow even further with the wider use of technology in developing countries, a top expert said on Monday.

No country is immune from cyber-crime, which includes corporate espionage, child pornography, stock manipulation, extortion and piracy, said Valerie McNiven, who advises the U.S. Treasury on cyber-crime.

"Last year was the first year that proceeds from cyber-crime were greater than proceeds from the sale of illegal drugs, and that was, I believe, over $105 billion," McNiven told Reuters. "Cyber-crime is moving at such a high speed that law enforcement cannot catch up with it."

For example, Web sites used by fraudsters for "phishing", the practice of tricking computer users into revealing their bank details and other personal data, only stayed on the Internet for a maximum of 48 hours, she said.

Asked if there was evidence of links between the funding of terrorism and cyber-crime, McNiven said: "There is evidence of links between them. But what's more important is our refusal or failure to create secure systems, we can do it but it's an issue of costs."

McNiven, a former e-finance and e-security specialist for the World Bank, was speaking in Riyadh on the sidelines of a conference on information security in the banking sector.

Developing countries, which lack the virtual financial systems available elsewhere, are easier prey for cyber-crime perpetrators, who are often idle youths looking for quick gain.

"When you have identity thefts or corruption and manipulation of information there (developing countries), it becomes almost more important because ... their systems start getting compromised from the get-go," she said.

"Another area that begins to expand is human trafficking and pornography because both of these become so much available once you have a communication ability," McNiven said.

Copyright Reuters 2005

From isn at c4i.org Tue Nov 29 01:46:20 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 29 01:54:38 2005
Subject: [ISN] Uninformed staff pose security threat: Expert
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,106565,00.html

By Brian Eaton
NOVEMBER 28, 2005
ITWORLDCANADA

TORONTO -- All it takes is one employee to unknowingly compromise a network's hard outer shell. And when that happens, all other security measures could simply melt away, said Clemens Martin, founder of the Hacker Research Lab at the University of Ontario Institute of Technology (UOIT).

"The reality is many businesses are operating under a false sense of security," said Martin, who is also director of IT Programs at UOIT. "All too often, we see corporate networks that become compromised by an 'igloo effect' of sorts."

The good news is that many corporate executives are becoming increasingly aware of this risk. Most business leaders polled as part of a recent Fusepoint/Sun Microsystems/Leger Marketing survey stated that the greatest threat to their data security was not likely to come from a malicious external attack, but rather from the hands of an uninformed employee.

Martin also believes the private and public sectors have similar security concerns. He said that in both sectors the infrastructure used is similar, and malicious attackers are keen to infiltrate both.

There is a common interest among the "bad guy community" to get inside networks in both sectors, and attacks designed to fool uninformed or undereducated employees and public servants are becoming more sophisticated, Martin said.
Depending on an individual's e-mail settings, and security products in use, an e-mail may just have to be clicked on -- without any attachments whatsoever being opened -- for the attacker to get in, he said.

"If you look at HTML-formatted e-mails, just like a Web page, there can be embedded code that can download," Martin said. "There is a risk, but there is also protection."

Martin pointed to products from Cupertino, Calif.-based Symantec, but also noted that security software and conventional insurance are two different things.

"You can buy an insurance policy for almost anything," Martin said. "But you can't buy insurance to hedge against IT security risks because the problems are not understood as well as earthquakes or fires or car theft. Those [problems] have been well studied over years and years."

Most IT security problems are studied in computer science departments, he said.

From isn at c4i.org Tue Nov 29 01:46:40 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 29 01:55:32 2005
Subject: [ISN] Inside Symantec's security bunker
Message-ID:

http://news.com.com/Inside+Symantecs+security+bunker/2100-7355_3-5973864.html

By Tom Espiner
Special to CNET News.com
November 28, 2005

In one of the rolling hills above Winchester, England, is a decommissioned nuclear bunker that houses Symantec's U.K. Security Operations Center. The facility, built at enormous cost to British taxpayers at the end of the Cold War in the early 1990s, is now owned by the security company.

The popular image of a bunker is a dank, rat-infested hole in the ground, but luckily for Symantec's team, the interior looks surprisingly like any other office.

The facility is home to Symantec's U.K. Managed Security Services team, whose main task is to filter and monitor data fed back from customers' intrusion prevention systems, firewalls and intrusion detection systems.
The Winchester team analyzes some 1.5 billion lines of code per day, said Jeff Ogden, Symantec's director of managed security services for Europe, the Middle East and Africa.

"We spend our lives gathering and analyzing information and intelligence," he said. "This is an enormous amount of information, and we're trying to pull it into a coherent state."

The managed security services team is located in a room glassed off from the main bunker, which has 15 workstations ranged in three rows of five. Four large flat-screen monitors, mounted on the wall, face the workstations. Sky News plays constantly in the background to help the team monitor the geopolitical situations that may affect the info-threat landscape.

Tight security

Access to the bunker is closed--even other Symantec personnel cannot enter the building without prior clearance. Any visits must be announced at least 24 hours in advance. Symantec customers must sign nondisclosure agreements before visiting.

Once inside, all employees must log in at a special workstation and must log out when leaving. Three external cameras have a 360-degree view of the building. A digital recorder keeps 30 days of backup. The bunker runs round the clock, staffed by a minimum of four and a maximum of 15 analysts.

Even the atmosphere inside is highly managed. It is pressurized to 1.5 pounds per square inch greater than outside air pressure, so air is constantly being forced out--handy if someone decides to drop an atomic bomb in the vicinity. In the event of a nuclear attack, the air can be filtered through charcoal, and there are still safeguards in place against a gas attack.

The bunker has features like a security alarm--two strips of black plastic with glowing red insides--that's activated if any unauthorized visitor steps inside the glassed-off internal perimeter, where the analysts work away. Get too close to the alarm and it bleeps and registers an intruder.
If anyone gets past that, there's one last line of defense to deal with. "That's when I appear with a baseball bat," said Gordon May, Symantec's facilities manager.

Globally, there are 120 million desktops and servers using Symantec's products, which all feed back samples of malicious code. The company uses basic agent technology to collect the information, or customers can choose to send in the information manually.

"We deploy a small agent onto the customer collection point--the firewall, or the syslog server. The agent is a small piece of software that collects, compresses, signs and encrypts the data before forwarding it to us," Ogden said.

The data process

Once the data has been collected, it is sent to Symantec where it is analyzed and, if there is any danger of attack, a report is speedily sent to the client.

"If the situation is critical or an emergency, we pick the phone up and say to the customer 'You could be under attack,'" Ogden said.

All customer information is stored centrally and run through two filters: a "progressive threat model," which decides whether the code is a threat, and an "expert query engine." The expert query engine decides what the threat is targeting, where it's coming from and what the threat is.

This code is then analyzed by a Symantec engineer and the incident classified according to its threat level:

* Informational: The client has been scanned by hackers, but no more action is required
* Warning: The client has been scanned and a vulnerability has been detected by hackers
* Critical: The client has been scanned, and vulnerable machines are being targeted
* Emergency: There is a possibility of code being deposited on vulnerable machines

During ZDNet UK's visit to the facility, an attempted distributed denial-of-service attack, launched using a botnet in Romania, was detected.

"We profile the threat by finding out where it's being launched from, who it's being aimed at and what it's trying to achieve," Ogden said.
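The four-tier classification and the "where is it launched from, who is it aimed at" profiling that Ogden describes amount to a small correlation step over sensor events. The following script is an added illustration of that step and is not Symantec's code: it parses a constructed, syslog-style event feed (the line format, the event names `portscan`, `vuln_probe`, `exploit_attempt` and `payload_dropped`, the client names and the IP addresses are all invented for the example), escalates each client to the highest tier justified by its events, builds a source/target profile per client, and decides whether the tier warrants the "pick up the phone" path rather than a written report.

```python
"""Incident-tier triage over a constructed sensor feed.

Added example, not Symantec's code. The four tiers follow the article; the
log format and every event name, client name and address below are invented.
"""
import re
from collections import defaultdict

# Constructed input: "<timestamp> key=value ...". One line is deliberately
# malformed and one carries an event type the triage does not know about.
SAMPLE_LOG = """\
2005-11-28T09:00:01 client=acme src=198.51.100.7 event=portscan ports=21,22,25,80
2005-11-28T09:00:09 client=acme src=198.51.100.7 event=vuln_probe dst=10.0.0.5 service=smtp
2005-11-28T09:02:40 client=acme src=198.51.100.7 event=exploit_attempt dst=10.0.0.5 service=smtp
2005-11-28T09:05:12 client=bravo src=203.0.113.9 event=portscan ports=80,443
2005-11-28T09:05:13 client=bravo src=203.0.113.9 event=dns_query name=example.test
this line is malformed and must be skipped
2005-11-28T09:07:30 client=charlie src=192.0.2.33 event=portscan ports=445
2005-11-28T09:07:41 client=charlie src=192.0.2.33 event=vuln_probe dst=10.1.1.9 service=smb
2005-11-28T09:08:02 client=charlie src=192.0.2.33 event=exploit_attempt dst=10.1.1.9 service=smb
2005-11-28T09:08:05 client=charlie src=192.0.2.33 event=payload_dropped dst=10.1.1.9 path=/tmp/x
"""

# Tier names in ascending severity, as listed in the article.
TIERS = ["Informational", "Warning", "Critical", "Emergency"]

# Lowest tier each (invented) event type justifies on its own.
EVENT_TIER = {
    "portscan": 0,          # scanned, nothing more
    "vuln_probe": 1,        # scanned and a vulnerability located
    "exploit_attempt": 2,   # vulnerable host actively targeted
    "payload_dropped": 3,   # code may have landed on the host
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_line(line):
    """Return a dict of fields for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    # A record without a client or event type cannot be attributed.
    if "client" not in fields or "event" not in fields:
        return None
    return fields


def triage(log_text):
    """Group known events per client and assign the highest justified tier.

    Returns {client: (tier_name, [event dicts])}. Malformed lines and unknown
    event types are dropped rather than escalated.
    """
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["event"] not in EVENT_TIER:
            continue
        per_client[ev["client"]].append(ev)
    return {
        client: (TIERS[max(EVENT_TIER[e["event"]] for e in events)], events)
        for client, events in per_client.items()
    }


def profile(events):
    """Where it is launched from and who it is aimed at, for one client."""
    sources = sorted({e["src"] for e in events if "src" in e})
    targets = sorted({e["dst"] for e in events if "dst" in e})
    services = sorted({e["service"] for e in events if "service" in e})
    return {
        "sources": sources,
        "targets": targets,
        "services": services,
        "first_seen": min(e["ts"] for e in events),
        "last_seen": max(e["ts"] for e in events),
    }


def dispatch(tier_name):
    """Critical and Emergency go to a phone call; the rest to a written report."""
    return "phone" if TIERS.index(tier_name) >= TIERS.index("Critical") else "report"


def summarize(log_text):
    """{client: tier} view of a feed, convenient for a shift hand-over."""
    return {client: tier for client, (tier, _) in triage(log_text).items()}


if __name__ == "__main__":
    for client, (tier, events) in sorted(triage(SAMPLE_LOG).items()):
        print(client, tier, dispatch(tier), profile(events))
```

The escalation is a maximum over event tiers rather than a strict sequence check, so a feed that only contains an `exploit_attempt` still lands on Critical; whether to require the preceding scan and probe is a policy choice a real engine would make explicitly.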
On a wider network

The Security Operations Center's Winchester facility is part of Symantec's global network of information monitoring stations. Customer data is monitored in five centers. The other four are located in Sydney, Australia; Munich, Germany; Alexandria, Va.; and San Antonio.

The security operation centers work closely with Symantec's seven security response centers, located around the globe, in locations including the U.S., Canada, Ireland, Japan and Australia. Where the primary role of the operations center is to identify attacks against customers, the response centers work on a higher level and collate information from a wider variety of sources.

Along with monitoring viruses directly detected by customers, Symantec scans 25 percent of global e-mail traffic for malicious code. It has a number of "honeypot" e-mail boxes, which are accounts provided by ISPs. They are not used, so anything that ends up there is usually spam, Trojan horses, viruses or other forms of malicious software.

An attack quarantine system linked to the honeypot network captures such malicious code. "It is a virtual network that simulates servers, and so looks like a real network," said Art Wong, vice president of security response and managed security services at Symantec.

Symantec maintains a list of all the vulnerabilities found across its network, called Bugtraq. Wong said that it's both a clearing house and a database of vulnerabilities. This list is shared with other security vendors to speed up the process of issuing patches.

The threat of botnets

As a leading security vendor, Symantec is well-positioned to identify future threats. Some of the biggest offenders on the radar at the moment are botnets, which are extensive networks of compromised computers controlled by hackers. These botnets are usually used to launch distributed denial-of-service attacks, which effectively flood Web servers or e-mail boxes with traffic.
The growth of botnets is a major problem, with a 100 percent increase in the U.K. since 2004, according to Symantec. The company believes that right now, the U.K. contains the highest number of botnets in the world.

"Just over a third of the botnets we've seen are in the U.K.," said Wong, quoting figures from Symantec's Internet Security Report VIII, published in September 2005. This is higher than the U.S., which has traditionally had more botnets.

The high incidence of botnets in the U.K. probably has to do with the recent explosion in broadband usage and the fact that most U.K. home users wouldn't know if their computer was compromised, Wong suggested.

"Maybe there's a slightly lower awareness level in Britain of botnets," he said. "The IP addresses could come from legitimate machines that have been compromised by hackers. Maybe the machines don't have patches, or are not running up-to-date anti-malware products. Plus, if you have 10,000 machines in a botnet, it's difficult to track back to each IP address."

Taking control

On average, it takes eight minutes for a new machine to be compromised when hooked up to the Web for the first time, according to Symantec tests on a Microsoft Windows PC not running XP Service Pack 2 or antivirus software.

There is a particular danger for businesses using the same network as a compromised machine, because once one machine has been infected behind the firewall, hackers can use it to infect others.

"If attackers manage to infect a machine within an organization, they can profile additional machines within that subnet. Executable code can be injected onto other machines to profile the users," Ogden said.

Symantec does not tell those people with compromised IP addresses that their computers are being controlled by hackers, due to the sheer scale of the problem.

"A botnet can consist of thousands of machines, and we just don't have the time to contact everyone. Our first priority is our customers," Ogden said.
However, when it comes to serious incidents, Symantec does support the police. But the company is keen to point out that it doesn't supply any direct details on customers.

"The information we supply to our customers belongs to them, and it's up to them to provide information to law enforcement agencies regarding any suspect activity. When companies are targeted, it's the customer who initiates giving information about the offending individuals," Ogden said.

It also supports the police in its efforts to counter botnets. "In the U.K., the National Hi-Tech Crime Unit has been proactive in trying to close down botnet activity. We welcome any initiative which closes down botnets," Ogden said. "We have had some contact with the authorities in the past, and it works quite successfully."

If a company is the subject of an attack, Symantec recommends it goes to the police. Symantec will only go so far with chasing potential criminals. If an attack has been unsuccessful, they are unlikely to be hunted down, Ogden said.

"If we have controlled and closed down a particular threat to a customer, there's not a great deal of benefit in tracking down the individuals who mounted the attack," he said.

Tom Espiner of ZDNet UK reported from London.

Copyright (c) 1995-2005 CNET Networks, Inc.

From isn at c4i.org Tue Nov 29 01:45:38 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 29 02:00:55 2005
Subject: [ISN] Inadequate laws hobble privacy chief
Message-ID:

http://www.thestar.com/NASApp/cs/ContentServer?pagename=thestar/Layout/Article_Type1&c=Article&cid=1133133016362&call_pageid=968350072197&col=969048863851

By MICHAEL GEIST
Nov. 28, 2005

In a year dominated by almost daily privacy and security violations that have placed the personal information of millions at risk, a privacy breach that affected just one person ranks as 2005's most shocking incident.
With the recent disclosure that a national magazine obtained Canadian privacy commissioner Jennifer Stoddart's phone records with relative ease, the inadequacies of Canada's current privacy law framework and the desperate need for reform to provide Canadians the privacy protection they deserve has been exposed. Two weeks after the story hit the newsstands, the Maclean's investigation continues to resonate throughout the privacy community. Requiring only easily obtainable, publicly available information and a couple of hundred dollars, a U.S-based Internet data broker supplied a reporter with the Commissioner's detailed records of her home phone and BlackBerry cellphone usage, including precise information on who she called and when. Although major telecommunications providers such as Bell sought to characterize themselves as "victims" of fraudulent activity and claim that a rapid response to the incident is proof that Canada's privacy laws are working as intended, the reality is that the current legislative framework is simply ill-equipped to deal effectively with such incidents. The potential for a phone-records privacy breach, which the telecommunications providers claim occurred due to "subterfuge and misrepresentation," should have been well known to the Canadian carriers. Reports suggest that the Ontario privacy commissioner raised concerns about the potential disclosure of phone records to U.S.-based data brokers in a complaint to the Canadian Radio-television and Telecommunications Commissioner (CRTC), Canada's telecommunications regulator, seven years ago. Nothing was done in response. In fact, this summer the Electronic Privacy Information Center, a U.S. privacy advocacy group, identified 40 online data brokers who brazenly advertise the availability of personal phone records. The privacy information centre has filed complaints with U.S. 
regulators, yet telecommunications companies have opposed their proposals to beef up the security surrounding customers' phone records. In light of the privacy breach, the public might naturally expect that the privacy commissioner of Canada has the powers to address the issue. She does not. The investigation will naturally focus on both the telecommunications providers that disclosed the phone records as well as the U.S.-based data broker that obtained and later sold the information. The privacy commissioner has little recourse against the telecommunications providers. Although she can investigate the incident, without possessing order-making power, the commissioner is reduced to issuing a non-binding "finding" that must be pursued in federal court in order to levy any financial penalties. Indeed last week it was the CRTC that was better able to immediately address the issue. Within days of the report, it sent a letter to the telecommunications providers demanding an internal investigation and imposing a strict 10-day deadline to furnish a host of information, including descriptions of the safeguards that were in place when the breaches occurred, explanations of how the companies verify customer identity, and new measures being taken to improve security. The situation with respect to the U.S.-based data broker is even bleaker. Last week the privacy commissioner declined to investigate a complaint against another U.S. data broker, arguing that Canada's privacy laws do not provide sufficient powers to investigate out-of-country operators. The implications of that decision are stunning, suggesting that Canadians enjoy no privacy protection for personal information that is disclosed to non-Canadian entities. Although the commissioner's interpretation of the limits of the law are subject to challenge ? there is a good argument that the jurisdictional limitations on investigation should not act as a barrier to issuing a finding against a foreign entity ? 
it is increasingly clear that Canadian law is not up to the challenge of providing effective privacy protection in a world of global data flows that do not respect national borders.

Tackling this challenge will not be easy, particularly as the commissioner is asked to address a growing number of concerns including spam, spyware, and the threat of secret disclosures compelled by U.S. law enforcement. A starting point, however, is to provide the commissioner with order-making power, the unquestioned ability to name the names of privacy violators, and the resources necessary to meet her mandate.

While a statutory review of Canada's national privacy legislation is slated for 2006, there is no need to wait for the review. With an imminent national election call, Canada's political leaders should be required to answer a simple question: How are they prepared to reform Canadian law to provide meaningful privacy protection in the Internet era?

-=-

Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can be reached at mgeist@uottawa.ca or online at http://www.michaelgeist.ca.

From isn at c4i.org Tue Nov 29 01:45:57 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Nov 29 02:05:24 2005
Subject: [ISN] Military Declares War on Industrial Espionage
Message-ID:

http://english.chosun.com/w21data/html/news/200511/200511280028.html

Nov. 28, 2005

The Defense Security Command says it will boost intelligence personnel to ferret out industrial spies trying to leak military technology overseas.

"We will launch a security investigation team with a range of professional expertise operating around the clock to curb industrial espionage, which expropriates military secrets and defense industry technologies, and to counter increasingly intelligent security leaks," the head of the DSC's planning division, Col. Lee Hwa-seok, said Monday.
The DSC has reportedly transferred some agents from counterespionage to an industrial espionage unit. Given the growing risk of hacking attacks and cyber terrorism, the DSC is also planning to task more staff with countering them and monitor overall defense intelligence.

From isn at c4i.org Wed Nov 30 01:29:03 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 30 01:42:50 2005
Subject: [ISN] IT security staff could face licensing
Message-ID:

http://www.computerweekly.com/Articles/2005/11/29/213197/ITsecuritystaffcouldfacelicensing.htm

By Bill Goodwin
29 November 2005

IT security professionals have voiced concern over proposals to use legislation designed for wheel clampers and bodyguards to regulate security consultants.

The Security Industry Association (SIA), a quango that regulates workers in physical security industries, said Home Office ministers were considering whether IT security should be governed by legislation. Research is under way to help them decide whether IT security consultants will need licences to practice.

"The exercise is to scope the security industry and see how wide the legislation is to be," said an SIA spokesman.

If IT security professionals are classed as security consultants they will have to undergo identity and criminal record checks, and reach minimum qualifications.

But independent security consultant Chris Sundt said government regulation could harm, rather than help, the profession.

"There is a risk the SIA will come up with a licensing regime that creates more problems than it solves. If the criteria are weak, people will have a label saying they are qualified security professionals. It will give a false sense of security," he said.
From isn at c4i.org Wed Nov 30 01:29:41 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 30 01:46:24 2005
Subject: [ISN] Fuzzy logic behind Bush's cybercrime treaty
Message-ID:

http://news.com.com/2010-1071_3-5969719.html

By Declan McCullagh
November 28, 2005

If you believe President Bush, a "cybercrime" treaty about to be voted on by the U.S. Senate is needed to thwart online vandals and track down Internet miscreants.

Bush claims the treaty, formally approved by a Senate committee this month, will "deny safe havens to criminals, including terrorists, who can cause damage to U.S. interests from abroad, using computer systems."

But in reality, the Convention on Cybercrime will endanger Americans' privacy and civil liberties--and place the FBI's massive surveillance apparatus at the disposal of nations with much less respect for individual liberties.

For instance, if the U.S. and Russia ratify it, President Vladimir Putin would be able to invoke the treaty's powers to unmask anonymous critics on U.S.-based Web sites and perhaps even snoop on their e-mail correspondence. This is no theoretical quibble: The onetime KGB apparatchik has squelched freedom of speech inside Russia and regularly muzzles journalists and critics.

There's an easy fix. The U.S. Senate could attach an amendment to the treaty saying the FBI may aid other nations only if the alleged "crime" in their country also is a crime here. The concept is called dual criminality, and the treaty lets nations choose that option.

Requiring dual criminality would let the FBI investigate actual transnational crimes, such as computer intrusions and virus creation. But trumped-up offenses, like a blogger "questioning President Putin," would not trigger U.S. aid.

Unfortunately, neither the Bush administration nor the Senate Foreign Relations Committee has been willing to make that change, calling it too "rigid."

"This is in the interest of U.S.
law enforcement, which aggressively utilizes these treaties to gain evidence abroad and would be hamstrung by a rigid dual-criminality provision in all cases," said a Nov. 8 report prepared by committee chairman Sen. Richard Lugar, R-Ind. "Therefore, the United States will be able to use this (treaty) to obtain electronic evidence in cases involving money laundering, conspiracy, racketeering, and other offenses under U.S. law that may not have been criminalized in all other countries."

No wonder that U.S. Internet service providers are worried about becoming surveillance arms for despotic regimes. One lobbyist told me the industry doesn't believe the Bush administration's assurances that the treaty's awesome powers will never be misused. (Remember that this is the same administration that said the same thing about the Patriot Act--and has been proven wrong.)

Mutual assistance: Internet surveillance

Fully half of the treaty, drafted by the Council of Europe, deals with mutual assistance. (The Council is a quasi-governmental group of 46 nations, including European nations, Russia, the U.S., Canada, Japan and Mexico.)

The text spells out exactly what that means in practice. Included on the list: Internet providers must cooperate with electronic searches and seizures without reimbursement; the FBI must conduct electronic surveillance "in real time" on behalf of another government; U.S. businesses can be slapped with "expedited preservation" orders preventing them from routinely deleting logs or other data.

In a letter to the Senate, the American Civil Liberties Union spelled out some of the problems. "France and Germany have laws prohibiting the advertisement for sale of Nazi memorabilia or even discussing Nazi philosophy, activities that are protected in the United States under the First Amendment," the letter said.
"These countries could demand assistance from the United States to investigate and prosecute individuals for activities that are constitutionally protected in this country."

Other potential problems with the treaty include requiring that participating nations outlaw Internet-based copyright infringement as a "criminal offense" even if it's not done for a profit, and prohibiting, in some cases, the "distribution" of computer programs that can be used for illicit purposes.

It's true that there are some positive elements of the treaty that promise to help reduce cybercrime. But the lack of dual criminality is a real concern, especially when it's easily fixed with an amendment. Now's the time to let your senators know what you think.

Copyright © 1995-2005 CNET Networks, Inc.

From isn at c4i.org Wed Nov 30 01:33:42 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 30 01:47:18 2005
Subject: [ISN] Authorities: Hacker Broke Into Emergency Communications System
Message-ID:

http://www.nbc4.com/news/5431542/detail.html

November 30, 2005

WASHINGTON -- Authorities said a computer hacker has broken into the emergency communications system in Prince George's County.

So far, no emergency has been adversely affected by the hacker, News4 reported. But people at the Station 9 firehouse said they are very concerned that somebody who needs help may not get it.

Authorities said the breach happened early on Friday morning after a radio transmission said to hold Fire Station 9's units and return all other units on a full box alarm consisting of seven different fire stations. A fire chief figured out that it was a fake, and transmitted the message across the radio network.

There is only one recording of the incident so far, News4 reported, but firefighters at Station 9 said it's happened at least three other times. Also in the last couple of weeks, the same man gave an ambulance crew responding to an emergency some bogus information.
Authorities said they encourage anyone who has information on who is behind it all to contact them right away. Fire officials in Prince George's County said if they catch the person, he will be prosecuted to the fullest extent of the law.

From isn at c4i.org Wed Nov 30 01:35:16 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 30 01:48:03 2005
Subject: [ISN] Cybercrime takes to a new level
Message-ID:

http://www.brunei-online.com/bb/wed/nov30b6.htm

November 30, 2005

KOTA KINABALU - The trend in cybercrime has changed from mostly hacking of organisations' computer system in some four to five years ago to unauthorised access of their resources like records, database, information as well as money for monetary gain, Bernama reported.

Head of Internet Crime Investigation Unit of the Royal Malaysia Police in Bukit Aman, DSP Mahfuz Abdul Majid said the police now received more serious cases like loss of resources like data, information and money from some organisations' computer system as well as unauthorised access to some government department records.

"The number of cases is not many but it is increasing," he told reporters on the sidelines of a one-day Cyberlaw Workshop, here Monday.

Among the cases found during their investigation was the unauthorised access of certain land offices data, possibly through the help of insiders who helped syndicates to change the ownership of a particular land title before selling it to another individual. The syndicates took advantage of the recent undertaking by some land offices to computerise their data for their own gain with the help of insiders, he said.

Besides, syndicates with the help of hackers also blackmailed some website owners for money, which were seldom reported as they would usually ask for RM5,000 to be paid to them to prevent their website and data from being distorted by the syndicate.
"They usually pay the syndicate instead of reporting it to the authority as the money they were asking was not that much and it was less of a hassle," he said.

The increasing number of service providers of the Voice Over Internet Protocol (VOIP) which allowed users to get a lower calling rate by communicating through Internet line could also spark some interest among syndicates and their hackers' partners to tap the line for their monetary gain.

Copyright © 2005 Brunei Press Sdn Bhd. All rights reserved

From isn at c4i.org Wed Nov 30 01:29:29 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 30 01:49:38 2005
Subject: [ISN] Hacking of voting machines put on hold
Message-ID:

http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2005/11/29/BAG8TFVC2M1.DTL

Chronicle Staff Report
November 29, 2005

Sacramento -- A state-sanctioned attempt at hacking one brand of electronic voting machines will not occur Wednesday, Secretary of State Bruce McPherson said Monday at what's billed as the nation's first summit on voting machine testing.

The hacker, a computer security expert from Finland, needs more time to prepare before trying to show that the latest voting machine model made by Diebold Election Systems is vulnerable to attacks by hackers.

"We have imposed the strictest voting system tests in the country. We think this should be part of it too," McPherson said about the attempted hack.

California and its 58 local election officials face a Jan. 1 deadline to comply with requirements imposed by the federal Help America Vote Act of 2002. Among them is creation of a statewide database of voters and allowing disabled persons to vote unaided. The state requires all electronic voting machines have a paper-ballot backup to record votes for the June 2006 primary.

Diebold's new voting machine system had its certification for use yanked in May 2004 by then Secretary of State Kevin Shelley. It has failed to win it back.
Last May, Harri Hursti, a computer security expert from Finland who has been asked by Secretary of State Bruce McPherson to attempt to infiltrate one of the voting machines made by Diebold, successfully hacked a Diebold voting machine in Florida, changed election results and inserted a new program that flashed the message "Are we having fun yet?" on the machine's screen.

The 1 1/2 day summit, with representatives of 23 states and 18 local California election officials among its attendees, is designed to help the state create the best approach to testing voting machines for reliability and accuracy. A public hearing is scheduled for February to synthesize the summit's results.

From isn at c4i.org Wed Nov 30 01:28:44 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 30 01:50:17 2005
Subject: [ISN] MP calls for UK e-crime tsar
Message-ID:

http://software.silicon.com/security/0,39024655,39154645,00.htm

By Tom Espiner
29 November 2005

An MP has called for the creation of a cyber-security tsar and a national agency to combat the growing threat of cyber crime.

Mark Pritchard, Conservative MP for The Wrekin, used an adjournment debate last Wednesday to call for more action to address the impact that cyber crime may have on the UK's critical national infrastructure (CNI).

"The agency should be a unified national cyber-security agency, which would be a single point of cyber-security information, guidance and advice for the nation," Pritchard argued.

Pritchard said: "The rise in aggressive viruses and cyber-security threats is a clear and present danger to Britain's national security. It is also a threat to Britain's economic well-being."

The MP also claimed that the UK's CNI was threatened by terrorist organisations. He said: "It is interesting that the imprisoned al-Qaeda members have admitted that their organisation has been attempting to - and no doubt is still attempting to - develop cyber threats to strike western governments."
However, some security experts - including Bruce Schneier - aren't convinced that cyber terrorism is a serious threat. Speaking last week, Schneier said: "I think that the terrorist threat is over-hyped, and the criminal threat is under-hyped.

"I hear people talk about the risks to critical infrastructure [CNI] from cyber terrorism but the risks come primarily from criminals. It's just criminals at the moment aren't as 'sexy' as terrorists."

The CNI includes energy, transport, finance, telecoms and aviation, which constantly rely on an exchange of information, according to Pritchard, who suggested that the nuclear industry could be a target.

Pritchard said: "A penetration of any of those networks would be a serious threat to national security, not least when it comes to the potential to access Britain's 14 nuclear power stations."

He also claimed that cyber attacks had a detrimental effect on consumer confidence. He quoted a figure of 200,000 cases of internet-based identity fraud, at a cost to the UK economy of at least £16m. Online credit fraud has also increased by 29 per cent, he added.

In response, the government said Pritchard was making sensible suggestions, and stressed the need for secure networks but said it had no plans to regulate internet use.

Barry Gardiner, parliamentary under-secretary of State for Trade and Industry, said: "It is not the government's role to manage the internet, or regulate how business is conducted through it. There is a role for government and business to work together in a non-regulatory way."

The government also pointed to its creation of the National Infrastructure Security Coordination Centre and said it had recently allocated £30m to protect government information.
From isn at c4i.org Wed Nov 30 01:28:54 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 30 01:50:53 2005
Subject: [ISN] More attack code for Windows flaws
Message-ID:

http://www.smh.com.au/news/breaking/more-attack-code-released-for-windows-flaws/2005/11/29/1133026443579.html

By Sam Varghese
November 29, 2005

A French research group has released proof-of-concept code for a critical vulnerability in Microsoft's Windows which can be exploited to cause a denial of service.

Proof-of-concept code demonstrates a method of exploiting a vulnerability. Though in itself not an exploit, it can help in developing one.

A patch for this flaw was released by Microsoft in October; the same patch took care of two other unrelated vulnerabilities.

The French group FrSIRT said in its advisory that the code it had released was aimed at a flaw in Microsoft's Distributed Transaction Coordinator. The coordinator is a remote procedure call interface that provides methods for different processes to complete transactions with each other, often over a network.

The advisory did not say which versions of Windows would be affected by an exploit based on this code. When Microsoft released its advisory back in October it listed Windows 2000, Windows XP Service Pack 1, and Windows Server 2003 as being affected.

eEye Digital Security, which discovered the problem and informed Microsoft, rated the severity as high, allowing remote execution of code.

Comment has been sought from Microsoft.
From isn at c4i.org Wed Nov 30 01:29:19 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Nov 30 01:51:36 2005
Subject: [ISN] Spitzer Gets on Sony BMG's Case
Message-ID:

http://www.businessweek.com/technology/content/nov2005/tc20051128_573560.htm

By Arik Hesseldahl
NOVEMBER 29, 2005

New York's Attorney General has turned his attention to Sony BMG's copyright-protection fiasco

Sony BMG Music Entertainment is getting a lot of unwanted attention for its use of copyright-protection software that left CD users open to computer viruses. It began with the bloggers, who shed light on the matter, and has spread to the scads of consumers who have used the Internet to urge a boycott of Sony BMG CDs. A Homeland Security Dept. official has weighed in, accusing Sony BMG of undermining computer security. And Texas Attorney General Greg Abbott has alleged, in a suit filed Nov. 21, that Sony BMG violated his state's antispyware laws.

Now, the Sony BMG debacle has drawn the scrutiny of New York Attorney General Eliot Spitzer.

BUYER, BEWARE. Spitzer's office dispatched investigators who, disguised as customers, were able to purchase affected CDs in New York music retail outlets -- and to do so more than a week after Sony BMG recalled the disks. The investigators bought CDs at stores including Wal-Mart (WMT), BestBuy (BBY), Sam Goody, Circuit City (CC), FYE, and Virgin Megastore, according to a Nov. 23 statement from Spitzer's office.

Sony BMG says it shipped nearly 5 million CDs containing the software, of which 2.1 million had been sold. The company says 52 individual titles are affected. Spitzer's office urged consumers not to buy the disks, and if they do buy them, not to play them in computers. The disks should be returned to the place of purchase for a refund, Spitzer advises.

MORE PRESSURE. "It is unacceptable that more than three weeks after this serious vulnerability was revealed, these same CDs are still on shelves, during the busiest shopping days of the year," Spitzer said in a written statement. "I strongly urge all retailers to heed the warnings issued about these products, pull them from distribution immediately, and ship them back to Sony."

Sony BMG spokesman John McKay says the company has "commenced a mail-in exchange program and is committed to getting all copies of the 52 affected titles off store shelves. We appreciate the attorney general's reinforcement of our efforts, and on Wednesday [Nov. 23] we sent a follow-up message to remind them to remove XCP content-protected CDs from their inventory."

A spokeswoman for Wal-Mart did not return a call seeking comment. A Best Buy spokesman said the company has instructed its stores to remove the CDs from stock and to provide exchanges to customers.

Attention from the aggressive New York attorney general adds to pressure on Sony BMG to resolve a fiasco that came to the public's attention on Oct. 31, when computer-systems expert Mark Russinovich posted a message on his blog revealing that Sony BMG had placed antipiracy software on music CDs that made customers' PCs vulnerable to hacker attacks (see BW 11/17/05, "Sony's Copyright Overreach" [1]).

SEEKING FINES. Sony BMG programmed the disks with a software-code set known as a rootkit that secretly installs itself onto a PC's hard drive when the CD is loaded. And computer-security experts have raised questions over whether Sony BMG, a venture of Sony (SNE) and Germany's Bertelsmann AG, could have known about the rootkit sooner (see BW Online, 11/29/05, "Sony BMG's Costly Deafness" [2]).

Spitzer's consumer warning came days after Texas Attorney General Abbott filed the suit against the company in Travis County, Texas. Abbott is seeking fines against Sony BMG of $100,000 per violation.
A spokesman for Spitzer's office in New York City declined to comment on the attorney general's plans beyond the consumer warning, other than to say the office is "looking into" the matter.

In April, Spitzer's office had brought suit against Intermix Media, a Los Angeles-based firm. The suit followed a six-month investigation that culminated in allegations that Intermix had installed advertising software on home computers without having given those consumers ample notice. Intermix agreed to settle the suit and was required to pay $7.5 million. The company also had to accept a ban on the distribution of adware programs in the future.

In July, Spitzer secured a $10 million settlement from Sony's Sony BMG Music Entertainment record label to settle a probe into an alleged "payola" scheme. Spitzer's office said in July that it had uncovered evidence that the label had offered inducements, expensive gifts, and expensive travel packages to get music played on the radio.

SALES DRAG. Meanwhile, the rootkit blunder continues to inspire consumer outrage and affect sales of artists who produced the affected CDs. The ranking of Van Zant's Get Right with the Man CD plummeted on Amazon.com's (AMZN) bestseller list in the wake of the Sony BMG snafu (see BW 11/22/05, "Sony's Escalating 'Spyware' Fiasco" [3]).

And when Sony BMG started pulling CDs, it didn't have enough replacements lined up, says Ross Schilling, of Van Zant's Nashville-based manager, Vector Management. Sony BMG had promised the CD would be swapped out with non-rootkit CDs. Instead, the rootkit CDs simply were pulled, Schilling says. "It's obviously very bothersome," he says.

"HARMING THE ARTIST." That means Van Zant's CD and others were not on the shelves for the busiest shopping weekend of the year. Sony BMG has told Van Zant to expect a 50% to 80% decrease in sales when the new numbers come out on Nov. 30. That's in a week that should have seen a 50% to 80% increase in sales. The week of Nov. 9 to 16, Van Zant's sales actually jumped a point, a spurt Schilling attributes to exposure from the Country Music Awards. Now that retailers are pulling the CD, there's potential for a 50,000- to 60,000-unit loss, Schilling says.

"I believe they [Sony] went in with good intentions, but it turned into an unprecedented situation," Schilling says. "It certainly is harming the artist.... There's going to have to be some commitment made on Sony's side to their artists."

To say nothing of the assurances Sony BMG may need to make to consumers and a couple of states' attorneys general.

[1] http://www.businessweek.com/technology/content/nov2005/tc20051117_444162.htm
[2] http://www.businessweek.com/technology/content/nov2005/tc20051129_938966.htm
[3] http://www.businessweek.com/technology/content/nov2005/tc20051122_343542.htm