From isn at c4i.org Wed Feb 1 07:24:22 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Feb 2006 06:24:22 -0600 (CST)
Subject: [ISN] 'Electronic Discovery' Industry Blooming
Message-ID:

http://www.casperstartribune.net/articles/2006/01/31/ap/hitech/d8fep9do0.txt

By BRIAN BERGSTEIN
January 31, 2006

EDEN PRAIRIE, Minn. - Even just a few years ago, lawyers in corporate lawsuits sometimes agreed not to poke around in their opponents' e-mails. Instead they'd confine themselves to paper memos and other documents on file as they pursued evidence.

Now, however, with so much work done via e-mail, instant messaging and other online platforms, "nothing's in the file cabinets anymore," said Michele Lange, staff attorney for legal technologies at Kroll Ontrack Inc.

Instead, the memos, presentations and other scraps of corporate intelligence are increasingly finding their way into vast "electronic discovery" centers like the one Kroll Ontrack operates here near Minneapolis.

Day and night, rows of whirring, blinking computers sock away enormous batches of digital records sent by companies involved in lawsuits. Other files are discovered deep in hard drives - wedged between everything from personal e-mails to pornography - by Kroll Ontrack forensic teams whose code names keep their missions secret.

All this once was an arcane backwater of the legal-services field. Electronic discovery was commonly performed by local computer experts who played golf with law firm procurement officers.

But several factors - including the inexpensive abundance of data storage, high-profile lawsuits and strict new laws such as Sarbanes-Oxley that demand thorough corporate archiving - are making electronic discovery a lucrative and competitive slice of information technology.

The overall market is worth close to $2 billion and growing at about 35 percent a year, says Michael Clark, who analyzes the field at EDDix LLC.
The number of companies offering computer-related evidence gathering appears to have doubled in the past two or three years, with several hundred now hanging a shingle.

This surge has led Kroll Ontrack to quadruple the size of its data-crunching center in less than 18 months, from a half-petabyte of storage to two petabytes. That's 2 million gigabytes. Consider that the Internet Archive, which aims to store almost every public Web page ever to appear, currently totals one petabyte.

Rival e-discovery vendor Fios Inc. had 48 employees three years ago. This year, the Portland, Ore.-based company expects to employ more than 120, with revenue of $30 million - nearly double its 2004 figure.

Increasingly, e-discovery customers are not just law firms enmeshed in big corporate cases. More and more, companies are working proactively with e-discovery vendors, getting a handle on their data troves so they can meet regulatory requirements - or just in case they are sued.

After all, 90 percent of U.S. corporations are engaged in some type of litigation, according to research by the law firm Fulbright & Jaworski LLP. The average company bigger than $1 billion is wrestling with 147 lawsuits.

"The big risk for companies is too much data that there's really no business need for, being kept in ways that if they had to go looking for it, would be uneconomic," said e-discovery pioneer John Jessen, who founded Electronic Evidence Discovery Inc. in 1987. (It began after Jessen, who had a small computer business in his basement, was able to find a seemingly absent mailing list on a defendant's PC.)

Partial credit for the recent e-discovery boom goes to two 2005 cases involving investment banks.

In one, former UBS AG equities trader Laura Zubulake won a $29 million award in a federal gender discrimination suit in which she had requested that the bank turn over all internal communications about her.
The bank produced 350 pages of documents, but Zubulake knew there were more - she had retained some herself. The case set several precedents about how e-discovery ought to proceed and who should pay for it. In one key ruling, the judge slapped UBS for failing to recognize that the missing e-mails likely would end up being relevant to future litigation.

Later, financier Ron Perelman won $1.6 billion from Morgan Stanley & Co. after a judge said the firm had failed to turn over e-mails and other digital evidence in a lawsuit stemming from its role in the 1998 sale of Perelman's Coleman camping gear company to Sunbeam Corp. The case is being appealed, but is still proving instructive.

"In litigation today, if e-discovery is done wrong, it can have huge implications," said Jonathan Redgrave, a partner at Redgrave Daley Ragan & Wagner LLP who specializes in electronic document issues.

In addition to these cases and laws such as Sarbanes-Oxley that tighten record-retention requirements, new changes in rules of civil procedure set strict standards for what companies should do with their files the moment they are sued.

"Some of those standards are fairly onerous even to sophisticated, highly litigious businesses," said Gerald Massey, head of Fios.

Complicating matters, other rules - including European data-privacy laws and the new Fair and Accurate Credit Transactions Act - require companies to go in the opposite direction and dispose of certain kinds of records.

Much of what e-discovery companies do is similar - but offered under different names or pricing schemes. Generally, a vendor gets raw material from corporate computers and backup tapes, then dives in - with specialized software rather than humans - to remove duplicate files or records that have no bearing on a case, while zeroing in on those that might. Later the vendors can be asked to testify how the searches were conducted.
Sometimes the findings are virtual smoking guns, like the infamous e-mail in which investment banker Frank Quattrone endorsed a recommendation that colleagues destroy files. Other times evidence comes not from what's in a file, but from its "metadata" - the automatically applied labels that explain such things as when a file was made, reviewed, changed or transferred.

From there, even the end product comes in digital form. The evidence found by electronic discovery firms can be put on secure Web sites for legal teams to pore over, mark up and redact if necessary.

This kind of service often runs well into six figures, but there will be pressure to bring that down as cost-conscious companies replace law firms as the direct clients. And that figures to change the sprawling field.

Some think software providers and tech-services giants will step in and begin baking electronic discovery capabilities into other data-retention products. For example, storage systems can include "litigation hold" functions that let a company instantly preserve certain records if necessary.

"The ultimate buyers of a company like ours have only just begun to emerge in our space," said Massey at Fios. "The names we'll associate with the services we provide in three, four, five years from now will be like IBM and EMC and Oracle."

From isn at c4i.org Wed Feb 1 07:24:35 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Feb 2006 06:24:35 -0600 (CST)
Subject: [ISN] The case of the sneaky daughter and the wireless card
Message-ID:

http://www.networkworld.com/columnists/2006/012306nutter.html

By Ron Nutter
NetworkWorld.com
01/23/06

My 16-year-old daughter has wireless Internet access with her notebook computer. My wife and I control the signal by putting the modem on a timer, thus not allowing her to access the Internet after 12:00 am. She's a high-school student and we want her off the Internet after midnight.
However, she's learned to access other available Wi-Fi signals, so us turning off the modem does no good whatsoever. Other than confiscating her wireless card, is there any way we can keep her off the Internet after her curfew? Is there a way to block incoming signals to our home? Or is there a way to program her computer blocking her access to Wi-Fi other than our secured network?

--Dan Meyerson

If her notebook computer is running XP Home, one option would be to enable logging in by username. Give her username enough to do what she needs to do, but restrict her from making any changes such as selecting alternate access points. Depending on how the wireless card driver is written, this might be enough to prevent her from changing to another access point. This assumes that the SSID of your access point is unique and not running the default used by the manufacturer when it was made.

This will also give you another possible option. Use XP's Scheduled Tasks function to run batch files to disable (and then re-enable) the wireless card at set times. It is possible to use one script to run automatically when she logs in and check to see if the network card needs to be enabled or disabled based on time.

Another option is to put a hub or switch between the access point and put that hub/switch on a timer. When the power is shut off to the hub/switch, she will still see the access point but can't go anywhere.

If you need to use the access point within the house when you don't want your daughter to be able to use it, check within the firmware of the access point to see what kind of access control is available to control when a given workstation can and cannot access the Internet. Not all access points have this, so you may need to change access point vendors if your current access point doesn't allow this.

If you have a friend who is an Amateur Radio operator and has experience with the Oscar satellites, he may have another option for you.
Some of the newer satellites can operate in the 2.4 GHz range. See if he has a signal source for this frequency range. What you are looking for is a signal source that is weak enough to not disturb your neighbors' wireless access but to effectively make your daughter's notebook "deaf" to hearing other access points. This signal source would need to be placed in a location close to where the notebook is normally used in order to be effective. It could be placed on a timer to only have power during the hours when you want to restrict wireless access.

From isn at c4i.org Wed Feb 1 07:24:49 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Feb 2006 06:24:49 -0600 (CST)
Subject: [ISN] Honeywell Investigates Security Breach
Message-ID:

http://www.durantdemocrat.com/articles/2006/01/31/ap/hitech/d8ffvnug4.txt

February 1, 2006

MORRISTOWN, N.J. - Honeywell International is offering credit monitoring and identity theft insurance to approximately 19,000 current and former employees whose personal information - including Social Security numbers and bank account information - was posted on an Internet Web site.

The company notified employees about the breach within a day of learning of it on Jan. 20, according to spokesman Robert C. Ferris.

"The company immediately contacted the relevant service provider, had the page removed from the Internet and is continuously monitoring the Internet to ensure that the Web page and any copies of it remain taken down," said Ferris.

He said the company was working with federal and state investigators to determine who posted the data. Ferris said he didn't know whether the posting was the work of a disgruntled employee or resulted from an administrative error or other cause.

"Honeywell will aggressively pursue those responsible for this breach," Ferris said.

In a Jan. 24 letter to employees, the company's vice president of global security, John E.
McClurg, said the Identity Theft and Fraud Division of insurer AIG would help them protect themselves.

"They will provide you with a tool kit of resources and hands-on support to address any issues you encounter," he said.

The Morristown-based industrial and aerospace conglomerate employs about 120,000 people worldwide.

Incidents like the Honeywell security breach are on the rise as thieves and pranksters take aim at corporate America, according to Ron Teixeira, executive director of the National Cyber Security Alliance, a Washington, D.C.-based nonprofit dedicated to educating individuals and corporations about cyber safety.

"There are a number of reasons why this could have happened. When it's put out on the Web, hackers do that to show they could get access to the information and show the company their security was lacking. Other times, hackers are actually thieves or try to sell the information to thieves to commit ID theft.

"Any time your info is posted on a Web site, you never know who's using it and what they're using it for," said Teixeira.

© Durant Democrat

From isn at c4i.org Wed Feb 1 07:25:00 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Feb 2006 06:25:00 -0600 (CST)
Subject: [ISN] Data Loss Mailing List Announcement
Message-ID:

Forwarded from: lyger

In what has become a near weekly occurrence, large companies are collecting your personal information (sometimes without your knowledge or consent), and subsequently letting it fall into the hands of the bad guys. This is your personal information: name, address, social security number, credit card number, bank account numbers, and more.

Data Loss is a mail list that covers topics such as news releases regarding large-scale data loss, data theft, and identity theft incidents. Discussion about incidents, indictments, legislation, and recovery of lost or stolen data is encouraged.
To subscribe to Data Loss, send a mail to:
dataloss-subscribe at attrition.org

To unsubscribe from this list, send a mail to:
dataloss-unsubscribe at attrition.org

From isn at c4i.org Wed Feb 1 07:24:03 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Feb 2006 06:24:03 -0600 (CST)
Subject: [ISN] State takes new look at computer security
Message-ID:

http://kennebecjournal.mainetoday.com/news/local/2383457.shtml

By SUSAN M. COVER
Staff Writer
January 31, 2006

AUGUSTA -- The state is taking steps to limit access to critical computer systems in response to a report that showed deficiencies in security.

The Office of Program Evaluation and Government Accountability released a report Monday that revealed weaknesses in the way the state runs its computer systems.

Part of the report, which was given to lawmakers and others in a closed session last month, indicated that the state needs to make sure only those who have proper credentials can get access to critical information.

However, the state system was not affected by hackers who tapped into Rhode Island's state Web site and got access to credit card numbers, said Richard Thompson, chief information officer for the state. The company that manages the Rhode Island site also works for the Maine government Web site.

The breach, which occurred in December, was made public Friday. Thompson said he had staff working all weekend, but they did not find any record that Maine's site had been illegally accessed.

"We are convinced, at least as of today, we are in good shape," he said.

Rep. A. David Trahan, R-Waldoboro, said he's heard from people who are concerned about the security of state computer systems.

"The urgency of this is greater now because of what just happened," he said.

A review of state computer security procedures conducted by Jefferson Wells International found that "system access controls do not measure up to industry standards."
Also, the state has not adequately put in writing what steps it would take if a major computer system fails or if offices could not be used because of a terrorist threat, according to the report.

Thompson, who is in the process of reorganizing how state agencies purchase and manage computer systems, said at least some of the criticism is due to a lack of paperwork.

"The weaknesses Jefferson Wells identified was, 'We can't tell you what we've got,'" he said. "It wasn't that we didn't have enough security."

Other parts of the report detailed a piecemeal approach in state government when it comes to purchasing new computers. State agencies, often using federal government money, move ahead on an individual basis without consulting other agencies. And although Thompson is in charge of the executive branch computer systems, he does not have jurisdiction over the Legislature or judicial branch.

Also, it's difficult for the program evaluation office to find out how much is being spent on computers and computer software because it is scattered throughout state government, said Beth Ashcroft, director of the evaluation office.

"The goal here from (the program evaluation office) perspective is to shine a light on information technology and how it's being managed," she said. "Right now, there's no good way to get a handle on that."

Another inefficiency is that it's hard to combine data from different agencies and some data is duplicated in several systems, she said.

The program evaluation oversight committee, which is made up of 12 legislators, will meet again to discuss what action it can take to address some of the concerns in the report.

Copyright © 2005 Blethen Maine Newspapers Inc.
From isn at c4i.org Wed Feb 1 07:25:14 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Feb 2006 06:25:14 -0600 (CST)
Subject: [ISN] Boston Globe in credit card data snafu
Message-ID:

http://money.cnn.com/2006/01/31/news/companies/security_bostonglobe.reut/

January 31, 2006

SAN FRANCISCO (Reuters) - Two Massachusetts newspapers owned by The New York Times Co., the Boston Globe and Worcester Telegram & Gazette, said Tuesday they had mistakenly sent out slips of paper with the credit card data of up to nearly a quarter million subscribers.

The credit card numbers were printed on routing slips attached to 9,000 bundles of newspapers sent to retailers and carriers last weekend, according to the newspapers.

"Immediate steps have been taken internally at the Globe and Telegram & Gazette to increase security around credit card reporting," Richard H. Gilman, publisher of the Boston Globe, said in a statement.

The credit card data of up to 240,000 subscribers may have been exposed, they said.

The blunder comes amid heightened concern over the security of consumer data in the wake of several incidents of lost or stolen personal records involving companies such as data broker ChoicePoint Inc., Bank of America Corp. and shoe retailer DSW Inc.

So far, the newspapers had not received any reports of misuses of the credit cards, and American Express, Discover, MasterCard and Visa had been advised of the situation, said Boston Globe spokesman Al Larkin.

Exposure of the data occurred because the Telegram & Gazette, which helps circulate both papers under a shared distribution system, printed the routing slips on recycled paper containing internal reports with subscriber credit card numbers, Larkin said.

"We've put a stop to that," Larkin said of the practice of reusing paper.

The Globe's circulation was 450,000, according to Larkin. He did not have a daily number for the Telegram & Gazette, but said the Sunday edition had a circulation of 81,000.
The newspapers were trying to locate and recover as many of the slips as possible, but believed that most had already been thrown away.

The publications had set up a hotline, 1-888-665-2644, for subscribers to check if their data was sent out.

The papers are part of The New England Media Group, which is owned by The New York Times Co.

From isn at c4i.org Wed Feb 1 07:25:26 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Feb 2006 06:25:26 -0600 (CST)
Subject: [ISN] Spyware probe couple deported to Israel
Message-ID:

http://www.theregister.co.uk/2006/01/31/spyware_suspect_deportation/

By John Leyden
31st January 2006

Spyware-for-hire suspects Michael and Ruth Haephrati arrived in Israel on Monday to face industrial espionage charges following their extradition from Britain. The couple, alleged masterminds behind a spyware-linked industrial espionage program, face trial in their native Israel after dropping an appeal against deportation.

Investigators allege the dynamic duo developed and sold customised spyware or Trojan horse packages designed to evade detection by security tools to three private investigation companies in Israel - Modi'in Ezrahi, Zvi Krochmal, and Philosof-Balali, The Jerusalem Post reports. This spyware code was allegedly installed on victims' PCs by private detectives from a diskette or via email, as part of a spying scam that ran for up to two years. The malware sent stolen documents to an FTP site, allowing unscrupulous firms to swipe confidential documents from rivals. Each software installation allegedly netted the Haephratis ?2,000.

Firms suspected of using the malware include Mayer Motors (an importer of Volvo and Honda cars) against Champion Motors (an Audi and Volkswagen dealership); satellite television company Yes is accused of spying on rival cable TV outfit HOT, while Israeli mobile phone firms Pelephone and Cellcom are accused of spying, Haaretz reports.
The Haephratis are two of 22 people arrested in Israel and the UK in connection with the case, some of whom are currently on trial in Israel's Tel Aviv District Court. ®

From isn at c4i.org Fri Feb 3 04:28:29 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Feb 2006 03:28:29 -0600 (CST)
Subject: [ISN] Black Hat USA CFP opens, Europe early bird reminder, Federal news
Message-ID:

Forwarded from: Jeff Moss

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello InfoSec News readers,

A bunch of announcements from Black Hat. It was easier to bundle them all together instead of sending them out bit by bit, so everything from Black Hat Federal coverage to the CFP opening for the summer USA conference is included. Here we go!

Black Hat Europe 2006 Final Reminder:
Speaker selection for Black Hat Europe 2006 has been finalized. This is our sixth conference in Amsterdam, and we have an impressive line up. Register now and save - our early bird rate closes February 8.
http://www.blackhat.com/html/bh-europe-06/bh-eu-06-speakers.html

Black Hat Europe 2006 Discount Book Offer:
BreakPoint Books, our official bookseller, is currently taking pre-orders of select titles for 15% off the suggested retail price, which can be picked up at the conference. Orders must be placed by February 8, 2006.
Download order form: http://www.blackhat.com/images/bh-europe-06/bh-eu-06-ad.pdf

Black Hat USA 2006 Call for Papers opens!
The Black Hat USA 2006 Call for Papers opens February 1. Don't hesitate to submit your presentations. Unleash your best kung-fu for the greatest chance of being selected.
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-cfp.html

Black Hat USA 2006 Hotel:
Reserve your hotel early. The Black Hat room block at Caesars Palace is now accepting reservations. The block has sold out 6 weeks prior to the start of the show the last few years, so please make your room arrangements early.
Reservations must be made directly through Caesars:
http://www.caesars.com/reservations/main.aspx?hotelid=14&specialgroupcode=SCBL06

Black Hat Federal 06 presentations now on-line:
The presentations from the Black Hat Federal '06 show are currently on-line. In addition to PDFs, appropriate source code and white papers are also present.
http://www.blackhat.com/html/bh-media-archives/bh-archives-2006.html#federal

Black Hat Federal 2006 news:
Black Hat Federal generated a large amount of interest from the press and blog world. The presentations were more paranoid in nature, dealing with topics from root kits to reverse engineering and physical memory forensics. Read the stories at Slashdot, Washington Post, SecurityFocus, the Register, Government Computer News, and others.

* http://it.slashdot.org/article.pl?sid=06/01/27/1327228
* http://www.securityfocus.com/brief/118
* http://blogs.washingtonpost.com/securityfix/2006/01/a_letter_from_b.html
* http://www.gcn.com/vol1_no1/daily-updates/38107-1.html
* http://www.gcn.com/vol1_no1/daily-updates/38098-1.html
* http://www.theregister.co.uk/2006/01/30/good_worms_nematodes_blackhatconference/
* http://taosecurity.blogspot.com/#113839241238734087

We carry links to these and more on our RSS feed.
http://www.blackhat.com/BlackHatRSS.xml

Thanks everyone,

Jeff Moss

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQEVAwUBQ+GFqkqsDNqTZ/G1AQJTgwf/e0uFtSkjISmGCueGBkKymVzx8ZQD7Tm6
kqoY0sC88F4Fn3e+xrPYMUE6XR3Db7u2spa/foK3WQJ1Wb3Wu3D3Guy1sSuTcKAt
u+7tLgpzDCTpWNpYeULub2khW7qvuD+psWrgB1Qj5atTyHTpOHExfUUDUJmoIzpa
X+t8/z7Msh23PPsgTfPwEV5hll51umLziDnh4L0e3p6KvN8YlGI+X+t4hn/DYQNG
AjEcpAlQI7xuXnsdCmliec0KbUzSFDB5QZoCuZ6dnKRHAlXBaUT58p+SDcF8nOOS
0qSdd+Q9NftA6Ehsiyv0pW0Hst5IZoAnGWZGxwKrKMHWE0iojOVwlA==
=XBlJ
-----END PGP SIGNATURE-----

From isn at c4i.org Fri Feb 3 04:29:56 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Feb 2006 03:29:56 -0600 (CST)
Subject: [ISN] Linux Advisory Watch - February 3rd 2006
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|  February 3rd, 2006                        Volume 7, Number 5a      |
+---------------------------------------------------------------------+

Editors:      Dave Wreski                   Benjamin D. Thomas
              dave at linuxsecurity.com     ben at linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

Due to several changes in our advisory archiving scripts, Linux Advisory Watch did not go out last week. This has caused an unusually high number of advisories. The purpose of this week's newsletter is to 'catch up' and ensure that every advisory has been published. We apologize for any inconvenience.
Advisories were released for petris, unzip, tetex-bin, koffice, fetchmail, gpdf, tuxpaint, albatross, mantis, antiword, smstools, sudo, ClamAV, kdelibs, crawl, CUPS, trac, libapache-auth-ldap, flyspray, wine, mailman, lsh-utils, ImageMagick, drupal, hylafax, libextractor, unalz, libmail-audit-perl, pdftohtml, mod_auth_pgsql, poppler, tetex, kdegraphics, ethereal, httpd, openssh, mozilla, firefox, Gallery, LibAST, Paros, MyDNS, xorg-x11, UUlib, SSLeay, mdkonline, gthumb, libgphoto, net-snmp, apache2, thunderbird, bzip2, gzip, libast, gd, and phpMyAdmin. The distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat, and SuSE.

----

Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/linsec

----

A Linux Security Look To The Future
By: Pax Dickinson

It's much the same story as last year: Windows worms and viruses continually propagate, crossbreed, and multiply while Linux remains above the fray. Sober and the other "newsmaking" viruses all infect and attack Windows, while all Linux admins get out of it are a few hits to our Snort rulesets. Yes, there are worms attacking Linux, and Linux, like any other system, is certainly not immune. Linux is, however, more resistant.

One reason is made clear when the internet is compared to a biosphere. Linux is a mutt. Every Linux distribution does things slightly differently, Linux runs on very varied hardware, and many Linux users compile their own software. Things just aren't as standardized in the Linux world, which is viewed as a flaw by many pundits, though it has many benefits when it comes to security.
A Linux security flaw may only affect a certain distribution or application, and most distributions and applications lack the massive marketshare to provide enough sustenance for a worm to really get going. Meanwhile, the applications that do possess large marketshare, such as Apache, tend to be generally secure due to their source code availability.

Windows, on the other hand, lacks this genetic diversity. One copy of Windows XP is exactly like the next, and the source is closed, so previously unknown flaws are discovered all the time. Yes, Windows does have a greater marketshare, making it a bigger target, but I'd wager that if the marketshares of Windows and Linux were even, Windows would still have more vulnerabilities. In nature, populations that lack genetic diversity run the risk of being decimated by a virulent disease, and the internet is no different. There's a reason we use biological metaphors like "worm" and "virus" to describe malware.

Linux also benefits by tending to not be a primary target for malware authors because they have such a juicy target in Windows. Of course, keeping systems patched has been and will remain key; luckily, most Linux distributions available today tend to be very polished in this area, with tools such as apt-get, yum, and portage providing easy application and system upgrades.

So much for the good. Looking to the future, things go from bad to beyond ugly. We Linux users should realize how good we have it right now and recognize that the current security situation will not remain so benevolent for us. In an environment of dumb worms and viruses targeted at the least common denominator, Linux is well prepared to hold fast and remain generally secure. However, sinister trends are developing now that may end this state of complacency and need to be addressed.
Crime related to spam, spyware, and other online illegalities is said by some experts to have recently passed international drug trafficking in dollars earned, and malicious hacking that used to be performed for fun is now a big business. Websites once hacked only so the culprit could deface them and show off are now penetrated in order to steal customer data and engage in identity theft. Botnets of more than a million compromised hosts are not unknown, used to send spam, host child pornography, and perform distributed DoS attacks. An underground market for botnets has made the creation of viruses and trojans into a thriving business opportunity for the unscrupulous.

Read Entire Article:
http://www.linuxsecurity.com/content/view/121230/49/

----------------------

EnGarde Secure Community 3.0.3 Released

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.3 (Version 3.0, Release 3). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool, the SELinux policy, and the LiveCD environment.

http://www.linuxsecurity.com/content/view/121150/65/

---

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.
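The "adjacent buffers" point above is easiest to see in a concrete layout. The C below is an added example for this newsletter section, not code from LinuxSecurity.com or from the linked article: a constructed `struct record` places a 16-byte `name` field directly before an `is_admin` field, so an unbounded `strcpy()` into `name` would spill into `is_admin`. The vulnerable call is shown only for contrast and is never fed over-long input; the hardened `set_name_safe()` bounds the copy by the destination size, always terminates the string, and reports truncation so the caller can reject the input instead of silently accepting a shortened one. All names and the 32-byte test input are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed layout for illustration: a fixed-size name field followed
 * by an adjacent field. Bytes written past `name` land in `is_admin`,
 * which is the "overflow into adjacent buffers" the text describes. */
struct record {
    char name[16];
    int  is_admin;
};

/* Vulnerable pattern: strcpy() copies until it finds src's terminator and
 * never consults the size of the destination. A src of 16 or more bytes
 * runs off the end of `name` and overwrites `is_admin`. Kept here only for
 * contrast; the demo functions never pass it over-long input. */
void set_name_unsafe(struct record *r, const char *src)
{
    strcpy(r->name, src);
}

/* Hardened form: bound the copy by the destination size, always leave a
 * terminator, and tell the caller when the input did not fit so it can be
 * rejected rather than silently truncated. Returns true when src fit. */
bool set_name_safe(struct record *r, const char *src)
{
    size_t cap = sizeof r->name;
    size_t len = 0;

    /* Measure src but stop at cap: no need to scan an unbounded input. */
    while (len < cap && src[len] != '\0')
        len++;

    if (len >= cap) {                 /* needs cap or more bytes: too long */
        memcpy(r->name, src, cap - 1);
        r->name[cap - 1] = '\0';
        return false;
    }
    memcpy(r->name, src, len + 1);    /* len + 1 includes the terminator */
    return true;
}

/* Feeds a constructed 32-byte input (twice the field size) to the hardened
 * copy. Returns 1 when the call reported truncation, left the name
 * terminated at 15 characters, and left `is_admin` untouched. */
int demo_overflow_contained(void)
{
    struct record r = { "", 0 };
    const char *oversized = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    bool fit = set_name_safe(&r, oversized);
    return !fit && r.is_admin == 0 && strlen(r.name) == 15;
}

/* Short-input path: the hardened copy must behave like a plain copy and
 * leave the neighbouring field alone. Returns 1 on success. */
int demo_short_name_fits(void)
{
    struct record r = { "", 7 };
    bool fit = set_name_safe(&r, "alice");
    return fit && strcmp(r.name, "alice") == 0 && r.is_admin == 7;
}

int main(void)
{
    struct record r = { "", 0 };
    set_name_unsafe(&r, "alice");     /* fits, so no damage in this call */
    printf("unsafe copy, short input: name=%s is_admin=%d\n", r.name, r.is_admin);
    printf("hardened copy contains oversized input: %s\n",
           demo_overflow_contained() ? "yes" : "no");
    printf("hardened copy passes short input through: %s\n",
           demo_short_name_fits() ? "yes" : "no");
    return 0;
}
```

Returning a truncation flag rather than quietly shortening the name matters in practice: a silently truncated value can still pass later checks, whereas a rejected one forces the caller to treat over-long input as an error.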
http://www.linuxsecurity.com/content/view/119087/49/

--------

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New petris packages fix buffer overflow
  27th, January, 2006

Steve Kemp from the Debian Security Audit project discovered a buffer overflow in petris, a clone of the Tetris game, which may be exploited to execute arbitrary code with group games privileges.

http://www.linuxsecurity.com/content/view/121285

* Debian: New unzip packages fix unauthorised permissions modification
  27th, January, 2006

The unzip update in DSA 903 contained a regression so that symbolic links that are resolved later in a zip archive aren't supported anymore. This update corrects this behaviour.

http://www.linuxsecurity.com/content/view/121286

* Debian: New tetex-bin packages fix arbitrary code execution
  27th, January, 2006

"infamous41md" and Chris Evans discovered several heap based buffer overflows in xpdf, the Portable Document Format (PDF) suite, which is also present in tetex-bin, the binary files of teTeX, and which can lead to a denial of service by crashing the application or possibly to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121287

* Debian: New koffice packages fix arbitrary code execution
  27th, January, 2006

"infamous41md" and Chris Evans discovered several heap based buffer overflows in xpdf, the Portable Document Format (PDF) suite, which is also present in koffice, the KDE Office Suite, and which can lead to a denial of service by crashing the application or possibly to the execution of arbitrary code.
http://www.linuxsecurity.com/content/view/121288

* Debian: New fetchmail packages fix denial of service
  27th, January, 2006

Daniel Drake discovered a problem in fetchmail, an SSL enabled POP3, APOP, IMAP mail gatherer/forwarder, that can cause a crash when the program is running in multidrop mode and receives messages without headers.

http://www.linuxsecurity.com/content/view/121289

* Debian: New gpdf packages fix arbitrary code execution
  27th, January, 2006

"infamous41md" and Chris Evans discovered several heap based buffer overflows in xpdf, the Portable Document Format (PDF) suite, which is also present in gpdf, the GNOME version of the Portable Document Format viewer, and which can lead to a denial of service by crashing the application or possibly to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121290

* Debian: New tuxpaint packages fix insecure temporary file creation
  27th, January, 2006

Javier Fernández-Sanguino Peña from the Debian Security Audit project discovered that a script in tuxpaint, a paint program for young children, creates a temporary file in an insecure fashion.

http://www.linuxsecurity.com/content/view/121291

* Debian: New albatross packages fix arbitrary code execution
  27th, January, 2006

A design error has been discovered in the Albatross web application toolkit that causes user supplied data to be used as part of template execution and hence arbitrary code execution.

http://www.linuxsecurity.com/content/view/121292

* Debian: New Perl packages fix arbitrary code execution
  27th, January, 2006

Jack Louis discovered an integer overflow in Perl, Larry Wall's Practical Extraction and Report Language, that allows attackers to overwrite arbitrary memory and possibly execute arbitrary code via specially crafted content that is passed to vulnerable format strings of third party software.
http://www.linuxsecurity.com/content/view/121293

* Debian: New mantis packages fix several vulnerabilities
  27th, January, 2006

Several security related problems have been discovered in Mantis, a web-based bug tracking system. The Common Vulnerabilities and Exposures project identifies the following problems:

http://www.linuxsecurity.com/content/view/121294

* Debian: New antiword packages fix insecure temporary file creation
  27th, January, 2006

Javier Fernández-Sanguino Peña from the Debian Security Audit project discovered that two scripts in antiword, utilities to convert Word files to text and Postscript, create a temporary file in an insecure fashion.

http://www.linuxsecurity.com/content/view/121295

* Debian: New smstools packages fix format string vulnerability
  27th, January, 2006

Ulf Harnhammar from the Debian Security Audit project discovered a format string attack in the logging code of smstools, which may be exploited to execute arbitrary code with root privileges.

http://www.linuxsecurity.com/content/view/121296

* Debian: New sudo packages fix privilege escalation
  27th, January, 2006

It has been discovered that sudo, a privileged program that provides limited super user privileges to specific users, passes several environment variables to the program that runs with elevated privileges. In the case of include paths (e.g. for Perl, Python, Ruby or other scripting languages) this can cause arbitrary code to be executed as privileged user if the attacker points to a manipulated version of a system library.

http://www.linuxsecurity.com/content/view/121297

* Debian: New ClamAV packages fix heap overflow
  27th, January, 2006

A heap overflow has been discovered in ClamAV, a virus scanner, which could allow an attacker to execute arbitrary code by sending a carefully crafted UPX-encoded executable to a system running ClamAV. In addition, other potential overflows have been corrected.
http://www.linuxsecurity.com/content/view/121298

* Debian: New kdelibs packages fix buffer overflow
  27th, January, 2006

Maksim Orlovich discovered that the kjs Javascript interpreter, used in the Konqueror web browser and in other parts of KDE, performs insufficient bounds checking when parsing UTF-8 encoded Uniform Resource Identifiers, which may lead to a heap based buffer overflow and the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121299

* Debian: New crawl packages fix potential group games execution
  27th, January, 2006

Steve Kemp from the Debian Security Audit project discovered a security related problem in crawl, another console based dungeon exploration game in the vein of nethack and rogue. The program executes commands insecurely when saving or loading games which can allow local attackers to gain group games privileges.

http://www.linuxsecurity.com/content/view/121300

* Debian: New CUPS packages fix arbitrary code execution
  27th, January, 2006

"infamous41md" and Chris Evans discovered several heap based buffer overflows in xpdf which are also present in CUPS, the Common UNIX Printing System, and which can lead to a denial of service by crashing the application or possibly to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121301

* Debian: New trac packages fix SQL injection and cross-site scripting
  27th, January, 2006

Several vulnerabilities have been discovered in trac, an enhanced wiki and issue tracking system for software development projects. The Common Vulnerabilities and Exposures project identifies the following problems:

http://www.linuxsecurity.com/content/view/121302

* Debian: New libapache-auth-ldap packages fix arbitrary code execution
  27th, January, 2006

"Seregorn" discovered a format string vulnerability in the logging function of libapache-auth-ldap, an LDAP authentication module for the Apache webserver, that can lead to the execution of arbitrary code.
http://www.linuxsecurity.com/content/view/121303

* Debian: New flyspray packages fix cross-site scripting
  27th, January, 2006

Several cross-site scripting vulnerabilities have been discovered in flyspray, a lightweight bug tracking system, which allows attackers to insert arbitrary script code into the index page.

http://www.linuxsecurity.com/content/view/121304

* Debian: New wine packages fix arbitrary code execution
  27th, January, 2006

H D Moore discovered that Wine, a free implementation of the Microsoft Windows APIs, inherits a design flaw from the Windows GDI API, which may lead to the execution of code through GDI escape functions in WMF files.

http://www.linuxsecurity.com/content/view/121305

* Debian: New clamav packages fix heap overflow
  27th, January, 2006

A heap overflow has been discovered in ClamAV, a virus scanner, which could allow an attacker to execute arbitrary code by sending a carefully crafted UPX-encoded executable to a system running ClamAV. In addition, other potential overflows have been corrected.

http://www.linuxsecurity.com/content/view/121306

* Debian: New xpdf packages fix arbitrary code execution
  27th, January, 2006

"infamous41md" and Chris Evans discovered several heap based buffer overflows in xpdf, the Portable Document Format (PDF) suite, that can lead to a denial of service by crashing the application or possibly to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121307

* Debian: New mailman packages fix denial of service
  27th, January, 2006

Two denial of service bugs were found in the mailman list server. In one, attachment filenames containing UTF8 strings were not properly parsed, which could cause the server to crash. In another, a message containing a bad date string could cause a server crash.
http://www.linuxsecurity.com/content/view/121308

* Debian: New lsh-utils packages fix local vulnerabilities
  27th, January, 2006

Stefan Pfetzing discovered that lshd, a Secure Shell v2 (SSH2) protocol server, leaks a couple of file descriptors, related to the randomness generator, to user shells which are started by lshd. A local attacker can truncate the server's seed file, which may prevent the server from starting, and with some more effort, maybe also crack session keys.

http://www.linuxsecurity.com/content/view/121309

* Debian: New ImageMagick packages fix arbitrary command execution
  27th, January, 2006

Florian Weimer discovered that delegate code in ImageMagick is vulnerable to shell command injection using specially crafted file names. This allows attackers to encode commands inside of graphic commands. With some user interaction, this is exploitable through Gnus and Thunderbird.

http://www.linuxsecurity.com/content/view/121310

* Debian: New drupal packages fix several vulnerabilities
  27th, January, 2006

Several security related problems have been discovered in drupal, a fully-featured content management/discussion engine. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:

http://www.linuxsecurity.com/content/view/121311

* Debian: New kpdf packages fix arbitrary code execution
  27th, January, 2006

"infamous41md" and Chris Evans discovered several heap based buffer overflows in xpdf, the Portable Document Format (PDF) suite, that can lead to a denial of service by crashing the application or possibly to the execution of arbitrary code. The same code is present in kpdf which is part of the kdegraphics package.
http://www.linuxsecurity.com/content/view/121312

* Debian: New hylafax packages fix arbitrary command execution
  27th, January, 2006

Patrice Fournier found that hylafax passes unsanitized user data in the notify script, allowing users with the ability to submit jobs to run arbitrary commands with the privileges of the hylafax server.

http://www.linuxsecurity.com/content/view/121313

* Debian: New pound packages fix multiple vulnerabilities
  27th, January, 2006

Two vulnerabilities have been discovered in Pound, a reverse proxy and load balancer for HTTP. The Common Vulnerabilities and Exposures project identifies the following problems:

http://www.linuxsecurity.com/content/view/121314

* Debian: New smstools packages fix format string vulnerability
  27th, January, 2006

Ulf Harnhammar from the Debian Security Audit project discovered a format string attack in the logging code of smstools, which may be exploited to execute arbitrary code with root privileges.

http://www.linuxsecurity.com/content/view/121315

* Debian: New libapache2-mod-auth-pgsql packages fix arbitrary code execution
  27th, January, 2006

iDEFENSE reports that a format string vulnerability in mod_auth_pgsql, a library used to authenticate web users against a PostgreSQL database, could be used to execute arbitrary code with the privileges of the httpd user.

http://www.linuxsecurity.com/content/view/121316

* Debian: New libextractor packages fix arbitrary code execution
  27th, January, 2006

"infamous41md" and Chris Evans discovered several heap based buffer overflows in xpdf, the Portable Document Format (PDF) suite, which is also present in libextractor, a library to extract arbitrary meta-data from files, and which can lead to a denial of service by crashing the application or possibly to the execution of arbitrary code.
http://www.linuxsecurity.com/content/view/121317

* Debian: New trac packages fix SQL injection and cross-site scripting
  30th, January, 2006

This update corrects the search feature in trac, an enhanced wiki and issue tracking system for software development projects, which broke with the last security update.

http://www.linuxsecurity.com/content/view/121444

* Debian: New unalz packages fix arbitrary code execution
  30th, January, 2006

Ulf Härnhammar from the Debian Audit Project discovered that unalz, a decompressor for ALZ archives, performs insufficient bounds checking when parsing file names. This can lead to arbitrary code execution if an attacker provides a crafted ALZ archive.

http://www.linuxsecurity.com/content/view/121446

* Debian: New ImageMagick packages fix arbitrary command execution
  31st, January, 2006

Florian Weimer discovered that delegate code in ImageMagick is vulnerable to shell command injection using specially crafted file names. This allows attackers to encode commands inside of graphic commands. With some user interaction, this is exploitable through Gnus and Thunderbird. This update filters out the '$' character as well, which was forgotten in the former update.

http://www.linuxsecurity.com/content/view/121451

* Debian: New libmail-audit-perl packages fix insecure temporary file use
  31st, January, 2006

Niko Tyni discovered that the Mail::Audit module, a Perl library for creating simple mail filters, logs to a temporary file with a predictable filename in an insecure fashion when logging is turned on, which is not the case by default.

http://www.linuxsecurity.com/content/view/121452

* Debian: New libmail-audit-perl packages fix insecure temporary file use
  31st, January, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121461

* Debian: New pdfkit.framework packages fix arbitrary code execution
  1st, February, 2006

Updated package.
http://www.linuxsecurity.com/content/view/121462

* Debian: New pdftohtml packages fix arbitrary code execution
  1st, February, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121463

* Debian: New mydns packages fix denial of service
  2nd, February, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121475

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Core 4 Update: cups-1.1.23-15.3
  27th, January, 2006

This update fixes the pdftops filter's handling of some incorrectly-formed PDF files. Issues fixed are CVE-2005-3625, CVE-2005-3626, and CVE-2005-3627.

http://www.linuxsecurity.com/content/view/121373

* Fedora Core 3 Update: cups-1.1.22-0.rc1.8.9
  27th, January, 2006

This update fixes the pdftops filter's handling of some incorrectly-formed PDF files. Issues fixed are CVE-2005-3625, CVE-2005-3626, and CVE-2005-3627.

http://www.linuxsecurity.com/content/view/121374

* Fedora Core 4 Update: kernel-2.6.14-1.1656_FC4
  27th, January, 2006

This update fixes several low-priority security problems that were discovered during the development of 2.6.15, and backported. Notably, CVE-2005-4605.

http://www.linuxsecurity.com/content/view/121377

* Fedora Core 3 Update: mod_auth_pgsql-2.0.1-6.2
  27th, January, 2006

Several format string flaws were found in the way mod_auth_pgsql logs information. It may be possible for a remote attacker to execute arbitrary code as the 'apache' user if mod_auth_pgsql is used for user authentication. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3656 to this issue. Please note that this issue only affects servers which have mod_auth_pgsql installed and configured to perform user authentication against a PostgreSQL database. Red Hat would like to thank iDefense for reporting this issue.
http://www.linuxsecurity.com/content/view/121378

* Fedora Core 4 Update: mod_auth_pgsql-2.0.1-8.1
  27th, January, 2006

Several format string flaws were found in the way mod_auth_pgsql logs information. It may be possible for a remote attacker to execute arbitrary code as the 'apache' user if mod_auth_pgsql is used for user authentication. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3656 to this issue. Please note that this issue only affects servers which have mod_auth_pgsql installed and configured to perform user authentication against a PostgreSQL database. Red Hat would like to thank iDefense for reporting this issue.

http://www.linuxsecurity.com/content/view/121379

* Fedora Core 3 Update: gpdf-2.8.2-7.2
  27th, January, 2006

Chris Evans discovered several flaws in the way CUPS processes PDF files. An attacker could construct a carefully crafted PDF file that could cause CUPS to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the names CVE-2005-3624, CVE-2005-3625, CVE-2005-3626, and CVE-2005-3627 to these issues.

http://www.linuxsecurity.com/content/view/121392

* Fedora Core 4 Update: poppler-0.4.4-1.1
  27th, January, 2006

Chris Evans discovered several flaws in the way poppler processes PDF files. An attacker could construct a carefully crafted PDF file that could cause poppler to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the names CVE-2005-3624, CVE-2005-3625, CVE-2005-3626, and CVE-2005-3627 to these issues.

http://www.linuxsecurity.com/content/view/121393

* Fedora Core 4 Update: xpdf-3.01-0.FC4.6
  27th, January, 2006

Several flaws were discovered in Xpdf. An attacker could construct a carefully crafted PDF file that could cause xpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-3193 to these issues.
Users of xpdf should upgrade to this updated package, which contains a patch to resolve these issues.

http://www.linuxsecurity.com/content/view/121395

* Fedora Core 4 Update: tetex-3.0-9.FC4
  27th, January, 2006

Several flaws were discovered in the way teTeX processes PDF files. An attacker could construct a carefully crafted PDF file that could cause poppler to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the names CVE-2005-3625, CVE-2005-3626, and CVE-2005-3627 to these issues. This package also updates bindings in texdoc and causes the local texmf tree to be searched first.

http://www.linuxsecurity.com/content/view/121396

* Fedora Core 3 Update: tetex-2.0.2-21.7.FC3
  27th, January, 2006

Several flaws were discovered in the way teTeX processes PDF files. An attacker could construct a carefully crafted PDF file that could cause poppler to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the names CVE-2005-3624, CVE-2005-3625, CVE-2005-3626, and CVE-2005-3627 to these issues.

http://www.linuxsecurity.com/content/view/121397

* Fedora Core 4 Update: kdegraphics-3.5.0-0.2.fc4
  27th, January, 2006

Several flaws were discovered in Xpdf. An attacker could construct a carefully crafted PDF file that could cause xpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-3193 to these issues. Users of kdegraphics should upgrade to this updated package, which contains a patch to resolve these issues.

http://www.linuxsecurity.com/content/view/121404

* Fedora Core 3 Update: ethereal-0.10.14-1.FC3.1
  27th, January, 2006

This update fixes a DoS in Ethereal.
http://www.linuxsecurity.com/content/view/121408

* Fedora Core 4 Update: kdelibs-3.5.0-0.4.fc4
  27th, January, 2006

A heap overflow flaw was discovered affecting kjs, the JavaScript interpreter engine used by Konqueror and other parts of KDE. An attacker could create a malicious web site containing carefully crafted JavaScript code that would trigger this flaw and possibly lead to arbitrary code execution. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0019 to this issue. Users of KDE should upgrade to these updated packages, which contain a backported patch from the KDE security team correcting this issue.

http://www.linuxsecurity.com/content/view/121415

* Fedora Core 4 Update: httpd-2.0.54-10.3
  27th, January, 2006

This update includes fixes for three security issues in the Apache HTTP Server.

http://www.linuxsecurity.com/content/view/121420

* Fedora Core 4 Update: openssh-4.2p1-fc4.10
  27th, January, 2006

This is a minor security update which fixes double shell expansion in local to local and remote to remote copy with scp. It also fixes a few other minor non-security issues.

http://www.linuxsecurity.com/content/view/121421

* Fedora Core 4 Update: mozilla-1.7.12-1.5.2
  2nd, February, 2006

Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Igor Bukanov discovered a bug in the way Mozilla's JavaScript interpreter dereferences objects. If a user visits a malicious web page, Mozilla could crash or execute arbitrary code as the user running Mozilla.

http://www.linuxsecurity.com/content/view/121496

* Fedora Core 4 Update: firefox-1.0.7-1.2.fc4
  2nd, February, 2006

Mozilla Firefox is an open source Web browser. Igor Bukanov discovered a bug in the way Firefox's JavaScript interpreter dereferences objects. If a user visits a malicious web page, Firefox could crash or execute arbitrary code as the user running Firefox.
The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0292 to this issue.

http://www.linuxsecurity.com/content/view/121497

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: HylaFAX Multiple vulnerabilities
  27th, January, 2006

HylaFAX is vulnerable to arbitrary code execution and unauthorized access vulnerabilities.

http://www.linuxsecurity.com/content/view/121318

* Gentoo: KPdf, KWord Multiple overflows in included Xpdf code
  27th, January, 2006

KPdf and KWord both include vulnerable Xpdf code to handle PDF files, making them vulnerable to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121319

* Gentoo: xine-lib, FFmpeg Heap-based buffer overflow
  27th, January, 2006

xine-lib and FFmpeg are vulnerable to a buffer overflow that may be exploited by attackers to execute arbitrary code.

http://www.linuxsecurity.com/content/view/121320

* Gentoo: ClamAV Remote execution of arbitrary code
  27th, January, 2006

ClamAV is vulnerable to a buffer overflow which may lead to remote execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121321

* Gentoo: HylaFAX Multiple vulnerabilities
  27th, January, 2006

HylaFAX is vulnerable to arbitrary code execution and unauthorized access vulnerabilities.

http://www.linuxsecurity.com/content/view/121322

* Gentoo: Blender Heap-based buffer overflow
  27th, January, 2006

Blender is vulnerable to a buffer overflow that may be exploited by attackers to execute arbitrary code.

http://www.linuxsecurity.com/content/view/121323

* Gentoo: Wine Windows Metafile SETABORTPROC vulnerability
  27th, January, 2006

Fixed packages were issued to fix this vulnerability in Wine, but some of the fixed packages were missing the correct patch. All Wine users should re-emerge Wine to make sure they are safe. The corrected sections appear below.
http://www.linuxsecurity.com/content/view/121324

* Gentoo: KDE kjs URI heap overflow vulnerability
  27th, January, 2006

KDE fails to properly validate URIs when handling javascript, potentially resulting in the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121325

* Gentoo: Trac Cross-site scripting vulnerability
  27th, January, 2006

Trac is vulnerable to a cross-site scripting attack that could allow arbitrary JavaScript code execution.

http://www.linuxsecurity.com/content/view/121326

* Gentoo: Gallery Cross-site scripting vulnerability
  27th, January, 2006

Gallery is possibly vulnerable to a cross-site scripting attack that could allow arbitrary JavaScript code execution.

http://www.linuxsecurity.com/content/view/121327

* Gentoo: mod_auth_pgsql Multiple format string vulnerabilities
  27th, January, 2006

Format string vulnerabilities in mod_auth_pgsql may lead to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121328

* Gentoo: xine-lib, FFmpeg Heap-based buffer overflow
  27th, January, 2006

xine-lib and FFmpeg are vulnerable to a buffer overflow that may be exploited by attackers to execute arbitrary code.

http://www.linuxsecurity.com/content/view/121329

* Gentoo: VMware Workstation Vulnerability in NAT networking
  27th, January, 2006

VMware guest operating systems can execute arbitrary code with elevated privileges on the host operating system through a flaw in NAT networking.

http://www.linuxsecurity.com/content/view/121330

* Gentoo: ClamAV Remote execution of arbitrary code
  27th, January, 2006

ClamAV is vulnerable to a buffer overflow which may lead to remote execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121331

* Gentoo: Blender Heap-based buffer overflow
  27th, January, 2006

Blender is vulnerable to a buffer overflow that may be exploited by attackers to execute arbitrary code.
http://www.linuxsecurity.com/content/view/121332

* Gentoo: Wine Windows Metafile SETABORTPROC vulnerability
  27th, January, 2006

There is a flaw in Wine in the handling of Windows Metafiles (WMF) files, which could possibly result in the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121333

* Gentoo: Sun and Blackdown Java Applet privilege escalation
  27th, January, 2006

Sun's and Blackdown's JDK or JRE may allow untrusted applets to elevate their privileges.

http://www.linuxsecurity.com/content/view/121334

* Gentoo: Wine Windows Metafile SETABORTPROC vulnerability
  27th, January, 2006

There is a flaw in Wine in the handling of Windows Metafiles (WMF) files, which could possibly result in the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121335

* Gentoo: LibAST Privilege escalation
  29th, January, 2006

A buffer overflow in LibAST may result in execution of arbitrary code with escalated privileges.

http://www.linuxsecurity.com/content/view/121434

* Gentoo: Paros Default administrator password
  29th, January, 2006

Paros's database component is installed without a password, allowing execution of arbitrary system commands.

http://www.linuxsecurity.com/content/view/121435

* Gentoo: MyDNS Denial of Service
  30th, January, 2006

MyDNS contains a vulnerability that may lead to a Denial of Service attack.

http://www.linuxsecurity.com/content/view/121447

* Gentoo: Xpdf, Poppler, GPdf, libextractor, pdftohtml Heap overflows
  30th, January, 2006

Xpdf, Poppler, GPdf, libextractor and pdftohtml are vulnerable to integer overflows that may be exploited to execute arbitrary code.
http://www.linuxsecurity.com/content/view/121449

+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated koffice packages fix several vulnerabilities
  27th, January, 2006

Multiple heap-based buffer overflows in the DCTStream::readProgressiveSOF and DCTStream::readBaselineSOF functions in the DCT stream parsing code (Stream.cc) in xpdf 3.01 and earlier, allow user-complicit attackers to cause a denial of service (heap corruption) and possibly execute arbitrary code via a crafted PDF file with an out-of-range number of components (numComps), which is used as an array index. (CVE-2005-3191)

http://www.linuxsecurity.com/content/view/121337

* Mandriva: Updated poppler packages fix several vulnerabilities
  27th, January, 2006

Multiple heap-based buffer overflows in the DCTStream::readProgressiveSOF and DCTStream::readBaselineSOF functions in the DCT stream parsing code (Stream.cc) in xpdf 3.01 and earlier, allow user-complicit attackers to cause a denial of service (heap corruption) and possibly execute arbitrary code via a crafted PDF file with an out-of-range number of components (numComps), which is used as an array index. (CVE-2005-3191)

http://www.linuxsecurity.com/content/view/121338

* Mandriva: Updated cups packages fix several vulnerabilities
  27th, January, 2006

Multiple heap-based buffer overflows in the DCTStream::readProgressiveSOF and DCTStream::readBaselineSOF functions in the DCT stream parsing code (Stream.cc) in xpdf 3.01 and earlier, allow user-complicit attackers to cause a denial of service (heap corruption) and possibly execute arbitrary code via a crafted PDF file with an out-of-range number of components (numComps), which is used as an array index.
(CVE-2005-3191)

http://www.linuxsecurity.com/content/view/121340

* Mandriva: Updated tetex packages fix several vulnerabilities
  27th, January, 2006

Multiple heap-based buffer overflows in the DCTStream::readProgressiveSOF and DCTStream::readBaselineSOF functions in the DCT stream parsing code (Stream.cc) in xpdf 3.01 and earlier, allow user-complicit attackers to cause a denial of service (heap corruption) and possibly execute arbitrary code via a crafted PDF file with an out-of-range number of components (numComps), which is used as an array index. (CVE-2005-3191)

http://www.linuxsecurity.com/content/view/121341

* Mandriva: Updated xorg-x11 packages to address several bugs.
  27th, January, 2006

Issues have been reported with display corruption for various cards, including several ATI and Nvidia cards when using the free drivers. There was also an issue with the Greek keyboard layout. These should be corrected by the upstream 6.9.0 final, which this package is based on. Updated packages should correct these issues.

http://www.linuxsecurity.com/content/view/121342

* Mandriva: Updated kdegraphics packages fix several vulnerabilities
  27th, January, 2006

Multiple heap-based buffer overflows in the DCTStream::readProgressiveSOF and DCTStream::readBaselineSOF functions in the DCT stream parsing code (Stream.cc) in xpdf 3.01 and earlier, allow user-complicit attackers to cause a denial of service (heap corruption) and possibly execute arbitrary code via a crafted PDF file with an out-of-range number of components (numComps), which is used as an array index. (CVE-2005-3191)

http://www.linuxsecurity.com/content/view/121343

* Mandriva: Updated kolab packages fix vulnerability
  27th, January, 2006

A problem exists in how the Kolab Server transports emails bigger than 8KB in size and if a dot (".") character exists in the wrong place.
If these conditions are met, kolabfilter will double this dot and a modified email will be delivered, which could lead to broken clear-text signatures or broken attachments. The updated packages have been patched to correct these problems.

http://www.linuxsecurity.com/content/view/121344

* Mandriva: Updated pdftohtml packages fix several vulnerabilities
  27th, January, 2006

Multiple heap-based buffer overflows in the DCTStream::readProgressiveSOF and DCTStream::readBaselineSOF functions in the DCT stream parsing code (Stream.cc) in xpdf 3.01 and earlier, allow user-complicit attackers to cause a denial of service (heap corruption) and possibly execute arbitrary code via a crafted PDF file with an out-of-range number of components (numComps), which is used as an array index. (CVE-2005-3191)

http://www.linuxsecurity.com/content/view/121345

* Mandriva: Updated wine packages fix WMF vulnerability
  27th, January, 2006

A vulnerability was discovered by H D Moore in Wine which implements the SETABORTPROC GDI Escape function for Windows Metafile (WMF) files. This could be abused by an attacker who is able to entice a user to open a specially crafted WMF file from within a Wine-executed Windows application, possibly resulting in the execution of arbitrary code with the privileges of the user running Wine. The updated packages have been patched to correct these problems.

http://www.linuxsecurity.com/content/view/121346

* Mandriva: Updated hylafax packages fix eval injection vulnerabilities
  27th, January, 2006

Patrice Fournier discovered the faxrcvd/notify scripts (executed as the uucp/fax user) run user-supplied input through eval without any attempt at sanitising it first. This would allow any user who could submit jobs to HylaFAX, or through telco manipulation control the representation of callid information presented to HylaFAX, to run arbitrary commands as the uucp/fax user.
(CVE-2005-3539, only 'notify' in the covered versions)

Updated packages were also reviewed for vulnerability to an issue where if PAM is disabled, a user could log in with no password. (CVE-2005-3538)

In addition, some fixes to the packages for permissions, and the %pre/%post scripts were backported from cooker. (#19679)

The updated packages have been patched to correct these issues.

http://www.linuxsecurity.com/content/view/121348

* Mandriva: Updated clamav packages fix vulnerability
  27th, January, 2006

A heap-based buffer overflow was discovered in ClamAV versions prior to 0.88 which allows remote attackers to cause a crash and possibly execute arbitrary code via specially crafted UPX files. This update provides ClamAV 0.88 which corrects this issue and also fixes some other bugs.

http://www.linuxsecurity.com/content/view/121349

* Mandriva: Updated mod_auth_ldap packages fix vulnerability
  27th, January, 2006

A format string flaw was discovered in the way that auth_ldap logs information which may allow a remote attacker to execute arbitrary code as the apache user if auth_ldap is used for authentication. This update provides version 1.6.1 of auth_ldap which corrects the problem. Only Corporate Server 2.1 shipped with a supported auth_ldap package.

http://www.linuxsecurity.com/content/view/121355

* Mandriva: Updated kernel packages fix several vulnerabilities
  27th, January, 2006

A number of vulnerabilities have been corrected in the Linux kernel.

http://www.linuxsecurity.com/content/view/121356

* Mandriva: Updated kdelibs packages fix vulnerability
  27th, January, 2006

A heap overflow vulnerability was discovered in kjs, the KDE JavaScript interpreter engine. An attacker could create a malicious web site that contained carefully crafted JavaScript code that could trigger the flaw and potentially lead to the arbitrary execution of code as the user visiting the site. The updated packages have been patched to correct this problem.
http://www.linuxsecurity.com/content/view/121357

* Mandriva: Updated ipsec-tools packages fix vulnerability
27th, January, 2006

The Internet Key Exchange version 1 (IKEv1) implementation (isakmp_agg.c) in ipsec-tools racoon before 0.6.3, when running in aggressive mode, allows remote attackers to cause a denial of service (null dereference and crash) via crafted IKE packets, as demonstrated by the PROTOS ISAKMP Test Suite for IKEv1. The updated packages have been patched to correct this problem.
http://www.linuxsecurity.com/content/view/121359

* Mandriva: Updated xpdf packages fix several vulnerabilities
27th, January, 2006

Multiple heap-based buffer overflows in the DCTStream::readProgressiveSOF and DCTStream::readBaselineSOF functions in the DCT stream parsing code (Stream.cc) in xpdf 3.01 and earlier, allow user-complicit attackers to cause a denial of service (heap corruption) and possibly execute arbitrary code via a crafted PDF file with an out-of-range number of components (numComps), which is used as an array index. (CVE-2005-3191)
http://www.linuxsecurity.com/content/view/121360

* Mandriva: Updated mozilla-thunderbird packages fix vulnerability
27th, January, 2006

GUI display truncation vulnerability in Mozilla Thunderbird 1.0.2, 1.0.6, and 1.0.7 allows user-complicit attackers to execute arbitrary code via an attachment with a filename containing a large number of spaces ending with a dangerous extension that is not displayed by Thunderbird, along with an inconsistent Content-Type header, which could be used to trick a user into downloading dangerous content by dragging or saving the attachment. The updated packages have been patched to correct this problem.
http://www.linuxsecurity.com/content/view/121361

* Mandriva: Updated perl-Convert-UUlib packages fix vulnerability
27th, January, 2006

A buffer overflow was discovered in the perl Convert::UUlib module in versions prior to 1.051, which could allow remote attackers to execute arbitrary code via a malformed parameter to a read operation. This update provides version 1.051 which is not vulnerable to this flaw.
http://www.linuxsecurity.com/content/view/121362

* Mandriva: Updated perl-Net_SSLeay packages fix vulnerability
27th, January, 2006

Javier Fernandez-Sanguino Pena discovered that the perl Net::SSLeay module used the file /tmp/entropy as a fallback entropy source if a proper source was not set via the environment variable EGD_PATH. This could potentially lead to weakened cryptographic operations if an attacker was able to provide a /tmp/entropy file with known content. The updated packages have been patched to correct this problem.
http://www.linuxsecurity.com/content/view/121363

* Mandriva: Updated ImageMagick packages fix vulnerabilities
27th, January, 2006

The delegate code in ImageMagick 6.2.4.x allows remote attackers to execute arbitrary commands via shell metacharacters in a filename that is processed by the display command.
http://www.linuxsecurity.com/content/view/121364

* Mandriva: Updated mdkonline package provides url fixes
27th, January, 2006

The mdkonline package for MNF2 was incorrectly connecting to mandrivaonline.net rather than mandrivaonline.com. This update corrects the problem.
http://www.linuxsecurity.com/content/view/121365

* Mandriva: Updated dynamic packages fix USB device and Palm detection issues
27th, January, 2006

Dynamic was not calling scripts correctly when hardware was plugged/unplugged. Plugging a digital camera (not usb mass storage, like a Canon camera) was not creating an icon on Desktop (for GNOME) or in the Devices window (for KDE).
http://www.linuxsecurity.com/content/view/121366

* Mandriva: Update gthumb packages to fix corrupted UI after photo import
27th, January, 2006

A bug was discovered in gthumb where the UI (User Interface) can get corrupted when importing photos in some non-UTF8 locales (such as French). Some text strings (returned from libgphoto) were not converted into UTF-8 before being used by GTK+. Updated packages have been patched to correct the issue.
http://www.linuxsecurity.com/content/view/121367

* Mandriva: Updated libgphoto packages fix bug on disconnection of digital camera
27th, January, 2006

A bug was discovered with libgphoto which was preventing the removal of icons on the desktop (in GNOME) or in the Devices window (in KDE) when a digital camera was unplugged. Updated packages have been patched to correct the issue.
http://www.linuxsecurity.com/content/view/121368

* Mandriva: Updated gpdf packages fix several vulnerabilities
27th, January, 2006

Multiple heap-based buffer overflows in the DCTStream::readProgressiveSOF and DCTStream::readBaselineSOF functions in the DCT stream parsing code (Stream.cc) in xpdf 3.01 and earlier, allow user-complicit attackers to cause a denial of service (heap corruption) and possibly execute arbitrary code via a crafted PDF file with an out-of-range number of components (numComps), which is used as an array index. (CVE-2005-3191)
http://www.linuxsecurity.com/content/view/121369

* Mandriva: Updated net-snmp packages fix vulnerabilities
27th, January, 2006

The fixproc application in Net-SNMP creates temporary files with predictable file names which could allow a malicious local attacker to change the contents of the temporary file by exploiting a race condition, which could possibly lead to the execution of arbitrary code. As well, a local attacker could create symbolic links in the /tmp directory that point to a valid file that would then be overwritten when fixproc is executed (CVE-2005-1740).
A remote Denial of Service vulnerability was also discovered in the SNMP library that could be exploited by a malicious SNMP server to crash the agent, if the agent uses TCP sockets for communication (CVE-2005-2177). The updated packages have been patched to correct these problems.
http://www.linuxsecurity.com/content/view/121370

* Mandriva: Updated apache2 packages fix vulnerabilities
27th, January, 2006

A flaw was discovered in mod_imap when using the Referer directive with image maps that could be used by a remote attacker to perform a cross-site scripting attack, in certain site configurations, if a victim could be forced to visit a malicious URL using certain web browsers (CVE-2005-3352).
http://www.linuxsecurity.com/content/view/121371

* Mandriva: Updated mozilla-thunderbird packages merge dropped changes
27th, January, 2006

Recent security updates to mozilla-thunderbird did not include some changes made to the build from the community branch of 2006.0. The changes include corrections to the packaging of language files and some corrections to the uninstall scripts. New builds of the enigmail-es and enigmail-it packages are also included. Updated packages merge both of these builds.
http://www.linuxsecurity.com/content/view/121433

* Mandriva: Updated bzip2 packages fix bzgrep vulnerabilities
30th, January, 2006

A bug was found in the way that bzgrep processed file names. If a user could be tricked into running bzgrep on a file with a special file name, it would be possible to execute arbitrary code with the privileges of the user running bzgrep. As well, the bzip2 package provided with Mandriva Linux 2006 did not have the patch applied to correct CVE-2005-0953 which was previously fixed by MDKSA-2005:091; those packages are now properly patched. The updated packages have been patched to correct these problems.
http://www.linuxsecurity.com/content/view/121448

* Mandriva: Updated gzip packages fix zgrep vulnerabilities
30th, January, 2006

Zgrep in gzip before 1.3.5 does not properly sanitize arguments, which allows local users to execute arbitrary commands via filenames that are injected into a sed script. This was previously corrected in MDKSA-2005:092, however the fix was incomplete. These updated packages provide a more comprehensive fix to the problem.
http://www.linuxsecurity.com/content/view/121450

* Mandriva: Updated php packages fix XSS and response splitting vulnerabilities
1st, February, 2006

Multiple response splitting vulnerabilities in PHP allow remote attackers to inject arbitrary HTTP headers via unknown attack vectors, possibly involving a crafted Set-Cookie header, related to the (1) session extension (aka ext/session) and the (2) header function. (CVE-2006-0207) Multiple cross-site scripting (XSS) vulnerabilities in PHP allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors in "certain error conditions." (CVE-2006-0208)
http://www.linuxsecurity.com/content/view/121474

* Mandriva: Updated libast packages fix buffer overflow vulnerability
2nd, February, 2006

Buffer overflow in Library of Assorted Spiffy Things (LibAST) 0.6.1 and earlier, as used in Eterm and possibly other software, allows local users to execute arbitrary code as the utmp user via a long -X argument. The updated packages have been patched to correct this issue.
http://www.linuxsecurity.com/content/view/121491

* Mandriva: Updated poppler packages fix heap-based buffer overflow vulnerability
2nd, February, 2006

Heap-based buffer overflow in Splash.cc in xpdf allows attackers to cause a denial of service and possibly execute arbitrary code via crafted splash images that produce certain values that exceed the width or height of the associated bitmap. Poppler uses a copy of the xpdf code and as such has the same issues.
The updated packages have been patched to correct this issue.
http://www.linuxsecurity.com/content/view/121492

* Mandriva: Updated kdegraphics packages fix heap-based buffer overflow vulnerability
2nd, February, 2006

Heap-based buffer overflow in Splash.cc in xpdf allows attackers to cause a denial of service and possibly execute arbitrary code via crafted splash images that produce certain values that exceed the width or height of the associated bitmap. Kdegraphics-kpdf uses a copy of the xpdf code and as such has the same issues. The updated packages have been patched to correct this issue.
http://www.linuxsecurity.com/content/view/121493

* Mandriva: Updated xpdf packages fix heap-based buffer overflow vulnerability
2nd, February, 2006

Heap-based buffer overflow in Splash.cc in xpdf allows attackers to cause a denial of service and possibly execute arbitrary code via crafted splash images that produce certain values that exceed the width or height of the associated bitmap. The updated packages have been patched to correct this issue.
http://www.linuxsecurity.com/content/view/121494

* Mandriva: Updated OpenOffice.org packages fix issue with disabled hyperlinks
2nd, February, 2006

OpenOffice.org 2.0 and earlier, when hyperlinks have been disabled, does not prevent the user from clicking the WWW-browser button in the Hyperlink dialog, which makes it easier for attackers to trick the user into bypassing intended security settings. Updated packages are patched to address this issue.
http://www.linuxsecurity.com/content/view/121495

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Important: kernel security update
27th, January, 2006

Updated kernel packages that fix several security issues in the Red Hat Enterprise Linux 3 kernel are now available.
http://www.linuxsecurity.com/content/view/121279

* RedHat: Moderate: tetex security update
27th, January, 2006

Updated tetex packages that fix several integer overflows are now available.
http://www.linuxsecurity.com/content/view/121280

* RedHat: Critical: kdelibs security update
27th, January, 2006

Updated kdelibs packages are now available for Red Hat Enterprise Linux 4.
http://www.linuxsecurity.com/content/view/121281

* RedHat: Important: kernel security update
1st, February, 2006

Updated kernel packages that fix a number of security issues as well as other bugs are now available for Red Hat Enterprise Linux 2.1 (64 bit architectures). This security advisory has been rated as having important security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/121471

* RedHat: Important: kernel security update
1st, February, 2006

Updated kernel packages that fix a number of security issues as well as other bugs are now available for Red Hat Enterprise Linux 2.1 (32 bit architectures). This security advisory has been rated as having important security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/121472

* RedHat: Moderate: gd security update
1st, February, 2006

Updated gd packages that fix several buffer overflow flaws are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/121473

* RedHat: Critical: mozilla security update
2nd, February, 2006

Updated mozilla packages that fix several security bugs are now available. This update has been rated as having critical security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/121482

* RedHat: Critical: firefox security update
2nd, February, 2006

An updated firefox package that fixes several security bugs is now available.
This update has been rated as having critical security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/121483

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

* SuSE: xpdf,kpdf,gpdf,kword
27th, January, 2006

"infamous41md", Chris Evans and Dirk Mueller discovered multiple places in xpdf code where integer variables are insufficiently checked for range or overflow. Specially crafted PDF files could lead to executing arbitrary code.
http://www.linuxsecurity.com/content/view/121427

* SuSE: novell-nrm remote heap overflow
27th, January, 2006

iDEFENSE reported a security problem with the Novell Remote Manager.
http://www.linuxsecurity.com/content/view/121428

* SuSE: kdelibs3 (SUSE-SA:2006:003)
27th, January, 2006

Maksim Orlovich discovered a bug in the JavaScript interpreter used by Konqueror. UTF-8 encoded URLs could lead to a buffer overflow that causes the browser to crash or execute arbitrary code. Attackers could trick users into visiting specially crafted web sites that exploit this bug (CVE-2006-0019).
http://www.linuxsecurity.com/content/view/121429

* SuSE: phpMyAdmin (SUSE-SA:2006:004)
27th, January, 2006

Stefan Esser discovered a bug in the register_globals emulation of phpMyAdmin that allows variables to be overwritten. An attacker could exploit the bug to ultimately execute code (CVE-2005-4079).
http://www.linuxsecurity.com/content/view/121430

* SuSE: nfs-server/rpc.mountd remote code
27th, January, 2006

A remotely exploitable problem exists in the rpc.mountd service in the user space NFS server package "nfs-server".
http://www.linuxsecurity.com/content/view/121431

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Fri Feb 3 04:27:59 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Feb 2006 03:27:59 -0600 (CST)
Subject: [ISN] Millionaire on hacking charge
Message-ID:

http://www.timesonline.co.uk/article/0,,2087-2015469,00.html

Sophie Kirkham
January 29, 2006

MATTHEW MELLON, heir to a £6.6 billion banking and oil fortune, will appear in court next month in connection with an investigation into an alleged phone-tapping and computer hacking gang.

The former husband of Tamara Mellon, who runs the Jimmy Choo shoe empire, will appear alongside 17 other defendants accused of involvement in the operation, which allegedly provided clients with confidential information about wealthy people and businesses.

Following a tip-off from BT, Scotland Yard has conducted a long investigation into a private detective agency run by a former policeman which it believed was bugging phone calls. It is now alleged the group was also hacking into NHS computers to access confidential medical files to blackmail people, spying on police and bugging their phone calls to get information. There are also several charges of falsifying invoices.

One of the group is said to have taken BT overalls, a reflective jacket and tools, along with a BT works barrier and stool, and a shirt from NTL, another telecoms company.

A regular on the London social scene and close friends with Elizabeth Hurley and Hugh Grant, Mellon, 41, inherited a £14m trust fund at the age of 21. He now has a fortune put by The Sunday Times Rich List at £50m. His family is held in the same regard in America as the Rockefellers, Vanderbilts and Astors.

He met Tamara Yeardye in 1998. The couple's marriage in 2000 at Blenheim Palace took up eight pages in American Vogue and the bride wore a Valentino wedding dress encrusted with diamonds. More than half the guests were said to be wearing Jimmy Choos.
The Mellons spent several years as a golden couple of London society often appearing in magazine pages and at charity functions. In 2002 they had a daughter, Araminta.

But the marriage fell apart amid revelations of Mellon's cocaine habit, which he is said to have battled in the 1990s, and the couple went through an acrimonious divorce last year. After the marriage ended Tamara, who is now worth £60m in her own right, began seeing Oscar Humphries, the son of Barry, creator of Dame Edna Everage.

Mellon has recently said he was planning a change in career from working as chief designer for Harry's, an upmarket men's shoe company he launched five years ago - he has tried his hand at film producing in the past.

He remains a colourful figure on the social scene - his hobbies are said to include nude jet skiing - and he has had a string of celebrity girlfriends since his marriage break-up. He is currently seeing Noelle Reno, a 24-year-old actress.

Mellon, who lives in Belgravia, London, is charged with conspiracy to cause unauthorised modification of computer material.

Also in the dock at Bow Street magistrates' court in February will be another wealthy businessman, Adrian Kirby, who made his money from waste disposal units. Kirby, 47, of Haslemere, Surrey, has a fortune put at £65m by the Rich List. He is charged with conspiracy to intercept communications unlawfully, unauthorised modification of computer material and perverting the course of justice.

Former Essex police officer Scott Gelsthorpe, 31, of Kettering, Northamptonshire, is facing 15 charges.

The suspects, 17 men and one woman, come from southern England, Lincolnshire and France and are said to have committed the offences between July and September 2004. They will appear before magistrates on February 23.
From isn at c4i.org Fri Feb 3 04:28:43 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Feb 2006 03:28:43 -0600 (CST)
Subject: [ISN] DHS wants to improve software security
Message-ID:

http://www.fcw.com/article92172-02-01-06-Web

By Michael Arnone
Feb. 1, 2006

The Homeland Security Department wants public comment on two draft documents that are part of a federal program to improve software security, according to today's Federal Register.

The documents are part of the Software Assurance Program that DHS created as part of the National Strategy to Secure Cyberspace. The program is designed to reduce vulnerabilities and exploitation of weaknesses to improve software security, particularly in software that critical infrastructure uses.

One document, "Security in the Software Lifecycle," aims to help developers and project managers of software applications establish strategies to make sure new software products are more secure. The second, "Secure Software Assurance - Common Body of Knowledge," would help colleges and the private sector create curricula to train people in software assurance.

The documents and an online comment form are available at the Build Security In Web site [1]. Comments on the two documents are due by Feb. 21.

[1] http://buildsecurityin.us-cert.gov/

From isn at c4i.org Fri Feb 3 04:30:11 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Feb 2006 03:30:11 -0600 (CST)
Subject: [ISN] Russian hackers hawked Windows exploit for $4,000
Message-ID:

http://news.com.com/Russian+hackers+hawked+Windows+exploit+for+4%2C000/2100-7349_3-6034591.html

By Greg Sandoval
Staff Writer, CNET News.com
February 2, 2006

Competing hacker groups in Russia were peddling the exploit code responsible for the Windows Meta File attacks last December for $4,000, according to security company Kaspersky Lab.

"One of the purchasers of the exploit is involved in the criminal adware/spyware business," read a Kaspersky Lab quarterly report released this week.
"It seems likely that this was how the exploit became public."

The WMF flaw unsettled security experts after they found that the virus-writing community discovered the vulnerability before they did. A slew of Trojan programs were written to try and take advantage of the exploit.

The British Parliament was attacked by hackers who tried to exploit the WMF flaw. MessageLabs, an e-mail filtering provider for the U.K. government, said last month that targeted e-mails were sent to various individuals within government departments in an attempt to take control of their computers. The e-mails contained the exploit code.

A statement on the Kaspersky Lab site said more than a thousand instances of malicious code were detected in a week. "As the vulnerability was present in all versions of Windows, the situation threatened to spiral out of control."

According to Kaspersky, the situation was mitigated by the holiday season, when Internet use was much lighter than normal.

When the corrupt WMF files finally came to the attention of anti-spyware experts, they were traced back to Web sites known to spread advertising software surreptitiously to computers.

Security companies have lamented the practice by some Web advertisers of paying others to distribute their software. Some of the more unscrupulous among those are in the business of distributing exploits that let them spread adware without the knowledge of computer users.

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.
From isn at c4i.org Fri Feb 3 04:31:06 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Feb 2006 03:31:06 -0600 (CST)
Subject: [ISN] Secunia Weekly Summary - Issue: 2006-5
Message-ID:

========================================================================

                  The Secunia Weekly Advisory Summary
                        2006-01-26 - 2006-02-02

                       This week : 54 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

A vulnerability has been discovered in Winamp, which can be exploited by malicious people to compromise a user's system.

Successful exploitation allows execution of arbitrary code on a user's system when e.g. a malicious website is visited.

The vulnerability has been confirmed in version 5.12.
Other versions may also be affected.

NOTE: An exploit is publicly available.

Please refer to the referenced Secunia advisory below for additional details.

Reference:
http://secunia.com/SA18649

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Weeks Top Ten Most Read Advisories:

1.  [SA18649] Winamp Computer Name Handling Buffer Overflow Vulnerability
2.  [SA18621] Oracle Products PL/SQL Gateway Security Bypass Vulnerability
3.  [SA18629] Cisco VPN 3000 Concentrator HTTP Packet Denial of Service
4.  [SA18613] Cisco IOS AAA Command Authentication Bypass Vulnerability
5.  [SA15546] Microsoft Internet Explorer "window()" Arbitrary Code Execution Vulnerability
6.  [SA18614] nfs-server "rpc.mountd" Buffer Overflow Vulnerability
7.  [SA18628] My Little Forum/Guestbook/Weblog "link" BBcode Script Insertion
8.  [SA18630] Debian update for drupal
9.  [SA18255] Microsoft Windows WMF "SETABORTPROC" Arbitrary Code Execution
10. [SA18529] F-Secure Anti-Virus Archive Handling Vulnerabilities

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA18649] Winamp Computer Name Handling Buffer Overflow Vulnerability
[SA18646] @Mail Webmail Attachment Upload Directory Traversal
[SA18636] ASPThai Forums Login SQL Injection Vulnerability
[SA18668] MailEnable Professional EXAMINE Command Denial of Service

UNIX/Linux:
[SA18679] Debian update for pdfkit.framework
[SA18677] Xpdf PDF Splash Image Handling Vulnerability
[SA18675] Debian update for pdftohtml
[SA18674] GNUStep PDFKit Framework Xpdf Multiple Vulnerabilities
[SA18669] Avaya Products PHP Multiple Vulnerabilities
[SA18665] Debian update for unalz
[SA18659] Avaya Intuity Audix Lynx Arbitrary Command Execution
[SA18654] libpng "png_set_strip_alpha()" Buffer Overflow Vulnerability
[SA18653] Gentoo update for mydns
[SA18647] Pioneers Long Chat Message Denial of Service Vulnerability
[SA18644] Gentoo updates for xpdf/poppler/gpdf/libextractor/pdftohtml
[SA18643] GIT "git-checkout-index" Symbolic Link Handling Buffer Overflow
[SA18642] pdftohtml xpdf Multiple Integer Overflow Vulnerabilities
[SA18631] Debian update for imagemagick
[SA18630] Debian update for drupal
[SA18627] Gentoo update for gallery
[SA18638] SUSE update for nfs-server
[SA18663] Avaya Intuity Audix OpenSSL Potential SSL 2.0 Rollback
[SA18662] Avaya Intuity Audix TCP Timestamp Denial of Service
[SA18661] Avaya Intuity Audix Two OpenSSH Security Issues
[SA18625] Gentoo update for trac
[SA18635] Mandriva update for net-snmp
[SA18626] Gentoo update for paros
[SA18660] Avaya Intuity Audix "uidadmin" Buffer Overflow
[SA18656] Debian update for libmail-audit-perl
[SA18652] Mail::Audit Insecure Log File Creation Vulnerability
[SA18639] Mandriva update for perl-Net_SSLeay
[SA18632] Gentoo update for libast
[SA18623] Debian update for lsh-utils
[SA18671] Sun Solaris x64 Kernel Processing Denial of Service
[SA18650] Trustix update for openssh

Other:
[SA18629] Cisco VPN 3000 Concentrator HTTP Packet Denial of Service

Cross Platform:
[SA18648] CRE Loaded "HTML AREA" File Upload Security Issue
[SA18640] CommuniGate Pro Server LDAP BER Decoding Vulnerabilities
[SA18634] PmWiki Unregister "register_globals" Layer Bypass
[SA18678] MyBB "templatelist" SQL Injection Vulnerability
[SA18676] SPIP Cross-Site Scripting and SQL Injection Vulnerabilities
[SA18667] Calendarix Basic SQL Injection Vulnerabilities
[SA18666] SZUserMgnt "username" SQL Injection Vulnerability
[SA18664] IPB Dragoran Portal Module "site" SQL Injection Vulnerability
[SA18655] UebiMiau Webmail HTML Email Script Insertion Vulnerability
[SA18633] AndoNET Blog "entrada" SQL Injection Vulnerability
[SA18628] My Little Forum/Guestbook/Weblog "link" BBcode Script Insertion
[SA18624] NewsPHP SQL Injection Vulnerabilities
[SA18673] Easy CMS Cross-Site Scripting Vulnerabilities
[SA18672] sPaiz-Nuke "query" Cross-Site Scripting Vulnerability
[SA18670] Nuked-Klan "letter" Cross-Site Scripting Vulnerability
[SA18658] BrowserCRM "query" Cross-Site Scripting Vulnerability
[SA18657] Cerberus Helpdesk "contact_search" Cross-Site Scripting
[SA18645] PHP-Ping "count" Denial of Service Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:

--
[SA18649] Winamp Computer Name Handling Buffer Overflow Vulnerability

Critical:    Extremely critical
Where:       From remote
Impact:      System access
Released:    2006-01-30

ATmaCA has discovered a vulnerability in Winamp, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18649/

--
[SA18646] @Mail Webmail Attachment Upload Directory Traversal

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-02-02

Secunia Research has discovered a vulnerability in @Mail Webmail, which can be exploited by malicious users to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/18646/

--
[SA18636] ASPThai Forums Login SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2006-01-30

Emperor Hacking Team has reported a vulnerability in ASPThai Forums, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18636/

--
[SA18668] MailEnable Professional EXAMINE Command Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2006-02-01

A vulnerability has been reported in MailEnable Professional, which potentially can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18668/

UNIX/Linux:

--
[SA18679] Debian update for pdfkit.framework

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-01

Debian has issued an update for pdfkit.framework. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18679/

--
[SA18677] Xpdf PDF Splash Image Handling Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-01

Dirk Mueller has reported a vulnerability in Xpdf, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18677/

--
[SA18675] Debian update for pdftohtml

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-01

Debian has issued an update for pdftohtml. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/18675/

--
[SA18674] GNUStep PDFKit Framework Xpdf Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-01

Some vulnerabilities have been reported in GNUStep PDFKit Framework, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18674/

--
[SA18669] Avaya Products PHP Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting
Released:    2006-02-01

Avaya has acknowledged some vulnerabilities in various products, which can be exploited by malicious people to conduct cross-site scripting attacks and bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/18669/

--
[SA18665] Debian update for unalz

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-01-31

Debian has issued an update for unalz. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18665/

--
[SA18659] Avaya Intuity Audix Lynx Arbitrary Command Execution

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-01-31

Avaya has acknowledged a vulnerability in Intuity Audix, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18659/

--
[SA18654] libpng "png_set_strip_alpha()" Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-01

A vulnerability has been reported in libpng, which can be exploited by malicious people to cause a DoS (Denial of Service) against applications using libpng or potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18654/ -- [SA18653] Gentoo update for mydns Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-01-31 Gentoo has issued an update for mydns. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/18653/ -- [SA18647] Pioneers Long Chat Message Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-01-30 Bas Wijnen has discovered a vulnerability in Pioneers, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/18647/ -- [SA18644] Gentoo updates for xpdf/poppler/gpdf/libextractor/pdftohtml Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-01-31 Gentoo has issued updates for xpdf/poppler/gpdf/libextractor/pdftohtml. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service), and potentially to compromise a user's system. Full Advisory: http://secunia.com/advisories/18644/ -- [SA18643] GIT "git-checkout-index" Symbolic Link Handling Buffer Overflow Critical: Moderately critical Where: From remote Impact: System access Released: 2006-01-30 A vulnerability has been reported in GIT, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/18643/ -- [SA18642] pdftohtml xpdf Multiple Integer Overflow Vulnerabilities Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-01-31 Some vulnerabilities have been reported in pdftohtml, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system. 
Full Advisory: http://secunia.com/advisories/18642/

--
[SA18631] Debian update for imagemagick
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-01-27
Debian has issued an update for imagemagick. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/18631/

--
[SA18630] Debian update for drupal
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting
Released: 2006-01-27
Debian has issued an update for drupal. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, and conduct script insertion and HTTP response splitting attacks.
Full Advisory: http://secunia.com/advisories/18630/

--
[SA18627] Gentoo update for gallery
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-01-27
Gentoo has issued an update for gallery. This fixes a vulnerability, which potentially can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/18627/

--
[SA18638] SUSE update for nfs-server
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2006-01-27
SUSE has issued an update for nfs-server. This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18638/

--
[SA18663] Avaya Intuity Audix OpenSSL Potential SSL 2.0 Rollback
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2006-01-31
Avaya has acknowledged a vulnerability in Intuity Audix, which potentially can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/18663/

--
[SA18662] Avaya Intuity Audix TCP Timestamp Denial of Service
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2006-01-31
Avaya has acknowledged a vulnerability in Intuity Audix, which can be exploited by malicious people to cause a DoS (Denial of Service) on active TCP sessions.
Full Advisory: http://secunia.com/advisories/18662/

--
[SA18661] Avaya Intuity Audix Two OpenSSH Security Issues
Critical: Less critical
Where: From remote
Impact: Security Bypass, Privilege escalation
Released: 2006-01-31
Avaya has acknowledged two security issues in Intuity Audix, which can be exploited by malicious users to gain escalated privileges or bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/18661/

--
[SA18625] Gentoo update for trac
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-01-26
Gentoo has issued an update for trac. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18625/

--
[SA18635] Mandriva update for net-snmp
Critical: Less critical
Where: From local network
Impact: Privilege escalation, DoS
Released: 2006-01-27
Mandriva has issued an update for net-snmp. This fixes some vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges, or by malicious users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/18635/

--
[SA18626] Gentoo update for paros
Critical: Less critical
Where: From local network
Impact: Security Bypass, Exposure of sensitive information
Released: 2006-01-30
Gentoo has issued an update for paros. This fixes a security issue, which can be exploited by malicious people to disclose sensitive information and bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/18626/

--
[SA18660] Avaya Intuity Audix "uidadmin" Buffer Overflow
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-01-31
Avaya has acknowledged a vulnerability in Intuity Audix, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/18660/

--
[SA18656] Debian update for libmail-audit-perl
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-01-31
Debian has issued an update for libmail-audit-perl. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/18656/

--
[SA18652] Mail::Audit Insecure Log File Creation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-01-31
Niko Tyni has reported a vulnerability in Mail::Audit, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/18652/

--
[SA18639] Mandriva update for perl-Net_SSLeay
Critical: Less critical
Where: Local system
Impact: Manipulation of data
Released: 2006-01-27
Mandriva has issued an update for perl-Net_SSLeay. This fixes a vulnerability, which can be exploited by malicious, local users to weaken certain cryptographic operations.
Full Advisory: http://secunia.com/advisories/18639/

--
[SA18632] Gentoo update for libast
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-01-30
Gentoo has issued an update for libast. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/18632/

--
[SA18623] Debian update for lsh-utils
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information, DoS
Released: 2006-01-26
Debian has issued an update for lsh-utils. This fixes a vulnerability, which can be exploited by malicious, local users to gain knowledge of potentially sensitive information or to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/18623/

--
[SA18671] Sun Solaris x64 Kernel Processing Denial of Service
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2006-02-01
A vulnerability has been reported in Sun Solaris, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/18671/

--
[SA18650] Trustix update for openssh
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2006-01-30
Trustix has issued an update for openssh. This fixes a weakness, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.
Full Advisory: http://secunia.com/advisories/18650/

Other:

--
[SA18629] Cisco VPN 3000 Concentrator HTTP Packet Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-01-27
Eldon Sprickerhoff has reported a vulnerability in Cisco VPN 3000 Concentrator, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/18629/

Cross Platform:

--
[SA18648] CRE Loaded "HTML AREA" File Upload Security Issue
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-01-30
kaneda has discovered a security issue in CRE Loaded, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18648/

--
[SA18640] CommuniGate Pro Server LDAP BER Decoding Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-01-30
Evgeny Legerov has reported some vulnerabilities in CommuniGate Pro Server, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18640/

--
[SA18634] PmWiki Unregister "register_globals" Layer Bypass
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, System access
Released: 2006-01-30
Francesco "aScii" Ongaro has discovered a vulnerability in PmWiki, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, disclose sensitive information, and compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18634/

--
[SA18678] MyBB "templatelist" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-02-01
A vulnerability has been discovered in MyBB, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18678/

--
[SA18676] SPIP Cross-Site Scripting and SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of system information, Cross Site Scripting
Released: 2006-02-01
Zone-H Research Team has discovered some vulnerabilities in SPIP, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18676/

--
[SA18667] Calendarix Basic SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2006-02-01
Aliaksandr Hartsuyeu has discovered two vulnerabilities in Calendarix Basic, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18667/

--
[SA18666] SZUserMgnt "username" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2006-02-01
Aliaksandr Hartsuyeu has discovered a vulnerability in SZUserMgnt, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18666/

--
[SA18664] IPB Dragoran Portal Module "site" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-02-01
SkOd has reported a vulnerability in the Dragoran Portal module for Invision Power Board, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18664/

--
[SA18655] UebiMiau Webmail HTML Email Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-01-31
M.Neset KABAKLI has discovered a vulnerability in UebiMiau, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/18655/

--
[SA18633] AndoNET Blog "entrada" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-01-27
Aliaksandr Hartsuyeu has discovered a vulnerability in AndoNET Blog, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18633/

--
[SA18628] My Little Forum/Guestbook/Weblog "link" BBcode Script Insertion
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-01-27
Aliaksandr Hartsuyeu has discovered a vulnerability in My Little Forum, My Little Guestbook, and My Little Weblog, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/18628/

--
[SA18624] NewsPHP SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-01-26
SAUDI has reported some vulnerabilities in NewsPHP, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18624/

--
[SA18673] Easy CMS Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-01-31
Preben Nyløkken has reported some vulnerabilities in Easy CMS, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18673/

--
[SA18672] sPaiz-Nuke "query" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-01-31
Night_Warrior has reported a vulnerability in sPaiz-Nuke, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18672/

--
[SA18670] Nuked-Klan "letter" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-01-31
Night_Warrior has discovered a vulnerability in Nuked-Klan, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18670/

--
[SA18658] BrowserCRM "query" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-02-01
Preben Nyløkken has reported a vulnerability in BrowserCRM, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18658/

--
[SA18657] Cerberus Helpdesk "contact_search" Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-02-01
Preben Nyløkken has reported a vulnerability in Cerberus Helpdesk, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18657/

--
[SA18645] PHP-Ping "count" Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2006-01-30
cvh has discovered a vulnerability in PHP-Ping, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/18645/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support at secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Fri Feb 3 04:31:20 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Feb 2006 03:31:20 -0600 (CST)
Subject: [ISN] Kama Sutra virus expected to strike
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2006/02/03/AR2006020300346.html

By Michael Kahn
Reuters
February 3, 2006

SAN FRANCISCO (Reuters) - A destructive worm posing as a pornographic e-mail may already have infected hundreds of thousands of computers and could erase many everyday files on Friday, security experts warn.

The "Kama Sutra" worm, which targets popular Microsoft Corp., Adobe Systems Inc. and ZIP files, is a threat because many users will not know the virus has infected their computers until it is too late, security experts said.

They also estimate that the worm -- which spreads by e-mailing itself to addresses in an infected computer's mailbox -- may already have slipped onto 275,000 to 500,000 machines and is now simply waiting to obliterate files on Friday.

The virus, also known as Nyxem, Grew.A or MyWife, tricks users by appearing as an e-mail attachment with subject lines such as "Hot Movie," "give me a kiss" and "Miss Lebanon 2006." Some variations refer to the ancient Kama Sutra guide to elaborate sexual positions in order to attract attention and convince victims to open them.

"It claims to be a movie or picture with some sort of sexual content," said Johannes Ullrich, chief research officer at the nonprofit SANS Institute research group. "That is how it tricks you."

The virus causes a keyboard and mouse to freeze up and then disables anti-virus programs when the computer is restarted, leaving a machine vulnerable, said Ken Dunham, rapid response director at VeriSign Corp.'s security unit iDefense.
The attack is scheduled to begin at midnight on February 3. The virus mainly has infected computers of vulnerable consumers and small businesses, which are far less likely to have up-to-date security software, he said.

The Kama Sutra worm also stands out because its primary purpose is to destroy files rather than to seek financial gain or to take control of a computer, security experts said.

Dunham said any users who suspect they may have triggered the worm should reinstall an anti-virus program and make sure the virus has been removed.

"It is already underway and will be activated unless people get removal tools," he said. "If you have opened an e-mail and your computer froze up, you should be very concerned."

From isn at c4i.org Fri Feb 3 04:31:32 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Feb 2006 03:31:32 -0600 (CST)
Subject: [ISN] Hacker hands over laptop
Message-ID:

http://www.mlive.com/news/fljournal/index.ssf?/base/news-34/1138897570313390.xml&coll=5

By Bernie Hillman
THE FLINT JOURNAL
February 02, 2006

LINDEN - A Linden High School senior who hacked into school records - possibly for the purpose of changing school grades, police say - handed his laptop over to police Tuesday.

The laptop will be delivered to the state police crime lab in Lansing next week, said Argentine Township police Lt. Bruce Coverdill.

Coverdill said the 17-year-old, who was suspended Jan. 25 for 10 days, is not talking to police and has an attorney.

"He admitted getting into some files," Coverdill said. "We don't know what files - possibly changing school grades; we don't know to what degree."

But hacking into a school computer is no easy task, said Thomas Svitkovich, superintendent for the Genesee Intermediate School District.

"There are fire walls and protective devices in place at all levels," he said. "The systems are closed systems. You can't just dial up and get into something, but I don't know what he got into or what he was doing."

It's too early in the investigation to know if the teen acted alone, said Coverdill, who noted that the hacking may have been going on for some time.

"(The school) had suspected something was wrong with their files. They approached him, and he admitted to it," Coverdill said.

Superintendent Elizabeth Leonard said she couldn't say much more other than the investigation is ongoing.

"Certainly he got into some Linden files," Leonard said.

Students will have limits on what they can access via computer until the investigation is complete, but Leonard said she could not say what those limits will be.

Senior Jamie Wolverton said the incident was not the talk of the school. She found out about it Wednesday from a teacher in the computer lab class.

"Someone said they couldn't save something, and (the teacher) said someone hacked into the system, and now we couldn't do that," Jamie said. "She didn't say how or who. We used to be able to save on a disc or under your own name, and now we can't do that."

Leonard said a decision whether to lengthen the suspension was expected to be made today.

©2006 Flint Journal

From isn at c4i.org Mon Feb 6 01:39:25 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 6 Feb 2006 00:39:25 -0600 (CST)
Subject: [ISN] Oracle aims to tone security muscle with Fusion
Message-ID:

http://www.zdnet.com.au/news/security/soa/Oracle_aims_to_tone_security_muscle_with_Fusion/0,2000061744,39236748,00.htm

By Joris Evers
Special to ZDNet
06 February 2006

Billions of dollars worth of acquisitions have bought Oracle a perhaps unexpected bonus: security lessons.

Last year, the technology maker bought more than a dozen companies. Now it's picking up tips from those operations and using them in a major overhaul of its business applications software, an initiative called Project Fusion. Other products and processes are benefiting, too.

In return, Oracle is teaching its new employees something about security -- literally.
The Redwood Shores, California-based company found that none of the companies it bought required security-specific training for staff. But Oracle does. So employees brought in from PeopleSoft, JD Edwards, Retek and Oblix purchases, among others, are learning the ropes.

All in all, Oracle hopes the security sum will be greater than its parts.

"To make the merged organisation successful, we take the best of what they did and the best of what we do, and make it what the combined company does," Mary Ann Davidson, Oracle's chief security officer, said in an interview on Tuesday.

Security has been a bugbear for the database specialist, which has drawn criticism for the time it takes to fix flaws and the quality of its patches. Experts will be watching closely to see what comes of any new effort.

Moreover, Fusion is a hefty undertaking, with the aim of incorporating the technology of companies Oracle has acquired. And security is only one element of Fusion. Oracle President Charles Phillips recently said the company, one year into the project, is already half done with its work on the next generation of its applications. Yet, Phillips said, the first Fusion applications won't be ready until 2008 -- a schedule that falls in line with previous promises.

Oracle isn't saying much about security in Fusion or in any of its other products, but in meetings with ZDNet Australia's sister site CNET News.com last week, company representatives lifted the veil on the software maker's endeavours to get all its security eggs into one basket.

One lesson Oracle has learned from PeopleSoft is that less customisation equals fewer security risks. While Oracle has historically allowed developers to program on top of its applications, PeopleSoft took a more limited approach. Its software was mainly set up to let customers analyse their business processes, then build upon its applications.

"What you can do from a security perspective in PeopleSoft is limited, while Oracle is more fine-grained and more customisable," said John Heimann, director of security program management at Oracle. "Sometimes simplicity is good for security, because you can sometimes code yourself into a hole."

Oracle's buying spree

In 2005 alone, Oracle acquired more than a dozen companies. The security synchronisation effort includes some of these: PeopleSoft (January), Oblix (March), Retek (April), TripleHop (June), TimesTen (June), ProfitLogic (July), Context Media (July), I-flex (August), Siebel (September), G-Log (September), Innobase (October), Thor Technologies (November), OctetString (November), TempoSoft (December)

Oracle allows developers to define security roles with a lot of flexibility, increasing the risk of mistakes and thus the introduction of flaws. For example, it is possible to restrict which user can access a specific part of an application based on very detailed rules, Heimann said. PeopleSoft doesn't provide the same level of flexibility, he said.

"We're going to try and combine the simplicity and declarative nature of PeopleSoft and PeopleTools with the extensibility and flexibility of the Oracle applications framework," Heimann said. As an indication of that, Oracle executives said a key person working on security for Fusion is Robert Armstrong, a former PeopleSoft security chief.

Another lesson partially learned from PeopleSoft is to ship products that have a high level of security out of the box, or at least provide an easy way to increase the security level -- something Oracle calls the Secure Configuration Initiative.

"In the past, our products have tended to be developer-friendly out of the box," Heimann said. "There were accounts with easy-to-remember passwords like 'Welcome1', demo code, and things were set with permissions that were wide open."
Oracle's 10g database products, which shipped in 2004, delivered on some of the "secure by default" approach, Heimann said. Customers should see more of it in future products, including the next generation of the database family, he added.

"It will be there to a much greater extent in 11g, and it is a focus for Fusion," he said. "That is the future: Security by default, and delivering it so you don't have to be a sophisticated developer to implement security rules."

For example, Oracle is thinking of allowing a system administrator to change security settings using a simple user interface or with drag-and-drop capabilities, Heimann said.

Patchy record

Oracle, which has marketed its products as "unbreakable," has faced mounting criticism over its security practices. Security researchers have accused the company of fixing security flaws too late, releasing faulty security updates or not plugging holes at all.

"Oracle can no longer be considered a bastion of security," Gartner analyst Rich Mogull wrote in a research note after Oracle released a slew of security patches on 17 January. "Critical Oracle vulnerabilities are being discovered and disclosed at an increasing rate, and exploit tools and proof-of-concept code are appearing more regularly."

The database specialist has not yet experienced a mass security exploit, but this does not mean that one will never occur, Mogull said in his note. He advises database and application managers to protect and maintain Oracle systems more aggressively.

Becoming part of Oracle's line-up could intensify the security community's scrutiny of products previously sold by the companies it acquired. So, in addition to product development, the mergers have also had effects on security processes. For example, each unit has amended how it deals with reports of vulnerabilities and with publishing of security alerts, Oracle executives said.

The employees and products of the purchased companies have borne the brunt of changes, said Duncan Harris, the senior director for security assurance at Oracle.

"The acquired companies did not have very many vulnerabilities reported to them by external researchers. PeopleSoft was the exception," Harris said. "All were still very much using a manual tracking system like that we had five years ago."

As for public announcement of fixes, PeopleSoft and JD Edwards security updates are now part of Oracle's quarterly critical patch bulletins. That's a change from before the acquisition. Oracle's patch alerts offer only few details on specific flaws and their impact, while PeopleSoft's security bulletins had more information.

Bug handling for most companies Oracle acquired is now part of Oracle's automated system. However, PeopleSoft still maintains its own way of handling vulnerabilities, Harris said. While Oracle has people whose full-time job is dealing with flaws, PeopleSoft has a council of employees that discusses bugs as a team, he said.

Another change is that Harris' team of "ethical hackers" will now expand its scope and may scrutinise the newly acquired products.

"We don't declare what products my team looks at, but clearly as Oracle acquires new products, then those are eligible for the hackers to have a look at and do an assessment against," he said. Harris wouldn't say if people from any of the acquired companies have joined his hacking team, which is based in the U.K. He also declined to say how large the team currently is.

Still, former PeopleSoft employees appear to have a major role in charting the future of Oracle and will leave their marks, especially when it comes to security.

"When I knew that we were going to go ahead and buy PeopleSoft, I immediately wanted to have dibs on certain people," Oracle's Davidson said.

Added Heimann: "Fusion is serious. We really learned some good things from them and we're really trying to capture the best of it."
From isn at c4i.org Mon Feb 6 01:39:38 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 6 Feb 2006 00:39:38 -0600 (CST)
Subject: [ISN] Virus floors Russian stock exchange
Message-ID:

http://www.theregister.co.uk/2006/02/03/virus_hits_stock_exchange/

By John Leyden
3rd February 2006

A computer virus succeeded in bringing down the main Russian stock exchange on Thursday. The Russian Trading System (RTS) was forced to suspend operations in its three markets between 1315 and 1420 GMT after unnamed malware infected systems. Viral infection resulted in a huge upsurge of outgoing traffic, interrupting normal network operations.

"The virus got into a computer connected to a test trading system from the internet," RTS vice president Dmitry Shatsky said in the statement issued Friday, Reuters reports. "The infected computer started generating huge volumes of parasitic traffic, which overloaded the RTS's support routers. The result was that normal traffic - data going in to and out of the trading system - was not processed."

RTS has since resumed trading. The exchange is playing down concerns that sensitive systems and data might have been exposed by the attack.

The attack on the Russian financial system came the day before the widespread Kama Sutra worm began destroying files on infected systems. The effects of the worm were far less than first feared, but the malware did force Milan city hall to turn off 10,000 computers as a precaution after discovering its systems were riddled with infection on Thursday, and deciding there wasn't enough time to mount an effective clean-up operation, AP reports.

From isn at c4i.org Mon Feb 6 01:39:51 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 6 Feb 2006 00:39:51 -0600 (CST)
Subject: [ISN] Parkview assisting FBI in probe of file hacking
Message-ID:

http://www.fortwayne.com/mld/journalgazette/13782298.htm

By Michael Schroeder
The Journal Gazette
Feb. 03, 2006

As part of an ongoing FBI investigation into Medical Informatics Engineering and alleged software tampering at Orthopaedics Northeast, Parkview Health confirmed it is cooperating with the investigation.

The hacker appears to have breached Orthopaedics Northeast's network by exploiting connections of Parkview and an unnamed medical office from the outside, said Raymond Kusisto, chief executive officer of Orthopaedics Northeast.

The FBI is investigating software company Medical Informatics, 4101 W. Jefferson Blvd., in connection with the breach, a Medical Informatics official confirmed. No charges have been filed.

"The hacker simply used Parkview as a mule," Kusisto said. "Parkview didn't have anything to do with this."

New Medical Informatics competitor triPRACTIX, 1330 Medical Park Drive - which now manages Orthopaedics Northeast software - contacted the FBI on Orthopaedic Northeast's behalf after hiring consultants who determined software problems were caused by outside tampering, Todd Plesko, chief executive officer of triPRACTIX, had said.

There were nine cyber-attacks in the first two weeks of January, Kusisto said. The software problems slowed operations and increased overtime work but didn't affect patient safety or records security at Orthopaedics Northeast's 12 area locations, Kusisto said.

Karen Belcher, spokeswoman for Parkview, said all patient records in Parkview's network are secure.

"When we were alerted... that there was a concern, we went ahead and checked out the systems, and we did not find a problem," Belcher said.

If a hacker did enter Parkview's network, individual applications are equipped with security systems designed to restrict access. Belcher said cyber security measures include virus protection, monitoring systemwide operations and tracking user activity.

Belcher said Parkview is helping the FBI in any way it can. She referred specific questions about the investigation to Assistant U.S. Attorney David Miller, who would not comment on the matter.

A Medical Informatics official said the company is eager to see the results of the FBI's investigation. Chief Operating Officer Eric Jones said that "FBI investigators indicated that there was evidence that machines on MIE's (Medical Informatics Engineering's) network were somehow involved in the alleged attack on ONE's (Orthopaedics Northeast's) network."

But Jones maintained that the company is innocent.

"We don't believe anything like that occurred," Jones said. "That is not the way that we do business."

From isn at c4i.org Mon Feb 6 01:40:11 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 6 Feb 2006 00:40:11 -0600 (CST)
Subject: [ISN] Personal data on hundreds of Americans faxed to Manitoba company
Message-ID:

http://www.theglobeandmail.com/servlet/story/RTGAM.20060205.wdata0205/BNStory/National/home

STEVE LAMBERT
Canadian Press
05/02/06

Lockport, Manitoba - Confidential information on hundreds of United States citizens, including social security numbers, health information and bank account numbers, is being sent mistakenly by fax to a small Manitoba company.

A 60-centimetre-high stack of data, which also includes people's addresses and salaries, already sits in the offices of North Regent Rx, a herbal remedy distribution company that operates out of a house in Lockport, 15 kilometres north of Winnipeg.

"I know how much these people make, I know what their social security number is, I know where they live," North Regent Rx spokesman Jody Baxmeyer told The Canadian Press. "Almost everything a person needs for identity theft is actually faxed to us on a daily basis."

Far from using the information for any illicit purposes, Baxmeyer says the company has been trying to stop the faxes from coming in, but has been unable to reach an agreement with Prudential Financial, the U.S.-based company that is the intended recipient.

The problem started as soon as North Regent Rx began operating 15 months ago.
The company's toll-free fax number is almost identical to the number used by Prudential's insurance division, which receives faxes from doctors' offices about medical benefits given to patients with Prudential insurance. Employees at many doctors' offices have dialled the wrong number, sending the information to North Regent Rx. The pile in Ms. Baxmeyer's office reveals data about people in many states - a Maryland woman with thyroid trouble, a Massachusetts man suffering from depression, and Kelly McDonough, 43, an Ohio woman who has lost her sight because of diabetes. "That bothers me," McDonough said from her home in Columbus. "I do not appreciate the fact that my social security number is in the hands of someone I don't know. I know that there can be identity theft with as little information as a social security number." McDonough said the mixup has affected her financially, because she initially didn't get reimbursed for the claim that was mistakenly faxed to North Regent Rx. After waiting for a few weeks, she assumed Prudential might have lost the information and had her doctor's office resend the fax, which reached the right destination on the second try. Prudential says it's trying to address the situation. "As soon as we learned that disability forms were being misdirected due to dialer error, Prudential Financial offered to work with North Regent Rx to resolve the matter," the company said in a written statement. "We have asked the six medical providers that we are aware of that have misdialled to be more careful when dialing." Last August, Prudential vice-president Patrick O'Toole wrote to Ms. Baxmeyer to suggest that North Regent Rx send Prudential the faxes they have been receiving. Ms. Baxmeyer says North Regent has forwarded some faxes to Prudential, and has often faxed messages to the clinics to tell them they have misdialled. But he said it's a time-consuming task for a small company. 
And the ongoing problem has tied up the fax line, he said, preventing North Regent customers from sending in their orders. "The (solution) from our point of view is pretty simple ? buy our toll-free number," Ms. Baxmeyer said. "It would take care of the problem right there." Ms. Baxmeyer said North Regent Rx has approached Prudential about selling the fax number, but the insurance firm has not yet agreed. North Regent Rx would want to be compensated for the cost of changing its toll-free number on advertising and invoices, as well as for fees charged by the telephone company, he said. Prudential's written statement says the company is "eager to continue to work with North Regent Rx to resolve the issue." This is not the first time personal data has been sent over the Canada-U.S. border to the wrong recipient. In November of 2004, The Globe and Mail and CTV reported that between 2001 and 2004, confidential information about hundreds of Canadian Imperial Bank of Commerce customers was faxed to a scrapyard in West Virginia. The scrapyard's owner, Wade Peer, said the volume of faxes prevented him from communicating with his customers and forced him to close one of his businesses. From isn at c4i.org Mon Feb 6 01:40:24 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 6 Feb 2006 00:40:24 -0600 (CST) Subject: [ISN] Chinese Hacker Attacks on Korean Gamers Mushrooming Message-ID: http://english.chosun.com/w21data/html/news/200602/200602030008.html The Chosun Ilbo Feb. 3, 2006 There is no failsafe solution in sight for massive attacks from Chinese hackers who steal the sign-in names and passwords of Korean gamers. More and more websites have become infection points for Trojan viruses that leak users?? personal information since last May, when the MSN Korea website was first infected with the malicious code. IT security firm Geot says about 2,000 websites fell victim to Chinese hackers from November of last year through last month. 
Of the sites used to spread Trojan-style viruses, 70 percent were Korean and the rest Chinese. Geot presumes the Chinese sites are permanent hosts where the spy codes are permitted to incubate unhindered by security updates. The character of the victim sites is also changing rapidly. Once limited to game portals and media or cable TV homepages, they now include public services including two public broadcasters, two local governments, one office of education and a number of university websites. More than 100 websites including terrestrial broadcasters and sports papers unwittingly inflicted multiple damage because they reacted too late or not at all. The type of information being targeted is changing too, from access details for well-known online games to user information of game item market sites. Experts are worried that the hackers?? range could soon extend to more vital areas such as online banking. The government announced an anti-hacking program for online games as the damage spread, but critics say it fails to get to the core of the problem. To tackle the threat at its root, the government should legalize item exchange so that secure sites can be built and protected by law, they say. From isn at c4i.org Tue Feb 7 04:13:50 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 7 Feb 2006 03:13:50 -0600 (CST) Subject: [ISN] 2 Tigard High students face discipline over calls Message-ID: http://www.oregonlive.com/metrosouthwest/oregonian/index.ssf?/base/metro_southwest_news/1139291813243370.xml&coll=7 MAYA BLACKMUN February 07, 2006 Two Tigard High School students face possible expulsion after harassing phone calls were made over the weekend to five teachers using home numbers placed on the Web by a student hacker last week, officials said. Susan Stark Haydon, a spokeswoman for the Tigard-Tualatin School District, would not identify the students, citing privacy concerns of minors. 
She said they face discipline up to expulsion for violating the district's policy on threats of violence, hazing, harassment, intimidation, bullying and menacing. The latest incident follows that of another student who hacked into the school's computer system and placed a slew of personal information on the Web. "It's been a painful learning experience," principal Pam Henslee said, "and we hope that students know this is serious business." She would not describe the calls but said they were considered harassment because of their content, repetition and unwelcome nature. Some teachers reported getting calls nonstop in the middle of the night for two to three hours, only to have the calls stop and start up again the next day. After the teachers reported the phone calls Monday morning, Henslee got on the school's intercom and asked students for help. Two students were identified, and they admitted making the calls, she said. They used information posted sometime during the night of Jan. 30 by another Tigard High student that included the roster of the approximately 100-person school staff, staffers' month and day of birth, home and cell phone numbers, home addresses, 18 e-mail passwords along with two network administration passwords, and the combinations of the school's approximately 2,000 lockers, which subsequently had to be changed. Jim Wolf, a Tigard Police Department spokesman, said the hacking case is under investigation. If teachers want to pursue criminal charges, they would have to report the harassment to police where they live. From isn at c4i.org Tue Feb 7 04:14:03 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 7 Feb 2006 03:14:03 -0600 (CST) Subject: [ISN] Hacker cripples government website in Chengdu Message-ID: http://www.interfax.cn/showfeature.asp?aid=9724 Shanghai. 
February 7, 2006 INTERFAX-CHINA The official website of the Chengdu Agricultural Committee, a government body that oversees agricultural production in the southwestern Chinese city, was hacked on Monday and has been inaccessible up to now, a government official told Interfax Tuesday. "We have not found out who did this but we are restoring the website, which will be up and running again within one or two days," an official surnamed Wu said. Wu is the director of the Chengdu Agricultural Committee's Network Administration Department. The government website, www.cdagri.gov.cn, was attacked Monday morning and the homepage was replaced with a black page saying that the website was "rubbish." The hacker also claimed to be from China Eagle Union, a Chinese hacker organization, local newspaper Tianfu Morning News (Tianfu Zaobao), reported. However, as the investigation is still in progress, the real identity and purpose of the hacker remain a mystery. "It is definitely impossible for us to do this, because hacking into government websites is illegal," Luo Yuwei, an official with the China Eagle Union, told Interfax. China Eagle Union is a domestic non-profit organization that has been involved in hacker wars against Japanese and American counterparts. The Chengdu Agricultural Committee, meanwhile, is planning to improve its network security after the accident. "We will upgrade our website this year," Wu said. -KW From isn at c4i.org Tue Feb 7 04:14:17 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 7 Feb 2006 03:14:17 -0600 (CST) Subject: [ISN] Shock Absorbers Message-ID: http://www.time.com/time/insidebiz/article/0,9171,1156596,00.html By MARYANNE MURRAY BUECHNER Posted Feb. 05, 2006 When 21-year-old Web entrepreneur Alex Tew received a $50,000 ransom demand last month, he remembers thinking, "There's no way on earth I'm paying these guys." Hackers had kidnapped Tew's Million Dollar Homepage, an advertising website, crippling it with a flood of data. 
Thousands of dollars, six days and two security teams later, the site was back up. "I can understand why gambling sites that accept thousands of dollars a day could choose to pay and be done with it," Tew says, "but I made a point of standing firm." As cyberextortion schemes become increasingly common, their targets have another choice: cyberinsurance. Demand for this emerging category of insurance, which will even cover a ransom payment, has jumped as more companies--and not just tech firms--depend on digital networks to do business. Written premiums topped $200 million in 2005, up from $100 million in 2003, according to Aon Financial Services Group managing director Kevin Kalinich, as corporations realize they have to guard against liability in addition to the hackers themselves. The rise of the hacker as extortionist reflects a broader change in hacker culture. "It used to be teenagers looking for bragging rights," says Johannes Ullrich, chief research officer for the SANS Institute, a security think tank. "Now it's done for profit." And it's done from anywhere in the world, so catching the bad guys can be complicated. Ullrich estimates that there are 10 or 20 cases a day, compared with virtually none three years ago. More sophisticated viruses, spyware and other forms of malicious code, meanwhile, are the new weapons of choice for committing identity theft, bank fraud, even industrial espionage. Computer crime costs U.S. businesses an estimated $67.2 billion a year, according to the FBI. There are two sides to cyberinsurance: first-party coverage helps companies recover losses owing to, say, a network outage. Many first-party policies also include payments to hackers holding your website or customer data hostage, says ACE USA underwriter Brad Gow. Third-party liability covers legal expenses if security fails and someone sues. 
Annual premium payments range from $7,500 for a medium-size ($25 million in sales) company to hundreds of thousands of dollars for a multinational corporation, according to AIG. To qualify for coverage, companies must adhere to internationally accepted security standards. "You never know what you're going to come up against," says Moira Mooney, senior risk manager for InterActiveCorp, which owns several online businesses. "Having the insurance is a backstop." What has really kicked things off for the cyberinsurance market is new legislation, in effect in some 20 states, that requires companies to notify customers when their personal data may have been compromised. There were 134 such breaches last year, potentially affecting more than 57 million people, according to the Identity Theft Resource Center. "Companies used to bury this stuff," says Chris Hoofnagle, senior counsel for the Electronic Privacy Information Center. Now that they must go public, buying insurance can reduce liability risk. Insured or not, the top priority is still prevention. Procter & Gamble, for one, eschews cyberinsurance. "What would be scary for us is if we lost critical data--about R&D, our supply chains, even a marketing plan--to our competitors," says chief information officer Filippo Passerini. "There's no insurance that could cover all the damage." From isn at c4i.org Tue Feb 7 04:13:38 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 7 Feb 2006 03:13:38 -0600 (CST) Subject: [ISN] Azeri hackers attack Danish web sites Message-ID: http://www.cascfen.org/news.php?nid=1479&cid=6 CASCFEN, Baku 06.02.2006 It seems that the new information-communication technologies are going to be used for taking revenge on the case of cartoons of the holy Muslim Prophet Mohammed. As reports the web site Vlasti.Net, Azerbaijani hackers have attacked several Denmark based web sites as a revenge for publication of Mohammed's offensive cartoons. 
The hackers themselves explain this attack as the light one and don't touch the databases of the hacked web sites. Hackers expressed their protest by simple defacing of the first pages of the Danish web sites. Following are some URL.s of the Danish web sites provided by Vlasti.Net which are "defaced" by Azerbaijani hackers: http://vaaren.dk; http://www.corecomputer.dk; http://www.roklub-forum.dk; http://www.inchrist.dk and http://www.lamri.dk. An image calling to "Jihad" appears instead of home pages of the web sites. From isn at c4i.org Tue Feb 7 04:14:30 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 7 Feb 2006 03:14:30 -0600 (CST) Subject: [ISN] Group Crafts Standards for Evaluating Outsourcers Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,108379,00.html By Jaikumar Vijayan FEBRUARY 06, 2006 COMPUTERWORLD Six large U.S. banks, an industry group and four major accounting firms joined forces in early 2004 to create standards for assessing the security practices of outsourcing vendors that work with financial services firms. The goal was to create consistent standards for use in evaluating the controls that outsourcing vendors use to protect sensitive data, said Faith Boettger, a senior consultant at BITS, the technology arm of the Washington-based Financial Services Roundtable. The standards are now available to the financial services community, following a trial of the program undertaken by five service providers, including IBM, Acxiom Corp. and First Data Corp. The standards program, called the Financial Institution Shared Assessments Program, was developed by BITS, Bank of America Corp., The Bank of New York Co., Citigroup Inc., JPMorgan Chase & Co., U.S. Bancorp and Wells Fargo & Co. Accounting firms Deloitte & Touche LLP, KPMG International, PricewaterhouseCoopers and Ernst & Young International serve as technical advisers for the program. 
The guidelines can be used to evaluate an outsourcer's controls for access, asset classification, personnel security, physical and environmental security, communications, business continuity and regulatory compliance, Boettger said. The group expects that the standards will result in improved security and risk-management practices, she said. The program will also give auditing firms standard criteria for measuring the security practices of different service providers, she added. "BITS member companies have for a long time been focused on looking at the management of risk within outsourcing relationships," Boettger said. The new programs should help such companies better meet their regulatory and risk management requirements, she explained. Joe Duffy, lead managing partner for the performance improvement practice at PricewaterhouseCoopers, said the initiative is an example of the private sector coming together to address information security issues at a time of heightened regulatory oversight. "What is groundbreaking here is the fact that industry, the accounting profession and the supplier community are coming together and agreeing" on common assessment standards, Duffy said. From isn at c4i.org Tue Feb 7 04:14:43 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 7 Feb 2006 03:14:43 -0600 (CST) Subject: [ISN] In QDR, Defense focuses on combating cyberthreats Message-ID: http://www.gcn.com/vol1_no1/daily-updates/38207-1.html By David C. Walsh Special to GCN 02/06/06 As expected, the newly released Quadrennial Defense Review suggests an evolution in Pentagon thinking about the role of IT in countering cyberthreats. Among IT successes, the 113-page review cites the use of computer-guided drone aircraft in Iraq and Afghanistan. These "in-country" unmanned aerial vehicles, noted the QDR [1], are remotely controlled by operators in Nevada. President Bush submitted the QDR to Congress along with his fiscal 2007 budget request. 
The QDR is a report the Defense Department produces every four years that lays out DOD's 20-year projection for transformation. These "net-centric reach-backs," noted the report, "achieve a level of air-ground integration that was difficult to imagine just a decade ago." The immediacy of such communications assets "is helping joint forces gain greater situational awareness to attack the enemy," enabling "faster decision-making and subsequent actions," according to the QDR. In the larger scheme, net-centricity wasn't only an enterprise asset but "a weapons system to be protected" like other parts of the nation's critical infrastructure. Information security is so vital, the document warns, that even cyberattacks from abroad could result in an unspecified "overwhelming response." Foreign nations, and not just individuals or small groups, may be involved in sabotage attempts. China is identified as among "near-peer competitors" that bear watching, the QDR stressed. Of DOD's $30 billion IT budget, $2 billion a year is spent on information assurance. Guided by the QDR, the 2007 budget request has increased by $500 million. Current and evolving cyberthreats, the review added, underscored the need to "design, operate and defend the network to ensure continuity of joint operations." This includes the core of net-centric operations, the Global Information Grid (GIG), which enables the digital collection, communication, storage and management of data for Defense. Among the steady progress in this area, the QDR stated, is deployment of "an enhanced land-based network and new satellite constellation" - part of the Transformational Communication Architecture. This ensures "high-bandwidth, survivable Internet protocol communications." Notwithstanding successes in integrating data across different enterprises and time zones, the QDR acknowledged "capability gaps" in military information operations. 
In all of Iraq, only 133 translators or "heritage speakers" are deployed, for example. To close the gaps and ensure seamless communications, DOD would, according to the QDR, "develop new tools and processes for assessing, analyzing and delivering information to key audiences." David Walsh is a freelance writer in Chevy Chase, Md. [1] http://www.defenselink.mil/qdr/report/Report20060203.pdf From isn at c4i.org Tue Feb 7 04:14:57 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 7 Feb 2006 03:14:57 -0600 (CST) Subject: [ISN] Researchers: Popular apps have mismanaged security Message-ID: http://www.networkworld.com/news/2006/020606-application-security.html By Robert McMillan IDG News Service 02/06/06 Big-name companies like America Online (AOL) and Adobe could do a better job of writing secure software, according to a recent report by two Princeton University researchers. The researchers took a look at a number of popular applications, including AOL Instant Messenger and Photoshop, and determined that many of them made changes to the operating system that could allow attackers to bypass some Windows security mechanisms. (Read the report - PDF. [1]) The Princeton team focused on the Windows access control system, which determines what types of things users and applications can do on any given PC. Their conclusion: Many programs ask for too many privileges, opening the door for potential attackers. "Vendors are making mistakes when they write programs for Windows," said Sudhakar Govindavajhala, a Princeton Ph.D. student, and one of the authors of the paper. "It's worrying that your computer can become insecure on installation of new programs." An attacker would first need to gain access to a local account on a computer to take advantage of the problems described in the paper, Govindavajhala said. "These attacks are not exploitable over the Internet, but if someone can get a handle of your machine, then one can do interesting things," he said. 
After years of focusing on Windows, attackers are increasingly targeting the software that is running on top of the operating system, according to the SANS Institute, a training organization for computer security professionals. SANS lists [2] instant messaging applications, media players and backup software among the most critical areas for new security vulnerabilities. Another Princeton computer scientist who is familiar with the paper said that the research shows just how widespread these "privilege escalation" problems really are. "For the average user, it's a reminder that software applications can open security holes and that application vendors do make mistakes that can cause risks for users," said Ed Felten, a professor of computer science and public affairs. "No application should be considered completely safe." The MediaMax copy protection software used by Sony BMG Music Entertainment was recently discovered to have this kind of privilege escalation flaw, according to Felten. MediaMax's producer, SunnComm, has since patched the problem, he said. The security vulnerabilities that Govindavajhala and his co-author Andrew Appel discovered have been fixed in the AIM client and Adobe's products [3], but there are other programs that suffer from the same problem, Govindavajhala said. Govindavajhala did not want to name specific unpatched products because that information could be used by attackers, he said. [1] http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf [2] http://www.sans.org/top20/ [3] http://www.frsirt.com/english/advisories/2006/0431 From isn at c4i.org Wed Feb 8 03:19:23 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 8 Feb 2006 02:19:23 -0600 (CST) Subject: [ISN] Honeywell blames ex-employee in data leak Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,108434,00.html By Robert McMillan FEBRUARY 06, 2006 IDG NEWS SERVICE Honeywell International Inc. 
says a former employee has disclosed sensitive information relating to 19,000 of the company's U.S. employees. Honeywell discovered the information being published on the Web on Jan. 20 and immediately had the Web site in question pulled down, said company spokesman Robert Ferris. In court filings dated Jan. 30, the company accused former employee Howard Nugent of Arizona of accessing the information on a Honeywell computer and then causing "the transmission of that information." Nugent has since been ordered not to disclose any information about Honeywell, including "information about Honeywell's employees (payroll data, Social Security numbers, personal information, etc.)," according to a Jan. 31 order signed by Judge Neil Wake of the U.S. District Court for the District of Arizona. The precise method Nugent is alleged to have used to gain access to the information, and why he may have disclosed it, is not clear. In the court filings, Honeywell claimed that Nugent "intentionally exceeded authorized access to a Honeywell computer," but the integrity of Honeywell's computer systems was not compromised, Ferris said. "Nobody hacked into systems," he said, without disclosing further details on the data breach. Honeywell employees were notified of the breach via e-mail on Jan. 23, just days after it was discovered, and the company has since mailed notices about the compromise to all affected employees, Ferris said. The company is working with federal and local authorities on the case, but Ferris declined to comment on whether criminal charges were expected to be filed. Nugent could not be reached to comment for this story. 
From isn at c4i.org Wed Feb 8 03:19:51 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 8 Feb 2006 02:19:51 -0600 (CST) Subject: [ISN] NIST experts craft data removal handbook Message-ID: http://www.washingtontechnology.com/news/1_1/daily_news/27920-1.html By Joab Jackson Contributing Staff Writer 02/07/06 Wonder no longer about how to remove sensitive data from the hard drives and optical disks you are about to toss. The National Institute of Standards and Technology has issued a set of draft guidelines on how to safely remove information from obsolete forms of storage. Matthew Scholl, Richard Kissel, Steven Skolochenko and Xing Li of the NIST Information Technology Laboratory authored Special Publication 800-88 [1], "Guidelines for Media Sanitization: Recommendations of the National Institute of Standards and Technology," which was sponsored by the Homeland Security Department. "When storage media are transferred, become obsolete or are no longer usable or required by an information system, it is important to ensure that residual magnetic, optical or electrical representation of data that has been deleted is not easily recoverable," the guidelines stated. Although the publication summarizes the ways to remove data, it emphasizes that a proper disposal methodology should not be based on the type of storage being disposed, but rather on the confidentiality of the material the medium contains. The authors conclude that there are three general approaches to excising data from various storage technologies: Clearing: This approach usually involves overwriting the data with new random data, or in cases of electronic devices, deleting existing information and performing a manufacturer's hard reset (if one exists). Purging: This approach involves "degaussing" the medium, a procedure that involves generating a magnetic field to neutralize the magnetically encoded information. 
The report notes that the new Serial ATA hard disk drives have a firmware-based Secure Erase command that can purge information to the same degree of unrecoverability. Destroying: The form of destruction depends on the type of media being used. Shredding could work for paper, while pulverization, melting and incineration (tasks usually outsourced) would be more appropriate for hard disks or optical disks. Sanding off the physical recording surface is another option. The report also shows how to apply these approaches to various technologies such as personal digital assistants, routers, copy machines, hard drives and floppy disks. NIST also urged organizations to establish enterprise governance procedures for erasing material from old technologies. "Ultimately, the head of the organization is responsible for ensuring that adequate resources are applied to the program and for ensuring program success," the report noted. "Senior management is responsible for ensuring that the resources are allocated to correctly identify types and locations of information and to ensure that resources are allocated to properly sanitize the information." [1] http://csrc.nist.gov/publications/drafts/DRAFT-sp800-88-Feb3_2006.pdf From isn at c4i.org Wed Feb 8 03:20:05 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 8 Feb 2006 02:20:05 -0600 (CST) Subject: [ISN] 'Sleeper bugs' used to steal .1m in France Message-ID: http://www.guardian.co.uk/france/story/0,,1703777,00.html Kim Willsher in Paris February 7, 2006 The Guardian Russian thieves have stolen more than .1m (?680,000) from personal bank accounts in France using "sleeper bugs" to infect computers. French authorities claim the thieves can take control of and empty a bank account in seconds. In one hit, a bank customer lost .40,000. Police say the virus is embedded in emails or websites and remains dormant until the user contacts their bank online. 
When that happens, the bug becomes active and records passwords and bank codes which are then forwarded to the thieves. They then use the information to check the victim has money in the bank before transferring funds to the accounts of third parties, known as mules, who may have agreed to allow money to pass through their accounts in return for a commission of between 5% and 10%. Police claim this is set up through fictitious companies, including one American firm named World Transfer, although the mules could be unaware that their computers are being used for theft. A dozen Russian thieves, described by police as being typically aged between 20 and 30, and several Ukrainian masterminds of the scam have been arrested in Moscow and St Petersburg. The authorities were alerted in November 2004, when a bank customer noticed a large sum missing from his account. This was followed by other reports of theft all over France. In 11 months, the thieves had stolen .1m. Nicolas Woirhaye, a security expert, said the French authorities were alerted to scams every three weeks. He said the best way to beat pirates was to use up-to-date anti-virus software. "All the French victims were trapped because they didn't have any [computer] protection," he said. From isn at c4i.org Wed Feb 8 03:20:20 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 8 Feb 2006 02:20:20 -0600 (CST) Subject: [ISN] Cyber Law Enforcement in Nepal Message-ID: http://english.ohmynews.com/articleview/article_view.asp?article_class=4&no=273060&rel_no=1 Bishnu K.C. 2006-02-08 Laws are established and enforced by the authority, legislation, or custom of a given community, state or nation to maintain orderly coexistence. Basically, cyber law deals with child pornography, cyber-stalking, cyber-scams, online fraud, software piracy and much more. Legal experts are working in this field to help educate and guide the Internet community on crime prevention and the reporting of cyber crimes. 
After many years of discussion and effort, the government of Nepal recently crafted the much awaited Electronic Transaction and Digital Signature Act-Ordinance (ETDSA)-2061 (2004), popularly known as "Cyber Law." This law has provided new trust to the Information Technology (IT) sector, and computer and IT professionals are hopeful that it will create a favorable situation for conducting IT business. It contains a strong provision of punishment against cyber crimes according to the nature of the crime. As per the provisions of the law, the government is fully authorized to punish cyber criminals, whether individuals or institutions.

To what extent "laws are made to be broken" is the big question facing all Nepali people now. Cyber law exists in Nepal, but it has failed to address many problems. The law is not stringent enough to deal comprehensively with cyber-related crimes. Problems of online media, as well as fines and imprisonment, are not as big as in the U.S. and Japan.

Corruption is seen in every field. Big government and some private organizations are using pirated CDs. Even some security organizations responsible for taking action against this crime are seen as violating the rules. Software CDs can be seen on the footpaths of Kathmandu, which has decreased their value, as well as violated the newly implemented law of the country. People are crowding into these places because the price is low. People want just the CDs. Who cares about the quality and the law?

Program CDs of great value are found all over the Kathmandu valley and prices range from Rs. 50-100 (U.S.$0.70-1.40). Though this is not new to any Nepali citizen, it may attract the attention of some foreigners visiting Nepal. But even foreigners are taking numerous pirated software CDs back to their countries, said one seller on New Road in Kathmandu.

This problem is not limited to CDs. Even in cybercafes, children of young ages can be seen using porn sites.
The proprietor of the cafe, not caring about the law, just wants all his computers to be occupied. Different hacker software can be found on each individual's computer. Whenever anyone buys a new software CD, it is shared with all his friends and relatives. So, it has become a habit for all Nepali people to share CDs. The misuse of the Internet can prove to be a haven for all kinds of abuses, but who is responsible for this?

Despite its disadvantages, the Internet has been a boon for all humans, regardless of age. It seems as if people who are used to it cannot live without it. One can say it has become a part of life. Everybody everywhere, in the cafes or in their vehicles, can be busy on the net, either for information or fun.

The effective implementation of cyber law will be a necessity. Nepal will not be able to regulate the information technology industries without taking the international legal context into account. The main thing is that regulations are enforced. First of all, the authorities should be self-concerned before awakening the citizens. There is still a lot of homework to be done if Nepal expects a boom in the IT sector.

According to the Ministry of Science and Technology, they are working on bringing out cyber regulations in the days ahead and we should expect them to be crafted very soon. Since the computing field is a dynamic one, policies and laws related to this area need to be revised periodically to reflect the changing trends, at both the local and the global level.
©2006 OhmyNews

From isn at c4i.org Wed Feb 8 03:20:33 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 8 Feb 2006 02:20:33 -0600 (CST)
Subject: [ISN] Microsoft security service to ship in June
Message-ID:

http://news.com.com/Microsoft+security+service+to+ship+in+June/2100-7350_3-6036290.html

By Joris Evers
Staff Writer, CNET News.com
February 7, 2006

Microsoft plans to ship a new security product in June, charging $49.95 a year to shield up to three PCs against viruses, spyware and other cyberthreats, the company said on Tuesday.

As previously reported, Windows OneCare Live's June debut marks Microsoft's long-anticipated entry into the consumer antivirus market. That space has long been the domain of specialized vendors, led by Symantec and McAfee. Microsoft announced its intent to offer antivirus products in June 2003 when it bought Romanian antivirus software developer GeCad Software.

OneCare combines antivirus, anti-spyware and firewall software with backup features and several tune-up tools for Windows PCs. The product will be sold online and in stores, Microsoft said. The software maker is following common routes to get its software into consumers' hands. It will offer a free 90-day test period and is working on deals with PC makers to ship OneCare on new computers, said Dennis Bonsall, director of Windows OneCare Live at Microsoft.

Buyers can install OneCare on up to three PCs that run Windows XP with Service Pack 2. This is a discount over rival products from Symantec and McAfee, which charge $119.99 and $139.99, respectively, before rebates, for three-user editions of their security suites. The Symantec and McAfee products are often heavily rebated.

"Up to three licenses is a real good deal," said Andrew Jaquith, an analyst with The Yankee Group in Boston. "I think it is very consumer-friendly and a good deal for families and SOHO (small office, home office) type businesses."
OneCare also includes support at no additional charge via e-mail, online chat or phone, Microsoft said. This compares to oft-criticized, mostly paid-support options from Symantec and McAfee. Microsoft announced its plans for OneCare in May 2005. Invited testers have been trying it out since last July and a public test version was released late last year. About 170,000 people are testing OneCare. As a thank-you, testers can get a discounted rate of $19.95 per year if they sign up in April, Bonsall said. Microsoft will sell OneCare on a subscription basis--a change from the traditional way security software has been sold. As long as a subscription is active, users will get signature and feature updates to guard against the latest attacks. Traditionally, users paid annually for signature updates, while a product upgrade required an additional purchase. Symantec and McAfee sell their boxed security suite products for $69.99, before any rebates, and then charge an annual fee for signature updates. However, both security companies have also been moving to a subscription model. In addition to adding subscription options, established security software sellers have prepared for Microsoft's market entry by adding anti-spyware to their security suites. Symantec later this year also plans to introduce a new product, code-named Genesis, that will be sold on a subscription-only basis and has many of the same features as OneCare. "If Microsoft had not combined the two, you would still see the mainstream antivirus vendors all trying to premium-price all these things separately," Jaquith said. Initially, OneCare will only be available in English on the U.S. market. Microsoft plans to have test versions out in other languages within the next year, a representative said. The global antivirus market is growing; it reached $3.7 billion in revenue in 2004, up 36 percent from 2003, IDC said in December. 
The market research outfit forecasts the antivirus market will grow to $7.3 billion in 2009.

With OneCare, Microsoft is targeting consumers, especially those who do not run security or have let their current product expire. The company says it believes 70 percent of consumers fall into that category. In a recent research note, The Yankee Group estimated the niche as a market worth potentially $15 billion.

The company plans to include Windows Defender, an anti-spyware program, within Windows Vista, the update to the operating system scheduled to arrive before the 2006 holiday sales season. However, there are no plans to bundle antivirus software in Vista.

Microsoft is also eyeing the enterprise security market. It is working on a new Microsoft Client Protection product to defend business desktops, laptops and file servers against malicious attacks.

From isn at c4i.org Thu Feb 9 01:41:24 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 9 Feb 2006 00:41:24 -0600 (CST)
Subject: [ISN] User Account Control in Windows Vista
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

GuardianEdge Technologies
http://list.windowsitpro.com/t?ctl=2030B:4FB69

GuardianEdge Technologies--Sweepstakes
http://list.windowsitpro.com/t?ctl=202FB:4FB69

====================

1. In Focus: User Account Control in Windows Vista

2. Security News and Features
- Recent Security Vulnerabilities
- ISA Server 2004 Service Pack 2 Now Available
- IE 7.0 Beta 2 Preview Available for Public Review
- Researchers Already Scouring IE 7.0 for Holes

3. Security Toolkit
- Security Matters Blog
- FAQ
- Share Your Security Tips

4. New and Improved
- Soft Token, Strong Authentication

====================

==== Sponsor: GuardianEdge Technologies ====

Encrypt your data--from Active Directory!
The Encryption Anywhere Data Protection Platform from GuardianEdge is a powerful tool for protecting data, managing compliance and enhancing mobility. Controlled within Active Directory, the Encryption Anywhere platform is a scalable, modular system for securing data on end-point devices and for applying consistent encryption policies across your organization. The Encryption Anywhere platform leverages what you've already established in AD, letting you distribute and manage encrypted Microsoft clients without changing your current processes. Encryption is the only true way to protect data; the Encryption Anywhere platform is the breakthrough enterprise encryption solution that provides truly robust enterprise management capabilities while leveraging your existing architecture and investment. For more information, visit
http://list.windowsitpro.com/t?ctl=2030B:4FB69

====================

==== 1. In Focus: User Account Control in Windows Vista ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Microsoft recently released the document "Applying the Principle of Least Privilege to User Accounts on Windows XP" (at the URL below), which aims to help you implement least-privileged user accounts (LUAs) in your Windows XP environment. The LUA terminology has been in use for quite a while now. Even so, Microsoft apparently wanted a clearer phrase for the concept. Initially, LUA was renamed User Account Protection (UAP), and most recently, the company landed on User Account Control (UAC), which will be the terminology used from here on out.
http://list.windowsitpro.com/t?ctl=202F7:4FB69

When Windows Vista makes its debut, native UAC will be built into the OS, so you won't have to jump through countless hoops trying to limit use of administrative privileges on your network.
Vista will expose new UAC policies that let you better control user accounts. When using Vista, you'll either be considered a standard user or an administrator with privileges and rights appropriate to those two general types of accounts. For example, there will be 14 different types of administrative consent that cover the usual tasks a person might need to perform. In general, Vista will operate a bit more like Linux systems when it comes to administrative access. You'll operate on the desktop with least privileges, and your account will have a policy assigned to handle any need for elevation of privileges. Standard users will either be prompted for credentials (username and password) or denied elevated access outright, depending on the policy settings. Administrative accounts will have both those possibilities, plus a Prompt for Consent option. In the latter case, administrators would simply click Yes or No to elevated privileges instead of having to enter their credentials. Application installation will be an issue for some users, depending on their particular network. Vista will let you control whether elevation takes place when required by an application. Microsoft said that in an enterprise network, such elevation probably won't be required when installation is delegated to Group Policy Software Install (GPSI) or Microsoft Systems Management Server (SMS). Another policy will govern applications that require elevation of privileges. You'll be able to deny elevation if the applications don't have a valid digital signature. To help with legacy applications that don't adhere to Vista's new architecture, you'll also be able to redirect registry and file writing activity to safe areas on the system. 
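To make the elevation rules and the write redirection concrete, here is a small Python model added for this archive; it is neither Microsoft's code nor anything from the column. It models only what the column describes (the two account types, the prompt-or-deny policies, the signature requirement and virtualized writes); the VirtualStore paths are those of released Windows Vista and, like the user profile path and the sample policy values, are assumptions rather than details from the column.

```python
"""Model of the Vista User Account Control behaviour described in the column
(added example, not Microsoft's code).  Policy values, the user profile path
and the application paths are constructed; the VirtualStore locations are
those of released Windows Vista and are not given in the column."""
from dataclasses import dataclass
from enum import Enum


class Elevation(Enum):
    DENY = "deny elevation"
    PROMPT_FOR_CREDENTIALS = "prompt for username and password"
    PROMPT_FOR_CONSENT = "prompt for consent (Yes/No)"


@dataclass(frozen=True)
class UacPolicy:
    # What happens when a standard user or an administrator needs elevation.
    standard_user: Elevation = Elevation.PROMPT_FOR_CREDENTIALS
    administrator: Elevation = Elevation.PROMPT_FOR_CONSENT
    # Deny elevation to applications without a valid digital signature.
    require_valid_signature: bool = True
    # Redirect legacy applications' writes to protected areas instead of failing them.
    virtualize_legacy_writes: bool = True

    def __post_init__(self):
        # The column gives standard users only two outcomes: a credential prompt
        # or denial.  Consent-only elevation exists for administrators.
        if self.standard_user is Elevation.PROMPT_FOR_CONSENT:
            raise ValueError("standard users cannot be granted consent-only elevation")


@dataclass(frozen=True)
class ElevationRequest:
    is_administrator: bool
    has_valid_signature: bool


def decide_elevation(policy: UacPolicy, request: ElevationRequest) -> Elevation:
    """Outcome of an application's request for elevated privileges."""
    if policy.require_valid_signature and not request.has_valid_signature:
        return Elevation.DENY
    return policy.administrator if request.is_administrator else policy.standard_user


# Protected locations named in the column; Windows\System32 lies under C:\Windows.
_PROTECTED_DIRS = ("C:\\Program Files", "C:\\Windows")
_HKLM_SOFTWARE = "HKEY_LOCAL_MACHINE\\SOFTWARE"
# Per-user shadow location (released Vista; an assumption as far as the column goes).
_VIRTUAL_HKLM = "HKEY_CURRENT_USER\\Software\\Classes\\VirtualStore\\MACHINE\\SOFTWARE"


def virtualize_write(policy: UacPolicy, target: str, user_profile: str = "C:\\Users\\alice"):
    """Where a non-elevated legacy application's write to `target` actually lands.

    Writes outside the protected areas pass through unchanged.  Writes into a
    protected area go to the user's VirtualStore when the policy allows
    virtualization, and are refused (None) otherwise.
    """
    upper = target.upper()
    if upper == _HKLM_SOFTWARE or upper.startswith(_HKLM_SOFTWARE + "\\"):
        if not policy.virtualize_legacy_writes:
            return None
        return _VIRTUAL_HKLM + target[len(_HKLM_SOFTWARE):]
    for root in _PROTECTED_DIRS:
        if upper.startswith(root.upper() + "\\"):
            if not policy.virtualize_legacy_writes:
                return None
            relative = target[len(root) + 1:]
            return f"{user_profile}\\AppData\\Local\\VirtualStore\\{root[3:]}\\{relative}"
    return target


if __name__ == "__main__":
    policy = UacPolicy()
    print(decide_elevation(policy, ElevationRequest(is_administrator=True, has_valid_signature=True)))
    print(virtualize_write(policy, "C:\\Program Files\\LegacyApp\\settings.ini"))
```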
In other words, applications that typically write to the HKEY_LOCAL_MACHINE\SOFTWARE registry subkey or the Program Files, Windows, or Windows\System32 directories will still be able to run, but any write I/O will be written to virtualized locations instead of those actual locations. So the applications will run correctly, but sensitive storage areas won't be overly exposed.

UAC will be a welcome change in Windows that will surely bring greater security. There will of course be the usual learning curve, so the sooner you get started understanding the ins and outs, the better off you'll be when you begin to use the OS. You can catch glimpses of developing UAC functionality by reading Microsoft's UACBlog (at the URL below) on the Microsoft Developer Network (MSDN).
http://list.windowsitpro.com/t?ctl=20308:4FB69

====================

==== Sponsor: GuardianEdge Technologies ====

Win a TUMI Laptop Bag from GuardianEdge
Register to win one of four quality TUMI laptop computer bags from the company that brings you the Encryption Anywhere Data Protection Platform. GuardianEdge Technologies (formerly PC Guardian) will exhibit at the RSA Conference in San Jose, Feb 14 to 16 in Booth #1827. We are using the show to demonstrate Encryption Anywhere Hard Disk, which delivers full-volume encryption of XP computers right from Active Directory and the Microsoft Management Console. Register online for the contest. You do not have to be at the conference to win. Visit:
http://list.windowsitpro.com/t?ctl=202FB:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=202FD:4FB69

ISA Server 2004 Service Pack 2 Now Available
Microsoft released ISA Server 2004 Service Pack 2 (SP2).
The new service pack brings new features, including enhanced caching, HTTP compression, and traffic prioritization. http://list.windowsitpro.com/t?ctl=20303:4FB69 IE 7.0 Beta 2 Preview Available for Public Review Microsoft released a public beta of the long-awaited Internet Explorer (IE) 7.0. The new browser includes numerous security features that will help make Web surfing much safer than it was with previous versions of IE. http://list.windowsitpro.com/t?ctl=20305:4FB69 Researchers Already Scouring IE 7.0 for Holes As soon as Microsoft released IE 7.0 Beta 2 Preview, researchers went to work looking for security holes, and Tom Ferris found one. http://list.windowsitpro.com/t?ctl=20302:4FB69 ==================== ==== Resources and Events ==== Windows Connections Conference, April 9-12, 2006 Don't miss the essential Windows technology conference. Register early and save! http://list.windowsitpro.com/t?ctl=2030A:4FB69 WHITE PAPER: Evaluate the costs of losing information and learn what real-time information management means and how to accomplish it in your business. http://list.windowsitpro.com/t?ctl=202F6:4FB69 Learn to gather evidence of compliance across multiple systems, and link the data to regulatory and framework control objectives. Live Web Seminar: March 1, 2006; 12:00 EST http://list.windowsitpro.com/t?ctl=202F5:4FB69 Learn about the various applications of SSL certificates and their appropriate deployment, along with details of how to test SSL on your web server. http://list.windowsitpro.com/t?ctl=202FA:4FB69 Industry expert Paul Robichaux discusses how availability is a function of unplanned downtime only, helping you achieve a system available 99.9% of the time. http://list.windowsitpro.com/t?ctl=202FC:4FB69 ==================== ==== Featured White Paper ==== Learn how storage has been redesigned to provide administrators with the tools to manage the storage demands of today and the future. 
Defer storage purchases, separate backup data from protected data and more! http://list.windowsitpro.com/t?ctl=202F8:4FB69 ==================== ==== Hot Spot ==== Maximizing Network Security Against Spyware and Other Threats Are you solving the real problems of spyware? By leaving your systems open to reinfestation, you risk surging bandwidth consumption, system instability, overwhelmed Help desks, lost user productivity, and other consequences. Manage both the threats and vulnerabilities from one console as a comprehensive security solution. http://list.windowsitpro.com/t?ctl=202F9:4FB69 ==================== ==== 3. Security Toolkit ==== Security Matters Blog: SANS 2005 Information Security Salary Survey by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=20307:4FB69 SANS published its 2005 Information Security Salary & Career Advancement Survey. The results indicate that security administrators earn an average of $75,275 per year in the United States with an annual raise of 2.9 percent. Read more about the survey in this blog article. http://list.windowsitpro.com/t?ctl=20301:4FB69 FAQ by John Savill, http://list.windowsitpro.com/t?ctl=20306:4FB69 Q: What are the versions of Windows Vista? Find the answer at http://list.windowsitpro.com/t?ctl=20304:4FB69 Share Your Security Tips and Get $100 Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec at windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length. ==================== ==== Announcements ==== (from Windows IT Pro and its partners) VIP Subscribers have it all! 
Become a VIP subscriber and get continuous, inside access to ALL of the online resources published in Windows IT Pro magazine, SQL Server Magazine, and the Exchange and Outlook Administrator, Windows Scripting Solutions, and Windows IT Security newsletters--that's more than 26,000 articles at your fingertips. You'll also get a valuable one-year print subscription to Windows IT Pro and two VIP CD-ROMs that include the entire article database and are delivered twice per year. Don't miss out--sign up now: http://list.windowsitpro.com/t?ctl=202FF:4FB69 ==================== ==== 5. New and Improved ==== by Renee Munshi, products at windowsitpro.com Soft Token, Strong Authentication Diversinet announced the release of its next-generation MobiSecure soft token and MobiSecure Authentication Service Center (MASC). MobiSecure provides an automated self-service system (meaning that users can download the tokens themselves over the Internet) that can support strong authentication for online banking, remote online access, and secure e-commerce applications. MobiSecure soft tokens comply with the Open Authentication (OATH) Reference Architecture and interoperate with OATH-compliant hard-token and smart-card solutions. MobiSecure soft tokens are available now on mobile devices supporting Java, Symbian, Windows Mobile, Palm, and RIM; on SanDisk TrustedFlash memory cards; and on PCs running Windows. For more information, go to http://list.windowsitpro.com/t?ctl=2030C:4FB69 Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot at windowsitpro.com. 
==================== ==== Contact Us ==== About the newsletter -- letters at windowsitpro.com About technical questions -- http://list.windowsitpro.com/t?ctl=20309:4FB69 About product news -- products at windowsitpro.com About your subscription -- windowsitproupdate at windowsitpro.com About sponsoring Security UPDATE -- salesopps at windowsitpro.com ==================== This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today. http://list.windowsitpro.com/t?ctl=20300:4FB69 View the Windows IT Pro privacy policy at http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy Windows IT Pro, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2006, Penton Media, Inc. All rights reserved. From isn at c4i.org Thu Feb 9 01:41:41 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 9 Feb 2006 00:41:41 -0600 (CST) Subject: [ISN] Effects of Domain Hijacking Can Linger Message-ID: http://www.eweek.com/article2/0,1759,1923546,00.asp By Paul F. Roberts February 8, 2006 Malicious hackers who are able to hijack an organization's Web domain may be able to steal traffic from the legitimate Web site long after the domain has been restored to its owner, according to a recent report. Design flaws in the way Web browsers and proxy servers store data about Web sites allow malicious hackers to continue directing Web surfers to malicious Web pages for days or even months after the initial domain hijacking. The persistent attack could lead to information or identity theft, according to Amit Klein, a Web application security researcher with the Web Application Security Consortium. 
The problem, which Klein termed "domain contamination," exists because of features in Web proxy servers, which store versions of Web pages, and Web "clients," or browsers, including Microsoft's Internet Explorer, the Mozilla Foundation's Firefox and the Opera browser.

Proxy servers and browsers both establish trust relationships with Web servers that are identified as the authoritative host for a Web page in the DNS (domain name system), Klein said.

"Once a client believes it is communicating with the legitimate server for some domain, there's an implicit trust that's placed in that server that is not revoked," Klein told eWEEK.

For example, Web browsers store information on the Web server in Web cookies and cached Web pages that are stored locally. Once that information is downloaded and stored on the client, it can be very difficult to get rid of it, Klein said.

"There's just no way to sterilize the view or reflection of a Web site on the Internet," he said.

Domain hijacking is a recurrent problem on the Internet that occasionally gets mainstream attention, such as when aljazeera.net, the Web domain of the Arab satellite television network, was hijacked in March 2003. More recently, unknown hackers carried out a massive DNS poisoning attack on DNS servers worldwide in March 2005. That attack used a known vulnerability in a Symantec firewall as well as known weaknesses in Windows NT and Windows 2000 machines to change the DNS record for Web sites. The attack caused unknown numbers of Web surfers to be directed to malicious Web sites that installed spyware and other malicious programs, according to the SANS Institute's Internet Storm Center.

In those attacks, and others, domain hosting companies and Internet infrastructure providers moved quickly to restore control of the Web domain to its proper owner and reset DNS servers that had been compromised, ending the attack.
However, attackers can modify HTTP headers or HTML content on their attack Web site to ensure that it is stored locally for months or even years, Klein said. Internet users who were caught up in the attack will retain that cached copy of the attacker's site in their browser. The cached page may be the first loaded when the victim attempts to visit that Web page.

A sophisticated attacker who embedded scripts in the malicious page could continue to steal information from the victim long after the attack. For example, a script could harvest information from cookies used by the Web site, or load the actual Web page inside a frame in the cached page to conduct an attack that captures the interactions of the user on the page, Klein wrote.

Also, proxy Web servers that store cached content can, in certain circumstances, revalidate that content, prolonging the life of hijacked Web pages, Klein wrote.

The problem with domain contamination is caused by a major design flaw in the way Web domains are managed, Klein told eWEEK.

"Web browsers don't have any information about domain ownership or any versioning. From the browser's perspective, the google.com now and google.com of five years ago are the same domain with the same privileges," Klein said. "If they assigned a cookie five years ago, unless it expires naturally, there's no way to verify that the same owner is behind it."

Individuals who have the poisoned domain information can get rid of it simply by deleting affected browser cookies or clearing out their Web page cache -- standard features on almost every Web browser. However, organizations or individuals who have had their Web domain hijacked don't know which of their visitors went to the hijacked site and, thus, have little recourse to rectify the domain poisoning.

"The best response is not to get hijacked to begin with," said Johannes Ullrich, CTO at the SANS ISC. "Once it's happened, there's little that you can do about it."
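The two things the article says let a hijacked copy linger are the page's cache lifetime and the cookies it set. The following Python, added here as an example and not taken from Klein's report or the article, computes both the way RFC 2616 (freshness from Cache-Control max-age/s-maxage, else Expires minus Date) and RFC 6265 (Max-Age, else Expires) define them, so a site owner can audit what their own responses would leave behind in browsers and proxies; the two header sets at the bottom are constructed for illustration.

```python
"""Added example: how long a response, and the cookies it sets, would survive
in a browser or proxy cache, computed as RFC 2616 (13.2.3) and RFC 6265
define it.  The two header sets at the bottom are constructed for illustration."""
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Headers are (name, value) pairs so that several Set-Cookie headers can coexist.


def _header(headers, name):
    for key, value in headers:
        if key.lower() == name.lower():
            return value
    return None


def _http_date(value):
    parsed = parsedate_to_datetime(value.strip())
    # parsedate_to_datetime yields a naive datetime for a "-0000" zone; treat it as UTC
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def _seconds_directive(cache_control, name):
    match = re.search(rf'(?:^|,)\s*{name}\s*=\s*"?(\d+)', cache_control, re.I)
    return int(match.group(1)) if match else None


def cache_lifetime_seconds(headers, now, shared_cache=False):
    """Freshness lifetime in seconds; 0 means a cache may not reuse the copy
    without going back to the origin server."""
    cache_control = _header(headers, "Cache-Control") or ""
    tokens = {token.strip().lower() for token in cache_control.split(",")}
    if "no-store" in tokens or "no-cache" in tokens:
        return 0
    if shared_cache and "private" in tokens:
        return 0
    if shared_cache:
        s_maxage = _seconds_directive(cache_control, "s-maxage")
        if s_maxage is not None:
            return s_maxage
    max_age = _seconds_directive(cache_control, "max-age")
    if max_age is not None:
        return max_age
    expires = _header(headers, "Expires")
    if expires is None:
        return 0            # no explicit lifetime: heuristic caching is counted as 0 here
    try:
        expires_at = _http_date(expires)
    except (TypeError, ValueError):
        return 0            # an unparseable Expires value means "already expired"
    date_header = _header(headers, "Date")
    sent_at = _http_date(date_header) if date_header else now
    return max(0, int((expires_at - sent_at).total_seconds()))


def cookie_lifetime_seconds(set_cookie, now):
    """Seconds until a Set-Cookie header's cookie expires; 0 for a session
    cookie or one that is already expired.  Max-Age wins over Expires."""
    attributes = [part.strip() for part in set_cookie.split(";")[1:]]
    for attribute in attributes:
        if attribute.lower().startswith("max-age="):
            return max(0, int(attribute.split("=", 1)[1]))
    for attribute in attributes:
        if attribute.lower().startswith("expires="):
            expires_at = _http_date(attribute.split("=", 1)[1])
            return max(0, int((expires_at - now).total_seconds()))
    return 0


def audit_contamination_risk(headers, now, limit=timedelta(days=1)):
    """List the headers that would let a cached copy of this response, or its
    cookies, outlive the recovery of a hijacked domain by more than `limit`."""
    findings = []
    limit_seconds = limit.total_seconds()
    for shared, label in ((False, "browser"), (True, "proxy")):
        lifetime = cache_lifetime_seconds(headers, now, shared_cache=shared)
        if lifetime > limit_seconds:
            findings.append(f"{label} cache may keep this page for {lifetime // 86400} days")
    for key, value in headers:
        if key.lower() == "set-cookie":
            lifetime = cookie_lifetime_seconds(value, now)
            if lifetime > limit_seconds:
                name = value.split("=", 1)[0].strip()
                findings.append(f"cookie {name!r} persists for {lifetime // 86400} days")
    return findings


NOW = datetime(2006, 2, 9, tzinfo=timezone.utc)

# Constructed: a long-lived response of the kind the article warns about.
LONG_LIVED = [
    ("Date", "Thu, 09 Feb 2006 00:00:00 GMT"),
    ("Cache-Control", "public, max-age=31536000"),
    ("Expires", "Fri, 09 Feb 2007 00:00:00 GMT"),
    ("Set-Cookie", "sid=abc123; Expires=Wed, 09 Feb 2011 00:00:00 GMT; Path=/"),
]
# Constructed: what a recovered site can send so browsers and proxies discard their copies.
HARDENED = [
    ("Date", "Thu, 09 Feb 2006 00:00:00 GMT"),
    ("Cache-Control", "no-store, max-age=0"),
    ("Expires", "Thu, 09 Feb 2006 00:00:00 GMT"),
    ("Set-Cookie", "sid=; Max-Age=0; Path=/"),
]

if __name__ == "__main__":
    for label, headers in (("long-lived", LONG_LIVED), ("hardened", HARDENED)):
        print(label, audit_contamination_risk(headers, NOW) or ["no findings"])
```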
Using SSL (Secure Sockets Layer) to access a Web site can prevent DNS hijacking and Web cache poisoning, and changing your Web server responses to requests from proxy servers can keep them from holding onto poisoned cached content, Klein wrote.

From isn at c4i.org Thu Feb 9 01:41:51 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 9 Feb 2006 00:41:51 -0600 (CST)
Subject: [ISN] Spanish hacker jailed for two years
Message-ID:

http://www.theregister.co.uk/2006/02/08/spanish_hacker_jailed/

By John Leyden
8th February 2006

A Spanish hacker who launched a denial of service attack that hobbled the net connections of an estimated three million users has been jailed for two years and fined €1.4m.

Santiago Garrido, 26, (AKA Ronnie and Mike25) launched the attack using a computer worm in retaliation for being banned from the popular "Hispano" IRC chat room for breaking its rules. The resulting surge in malicious traffic disrupted an estimated three million users of Wanadoo, ONO, Lleida Net and other ISPs, or approximately a third of Spain's net users, at the time of the 2003 attack.

From isn at c4i.org Thu Feb 9 01:42:04 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 9 Feb 2006 00:42:04 -0600 (CST)
Subject: [ISN] Harrison Ford's latest family-in-peril thriller
Message-ID:

http://www.mercurynews.com/mld/mercurynews/entertainment/movies/13824243.htm

By Bruce Newman
Mercury News
Feb. 08, 2006

If you think your family is dysfunctional, consider the fate of the perpetually imperiled screen tribe of Harrison Ford: wife kidnapped (1988); wife and daughter abducted (1992); wife murdered (1993); wife and daughter taken hostage (1997); wife killed in plane crash (1999). Ford is the big daddy of domestic disaster, a Swiffer mop of calamity.
``Firewall'' is Ford's latest excavation of the family-in-peril thriller, and it is a mostly rote attempt to reboot ``The Desperate Hours'' -- the taut psychological standoff between Humphrey Bogart and Fredric March from 1955 -- for the computer age. Instead of dramatic tension, ``Firewall'' makes do with a lot of frantic typing at computer keyboards. It's like watching Microsoft's Service Pack 2 download for nearly two hours. This time, Ford plays Jack Stanfield, the designer of an impenetrable computer firewall that protects the Seattle bank where he is a trusted and beloved figure. But that all changes when super-hacker Bill Cox (played by Paul Bettany) sends his team of hench-geeks bursting into Jack's home -- laptops drawn -- to take his wife (Virginia Madsen) and two children hostage. Cox has figured out that the back door through which he can slip past the bank's security system is Jack himself. You don't go to a Harrison Ford movie expecting gritty realism, but even by the lowered standards of the modern thriller, what finally causes ``Firewall'' to collapse is a series of increasingly improbable plot twists. The most laughable of these can't be discussed without revealing the movie's climax, but it is accompanied by what is sure to be one of the year's funniest lines (though not intentionally): ``Where are they, Rusty?'' Jack asks the family schnauzer, completely serious. ``Where have they gone?'' This comes shortly after he uses his daughter's iPod to hotwire the bank's servers, moving $100 million to Cox's offshore account, while downloading Sharon Stone's Celebrity Playlist from iTunes. (OK, he doesn't really get the playlist, just the $100 million.) Cox is one of those suave, arrogant, ill-tempered, blond British bad guys, and Bettany plays him as if he had been stamped from a cookie cutter -- he's Jeremy Irons 2.0. Cox is supposed to be ruthless, willing to stop at nothing to get his loot. 
But when Jack makes a couple of lame attempts to outwit him early in the movie, Cox is strangely indulgent of his prize pawn. And when Jack's family does something that infuriates him, Cox gives them a cold-blooded demonstration of what will happen if they get out of line again by cruelly executing one of his own men. This is so inexplicable and bizarre that it reminded me of the famous scene in ``Blazing Saddles'' when the town's black sheriff takes himself hostage. Trying to convince a mob of hostile white people to drop the guns they have pointed at him, he points his own gun at his head and threatens to blow it off, then pleads for mercy from himself. In ``Blazing Saddles,'' this disarms both the town's nitwits and the audience. In ``Firewall,'' it just seems like the movie is too weak-kneed to kill a hostage, even though that's the only leverage Cox has got. Eventually, Jack goes on the run with his secretary Janet, who monitors a laptop computer to give him satellite updates on the whereabouts of his family. This would be preposterous enough, even if Janet weren't played by Mary Lynn Rajskub, the potato-faced actress who plays Chloe on ``24,'' where she is the loopy girl Friday to another Jack. By the time Jack Stanfield drives Janet's car toward the picture's climactic fight scene, the story has become so convoluted that the two of them have a thudding conversation covering all the important plot twists to make sure everyone is completely caught up. I won't spoil the ending, even though anyone who has followed Ford's career -- and how could you miss it? -- has seen it before. One nice touch: Cox continues to demonstrate what could happen to Jack's family by helpfully killing off his own henchmen. By the time he and Jack meet, the only remaining question is whether he will take himself hostage. 
-=-

`Firewall'
* 1/2
Rated PG-13 (some intense sequences of violence)
Cast: Harrison Ford, Paul Bettany, Virginia Madsen, Robert Patrick, Mary Lynn Rajskub
Director: Richard Loncraine
Writer: Joe Forte
Running time: 1 hour, 45 minutes

From isn at c4i.org Thu Feb 9 01:42:17 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 9 Feb 2006 00:42:17 -0600 (CST)
Subject: [ISN] Microsoft reports two bugs, third identified
Message-ID:

http://www.networkworld.com/news/2006/020806-microsoft-bugs.html

By Jeremy Kirk
IDG News Service
02/08/06

Microsoft is warning of two bugs in its software that could potentially give unauthorized control or access over a person's computer, while a third problem has been highlighted by a security research company.

One vulnerability revisits the Windows Metafile (WMF) debacle from December, but impacts fewer users. The bug is in Internet Explorer (IE) 5.01 Service Pack 4 on the Windows 2000 Service Pack 4 OS and IE 5.5 Service Pack 2 on Windows Millennium, Microsoft said. An attacker could gain control if a user opened a malicious e-mail attachment or if a user were persuaded into visiting a Web site that had a specially-crafted WMF image, Microsoft said.

A patch has not been issued, but Microsoft said the issue is under investigation, and an out-of-cycle patch could be provided depending on customer needs. Microsoft typically issues patches on the second Tuesday of the month, due this month on Feb. 14.

A second vulnerability could allow a person with low-user privileges to gain higher-level access, Microsoft said. Proof-of-concept code that has been released attempts to exploit overly permissive access controls on third-party application services, along with the default services of Windows XP Service Pack 1 and Windows Server 2003, the company said. No attacks have been reported.

Microsoft said several factors diminish the threat of the problem.
Those running Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 - the latest updates of the software - are not affected, and someone who launches an attack would need authenticated access to the affected operating system, it said. Security vendor Secunia detailed a third vulnerability involving Microsoft's HTML Help Workshop, software that can create online help for a software application or Web site content. Secunia said the problem "is caused due to a boundary error within the handling of a '.hhp' file that contains an overly long string in the 'contents file' field. This can be exploited to cause a stack-based buffer overflow and allows arbitrary code execution when a malicious '.hhp' file is opened." The bug could allow arbitrary code to be executed on a computer, Secunia said. An exploit has been released, and Secunia advised that untrusted .hhp files not be opened. From isn at c4i.org Fri Feb 10 02:07:44 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 10 Feb 2006 01:07:44 -0600 (CST) Subject: [ISN] Bank of America cancels numerous debit cards Message-ID: http://news.com.com/Bank+of+America+cancels+numerous+debit+cards/2100-1029_3-6037619.html By Greg Sandoval Staff Writer, CNET News.com February 9, 2006 A security breach involving an undisclosed company has prompted Bank of America to cancel the debit cards of numerous customers, a spokesman for the country's largest bank said Tuesday. Bank of America refused to release the name of the company involved, the exact number of customers affected, or whether the company in question was online or a traditional brick-and-mortar establishment. The case is unusual in that debit cards appeared to be at risk. Credit cards are typically involved in security breaches at financial institutions because they are used more often than debit cards for retail transactions. "These are intricate matters...and may involve information that is not exactly clear and concise," said Michael Chee, the bank's spokesman. 
"It would be premature to discuss any third parties until an investigation is conducted." Chee said that to this point, there is no evidence that any of its customer accounts have been compromised. The move to cancel debit cards was a precaution, he said. An investigation is under way, Chee said, but added that he was unaware of what law enforcement agency was overseeing it. Bank of America issued letters to many customers notifying them of the breach and that their debit cards were no longer good. The bank is also telling customers to watch out for any unauthorized transactions on their statements. "As a proactive security-minded effort, we may take steps to replace people's cards," Chee said. "We know this can represent a minor inconvenience. The question is, would we rather risk inconveniencing customers and protect their information and accounts or do we just do nothing?" From isn at c4i.org Fri Feb 10 02:07:59 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 10 Feb 2006 01:07:59 -0600 (CST) Subject: [ISN] Secunia Weekly Summary - Issue: 2006-6 Message-ID: ======================================================================== The Secunia Weekly Advisory Summary 2006-02-02 - 2006-02-09 This week : 55 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3...............................This Weeks Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. 
Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Several vulnerabilities have been reported in various Sun Java products, which potentially can be exploited by malicious people to compromise a user's system.

Please refer to the referenced Secunia advisories for additional details.

References:
http://secunia.com/SA18760
http://secunia.com/SA18762

--

A vulnerability has been reported in Internet Explorer 5.01 and 5.5, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an unspecified error. This can be exploited to execute arbitrary code on a user's system by e.g. tricking the user to visit a malicious website that hosts a specially crafted WMF file or via an email message containing a specially crafted attachment.

Reference:
http://secunia.com/SA18729

--

Several vulnerabilities have been reported in Mozilla Firefox, Mozilla Suite, and Mozilla Thunderbird.

For additional information please refer to the following Secunia advisories.

References:
http://secunia.com/SA18700
http://secunia.com/SA18704
http://secunia.com/SA18703

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA18700] Firefox Multiple Vulnerabilities
2. [SA18704] Thunderbird Multiple Vulnerabilities
3. [SA18649] Winamp Three Playlist Parsing Buffer Overflow Vulnerabilities
4. [SA18760] Sun Java JRE "reflection" APIs Sandbox Security Bypass Vulnerabilities
5. [SA18703] Mozilla Suite XML Injection and Code Execution Vulnerabilities
6. [SA18740] Microsoft HTML Help Workshop ".hhp" Parsing Buffer Overflow
7. [SA15546] Microsoft Internet Explorer "window()" Arbitrary Code Execution Vulnerability
8. [SA18698] Adobe Products Insecure Default File Permissions
9. [SA18699] Sun Java System Access Manager Administrator Access Weakness
10. [SA18691] cPanel Cross-Site Scripting Vulnerabilities

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA18729] Internet Explorer Unspecified WMF Image Handling Vulnerability
[SA18740] Microsoft HTML Help Workshop ".hhp" Parsing Buffer Overflow
[SA18744] Lexmark Printers LexBce Server Arbitrary Code Execution
[SA18731] Hosting Controller SQL Injection Vulnerabilities
[SA18730] CyberShop Ultimate Mc Cross-Site Scripting Vulnerabilities
[SA18716] MailEnable Enterprise Edition Webmail Denial of Service
[SA18756] Windows Insecure Service Permissions Privilege Escalation
[SA18728] Lexmark X1100 Series Printing Software Privilege Escalation
[SA18713] The Bat! RFC-822 Mail Header Spoofing Weakness

UNIX/Linux:
[SA18737] MyQuiz "myquiz.pl" Shell Command Injection Vulnerability
[SA18709] Fedora update for mozilla
[SA18708] Fedora update for firefox
[SA18706] Red Hat update for firefox
[SA18705] Red Hat update for mozilla
[SA18774] Fedora update for kernel
[SA18766] Linux Kernel ICMP Error Handling Denial of Service
[SA18763] Mandriva update for php
[SA18748] Mailback Mail Header Injection Vulnerability
[SA18746] Gentoo update for gst-plugins-ffmpeg
[SA18745] Gentoo update for adodb
[SA18742] Debian update for ipsec-tools
[SA18739] GStreamer FFmpeg Plug-in libavcodec Buffer Overflow
[SA18718] MPlayer ASF File Parsing Integer Overflow Vulnerabilities
[SA18717] SUSE Updates for Multiple Packages
[SA18707] KDE kpdf Splash Image Handling Buffer Overflow
[SA18743] Gentoo update for apache
[SA18710] Outblaze throw.main Cross-Site Scripting Vulnerability
[SA18733] Heimdal rshd Server Privilege Escalation Vulnerability
[SA18719] Trustix Fcron "convert-fcrontab" Two Vulnerabilities
[SA18712] OpenBSD Kernfs Kernel Memory Disclosure Vulnerability
[SA18772] Openwall crypt_blowfish Salt Generation Weakness
[SA18741] hcidump Bluetooth L2CAP Denial of Service Vulnerability
[SA18736] Mandriva update for openssh

Other:
[SA18750] QNX Neutrino RTOS Multiple Privilege Escalation Vulnerabilities
[SA18747] Sony Ericsson Cell Phones Bluetooth L2CAP Denial of Service

Cross Platform:
[SA18762] Java Web Start Sandbox Security Bypass Vulnerability
[SA18760] Sun Java JRE "reflection" APIs Sandbox Security Bypass Vulnerabilities
[SA18757] eyeOS "_SESSION" PHP Code Execution Vulnerability
[SA18722] Loudblog "path" File Inclusion Vulnerability
[SA18703] Mozilla Suite XML Injection and Code Execution Vulnerabilities
[SA18761] GuestBookHost SQL Injection Vulnerabilities
[SA18759] Unknown Domain Shoutbox Two Vulnerabilities
[SA18758] phphg Guestbook Multiple Vulnerabilities
[SA18732] PHP Link Directory ADBdb and PHPMailer Vulnerabilities
[SA18726] PluggedOut Blog Cross-Site Scripting and SQL Injection
[SA18721] Papoo Username Script Insertion Vulnerability
[SA18720] AgileBill ADOdb server.php Insecure Test Script Security Issue
[SA18715] PHP GEN Unspecified Cross-Site Scripting and SQL Injection
[SA18704] Thunderbird Multiple Vulnerabilities
[SA18754] MyBB "posts" SQL Injection Vulnerability
[SA18735] Gallery Unspecified Album Data Manipulation Vulnerability
[SA18725] IBM Tivoli Access Manager for e-business "pkmslogout" Directory Traversal
[SA18711] MediaWiki Edit Comment Formatting Denial of Service
[SA18738] IBM Lotus Domino LDAP Server Denial of Service Vulnerability
[SA18727] phpBB "gen_rand_string()" Predictable RNG Weakness

========================================================================
5) Vulnerabilities Content Listing

Windows:
--
[SA18729] Internet Explorer Unspecified WMF Image Handling Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-02-08

A vulnerability has been reported in Internet Explorer, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18729/

--
[SA18740] Microsoft HTML Help Workshop ".hhp" Parsing Buffer Overflow

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-02-06

bratax has discovered a vulnerability in Microsoft HTML Help Workshop, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18740/

--
[SA18744] Lexmark Printers LexBce Server Arbitrary Code Execution

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2006-02-08

Peter Winter-Smith of NGSSoftware has reported a vulnerability in the LexBce Server Service included with various Lexmark printers, which can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/18744/

--
[SA18731] Hosting Controller SQL Injection Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-07

Soroush Dalili has discovered two vulnerabilities in Hosting Controller, which can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18731/

--
[SA18730] CyberShop Ultimate Mc Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-06

B3g0k has reported two vulnerabilities in CyberShop Ultimate Mc, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18730/

--
[SA18716] MailEnable Enterprise Edition Webmail Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2006-02-07

A vulnerability has been reported in MailEnable Enterprise Edition, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18716/

--
[SA18756] Windows Insecure Service Permissions Privilege Escalation

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-02-08

Sudhakar Govindavajhala and Andrew W. Appel have reported some security issues in Microsoft Windows, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18756/

--
[SA18728] Lexmark X1100 Series Printing Software Privilege Escalation

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-02-08

Kevin Finisterre has reported a vulnerability in Lexmark X1100 Series, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18728/

--
[SA18713] The Bat! RFC-822 Mail Header Spoofing Weakness

Critical:    Not critical
Where:       From remote
Impact:      Spoofing
Released:    2006-02-08

3APA3A has discovered a weakness in The Bat!, which can be exploited by malicious people to conduct spoofing attacks.

Full Advisory:
http://secunia.com/advisories/18713/

UNIX/Linux:
--
[SA18737] MyQuiz "myquiz.pl" Shell Command Injection Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-02-06

Aliaksandr Hartsuyeu has reported a vulnerability in MyQuiz, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18737/

--
[SA18709] Fedora update for mozilla

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, DoS, System access
Released:    2006-02-03

Fedora has issued an update for mozilla. This fixes some vulnerabilities and a weakness, which can be exploited by malicious people to cause a DoS (Denial of Service), conduct cross-site scripting attacks, and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18709/

--
[SA18708] Fedora update for firefox

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, DoS, System access
Released:    2006-02-03

Fedora has issued an update for firefox. This fixes some vulnerabilities and a weakness, which can be exploited by malicious people to cause a DoS (Denial of Service), conduct cross-site scripting attacks, and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18708/

--
[SA18706] Red Hat update for firefox

Critical:    Highly critical
Where:       From remote
Impact:      System access, DoS, Cross Site Scripting
Released:    2006-02-03

Red Hat has issued an update for firefox. This fixes some vulnerabilities and a weakness, which can be exploited by malicious people to cause a DoS (Denial of Service), conduct cross-site scripting attacks, and potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/18706/

--
[SA18705] Red Hat update for mozilla

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, DoS, System access
Released:    2006-02-03

Red Hat has issued an update for mozilla. This fixes some vulnerabilities and a weakness, which can be exploited by malicious people to cause a DoS (Denial of Service), conduct cross-site scripting attacks, and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18705/

--
[SA18774] Fedora update for kernel

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information, DoS
Released:    2006-02-08

Fedora has issued an update for the kernel. This fixes two vulnerabilities, which can be exploited by malicious, local users to disclose potentially sensitive information, and by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18774/

--
[SA18766] Linux Kernel ICMP Error Handling Denial of Service

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-02-08

A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18766/

--
[SA18763] Mandriva update for php

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-02-08

Mandriva has issued an update for php. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/18763/

--
[SA18748] Mailback Mail Header Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-02-07

coderpunk has discovered a vulnerability in Mailback, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/18748/

--
[SA18746] Gentoo update for gst-plugins-ffmpeg

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-06

Gentoo has issued an update for gst-plugins-ffmpeg. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18746/

--
[SA18745] Gentoo update for adodb

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-07

Gentoo has issued an update for adodb. This fixes a vulnerability, which potentially can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18745/

--
[SA18742] Debian update for ipsec-tools

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-02-06

Debian has issued an update for ipsec-tools. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18742/

--
[SA18739] GStreamer FFmpeg Plug-in libavcodec Buffer Overflow

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-06

A vulnerability has been reported in GStreamer FFmpeg Plug-in, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18739/

--
[SA18718] MPlayer ASF File Parsing Integer Overflow Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-07

AFI Security Research has discovered two vulnerabilities in mplayer, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18718/

--
[SA18717] SUSE Updates for Multiple Packages

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Privilege escalation, DoS, System access
Released:    2006-02-03

SUSE has issued updates for multiple packages. These fix various vulnerabilities and a security issue, which can be exploited by malicious users to gain escalated privileges, bypass certain security restrictions and conduct script insertion attacks, or by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18717/

--
[SA18707] KDE kpdf Splash Image Handling Buffer Overflow

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-03

A vulnerability has been reported in KDE, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18707/

--
[SA18743] Gentoo update for apache

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, DoS
Released:    2006-02-07

Gentoo has issued an update for apache. This fixes two vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks and to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18743/

--
[SA18710] Outblaze throw.main Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-03

Simo Ben youssef has reported a vulnerability in Outblaze, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18710/

--
[SA18733] Heimdal rshd Server Privilege Escalation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-02-07

A vulnerability has been reported in Heimdal, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18733/

--
[SA18719] Trustix Fcron "convert-fcrontab" Two Vulnerabilities

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-02-03

Two vulnerabilities have been reported in Fcron, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18719/

--
[SA18712] OpenBSD Kernfs Kernel Memory Disclosure Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2006-02-03

SecurityLab Technologies has reported a vulnerability in OpenBSD, which can be exploited by malicious, local users to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/18712/

--
[SA18772] Openwall crypt_blowfish Salt Generation Weakness

Critical:    Not critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-02-08

A weakness has been reported in Openwall crypt_blowfish, which potentially can be exploited by malicious people to disclose certain sensitive information.

Full Advisory:
http://secunia.com/advisories/18772/

--
[SA18741] hcidump Bluetooth L2CAP Denial of Service Vulnerability

Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2006-02-08

Pierre Betouin has reported a vulnerability in hcidump, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/18741/

--
[SA18736] Mandriva update for openssh

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-02-07

Mandriva has issued an update for openssh. This fixes a weakness, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/18736/

Other:
--
[SA18750] QNX Neutrino RTOS Multiple Privilege Escalation Vulnerabilities

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation, DoS
Released:    2006-02-08

Multiple vulnerabilities have been reported in QNX Neutrino RTOS, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18750/

--
[SA18747] Sony Ericsson Cell Phones Bluetooth L2CAP Denial of Service

Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2006-02-08

Pierre Betouin has discovered a vulnerability in various Sony Ericsson cell phones, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18747/

Cross Platform:
--
[SA18762] Java Web Start Sandbox Security Bypass Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-02-08

A vulnerability has been reported in Java Web Start, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18762/

--
[SA18760] Sun Java JRE "reflection" APIs Sandbox Security Bypass Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-02-08

Seven vulnerabilities have been reported in Sun Java JRE (Java Runtime Environment), which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18760/

--
[SA18757] eyeOS "_SESSION" PHP Code Execution Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-02-08

James Bercegay has reported a vulnerability in eyeOS, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18757/

--
[SA18722] Loudblog "path" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-02-06

rgod has discovered a vulnerability in Loudblog, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18722/

--
[SA18703] Mozilla Suite XML Injection and Code Execution Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, System access
Released:    2006-02-02

Two vulnerabilities have been reported in Mozilla Suite, which can be exploited by malicious people to conduct cross-site scripting attacks and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18703/

--
[SA18761] GuestBookHost SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Security Bypass
Released:    2006-02-08

Aliaksandr Hartsuyeu has reported two vulnerabilities in GuestBookHost, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18761/

--
[SA18759] Unknown Domain Shoutbox Two Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-02-08

Aliaksandr Hartsuyeu has discovered two vulnerabilities in Unknown Domain Shoutbox, which can be exploited by malicious people to conduct script insertion and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18759/

--
[SA18758] phphg Guestbook Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of data
Released:    2006-02-08

Aliaksandr Hartsuyeu has discovered some vulnerabilities in phphg Guestbook, which can be exploited by malicious people to conduct script insertion and SQL injection attacks, and bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/18758/

--
[SA18732] PHP Link Directory ADBdb and PHPMailer Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, Exposure of system information, DoS, System access
Released:    2006-02-06

Mario Oyorzabal Salgado has reported some security issues and vulnerabilities in PHP Link Directory (phpLD2), which can be exploited by malicious people to disclose system information, execute arbitrary SQL code, conduct SQL injection attacks, cause a DoS (Denial of Service), and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18732/

--
[SA18726] PluggedOut Blog Cross-Site Scripting and SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-02-06

Hamid Ebadi has discovered a vulnerability in PluggedOut Blog, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18726/

--
[SA18721] Papoo Username Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-03

Thomas Pollet has reported a vulnerability in Papoo, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/18721/

--
[SA18720] AgileBill ADOdb server.php Insecure Test Script Security Issue

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, System access
Released:    2006-02-06

Secunia Research has discovered a vulnerability in AgileBill, which can be exploited by malicious people to execute arbitrary SQL code and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18720/

--
[SA18715] PHP GEN Unspecified Cross-Site Scripting and SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-02-03

Some vulnerabilities have been reported in PHP GEN, which can be exploited by malicious people to conduct cross-site scripting attacks and potentially conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18715/

--
[SA18704] Thunderbird Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, System access
Released:    2006-02-02

Some vulnerabilities have been reported in Thunderbird, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, potentially disclose sensitive information, and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18704/

--
[SA18754] MyBB "posts" SQL Injection Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-08

imei addmimistrator has discovered a vulnerability in MyBB, which can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18754/

--
[SA18735] Gallery Unspecified Album Data Manipulation Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data, System access
Released:    2006-02-07

A vulnerability has been reported in Gallery, which potentially can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18735/

--
[SA18725] IBM Tivoli Access Manager for e-business "pkmslogout" Directory Traversal

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-02-06

Timothy D. Morgan has reported a vulnerability in IBM Tivoli Access Manager for e-business, which can be exploited by malicious users to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/18725/

--
[SA18711] MediaWiki Edit Comment Formatting Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2006-02-03

A vulnerability has been reported in MediaWiki, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18711/

--
[SA18738] IBM Lotus Domino LDAP Server Denial of Service Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2006-02-07

Evgeny Legerov has discovered a vulnerability in Lotus Domino, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18738/

--
[SA18727] phpBB "gen_rand_string()" Predictable RNG Weakness

Critical:    Not critical
Where:       From remote
Impact:      Manipulation of data, Brute force
Released:    2006-02-07

Chinchilla has reported a weakness in phpBB, which potentially can be exploited by malicious people to change other users' passwords.

Full Advisory:
http://secunia.com/advisories/18727/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support at secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

From isn at c4i.org Fri Feb 10 02:08:20 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 10 Feb 2006 01:08:20 -0600 (CST)
Subject: [ISN] Australia tests cyber-terrorism defences
Message-ID:

Forwarded from: William Knowles

http://www.smh.com.au/news/breaking/australia-tests-cyberterrorism-defences/2006/02/09/1139379611099.html

By Louisa Hearn
February 9, 2006

Australia is today putting its technical armoury through its paces during a one-day exercise aimed at repelling a future cyber-terrorism attack.

Attorney-General Philip Ruddock said the Cyberstorm exercise was aimed at testing both the people and the processes behind Australia's key infrastructure such as transport and emergency services.

"Complex IT systems underpin many areas of our economy and they need to be defended," he said in a statement.

Cyberstorm is part of a larger week-long US-led scenario and is also being run simultaneously today in Canada, the UK, and New Zealand.

A spokesman at the Attorney-General's office said the Australian test scenario centred on a fictional group that was trying to "hack into the transport network and disrupt it for their own political agenda".
Counter-terrorism police, computer emergency response team AusCERT and a number of other departments are all involved in the cyber-attack scenario alongside officials from the defence force, ASIO, transportation and emergency services.

Unlike the US where IT defences will actually be tested out, the Australian side of the operation is purely desk-based. The spokesman said Australian participants were required to liaise with one another to play out the scenario as well as other countries involved in the exercise.

Mr Ruddock described the exercise as a key part of the Australian Government's counter-terrorism strategy and the only way to effectively test systems against theoretical attacks.

"Terrorists are constantly seeking new and innovative ways to attack and disrupt our way of life. By conducting exercises such as these we increase Australia's ability to detect, prevent and respond to cyber attacks," Mr Ruddock said.

The exercise will physically test procedures, communication channels and responses in the event of a cyber attack as well as international communication protocols between countries.

The Australian part of the exercise began this morning and comes amid a week-long exercise being run by the US Department of Homeland Security. It is being run here by GovCERT.au, the body that sets policy for protecting the National Information Infrastructure.

Later in the week, participants in the US scenario will seek to exploit technical vulnerabilities and attempt to unleash chaos onto transport and communications systems.

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred M.
Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Fri Feb 10 02:07:30 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 10 Feb 2006 01:07:30 -0600 (CST)
Subject: [ISN] LayerOne 2006 - Event Update and Announcement
Message-ID:

Forwarded from: Layer One

LayerOne - 2006
April 15-16, 2006
Pasadena Hilton
Pasadena, CA
http://layerone.info

Initial LayerOne speaker line-up

Since the opening of our CFP cycle we have been receiving quite a few papers from a wide background of individuals. Recently we have begun accepting talks for this year's event. There are still a few open speaking slots, but new speakers are being added weekly. If you were thinking of submitting a talk for this year's event, now would be a good time to get it into us!

Currently slated to speak are:

Enno Rey - MPLS/VPLS security
Strom Carlson - Smart Card Insecurities
Datagram - Introduction to Lockpicking
Ken Caruso - The Seattle Wireless Project: 6 Years Later
Valkyrie - Hacking the Regs! Your Guide to HIPAA, SOX, and GLBA
Paul Henry - Anti-Forensics
Dr. Kaos - Anonym.OS

With our current accepted speaker line-up we are already very confident that a wide variety of material will be presented. We have several other speakers that we are in the final phases of accepting, along with one or two still empty slots.

LayerOne Pre-Registration is now open

Pre-registration for this year's LayerOne event is now open. Tickets are available online for $60.00USD through our website. Tickets will also be available at the door, but the cost will be $80.00USD. There is also the chance we will hit maximum occupancy with our pre-registration, in which case tickets will not be available at the door. So, guarantee your seat today by pre-registering.
We also offer group discounts if you are interested in attending with your company, group, LUG, or other user group. Please visit http://layerone.info/prereg.html for more information.

We would also like to thank those that have been supporting us in what we do. Big thanks go out to Shmoocon, Toorcon, LA2600, SCALE, and everyone else who has helped us!

We look forward to seeing you in Pasadena in April!

From isn at c4i.org Fri Feb 10 02:08:36 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 10 Feb 2006 01:08:36 -0600 (CST)
Subject: [ISN] Openness critical for strong security: SATAN author
Message-ID:

http://www.zdnet.com.au/news/security/soa/Openness_critical_for_strong_security_SATAN_author/0,2000061744,39237689,00.htm

By David Braue
ZDNet Australia
10 February 2006

Building secure software doesn't have to be complicated; it just takes a commitment to secure design, and an upfront willingness to work within the unique development environment that is open source.

That was the message from Wietse Venema, a Dutch programmer with IBM who visited Melbourne this week for SECURECon, a three-day technical conference highlighting a range of current security issues and remediation strategies for developers.

Venema, long a figurehead in the open source and Unix worlds, is best known for his creation of Postfix (initially known as Secure Mailer), a widely used e-mail server application that he wrote to improve upon the dominant but flawed SendMail application. Postfix, developed while Venema was on a six-month research stint at IBM, has since become the standard mailer in Mac OS X and numerous versions of Linux.

Even as it continues to evolve today -- the latest version of Postfix was released last month -- the program was significant in that it brought open-source software to the attention of IBM head Lou Gerstner, who in 1998 read a New York Times article on the software and pushed IBM into a formal open-source strategy.
IBM is now one of the major contributors of code to the open-source movement.

Broad distribution and takeup of the software helped Postfix grow from a short-term project into an ongoing effort, and Venema was quick to credit the scores of open-source developers who have continually improved the system's design.

"It's not difficult to build a decent mail system, but it's very easy for people with poorly designed countermeasures to destroy it," he said. "Systems that are not built to be secure will always be like Swiss cheese -- full of holes. You can't make systems secure by just patching the holes."

Venema enjoyed mainstream notoriety in the late 1990s as United States media launched a fire-and-brimstone attack on the PhD-qualified physicist, who partnered with fellow security expert Dan Farmer to release SATAN (Security Administrator Tool for Analyzing Networks). The tool was designed as a strong automated probe for weaknesses in any system it targeted, and histrionic observers believed it would destroy the information economy by giving hackers powerful tools to bring down major Web sites.

Releasing the system was important, Venema decided, because such security problems could only be fixed if they were known about. His own testing of SATAN found that many systems, even those directly connected to secure systems, had vulnerabilities that were open to exploitation.

After inadvertently leaving an early version of SATAN running overnight during its development, Venema found the application had followed a "web of interdependencies" between insecure systems that had taken its probing halfway across the Netherlands.

"I found that even people who were very careful about their systems, like my colleagues, had either file sharing relationships or logging relationships with other systems that were wide open," he recalls. "Basically, nearly every system had a bad neighbour."
Ferreting out these bad neighbours would help everyone concerned, Venema reasoned -- and the eventual release of the open-source SATAN ultimately proved less controversial than expected.

Network administrators "discovered all kinds of stuff they didn't know about," he recalls. "They didn't know there were all these Web servers running on people's machines, or even on machines they didn't know about. At the time, people just didn't scan their systems like that. It used to be that people could get fired for running SATAN, but now they can get fired for not running it."

From isn at c4i.org Fri Feb 10 02:09:35 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 10 Feb 2006 01:09:35 -0600 (CST)
Subject: [ISN] NSPW 2006 Call for Papers
Message-ID:

Forwarded from: John Mcdermott

FOR IMMEDIATE RELEASE

----------

Call for Papers
New Security Paradigms Workshop
Schloss Dagstuhl, Germany
September 18-21, 2006
Submissions due 26 March 2006
http://www.nspw.org

NSPW is a unique workshop that is devoted to the critical examination of new paradigms in security. Each year, since 1995, we examine proposals for new principles upon which information security can be rebuilt from the ground up. We conduct extensive, highly interactive discussions of these proposals, from which we hope both the audience and the authors emerge with a better understanding of the strengths and weaknesses of what has been discussed.

In his seminal book "The Structure of Scientific Revolutions", Thomas Kuhn describes the progress of science as "a series of peaceful interludes punctuated by intellectually violent revolutions." These revolutions, which he called "paradigm shifts", are periods during which "one conceptual world view is replaced by another." A paradigm shift is thus not an incremental contribution to an established branch of science; it is an attempt to replace the fundamental dogma of a branch of science with a different, and completely incompatible, set of core principles.
The New Security Paradigms workshop is dedicated to the proposition that what Kuhn called "anomalies" - signs that the prevailing paradigm can no longer explain phenomena observed in the real world - are already visible in the science of information security, and, indeed, that the anomalies are so obvious and so serious that the prevailing information security paradigm is or soon will be in crisis. NSPW aspires to be the philosophical and intellectual breeding ground from which a revolution in the science of information security will emerge.

We solicit and accept papers on any topic in information security subject to the following caveats:

1) Papers that present a significant shift in thinking about difficult security issues are welcome.
2) Papers that build on a recent shift are also welcome.
3) Contrarian papers that dispute or call into question accepted practice or policy in security are also welcome.
4) We solicit papers that are not technology-centric, including those that deal with public policy issues and those that deal with the psychology and sociology of security theory and practice.
5) We discourage papers that represent established or completed works as well as those that substantially overlap other submitted or published papers.
6) We discourage papers which extend well-established security models with incremental improvements.
7) We encourage a high level of scholarship on the part of contributors. Authors are expected to be aware of related prior work in their topic area, even if it predates Google. In the course of preparing an NSPW paper, it is far better to read an original source than to cite a textbook interpretation of it.

Our program committee particularly looks for new paradigms, innovative approaches to older problems, early thinking on new topics, and controversial issues that might not make it into other conferences but deserve to have their try at shaking and breaking the mold.
Participation in the workshop is limited to authors of accepted papers and conference organizers. Each paper is typically the focus of 45 to 60 minutes of presentation and discussion. Prospective authors are encouraged to submit ideas that might be considered risky in some other forum, and all participants are charged with providing feedback in a constructive manner. The resulting intensive brainstorming has proved to be an excellent medium for furthering the development of these ideas. The proceedings, which are published after the workshop, have consistently benefited from the inclusion of workshop feedback.

We welcome three categories of submission:

1) Research papers. These should be of a length commensurate with the novelty of the paradigm and the amount of novel material that the reviewer must assimilate in order to evaluate it.
2) Position papers. These should be 5 - 10 pages in length and should espouse a well-reasoned and carefully documented position on a security related topic that merits challenge and/or discussion.
3) Discussion topic proposals. Discussion topic proposals should include an in-depth description of the topic to be discussed, a convincing argument that the topic will lead to a lively discussion, and supporting materials that can aid in the evaluation of the proposal. The latter may include the credentials of the proposed discussants. Discussion topic proposers may want to consider involving conference organizers or previous attendees in their proposals.

Submissions must include the following:

1) The submission in PDF format, viewable by Adobe Acrobat reader.
2) A justification for inclusion in NSPW. Specify the category of your submission and describe, in one page or less, why your submission is appropriate for the New Security Paradigms Workshop.
A good justification will describe the new paradigm being proposed, explain how it departs from existing theory or practice, and identify those aspects of the status quo it challenges or rejects. The justification is a major factor in determining acceptance.
3) An Attendance Statement specifying how many authors wish to attend the workshop. Accepted papers require the attendance of at least one author for the entire duration of the workshop. Attendance is limited, and we cannot guarantee space for more than one author.

No submission may have been published elsewhere nor may a similar submission be under consideration for publication or presentation in any other forum during the NSPW review process.

The submission deadline is Monday, 26 March 2006. Notification of acceptance will be Monday, 28 May, 2006. Workshop proceedings will be published by the ACM and put in the ACM digital library.

In order to ensure that all papers receive equally strong feedback, all attendees are expected to stay for the entire duration of the workshop. We expect to offer a limited amount of financial aid to those who require it.

See http://www.nspw.org for details of the workshop policies and for submission procedures.

From isn at c4i.org Fri Feb 10 02:11:11 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 10 Feb 2006 01:11:11 -0600 (CST)
Subject: [ISN] Hacker showcase this weekend in San Francisco
Message-ID:

http://www.linuxdevices.com/news/NS8540785603.html

Feb. 09, 2006

An event showcasing cutting-edge applications will take place this weekend in San Francisco. The fifth annual CodeCon event features presentations from developers of interesting, innovative real-world applications, and is set to run from Friday, Feb. 10 through Sunday, Feb. 12.

CodeCon was started in 2002 by BitTorrent author Bram Cohen and Len Sassaman, author of the Mixmaster anonymous remailer.
The event is sponsored in part by independent book publisher No Starch Press, which has offered Linux-related titles for more than a decade.

Organizers say CodeCon offers a "prescient look at the direction of technology." All presenters are project developers, and each presentation includes a functional demo.

Presentations include:

* Lance James, on Daylight Fraud-Prevention (DFP), an anti-phishing program based on real-time web-based forensics
* Daniel S. Wilkerson and Scott McPeak on the Delta interestingness minimizer
* Todd Davies, on the Deme group discussion platform
* Quinn Weaver, on the Dido perl-based voice menu platform
* Robert J. Hansen, on the Djinni unsolvable problem answer approximator
* Daniel S. Wilkerson, on the Elsa/Oink/Cqual++ C/C++ program dataflow analyzer
* David Barrett, on the iGlance push-to-talk videoconferencing and screen-sharing software
* Aaron Harwood, on Localhost P2P software
* Nathaniel Smith, on the Monotone version control system
* Michael J. Freedman, on the OASIS locality aware server selection infrastructure for content distribution systems
* Meredith L. Patterson, on Query by Example, a collection of data mining operations for PostgreSQL
* Joe Stewart, on the Truman behavioral malware sandnet
* Adam Sourzis, on the Rhizome application stack for rapid semantic-web development
* Tom Pinckney, on the SiteAdvisor scam-finding web crawler
* Dimitris Vyzovitis and Ilia Mirkin on VidTorrent/Peers, a scalable real-time P2P streaming protocol

The fifth-annual CodeCon will be held South of the Slot, at StudioZ [1]. Tickets cost $85 at the door. Additional details can be found here [2].
[1] http://www.studioz.tv/
[2] http://www.codecon.org/

From isn at c4i.org Mon Feb 13 01:47:58 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 13 Feb 2006 00:47:58 -0600 (CST)
Subject: [ISN] Islamist hackers attack Danish sites
Message-ID:

http://www.theregister.co.uk/2006/02/09/islamic_defacement_protests/

By John Leyden
9th February 2006

Protests over cartoon images of the prophet Mohammed have spilled onto cyberspace with a series of attacks against Danish and other western websites.

Islamist ire over the publication of the "satiric pictures" portraying the prophet Mohammed, first published in Danish newspaper Jyllands-Posten, has resulted in 1,000 attacks against web servers, according [1] to defacement archive Zone-H. Danish sites have copped the majority of attacks, but the barrage of assaults has also hit Israeli and other western web servers.

Hacker groups from different Muslim nations have united in attacks that promote both moderate and extremist manifestos. Some defacements promote a boycott against Danish products, while others (such as those by the self-styled IIB - Internet Islamic Brigades) threaten suicide bombing attacks on Denmark.

The number of politically motivated attacks against Danish servers gives a small measure of the strength of feeling over the issue. Violence during demonstrations over the issue has claimed 10 lives in Afghanistan and elsewhere in the Muslim world.

[1] http://www.zone-h.org/en/news/read/id=205987

From isn at c4i.org Mon Feb 13 01:48:26 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 13 Feb 2006 00:48:26 -0600 (CST)
Subject: [ISN] AT&T sues small nonprofit company for hacking fees that trace back to it
Message-ID:

http://www.sltrib.com/business/ci_3489614

By Bob Mims
The Salt Lake Tribune
02/09/2006

AT&T Inc. raked in nearly $44 billion in revenues last year, and paid chairman and CEO Edward E. Whitacre Jr. $8.34 million in salary.
Whitacre makes $340,000 more a year than the entire $8 million annual budget of HealthInsight, a Salt Lake City-based, 60-employee, nonprofit organization AT&T is suing in U.S. District Court.

At issue: more than $25,500 in telephone charges the telecommunications giant acknowledges an unidentified hacker or hackers piled up, but for which it holds the hacker's victim, HealthInsight, responsible.

"We've had some discussions with AT&T, but have been unable to resolve this," HealthInsight President and CEO Marc Bennett said Wednesday. "We don't believe we or any company should be responsible for calls we didn't make."

AT&T, through its Logan attorneys Todd Turnblom and John Bailey, contends HealthInsight's security measures were inadequate. Further, the telecom says it warned HealthInsight three times that its system was being used to make unauthorized domestic and foreign calls, but the nonprofit failed to act.

HealthInsight - which normally has less than $700 in long-distance fees for its Utah and Nevada operations combined - was billed for the $25,554.52 in unauthorized charges racked up on March 11, 2005. The hacker or hackers are thought to have gained access to AT&T's long-distance services through HealthInsight's toll-free line, voice mail and other systems.

AT&T seeks the amount it says remains owed, plus interest, along with court and attorney fees to be determined at trial.

Bennett stands by his staff's telecommunications security efforts, arguing that anyone can become the victim of a hacker, regardless of taking standard precautions. "We had what we were told were reasonable security measures in place," he said.

HealthInsight, which splits its work among 40 Utah and 20 Nevada employees, advises health care providers on Medicare and Medicaid matters, and helps coordinate national programs aimed at improving care for diabetes, heart disease and stroke patients.
From isn at c4i.org Mon Feb 13 01:47:26 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 13 Feb 2006 00:47:26 -0600 (CST)
Subject: [ISN] Microsoft plans to release seven patches next week
Message-ID:

http://www.computerworld.com/securitytopics/security/holes/story/0,10801,108531,00.html

By Elizabeth Montalbano
FEBRUARY 09, 2006
IDG NEWS SERVICE

Microsoft Corp. on Tuesday plans to release seven patches for several of its software products, including at least two critical updates for known vulnerabilities, according to the company's monthly security update.

Microsoft plans to release one critical patch for Microsoft Windows Media Player; four patches for Windows, at least one of which is critical; one security update rated as "important" for both Windows and Microsoft Office; and another update rated as important for Office. More information about the security updates can be found on the company's TechNet site [1].

Microsoft releases security updates for its software products on the second Tuesday of every month, a day that has become known as "patch Tuesday" by security experts.

While the Windows Media Player update will not require a restart, the Windows patches and at least one of the Office patches will require the OS to be rebooted before they are applied, according to the site. All of the updates will be detectable using Microsoft's Baseline Security Analyzer tool, and the Windows Media Player patch can be detected through Microsoft's Enterprise Scanning Tool, the company said.

Also on Tuesday, Microsoft plans to release an updated version of its Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center.

Microsoft will host a webcast to discuss the security updates on Wednesday at 11:00 a.m. Pacific Standard Time. More information about the webcast can be found on the company's site [2].
[1] http://www.microsoft.com/technet/security/bulletin/advance.mspx
[2] http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032288940&EventCategory=4&culture=en-US&CountryCode=US

From isn at c4i.org Mon Feb 13 01:47:40 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 13 Feb 2006 00:47:40 -0600 (CST)
Subject: [ISN] Software Fix Readied for BlackBerrys
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2006/02/09/AR2006020900576.html

By Yuki Noguchi
Washington Post Staff Writer
February 10, 2006

The company that makes BlackBerry devices said it has completed development of software that will allow its wireless e-mail to continue functioning even if a court orders the service shut down in a patent dispute.

The announcement from Research in Motion Ltd., the Canadian company that started selling the popular BlackBerry in 1999, comes less than two weeks before a federal district court hearing. The court has already found that RIM violated patents held by NTP Inc. of McLean, and analysts expect the judge to issue an injunction ordering RIM to cease operations in the United States. That would cause most of the 4 million BlackBerry users in the United States to lose service unless the company can implement the substitute software or the two sides can reach a settlement.

RIM said the new BlackBerry software will be available for later download on its Web site and must be installed on customers' e-mail servers as well as each handheld device. The software will not change the appearance or function of existing devices, but its underlying system, RIM contends, is different than NTP's and does not violate any patents.

Whether that contention holds up remains to be seen, said Alexandria patent attorney Susan Dadio. "From a technology perspective, whether it's truly a workaround is still a question," because it hasn't met NTP or other patent reviewers' scrutiny, she said. "They have not hit a home run."
Information-technology officials were reluctant to react to yesterday's announcement because RIM did not release details about the software. Many companies have invested heavily in equipping staff members with BlackBerrys and in synchronizing office e-mail servers with them, so they have a financial incentive to stick with the devices.

RIM said it thinks any injunction, if issued, should not affect existing users, who may not have to download the software. The company said its fix can be remotely activated on BlackBerrys already in use.

Kevin Anderson, an attorney for NTP, said the company had not reviewed RIM's proposed software solution and could not comment on whether it would continue to violate NTP's patents.

A spokeswoman for RIM said the company had not been contacted by customers about implementing a download and declined to estimate when the software would become available.

The companies have been locked in litigation for more than four years, and RIM has disputed the validity of NTP's patents but has lost every battle in court. In 2002, the company was ordered by a jury to pay royalties that now total more than $250 million. Last fall, the U.S. district judge said he would not delay an injunction. And most recently, RIM was denied an appeal of its case to the Supreme Court.

In a news release yesterday, RIM maintained that an injunction is not warranted and noted that recent reviews at the U.S. Patent and Trademark Office found that NTP's original patents may not be valid -- a finding NTP could still appeal. RIM is hoping the judge will take the reviews into consideration at the Feb. 24 hearing.

Meanwhile, the companies both say they are open to settlement and licensing agreements. But yesterday, RIM chairman and chief executive Jim Balsillie said in a statement that "NTP's public offer of a 'reasonable' license . . . is simply untenable."

Anderson, NTP's attorney, said, "Their characterization is simply wrong."

©
2006 The Washington Post Company

From isn at c4i.org Mon Feb 13 01:48:55 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 13 Feb 2006 00:48:55 -0600 (CST)
Subject: [ISN] Linux Advisory Watch - February 10th 2006
Message-ID:

+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter                                 |
| February 10th, 2006                           Volume 7, Number 6a   |
+---------------------------------------------------------------------+

Editors: Dave Wreski (dave at linuxsecurity.com), Benjamin D. Thomas (ben at linuxsecurity.com)

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week advisories were released for mydns, gnocatan, ipsec-tools, adzapper, mozilla, firefox, audit, unzip, Fedora kernel, GPdf, libextractor, LibAST, gallery, ADOdb, apache, poppler, kdegraphics, xpdf, openoffice, openssh, php, and groff. The distributors include Debian, Fedora, Gentoo, Mandriva, and Red Hat.

----

Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/linsec

----

EnGarde Secure Community 3.0.4 Released

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.4 (Version 3.0, Release 4). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation.
The following reported bugs from bugs.engardelinux.org are fixed in this release:

#0000048 The WebTool 'named' module does not check for duplicate zones
#0000047 Nagios localhost ping test bug
#0000045 SSH cannot create /root/.ssh directory as sysadm_r
#0000042 Postfix-2.2.7's broken firewall workaround has problems - ...
#0000041 Apache cannot talk to the MySQL socket.
#0000039 Unable to mount /home at boot in EnGarde 3.0.3
#0000038 Webtool automatically sets SELinux to Enforcing, even if ...
#0000037 Support for PgSQL via WebTool
#0000036 UPS - fails to work with selinux enabled
#0000035 "postfix reload" fails when run by sysadm_r with selinux ...
#0000034 tcpdump fails with selinux enabled

Several other bugs are fixed in this release as well.

New features include:

* A new GDSN Package Management Interface in the Guardian Digital WebTool which allows you to easily browse and install packages from the EnGarde Secure Linux package archives.

* A new Spanish (Español) translation of the Guardian Digital WebTool, courtesy of Joe Rodiguez Jr. To use this translation go into the WebTool Configuration module, click on your username (normally 'admin'), and select Español from the drop-down.

* New Guardian Digital WebTool modules for DHCP and UPS services. The DHCP (Dynamic Host Configuration Protocol) module allows you to run a DHCP server on your EnGarde Secure Linux machine. The UPS (Uninterruptible Power Supply) module allows you to configure and monitor a UPS connected to your EnGarde Secure Linux machine and to act as a server for other machines connected to the same UPS.

* The latest stable versions of MySQL (5.0.18), fetchmail (6.3.2), iptables (1.3.5), mrtg (2.13.1), nmap (4.00), openssh (4.3p1), php (4.4.2), and postfix (2.2.8).

* Several new installable packages such as amavisd-new (2.3.3), clamav (0.88), nagios (1.3), nagios-plugins (1.4.2), nrpe (2.0), postgresql (8.1.1), spamassassin, and many, many new Perl modules.
We're also happy to announce the availability of the following HOWTOs:

* Installing Joomla! on EnGarde Secure Linux HOWTO
* Installing PHPMyAdmin on EnGarde Secure Linux HOWTO
* Installing PHP Applications on EnGarde Secure Linux HOWTO
* Installing SpamAssassin, ClamAV and Amavisd-new on EnGarde HOWTO
* Installing Squirrelmail on EnGarde Secure Linux HOWTO

All new users downloading EnGarde Secure Linux for the first time or users who use the LiveCD environment should download this release. Users who are currently using EnGarde Secure Linux do not need to download this release -- they can update their machines via the Guardian Digital Secure Network WebTool module.

Read Entire Article:
http://www.linuxsecurity.com/content/view/121560/65/

----------------------

EnGarde Secure Community 3.0.3 Released

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.3 (Version 3.0, Release 3). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool, the SELinux policy, and the LiveCD environment.

http://www.linuxsecurity.com/content/view/121150/65/

---

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.
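As an added illustration (not code from the LinuxSecurity article or the newsletter), the following C program models the spill-over described above: two adjacent fixed-size buffers laid out in one byte arena, an unchecked copy whose excess bytes land in the neighbouring buffer, and the bounded copy that checks the length against the destination's capacity first. Buffer names, sizes and the sample inputs are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Two adjacent fixed-size buffers modelled as one byte arena:
 * bytes [0, NAME_SIZE) hold a name, bytes [NAME_SIZE, ARENA_SIZE) hold
 * neighbouring data (in a real program: a counter, a flag, a pointer).
 * Keeping both inside one array makes the spill-over deterministic and
 * keeps this demonstration within defined behaviour.
 * Names, sizes and inputs are constructed for this example.
 */
#define NAME_SIZE      8
#define NEIGHBOUR_SIZE 4
#define ARENA_SIZE     (NAME_SIZE + NEIGHBOUR_SIZE)

struct arena {
    uint8_t bytes[ARENA_SIZE];
};

/* Value the neighbouring buffer is expected to keep. */
static const uint8_t NEIGHBOUR_ORIGINAL[NEIGHBOUR_SIZE] = { 0x01, 0x02, 0x03, 0x04 };

/* Constructed input: 12 bytes, four more than the name buffer holds. */
static const uint8_t OVERSIZE_INPUT[12] = {
    'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'B', 'B', 'B', 'B'
};
/* Constructed input that fits: 5 bytes. */
static const uint8_t FITTING_INPUT[5] = { 'a', 'l', 'i', 'c', 'e' };

static void arena_init(struct arena *a)
{
    memset(a->bytes, 0, NAME_SIZE);
    memcpy(a->bytes + NAME_SIZE, NEIGHBOUR_ORIGINAL, NEIGHBOUR_SIZE);
}

/* Does the neighbouring buffer still hold its original bytes? */
static bool neighbour_intact(const struct arena *a)
{
    return memcmp(a->bytes + NAME_SIZE, NEIGHBOUR_ORIGINAL, NEIGHBOUR_SIZE) == 0;
}

/*
 * The defect: len is never compared with NAME_SIZE, so every byte past
 * the eighth lands in the neighbouring buffer. The arena-size clamp only
 * keeps this demo inside the array; it is not a fix, because the
 * neighbour has already been overwritten by the time it matters.
 */
static void copy_name_unchecked(struct arena *a, const uint8_t *src, size_t len)
{
    if (len > ARENA_SIZE)
        len = ARENA_SIZE;
    memcpy(a->bytes, src, len);
}

/*
 * The fix: check the length against the destination's capacity before
 * copying, and refuse (rather than silently truncate) input that does
 * not fit, so the caller can log or reject the oversized value.
 */
static bool copy_name_bounded(struct arena *a, const uint8_t *src, size_t len)
{
    if (len > NAME_SIZE)
        return false;   /* nothing written, neighbour untouched */
    memset(a->bytes, 0, NAME_SIZE);
    memcpy(a->bytes, src, len);
    return true;
}

/* Oversize input through the unchecked copy: true if the neighbour was corrupted. */
static bool unchecked_copy_corrupts_neighbour(void)
{
    struct arena a;
    arena_init(&a);
    copy_name_unchecked(&a, OVERSIZE_INPUT, sizeof OVERSIZE_INPUT);
    return !neighbour_intact(&a);
}

/* Same input through the bounded copy: true if rejected and the neighbour survived. */
static bool bounded_copy_protects_neighbour(void)
{
    struct arena a;
    arena_init(&a);
    bool accepted = copy_name_bounded(&a, OVERSIZE_INPUT, sizeof OVERSIZE_INPUT);
    return !accepted && neighbour_intact(&a);
}

/* The bounded copy still accepts input that fits and stores it correctly. */
static bool bounded_copy_accepts_fitting_input(void)
{
    struct arena a;
    arena_init(&a);
    bool accepted = copy_name_bounded(&a, FITTING_INPUT, sizeof FITTING_INPUT);
    return accepted && neighbour_intact(&a)
        && memcmp(a.bytes, FITTING_INPUT, sizeof FITTING_INPUT) == 0;
}

int main(void)
{
    printf("unchecked copy corrupts neighbour:  %s\n", unchecked_copy_corrupts_neighbour() ? "yes" : "no");
    printf("bounded copy protects neighbour:    %s\n", bounded_copy_protects_neighbour() ? "yes" : "no");
    printf("bounded copy accepts fitting input: %s\n", bounded_copy_accepts_fitting_input() ? "yes" : "no");
    return 0;
}
```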
http://www.linuxsecurity.com/content/view/119087/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
| Distribution: Debian            | ----------------------------//
+---------------------------------+

* Debian: New mydns packages fix denial of service
  2nd, February, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121475

* Debian: New gnocatan packages fix denial of service
  3rd, February, 2006
  A problem has been discovered in gnocatan, the computer version of the Settlers of Catan board game, that can cause the server and other clients to exit via an assert; it does not permit the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/121506

* Debian: New ipsec-tools packages fix denial of service
  6th, February, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121534

* Debian: New adzapper packages fix denial of service
  9th, February, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121573

+---------------------------------+
| Distribution: Fedora            | ----------------------------//
+---------------------------------+

* Fedora Core 4 Update: mozilla-1.7.12-1.5.2
  2nd, February, 2006
  Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Igor Bukanov discovered a bug in the way Mozilla's JavaScript interpreter dereferences objects. If a user visits a malicious web page, Mozilla could crash or execute arbitrary code as the user running Mozilla. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0292 to this issue.
  http://www.linuxsecurity.com/content/view/121496

* Fedora Core 4 Update: firefox-1.0.7-1.2.fc4
  2nd, February, 2006
  Mozilla Firefox is an open source Web browser. Igor Bukanov discovered a bug in the way Firefox's JavaScript interpreter dereferences objects.
  If a user visits a malicious web page, Firefox could crash or execute arbitrary code as the user running Firefox. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0292 to this issue.
  http://www.linuxsecurity.com/content/view/121497

* Fedora Core 4 Update: audit-1.0.13-1.fc4
  3rd, February, 2006
  This release backports some bugfixes and enhancements from the current devel branch.
  http://www.linuxsecurity.com/content/view/121530

* Fedora Core 4 Update: unzip-5.51-13.fc4
  6th, February, 2006
  This update fixes several vulnerabilities in the unzip utility.
  http://www.linuxsecurity.com/content/view/121547

* Fedora Core 4 Update: kernel-2.6.15-1.1831_FC4
  7th, February, 2006
  This update fixes a remotely exploitable denial of service attack in the icmp networking code (CVE-2006-0454). An information leak has also been fixed (CVE-2006-0095), and some debugging patches that had accidentally been left applied in the previous update have been removed, restoring the functionality of the 'quiet' argument.

  http://www.linuxsecurity.com/content/view/121561

* Fedora Core 4 Update: audit-1.0.14-1.fc4
  8th, February, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121571

+---------------------------------+
| Distribution: Gentoo            | ----------------------------//
+---------------------------------+

* Gentoo: GStreamer FFmpeg plugin Heap-based buffer overflow
  5th, February, 2006
  The GStreamer FFmpeg plugin is vulnerable to a buffer overflow that may be exploited by attackers to execute arbitrary code.
  http://www.linuxsecurity.com/content/view/121532

* Gentoo: Paros Default administrator password
  6th, February, 2006
  Paros's database component is installed without a password, allowing execution of arbitrary system commands.
  http://www.linuxsecurity.com/content/view/121541

* Gentoo: Xpdf, Poppler, GPdf, libextractor, pdftohtml Heap overflows
  6th, February, 2006
  Xpdf, Poppler, GPdf, libextractor and pdftohtml are vulnerable to integer overflows that may be exploited to execute arbitrary code.
  http://www.linuxsecurity.com/content/view/121542

* Gentoo: MyDNS Denial of Service
  6th, February, 2006
  MyDNS contains a vulnerability that may lead to a Denial of Service attack.
  http://www.linuxsecurity.com/content/view/121543

* Gentoo: LibAST Privilege escalation
  6th, February, 2006
  A buffer overflow in LibAST may result in execution of arbitrary code with escalated privileges.
  http://www.linuxsecurity.com/content/view/121544

* Gentoo: Gallery Cross-site scripting vulnerability
  6th, February, 2006
  Gallery is possibly vulnerable to a cross-site scripting attack that could allow arbitrary JavaScript code execution.
  http://www.linuxsecurity.com/content/view/121545

* Gentoo: ADOdb PostgreSQL command injection
  6th, February, 2006
  ADOdb is vulnerable to SQL injection if used in conjunction with a PostgreSQL database.
  http://www.linuxsecurity.com/content/view/121548

* Gentoo: Apache Multiple vulnerabilities
  6th, February, 2006
  Apache can be exploited for cross-site scripting attacks and is vulnerable to a Denial of Service attack.
  http://www.linuxsecurity.com/content/view/121549

+---------------------------------+
| Distribution: Mandriva          | ----------------------------//
+---------------------------------+

* Mandriva: Updated libast packages fix buffer overflow vulnerability
  2nd, February, 2006
  Buffer overflow in Library of Assorted Spiffy Things (LibAST) 0.6.1 and earlier, as used in Eterm and possibly other software, allows local users to execute arbitrary code as the utmp user via a long -X argument. The updated packages have been patched to correct this issue.
  http://www.linuxsecurity.com/content/view/121491

* Mandriva: Updated poppler packages fix heap-based buffer overflow vulnerability
  2nd, February, 2006
  Heap-based buffer overflow in Splash.cc in xpdf allows attackers to cause a denial of service and possibly execute arbitrary code via crafted splash images that produce certain values that exceed the width or height of the associated bitmap. Poppler uses a copy of the xpdf code and as such has the same issues. The updated packages have been patched to correct this issue.
  http://www.linuxsecurity.com/content/view/121492

* Mandriva: Updated kdegraphics packages fix heap-based buffer overflow vulnerability
  2nd, February, 2006
  Heap-based buffer overflow in Splash.cc in xpdf allows attackers to cause a denial of service and possibly execute arbitrary code via crafted splash images that produce certain values that exceed the width or height of the associated bitmap. Kdegraphics-kpdf uses a copy of the xpdf code and as such has the same issues. The updated packages have been patched to correct this issue.
  http://www.linuxsecurity.com/content/view/121493

* Mandriva: Updated xpdf packages fix heap-based buffer overflow vulnerability
  2nd, February, 2006
  Heap-based buffer overflow in Splash.cc in xpdf allows attackers to cause a denial of service and possibly execute arbitrary code via crafted splash images that produce certain values that exceed the width or height of the associated bitmap. The updated packages have been patched to correct this issue.
  http://www.linuxsecurity.com/content/view/121494

* Mandriva: Updated OpenOffice.org packages fix issue with disabled hyperlinks
  2nd, February, 2006
  OpenOffice.org 2.0 and earlier, when hyperlinks have been disabled, does not prevent the user from clicking the WWW-browser button in the Hyperlink dialog, which makes it easier for attackers to trick the user into bypassing intended security settings. Updated packages are patched to address this issue.
  http://www.linuxsecurity.com/content/view/121495

* Mandriva: Updated openssh packages fix vulnerability
  6th, February, 2006
  A flaw was discovered in the scp local-to-local copy implementation where filenames that contain shell metacharacters or spaces are expanded twice, which could lead to the execution of arbitrary commands if a local user could be tricked into scp'ing a specially crafted filename.
  http://www.linuxsecurity.com/content/view/121550

* Mandriva: Updated php packages fix vulnerability
  7th, February, 2006
  A flaw in the PHP gd extension in versions prior to 4.4.1 could allow a remote attacker to bypass safe_mode and open_basedir restrictions via unknown attack vectors. The updated packages have been patched to correct this issue.
  http://www.linuxsecurity.com/content/view/121562

* Mandriva: Updated mozilla packages to address DoS vulnerability
  7th, February, 2006
  Mozilla and Mozilla Firefox allow remote attackers to cause a denial of service (CPU consumption and delayed application startup) via a web site with a large title, which is recorded in history.dat but not processed efficiently during startup. (CVE-2005-4134) The JavaScript interpreter (jsinterp.c) in Mozilla and Firefox before 1.5.1 does not properly dereference objects, which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via unknown attack vectors related to garbage collection.
  http://www.linuxsecurity.com/content/view/121563

* Mandriva: Updated mozilla-firefox packages to address DoS vulnerability
  7th, February, 2006
  Mozilla and Mozilla Firefox allow remote attackers to cause a denial of service (CPU consumption and delayed application startup) via a web site with a large title, which is recorded in history.dat but not processed efficiently during startup.
  http://www.linuxsecurity.com/content/view/121564

* Mandriva: Updated groff packages fix temporary file vulnerabilities
  8th, February, 2006
  The Trustix Secure Linux team discovered a vulnerability in the groffer utility, part of the groff package. It created a temporary directory in an insecure way, which allowed a race condition to be exploited to create or overwrite files with the privileges of the user invoking groffer.
  http://www.linuxsecurity.com/content/view/121572

+---------------------------------+
| Distribution: Red Hat           | ----------------------------//
+---------------------------------+

* RedHat: Critical: mozilla security update
  2nd, February, 2006
  Updated mozilla packages that fix several security bugs are now available. This update has been rated as having critical security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/121482

* RedHat: Critical: firefox security update
  2nd, February, 2006
  An updated firefox package that fixes several security bugs is now available. This update has been rated as having critical security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/121483

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Feb 13 01:49:11 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 13 Feb 2006 00:49:11 -0600 (CST) Subject: [ISN] DHS evaluates global cybersecurity exercise Message-ID: http://www.fcw.com/article92302-02-10-06-Web By Dibya Sarkar Feb. 10, 2006 Homeland Security Department officials offered no results or findings from a recently concluded, globally coordinated cybersecurity exercise, but they will begin examining data with the intent of issuing a report this summer. The full-scale exercise, Cyber Storm, was conducted from Feb. 6-10 and involved 115 public, private and international agencies. It examined the response, coordination, and recovery processes and procedures to a simulated cyberattack against critical infrastructures. The federal government has been involved in previous simulated cybersecurity exercises but not on this scale. The purpose of the exercise was not to see how a simulated attack would affect systems. Industry and government officials said it was necessary to see how well organizations worked together in terms of communicating information and responding appropriately to an attack.
George Foresman, undersecretary at DHS' Preparedness Directorate, said Cyber Storm was a way to "create a symphony of preparedness," with the department acting as a musical conductor leading participating agencies that acted as musicians. At a press conference today, Foresman said DHS' role is to coordinate the public and private sectors' responses to an actual attack through a common approach. Several state and industry officials who attended the press conference said they were pleased with the exercise and that it was a major step toward addressing cybersecurity on a national scale. However, officials did not provide any details regarding strengths or weaknesses found. They said they will study the analysis before providing any results. DHS officials said the scripted scenario was conducted in a closed environment through Secret Service headquarters in Washington, D.C., and did not include any attacks against real-world systems. Andy Purdy, acting director of DHS' National Cyber Security Division, said the department has two overarching priorities. One is to build an effective cybersecurity response system. The other is to build a program for infrastructure protection. Results of the exercise could affect the National Response Plan and other plans designed to improve national coordination to a cyberattack and disruption. Cybersecurity experts have said the federal government has been slow to address the issue comprehensively. But government officials and company representatives who participated in Cyber Storm said federal officials are working more closely with private- and public-sector officials on a grass-roots level than ever before. William Pelgrin, director of New York state's Cybersecurity and Critical Infrastructure Coordination Office and head of the Multi-State Information Sharing and Analysis Center (ISAC), said his agency and ISAC have been working with DHS officials on the issue for three years. 
The two groups have been pleased with the guidance they've received, he added. However, two weeks ago, the National Association of State Chief Information Officers released a survey indicating that the federal government needs to provide more education, training and money to help state and local officials promptly deal with cybersecurity issues. DHS is willing to be "coach and mentor" to state and local officials, but ultimately it's the responsibility of states and localities to "push the ball down the road," Foresman said. Pelgrin said ISAC and DHS are working on guidelines, including suggestions for education and awareness, that local governments can use to help with their day-to-day cybersecurity activities. Several representatives of companies that participated in Cyber Storm said they will also evaluate how their companies fared in coordination and response to the exercise. In addition to DHS, participating federal agencies included the Justice, Commerce, Energy, Defense, Treasury and State departments; the CIA; the National Security Agency; the National Security Council; and the Homeland Security Council. All 50 states also participated in the exercise. Officials from Canada, Australia, the United Kingdom and New Zealand participated. Several companies, including Computer Associates, Intel, Microsoft, VeriSign, Symantec, McAfee and Citadel, participated as well.
From isn at c4i.org Mon Feb 13 01:50:11 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 13 Feb 2006 00:50:11 -0600 (CST) Subject: [ISN] Turn security rhetoric into action, Oracle warns Message-ID: http://www.zdnet.com.au/news/security/soa/Turn_security_rhetoric_into_action_Oracle_warns/0,2000061744,39237971,00.htm By David Braue ZDNet Australia 13 February 2006 Every software developer likes to believe he or she is committed to application security -- but senior managers need to put their money where their mouths are to turn security rhetoric into action, a senior development manager at Oracle Corporation has told more than 200 delegates at the SECURECon security conference in Melbourne. As senior principal program manager with Oracle, Evelyn Sell's role includes the supervision of part of Oracle's massive fleet of developers. In her experience, a variety of common and preventable factors -- ranging from developer laziness and ignorance of security issues, through to a lack of developer accountability, expectations that coders produce large volumes of code to strict timelines, and overall time-to-market issues -- often cause the security problems that explode into much bigger issues when they're let loose into the field. Particularly in companies producing commercial software, blame can be traced to managers that maintain high expectations of coders but don't provide enough training to ensure adequate application security. "I am blown away by the billions of dollars that is invested in security [fixes] for something that really should be second nature," Sell explained. "It's very important to build in security up front." Once code is complete, fixing the problem can often be much more difficult -- and far more expensive -- than getting it right in the first place. 
Customers build their own code on top of platforms like Oracle's database and business applications, and even a small security fix can potentially break all sorts of related, interdependent applications. That means security remediation must involve slow movement and extensive testing -- something, Sell admitted, that can be hard given commercial pressure to get products or bug fixes out the door quickly. Sell described Oracle's four-pronged secure development strategy, which is encompassed in a "large, living document" that is constantly upgraded with new knowledge gained from the company's many development teams. Regular analysis of the document reveals common themes that drive future investment. For example, Oracle recently responded to a perceived lack of security coding skills by introducing several mandatory online training modules on secure coding practices; developers that fall short of the 80 percent pass mark are reported to managers for more intensive training. The company also uses a formal product security checklist that is regularly reviewed and used to drive frequent development team meetings. Prescriptive lists of acceptable tools, for applications such as cryptography and random number generation, aim to keep developers from rolling their own or using insecure code from elsewhere. An internal 'tiger team' of security experts constantly pounds Oracle code to identify potential problems before the code ships. This may all sound like a bit much to organise for many managers. However, attention to the other presenters at SECURECon would quickly disabuse complacent managers of the idea that security is optional. Presenters at this year's conference -- the fourth in the Melbourne University-organised event's history, combining two days of presentations with a full day of hands-on 'hackathons' -- discussed both the security of various common technologies, and how to bypass them. 
Security specialist Chris Spencer highlighted techniques for exploiting buffer overflow problems in Windows, as well as discussing ways to circumvent buffer overflow protections built into Windows XP SP2. A Microsoft IT Pro Evangelist shared techniques for hardening Windows Server 2003 SP1, while penetration testing expert Cédric Blancher highlighted the inherent lack of security of most WiFi networks and devices. Other sessions delved into security in Mac OS X, Cisco routers, Unix servers, Apache Web servers, digital rights management (DRM) technologies, and identity-based user authentication. Well-known US-based IBM developer Wietse Venema discussed his development of the secure and widely used Postfix e-mail server. Although primarily intended for developers, the content of SECURECon nonetheless resonates for all business managers. Ultimately, they need to understand that code security must trump even commercially imposed deadlines; one major release of Oracle software was held up for more than two weeks while developers resolved a bug they'd identified. That's the kind of delay that gives marketing executives palpitations, but Sell believes that it's ultimately easy to argue the value of good security in terms even managers understand. "All you need to do is show management the fallout line and let them know what [less than optimal security practices] are actually costing them," she said. "This is a small expense compared with the millions of dollars each individual security bug can cost a company. When you talk about the bottom line, all you really need to do is to show management how much less it would cost if they can drop the number of security vulnerabilities shipping in the products." From isn at c4i.org Tue Feb 14 01:38:47 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 14 Feb 2006 00:38:47 -0600 (CST) Subject: [ISN] How secure is VoIP? Message-ID: http://www.mercurynews.com/mld/mercurynews/13859672.htm By Jessie Seyfer Mercury News Feb. 
13, 2006 The allure of Internet phone calling is understandable -- dirt-cheap calls to anywhere in the world, sound quality that's at times superior to the traditional land-line and the ability to take your phone number with you when you travel. But, buyer beware. These calls are just like any other form of digital communication, like e-mail, which can be hacked, spammed and saved on servers. While Internet calling programs from Skype and Vonage to Google and Yahoo are getting more and more popular, security experts warn that they're not as secure as your traditional land-line. ``Lots of people are ignoring the risks about it,'' said Rodney Thayer, a Mountain View security consultant. ``Sometimes there's absolutely no encryption. Someone could listen to your conversation. It's not clear that these services have been hardened so that no inappropriate activity could take place.'' Thayer is one of several experts who will be in San Jose this week for the RSA Conference at the McEnery Convention Center, which highlights just about every aspect of computer security -- data encryption, spam-blocking and anti-fraud methods, for example. Thayer will lead a daylong seminar on Internet phone-calling security. The conference comes on the heels of a national debate over President Bush's authorization of wiretaps without first obtaining a warrant, and a battle between Google and the Department of Justice over privacy. The Mountain View company is fighting a subpoena it received, as did Yahoo, America Online and Microsoft, asking them to provide information to the government about people's search habits. Adding more heat to the issue is an ongoing legal conflict between several Internet phone-calling providers -- as well as privacy advocates -- with the government over whether companies should be required to make it easy for law enforcement to conduct wiretaps over their networks. 
The providers argue that taking steps to make wiretapping easier will actually make networks more vulnerable to malicious attacks. Federal regulators believe Internet phone systems should follow the same rules as traditional ones, and should offer a standardized level of access to law enforcement. The matter remains before a federal appeals court. Spoken e-mail In thinking about the threats Internet callers may face, experts say it's helpful to think of the calls as spoken e-mails -- after all, they both consist of packets of data zipping across the Internet. Therefore, it's possible for Internet phone calls to be plagued by the same attacks that dog e-mail: Hackers listening to your calls, automated spam messages that call you, and so-called ``phishing'' requests -- phone messages that seek personal financial information from recipients with the intention of raiding their bank accounts. ``I think the next generation of spam is spam voice mail over VoIP,'' said Chris Rouland, chief technology officer at the Atlanta-based Internet Security Systems company, which supplies security for large phone networks and other businesses. VoIP stands for Voice Over Internet Protocol, and is the industry term for Internet phone-calling. At home, people using Internet phone calls should take the same precautions they do for Web and e-mail communications: ``Never accepting calls from people they don't know and don't trust. Never giving out personal information to strangers and people you don't trust,'' said Terrell Karlsten of Yahoo. Skype uses encryption, or hiding data with difficult-to-break codes, and Yahoo uses other methods, to protect conversations. Experts suggest anyone thinking of signing up for Internet calling services ask or make sure they're clear about a specific company's policy toward security and privacy. No spam yet So far, there have not been any major documented incidents of fraud or spamming from using Internet phone-calling. 
But while growing in popularity, Internet phone calling is still in its infancy. Eleven percent of American households will be using some form of Internet phone service by 2010, according to Forrester Research. Industry analysts at In-Stat reported that the number of people using the technology worldwide grew by 62 percent from 2004 to 2005. Cisco Systems, which makes routing and switching equipment that sends Internet data where it needs to go, believes businesses and Internet service providers should safeguard voice conversations for their staff and customers in the same way they can protect e-mail and instant messaging. ``Secure your phones, secure your routers, secure your VoIP call centers, secure your applications,'' said Jayshree Ullal, senior vice president of Cisco's DataCenter, Switching and Security Technology group. Securing the network Many security options can be installed on the computer network, rather than on people's individual desktop computers, Ullal said. Yet security experts say that if people want to listen to your Internet telephone conversations, they can. In fact, a simple Web search produced a site offering a program to do just that. The program is designed to break into networks and then capture the packets of data containing the conversation, and reconstruct them into an audio file. But the experts also point out that while it's possible for hackers to record conversations, it's unlikely that such attacks will occur randomly. Attacks are more likely to occur on office networks than home networks and are likely to involve conversations that will give hackers information they can sell. For businesses dealing with financial or legal transactions, additional protection is a must, said Kelli Long, of CallTower, a Utah company that sets up phone networks for businesses. 
``From a consumer's perspective, if I'm out browsing the Internet and if I'm sending e-mails back and forth, I should expect basically the same amount of security for my voice calls, and at this point, probably even less,'' Long said. Saving conversations So what happens to Internet voice conversations once they're finished? Like any data, an Internet phone call can be saved. And there generally aren't any guidelines about who has a right to save what information. Yahoo's Instant Messaging service does not save conversations, nor does Skype's, according to representatives. ``Privacy is very important to our users,'' Yahoo's Karlsten said. ``We also have preventative measures we've implemented . . . detecting sending patterns and habits associated with spammers.'' Google would not release information about the security of its Google Talk application. But the terms of service for the program state: ``Google may access or disclose your personal information, including the content of your communications, if Google is required to do so in order to comply with any valid legal process or governmental request.'' Rouland admitted that rules around Internet phone calls are just starting to be developed, but the security concerns shouldn't scare people off from Internet phone-calling entirely. ``VoIP is a great application and we expect it to revolutionize the telephone systems today,'' he said. But right now, ``We're in a little bit of the Wild West.'' From isn at c4i.org Tue Feb 14 01:39:00 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 14 Feb 2006 00:39:00 -0600 (CST) Subject: [ISN] NCsoft site deluged with stolen identities Message-ID: http://joongangdaily.joins.com/200602/13/200602132130583039900090609061.html By Seo Ji-eun, Lee Weon-ho February 14, 2006 Hackers have used the private information of hundreds of people to register on the Web site of "Lineage," one of Korea's most popular online games. 
Complaints to the game developer, NCsoft Corp., have been rapidly piling up. The company said yesterday that it had received up to 600 reports so far of people being registered without their knowledge as members of the role-playing games "Lineage" and "Lineage 2." The two games have a combined subscriber base of 2 million members. The Ministry of Information and Communication also said that a large number of people have posted notes on Internet communities and portal sites, saying that their names and resident registration numbers were used to sign up with the game site without their permission. "This is the first time that such a huge number of illegal name usage cases have been discovered," said an NCsoft spokesman. "The majority of the registrations took place between last November and January this year." He added that it seems highly likely that the major portal sites or online communities were hacked, but the company is now conducting an investigation. In Korea, gamers can only register one account per person. Observers speculate that hackers used stolen identities to play multiple games, thus earning more virtual items that can be sold for cash. Regarding this case, online industry experts estimate that the total number of netizens whose information was pilfered and used without their consent on the game site could reach the hundreds of thousands, considering the number of official reports already. In order to check if one's private information has been used, one can visit: http://cs.lineage.co.kr/account/new-Account/agreeOverFourteen.asp and type in one's name and resident registration number. The firm's customer center is accepting reports via telephone at 1566-6600. The police will take action as soon as the investigation reveals the cause and method of the information leakage. From isn at c4i.org Tue Feb 14 01:39:13 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 14 Feb 2006 00:39:13 -0600 (CST) Subject: [ISN] U.S. charges Calif. 
man in computer botnet case Message-ID: http://www.informationweek.com/security/showArticle.jhtml?articleID=180200468 By Reuters FEBRUARY 13, 2006 SAN FRANCISCO (Reuters) - A California man was indicted on Friday on federal charges of creating a robot-like network of hijacked computers that helped him and two others bring in $100,000 for installing unwanted ad software. The indictment from a federal grand jury in Seattle also accuses Christopher Maxwell, 20, and two unidentified conspirators of crippling Seattle's Northwest Hospital with a "botnet" attack in January 2005. Authorities say the hospital attack caused $150,000 in damages, shut down the intensive care unit and disabled doctors' pagers. "Some people consider botnets a mere annoyance or inconvenience for consumers but they are highly destructive," U.S. Attorney John McKay said in a statement. "In this case, the impact of the botnet could have been deadly." The two-count indictment charges Maxwell with conspiracy to intentionally cause damage to a protected computer and commit computer fraud. A "bot" like the one Maxwell is accused of operating is a program that surreptitiously installs itself on a computer so it can be controlled by a hacker. A botnet is a network of such robot, or "zombie," computers, that can harness their collective power to do considerable damage or send out huge amounts of junk e-mail. The creator of a botnet typically uses a computer or computers to search the Internet for vulnerable machines. After installing malicious code, a bot program connects to the network where it will receive commands from the operator of the network. Authorities charge that Maxwell used a botnet to secretly install unwanted Internet adware, which makes advertising displays pop up on a user's computer, and then earn commissions from a number of companies. If convicted, Maxwell faces a maximum 10 years in prison and a $250,000 fine. 
As part of his network, authorities said Maxwell hijacked high-powered server networks at California State University, Northridge, the University of Michigan and the University of California, Los Angeles. Copyright 2006 Reuters. From isn at c4i.org Tue Feb 14 01:38:29 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 14 Feb 2006 00:38:29 -0600 (CST) Subject: [ISN] Hacker Threatens to Take Down Olympics Computers Message-ID: http://www.foxnews.com/story/0,2933,184695,00.html Associated Press February 13, 2006 TURIN, Italy - A would-be hacker was being investigated by police Monday after threatening to attack the internal computer network of the Turin Olympics organizing committee. The man - a technical consultant for the TOROC committee - illicitly gained access to off-limits sections of the network, police officer Fabiola Silvestri said. "This consultant - who is now a former consultant - said in a very strong way that he could do certain things to the network," TOROC spokesman Giuseppe Gattino said. "Nothing has happened and all the passwords have been disabled." Officials declined to reveal the consultant's identity, and Gattino said he didn't know the reasons for his threatening behavior. No charges were immediately filed against the man. In a separate case, police found that a Turin antiques dealer had acquired five Internet domains that had similar names to Olympic Web sites. If accessed, the domains redirected users to the dealer's Web site, which also carried Olympic logos and other copyrighted material, Silvestri said. Once he had been told that what he was doing was illegal, the dealer deleted the material and redirected users from his domains to Olympic Web sites, she said. 
From isn at c4i.org Tue Feb 14 01:39:39 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 14 Feb 2006 00:39:39 -0600 (CST) Subject: [ISN] Teen hacker fined for server attack Message-ID: http://www.theage.com.au/news/national/teen-hacker-fined-for-server-attack/2006/02/13/1139679536471.html By Steve Butcher February 14, 2006 HE WAS the only Australian member of a small international computer hacking team - a Melbourne teenager nicknamed Susboy - and he craved kudos. But 19-year-old Stephen Sussich's need to impress his six secret colleagues in Team Simplicity ended when four carloads of police arrived at his family home in Essendon. The ramifications of the dawn raid, which horrified his unsuspecting parents and woke the neighbours, killed Sussich's curiosity for computer hacking. The fallout continued yesterday in Melbourne Magistrates Court when Sussich was convicted and fined $2000 and ordered to pay $3000 compensation to the firm whose server he attacked. Judy McGillivray, prosecuting, told the court that routine maintenance last August of Brisbane-based company Webcentral revealed scanning tools linked to a person with the username mssql. Through another company, Webcentral had server links to 46,000 credit card holders. Ms McGillivray said investigations found mssql had illegally put a "rootkit" - an "intruder's toolkit" - on the server, which can hide its presence, stop access and close windows behind it. When the Australian Federal Police High-Tech Crime Centre in Canberra examined the server, numerous references to Susboy were found. Ms McGillivray said there was no evidence Sussich accessed any credit card details or was financially motivated. Sussich, of Jacka Street, Essendon, pleaded guilty to two charges of unauthorised modification of data to cause impairment. Defence lawyer Peter Randles said Sussich was a "normal, decent young guy" with great computer skills and a talent for breaching security systems. 
But Mr Randles said curiosity had got the better of Sussich. The police raid last September had "killed his illegal curiosity" and he urged magistrate Lisa Hannan not to convict him. Ms Hannan said while Sussich had shown remorse, his offences undermined community confidence in e-commerce.

From isn at c4i.org Tue Feb 14 01:39:51 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 14 Feb 2006 00:39:51 -0600 (CST) Subject: [ISN] Company sues unknown computer hackers Message-ID: http://www.wvrecord.com/news/newsview.asp?c=174679 By Chris Dickerson Charleston Bureau February 13, 2006 CHARLESTON - A North Carolina company with a Charleston office is suing unnamed hackers that it says broke into its computer system. WeSave Inc. filed the lawsuit Jan. 24 in Kanawha Circuit Court. WeSave, which has an office at 208 Capitol Street, operates discount and loyalty programs for public employees. The suit says that on Jan. 19, hackers believed to be West Virginians using a certain Internet protocol address accessed the computer systems of Freedom Voice Systems of Encinitas, Calif. That company operates under contract with WeSave to receive facsimile transmissions on its behalf and to forward that information to WeSave. "Hackers accessed this system and deleted certain information belonging to WeSave with the intent to alter, tamper with, delete, damage and destroy information knowingly and willfully without the authorization of WeSave in violation of the West Virginia Computer Crime and Abuse Act," the company, represented by attorney David Allen Barnette, says in the suit. The company also claims the hackers disrupted and degraded the computer services and denied WeSave computer transmissions in violation of the West Virginia Computer Crime and Abuse Act. WeSave says it is entitled to recovery for each hacking violation, including compensatory and punitive damages and other relief, including injunctive relief.
WeSave seeks a judgment in an amount to be proven at trial, plus pre- and post-judgment interest, punitive damages and other relief, including injunctive relief. The company requests a jury trial. The case has been assigned to Circuit Judge Charlie King. Kanawha Circuit Court case number: 06-C-117 ©2005 The Record, Inc.

From isn at c4i.org Tue Feb 14 01:40:03 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 14 Feb 2006 00:40:03 -0600 (CST) Subject: [ISN] Case Western Reserve shooter blames hacker Message-ID: http://www.starbeacon.com/?MC=NEWS&NID=1&AID=10152 By M.R. KROPKO Associated Press Writer 2/13/2006 CLEVELAND - A former graduate student convicted of killing one man and wounding two others inside the business school at Case Western Reserve University remains convinced he should not be held responsible. In a one-hour interview last week with The Associated Press inside the Cuyahoga County Jail, Biswanath Halder expressed no remorse and accepted no blame for his violent, 7 1/2-hour siege that terrified students and faculty on May 9, 2003. He blamed the university for a hacker who had wrecked his Web site meant to help business entrepreneurs from India. "I didn't take a life," Halder said in a quiet, calm tone,

From isn at c4i.org Wed Feb 15 03:12:46 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 15 Feb 2006 02:12:46 -0600 (CST) Subject: [ISN] Brazilian police bust hacker gang Message-ID: http://www.theage.com.au/news/breaking/brazilian-police-bust-hacker-gang/2006/02/15/1139890794432.html February 15, 2006 Brazilian federal police arrested 41 hackers today accused of using the internet to divert millions of dollars out of other people's bank accounts. Some 200 federal police were deployed in the operation to serve 65 arrest warrants against a gang of hackers mostly operating in Campina Grande, some 1,800km north-east of Rio. Arrests also were made in six other states.
Police said over the past three months the gang invaded some 200 accounts in six banks, stealing 10 million reals ($A6.38 million) using a so-called Trojan horse virus sent via email. The program entered computers and, working in the background, copied account numbers and passwords without the users' knowledge. Police said the leader of the gang was a 19-year-old and five of those arrested so far were minors. Police were still looking for 24 other alleged gang members. While only a small percentage of Brazil's 185 million people can afford computers, those who do have them are among the most active in the world in using online banking services and the internet. Copyright © 2006 The Age Company Ltd

From isn at c4i.org Wed Feb 15 03:13:07 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 15 Feb 2006 02:13:07 -0600 (CST) Subject: [ISN] Chinese Internet censors face 'hacktivists' in U.S. Message-ID: http://www.post-gazette.com/pg/06045/654754.stm By Geoffrey A. Fowler The Wall Street Journal February 14, 2006 Surfing the Web last fall, a Chinese high-school student who calls himself Zivn noticed something missing. It was Wikipedia, an online encyclopedia that accepts contributions or edits from users, and that he himself had contributed to. The Chinese government, in October, had added Wikipedia to a list of Web sites and phrases it blocks from Internet users' access. For Zivn, trying to surf this and many other Web sites, including the BBC's Chinese-language news service, brought just an error message. But the 17-year-old had had a taste of that wealth of information and wanted more. "There were so many lies among the facts, and I could not find where the truth is," he writes in an instant-message interview. Then some friends told him where to find Freegate, a tiny software program that thwarts the Chinese government's vast system to limit what its citizens see. Freegate -- by connecting computers inside of China to servers in the U.S.
-- allows Zivn and others to keep reading and writing to Wikipedia and countless other sites. Behind Freegate is a North Carolina-based Chinese hacker named Bill Xia. He calls it his red pill, a reference to the drug in the "Matrix" movies that vaulted unconscious captives of a totalitarian regime into the real world. Mr. Xia likes to refer to the villainous Agent Smith from the Matrix films, noting that the digital bad guy in sunglasses "guards the Matrix like China's Public Security Bureau guards the Internet." It isn't all science fiction. China is aggressively moving to control the Internet. Even as the 50 million Internet connections within the country grow faster, contact with the rest of the Web is growing muddier. Roughly a dozen Chinese government agencies employ thousands of Web censors, Internet cafe police and computers that constantly screen traffic for forbidden content and sources -- a barrier often called the Great Firewall of China. Type, say, "media censorship by China" into emails, chats or Web logs, and the messages never arrive. Even with this extensive censorship, Chinese are getting vast amounts of information electronically that they never would have found a decade ago. The Internet was one reason the authorities, after a week's silence, ultimately had to acknowledge a disastrous toxic spill in a river late last year. But the government recently has redoubled its efforts to narrow the Net's reach on sensitive matters. It has required all bloggers, or writers of Web logs, to register. At the end of last year, 15 Internet writers were in jail in China, according to the Committee to Protect Journalists, a New York-based group. And China has gotten some U.S. Internet companies to limit the search results they provide or the discussions they host on their Chinese services. A tiny firm Mr. Xia set up to provide and maintain Freegate had to lobby computer-security companies such as Symantec Corp. not to treat it as a virus. 
In response to China's crackdown and restrictions in many Middle Eastern countries, a small army has been mustered to defeat them. "Hacktivists," they call themselves. Bennett Haselton, a security consultant and former Microsoft Corp. programmer, has developed a system called the Circumventor. It connects volunteers around the world with Web users in China and the Middle East so they can use their hosts' personal computers to read forbidden sites. Susan Stevens, a Las Vegas graphic designer, belongs to an "adopt a blog" program. She has adopted a Chinese blogger by using her own server in the U.S. to broadcast his very personal musings on religion to the world. She has never left the U.S., but "this is where technology excels," she says. "We don't have to have anything in common. We barely have to speak the same language." In Boston, computer scientist Roger Dingledine tends to Tor, a modified version of a U.S. Naval Research Laboratory project, which disguises the identities of Chinese Web surfers by sending messages through several layers of hosts to obscure their path. Freegate has advantages over some of its peers. As the product of ethnically Chinese programmers, it uses the language and fits the culture. It is a simple and small program, whose file size of just 137 kilobytes helps make it easy to store in an email program and pass along on a portable memory drive. Mr. Xia says that about 100,000 users a day currently use Freegate or two other censorship-defeating systems he helped create. It is impossible to confirm that claim, but Freegate and similar programs from others, called UltraReach and Garden Networks, are becoming a part of the surfing habits of China's Internet elite in universities, cafes and newsrooms. Freegate has a key booster in Falun Gong, the spiritual group China banned in 1999 as subversive. It is a practice of meditations and breathing exercises based on moralistic teachings by its founder, Li Hongzhi. 
Chinese expatriates -- marrying U.S. free-speech politics with protests over persecution of Falun Gong practitioners in China -- have focused their energy on breaking China's censorship systems. They have nurtured the work of Mr. Xia, himself a Falun Gong follower, and several other programmers. Freegate also gets a financial boost from the U.S. government. Voice of America and Radio Free Asia, part of the federal government's Broadcasting Board of Governors, pay Mr. Xia and others to send out emails featuring links to their stories. Kenneth Berman, manager of the anticensorship office of the board's International Broadcasting Bureau, declines to say how much it compensates Mr. Xia. But he says the bureau pays about $5 million a year to companies to help combat Internet censorship abroad, especially in China and Iran. "Our policy is to allow individuals to get anything they want, when they want," Mr. Berman says. "Bill and his techniques help us do that." Human Rights in China, a New York nonprofit group, also helps fund Mr. Xia's enterprise, which runs on a budget of about $1 million a year. The resources behind Freegate and other hacktivists could increase if Congress revives a bill to create an Office of Global Internet Freedom. U.S. Internet companies have drawn strong criticism in Congress for compliance with Chinese Web restriction, and hearings on their activities are set for Wednesday. Microsoft, Google Inc. and Yahoo Inc. all say that they abide by local laws. Microsoft's general counsel said this month that the software giant shuts down personal blogs only if it receives a "legally binding notice from a government." [...]
From isn at c4i.org Wed Feb 15 03:13:34 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 15 Feb 2006 02:13:34 -0600 (CST) Subject: [ISN] Hacker fights US extradition Message-ID: http://www.heraldsun.news.com.au/common/story_page/0,5478,18154675%255E1702,00.html From correspondents in London 15 Feb 06 A BRITISH computer enthusiast accused by the US government of the world's "biggest military hack of all time" has begun a court fight against extradition to the US. Gary McKinnon was arrested last June following charges by US prosecutors that he illegally accessed 97 government computers including Pentagon, US army, navy and NASA systems. Prosecutors said he hacked into sensitive networks over a one-year period from February 2002 and caused $US700,000 ($950,828.58) worth of damage, after crippling US defence systems in the wake of the September 11, 2001 attacks. If found guilty, Mr McKinnon could face up to $US1.75 million ($2.38 million) in fines and 60 years in jail. Mr McKinnon's lawyers said he might be prosecuted under military law if he were sent to the United States and could be subjected to "special administrative measures" such as solitary confinement and other tactics to persuade him to plead guilty. He could even face the prospect of being sent to Guantanamo Bay with no chance of parole, they said. Bow Street Magistrates' Court in London is expected to hear from Clive Stafford-Smith, a human rights lawyer who acts on behalf of detainees in Guantanamo Bay. Mr McKinnon - whose hacking name was Solo - admits gaining access to US government computers but denies he caused any damage. His supporters said the US government should be grateful to him for highlighting its security shortcomings. US prosecutors said there is no evidence Mr McKinnon downloaded classified information or forwarded files to foreign governments.
At the time of the indictment, Paul McNulty, US Attorney for the Eastern District of Virginia, said: "Mr McKinnon is charged with the biggest military computer hack of all time." Mr McKinnon, from Wood Green in north London, was released on bail in July 2005 and banned from using the Internet. The 40-year-old appeared relaxed in court where he was supported by more than a dozen friends and supporters. Governments have become increasingly nervous over hackers in recent years and there have been several high profile prosecutions. One of the allegations relates to Mr McKinnon deleting files from computers at a US naval station during a critical time following the September 11 attacks, rendering the base's network of computers inoperable.

From isn at c4i.org Wed Feb 15 03:14:29 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 15 Feb 2006 02:14:29 -0600 (CST) Subject: [ISN] The man behind Cisco's security Message-ID: http://news.com.com/The+man+behind+Ciscos+security/2008-1082_3-6038999.html By Joris Evers Staff Writer, CNET News.com February 14, 2006 Cisco Systems drew the ire of the hacking community last summer when it decided to sue a security researcher. The lawsuit was retaliation for disclosing research into the security of software that runs Cisco routers and switches. The networking giant was already a target for cyberattacks, but that move probably put even more heat on its security team. For example, shortly after Cisco sued, and settled, with the researcher, its Web site security was breached. The company alerted customers and advised them to change their passwords. John Stewart is Cisco's chief security officer and heads up the company's IT security team, among other security-related groups. With his staff, Stewart secures a network used by about 40,000 people with more than 60,000 PCs and countless other network connected devices, including 50,000 voice over Internet Protocol, or VoIP, phones.
On the day before the annual RSA Conference security confab in San Jose, Calif., Stewart talked to CNET News.com about his responsibilities. Q: There is a big bull's-eye on Cisco as an organization. What do you do to defend yourself against being attacked by hackers? Is there a simple solution? Stewart: I don't think there is a simple solution. Probably the best way to describe it is that we never stop trying to think like our attackers. The best way to think about a defense is to think about the offense. The means by which we approach it go from everything from technology to how we educate and train people toward being aware of the risks and ideally to get security as a piece of every network element and into every person's mind. A lot of people tend to talk about security as the latest security patch or the latest vulnerability that's out there. Do you see security in that way? Stewart: No, those are a great deal about a known class of threats and usually there is a technology answer to your problem. We have a tendency to think about whole classes of problems. Patching is an availability problem just as much as it's a security problem. A virus is just as much a user awareness issue as it is a technology threat. In focusing on trying to handle classes of problems like that, we want to take people issues first, define it and then get a technology answer toward mitigating classes of problems. What would you say are some of the key issues you face in terms of security at Cisco and in defending the Cisco network? Stewart: The types of threats that we all face now are motivated by true financial gain. Oftentimes what we had was an annoyance, or a disruptive kind of threat, something that was not really trying to damage or steal, but we have moved away from that now. This is about mitigating theft and mitigating true damage. That's most different than what we faced in the last few years.
If you can describe some of the attacks that you face, what types of attacks are those and do you see many? Stewart: We face distributed denial of service attacks against our Web site, sometimes right towards the end of our quarter. That's a level of business knowledge that an attacking team has. In an attempt to disrupt electronic commerce, we will get an attack near the end of our quarter. That's a different style than we've seen in the past. We certainly face a lot of the more common ones, or the more frequently talked about ones, be it spam, be it the viruses and worms, but we have mitigated to a great degree the risks associated with those. How do you measure if you have been successful in your job as a security professional at Cisco? Stewart: That nobody knows we're there and they are feeling safe. Microsoft is releasing a new operating system later this year, Windows Vista. Microsoft likes to tout all the security enhancements in Vista, do you care about things like that? Do you look at that and think: 'This is going to help me in terms of my security exposure?' Stewart: Not at an operating system by operating system level. Any new technology is one that will have positives in its ability to protect itself and it will have new threats. That's not a Microsoft problem, it is every operating system developed. When you're protecting your own network, what kind of products do you like to use, what sort of technologies do you use? Stewart: We use behavioral technology. The first and best defense we use on computers at Cisco is the Cisco Security Agent. And by behavioral, what it is really doing is saying an operating system is running this way normally, but everything else is questionable. It might be OK, but you have to pose a question to find out whether it really is or isn't. Single-handedly, the most important technology we have deployed for protecting our computers in the past couple of years.
We still use antivirus, we still use anti-spyware, those are key elements. We use all three of Symantec, Trend and McAfee. You mentioned you use Cisco products also to protect your own network. What do you do if you have a problem with a Cisco product and does that ever occur? Stewart: It absolutely occurs. But being a part of engineering, as my team is, and we're part of IT as well, we get to work with engineering very closely. If there is ever a unique need on a product or there is a whole product we have not even invented yet that would be best suited to protect an enterprise, being so collaborative with my engineering team means that we can see the problem from both sides. They can use us as the practicing arm of what they are developing. I am a customer and I'd like to say that I am in a class of good tough customers. Would you say that in terms of security at Cisco you are also accountable for security and totally responsible? Stewart: I think everybody at Cisco is accountable for security at Cisco. What I am uniquely accountable for, as is my team, is education and awareness and the use of technology to help best protect our company. What I'd rather never say is that a security team is responsible for security at a company, namely my security team is responsible for security at Cisco. That means that 99 percent of the company somehow isn't. That's the inverse of what I am looking for. I'd rather be helpful to the business, towards it understanding that we're all responsible. Do your users seem to understand that as well, or do they say: 'John is responsible for everything, I can go connect my laptop to a rogue wireless access point, he's going to take care of it anyway. I can go download spyware or Kazaa onto my PC, John is going to take care of it, it is not really my deal?' Stewart: With this many people, there will always be cases where a person did not realize that they could not do something. 
From John Chambers as our CEO on down, we all realize that security is part of our responsibility. Is there any technology you won't use because of security reasons? I know of companies that won't use wireless networking, let mobile devices such as Palm Treo smart phones onto their networks, or let somebody connect an iPod to their work computer because of possible security issues. Stewart: We put security software on the Treos and allow them to be deployed. Most people want the Treos not only for contact information, they also want to use other applications like e-mail. We say they are allowed to use it with e-mail, if they install security software. It is part of making security part of the generic process. We know that you want to do something productive, here is how you do it safely. ©2006 CNET Networks, Inc.

From isn at c4i.org Wed Feb 15 03:14:45 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 15 Feb 2006 02:14:45 -0600 (CST) Subject: [ISN] Gates says security boils down to four focus areas Message-ID: http://www.networkworld.com/news/2006/021406-gates-keynote-rsa-security.html By John Fontana Network World 02/14/06 Bill Gates Tuesday opened the annual RSA Security Conference with an overview on the state of security that was long on vision and broad with its details. Gates, Microsoft's chief software architect, said the industry must meet a set of four high-priority initiatives in order to improve security in an ever increasing digitized world that is working more and more over the Internet. Gates started off light saying he was glad to be keynoting at RSA because his other invitation "was to go quail hunting with Dick Cheney. I'm feeling really safe right now," he said. Gates then launched into the importance of security going forward and categorized a set of priorities under four headings: trust ecosystem, engineering for security, simplicity, and fundamentally secure platforms.
"It is a very big challenge to make sure that security is not the thing holding us back," Gates said. "The Internet is such a critical infrastructure for productivity, for reliability, for privacy that the dream we have can only be realized if we not only build secure approaches but make them easy to administer and make it so the users understand exactly what to expect. That means a lot of invention and a lot of improvement from where we are today." Gates gave very little in the way of new initiatives or ideas at Microsoft for meeting his four broad goals, instead tailoring his remarks around announced features in the upcoming Windows Vista client operating system including smart card support, identity technology called InfoCard, and improvements in the Internet Explorer browser. The only real announcement was that Microsoft's Certificate Lifecycle Manager was now in beta. The announcement came as an aside during a demo showing how a user who lost his smart card, laptop and phone could quickly get replacements. Gates used the demo to highlight his trust ecosystem, one of his four priority areas for improving security. "We have chains of trust," Gates said. "What we need to do is track those trust relationships, to grab permissions, to revoke those trust relationships, to develop reputation over time." He said today people live without a trust ecosystem. "It can't be something whether it is one unique piece of software or one unique organization, it has to be totally federated so all the trust statements can be understood and reasoned against. With that we get reputation, for code, for users, across all the different activities they do." He said one key of the ecosystem would be about people and the need to manage certificates, including issuance and revocation. Gates said over the next 3 to 4 years corporate users should start to see a shift away from passwords to two-factor authentication in the form of smart cards. 
And he said high-value certificates would help users reliably identify Web site owners. In terms of engineering for security, Gates used as an example Microsoft's use of tools and new design practices for developing secure code. "Code has to operate as expected," he said. In terms of simplicity, Gates said Microsoft has to get dramatically better. "The number of screens you have to get involved in, the number of places you have to go to find out what went on are still too high," he said. Gates pointed out some of the things that Microsoft is doing to get better, such as: the inclusion of the OneCare security service in Vista, improvements to the Security Center in the operating system, the use of group policy controls by IT, and the use of InfoCard, a system now supported in IE 7.0 that lets users control the dissemination of their own identity information. "Security and management are not really two separate things," Gates said. Under his goal for fundamentally secure platforms, Gates pointed out Vista, which he said would take Microsoft to new heights in terms of security. He highlighted user protection controls that limit administrative rights and prevent malicious code from running amok, along with Windows Defender for blocking spyware. Beta 2 of Defender also was released today. Gates wrapped up by saying the industry needs to focus on all four of these security areas. "The opponent in this case - is not standing still," he said.

From isn at c4i.org Wed Feb 15 03:13:51 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 15 Feb 2006 02:13:51 -0600 (CST) Subject: [ISN] Romanian hacker breaks in to UA journalism computers Message-ID: http://www.azstarnet.com/metro/115789 By Djamila Grossman Arizona Daily Star Tucson, Arizona 02.14.2006 Hackers broke into the computer system of the University of Arizona journalism department, and students were unable to use the computers Monday.
All of the department's Apple Macintosh computers were affected and have been logged off the server and the Internet until the problem is solved, said Jacqueline Sharkey, head of the department. No information has been lost so far, she said. It was unclear Monday how long it would take to fix the security leak, she said. "It's a very serious issue, and we took action immediately," Sharkey said. Department officials uncovered the problem during the weekend when they ran a security check on the computers. Many of the computers have had issues in the past weeks that led to temporary shutdowns, but Sharkey said everyone thought it was a hardware problem. The computers are protected by a password, and Sharkey said she suspects that the hackers got through by trying "again and again and again." The security check showed that in other unrelated cases, hackers from Korea and Indonesia had tried to gain access to the system but were unsuccessful, she said. "No type of computer is invulnerable," she said. "Attempts are really common, but they usually fail. In this particular case, the person was able to get in." The department works together with the UA's Center for Computing and Information Technology, which determined that the hacker was in Romania, Sharkey said. Computers used by students to produce the Daily Wildcat newspaper were not affected. All journalism classes will continue on schedule. From isn at c4i.org Wed Feb 15 03:14:07 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 15 Feb 2006 02:14:07 -0600 (CST) Subject: [ISN] Microsoft issues seven security patches Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,108700,00.html By Shelley Solheim FEBRUARY 14, 2006 IDG NEWS SERVICE Microsoft Corp. today released seven software patches, including fixes for security flaws in Internet Explorer (IE) and Windows Media Player that were given a critical severity rating by the company. 
But security researchers said that the latest monthly batch of patches from Microsoft isn't particularly ominous.

"These are seven of the most boring patches I've ever seen," said Russ Cooper, a senior information security analyst at Cybertrust Inc. in Herndon, Va., and editor of the NTBugtraq mailing list. "I think they were being nice to us on Valentine's Day so no one would be bogged down applying seven [patches] tonight."

"There's definitely no super-serious, freak-out vulnerability," agreed Mike Murray, director of vulnerability research at nCircle Network Security Inc., a security software vendor in San Francisco.

One of the critical patches provides a fix for a vulnerability in the way that IE handles Windows Metafile (WMF) images. However, the flaw only affects IE 5.01 Service Pack 4 running on Windows 2000 systems that have the SP4 version of the operating system installed, Microsoft said in a security bulletin.

The vulnerability could enable an attacker to construct a WMF image that would support the remote execution of code on systems if users viewed a malicious Web site, e-mail or e-mail attachment, according to Microsoft. If successful, an attacker could take control of an affected system.

Because the new vulnerability affects such a narrow scope of users, it isn't as severe as the WMF flaw that Microsoft patched early last month, ahead of the company's regular monthly patch release in January, said Michael Sutton, director of VeriSign Inc.'s iDefense Labs unit in Reston, Va. "We're not aware of any public exploit code for it at this time," Sutton said.

The other critical vulnerability affects the way that Windows Media Player processes bitmap (.bmp) files, Microsoft said. An attacker could exploit that flaw by creating a malicious .bmp file that could be used to execute code remotely or take control of systems if users visited a malicious Web site or viewed a specially crafted e-mail message.
Microsoft deemed the Media Player flaw to be critical for users of Windows XP SP1 and SP2 as well as Windows Server 2003, Windows 2000 SP4 and other earlier versions of the operating system.

The Media Player flaw could pose more of a ripe target for attackers than the WMF one does, Sutton cautioned. "Even though Windows Media Player is not something generally used to render images, it has the capability of doing that," he said. "It's not difficult to create a Web page that uses Windows Media Player to display an image instead of the default application."

The remaining five patches affect products such as PowerPoint and the Windows Web Client and were all rated as "important" fixes by Microsoft.

From isn at c4i.org Thu Feb 16 05:40:53 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 16 Feb 2006 04:40:53 -0600 (CST)
Subject: [ISN] Security titans weigh in on buyout environment
Message-ID:

http://news.com.com/Security+titans+weigh+in+on+buyout+environment/2100-7350_3-6040297.html

By Dawn Kawamoto
Staff Writer, CNET News.com
February 15, 2006

SAN JOSE, Calif.--Psst buddy, got a security company to sell?

Security companies that are privately held and in the business of protecting information from espionage and offering up secure access are attractive among potential buyers, a panel of security titans and bankers said here Thursday during the RSA Conference 2006.

The panel, speaking to a standing-room-only crowd, addressed the current mergers and acquisition environment for security companies, as well as what it takes for them to gain interest in potential buyout candidates.

The current valuation for privately held security companies, based on projecting out future revenues, is a mean of slightly more than 6.5 times those revenues. But valuations for publicly traded security companies are substantially lower, said Rob Owens, vice president of equity research for Pacific Crest Securities and panel moderator.
"Most of the innovation comes from smaller companies," said Parveen Jain, executive vice president of corporate development and strategy for McAfee, in explaining the difference between valuing a private security company and a public one.

Another issue for buyers is that public companies tend to be more mature, offering less potential revenue growth, said Michael Cristinziano, vice president of strategic development for Citrix, which acquired SSL VPN start-up Net6 for $50 million two years ago. He added that the ability of a potential buyout target to add to his company's earnings within a 12-month period is a key consideration on whether to do a deal.

Symantec, which has been on a tear with acquisitions big and small, wants its potential lifelong partners to have frank discussions with the security giant on its financial outlook and performance. James Socas, senior vice president of Symantec's corporate development, recalled a time when a private company provided financial information that showed declining revenues over a three-year period, yet had a forecast of more than doubling its revenues in the following year.

McAfee, meanwhile, homes in on the candidate's operating team, assessing whether they can deliver on the technology and financial numbers they have projected, and be flexible if changes are needed to their business plan.

In providing a broad view of areas in which they are interested in making acquisitions, Jain said McAfee finds areas that need addressing include industrial spying, or the tampering and theft of information.

Symantec is anticipating more companies will find it incumbent to take on the role of managing their own security, similar to what consumers have done.

Citrix is focusing on deals that will provide its customers with the "best access experience," Cristinziano said.
Technology to solve the leakage of sensitive information is an area that a number of large potential buyers are interested in, said panelist Neel Kashkari, an investment banker with Goldman Sachs.

Kashkari noted Microsoft's entry into the antivirus market has had a negative effect on start-ups in a similar market that are seeking funding or a buyout. "It's created an overhang with valuations," he noted.

A number of security companies are turning to a buyout, rather than going public, as a means to pay back initial investors, the panelists noted, pointing to NetScreen Technologies' 2002 IPO as the last "meaningful" public offering of a security company.

The regulatory environment, including Sarbanes-Oxley, has made executives of private companies more hesitant to go public, rather than selling their operations, the panelists said. Another issue is that single product security companies are finding Wall Street is less receptive in the post-bubble environment. And then there are the attractive valuations for privately held security companies, in the current climate.

"Mergers and acquisitions are white hot right now," Socas said. "We've seen a lot of good companies on the private side."

Copyright © 1995-2006 CNET Networks, Inc. All rights reserved.

From isn at c4i.org Thu Feb 16 05:41:11 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 16 Feb 2006 04:41:11 -0600 (CST)
Subject: [ISN] Morgan Stanley offers $15M fine for e-mail violations
Message-ID:

http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,108687,00.html

By Reuters
FEBRUARY 14, 2006

NEW YORK -- U.S. investment bank Morgan Stanley has offered to pay $15 million to resolve an investigation by U.S. regulators into its failure to retain e-mail messages, according to a regulatory filing.

The Wall Street firm said it had reached "an agreement in principle" with the U.S. Securities and Exchange Commission's Division of Enforcement to resolve an investigation into its preservation of e-mails.
The fine would be one of the largest penalties ever imposed on a Wall Street firm for failing to preserve records. U.S. market regulators had threatened to fine Morgan Stanley for failing to keep e-mails in several recent cases brought against the brokerage.

Morgan Stanley said the proposal has yet to be presented to the SEC, and no assurance can be given that it will be accepted. The firm said part of the fine would go to regulators.

Morgan Stanley also said it was discussing resolution of related charges with the National Association of Securities Dealers, although no agreement has been reached.

The investigation has been ongoing, with Morgan Stanley last April saying that SEC staff had recommended actions against the firm for failing to comply with a 2002 order relating to retention of e-mails.

E-mail played a central role in a $1.58 billion judgment against Morgan Stanley and in favor of Ronald Perelman, the billionaire investor who said he was defrauded by the Wall Street company over the sale of a business and focused on the firm's inability to produce documents.

The judge in that case, frustrated by Morgan Stanley's inability to produce e-mail documents demanded by Perelman's lawyers -- the firm said backup tapes had been overwritten -- took the unusual step of switching the burden of proof so that Morgan Stanley had to prove its innocence.

The firm told the SEC that it was working to rectify its problems and pleaded for leniency, saying the transgressions happened when former CEO Philip Purcell, who stepped down last June after a shareholder campaign for his ouster, was running the firm.

From isn at c4i.org Thu Feb 16 05:41:45 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 16 Feb 2006 04:41:45 -0600 (CST)
Subject: [ISN] TCP/IP Changes in Windows Vista and Longhorn
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested.
Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Bindview
http://list.windowsitpro.com/t?ctl=20EAA:4FB69

Thawte
http://list.windowsitpro.com/t?ctl=20EAD:4FB69

====================

1. In Focus: TCP/IP Changes in Windows Vista and Longhorn

2. Security News and Features
- Recent Security Vulnerabilities
- Intel Invests in European Linux Solution Provider Collax
- Sophos to Sell ActiveState
- Three Products Achieve ICSA Labs Desktop Anti-Spyware Certification

3. Security Toolkit
- Security Matters Blog
- FAQ
- Share Your Security Tips

4. New and Improved
- Monitor Windows Event Logs for Compliance

====================

==== Sponsor: Bindview ====

Get the tips you need to prepare and comply with PCI-Data Security standards, including defining the 12 major requirements, and how those requirements affect IT.
http://list.windowsitpro.com/t?ctl=20EAA:4FB69

====================

==== 1. In Focus: TCP/IP Changes in Windows Vista and Longhorn ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

The upcoming Windows Vista and Longhorn server releases will both use a redesigned TCP/IP stack. The new stack will bring several new features, including routing compartments, a better host model, better support for IP version 6 (IPv6), a new packet-filtering API, and some other changes that don't necessarily affect security (you can read about these changes at the URL at the end of this editorial).

The routing compartments feature is really interesting. It lets each user logon session have its own routing table and will prevent Internet traffic from being routed across a VPN into an intranet.

The new host model will help defend against attacks on multihomed systems. So for example, a packet that reaches a network interface must have a destination address that matches the interface's address or the packet will be dropped.
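The weak-versus-strong host distinction the editorial describes can be made concrete with a small model. The following is an added example written for this archive, not Microsoft's code; the interface names and addresses are constructed, and the decision logic is the textbook one (weak host: any address the host owns is accepted on any interface; strong host: only an address assigned to the receiving interface is accepted). The `classify` helper lists exactly the packets that a multihomed host would accept under the old model and drop under the new one, which is the class of traffic the editorial says the new model defends against.

```python
"""Strong vs. weak host model for a multihomed host (added illustration).

Not Microsoft's code. Interface names and addresses below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Packet:
    ingress_iface: str   # interface the packet arrived on
    dst: str             # destination IP address in the packet header


# Constructed multihomed host: one external-facing and one internal-facing interface.
HOST_INTERFACES = {
    "eth0": {ip_address("192.0.2.10")},      # external network
    "eth1": {ip_address("198.51.100.10")},   # internal network
}


def accepts_weak(pkt, interfaces=HOST_INTERFACES):
    """Weak host model: accept if dst is any address the host owns, on any interface."""
    dst = ip_address(pkt.dst)
    return any(dst in addrs for addrs in interfaces.values())


def accepts_strong(pkt, interfaces=HOST_INTERFACES):
    """Strong host model: accept only if dst is assigned to the ingress interface."""
    dst = ip_address(pkt.dst)
    return dst in interfaces.get(pkt.ingress_iface, set())


def classify(pkts, interfaces=HOST_INTERFACES):
    """Packets the weak model lets in but the strong model drops.

    These are packets addressed to an internal-side address that arrive on the
    external interface: the multihomed-host exposure the strong model closes.
    """
    return [p for p in pkts
            if accepts_weak(p, interfaces) and not accepts_strong(p, interfaces)]


# Constructed sample traffic.
SAMPLE = [
    Packet("eth0", "192.0.2.10"),     # external address on external interface: normal
    Packet("eth0", "198.51.100.10"),  # internal address arriving on external interface
    Packet("eth1", "198.51.100.10"),  # internal address on internal interface: normal
    Packet("eth0", "203.0.113.5"),    # not a local address at all: dropped by both
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.ingress_iface} dst={p.dst:<15} weak={accepts_weak(p)!s:<5} strong={accepts_strong(p)}")
```

Run as a script it prints one line per sample packet; the second packet is the only one where the two models disagree, and that disagreement is the whole security value of the change.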
The new packet-filtering API, now known as Windows Filtering Platform (WFP), will help developers more easily filter or change packets before they're processed further along in the OS. This means that tools such as firewalls and antivirus and antispyware products can better control which data enters the system. You can learn more about WFP at the following URL:
http://list.windowsitpro.com/t?ctl=20EB4:4FB69

Windows XP and Windows Server 2003 both support IPv6; however, functionality is somewhat limited because they don't support Internet Key Exchange (IKE) and data encryption. The new TCP/IP stack will fix this problem by introducing a fully functional IPv6 protocol layer, which will be enabled by default.

However, using IPv6 won't be without problems. Microsoft said that an IPv6-enabled system will first request an AAAA record (which is a record for IPv6 addresses). If the query fails, the system will request an A record (a record for IPv4). Some DNS servers won't answer the A record request if the AAAA request fails. If you want to get a head start on building IPv6 functionality, make sure your DNS server will handle the AAAA, A sequence of requests.

Another issue with IPv6 is Network Address Translation (NAT), which might also break connectivity. To get around that problem, Microsoft uses Teredo (also known as Shipworm), which is a method of encapsulating IPv6 inside IPv4 UDP packets. Microsoft first released Teredo support in its Advanced Networking Pack for Windows XP in XP Service Pack 1 (SP1) and later shipped Teredo as part of XP SP2 and Windows 2003 SP1. Teredo will be a standard part of Windows Vista and Longhorn server.

You can read more about the IPv6 enhancements at the first URL below and learn more about other new features of the TCP/IP stack at the second URL below.
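Teredo makes NAT traversal work by embedding the tunnel endpoints in the IPv6 address itself, which matters to anyone reading firewall or server logs: a Teredo address tells you the Teredo server's IPv4 address and the client's NAT-mapped public IPv4 address and UDP port, both stored XOR-obfuscated. The decoder below is an added example for this archive, not Microsoft's or the newsletter's code; it follows the RFC 4380 address layout (32-bit 2001:0000 prefix, 32-bit server IPv4, 16-bit flags, 16-bit port XOR 0xFFFF, 32-bit client IPv4 XOR 0xFFFFFFFF). The sample address and the endpoints fed to `encode_teredo` are constructed values.

```python
"""Decode and encode Teredo (RFC 4380) IPv6 addresses (added illustration).

Not Microsoft's code. Sample addresses are constructed.
Layout of a Teredo address (128 bits, network order):
  bits   0- 31  prefix 2001:0000
  bits  32- 63  IPv4 address of the Teredo server
  bits  64- 79  flags (0x8000 = cone NAT)
  bits  80- 95  client's mapped UDP port, XOR 0xFFFF
  bits  96-127  client's mapped public IPv4, XOR 0xFFFFFFFF
"""
from ipaddress import IPv4Address, IPv6Address, IPv6Network

TEREDO_PREFIX = IPv6Network("2001::/32")
CONE_FLAG = 0x8000


def is_teredo(addr):
    """True if addr falls inside the Teredo prefix 2001:0000::/32."""
    return IPv6Address(addr) in TEREDO_PREFIX


def decode_teredo(addr):
    """Return (server_ipv4, flags, client_port, client_ipv4) for a Teredo address."""
    a = IPv6Address(addr)
    if a not in TEREDO_PREFIX:
        raise ValueError(f"{addr} is not a Teredo address")
    raw = a.packed                                   # 16 bytes, network order
    server = IPv4Address(raw[4:8])
    flags = int.from_bytes(raw[8:10], "big")
    port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
    client = IPv4Address(int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF)
    return str(server), flags, port, str(client)


def encode_teredo(server_ipv4, client_ipv4, client_port, cone=False):
    """Build a Teredo address from its components; used to cross-check the decoder."""
    flags = CONE_FLAG if cone else 0
    raw = (b"\x20\x01\x00\x00"
           + IPv4Address(server_ipv4).packed
           + flags.to_bytes(2, "big")
           + (client_port ^ 0xFFFF).to_bytes(2, "big")
           + (int(IPv4Address(client_ipv4)) ^ 0xFFFFFFFF).to_bytes(4, "big"))
    return str(IPv6Address(raw))


if __name__ == "__main__":
    # Constructed sample: server 65.54.227.120, cone NAT, client 192.0.2.45:40000.
    sample = "2001:0:4136:e378:8000:63bf:3fff:fdd2"
    server, flags, port, client = decode_teredo(sample)
    print(f"{sample}: server={server} cone={bool(flags & CONE_FLAG)} client={client}:{port}")
```

In a log-review context the useful fields are the decoded client IPv4 and port: they identify the NAT-mapped endpoint behind a Teredo peer, which the raw IPv6 literal hides.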
http://list.windowsitpro.com/t?ctl=20EAB:4FB69
http://list.windowsitpro.com/t?ctl=20EAC:4FB69

====================

==== Sponsor: Thawte ====

The Starter PKI Program
Do you need to secure multiple domains or host names? In this free white paper you'll learn how the Starter PKI Program will benefit your company with timesaving convenience. Plus--you'll get the chance to actually test the program!
http://list.windowsitpro.com/t?ctl=20EAD:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=20EAF:4FB69

Intel Invests in European Linux Solution Provider Collax
Collax announced that Intel Capital has invested in the company, bringing its total Series A funding to $8.4 million. Collax Business Server's management interface offers simplified management functions for security features including firewalls, proxies, VPNs, antivirus, antispam, antiphishing, PKI, and Web content filtering.
http://list.windowsitpro.com/t?ctl=20EB9:4FB69

Sophos to Sell ActiveState
Security solutions provider Sophos will sell its ActiveState unit to Canadian venture capital firm Pender Financial Group for $2.25 million. Pender Financial intends to acquire ActiveState through a newly incorporated company, which will allow ActiveState to become independent.
http://list.windowsitpro.com/t?ctl=20EBA:4FB69

Three Products Achieve ICSA Labs Desktop Anti-Spyware Certification
Three products have earned ICSA Labs Desktop Anti-Spyware Certification. ICSA Labs antispyware testing criteria determine whether products can defend systems against spyware, keyloggers, password stealers, dialers, rootkits, and adware. Find out which products earned certification in this article on our Web site.
http://list.windowsitpro.com/t?ctl=20EB7:4FB69

====================

==== Resources and Events ====

Let industry expert Brian Moran teach you the tips and tricks he's learned in 15 years of experience fine-tuning SQL Server systems. This is a web seminar you won't want to miss! Live event: Tuesday, March 21, 2006, 12:00 EST.
http://list.windowsitpro.com/t?ctl=20EA5:4FB69

Learn the best ways to manage your email security (and fight spam) using a variety of solutions and tips.
http://list.windowsitpro.com/t?ctl=20EAE:4FB69

Use clustering technology to protect your company against network outages, power loss and natural disasters. Live Event: Wednesday, February 28, 2006, 12:00 EST
http://list.windowsitpro.com/t?ctl=20EA6:4FB69

Gain control of your messaging data with step-by-step instructions for complying with the law, ensuring your systems are working properly and ultimately making your job easier.
http://list.windowsitpro.com/t?ctl=20EA9:4FB69

Align compliance with business efficiency, and learn how fax-document management plays a role in your strategy.
http://list.windowsitpro.com/t?ctl=20EA7:4FB69

====================

==== Featured White Paper ====

Learn about recovery to virtual computer environments, hardware migration strategies, hardware repurposing for optimal resource utilization, meeting recovery time objectives, increasing disaster tolerance, and more.
http://list.windowsitpro.com/t?ctl=20EA8:4FB69

====================

==== Hot Spot ====

ThreatSentry--IIS Host IPS & Application Firewall
Malicious or unauthorized traffic plaguing your Web servers? ThreatSentry combines a state-of-the-art Application Firewall and advanced behavioral intrusion prevention components to block any activity falling outside of trusted parameters. Get enterprise-grade, multi-layered protection for Microsoft IIS at a small business price! Download free trial today.
http://list.windowsitpro.com/t?ctl=20EB5:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog: Wipe Data from Your Old Media
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=20EBC:4FB69
I've covered this issue several times in different ways. Now there's more help: the National Institute of Standards and Technology (NIST) issued a new guide, "Guidelines for Media Sanitization." Find out more in the blog article.
http://list.windowsitpro.com/t?ctl=20EB8:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=20EBB:4FB69
Q: How can I clear the cache from Microsoft Internet Explorer (IE)?
Find the answer at
http://list.windowsitpro.com/t?ctl=20EB6:4FB69

Share Your Security Tips and Get $100
Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec at windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Announcements ====
(from Windows IT Pro and its partners)

VIP Subscribers have it all!
Become a VIP subscriber and get continuous, inside access to ALL of the online resources published in Windows IT Pro magazine, SQL Server Magazine, and the Exchange and Outlook Administrator, Windows Scripting Solutions, and Windows IT Security newsletters--that's more than 26,000 articles at your fingertips. You'll also get a valuable one-year print subscription to Windows IT Pro and two VIP CD-ROMs that include the entire article database and are delivered twice per year. Don't miss out--sign up now:
http://list.windowsitpro.com/t?ctl=20EB2:4FB69

Save 44% off the Windows IT Security Newsletter
For a limited time, order the Windows IT Security Newsletter and SAVE up to $30 off the regular price.
You'll discover endless fundamentals about building and maintaining a secure enterprise, how-to coverage of free security tools, and expert advice on the best way to implement various security components. You'll also get unlimited access to the full online security article database (more than 1900 articles). Subscribe now:
http://list.windowsitpro.com/t?ctl=20EB1:4FB69

====================

==== 5. New and Improved ====
by Renee Munshi, products at windowsitpro.com

Monitor Windows Event Logs for Compliance
TNT Software offers ELM Event Log Monitor (EVM), which provides monitoring, alerting, reporting, and archiving for Windows event logs. TNT says it leveraged specific functionalities of its ELM Enterprise Manager to produce a tool to meet companies' compliance and security challenges. EVM collects Windows events from hundreds of systems and presents the results at a centralized console, triggers real-time alerts, stores the event data in a central database, and generates audit reports. EVM monitors high-level account changes and logon/logoff activity for compliance and security purposes. You can use preconfigured or customized monitoring settings. For more information, go to
http://list.windowsitpro.com/t?ctl=20EBE:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot at windowsitpro.com.
====================

==== Contact Us ====

About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=20EBD:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=20EB3:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.

From isn at c4i.org Thu Feb 16 05:42:03 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 16 Feb 2006 04:42:03 -0600 (CST)
Subject: [ISN] Security vetting of IT staff on the way, says Unisys
Message-ID:

http://computerworld.co.nz/news.nsf/news/1421BB672FBCD19ACC257111000FC761

By Stephen Bell
Wellington
16 February, 2006

The phrase "security clearance" will become more common in general business as well as sensitive government agencies, says Unisys security consultant Terry Shubkin.

"The weakest link in the security chain is still people," she told a Computer Society meeting last week.

Increasingly, companies will insist that ICT support staff and client-facing staff must be security cleared, ensuring that they have no suspicious incidents in their past and are likely to abide by the company's security standards.

Increasing concern with security, she says, will provide one more disincentive in the already delicate decision whether to outsource ICT work overseas.
If the staff working on software are too far from vetting and control by head office, vulnerabilities could intentionally or inadvertently be introduced to its ICT systems.

Identity management, "still in its very early days for most New Zealand companies," will get more attention in the near future, Shubkin says. The means by which an employee identifies him/herself to the company network will become increasingly advanced, and will more often include biometrics of some kind, she says. Increased sophistication will also come into identity management's logical partner, authorisation.

Shubkin also refers to the growing fear of weaknesses in mobile equipment, which emphasises security as a whole-of-company business-oriented policy, reaching to the highest directors. It's difficult to countermand the chief executive who demands a BlackBerry or similar PDA which will access the company's network and also be connected to unknown other equipment, she concedes, but everyone must observe security disciplines.

Some more inert devices, such as flash-memory chips with a USB connection, may be just as dangerous, Shubkin says. There have been cases of them being infected with viruses and spyware which copied all open files on the system and then "phoned home" as soon as the chip was plugged into an internet-connected machine.

Plans for business continuity in the face of a natural disaster are another worry. At least half the audience indicated they had given some thought to the ICT consequences of a bird-flu pandemic. Plans typically include people working from home or elsewhere off-site, and the security risks of this mode of operation must be scrupulously evaluated, she says.

Increasing skill in the population and more advanced development tools are allowing viruses and other exploits to be developed more easily and quickly. The number of exploits for Unix-type operating systems, including Linux, is increasing and, some sources suggest, now exceeds exploits for Windows.
Exploits no longer attack the operating system only; some target the network infrastructure, Shubkin says.

Formal tools are evolving to help companies evaluate their security "maturity", with diagrams and dashboards able to identify how mature the organisation is in this respect and where specific failings are.

Copyright © 2005, IDG Communications New Zealand Limited

From isn at c4i.org Thu Feb 16 05:42:24 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 16 Feb 2006 04:42:24 -0600 (CST)
Subject: [ISN] Security Breach Reported in N.H. Computers
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2006/02/15/AR2006021502764.html

The Associated Press
February 15, 2006

CONCORD, N.H. -- New Hampshire's state computer system was breached, possibly by a hacker seeking residents' credit card numbers, Gov. John Lynch said Wednesday.

The breach involved online and in-person transactions in various locations, including motor vehicle offices and state liquor stores.

"We felt it was important to alert the public that there is at least the possibility that some credit card information may have been accessed," Lynch said.

No reports of illegal activity have been reported, but officials asked people who used credit cards with the state in the last six months to report suspicious purchases.

State information technology experts became aware of the breach Wednesday when they discovered illegal software in the system. The software, which may have been installed for six months, allows a hacker to watch transactions in real time, officials said.
From isn at c4i.org Thu Feb 16 05:42:43 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 16 Feb 2006 04:42:43 -0600 (CST)
Subject: [ISN] Homeland Security Spells Out Coming Online Threats
Message-ID:

Forwarded from: William Knowles

http://www.informationweek.com/news/showArticle.jhtml?articleID=180202429

By Gregg Keizer
TechWeb News
Feb 15, 2006

The top Internet threats for 2006 will include more attacks through instant messages and cell phones, as well as a boost in identity hacks against online brokerage accounts, the Department of Homeland Security and the National Cyber Security Alliance predicted Wednesday.

By joining forces, the Department of Homeland Security (DHS) and National Cyber Security Alliance (NCSA) hope to give consumers time to put additional protection in place on their PCs.

"Arming consumers with a list of emerging threats is just the first step to educating [them] about the ever-evolving online security environment," said Ron Teixeira, NCSA executive director, in a statement. "It is critical that we also empower users with the how-to practices to protect themselves against these risks."

Calling instant messaging networks "extremely vulnerable" and noting that cell phone malware is on the rise, the federal agency and the non-profit also predicted more "spear phishing, [1]" or targeted phishing attacks.

Other threats to expect, said the DHS and NCSA, include an increase in brokerage account break-ins. "Since the nature of online brokerage accounts makes it easy to transfer funds from various accounts outside the firm, online brokerage accounts are attractive targets for hackers and thieves," a warning posted online [2] read.

NCSA, whose members include America Online, eBay, Microsoft, and Symantec, operates a site dubbed StaySafeOnline.org [3] which offers consumer information on safe computing practices.
Among its recommendations, the group said consumers should have a firewall in place, install and keep up-to-date anti-virus and anti-spyware software, and regularly update their computers' operating systems. [1] http://www.techweb.com/encyclopedia/defineterm.jhtml?term=phishing [2] http://www.staysafeonline.org/basics/2006threatlist.html [3] http://www.staysafeonline.org/index.html *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* From isn at c4i.org Fri Feb 17 03:16:01 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 17 Feb 2006 02:16:01 -0600 (CST) Subject: [ISN] Secunia Weekly Summary - Issue: 2006-7 Message-ID: ======================================================================== The Secunia Weekly Advisory Summary 2006-02-09 - 2006-02-16 This week : 110 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3...............................This Weeks Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written. Secunia validates and verifies vulnerability reports in many different ways e.g. 
by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued. As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet. Secunia Online Vulnerability Database: http://secunia.com/ ======================================================================== 2) This Week in Brief: Microsoft has released 7 security bulletins as part of their monthly patch release cycle. All users are advised to visit Windows Update and apply available patches. For additional details about the issues corrected, please refer to the referenced Secunia advisories below. References: http://secunia.com/SA18865 http://secunia.com/SA18859 http://secunia.com/SA18853 http://secunia.com/SA18852 http://secunia.com/SA18835 http://secunia.com/SA18729 -- Secunia Research has discovered multiple vulnerabilities in Lotus Notes, which can be exploited by malicious people to bypass certain security restrictions or compromise a user's system. Additionally, Secunia Research also reported multiple vulnerabilities in Lotus Domino and iNotes Client, which can be exploited by malicious people to cause a DoS (Denial of Service) or conduct script insertion attacks. Please refer to the referenced Secunia advisories below for details. References: http://secunia.com/SA16340 http://secunia.com/SA16280 VIRUS ALERTS: Secunia has not issued any virus alerts during the week. ======================================================================== 3) This Weeks Top Ten Most Read Advisories: 1. [SA16280] IBM Lotus Notes Multiple Vulnerabilities 2. [SA18760] Sun Java JRE "reflection" APIs Sandbox Security Bypass Vulnerabilities 3. [SA16340] IBM Lotus Domino Multiple Vulnerabilities 4. [SA18700] Firefox Multiple Vulnerabilities 5. [SA18649] Winamp Three Playlist Parsing Buffer Overflow Vulnerabilities 6. 
[SA18835] Windows Media Player Bitmap File Processing Vulnerability
7. [SA15546] Microsoft Internet Explorer "window()" Arbitrary Code Execution Vulnerability
8. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
9. [SA18787] Internet Explorer Drag-and-Drop Vulnerability
10. [SA18789] HP Systems Insight Manager JBoss and Directory Traversal

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA18912] Avaya Products WMF Image Parsing Vulnerability
[SA18852] Windows Media Player Plug-in EMBED Element Buffer Overflow
[SA18835] Windows Media Player Bitmap File Processing Vulnerability
[SA18872] eStara SoftPhone SIP Packet Handling Denial of Service
[SA18828] SSH Tectia Server SFTP Service Unspecified Vulnerability
[SA18789] HP Systems Insight Manager JBoss and Directory Traversal
[SA18859] Microsoft Windows / Office Korean Input Method Editor Vulnerability
[SA18865] Microsoft PowerPoint Temporary Internet Files Information Disclosure
[SA18787] Internet Explorer Drag-and-Drop Vulnerability
[SA18888] MailSite LDAP Service Denial of Service Vulnerability
[SA18853] Microsoft Windows IGMP Denial of Service Vulnerability
[SA18857] Microsoft Windows Web Client Service Vulnerability
[SA18813] iE Integrator Configuration Information Disclosure Weakness

UNIX/Linux:
[SA18884] Gentoo update for sun-jdk/sun-jre-bin
[SA18796] Metamail Mail Boundary Handling Buffer Overflow
[SA18911] Avaya Products Ethereal Vulnerabilities
[SA18887] Debian update for otrs
[SA18882] Debian update for pdfkit.framework
[SA18875] Debian update for gpdf
[SA18871] Red Hat update for imagemagick
[SA18870] Dovecot "imap/pop3-login" Denial of Service Vulnerability
[SA18864] Red Hat update for xpdf
[SA18863] Red Hat update for libpng
[SA18862] Red Hat update for kdegraphics
[SA18861] Ubuntu update for kernel
[SA18860] Ubuntu update for xpdf/poppler/kdegraphics
[SA18851] Gentoo update for imagemagick
[SA18839] Fedora update for poppler
[SA18838] Fedora update for xpdf
[SA18837] Fedora update for kdegraphics
[SA18834] Debian update for xpdf
[SA18832] Red Hat update for gnutls
[SA18830] Mandriva update for gnutls
[SA18826] Gentoo update for kdegraphics/kpdf
[SA18825] Gentoo update for xpdf/poppler
[SA18821] XMB Forums today.php Cookie Data SQL Injection
[SA18815] Fedora update for gnutls
[SA18799] VHCS Security Issue and Multiple Vulnerabilities
[SA18794] GnuTLS libtasn1 DER Decoding Denial of Service Vulnerabilities
[SA18788] SUSE update for kernel
[SA18785] NeoMail neomail-prefs.pl Missing Session ID Validation
[SA18784] Trustix update for kernel
[SA18889] Debian update for nfs-user-server
[SA18818] Isode M-Vault Server LDAP Vulnerability
[SA18845] GnuPG "gpgv" Signature Verification Security Issue
[SA18841] Power Daemon WHATIDO syslog Format String Vulnerability
[SA18827] Debian update for kronolith
[SA18916] Debian update for libast
[SA18891] Sun Solaris "in.rexecd" Privilege Escalation Vulnerability
[SA18829] Debian update for scponly
[SA18812] Debian update for noweb
[SA18811] SUSE ld Insecure RPATH Privilege Escalation
[SA18809] noweb Insecure Temporary File Creation Vulnerabilities
[SA18806] Ubuntu update for heimdal
[SA18867] Honeyd IP Reassembly Remote Detection Weakness
[SA18824] Kadu Image Send Request Denial of Service
[SA18797] CGIWrap Error Message System Information Disclosure
[SA18907] Mac OS X Kernel Local Denial of Service Vulnerability
[SA18850] SUSE update for openssh
[SA18798] OpenBSD update for openssh
[SA18795] AIX Kernel Unspecified Local Denial of Service Vulnerability

Other:
[SA18836] Avaya CSU/VSU ISAKMP IKE Message Processing Vulnerabilities
[SA18833] D-Link Wireless Access Point Denial of Service Vulnerability
[SA18904] Cisco Products TACACS+ Authentication Bypass
[SA18844] FortiGate URL Filter and Virus Scanning Bypass Vulnerabilities

Cross Platform:
[SA18883] Plume CMS prepend.php File Inclusion Vulnerability
[SA18879] dotProject File Inclusion and Information Disclosure Vulnerabilities
[SA18878] Magic News Lite File Inclusion and Profile Update Vulnerabilities
[SA18847] Flyspray Installation Script "adodbpath" File Inclusion Vulnerability
[SA18808] LinPHA "lang" Local File Inclusion Vulnerability
[SA18807] HiveMail Multiple Vulnerabilities
[SA18803] DocMGR process.php File Inclusion Vulnerability
[SA18800] Runcms File Upload and File Inclusion Vulnerabilities
[SA18905] HTML::BBCode Script Insertion Vulnerability
[SA18885] webSPELL "search.php" SQL Injection Vulnerability
[SA18881] PHP Classifieds "member_login.php" SQL Injection
[SA18880] SAP Business Connector Arbitrary File Access and Spoofing
[SA18877] Magic Downloads Settings Update Authentication Bypass
[SA18876] Teca Diary Personal Edition SQL Injection Vulnerability
[SA18874] @Mail Webmail Image Tag Script Insertion Vulnerability
[SA18873] Clever Copy Private Message "Subject" Script Insertion Vulnerability
[SA18869] Lighttpd Case-Insensitive Filename Source Code Disclosure
[SA18868] Squishdot Mail Header Injection Vulnerability
[SA18858] PyBlosxom Arbitrary File Disclosure Vulnerability
[SA18856] CALimba rb_auth.php SQL Injection Vulnerability
[SA18855] Magic Calendar Lite SQL Injection Vulnerability
[SA18854] Time Tracking Software Multiple Vulnerabilities
[SA18849] Gästebuch Homepage URL Script Insertion Vulnerability
[SA18843] WRQ Reflection Secure IT SFTP Format String Vulnerability
[SA18840] Invision Power Board Army System Mod SQL Injection
[SA18831] RunCMS pmlite.php SQL Injection Vulnerability
[SA18823] SmE GB Host Username SQL Injection Vulnerability
[SA18822] PHP/MYSQL Timesheet SQL Injection Vulnerabilities
[SA18819] WebGUI User Account Creation Vulnerability
[SA18817] Hitachi Business Logic Cross-Site Scripting and SQL Injection
[SA18816] e107 Unspecified BBCode Script Insertion Vulnerabilities
[SA18810] Ansilove File Disclosure and File Upload Vulnerabilities
[SA18805] DB_eSession "deleteSession()" Function SQL Injection
[SA18802] ImageVue Multiple Vulnerabilities
[SA18801] Zen Cart Unspecified SQL Injection Vulnerabilities
[SA18793] phphd Multiple Vulnerabilities
[SA18791] PHPStatus Multiple Vulnerabilities
[SA18790] Clever Copy HTTP Headers Script Insertion Vulnerabilities
[SA18786] SmE GB Host / Blog Host "url" BBcode Script Insertion
[SA18897] MyBB managegroup.php SQL Injection and Cross-Site Scripting
[SA18820] PHP-Nuke "pagetitle" Cross-Site Scripting Vulnerability
[SA18814] QwikiWiki "search.php" Cross-Site Scripting Vulnerability
[SA18804] Siteframe "q" Cross-Site Scripting Vulnerability
[SA18792] PHP Event Calendar User Information Manipulation
[SA18890] PostgreSQL Privilege Escalation and Denial of Service

========================================================================
5) Vulnerabilities Content Listing

Windows:
--

[SA18912] Avaya Products WMF Image Parsing Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-02-16

Avaya has acknowledged a vulnerability in various products, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18912/

--

[SA18852] Windows Media Player Plug-in EMBED Element Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-02-14

A vulnerability has been reported in Windows Media Player plug-in, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18852/

--

[SA18835] Windows Media Player Bitmap File Processing Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-02-14

eEye Digital Security has reported a vulnerability in Windows Media Player, which can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/18835/

--

[SA18872] eStara SoftPhone SIP Packet Handling Denial of Service

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-02-15

ZwelL has discovered some vulnerabilities in eStara SoftPhone, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18872/

--

[SA18828] SSH Tectia Server SFTP Service Unspecified Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-02-13

A vulnerability has been reported in SSH Tectia Server, which potentially can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18828/

--

[SA18789] HP Systems Insight Manager JBoss and Directory Traversal

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Exposure of system information
Released:    2006-02-10

HP has acknowledged a weakness and a vulnerability in HP Systems Insight Manager, which can be exploited by malicious people to disclose system information and potentially to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/18789/

--

[SA18859] Microsoft Windows / Office Korean Input Method Editor Vulnerability

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2006-02-14

Ryan Lee has reported a vulnerability in various Microsoft products, which can be exploited by malicious people to gain escalated privileges or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18859/

--

[SA18865] Microsoft PowerPoint Temporary Internet Files Information Disclosure

Critical:    Less critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2006-02-14

A vulnerability has been reported in Microsoft PowerPoint 2000, which can be exploited by malicious people to gain knowledge of sensitive information.
Full Advisory:
http://secunia.com/advisories/18865/

--

[SA18787] Internet Explorer Drag-and-Drop Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2006-02-14

Matthew Murphy has reported a vulnerability in Internet Explorer, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18787/

--

[SA18888] MailSite LDAP Service Denial of Service Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2006-02-15

Evgeny Legerov has reported a vulnerability in MailSite, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18888/

--

[SA18853] Microsoft Windows IGMP Denial of Service Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2006-02-14

A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18853/

--

[SA18857] Microsoft Windows Web Client Service Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-02-14

A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18857/

--

[SA18813] iE Integrator Configuration Information Disclosure Weakness

Critical:    Not critical
Where:       From remote
Impact:      Exposure of system information
Released:    2006-02-14

D Scholefield has reported a weakness in iE Integrator, which can be exploited by malicious people to disclose certain system information.

Full Advisory:
http://secunia.com/advisories/18813/

UNIX/Linux:
--

[SA18884] Gentoo update for sun-jdk/sun-jre-bin

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-02-15

Gentoo has issued updates for sun-jdk and sun-jre-bin.
These fix some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18884/

--

[SA18796] Metamail Mail Boundary Handling Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-14

Ulf Harnhammar has reported a vulnerability in Metamail, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18796/

--

[SA18911] Avaya Products Ethereal Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-16

Avaya has acknowledged some vulnerabilities in ethereal included in various Avaya products, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18911/

--

[SA18887] Debian update for otrs

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Cross Site Scripting
Released:    2006-02-15

Debian has issued an update for otrs. This fixes some vulnerabilities, which can be exploited by malicious people to conduct SQL injection, script insertion, and cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18887/

--

[SA18882] Debian update for pdfkit.framework

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-15

Debian has issued an update for pdfkit.framework. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18882/

--

[SA18875] Debian update for gpdf

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-15

Debian has issued an update for gpdf.
This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18875/

--

[SA18871] Red Hat update for imagemagick

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-02-15

Red Hat has issued an update for imagemagick. This fixes two vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18871/

--

[SA18870] Dovecot "imap/pop3-login" Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-02-15

A vulnerability has been reported in Dovecot, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18870/

--

[SA18864] Red Hat update for xpdf

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-14

Red Hat has issued an update for xpdf. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18864/

--

[SA18863] Red Hat update for libpng

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-14

Red Hat has issued an update for libpng. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) against applications using libpng or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18863/

--

[SA18862] Red Hat update for kdegraphics

Critical:    Moderately critical
Where:       From remote
Impact:      System access, DoS
Released:    2006-02-14

Red Hat has issued an update for kdegraphics.
This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18862/

--

[SA18861] Ubuntu update for kernel

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-02-15

Ubuntu has issued an update for the kernel. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18861/

--

[SA18860] Ubuntu update for xpdf/poppler/kdegraphics

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-15

Ubuntu has issued updates for xpdf, poppler, and kdegraphics. These fix a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18860/

--

[SA18851] Gentoo update for imagemagick

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-02-14

Gentoo has issued an update for imagemagick. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18851/

--

[SA18839] Fedora update for poppler

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-13

Fedora has issued an update for poppler. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18839/

--

[SA18838] Fedora update for xpdf

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-13

Fedora has issued an update for xpdf. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/18838/

--

[SA18837] Fedora update for kdegraphics

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-13

Fedora has issued an update for kdegraphics. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18837/

--

[SA18834] Debian update for xpdf

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-14

Debian has issued an update for xpdf. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18834/

--

[SA18832] Red Hat update for gnutls

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-02-13

Red Hat has issued an update for gnutls. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18832/

--

[SA18830] Mandriva update for gnutls

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-02-14

Mandriva has issued an update for gnutls. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18830/

--

[SA18826] Gentoo update for kdegraphics/kpdf

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-13

Gentoo has issued updates for kdegraphics and kpdf. These fix a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/18826/

--

[SA18825] Gentoo update for xpdf/poppler

Critical:    Moderately critical
Where:       From remote
Impact:      System access, DoS
Released:    2006-02-13

Gentoo has issued updates for xpdf and poppler. These fix a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18825/

--

[SA18821] XMB Forums today.php Cookie Data SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-13

James Bercegay has reported a vulnerability in XMB Forums, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18821/

--

[SA18815] Fedora update for gnutls

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-02-13

Fedora has issued an update for gnutls. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18815/

--

[SA18799] VHCS Security Issue and Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Privilege escalation
Released:    2006-02-13

Román Medina-Heigl Hernández has reported some vulnerabilities in VHCS, which can be exploited by malicious people to conduct script insertion attacks, and by malicious users to bypass certain security restrictions and gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18799/

--

[SA18794] GnuTLS libtasn1 DER Decoding Denial of Service Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-02-10

Evgeny Legerov has reported some vulnerabilities in GnuTLS libtasn1, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/18794/

--

[SA18788] SUSE update for kernel

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Exposure of sensitive information, DoS
Released:    2006-02-10

SUSE has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by local users to gain knowledge of potentially sensitive information, bypass certain security restrictions, and cause a DoS (Denial of Service), or by malicious people to cause a DoS.

Full Advisory:
http://secunia.com/advisories/18788/

--

[SA18785] NeoMail neomail-prefs.pl Missing Session ID Validation

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-02-14

Secunia Research has discovered a vulnerability in NeoMail, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/18785/

--

[SA18784] Trustix update for kernel

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, DoS
Released:    2006-02-10

Trustix has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to bypass certain security restrictions, and by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18784/

--

[SA18889] Debian update for nfs-user-server

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2006-02-15

Debian has issued an update for nfs-user-server. This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/18889/

--

[SA18818] Isode M-Vault Server LDAP Vulnerability

Critical:    Moderately critical
Where:       From local network
Impact:      DoS, System access
Released:    2006-02-14

Evgeny Legerov has reported a vulnerability in Isode M-Vault Server, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18818/

--

[SA18845] GnuPG "gpgv" Signature Verification Security Issue

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-02-15

A security issue has been reported in GnuPG, which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/18845/

--

[SA18841] Power Daemon WHATIDO syslog Format String Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-13

Gotfault Security has discovered a vulnerability in Power Daemon (powerd), which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18841/

--

[SA18827] Debian update for kronolith

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-14

Debian has issued an update for kronolith. This fixes some vulnerabilities, which can be exploited by malicious users to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/18827/

--

[SA18916] Debian update for libast

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-02-16

Debian has issued an update for libast. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/18916/

--

[SA18891] Sun Solaris "in.rexecd" Privilege Escalation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-02-15

A vulnerability has been reported in Sun Solaris, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18891/

--

[SA18829] Debian update for scponly

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-02-13

Debian has issued an update for scponly. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18829/

--

[SA18812] Debian update for noweb

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-02-13

Debian has issued an update for noweb. This fixes multiple vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/18812/

--

[SA18811] SUSE ld Insecure RPATH Privilege Escalation

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-02-13

A vulnerability has been reported in SUSE Linux, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18811/

--

[SA18809] noweb Insecure Temporary File Creation Vulnerabilities

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-02-13

Javier Fernández-Sanguino Peña has reported multiple vulnerabilities in noweb, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory:
http://secunia.com/advisories/18809/

--

[SA18806] Ubuntu update for heimdal

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-02-13

Ubuntu has issued an update for heimdal. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18806/

--

[SA18867] Honeyd IP Reassembly Remote Detection Weakness

Critical:    Not critical
Where:       From remote
Impact:      Exposure of system information
Released:    2006-02-15

A weakness has been reported in Honeyd, which can be exploited by malicious people to disclose certain system information.

Full Advisory:
http://secunia.com/advisories/18867/

--

[SA18824] Kadu Image Send Request Denial of Service

Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2006-02-15

Piotr Bania has reported a vulnerability in Kadu, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18824/

--

[SA18797] CGIWrap Error Message System Information Disclosure

Critical:    Not critical
Where:       From remote
Impact:      Exposure of system information
Released:    2006-02-15

A weakness has been reported in CGIWrap, which can be exploited by malicious people to disclose certain system information.

Full Advisory:
http://secunia.com/advisories/18797/

--

[SA18907] Mac OS X Kernel Local Denial of Service Vulnerability

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2006-02-16

A vulnerability has been reported in Mac OS X, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18907/

--

[SA18850] SUSE update for openssh

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-02-14

SUSE has issued an update for openssh.
This fixes a weakness, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/18850/

--

[SA18798] OpenBSD update for openssh

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-02-13

OpenBSD has issued an update for openssh. This fixes a weakness, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/18798/

--

[SA18795] AIX Kernel Unspecified Local Denial of Service Vulnerability

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2006-02-14

A vulnerability has been reported in AIX, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18795/

Other:
--

[SA18836] Avaya CSU/VSU ISAKMP IKE Message Processing Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-02-13

Avaya has acknowledged some vulnerabilities in Avaya CSU/VSU, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18836/

--

[SA18833] D-Link Wireless Access Point Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-02-14

Aaron Portnoy and Keefe Johnson have reported a vulnerability in D-Link Wireless Access Point, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18833/

--

[SA18904] Cisco Products TACACS+ Authentication Bypass

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-02-16

A security issue has been reported in various Cisco products, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/18904/

--

[SA18844] FortiGate URL Filter and Virus Scanning Bypass Vulnerabilities

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass
Released:    2006-02-13

Mathieu Dessus has reported two vulnerabilities in FortiGate, which can be exploited by malicious people and users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/18844/

Cross Platform:
--

[SA18883] Plume CMS prepend.php File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-02-15

unitedbr has discovered a vulnerability in Plume CMS, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18883/

--

[SA18879] dotProject File Inclusion and Information Disclosure Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of system information, System access
Released:    2006-02-15

Robin Verton has discovered some vulnerabilities in dotProject, which can be exploited by malicious people to disclose certain system information and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18879/

--

[SA18878] Magic News Lite File Inclusion and Profile Update Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, System access
Released:    2006-02-15

Aliaksandr Hartsuyeu has discovered some vulnerabilities in Magic News Lite, which can be exploited by malicious people to bypass certain security restrictions and to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/18878/

--

[SA18847] Flyspray Installation Script "adodbpath" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of sensitive information, System access
Released:    2006-02-14

rgod has reported a vulnerability in Flyspray, which can be exploited by malicious people to disclose potentially sensitive information and to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18847/

--

[SA18808] LinPHA "lang" Local File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of sensitive information, System access
Released:    2006-02-13

rgod has discovered a vulnerability in Linpha, which can be exploited by malicious people to disclose sensitive information and potentially to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18808/

--

[SA18807] HiveMail Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, System access
Released:    2006-02-13

James Bercegay has reported multiple vulnerabilities in HiveMail, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18807/

--

[SA18803] DocMGR process.php File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of sensitive information, System access
Released:    2006-02-13

rgod has reported a vulnerability in DocMGR, which can be exploited by malicious people to disclose potentially sensitive information and to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/18803/

--

[SA18800] Runcms File Upload and File Inclusion Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-02-10

rgod has reported some vulnerabilities in Runcms, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18800/

--

[SA18905] HTML::BBCode Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-16

Aliaksandr Hartsuyeu has reported a vulnerability in HTML::BBCode, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/18905/

--

[SA18885] webSPELL "search.php" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-15

x128 has discovered a vulnerability in webSPELL, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18885/

--

[SA18881] PHP Classifieds "member_login.php" SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-15

Audun Larsen has reported a vulnerability in PHP Classifieds, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18881/

--

[SA18880] SAP Business Connector Arbitrary File Access and Spoofing

Critical:    Moderately critical
Where:       From remote
Impact:      Spoofing, Manipulation of data
Released:    2006-02-15

Leandro Meiners has reported two vulnerabilities in SAP Business Connector (BC), which can be exploited by malicious people to conduct spoofing attacks or by malicious users to perform certain actions with escalated privileges.
Full Advisory:
http://secunia.com/advisories/18880/

--

[SA18877] Magic Downloads Settings Update Authentication Bypass

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-02-15

Aliaksandr Hartsuyeu has reported a vulnerability in Magic Downloads, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/18877/

--

[SA18876] Teca Diary Personal Edition SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-16

Aliaksandr Hartsuyeu has reported a vulnerability in Teca Diary Personal Edition, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18876/

--

[SA18874] @Mail Webmail Image Tag Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-16

Thomas Pollet has discovered a vulnerability in @Mail, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/18874/

--

[SA18873] Clever Copy Private Message "Subject" Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-16

Thomas Pollet has discovered a vulnerability in Clever Copy, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/18873/

--

[SA18869] Lighttpd Case-Insensitive Filename Source Code Disclosure

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-02-15

A vulnerability has been reported in lighttpd, which can be exploited by malicious people to disclose potentially sensitive information.
Full Advisory:
http://secunia.com/advisories/18869/

--

[SA18868] Squishdot Mail Header Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-02-15

A vulnerability has been reported in Squishdot, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/18868/

--

[SA18858] PyBlosxom Arbitrary File Disclosure Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2006-02-14

A vulnerability has been reported in PyBlosxom, which potentially can be exploited by malicious people to disclose certain sensitive information.

Full Advisory:
http://secunia.com/advisories/18858/

--

[SA18856] CALimba rb_auth.php SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-14

Aliaksandr Hartsuyeu has reported a vulnerability in CALimba, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18856/

--

[SA18855] Magic Calendar Lite SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-14

Aliaksandr Hartsuyeu has reported a vulnerability in Magic Calendar Lite, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18855/

--

[SA18854] Time Tracking Software Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of data
Released:    2006-02-14

Aliaksandr Hartsuyeu has reported some vulnerabilities in Time Tracking Software, which can be exploited by malicious people to bypass certain security restrictions, and to conduct SQL injection and script insertion attacks.
Full Advisory:
http://secunia.com/advisories/18854/

--

[SA18849] Gästebuch Homepage URL Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-14

Micha Borrmann has reported a vulnerability in Gästebuch (gastbuch), which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/18849/

--

[SA18843] WRQ Reflection Secure IT SFTP Format String Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-02-14

A vulnerability has been reported in Reflection Secure IT, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18843/

--

[SA18840] Invision Power Board Army System Mod SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-14

fRoGGz and Alex have reported a vulnerability in Invision Power Board Army System Mod, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18840/

--

[SA18831] RunCMS pmlite.php SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-14

Hamid Ebadi has discovered a vulnerability in RunCMS, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18831/

--

[SA18823] SmE GB Host Username SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:
Released:    2006-02-13

Aliaksandr Hartsuyeu has reported a vulnerability in SmE GB Host, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/18823/

--

[SA18822] PHP/MYSQL Timesheet SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-13

Aliaksandr Hartsuyeu has reported some vulnerabilities in PHP/MYSQL Timesheet, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18822/

--

[SA18819] WebGUI User Account Creation Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-02-13

A vulnerability has been reported in WebGUI, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/18819/

--

[SA18817] Hitachi Business Logic Cross-Site Scripting and SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-02-13

Two vulnerabilities have been reported in Hitachi Business Logic, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18817/

--

[SA18816] e107 Unspecified BBCode Script Insertion Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-13

Some vulnerabilities have been reported in e107, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/18816/

--

[SA18810] Ansilove File Disclosure and File Upload Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information, System access
Released:    2006-02-13

Some vulnerabilities have been reported in Ansilove, which can be exploited by malicious users to disclose certain sensitive information and potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/18810/

--

[SA18805] DB_eSession "deleteSession()" Function SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-13

James Bercegay has reported a vulnerability in DB_eSession, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18805/

--

[SA18802] ImageVue Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information, System access
Released:    2006-02-14

zjieb has reported some vulnerabilities in ImageVue, which can be exploited by malicious people to gain knowledge of certain system information, conduct cross-site scripting attacks, and potentially by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18802/

--

[SA18801] Zen Cart Unspecified SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-13

A vulnerability has been reported in Zen Cart, which potentially can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18801/

--

[SA18793] phphd Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of data
Released:    2006-02-10

Aliaksandr Hartsuyeu has reported some vulnerabilities in phphd, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, and bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/18793/

--

[SA18791] PHPStatus Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of data
Released:    2006-02-10

Aliaksandr Hartsuyeu has reported some vulnerabilities in PHPStatus, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, and bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/18791/

--

[SA18790] Clever Copy HTTP Headers Script Insertion Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-10

Aliaksandr Hartsuyeu has reported two vulnerabilities in Clever Copy, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/18790/

--

[SA18786] SmE GB Host / Blog Host "url" BBcode Script Insertion

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-10

Aliaksandr Hartsuyeu has reported a vulnerability in SmE GB Host and SmE Blog Host, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/18786/

--

[SA18897] MyBB managegroup.php SQL Injection and Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-16

imei addmimistrator has discovered vulnerabilities in MyBB, which can be exploited by malicious users to conduct SQL injection attacks and by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18897/

--

[SA18820] PHP-Nuke "pagetitle" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-13

Janek Vind "waraxe" has discovered a vulnerability in PHP-Nuke, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/18820/

--

[SA18814] QwikiWiki "search.php" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-14

Citynova has discovered a vulnerability in QwikiWiki, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18814/

--

[SA18804] Siteframe "q" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-13

Kiki has reported a vulnerability in Siteframe, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18804/

--

[SA18792] PHP Event Calendar User Information Manipulation

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-02-10

Aliaksandr Hartsuyeu has discovered a vulnerability in PHP Event Calendar, which can be exploited by malicious users to manipulate certain information and conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/18792/

--

[SA18890] PostgreSQL Privilege Escalation and Denial of Service

Critical:    Less critical
Where:       From local network
Impact:      Privilege escalation, DoS
Released:    2006-02-15

Two vulnerabilities have been reported in PostgreSQL, which can be exploited by malicious users to cause a DoS (Denial of Service) or gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18890/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support at secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45


From isn at c4i.org Fri Feb 17 03:16:15 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 17 Feb 2006 02:16:15 -0600 (CST)
Subject: [ISN] Homeland Security official suggests outlawing rootkits
Message-ID:

http://news.com.com/Homeland+Security+official+suggests+outlawing+rootkits/2100-7348_3-6040726.html

By Joris Evers
Staff Writer, CNET News.com
February 16, 2006

SAN JOSE, Calif. -- Perhaps the best way to deal with rootkits is to outlaw them. At least when it comes to such mishaps as the Sony BMG Music Entertainment fiasco, that's what an official from the Department of Homeland Security suggested Thursday.

"The recent Sony experience shows us that we need to be thinking about how we ensure that consumers are not surprised by what their software programs do," Jonathan Frenkel, director of law enforcement policy at the U.S. Department of Homeland Security, said in a speech here at the RSA Conference 2006.

A lesson has been learned from the Sony debacle, which left unwitting consumers with software on their PCs that could be used by cyberattackers to hide their malicious code. "Companies now know that they should not surreptitiously install a rootkit on computers," Frenkel said.

But perhaps more importantly, how could the mishap have been avoided in the first place? "Legislation or regulation may not be a solution in all cases, but it may be warranted in appropriate circumstances," Frenkel said.

Last November, Sony was found to be shipping copy-protected compact discs that planted so-called rootkit software on the computers that played them. The rootkit technology offered a hiding place for malicious software and attackers, which were quick to exploit it.
After the rootkit technology was uncovered on Sony's CDs, the company faced heavy criticism and lawsuits. It recalled the discs, stopped production and has agreed to offer compensation for buyers of the CDs that contain the rootkit.

Since the Sony case, other companies have been accused of shipping products with rootkit-type behavior. Symantec last month released an update to its popular Norton SystemWorks to fix a security problem that could be abused by cybercriminals to hide malicious software.

According to F-Secure, a Finnish antivirus vendor, the German DVD release of "Mr. & Mrs. Smith" contains a digital rights management protection tool that uses rootkit-like cloaking technology. The movie is distributed by 20th Century Fox.


From isn at c4i.org Fri Feb 17 03:15:41 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 17 Feb 2006 02:15:41 -0600 (CST)
Subject: [ISN] 'Spam man' wins gold
Message-ID:

http://www.theage.com.au/news/breaking/olympic-champ-made-big-bucks-in-popup-ads/2006/02/16/1140037817825.html

By Stephen Hutcheon and Jacquelin Magnay
February 16, 2006

According to the International Olympic Committee's website, Australia's gold medallist Dale Begg-Smith runs an internet pop-up advertising company that he describes as the third largest of its type.

But that's about as much detail as you'll get out of the Lamborghini-driving Canadian-turned-Australian moguls skier, who is reluctant to talk about his dealings, which remain shrouded in secrecy.

Speaking on Monday at a pre-race press conference, the 21-year-old said he had wound down his multimillion-dollar internet business to concentrate on his Olympic ambitions.

He refused to reveal the name of his business, or details of its operations or size. He did say it had "two or three" employees and that it wasn't really an issue with skiing because it had been wound down.

"I haven't spent much time on it, I've let it taper off during the ski season," Begg-Smith said when pressed about his work.

"There's not much to say. We design technology and stuff like that, some advertising stuff, too."

But the companies that he and brother Jason Begg-Smith are involved with are some of the most annoying aspects of the web. Two main companies - called AdsCPM and CPM Media - make money by skimming a small percentage each time an ad scores a hit or is directed to a client's site.

Begg-Smith said the figures being bandied about his business - one report had him earning $40 million - were untrue.

At his post-race press conference overnight, Begg-Smith became irritated when more questions were asked about his business. According to Canadian press reports he said: "I don't know why we're talking about the company. I just won Olympic gold."

Begg-Smith reiterated that his business was set up to help fund his skiing career and that he was now concentrating on his sport.

According to the Canadian Press news agency, Begg-Smith said "his business had never dealt with any specific kind of advertising, only the technology to track how often the ads were being seen. It was up to his customers to decide what kind of ads they wanted to use, he said."

Web searches reveal that AdsCPM Network has been a supplier of pop-under and -up advertising to websites. Although they are a source of annoyance to web surfers, pop ads are used by many mainstream websites and are perfectly above board.

But there is a dark side to the pop ad business. Hidden programs that launch these ads are sometimes secreted - by third parties - in many websites with "honeypot" offerings, such as pornography, free games, downloads and gambling.

Unsuspecting web surfers visiting these sites can unwittingly become infected with so-called adware, which spawns annoying advertisements and can be used to secretly track a user's web surfing habits.
Numerous computer security companies have warnings about AdsCPM and CPM Media, which are held responsible for the Xzoomy.com search engine directory page and a site called FreeScratchandWin.com.

According to the Spyware Guide website, FreeScratchandWin.com opens pop ads "every few minutes", hijacks users' home- and search-page settings and can spy on users' web usage.

Another CPM website, 2nd-thought.com, initiates a so-called browser hijacker program that resets the user's home page and often redirects searches to porn sites.


From isn at c4i.org Fri Feb 17 03:16:35 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 17 Feb 2006 02:16:35 -0600 (CST)
Subject: [ISN] Utility hack led to security overhaul
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,108735,00.html

By Michael Crawford
FEBRUARY 16, 2006
COMPUTERWORLD AUSTRALIA

Apprehending a notorious hacker rarely involves a car chase or a team of dedicated private investigators, but in the case of Vitek Boden, life imitated a Hollywood script.

Boden had waged a three-month war against the SCADA (Supervisory Control and Data Acquisition) system of Maroochy Water Services in Australia beginning in January 2000, which saw millions of gallons of sewage spill into waterways, hotel grounds and canals around the Sunshine Coast suburb.

He was caught only after a team of private investigators hired by Maroochy Water Services alerted police to his location. After a brief police pursuit from the Sunshine Coast towards Brisbane, Boden was run off the road.

In his car was the specialized proprietary SCADA equipment he had used to attack the system, and a laptop; however, it was a piece of $18 cable that ultimately led to his downfall. Grounds for charges were slim, but the handmade cable showed he had the technical capability to hack the SCADA system.
The laptop found in his car contained enough messages to prove he sent commands to disrupt various pump stations and that, combined with proprietary radio equipment and specialized cable, was enough to find him guilty of what has been dubbed the first case of critical infrastructure hacking in Australia.

Speaking at the Association of Public Safety Communications Officials (APCO) conference on Queensland's Gold Coast yesterday, Mark Tripcony, operations coordinator at Maroochy Water Service, said initially they thought the disruptions to their pumping station were due to a neighboring SCADA system or poorly implemented software, until late one night it became clear that some 140 sewage pumping stations were at the mercy of a hacker.

"We eventually annihilated all the little things we thought might be causing faults, which were excessive station alarms, pumps running continually or being turned off, software configuration settings changing.

"But one night around 11 p.m., a systems engineer was changing configurations in pumping stations and immediately realized they were being changed back. ... This happened for about half an hour and we then realized we were being hacked and had to catch the culprit," Tripcony said, adding that at one stage Vitek had turned off every single alarm in their system and sent sewage running through the drains in a neighboring suburb.

"We worked out he had to be within a 25-mile radius, but one night we had not seen any evidence of hacking until he came on about 6.30 a.m. We had private investigators put cars along all the bridges and overpasses from the Sunshine Coast to Brisbane, because we knew the description of his car and knew he would be driving past. The investigators waited until they saw him on the highway and contacted police to intercept the car.

"When police went to intercept him, he did a runner; the police then ran him off the road and found a car full of proprietary gear.
No one had seen him hack our systems, but from his laptop we were able to find the last recorded event and messages sent which exactly matched our SCADA radio monitoring systems."

Vitek was arrested, charged and found guilty on 30 charges of computer hacking, theft and causing environmental damage, and jailed for just over two years.

Maroochy Water Services had earlier had to "let it slip" to the authorities they believed they were the victims of a hacking attack, because the Environmental Protection Authority was trying to prosecute them.

Since the attack, Maroochy Water Service has spent upwards of $55,309 changing every physical lock for pumping stations; it has also implemented strict access key controls and adopted further auditing procedures.


From isn at c4i.org Fri Feb 17 03:16:48 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 17 Feb 2006 02:16:48 -0600 (CST)
Subject: [ISN] FBI chief wants stronger partnerships
Message-ID:

http://www.fcw.com/article92354-02-16-06-Web

By Michael Arnone
Feb. 16, 2006

SAN JOSE, CALIF. -- In the movie "High Noon," Gary Cooper must outshoot a gang of villains without the help of the townspeople he must save. Thankfully, the FBI doesn't have the same problem with fighting cybercriminals, the bureau's director said yesterday.

"We are not facing these outlaws on our own," said Robert Mueller, FBI director, at the RSA Conference 2006 here. "No person, no agency, no company, indeed no country can prevent crime on its own."

The FBI already has many partnerships with the private sector, notably its InfraGard program, Mueller said. The bureau is looking for the private sector to form stronger partnerships with law enforcement and better educate the public about cybersecurity risk mitigation, he said.

Success in fighting digital outlaws depends on strong, open collaborations among federal, state and local law enforcement, the private sector and academia, Mueller said.
Cyberspace is like the Wild West, an "open, largely unprotected frontier with seemingly limitless opportunity," Mueller said. At the same time, "IT has become a force multiplier for criminals," he said.

Another challenge is that the clear division of responsibility and jurisdiction among federal, state and local law enforcement is "rendered obsolete by the fluid and far-reaching nature of cyberthreats," Mueller said.

The FBI understands that companies often don't report cyberattacks because they want to protect their privacy and competitive advantage and avoid bad press, Mueller said. But "maintaining a code of silence will not benefit you or your company in the long run," he said.

The FBI won't release proprietary or confidential information when companies reveal they have been attacked, Mueller said. "We don't want you to feel victimized a second time by our investigations," he said.

The FBI is refining and expanding its investigation and prosecution of cybercrimes. It is also identifying more of the pre-eminent cybercriminals and their ways of operating, Mueller said. Meanwhile, companies must make every effort to secure their own systems as much as possible, Mueller said.

The FBI created a cybersecurity division at its headquarters in 2002 to address cyberthreats in a coordinated and cohesive manner, Mueller said. The bureau has established cybercrime squads at its headquarters and all 56 field offices. The agency has 93 computer crime task forces nationwide, and special teams that can go anywhere in the country on short notice, Mueller said.
From isn at c4i.org Fri Feb 17 03:17:01 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 17 Feb 2006 02:17:01 -0600 (CST)
Subject: [ISN] World's first Mac OS X virus spotted
Message-ID:

http://news.xinhuanet.com/english/2006-02/17/content_4192009.htm

2006-02-17
www.chinaview.cn

BEIJING, Feb. 17 (Xinhuanet) -- A mischievous computer worm has been found to hit Apple's OS X operating system, believed to be the first such virus ever to target the Mac platform.

Called OSX/Leap-A, the worm is spread via instant messaging programs, according to a posting on the Web site of antivirus software company Sophos.

The virus is said to spread using Apple's iChat IM service, forwarding itself as a file called "latestpics.tgz" to an infected user's buddy contacts, according to the Sophos Web site. Clicking on the file allows the malware to install and disguise itself as a harmless-seeming Jpeg icon.

"This first Macintosh OS X threat is an example of the continuing spread of malicious code on to other platforms," said Vincent Weafer, senior director at Symantec Security Response, in a statement.

The worm will not automatically infect Mac computers, but will ask users to accept the file, Weafer said. Symantec has rated the worm a low-risk security threat.


From isn at c4i.org Fri Feb 17 03:17:14 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 17 Feb 2006 02:17:14 -0600 (CST)
Subject: [ISN] Proof: Employees don't care about security
Message-ID:

http://software.silicon.com/security/0,39024655,39156503,00.htm

By Will Sturgeon
16 February 2006

An experiment carried out within London's square mile has revealed that employees in some of the City's best known financial services companies don't care about basic security policy.

CDs were handed out to commuters as they entered the City by employees of IT skills specialist The Training Camp, and recipients were told the disks contained a special Valentine's Day promotion.
However, the CDs contained nothing more than code which informed The Training Camp how many of the recipients had tried to open the CD.

Among those who were duped were employees of a major retail bank and two global insurers.

The CD packaging even contained a clear warning about installing third-party software and acting in breach of company acceptable-use policies - but that didn't deter many individuals who showed little regard for the security of their PC and their company.

Rob Chapman, CEO of the Training Camp, who carried out the stunt to promote a course in security for non-IT professionals, said: "Fortunately these CDs contained nothing harmful. No personal or corporate data was transmitted due to the actions of these individuals but the fact remains that this could have been someone wanting to cause havoc in the City."

Chapman claimed the "potential outcome could have been disastrous". Effectively the employees, by carrying the CD into the company and putting it straight into their PC, had by-passed much of their company's security.

Chapman said: "Employees have to recognise they are the first and easiest route into a company's network."

Just last year Japanese bank Sumitomo Mitsui in the City fell victim to a spyware infection which almost ended with the theft of £220m. That case should have highlighted the threat posed by applications entering the enterprise through unofficial channels and yet it appears few companies have taken note.


From isn at c4i.org Mon Feb 20 02:06:49 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 20 Feb 2006 01:06:49 -0600 (CST)
Subject: [ISN] Linux Advisory Watch - February 17th 2006
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|  February 17th, 2006                       Volume 7, Number 8a      |
+---------------------------------------------------------------------+

Editors:      Dave Wreski                    Benjamin D. Thomas
              dave at linuxsecurity.com      ben at linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for adzapper, elog, noweb, cponly, kronolith, xpdf, pdfkit, OTRS, gpdf, nfs-users-server, libcast, heimdal, poppler, kdegraphics, gnutls, cpuspeed, pam, postgresql, selinux-policy-targeted, ImageMagick, BomberClone, ghostscript, libpng, kdegraphics, and openssh. The distributors include Debian, Fedora, Gentoo, Mandriva, and SuSE.

----

Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/linsec

----

pgp Key Signing Observations: Overlooked Social and Technical Considerations

By: Atom Smasher

While there are several sources of technical information on using pgp in general, and key signing in particular, this article emphasizes social aspects of key signing that are too often ignored, misleading or incorrect in the technical literature. There are also technical issues pointed out where I believe other documentation to be lacking.

It is important to acknowledge and address social aspects in a system such as pgp, because the weakest link in the system is the human that is using it. The algorithms, protocols and applications used as part of a pgp system are relatively difficult to compromise or 'break', but the human user can often be easily fooled.
Since the human is the weak link in this chain, attention must be paid to the actions and decisions of that human; users must be aware of the pitfalls and know how to avoid them.

AUDIENCE

This document is intended to be of use to those wishing to participate in the exchange of signatures on their OpenPGP keys. It is assumed that the reader has a basic understanding of pgp, what it's used for and how to use it. Those more experienced with pgp may wish to skip the sections they are familiar with, but it is suggested that even the basic information be reviewed.

OBSERVATIONS ON GENERATING AND MAINTAINING KEYS

When one first generates a key, it is important that it be done on a secure machine in a secure environment. One attack against pgp that is rarely mentioned allows Mallory to steal or even replace a pgp key before it is distributed. Mallory would need to compromise Bob's computer prior to Bob's creation of a key. Mallory could then eavesdrop on Bob as he types the pgp passphrase for the first time, and steal the passphrase along with the secret key. In this case Bob's key is compromised before it even exists.

If at any time Mallory is able to break into Bob's computer, she can steal his private key and wait for him to type in his pgp passphrase. Mallory may use a virus or trojan to accomplish this. A screwdriver or bootable CD can compromise the private key. A spy camera or key-logger can compromise the passphrase. This would allow Mallory to read any message ever encrypted to Bob and sign any message or key with Bob's signature.

Aside from keeping his personal computer secure, Bob should save a copy of his private key in a secure, off-line, off-site location. This off-line and off-site backup keeps Bob's private key secure against loss from such things as disk crash or his computer being stolen by either common or government thieves.
Depending on who is out to get him, he may consider it more secure to burn his private key onto a CD and store it in a bank safe, or print it onto paper and hide it inside a painting. As always, the most appropriate meaning of 'secure' is left to the needs and perceptions of the reader.

Note that it is often unnecessary to make a backup copy of a public key for two reasons: 1) if it is publicly available it can be retrieved from a keyserver, and 2) the "gpgsplit" command has a "secret-to-public" option that can recover a public key from a private key. Note that gpgsplit may not recover accurate expiration dates and preferences if they were updated after the key was created.

One should never sign a key (or use pgp at all) on an untrusted computer or in an untrusted environment. Gather the information needed to sign a key and sign it when you get home. If your home computer and environment are not trusted, you have bigger problems to worry about.

Read Entire Article:
http://www.linuxsecurity.com/content/view/121645/49/

----------------------

EnGarde Secure Community 3.0.4 Released

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.4 (Version 3.0, Release 4). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation.

http://www.linuxsecurity.com/content/view/121560/65/

---

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.
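As an added illustration of the over-liberal permissions point (an example script written for this page, not code from the linuxsecurity.com article), the POSIX shell audit below lists world-writable files, world-writable directories lacking the sticky bit, and setuid/setgid executables under a directory; the sample tree it builds is constructed purely for the demonstration.

```shell
#!/bin/sh
# Added example for this page, not code from the linuxsecurity.com article:
# a small permissions audit for one directory tree. The functions only read
# the tree and print what they find; nothing here changes permissions.

# Regular files that any local user may modify (other-write bit set).
find_world_writable_files() {
    find "$1" -type f -perm -0002 2>/dev/null | sort
}

# World-writable directories without the sticky bit: any user can delete or
# rename entries owned by other users. Sticky directories such as /tmp
# (mode 1777) are excluded because there the configuration is intentional.
find_world_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# setuid or setgid files run with the owner's or group's privileges; every
# one should be known and justified, so all of them are reported for review.
find_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Print every finding under $1; return 0 for a clean tree and 1 otherwise,
# so the function can gate a cron job or a build step.
audit_permissions() {
    dir=$1
    total=0
    for kind in world-writable-files world-writable-dirs setid-files; do
        case $kind in
            world-writable-files) found=$(find_world_writable_files "$dir") ;;
            world-writable-dirs)  found=$(find_world_writable_dirs "$dir") ;;
            setid-files)          found=$(find_setid_files "$dir") ;;
        esac
        if [ -n "$found" ]; then
            n=$(printf '%s\n' "$found" | grep -c .)
            total=$((total + n))
            printf '%s (%s):\n%s\n' "$kind" "$n" "$found"
        fi
    done
    [ "$total" -eq 0 ]
}

# Constructed sample tree with deliberately mixed permissions, used only for
# the demonstration; prints its root so the caller can remove it afterwards.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    chmod 755 "$root"
    mkdir "$root/bin" "$root/dropbox" "$root/shared"
    : > "$root/safe.txt";   chmod 644  "$root/safe.txt"    # as intended
    : > "$root/loose.txt";  chmod 666  "$root/loose.txt"   # world-writable
    : > "$root/bin/helper"; chmod 4755 "$root/bin/helper"  # setuid
    chmod 755  "$root/bin"
    chmod 777  "$root/dropbox"   # world-writable, no sticky bit
    chmod 1777 "$root/shared"    # world-writable but sticky, like /tmp
    printf '%s\n' "$root"
}

# Usage: sh audit.sh [DIR]; with no DIR the constructed sample tree is used.
if [ "$#" -gt 0 ]; then
    audit_permissions "$1"
else
    sample=$(make_sample_tree)
    if audit_permissions "$sample"; then
        echo "clean"
    else
        echo "findings above need review"
    fi
    rm -rf "$sample"
fi
```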
http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.

http://www.linuxsecurity.com/content/view/119087/49/

--------
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New adzapper packages fix denial of service
  9th, February, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121573

* Debian: New elog packages fix arbitrary code execution
  10th, February, 2006

Several security problems have been found in elog, an electronic logbook to manage notes. The Common Vulnerabilities and Exposures Project identifies the following problems...

http://www.linuxsecurity.com/content/view/121583

* Debian: New noweb packages fix insecure temporary file creation
  13th, February, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121606

* Debian: New scponly packages fix potential root vulnerability
  13th, February, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121607

* Debian: New kronolith packages fix cross-site scripting
  14th, February, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121617

* Debian: New xpdf packages fix denial of service
  14th, February, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121618

* Debian: New pdfkit.framework packages fix denial of service
  15th, February, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121634

* Debian: New OTRS packages fix several vulnerabilities
  15th, February, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121635

* Debian: New gpdf packages fix denial of service
  15th, February, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121636

* Debian: New nfs-user-server packages fix arbitrary code execution
  15th, February, 2006

Marcus Meissner discovered that attackers can trigger a buffer overflow in the path handling code by creating or abusing existing symlinks, which may lead to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121643

* Debian: New libast packages fix arbitrary code execution
  15th, February, 2006

Johnny Mast discovered a buffer overflow in libast, the library of assorted spiffy things, that can lead to the execution of arbitrary code. This library is used by eterm which is installed setgid uid which leads to a vulnerability to alter the utmp file.

http://www.linuxsecurity.com/content/view/121644

* Debian: New heimdal packages fix several vulnerabilities
  16th, February, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121646

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Core 4 Update: poppler-0.4.5-1.1
  10th, February, 2006

Heap-based buffer overflow in Splash.cc in poppler, allows attackers to cause a denial of service and possibly execute arbitrary code via crafted splash images that produce certain values that exceed the width or height of the associated bitmap.

http://www.linuxsecurity.com/content/view/121591

* Fedora Core 4 Update: xpdf-3.01-0.FC4.8
  10th, February, 2006

xpdf contains a heap based buffer overflow in the splash rasterizer engine that can crash kpdf or even execute arbitrary code. Users impacted by these issues should update to this new package release.

http://www.linuxsecurity.com/content/view/121592

* Fedora Core 4 Update: kdegraphics-3.5.1-0.2.fc4
  10th, February, 2006

kpdf, the KDE pdf viewer, shares code with xpdf. xpdf contains a heap based buffer overflow in the splash rasterizer engine that can crash kpdf or even execute arbitrary code. Users impacted by these issues should update to this new package release.

http://www.linuxsecurity.com/content/view/121593

* Fedora Core 4 Update: gnutls-1.0.25-2.FC4
  10th, February, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121596

* Fedora Core 4 Update: cpuspeed-1.2.1-1.24_FC4
  12th, February, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121597

* Fedora Core 4 Update: pam_krb5-2.1.15-2
  14th, February, 2006

This update fixes several bugs which have been found since FC4 was released.

http://www.linuxsecurity.com/content/view/121627

* Fedora Core 4 Update: postgresql-8.0.7-1.FC4.1
  14th, February, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121629

* Fedora Core 4 Update: selinux-policy-targeted-1.27.1-2.22
  14th, February, 2006

Zebra was still broken. Hopefully fixed by this update.

http://www.linuxsecurity.com/content/view/121630

* Fedora Core 4 Update: selinux-policy-strict-1.27.1-2.22
  14th, February, 2006

Zebra was still broken. Hopefully fixed by this update.

http://www.linuxsecurity.com/content/view/121631

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: Xpdf, Poppler Heap overflow
  12th, February, 2006

Xpdf and Poppler are vulnerable to a heap overflow that may be exploited to execute arbitrary code.

http://www.linuxsecurity.com/content/view/121598

* Gentoo: KPdf Heap based overflow
  12th, February, 2006

KPdf includes vulnerable Xpdf code to handle PDF files, making it vulnerable to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121599

* Gentoo: ImageMagick Format string vulnerability
  13th, February, 2006

A vulnerability in ImageMagick allows attackers to crash the application and potentially execute arbitrary code.

http://www.linuxsecurity.com/content/view/121614

* Gentoo: KPdf Heap based overflow
  13th, February, 2006

KPdf includes vulnerable Xpdf code to handle PDF files, making it vulnerable to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121615

* Gentoo: Sun JDK/JRE Applet privilege escalation
  14th, February, 2006

Sun's Java Development Kit (JDK) and Java Runtime Environment (JRE) do not adequately constrain applets from privilege escalation and arbitrary code execution.

http://www.linuxsecurity.com/content/view/121633

* Gentoo: libtasn1, GNU TLS Security flaw in DER decoding
  16th, February, 2006

A flaw in the parsing of Distinguished Encoding Rules (DER) has been discovered in libtasn1, potentially resulting in the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121654

* Gentoo: BomberClone Remote execution of arbitrary code
  16th, February, 2006

BomberClone is vulnerable to a buffer overflow which may lead to remote execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121655

+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated ghostscript packages fix various bugs
  10th, February, 2006

A number of bugs have been corrected with this latest ghostscript package including a fix when rendering images when converting PostScript to PDF with ps2pdf, a crash when generating PDF files with the pdfwrite device, several segfaults, a fix for vertical japanese text, and a number of other fixes.

http://www.linuxsecurity.com/content/view/121595

* Mandriva: Updated gnutls packages fix libtasn1 out-of-bounds access vulnerabilities
  14th, February, 2006

Evgeny Legerov discovered cases of possible out-of-bounds access in the DER decoding schemes of libtasn1, when provided with invalid input. This library is bundled with gnutls. The provided packages have been patched to correct these issues.

http://www.linuxsecurity.com/content/view/121616

* Mandriva: Updated postgresql packages fix various bugs
  14th, February, 2006

Various bugs in the PostgreSQL 8.0.x branch have been corrected with the latest 8.0.7 maintenance release which is being provided for Mandriva Linux 2006 users.

http://www.linuxsecurity.com/content/view/121632

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Important: gnutls security update
  10th, February, 2006

Updated gnutls packages that fix a security issue are now available for Red Hat Enterprise Linux 4.

http://www.linuxsecurity.com/content/view/121594

* RedHat: Important: xpdf security update
  13th, February, 2006

An updated xpdf package that fixes a buffer overflow security issue is now available. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/121608

* RedHat: Moderate: libpng security update
  13th, February, 2006

Updated libpng packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/121609

* RedHat: Important: kdegraphics security update
  13th, February, 2006

Updated kdegraphics packages that resolve a security issue in kpdf are now available. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/121610

* RedHat: Moderate: ImageMagick security update
  14th, February, 2006

Updated ImageMagick packages that fix two security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/121628

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

* SuSE: kernel remote denial of service
  9th, February, 2006

The Linux kernel on SUSE Linux 10.0 has been updated to fix following security problems...

http://www.linuxsecurity.com/content/view/121580

* SuSE: binutils, kdelibs3, kdegraphics3, koffice, dia, lyx
  10th, February, 2006

A SUSE specific patch to the GNU linker 'ld' removes redundant RPATH and RUNPATH components when linking binaries. Due to a bug in this routine ld occasionally left empty RPATH components. When running a binary with empty RPATH components the dynamic linker tries to load shared libraries from the current directory.

http://www.linuxsecurity.com/content/view/121590

* SuSE: openssh (SUSE-SA:2006:008)
  14th, February, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121619

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Feb 20 02:07:11 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 20 Feb 2006 01:07:11 -0600 (CST)
Subject: [ISN] Skype's online phone calls may give wiretappers fits
Message-ID:

http://seattletimes.nwsource.com/html/businesstechnology/2002810535_skypewiretap17.html

By Peter Svensson
The Associated Press
February 17, 2006

NEW YORK - Even as the U.S. government is embroiled in a debate over the legality of wiretapping, the fastest-growing technology for Internet calls appears to have the potential to make eavesdropping a thing of the past.

Skype, the Internet calling service now owned by eBay, provides free voice calls and instant messaging between users.
Unlike other Internet voice services, Skype calls are encrypted - encoded using complex mathematical operations. That apparently makes them impossible to snoop on, though the company leaves the issue somewhat open to question.

Skype is certainly not the first application for encrypted communications on the Internet. Secure e-mail and instant-messaging programs have been available for years at little or no cost.

But to a large extent, Internet users haven't felt a need for privacy that outweighed the effort needed to use encryption. In particular, many consider e-mail programs such as Pretty Good Privacy too cumbersome. And because such applications have had limited popularity, their mere use can draw attention.

With Skype, however, criminals, terrorists and other people who really want to keep their communications private are indistinguishable from those who just want to call their mothers.

"Skype became popular not because it was secure, but because it was easy to use," said Bruce Schneier, chief technology officer at Counterpane Internet Security.

Luxembourg-based Skype was founded by the Swedish and Estonian entrepreneurs who created the Kazaa file-sharing network, target of several court actions by the music industry.

Skype's software for personal computers is free. Members pay nothing to talk to each other over PCs, but pay fees to connect to people who are using telephones. Skype software is being built into cellphone-like portable devices that will work within range of wireless Internet "hot spots."

While still somewhat marginal in the United States, Skype had 75 million registered users worldwide at the end of 2005. Typically, 3 million to 4 million users are online at the same time.

Skype calls whip around the Internet encrypted with "keys," essentially very long numbers. Skype keys are 256 bits long - twice as long as the 128-bit keys used to send credit-card numbers over the Internet. The security is much more than doubled.

In theory, Skype's 256-bit keys would take trillions of times longer to crack than 128-bit keys, which are themselves regarded as practically impossible to break by current means.

"It is a pretty secure form of communication, which if you're talking to your mistress you really appreciate, but if al-Qaida is talking over Skype, you have probably a different view," said Monty Bannerman, chief executive of Verso Technologies.

Bannerman's company makes equipment for Internet service providers, including software that can identify and block Skype calls.

Security experts are not completely convinced Skype is as secure as it seems, because the company hasn't made its technology open to review. In the cryptographic world, opening software blueprints to outsiders who can point out errors is considered the safest way to go. Because of the complex math involved, a properly designed cryptographic system can be unbreakable even if its method is known to outsiders.

But according to Schneier, if Skype's encryption is weaker than believed, it still would stymie the kind of broad eavesdropping the National Security Agency is reputed to be performing, in which it scans thousands or millions of calls at a time for certain phrases. Even a weakly encrypted call would force an eavesdropper to spend hours of computer time cracking it.

Kurt Sauer, Skype's chief security officer, said there are no "back doors" that could let a government bypass the encryption on a call. At the same time, he said Skype "cooperates fully with all lawful requests from relevant authorities." He would not give particulars on the type of support provided.

The Justice Department did not respond to questions about its views on Skype encryption.

Verso's Bannerman notes Skype calls are decrypted if they enter the traditional telephone network to communicate with regular phones, so a conversation could be intercepted there. Skype does not reveal how many of its calls run on the phone network.

"There are other ways of getting at the conversation than brute-force decryption of the hacking," Bannerman said.

Schneier thinks eavesdropping on the content of calls is not as important to the NSA as tracking the calls, which is still possible with Skype. For instance, if one account was associated with a terrorist, it would be possible to identify his conversation partners.

"What you and I are saying is much less important than the fact that you and I are talking," Schneier says. "Against traffic analysis, encryption is irrelevant."

Steve Bannerman, vice president of marketing at Narus (he is unrelated to Verso's Bannerman), said his company's systems enable wiretapping of voice calls routed over the Internet, but not those from Skype. Telecommunications carriers use Narus technology.

The most it can do is identify what type of Skype traffic - voice call, text chat or video conference - is being used, and record the scrambled data for law-enforcement officials. From there, he said, "Who knows what those guys can do?"

Copyright © 2006 The Seattle Times Company

From isn at c4i.org Mon Feb 20 02:07:25 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 20 Feb 2006 01:07:25 -0600 (CST)
Subject: [ISN] UNI employees told to initiate fraud alerts
Message-ID:

http://desmoinesregister.com/apps/pbcs.dll/article?AID=/20060217/SPORTS0207/60217017/1001

By LISA LIVERMORE
REGISTER AMES BUREAU
February 17, 2006

About 6,000 employees at the University of Northern Iowa were advised in a letter to protect themselves from identity theft by contacting credit reporting agencies and initiating fraud alerts after a security breach was detected last week on a laptop computer at the university, officials said Friday.

The laptop, assigned to the UNI's Office of Business Operations, contained Internal Revenue Service W-2 forms for student employees, faculty and staff.
UNI officials said a virus was detected on the laptop, which was being used to review how the forms would look when they were printed.

Tom Schellhardt, vice president for administration and finance, said officials found no evidence to suggest personal information was accessed. Even so, everyone with data on the computer was sent the advisory letter along with a recommendation to monitor their personal financial information to ensure their accounts have not been tampered with.

Steve Moon, director of network services at UNI, said the person who used the laptop computer did so to review the print jobs for the W2 forms.

"There had been problems with printing, and the person wanted to review what the print stream was trying to do," he said.

Even so, he said it's risky to put sensitive information on a laptop.

"Certainly it's more at risk just to be stolen," he said. "It would be much easier to pick up a laptop and stick it in your backpack than a desktop would be."

A. Frank Thompson, a UNI professor of finance, said he didn't think W2 forms should be on the computer at all, because the information must be made into a hard copy anyway for tax purposes. Also, "it simply opens up the possibility of that information being inappropriately accessed," he said.

From isn at c4i.org Mon Feb 20 02:08:47 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 20 Feb 2006 01:08:47 -0600 (CST)
Subject: [ISN] Firm Offers $10K Reward For Critical Windows Bug
Message-ID:

http://www.informationweek.com/showArticle.jhtml?articleID=180204079

By Gregg Keizer
TechWeb News
Feb 17, 2006

A security company known for paying bounties on bugs will launch a new program next week that will pay researchers $10,000 for finding Windows vulnerabilities that Microsoft classifies as "Critical."

The new reward is an addition to iDefense's controversial Vulnerability Contributor Program (VCP), which launched in 2005.

"We want to get people excited [about VCP]," said Adam Greene, the assistant director of iDefense Labs. "And we want to encourage researchers to focus on things important to our clients."

Windows vulnerabilities were an obvious pick, added Greene, because "so many of our clients use [Windows]."

The $10,000 research reward comes with a few strings. The offer ends March 31, said Greene, and it must be submitted exclusively to iDefense. If Microsoft eventually classifies it as a "Critical" fix -- the Redmond, Wash.-based developer uses a four-step rating system to rank patches, with Critical at the top of the chart -- iDefense will pay out the $10,000, which is above and beyond its usual VCP payouts. Although iDefense doesn't publish its usual reward rate structure, it paid out nearly $40,000 in its first three months.

Each quarter, iDefense will change the rules of the $10,000 bonus. "We haven't settled on next quarter's," admitted Greene. "But rather than a specific vendor, we're talking about targeting a certain class of vulnerability or class of product. Maybe Web browsers or e-mail."

"It's important to change it up a bit to keep people interested," he added.

A few other companies trade cash for vulnerabilities. TippingPoint, part of 3Com, has a similar program, dubbed Zero Day Initiative, while Mozilla pays $500 for bugs in its open-source software.

But the practice is criticized by some security research rivals.

"It blurs the lines between gray and white and black hats," said Mike Puterbaugh, vice president of marketing for eEye Digital Security. "It creates a market for vulnerabilities, and almost legitimizes the black market."

Not surprisingly, iDefense's Greene disagreed. "We don't deal with any groups [of researchers] known to have anything to do with illegal activity. Interestingly enough, a lot of these people aren't that interested in the money, but are people who don't want to deal with the vendors, which have ignored them in the past."

And paying for bugs may get some dangerous vulnerabilities "off the street," so to speak, Greene said. "You always have to assume that a given vulnerability is in the hands of more than one person," he said, noting that a handful of the bugs iDefense paid for in 2005 were used to actively exploit software after the Reston, Va.-based company received a heads-up from a bounty hunter.

iDefense uses the bounties to provide advance notice to clients on developing threats. "In one case last year, a vulnerability [in the VCP program] gave our customers 60 days of advance warning before it was made public," said Greene.

eEye Digital Security, well known for discovering vulnerabilities in Microsoft and Apple software, gets to the same result -- early warning for customers -- but relies instead on its own internal research team.

"We take a lot of pride in our primary research," said eEye's Puterbaugh, who claimed that internal research led to protections against the recent Windows Media Player vulnerability for customers as far back as June 2004.

"iDefense may have the best intentions, but paying for vulnerabilities is definitely a slippery slope," Puterbaugh concluded.

Copyright © 2005 CMP Media LLC

From isn at c4i.org Mon Feb 20 02:09:11 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 20 Feb 2006 01:09:11 -0600 (CST)
Subject: [ISN] Call for Papers - Bellua Cyber Security Asia 2006
Message-ID:

Forwarded from: Anthony Zboralski

Bellua Cyber Security Asia 2006 Call for Papers - http://www.bellua.net

For the second consecutive year, the Bellua Cyber Security Asia 2006 Conference will bring together in Indonesia internationally recognized experts in the security community as well as leading members of the local Indonesian technology and security industry.
BCS Asia 2006 will bring together researchers and practitioners from Asia, Europe and the Americas to discuss present and future information security issues through an intensive series of workshops, presentations, demonstrations and technical sessions. Do not submit product or vendor pitches please.

Important Dates:
  28-29 August 2006: The Workshops
  30-31 August 2006: The Conference

The meeting will take place in Jakarta, Indonesia, at the Jakarta Convention Center (see travel and visa information below.)

Please send your proposal to cfp2006 at bellua.com as soon as possible and no later than 31 March 2006. This year, proposals will be evaluated in the order received; submit early to maximise your chances of being selected.

The program committee invites proposals for paper presentations, demonstrations and poster contributions on any topic relevant to cyber security and hacking including but not limited to:

Business Track
  ISO27001 Information Security Management Systems (ISMS)
  Business Processes & Security
  Compliance Management
  Handling Security failure & incidents
  Banking Security
  Telecommunication Security
  Internet Fraud
  Security Awareness
  Social engineering
  Privacy, anonymity, ethics
  Cyber Law and Enforcement

Technical Track
  0 day Hacking & Security
  Penetration Testing
  Telecom Security/Phreaking (SS7, GSM, 3G, GPRS, EDGE...)
  Secure Programming
  Reverse Engineering
  Exploit development
  Forensics
  Wireless Security & Hacking (WiFi, Bluetooth, vsat...)
  Web Application Security
  Database Security
  Cryptography
  Spyware/Malware/Worm/Virus
  Physical Security

Your submission should include:
  Name, title, address, email and phone number
  Draft of the proposed presentation (in PDF, PowerPoint or Keynote format), proof of concept for tools and exploits, etc.
  Short biography, qualification, occupation, achievement and affiliations (limit 150 words).
  Summary or abstract for your presentation (limit 150 words)
  Time (40-60 minutes). Include time for discussion and questions
  Technical requirements (video, internet, wireless, audio, etc.)

Each non-resident speaker will receive accommodation for 3 nights at the Jakarta Hilton International. For each non-resident speaker, Bellua will cover travel expenses up to USD1000.

N.B. If an official sponsor employs you or you only propose a poster contribution, you will not receive any compensation for travel, hotel accommodations or an honorarium from Bellua.

Poster sessions are an integral part of Bellua Cyber Security events. Far from being a second option, posters provide an excellent way to present research work in a clear, concise format. A well-thought out poster can be better than an oral presentation in describing complex research work. Poster contributors will receive one complimentary conference pass.

Call for Workshops

Please send your proposal to cfp2006 at bellua.com as soon as possible and no later than 31 March 2006.

This is also a call for workshops. One of the objectives of this meeting is to allow researchers to gain a background in areas that they may know little about. Towards that end a number of Workshops are planned. Some participants in the workshop will be very excited in learning about technical matters such as hacking, exploit writing, penetration testing, social engineering, BCP, DRC or other important attack and defense techniques. Others might enjoy a seminar on a philosophical topic. Workshop presenters are expected not to present only their own material, but to give a broader overview and encourage discussion and debate.

The workshops will be held from 28th to 29th August. Workshops that do not achieve the minimum enrollment will not be offered. The size of workshop will vary from 8 to a maximum of 25 people.

Please send the workshop proposal along with the following to cfp2006 at bellua.com as soon as possible and no later than 31 March 2006.
  Address, affiliation, email and phone number
  Draft timetable for the proposed workshop with title
  Summary or abstract of the workshop, limit 250 words.
  Biography (150 words)
  Curriculum vitae - Resume
  Technical requirements

Please send your proposal to cfp2006 at bellua.com as soon as possible and no later than 23 December 2004.

Program Committee
  Anthony Zboralski, Bellua Asia Pacific
  Dhillon Andrew Kannabhiran, HackInTheBox
  Fetri Miftach, Bellua Asia Pacific
  John Grygorcewicz, Bispro Consulting
  John Howie, Microsoft Security Community
  Emmanuel Gadaix, Telecom Security Task Force
  Philippe Langlois, Telecom Security Task Force
  Ralph Logan, The Logan Group, The Honey Net Project
  David Maynor, ISS X-Force
  Thomas Wana, Void
  Jim Geovedi, Bellua Asia Pacific
  Andi, Void
  Skyper, Phrack Magazine
  Mark Dowd
  Matt Conover, Symantec
  Andrew R. Reiter
  Josha Broson, AngryPacket Security
  Nicolas Fischbach, Colt Telecom
  Fyodor Yarochkin

Visa Information

The Department of Justice and Human Rights has officially determined that as of 1 February 2004:

The Free Visa Facility (length of stay max. 30 days) will be issued to citizens of the following countries: Brunei, Malaysia, Philippines, Singapore, Thailand, Vietnam, Hong Kong, Macao, Morocco, Chile, Peru.

The Visa-on-Arrival Facility (length of stay max. 30 days) will be issued to citizens of the following countries: Australia, Argentina, Brazil, Canada, Denmark, Finland, France, Germany, Hungary, Italy, Japan, New Zealand, Norway, Poland, South Africa, South Korea, Switzerland, Taiwan, United Kingdom, United Arab Emirates, United States.

Citizens of countries not stated above are required to apply for a visa at the Indonesian Embassy/Consulate in their country of domicile.

For questions regarding event registration, please call +62 570 5800 (Astri). For general event questions, please email bcs2006 at bellua.com.

PT Bellua Asia Pacific - Bellua Cyber Security Conferences & Workshops

--
Anthony C. Zboralski
PT Bellua Asia Pacific - http://www.bellua.com
Bumi Daya Plaza 21st Floor, jl. Iman Bonjol No.61 Jakarta 10310 Indonesia.
Phone: +62213918330 HP:+62 818 699 084
65b1d8c7 - 6c0b b76a 51ef bfa6 c03b 97c8 af75 420c 65b1 d8c7

From isn at c4i.org Tue Feb 21 01:13:30 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 21 Feb 2006 00:13:30 -0600 (CST)
Subject: [ISN] Online Stores Are Caught In Jihad Web
Message-ID:

http://news.tbo.com/news/metro/MGB47AQ4WJE.html

By HOWARD ALTMAN
haltman @ tampatrib.com
Feb 20, 2006

When Stacey Turmel placed an order online with Davida, an English motorcycle accessory company, she was looking for protective gear with style and comfort. But after plunking down $255 for a two-tone Deluxe Jet helmet, she found herself dragged into the shadowy world of global jihad.

Turmel, a St. Petersburg lawyer, has learned that she was among several Davida customers whose personal and credit information was placed on a public Web site - 3asfh.net. The site, hosted temporarily by a Tampa-based Web-hosting company, has been used to exchange information on hacking by people waging war in the name of Islam.

"It was scary to find out that jihadis had my personal information," Turmel said.

Her loss was modest. After checking records in the spring of 2002, she found several small charges she did not make - none more than $40, but other victims discovered attempts to charge more than $1,000.

Investigators and Internet security experts say much more is at stake. Computer hackers - from wayward teens to organized crime syndicates to groups associated with al-Qaida - steal hundreds of billions of dollars every year.

Hack attacks such as the one against Turmel are a key weapon of global jihad, experts say. One example is the 2002 explosion that killed more than 200 people at a nightclub in Bali, Indonesia. Computer security experts say Imam Samudra, the man behind the attack, financed it through credit card fraud.
Turmel's experience tells the "central story" of jihadi hackers, said Alan Paller, director of research at the SANS Institute, a cybersecurity firm based near Washington that works with the National Security Agency, financial institutions and governments around the world. In a book Samudra wrote in jail, he "exhorts followers to 'learn to hack,'" Paller said. The book continues, "Not just because it makes more money in three to six hours than a policeman makes in six months, because it is how we can bring America and its cronies to its knees."

Fragile Web

Like Turmel and other customers, Davida's owner, David Fiddaman, was unaware of the jihadi activity. Sellers and buyers need to be more vigilant, say those charged with securing the Internet.

Realizing the scope of the problem, the U.S. government is scrambling to catch up. The 2003 Information Operations Roadmap, a recently declassified, 74-page Department of Defense report, outlines methods for government agencies and military units - including Special Operations Command in Tampa - to attack enemy computer networks and deal with hacking attempts on U.S. systems.

The Slammer worm, an intrusive computer program introduced in 2003 by unknown hackers, is an example of the Internet's vulnerability, according to a 2004 World Bank report. The report says, "Within 15 minutes after the Slammer was introduced, 27 million people in South Korea were left without cell phone or Internet access, five of the Internet's 13 root servers crashed, 300,000 cables in Portugal went dark, Continental Airlines had to cancel flights because it had no Internet access, the world's largest telecommunications provider was shut off, and 911 service in Seattle" was disrupted.

The convenience of the Internet makes consumers prime targets, experts say.
"Because of the porous nature of security in commerce and finance, and the prevalence of anonymity, it is very easy to siphon and steal funds," said Tom Kellerman, former senior risk management specialist for the World Bank and author of the 2004 report.

Kellerman rattles off statistics driving home his point: $400 billion in losses around the world last year from cybercrime, nine out of 10 businesses affected, identity theft hitting 19.3 million people in the United States. A good chunk of that theft - though no one knows how much - is by jihadi hackers, said Kellerman, who is chief knowledge officer and co-founder of the cybersecurity firm Cybrith LLC.

Cybercrime is safer and easier than selling drugs, dealing in black market diamonds or robbing banks, he said.

"In the underground and in chat rooms, these people are sharing information," Kellerman said. "The Internet is the wild, wild West. There is a community that shares tricks of the trade very freely."

The Internet is "almost like a giant arms bazaar," said Kellerman, where users can download weapons to hack into financial institutions. "In this unregulated and wide-open space, they are facilitating the financing of terrorist acts," he said.

The government and business communities are aware of the problems, but their solutions are lacking, Kellerman said. "A lot of people don't realize that until we build better castles and control cyberspace in a better fashion, we are not going to defeat terrorists' financing," he said. "The lack of security contributes to cybercrime, which contributes to terrorism. There is a direct link."

Emotional Toll

Kellerman's dour assessment is bad news for potential hacking victims. So, too, is a January report from the Javelin Strategy and Research firm, which concludes that although federal laws and credit card companies have done a good job of protecting consumers for out-of-pocket losses, it takes about 40 hours to clear up credit problems after they are discovered.
"I don't think there is any question that we all lose when there is fraudulent use of this information," said Gerri Detwiler, president of the Sarasota-based Ultimate Credit Solutions Inc. "The new Harrison Ford movie, 'Firewall,' about a guy whose identity is stolen by thieves, will only add to the concern."

Cybercrime is the FBI's third priority, behind counterterrorism and counterintelligence. "The network of cyberhackers is extensive, and we are working with our partners, international, state and local, every day," said FBI spokeswoman Cathy Milhoan, who could not comment specifically about problems faced by Turmel and other victims of 3asfh.

Echoing advice from credit experts, Turmel urged consumer caution. "Look at your balances," she said. "Check those statements on a monthly basis. If there is anything you don't recognize, you need to follow up on it right away."

From isn at c4i.org Tue Feb 21 01:14:10 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 21 Feb 2006 00:14:10 -0600 (CST)
Subject: [ISN] Invasion of the Computer Snatchers
Message-ID: 

http://www.washingtonpost.com/wp-dyn/content/article/2006/02/14/AR2006021401342.html

By Brian Krebs
February 19, 2006

In the six hours between crashing into bed and rolling out of it, the 21-year-old hacker has broken into nearly 2,000 personal computers around the globe. He slept while software he wrote scoured the Internet for vulnerable computers and infected them with viruses that turned them into slaves.

Now, with the smoke of his day's first Marlboro curling across the living room of his parents' brick rambler, the hacker known online as "0x80" (pronounced X-eighty) plops his wiry frame into a tan, weathered couch, sets his new laptop on the coffee table and punches in a series of commands. At his behest, the commandeered PCs will begin downloading and installing software that will bombard their users with advertisements for pornographic Web sites.
After the installation, 0x80 orders the machines to search the Internet for other potential victims. The young hacker, who has agreed to be interviewed only if he isn't identified by name or home town, takes a deep drag of his smoke and leans back against the couch to exhale. He smiles. This is his day job, and his work is finished in less than two minutes. In two weeks, he will receive a $300 check from one of the online marketing companies that pays him for his services. "Most days, I just sit at home and chat online while I make money," 0x80 says. "I get one check like every 15 days in the mail for a few hundred bucks, and a buncha others I get from banks in Canada every 30 days." He says his work earns him an average of $6,800 per month, although he's made as much as $10,000. Not bad money for a high school dropout. Hacked, remote-controlled home computers, known as robots or "bots," and large groups of robot networks like the one 0x80 runs -- called "botnets" -- are the souped-up cyber engines driving nearly all criminal commerce on the Internet. Botnets are used to relay millions of pieces of junk e-mail, or spam, touting everything from cheap Viagra to get-rich-quick business schemes. And the botmasters who control these computer networks are at the heart of ominous and increasingly common online shakedowns known as "denial of service attacks." In such an attack, Web gangsters demand tens of thousands of dollars in protection money from businesses. If the businesses refuse to pay, the criminals order the thousands of computers that make up their botnets to flood the Web sites with meaningless traffic, crippling the businesses and costing them thousands or hundreds of thousands of dollars in lost revenue. 0x80 says that he doesn't use his botnet to shake down businesses. Instead, he and a growing number of botmasters make money by seeding their botnets with spyware, also known as adware. 
Once installed on a PC, the adware serves up pop-up advertisements and mines data about the user's online browsing habits. The computer worm that powers the botnet also gathers far more sensitive data from the victim's machine, including passwords, e-mail addresses, Social Security numbers and credit card data. The spyware and adware problem is pervasive and growing: A recent survey by the National Cyber Security Alliance and America Online found that four of five computers connected to the Web have some type of spyware or adware installed on them, with or without the owner's knowledge. The distribution of online advertisements via spyware and adware has become a $2 billion industry, according to security software maker Webroot Software Inc. And as the industry has boomed, so have the botnets. Just a few months ago, FBI agents arrested a 20-year-old from Southern California for installing adware on a botnet of more than 400,000 hacked computers. Jeanson James Ancheta's victims included computers at the Naval Air Warfare Center and machines at the Defense Information Systems Agency, according to government documents. He pleaded guilty to the charges last month. Like Ancheta, 0x80 installs adware and spyware surreptitiously, though the law requires the computer owner's consent. The young hacker doesn't have much sympathy for his victims. "All those people in my botnet, right, if I don't use them, they're just gonna eventually get caught up in someone else's net, so it might as well be mine," 0x80 says. "I mean, most of these people I infect are so stupid they really ain't got no business being on [the Internet] in the first place." Tall and lanky, with hair that falls down to his eyebrows, 0x80 almost never looks you in the eye when he talks, his accent a slurry of heavy Southern drawl and Midwestern nasality. He lives with his folks in a small town in Middle America. 
The nearest businesses are a used-car lot, a gas station/convenience store and a strip club, where 0x80 says he recently dropped $800 for an hour alone in a VIP room with several dancers. He tells his parents that he works from home for a Web design firm. His bedroom resembles a miniature mission control center, with computers, television and computer monitors, and what must be several miles' worth of tangled wires plugged into an array of surge-protected power strips. At the moment, 0x80 controls more than 13,000 computers in more than 20 countries. This morning he installs spyware on just a few hundred of the 2,000 PCs that he has commandeered in the last few hours. He will stagger the remaining installations throughout this day and into the next, using a program he wrote that automates the process. If he installs too many bundles of spyware at once, the online marketing companies "get suspicious, they cut me off, and I don't get paid," he mumbles, squinting at the screen while the nub of his cigarette sprinkles ashes all over his laptop and the coffee table. "I've learned not to get greedy." A small dog with matted fur enters the living room and winds through 0x80's feet. 0x80 gives the dog a gentle shove with his foot, without even looking up from his laptop. He furiously stabs at the keyboard with his two forefingers, punching out a short command that produces a mesmerizing blur of black-on-white text that scrolls up the computer screen at several pages per second. 0x80 makes it halfway through a cigarette before the text flying across the screen finally stops. The command he typed -- "pstore" -- is short for "password store." On the screen in front of him is a listing of every user name and password that the owner of each infected computer has stored in the Microsoft Internet Explorer Web browser on his or her computer.
A quick scroll through the first few dozen pages of the file reveals credentials his victims have used to log in to online accounts at PayPal, eBay, Bank of America and Citibank, to name just a few. Many of the Web sites for which user names and passwords are stored are harmless, such as sports or hobby sites. Others are potentially far more revealing, such as hard-core sex and fetish Web sites. 0x80 has also found credentials for thousands of e-mail accounts, including dozens at ".mil" and ".gov" (U.S. military and government) addresses. "See all that info?" 0x80 asks. "I don't use it, and I don't sell it like a lot of guys I know do. That's too risky." His goal is to make money, not to end up in jail. One of his victims, a computer-loving 29-year-old pastor named Michael White, could tell 0x80 plenty about jail. White runs the Agape Church and Christian Center in Memphis but admits he wasn't always a man of God. Ten years ago, he was a freshman at the University of Memphis, where he was on the track team and the dean's list. Then he fell in love with liquor, he says, and flunked out of school. He landed in jail twice over the next 18 months, both times for driving a car that didn't belong to him. Next came the accident that changed his life. One night, while White was driving a friend's Mitsubishi Eclipse, a police cruiser pulled up behind him, lights flashing. White says he was intoxicated, and driving without a license or insurance. He panicked, floored the car and lost control, flipping the Eclipse over and over until the fuel tank ignited. White woke up in a hospital bed with third-degree burns over 30 percent of his body. The searing heat from the explosion had melted his ears into little nubs, and doctors had amputated the pinky finger on his scarred left hand. 
Fifteen plastic surgeries and more than two years of physical therapy later, White had healed enough to face the charges against him, which included aggravated assault for endangering the lives of other motorists. He pleaded guilty in 1999 and served almost two years at a prison in Tennessee. During his time in prison, he says, "I realized the Lord had called me to ministry." Since White's release in 2001, God has played a huge part in his life. And so have computers. He typically spends 50 to 60 hours a week surfing the Web, instant-messaging and e-mailing. He even met his wife online. Shortly after starting his ministry, he entered an online chat room dedicated to Christian ministries and struck up a conversation with a woman using the screen name "Warrior Princess." They hit it off immediately and married 15 months later. Taneshia gave birth to their first child, MaKalya, last month. But the same technology that led White to his wife betrayed him last summer. His desktop computer, which he had paid $350 for in 2004, was suddenly inundated with pop-up ads for adult Web sites. A mysterious toolbar with the symbol "XXX" had shown up in the topmost portion of every Internet Explorer Web browser window he opened. A friend spent a few days trying to remove the pornographic software, but each time he did, the software reinstalled itself after the computer was reconnected to the Internet. White initially suspected that one of the kids he tutors after school had used his PC to visit some questionable Web sites. He wasn't aware that his computer had been hijacked by 0x80 until he was contacted by the reporter writing this story. 0x80's bot program was able to infiltrate the pastor's computer because the PC lacked dozens of software patches that Microsoft has issued to fix security flaws in its Windows operating system. 
White says he was counting on a $50 firewall and antivirus software suite he purchased from Trend Micro to keep hackers and viruses from attacking his PC, but he confesses he's not sure whether the software was equipped with the latest updates that would allow it to detect the most recent viruses. "I'll be honest, as someone who loves technology, I've not done a great job with this computer," White says. He eventually opted to buy a new PC rather than spend the time and money to repair the infected one. "It just made more sense for me to get a new $300 Dell that came with a free monitor that was better than the one I had," he says. The whole episode, he says, has taught him a valuable lesson: It's easier to take the precautions needed to keep a computer from being hacked than it is to clean it up after the damage has been done. "Overall, you've got to realize that, just like if you don't secure your home, you run the risk of getting burglarized; if you're crazy enough to leave the door on your computer open these days, like I did, someone's gonna walk right in and make themselves at home." 0x80 began learning how to program at age 14, before his family even owned a computer. Like many hackers of his generation, he got his start by meeting techies on networks run by America Online. "This buddy of mine who lived two houses down from me had a computer before I did. He was always on AOL, but he also always had trouble figuring out how to do stuff, so I'd just go on all the time and figure it out for him." 0x80 says he got into writing viruses by accident after logging onto an AOL chat room named "Lesbians Only." "Someone sent me a virus that made it so that every time I typed anything on the keyboard it would pop a message up on the screen that said, 'I'M [expletive] GAY!'" 0x80 recalls. He tried to stop the computer from flashing the message, but nothing worked. 
"I finally found [information] on it using my friend's PC and figured out how to write a batch script to stop the virus." After that, 0x80 became obsessed with computer viruses and dedicated nearly all his time to tinkering with them. On his 16th birthday, his folks gave him his own computer to do schoolwork. It wasn't long before 0x80 was skipping school to spend time in online channels known as Internet Relay Chat, a vast sea of text-based communications networks that predates instant-messaging software. There are tens of thousands of IRC channels all over the world catering to almost every imaginable audience or interest, including quite a few frequented exclusively by hackers, virus writers and loose-knit criminal groups. IRC channels have traditionally been among the most popular means of controlling botnets. About two years ago, 0x80 entered an IRC channel where several hackers were bragging about how much they were making using botnets to install spyware. Up to that point, 0x80 had used his botnet mainly for "packeting," conducting petty denial-of-service attacks to knock his buddies or enemies offline. Within a few weeks of visiting that channel, 0x80 was modifying the computer worm code he needed to transform his botnet into a money machine. He and his hacker friends are part of a generation raised on the Internet, where everything from software to digital music to a reliable income can be had at little cost or effort. Some of them routinely go out of their way to avoid paying for anything. During a recent conference call with half a dozen of 0x80's buddies using an 800-number conferencing system they had hacked, one guy suggests ordering food for delivery. Nah, one of his friends says, "let's social it." The hackers take turns explaining how they "social" free food from pizza joints by counterfeiting coupons or impersonating customer service managers. 
"Dude, the best part is when you walk in, you hand them the coupon or whatever, they give you your [pizza], and you walk out," one of them enthuses. "Then, it's like, yes, I am . . . the coolest man alive." "Dude, that's so true," echoes a 16-year-old hacker. "Free pizza tastes so much better than pay pizza any day." 0x80 expresses some ambivalence about this lifestyle and occasionally ponders what he should do next. He's toyed with the notion of going to a community college to get a degree in computer science, but the idea of getting an honest job with a legitimate tech company doesn't hold much appeal. "I'd probably have to take a pretty bad pay cut no matter where I worked," he says. Asked whether he worries about getting caught, 0x80 stuffs his hands into his jeans pockets, shrugs his shoulders and looks down at his shoes. "To tell the truth, man, I'm sorta surprised they haven't caught me yet." He claims he doesn't care but then confesses that he dedicates quite a bit of time to covering his tracks. "I do stay up very late each night trying to make sure nobody is going to kick in my front door . . . If I do [get caught], I'm not all that worried. I've got enough money. I can always get a good lawyer." Adware and spyware distribution companies promise instant riches to people who agree to help install their programs. These installers are known in the business as "affiliates." Many adware distribution sites recruit affiliates with photos of stacked $100 bills. GammaCash.com, for instance, the company that makes the XXX toolbar that Michael White discovered on his computer, features an animated image of a pair of hands cupped to hold an expensive watch. Wait a few seconds, and the watch disappears, only to be replaced by a Cadillac sport utility vehicle, which quickly morphs into a yacht. 
The companies include in their "terms and conditions" disclaimers that they do not permit the installation of their products without the consent of the person who owns the computer. Most claim they will terminate without pay any affiliates who violate that rule. But 0x80 and one of his friends -- who goes by the screen name Majy -- say they've easily disguised their installation methods. Their biggest complaint about the whole enterprise: being routinely shortchanged by the adware distribution companies, which often "shave," or undercount, the number of programs installed by their affiliates. "It sucks, too, because the companies will shaft you, and there isn't a lot you can do about it," says Majy, 19, who claims to have had as many as 30,000 computers in his botnet. There are, in fact, legal ways to induce PC owners to download spyware and adware. Most computer users acquire spyware and adware simply by browsing certain Web sites, or agreeing to install games or software programs that come bundled with spyware and adware. Before its Web site went dark not long ago, TopConverting.com bundled its adware and spyware with products most likely to appeal to children and teenagers: simple games, online game insignias or "avatars," and "emoticons," custom-made smiley faces for use in instant-message software. The company also marketed short digital videos that catered to the humor of teenage boys: "Beavis and Butt-Head" cartoons, a short clip called "Boob Boxing" and another titled "Bath Fart." Computer users may or may not understand what they are consenting to when they click "OK" to the lengthy, legalistic disclosures that accompany these games or videos. But those notices are legal contracts that essentially absolve the adware companies from any liability associated with the use or misuse of their programs. 0x80 and Majy don't leave computer owners any chance to decline the adware. 
Once they invade a computer and add it to their botnet, they use automated keystroke codes to order the enslaved machine to click "OK" on installation agreements. 0x80 says he even created a program that allows him to remotely wipe computers in his botnet clean of old adware, making room for him to install new adware -- and get paid again. And getting paid is the whole point. Majy says TopConverting, which did not respond to requests for comment for this article, paid him an average of $2,400 every two weeks for installing its programs. He got 20 cents per install for computers in the United States and five cents per install for PCs in 16 other countries, including France, Germany and the United Kingdom. A nickel per install doesn't sound like much, unless you control a botnet of tens of thousands of computers. Majy also receives income from Gamma-Cash, which bills itself on its Web site as "an industry leader in online adult affiliate programs." The company pays affiliates to drive traffic to adult Web sites, mainly through pop-up advertisements for porn sites served to users through its XXX toolbar, which hijacks the victim's Web browser and sets its home page to one of several subscription porn sites. Majy says Gamma-Cash, which did not respond to requests for comment, sends him a $400 check each month from a bank in Canada. 0x80 also installs adware for Gamma-Cash. And he works for a company called Loudcash, which was recently purchased by one of the largest and most important players in the adware business: 180solutions. Half of the glass-and-steel structure that houses 180solutions' sprawling headquarters in Bellevue, Wash., rests underground; the other half juts out at acute angles. The rooftop sports an AstroTurfed volleyball court, a gas grill and a commanding view of the Seattle skyline. Some of the company's 200-plus employees zip around the long hallways on Segways or foot-powered scooters. 
Throughout the building are polka-dotted posters that read, "Who Do You Want to Be?" The signs are meant to challenge employees to continuously reevaluate their roles, but they also reflect the seven-year-old company's effort to prove to the world that it has executed a 180-degree shift away from its past business practices. 180solutions got its start in the adware industry with a product called Epipo, which paid people roughly six cents per hour to view specially targeted advertisements sent to their computers. The product became popular among college students, who quickly figured out ways to automate browsing the Web so that they could get paid for viewing ads while they were away from their computers. According to allegations in a lawsuit filed by the Washington state attorney general's office, 180 responded by changing the payment terms so that it was virtually impossible for people to collect the promised money. The company nearly went bankrupt when it settled the suit in 2002. By that time, 180 had changed its marketing strategy. Instead of paying people to install its adware, the company lured them with free games, which came bundled with ad-serving software called "n-Case." The software tracked users' surfing and buying habits, and was extremely difficult to remove. Consumer advocates had little difficulty showing that n-Case was being installed without user consent. Faced with increasing criticism for the fraudulent installs, 180 rebranded the software as 180 Search Assistant. The new software's chief distinguishing feature was that it was easier to remove than n-Case. In 2004, venture capitalists invested $40 million in 180solutions, fueling rapid growth. That year, 180 says, it raked in more than $50 million delivering online ads for some of America's best-known corporations, including JP Morgan Chase, Cingular, T-Mobile, Monster.com and Expedia.com. 
(Among the hundreds of companies that have placed ads through 180solutions is Kaplan University Online, which is owned by The Washington Post Co.) By 180's own count, its adware is installed on 20 million computers. The people who use those computers receive pop-up ads based on what they are searching for online. If the user searches for the term "travel," 180's software will look through its database of clients in the travel business and present an ad from the company that bid the most on that search term. The next time that user searches using the same term, 180 will serve the ad of the next-highest bidder for that word, and so on. 180 then gets paid from 1.5 to 2.5 cents for each ad it delivers to the user. The more computers with 180's adware, the more revenue each ad generates. Consumer groups gathered mountains of evidence that 180 Search Assistant was being installed on thousands of computers without user consent. Once again, 180 tried to quiet its critics. Toward the end of last year, the company announced it was phasing out 180 Search Assistant in favor of the Seekmo Search Assistant. Company spokesman Sean Sundwall says Seekmo will be more fraud resistant than 180 Search Assistant, and that it will not be distributed or bundled with other software programs without 180's permission. The company says this will give it far more control over how Seekmo is installed and by whom. But Ben Edelman, who has spent years chronicling the offenses of the adware industry while working toward a PhD in economics at Harvard University, says Seekmo is functionally the same program as 180 Search Assistant. Edelman says 180's penchant for renaming its software each time abuses are highlighted is part of the reason the anti-spyware community directs so much vitriol at the company. "The idea that 180solutions got where they are today through bad business practices and that they continue to make money from that user base is hardly unique to them," Edelman says. 
"What really makes people so mad is that 180 is far less apologetic than the other players" in the industry. The Center for Democracy & Technology, the leader of a group called the Anti-Spyware Coalition, spent two years working with 180 to resolve dozens of consumer complaints about surreptitious installs. Ari Schwartz, the center's deputy director, says each time the subject arose, the company claimed it was blindsided by the accusations and that it needed more time to correct its distributors' behavior. Weeks after 180solutions said it was discontinuing its 180 Search Assistant software, a computer worm began spreading rapidly across AOL's instant message network, downloading and installing viruses and a host of other programs -- including 180 Search Assistant -- on victims' computers. While 180 denied it had anything to do with the worm, for the CDT, that was the last straw: On January 23, the nonprofit filed a detailed complaint with the Federal Trade Commission urging the agency to sue 180solutions for violating consumer protection laws. In a statement, 180solutions denied that it was ignoring the problem, arguing that it had made "great progress in the fight against spyware" and insisting that it shared the CDT's vision of "protecting the rights and privacy of consumers on the Internet . . . We have made voluntary improvements to address every reasonable concern that the CDT has made us aware of." Company executives acknowledge they didn't begin addressing the fraud problems wrought by what 180 co-founder Dan Todd calls "a few bad actors" until mid-2004. Dressed in worn-out jeans and an untucked dress shirt, 34-year-old Todd puts one foot up on the coffee table in his glass office and tries to explain how things spiraled so far out of control. 
"At some point between dealing with legitimate distributors and these botnet guys who try real hard to look like good guys, we realized that something had gone terribly wrong and that our plan of outsourcing our relationship to the consumer had backfired," Todd says. Last year, he says, 180 executives purchased some of their biggest distributors, including Loudcash, as part of a plan to rein in "rogue distributors" and help clean up the company's adware distribution practices. 180 says it no longer allows its adware to be bundled with adult Web site content or peer-to-peer (P2P) online file-sharing services that many people accuse of promoting music and movie piracy. "Our goal," he says, "is to minimize the financial incentive for people to install our software illegally, with the goal of making sure that our money never gets paid to bad actors." To demonstrate its commitment, 180 filed lawsuits last year against seven distributors, accusing them of using botnets to earn more than $60,000 installing the company's adware without computer owners' consent. When the defendants -- all of whom live outside of the United States -- refused to make the trip here to face the allegations against them, 180 referred the matter to the FBI, says company attorney Ken McGraw. The company also worked with the FBI and Dutch authorities last year on an investigation that shut down a botnet of more than 1 million computers in the Netherlands. The FBI acknowledged that 180 was instrumental in helping to track down the botmasters. 180, in fact, became the target of a denial-of-service attack by the botmasters, who were furious that the company was refusing to pay them for surreptitious adware installs. The attack briefly crippled 180's Web site, making the company a victim of the botnet phenomenon. 
Yet 180's insistence that it is cracking down on botmasters has yet to win over the anti-spyware activists, who have spent years unraveling the labyrinthine economic ties among advertisers, adware vendors and their affiliates. The anti-spyware hawks don't believe 180solutions has changed the way it operates or that the company is buying up major players in the adware industry in order to clean up its act. "That's sort of like a drunk saying he's buying up a liquor store to solve his drinking habit," says Eric Howes, an executive at Sunbelt Software, an anti-spyware firm. At a recent anti-spyware conference, Todd was openly mocked for claiming that 180 previously had no way of knowing how many of its distributors were installing its software illegally. Someone at the conference suggested that 180 use its technology to periodically present users with pop-ups asking them whether they had authorized the adware to be installed in the first place. Now the company says it is doing just that. If the answer is no, the user can remove the software with a click of a button. 0x80 hasn't paid much attention to the public condemnation of 180's business practices. And he says he doubts any of the measures the company is taking will discourage botmasters from installing adware. "It doesn't really matter what [180] does to try and stop them," the hacker says. "There's just too much money to be made there. People will just find another company to work with." Sam Norris answers the door of his handsome stucco-and-Spanish-tile home near San Diego dressed in jeans, a polo shirt and squeaky-clean blue and white suede sneakers. He smiles broadly. "You picked a great week to come out," he says. "I'm tracking quite a few botnets today." Norris, 31, is president of an Internet service company called ChangeIP.com that finds itself at the center of the battle against botnets. 
He estimates that he is spending up to 20 hours a week preventing botmasters like 0x80 and Majy from using his network to control their botnets. Botmasters typically control their herds of infected PCs by having each report to a central server and await instructions, which may be to attack a Web site, send spam or download spyware programs. But many of the IRC networks that have been used for this purpose are beginning to crack down on botmasters. As a result, an increasing number of hackers are trying to cover their tracks by taking advantage of the services of companies like Norris's, which allow Internet browsers to find hundreds of small Web sites by name (for example: smallwebsite.com), even though the actual numeric address of the sites can change from day to day. Botmasters like 0x80, however, have turned that process inside out. They use Norris's service to hide their botnets when they jump from server to server. Should authorities or computer security experts start to zero in on the server that's running their botnet, they can switch servers, and ChangeIP.com will enable the hijacked computers to find the new hideout. In most cases, it is easy for Norris to tell which hosts on his network are legitimate Web sites and which are botnets: Most small Web sites don't have thousands of computers trying to access the site at precisely the same time. By tracking the communications traffic between the infected machines and the botmaster's control channel, Norris can capture data that might be useful to law enforcement, including snippets of text or code that may hold clues about the geographic location or identity of the botmaster. Norris says he sees an average of 37 new botnets per week trying to use his company's service, and sometimes as many as 10 new botnets per day. Last spring, he cut off access to a botnet of more than 40,000 PCs that was being used as a massive install base for spyware. 
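The heuristic Norris describes, a name that thousands of hosts resolve at the same moment and whose address keeps moving, can be turned into a simple resolver-log check. The block below is an added example, not ChangeIP.com's code or anything from the article; the log format (ISO timestamp, client IP, queried name, answer IP), the sample records and the thresholds are all constructed for illustration.

```python
"""Spot dynamic-DNS names that behave like botnet rendezvous points.

Added example, not code from ChangeIP.com or the article. The log format
(ISO timestamp, client IP, queried name, answer IP) and the sample records
are constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _build_sample_log():
    """Constructed resolver log: one ordinary small site and one C2 name."""
    lines = [
        "2006-02-01T10:00:00 192.0.2.10 smallwebsite.example 203.0.113.5",
        "2006-02-01T10:00:03 192.0.2.11 smallwebsite.example 203.0.113.5",
        "2006-02-01T11:30:00 192.0.2.10 smallwebsite.example 203.0.113.5",
    ]
    # Twelve infected hosts polling the same name within a few seconds ...
    for i in range(12):
        lines.append(f"2006-02-01T10:00:{i:02d} 198.51.100.{i + 1} upd8.example 203.0.113.40")
    # ... and checking in again after the botmaster repointed the name to a new server.
    for i in range(12):
        lines.append(f"2006-02-01T14:00:{i:02d} 198.51.100.{i + 1} upd8.example 203.0.113.41")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_log(text):
    """Yield (name, timestamp, client_ip, answer_ip) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines rather than crash
        ts, client, name, answer = parts
        yield name, datetime.fromisoformat(ts), client, answer


def peak_distinct_clients(events, window):
    """Largest number of distinct clients seen for one name inside any window.

    events: iterable of (timestamp, client_ip). Sliding window over the
    time-sorted events; a Counter tracks each client's hits inside the window.
    """
    events = sorted(events)
    in_window = Counter()
    left = peak = 0
    for ts, client in events:
        in_window[client] += 1
        while ts - events[left][0] > window:
            old = events[left][1]
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            left += 1
        peak = max(peak, len(in_window))
    return peak


def analyze(log_text, window_seconds=60, min_clients=10):
    """Per name: peak distinct clients in a window, answer IPs seen, and a verdict.

    A small legitimate site rarely has many different hosts resolving it in the
    same minute; a name that does, and whose answer keeps changing, is the
    pattern described in the text. Thresholds are illustrative (min_clients
    would be far higher on a production resolver).
    """
    window = timedelta(seconds=window_seconds)
    hits = defaultdict(list)
    answers = defaultdict(set)
    for name, ts, client, answer in parse_log(log_text):
        hits[name].append((ts, client))
        answers[name].add(answer)
    report = {}
    for name, events in hits.items():
        peak = peak_distinct_clients(events, window)
        report[name] = {
            "peak_clients": peak,
            "answer_ips": sorted(answers[name]),
            "suspicious": peak >= min_clients,
        }
    return report


if __name__ == "__main__":
    for name, info in analyze(SAMPLE_LOG).items():
        flag = "SUSPECT" if info["suspicious"] else "ok"
        print(f"{flag:8} {name:24} peak_clients={info['peak_clients']} answers={info['answer_ips']}")
```

The answer-IP list is the second signal: a legitimate dynamic-DNS customer changes address occasionally, while a name that is repointed every time investigators close in accumulates a trail of control servers, which is exactly the evidence worth handing to law enforcement.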
"I am seeing this botnet-spyware connection just skyrocket," Norris says, "and I think it's because these guys are realizing there's tons of cash to be made here." A computer programmer by trade, Norris dissected a copy of the bot used by one hacker he recently banished from ChangeIP.com's network. The program contained instructions for installing 14 adware and spyware programs, and Norris says the bot code was encrypted and so thoroughly disguised that none of the antivirus software he used detected the code as malicious. As he was examining the bot program, Norris accidentally executed it, causing his machine to become infected. Almost immediately, he says, the program downloaded a package of adware and launched several pop-up ads for pornographic Web sites. It also installed GammaCash's infamous XXX toolbar. Norris's forensics work revealed that the bot program also contained more than 30 other features, including the ability to capture all of the victim's Web traffic and keystrokes, as well as a program that looks for PayPal user names and passwords. Other programs installed by the bot allowed the attackers to peek through a user's webcam. Norris often works out of his home in the auburn hills of San Marcos, Calif., where F-16 fighter jets from nearby Miramar Naval Air Station streak across the sky. Today he sits down at the desk in his cramped home office and clacks away at his keyboard, generating a slew of line graphs measuring the level of traffic flowing across his company's networks. He's a member of an informal enforcement group of more than 100 independent security experts worldwide who share daily data on the size, location and activity of the Web's most disruptive botnets. Hailing from Internet service providers, computer hardware manufacturers and software security firms, the group's members use that information to shut down botnets by cutting off the infected computers and forwarding the intelligence they glean to law enforcement. 
Each morning, Norris receives an e-mail listing the online locations of the Web servers used to control some of the world's most dangerous botnets. "First thing I do most days is go through this list and try to find out which ones" are using his network, he says, pointing to a report he just generated that lists the top 20 traffic-generating sites on his company's system. "Most of these are botnets." And the botnets are hardly limited to hijacked home computers. A few months back, Norris found more than 10,000 infected PCs on the inside of a Fortune 100 company network, all trying to contact a control server located at ChangeIP.com. When Norris called the company with the bad news, its poorly trained network administrator had no idea how to respond. "I call this guy up and say, 'Hey, you've got 10,000 infected computers on your network that are attacking me,' and this guy is basically, like, 'Well, what do you want me to do about it?' " Norris says that after collecting enough evidence about a botnet, he terminates the account and, he hopes, disconnects the botmaster from his army of infected machines. He says "he hopes" because many times the botmaster will have instructed his enslaved machines in advance to try several other domain names should the main control channel be shuttered. But in most cases, Norris says, the botmaster simply shifts control of his botnet to another Internet service provider. "Other times, the attackers play dumb and send polite e-mails asking why their service has been shut off." And, occasionally, the hackers will rebuild their botnets elsewhere and use them to retaliate against ChangeIP. Last year a botmaster who had been cut off joined forces with another botnet to direct such a massive, constant stream of bogus Web traffic at ChangeIP.com that the site had difficulty processing legitimate traffic for nearly a week. As the botnet problem has escalated, so has the interest of federal law enforcement, Norris says. 
Not long ago, he was contacted by a National Security Agency official who asked for records related to several ChangeIP accounts. He's also had visits from FBI agents hot on the trail of several botmasters. One FBI agent said he couldn't disclose the details of his investigation but handed Norris a copy of a Time magazine article about Chinese hackers suspected of infiltrating U.S. corporate and military computer networks. "The feds are finally starting to understand that botnets are more than just a nuisance: They're the source of all that's evil on the Internet today, from hacking and spamming to phishing and spying," Norris says. (Phishing involves impersonating trusted Web sites to gain confidential information from computer users.) Shutting down a botnet can be arduous work, but finding the criminal on the controlling end of the herd has proven an especially challenging task for law enforcement. That's in part because security experts like Norris and others often disagree over whether to dismantle the botnets as soon as possible or to monitor them for a period of time in order to gather intelligence that might prove useful in helping investigators track down the criminals behind them. Hank Nussbacher, an independent Internet security consultant based in Israel and a member of the group that's sharing information on botnet activity, says most members have their hands full just shutting down the botnets' command and control centers. "Occasionally, the Internet service provider where the [bot control center] is located requests that it not be shut down because they are collecting forensics information for some law enforcement agency, but I'd say about 98 percent of the time, as soon as we find one, we shut it down." Louis Reigel III, assistant director of the FBI's Cyber Division, says the botnet data regularly shared by security experts like Norris is invaluable. 
But Reigel stresses that prosecuting botmasters is difficult because their crimes and networks usually span multiple continents, which means working with foreign law enforcement agencies and depending on their cooperation. The FBI has dedicated several agents from its special technologies section to tracking down botnet operators and is pursuing hundreds of investigations, Reigel says. But "the techniques being used by these bot guys are becoming more efficient every day, so the bot situation is probably going to get a lot worse before it gets better." Norris shares that fear and worries that more botmasters will begin to exploit emerging peer-to-peer communication technologies of the sort that power controversial music- and movie-sharing networks like Kazaa and LimeWire. Such networks would allow enslaved computers to communicate instructions and share software updates among one another, so that they would no longer depend on orders from the master servers that Norris and other bot hunters search out and disable every day. "When P2P becomes the norm with these bots," Norris says, "that's when I call it quits with this botnet stuff, because, at that point, it will be pretty much out of my hands." On the eve of a visit to his home by a Washington Post photographer, 0x80 decides to tell his father what he really does for a living, in part, he says, because hiding it is starting to eat him up inside. 0x80 tells his father the whole truth, but he can't bring himself to break the news to his mother because, as he puts it, "she's really Christian and that would just crush her to know I'm involved in something like this." "I told my dad I had made an Internet worm that infected people, and then I used their computers to make money, and he just shook his head and was, like, 'I hope you don't go to jail for that . . .' and . . . 'I hope it wasn't underage porn you was doing.'" That same question has been encroaching on 0x80's peace of mind of late. 
His hard-boiled pose has begun to break down, and instead of sneering at the risks of getting caught and brought to justice, he's begun to talk about quitting the criminal hacking scene to join the Army, which, he reasons, will offer not only discipline and the motivation to earn his GED but also potentially a free ride to college. From there, he can imagine a more respectable future working on information technology projects for the military. "It's nice to have up to $10,000 a month coming in, but, if it's not legit, then I also have all this other stuff to worry about," 0x80 says. "Like, I gotta hide my laptop every night, and every time I don't come online for a day I have people blowing up my cell phone asking if I got raided by the feds." 0x80 has shared his plans with a few of his online buddies, many of whom have grown dependent on his ability to develop ever more stealthy and effective botnet programs. "Some of my people really don't want me to leave, but I've got to figure out a way to use the [expletive] I know to get something going for myself," 0x80 says. "With the Army, I could get stationed someplace where I would have a better chance at getting a higher-paying job and still be able to do what I like to do. Either way, I gotta get up outta this hole I'm living in." -=- Brian Krebs is a technology reporter for washingtonpost.com. He will be fielding questions and comments about this article Tuesday at 1 p.m. at washingtonpost.com/liveonline ©
2006 The Washington Post Company From isn at c4i.org Tue Feb 21 01:14:26 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 21 Feb 2006 00:14:26 -0600 (CST) Subject: [ISN] Passwords Passé at RSA Message-ID: http://www.wired.com/news/technology/0,70234-0.html By Ryan Singel February 17, 2006 SAN JOSE, California -- Identity theft and online bank fraud were the unofficial themes of the 2006 RSA Conference, a massive security confab where Bill Gates came to announce the imminent death of the password and vendors filled the exhibition halls with iPod giveaways and promises that their product could stop everything from spam and malware to hackers and typos. Thanks to a California law known as SB 1386 that requires companies to disclose sensitive data leaks to California consumers, companies like ChoicePoint and shoe retailer DSW became poster children for corporate negligence last year after mishandling sensitive data. In the wake of Senate hearings and investigations from federal regulators, corporations are beefing up security, both behind the scenes and at their virtual front doors. To find out how those changes will affect consumers in their daily online activities, Wired News surveyed the offerings of the over-250 security companies packed into RSA's exhibit hall, accompanied by cryptographer John Callas, who has been attending the conference since 1993. Callas is currently the CTO of PGP, the industry leader in encrypted communications and data storage. Perhaps the biggest change this year will be in online banking, as financial institutions move to comply with federal oversight agencies that are directing banks (.pdf) to secure their sites with more than just user logins and passwords. These extra fraud profiling and authentication measures are necessary, according to Callas, since the threats on the internet have changed. "Now we are not dealing with kids having fun," Callas said. "We are dealing with criminals -- the Russian mafia. 
And online banking risks are there if your bank offers it, even if you don't use it." E-trade, for instance, already offers free RSA security tokens to its most active users. Those battery-powered devices work by using a seed number and the current time to cryptographically generate a secure one-time code to complement the normal user login and password. But those gadgets aren't cheap and most people don't want multiple tokens or prefer not to carry them around. That's prompted newcomers to find alternative methods of performing "two factor" authentication. Callas likes PassMark Security's solution, which examines the device a user logs in from, looking for a number of factors including IP address and a secure cookie or Flash object the bank has previously stored on the machine, as the extra identification. Bank of America began offering the service in May 2005. Now a Bank of America customer logging in at the usual time from her usual machine will only need to enter the user name and password. But if that person is on a different machine using a different browser in a different time zone, for example, she will be presented with challenge questions that she answered when she signed up. Users could also be sent an additional one-time password by SMS text message or called on their cell phone by a machine using a synthetic voice to tell them an extra password. Additionally, PassMark helps keep users from entering passwords into fraud sites pretending to be their bank by displaying a unique image and caption, such as a sailboat labeled "Dream Boat," on the real site. The authentication back to the user is great, and can't easily be hacked without detection, according to Callas. And while it won't eliminate crime, it might be enough to persuade would-be fraudsters to go after a different bank, Callas said. "It is reasonably valuable if you can convince someone to steal from other people," Callas said. 
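The seed-plus-time scheme behind the tokens can be shown in a few lines. The block below is an added example, not RSA's code: SecurID tokens use a proprietary algorithm, so what follows is the open-standard equivalent (HOTP from RFC 4226 driven by a time-step counter as in RFC 6238), which works the same way in principle. The seed value is the RFC's published test seed, used here only so the output can be checked against known vectors.

```python
"""Time-based one-time codes as a second factor.

Added example, not RSA's code: RSA SecurID tokens use a proprietary algorithm,
so this shows the open-standard equivalent (HOTP, RFC 4226, driven by a time
counter as in TOTP, RFC 6238). A shared seed plus the current 30-second time
step produces a short code that is only valid briefly.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: dynamic truncation of HMAC(secret, counter) to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time=None, step: int = 30, digits: int = 6) -> str:
    """Code for the time step containing unix_time (default: now)."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, code: str, unix_time, last_counter: int = -1,
                step: int = 30, digits: int = 6, skew: int = 1):
    """Return the accepted time-step counter, or None if the code is rejected.

    Accepts +/- `skew` steps of clock drift between token and server, compares
    in constant time, and refuses any counter at or below `last_counter`, so a
    code captured by a keylogger cannot be replayed inside its validity window.
    The caller stores the returned counter as the user's new `last_counter`.
    """
    counter = int(unix_time) // step
    for c in range(counter - skew, counter + skew + 1):
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


if __name__ == "__main__":
    # RFC 6238 test seed; a real token's seed is provisioned by the issuer.
    seed = b"12345678901234567890"
    now = time.time()
    code = totp(seed, now)
    accepted = verify_totp(seed, code, now)
    print("code:", code, "accepted at counter:", accepted)
    print("replay rejected:", verify_totp(seed, code, now, last_counter=accepted) is None)
```

Two details matter for the caveat Callas raises about criminals rather than hobbyists: the comparison is constant-time so the server does not leak digits by timing, and the `last_counter` check means a code stolen mid-session is useless once the legitimate login has consumed it.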
Another authentication method that caught Callas' attention was by BioPassword, a company that adds an extra layer of security by locking out users who don't type in a password with the same typing style as the original user. Callas says he's generally not bullish on biometrics like fingerprint readers for e-commerce, since, like credit card numbers, the data can be stolen. But he likes the typing rhythm idea, because unlike a fingerprint, the user can easily reset the system. "If you pick a new password then you will have a new rhythm," Callas said. "That's the disposable biometric." The system does have one side effect that may or may not be a bug, admits BioPassword vice president Dean Bravos. Users who have been drinking may not be able to log in. These two companies aren't the only ones trying to find ways to add extra authentication without requiring users to carry around security tokens. Conference organizer RSA Security, the undisputed leader in security tokens, recently acquired Cyota, which offers financial institutions methods to authenticate users based on their usage patterns. Cyota technology looks at such metrics as users' cookies and IP address, in combination with their transaction history -- so a middle-America soccer mom sending $2,000 at 2:00 am to an account in Turkey might raise a red flag. Other new offerings from RSA Security include a browser toolbar that works like a security token, and software that can turn a mobile phone or a BlackBerry into a token. Even mostly invisible, behind-the-scenes authentication will help internet users feel safer, as banks and brokerage houses can now offer financial guarantees to their customers, according to Scott Young, the vice president of RSA/Cyota's consumer division. "A lot of us are familiar with the experience of getting a call from a credit-card company, saying, 'Hey, did you make this transaction?,'" Young said. 
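The PassMark and Cyota approach, a password plus a cookie the bank planted on the machine earlier plus a check that the login context looks like this customer, reduces to a small decision function once the cookie is made unforgeable. The block below is an added example, not either vendor's code (their scoring is proprietary); the server key, the cookie layout, the profile format and the "new country" and "unusual hour" signals are assumptions of this illustration.

```python
"""Device-bound, risk-based login of the kind described for PassMark and Cyota.

Added example; the vendors' scoring is proprietary and not shown. A login needs
the password plus a server-signed device cookie that was set on this machine
after an earlier step-up; when the cookie is missing, forged or belongs to a
different user, or the country or hour is unusual for the account, the server
asks for a challenge instead of letting the password alone through.
SERVER_KEY and the profile format are assumptions of this example.
"""
import base64
import hashlib
import hmac
import json
import secrets

SERVER_KEY = b"hypothetical-server-secret-kept-in-a-vault"  # assumption
TAG_LEN = 32  # SHA-256 HMAC tag appended to the cookie payload


def issue_device_cookie(user: str, key: bytes = SERVER_KEY) -> str:
    """Mint a cookie binding a fresh random device id to this user.

    Issued only after a successful step-up (challenge questions, SMS code),
    so its presence later means "this machine passed the extra check before".
    """
    payload = json.dumps({"u": user, "d": secrets.token_hex(8)}).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def read_device_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the cookie payload if its MAC verifies, else None (tampered/forged)."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except (ValueError, UnicodeEncodeError):
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return json.loads(payload)
    except ValueError:
        return None


def assess_login(user, password_ok, cookie, login_country, local_hour, profile):
    """Return ('deny' | 'allow' | 'challenge', reasons).

    profile: {"countries": usual login countries, "hours": range of usual local hours}
    The password is always required; the cookie and context decide whether the
    password alone is enough or a challenge is presented as well.
    """
    if not password_ok:
        return "deny", ["bad password"]
    reasons = []
    data = read_device_cookie(cookie) if cookie else None
    if data is None or data.get("u") != user:
        reasons.append("unrecognised device")
    if login_country not in profile["countries"]:
        reasons.append("new country")
    if local_hour not in profile["hours"]:
        reasons.append("unusual hour")
    return ("allow" if not reasons else "challenge"), reasons


if __name__ == "__main__":
    profile = {"countries": {"US"}, "hours": range(7, 23)}
    cookie = issue_device_cookie("alice")  # set on the browser after a passed challenge
    print(assess_login("alice", True, cookie, "US", 9, profile))
    print(assess_login("alice", True, cookie, "TR", 2, profile))
    print(assess_login("alice", True, None, "US", 9, profile))
```

Because the user name is inside the MACed payload, a cookie lifted from one customer's machine does not vouch for a login to another account; what it does not stop is malware on the customer's own machine, which is why Callas calls the scheme valuable rather than decisive.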
"Even though we don't see that going on all the time, the reassurance of having someone check with us, even if it was us making that transaction, is really valuable. "Likewise, most of the time, consumers are not inconvenienced by (RSA/Cyota's) extra security but a decent percent will know, since they will have some interaction with the security system at some point, that they are being protected." From isn at c4i.org Tue Feb 21 01:14:48 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 21 Feb 2006 00:14:48 -0600 (CST) Subject: [ISN] Google admits Desktop security risk Message-ID: http://news.zdnet.co.uk/0,39020330,39253447,00.htm Tom Espiner ZDNet UK February 20, 2006 Google Desktop 3 Beta contains a security risk for businesses, says Gartner, and Google agrees Businesses have been warned by research company Gartner that the latest Google Desktop Beta has an "unacceptable security risk". Google Desktop allows indexing and searching of PCs' hard drives, and sharing of information through a feature called Search Across Computers. This enables users to search for information within a network such as an intranet. The risk to enterprises, according to Gartner, lies in how this shared information is pooled by Google. The data is transferred to a remote server, where it is stored and can then be shared between users for up to 30 days. Gartner said in a report on Thursday that the "mere transport [of data] outside the enterprise will represent an unacceptable security risk to many enterprises", as intellectual property could be transported out of the business. Google told ZDNet UK on Monday that it recognised the risk, and recommended that companies take action. "We recognise that this is a big issue for enterprise. Yes, it's a risk, and we understand that businesses may be concerned," said Andy Ku, European marketing manager for Google. 
Google confirmed to ZDNet UK that data was temporarily transported outside of businesses when the Search Across Computers feature was used, and that this represented "as much of a security risk as email does". "Theoretically any intellectual property can be transferred outside of a company," said Ku. "We understand that there are a lot of security concerns about the Search Across Computers feature, but Google won't hold information unless the user or enterprise opts in [to the feature]." Google said that security was the concern of individual businesses. "The burden falls on enterprises to look after security issues," said Ku. "Companies can disable the Search Across Computers facility." Gartner said that sensitive documents may be inadvertently shared by workers, who may not have specialist knowledge of regulatory or security restrictions. Google said it was unable to comment on the risks posed when individuals share sensitive information. "Some users may, and some users may not be able to," said Ku, adding that companies should follow their own policies. "At the end of the day, each company should make its own decision. If they are uncomfortable, they shouldn't enable the feature," Ku said. "It's about what a company deems to be best corporate policy." Gartner has recommended that businesses use Google Desktop for Enterprise, as this allows systems administrators to centrally turn off the Search Across Computers feature, which it said should be "immediately disabled". Companies "must also evaluate what they are allowing to be indexed, and whether they are comfortable that they can adequately bar the sharing of data with Google's servers," said Gartner. Google agreed that Google Desktop Enterprise would better mitigate security risks. "If you're given a choice, choose Enterprise," said Ku. 
From isn at c4i.org Tue Feb 21 01:15:18 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 21 Feb 2006 00:15:18 -0600 (CST) Subject: [ISN] ITL Bulletin for February 2006 Message-ID: Forwarded from: Elizabeth Lennon ITL BULLETIN FOR FEBRUARY 2006 CREATING A PROGRAM TO MANAGE SECURITY PATCHES AND VULNERABILITIES: NIST RECOMMENDATIONS FOR IMPROVING SYSTEM SECURITY Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Technology Administration U.S. Department of Commerce A systematic approach to managing and using software patches can help organizations to improve the overall security of their information technology (IT) systems in a cost-effective way. Organizations that actively manage and use software patches can reduce the chances that the vulnerabilities in their IT systems can be exploited; in addition, they can save time and money that might be spent in responding to vulnerability-related incidents. Patches are additional pieces of code that have been developed to address specific problems or flaws in existing software. Vulnerabilities are flaws that can be exploited, enabling unauthorized access to IT systems or enabling users to have access to greater privileges than authorized. New vulnerabilities are discovered each day, and IT systems are constantly threatened by new attacks. The National Vulnerability Database (NVD), maintained by NIST's Information Technology Laboratory, includes information about more than 16,000 vulnerabilities and reports about new vulnerabilities at the rate of 14 per day. The NVD integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources. At the current rate of vulnerability reporting, even small organizations with a single server can expect to spend considerable time reviewing and applying critical patches. Organizations must be aware of and use available security patches. 
Since not all vulnerabilities have related patches, however, it is essential to apply other security controls that are selected through an analysis of the vulnerabilities and the risks to systems.

NIST Special Publication 800-40, Version 2, Creating a Patch and Vulnerability Management Program

NIST recently issued Special Publication (SP) 800-40, Version 2, Creating a Patch and Vulnerability Management Program. Written by Peter Mell of NIST, Tiffany Bergeron of The MITRE Corp., and David Henning of Hughes Network Systems LLC, NIST SP 800-40 was developed with the support of the United States Computer Emergency Readiness Team (US-CERT), an organization in the Department of Homeland Security that coordinates defense against and responses to cyber attacks. Version 2 supplements the earlier version of NIST SP 800-40, entitled Procedures for Handling Security Patches (August 2002). Both publications are available at: http://csrc.nist.gov/publications/nistpubs/index.html.

NIST SP 800-40 provides guidance for organizational security managers who are responsible for designing and implementing security patch and vulnerability management programs and for testing the effectiveness of the programs in reducing vulnerabilities. The guidance is also useful to system administrators and operations personnel who are responsible for applying and testing patches and for deploying solutions to vulnerability problems.

Topics covered in Version 2 include the principles and methodologies for patch and vulnerability management, security metrics for testing the effectiveness of the patch and vulnerability process, management issues such as setting priorities for patch efforts, and federal government resources available to support the patch and vulnerability processes. The appendices include a list of acronyms, a glossary of terms, and information on patch and vulnerability issues available from industry sources.

Security Patches

Timely patching of software is generally recognized as critical to maintaining the operational availability, confidentiality, and integrity of IT systems. Failure to keep operating system and application software patched is one of the most common problems that security and IT professionals must handle. New patches are released daily, and even experienced system administrators may have difficulty in keeping informed about the new patches and in deploying them properly in a timely manner. Most major attacks on IT systems over the past few years have targeted known vulnerabilities for which patches had existed before the outbreaks.

Information about patches can also lead to problems for organizations. Often when a patch is released, attackers will make concerted efforts to reverse engineer the patch swiftly (in days or even hours), to identify the vulnerability, and to develop and release code that exploits the vulnerability. As a result, the period immediately following the release of a patch can be particularly dangerous for organizations because of the time that they need to obtain, test, and deploy the patch.

NIST Recommendations for Patch and Vulnerability Management

Organizations should implement a systematic, accountable, and documented process for managing exposure to vulnerabilities through the timely deployment of patches. NIST recommends that federal agencies implement the following actions to assist in patch and vulnerability management:

Create a patch and vulnerability group (PVG) to facilitate the identification and distribution of patches within the organization. The PVG should be specially tasked to implement the patch and vulnerability management program throughout the organization. The PVG is the central point for vulnerability remediation efforts, such as implementing patching and configuration changes for operating system and application software. Since the PVG should work actively with local administrators, large organizations may need to organize several PVGs; these groups could work together or they could be structured hierarchically with an authoritative top-level PVG. The duties of a PVG include the following:

1. Inventory the organization's IT resources to identify the hardware equipment, operating systems, and software applications that are used within the organization.
2. Monitor security sources for vulnerability announcements, patch and non-patch methods of remediation, and emerging threats that match up with the software within the system inventory of the PVG.
3. Prioritize the order in which the organization addresses the remediation of vulnerabilities, based on analysis of risks to systems.
4. Create a database of remediation methods that need to be applied within the organization.
5. Conduct the testing of patches and non-patch remediation methods on IT devices that use standardized configurations.
6. Oversee the vulnerability remediation process in the organization.
7. Distribute vulnerability and remediation information to local administrators.
8. Perform automated deployment of patches to IT devices using enterprise patch management tools.
9. Configure automatic updates of applications whenever possible and appropriate.
10. Verify vulnerability remediation through network and host vulnerability scanning.
11. Train administrators on how to apply vulnerability remediation.

Use automated patch management tools to expedite the distribution of patches to systems. Widespread manual patching of computers is becoming ineffective as the number of patches that need to be installed grows and as attackers continue their rapid development of code that exploits vulnerabilities. While patching and vulnerability monitoring may appear to be overwhelming tasks, the use of automated patching technology can make the job less burdensome. Enterprise patch management tools allow the PVG, or a group they work closely with, to automatically distribute updates and patches to many computers quickly. All medium- to large-size organizations should use enterprise patch management tools for most of their computers. Even small organizations should consider migrating to the use of automated patching tools.

Deploy enterprise patch management tools using a phased approach. Implementing patch management tools in phases allows process and user communication issues to be addressed with a small group before the patch application is deployed throughout the organization. Most organizations should deploy patch management tools first for their standardized desktop systems and single-platform server farms of similarly configured servers. Once this has been accomplished, organizations should address the more difficult issue of integrating multiplatform environments, nonstandard desktop systems, legacy computers, and computers with unusual configurations. Manual methods may be needed for operating systems and applications not supported by automated patching tools, as well as for some computers with unusual configurations, such as embedded systems, industrial control systems, medical devices, and experimental systems. For these systems, there should be a written and implemented procedure for the manual patching process, and the PVG should coordinate the local administrator efforts.

Assess and mitigate the risks associated with deploying enterprise patch management tools. Enterprise patch management tools, while usually effective at reducing risk, can also create additional security risks for an organization. For example, an attacker could break into the organization's central patch management computer and use the enterprise patch management tool as a way to distribute malicious code efficiently. Organizations should partially mitigate these risks through the application of standard security techniques that should be used when deploying any enterprise-wide application.

Consider using standardized configurations for IT resources. Organizations will find it much easier and less costly to implement a patch and vulnerability management program when they use standard configurations. Further, the PVG may not be able to test patches adequately if IT devices use nonstandard configurations. Enterprise patch management tools may be ineffective if deployed within an environment where every IT device is configured uniquely, because the side effects of the various patches on the different configurations will be unknown. Comprehensive patch and vulnerability management is almost impossible within large organizations that do not deploy standard configurations. Organizations should focus their standardization efforts on the systems that make up a significant portion of their IT resources.

Measure the effectiveness of the patch and vulnerability management program in a consistent manner and apply corrective actions as necessary. An organization can measure its susceptibility to attack, based on the number of patches needed, the number of vulnerabilities identified, and the number of network services running on a per-system basis. These measurements should be taken individually for each computer within the system, and the results then aggregated to determine the system-wide result. A second measure to be made is the mitigation response time, which is based on how quickly an organization can identify, classify, and respond to a new vulnerability and mitigate the potential impact of the vulnerability within the organization. The third measure to be made is the cost of the patch and vulnerability program. This may be difficult to measure because actions are often split between many different personnel and groups. The four main costs that should be taken into consideration are: the PVG, system administrator support, enterprise patch and vulnerability management tools, and incidents that occurred due to failures in the patch and vulnerability management program.

The patch and vulnerability metrics that are taken for a system or IT security program should reflect the patch and vulnerability management maturity level. For example, attack susceptibility metrics such as the number of patches, vulnerabilities, and network services per system are generally more useful for a program with a low maturity level than a high maturity level. Organizations should document what metrics will be taken for each system and the details of each of those metrics. Realistic performance targets for each metric should be communicated to system owners and system security officers. Once these targets have been achieved, more ambitious targets can be set. The level of patch and vulnerability security should be set carefully to avoid overwhelming system security officers and system administrators.

NIST Publications That Support Patch and Vulnerability Management

NIST publications can help you in planning and implementing a comprehensive approach to IT security. For information about the NIST publications that are referenced in the patch and vulnerability management guide, as well as other security-related publications, see http://csrc.nist.gov/publications/index.html.

NIST Special Publication (SP) 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems, helps federal agencies develop plans for their IT systems, by documenting their security requirements and describing the controls that are in place or that are planned for meeting those requirements.

NIST SP 800-23, Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products, helps organizations acquire and use security-related information technology products.
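The following script is an added example, not part of the bulletin or of NIST SP 800-40, showing how the susceptibility metrics, mitigation response time and risk-based prioritization described above can be computed from scan results. Host names, system names, service lists and CVE ids are constructed placeholders; the impact categories are FIPS 199-style labels assumed for the example.

```python
"""Patch and vulnerability metrics in the style of NIST SP 800-40 Version 2.

Added example (not from the bulletin or NIST). All hosts, systems and CVE ids
are constructed placeholders. From a per-host scan inventory it computes:
  * attack-susceptibility counts per host (patches needed, open
    vulnerabilities, listening services), aggregated system-wide;
  * mitigation response time per CVE (announcement to scan-verified fix);
  * findings overdue against a performance target;
  * a remediation queue ordered by impact category, then severity, then age.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional, Tuple


@dataclass
class Vuln:
    cve: str                   # placeholder id (constructed)
    severity: str              # "high", "medium" or "low"
    patch_available: bool      # False: a non-patch control is needed
    announced: str             # ISO date the vulnerability was announced
    verified_fixed: Optional[str] = None  # ISO date a scan confirmed the fix


@dataclass
class Host:
    name: str
    system: str                # information system the host belongs to
    impact: str                # FIPS 199-style: "low", "moderate", "high"
    services: List[str]        # listening network services found by the scan
    vulns: List[Vuln]


SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}
IMPACT_RANK = {"high": 3, "moderate": 2, "low": 1}


def host_metrics(h: Host) -> Dict[str, int]:
    """Per-computer susceptibility counts; only scan-unverified findings are open."""
    open_vulns = [v for v in h.vulns if v.verified_fixed is None]
    return {"patches_needed": sum(1 for v in open_vulns if v.patch_available),
            "vulnerabilities": len(open_vulns),
            "services": len(h.services)}


def system_metrics(hosts: List[Host]) -> Dict[str, Dict[str, float]]:
    """Aggregate per-host counts into system-wide totals and per-host means."""
    per_host = [host_metrics(h) for h in hosts]
    result = {}
    for key in ("patches_needed", "vulnerabilities", "services"):
        values = [m[key] for m in per_host]
        result[key] = {"total": sum(values), "per_host_mean": mean(values)}
    return result


def mitigation_response_days(hosts: List[Host], as_of: str) -> Dict[str, int]:
    """Days from announcement to verified remediation per CVE.

    A CVE on several hosts is closed only when the last host is verified;
    still-open findings are measured up to the as_of date.
    """
    end_default = date.fromisoformat(as_of)
    days_by_cve: Dict[str, int] = {}
    for h in hosts:
        for v in h.vulns:
            end = date.fromisoformat(v.verified_fixed) if v.verified_fixed else end_default
            days = (end - date.fromisoformat(v.announced)).days
            days_by_cve[v.cve] = max(days_by_cve.get(v.cve, 0), days)
    return days_by_cve


def overdue(days_by_cve: Dict[str, int], target_days: int) -> List[str]:
    """CVEs whose response time exceeds the agreed performance target."""
    return sorted(cve for cve, d in days_by_cve.items() if d > target_days)


def remediation_queue(hosts: List[Host]) -> List[Tuple[str, str, str]]:
    """Open findings ordered by system impact, severity, then announcement age."""
    items = [(h, v) for h in hosts for v in h.vulns if v.verified_fixed is None]
    items.sort(key=lambda hv: (-IMPACT_RANK[hv[0].impact],
                               -SEVERITY_RANK[hv[1].severity],
                               hv[1].announced, hv[0].name))
    return [(h.name, v.cve, "patch" if v.patch_available else "non-patch control")
            for h, v in items]


# Constructed sample inventory; not real hosts or vulnerabilities.
INVENTORY = [
    Host("web-01", "Citizen portal", "high", ["http", "https", "ssh"], [
        Vuln("CVE-XXXX-0001", "high", True, "2006-01-10"),
        Vuln("CVE-XXXX-0002", "medium", False, "2006-01-20"),
        Vuln("CVE-XXXX-0003", "low", True, "2005-12-01", "2005-12-15")]),
    Host("web-02", "Citizen portal", "high", ["http", "https", "ssh", "snmp"], [
        Vuln("CVE-XXXX-0001", "high", True, "2006-01-10", "2006-01-25")]),
    Host("fs-01", "HR file share", "moderate", ["smb", "rdp"], [
        Vuln("CVE-XXXX-0004", "medium", True, "2006-01-05")]),
]

if __name__ == "__main__":
    portal = [h for h in INVENTORY if h.system == "Citizen portal"]
    print("portal metrics:", system_metrics(portal))
    rt = mitigation_response_days(INVENTORY, "2006-02-01")
    print("response days:", rt, "overdue (>21 days):", overdue(rt, 21))
    for item in remediation_queue(INVENTORY):
        print("remediate:", item)
```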
NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems, provides a method for organizations to determine the status of their information security systems and to establish a target for improvement, if needed. The guide defines maturity levels for various aspects of an IT security program.

NIST SP 800-51, Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme, describes methods for identifying and organizing known IT system vulnerabilities and provides guidance in the acquisition of CVE-compatible products and services. The CVE is a resource for the IT security community, providing a comprehensive list of publicly known vulnerabilities, an analysis of the authenticity of newly published vulnerabilities, and a unique name for each vulnerability.

NIST SP 800-55, Security Metrics Guide for Information Technology Systems, describes the security metrics development and implementation process. Implementation of this process will help demonstrate the adequacy of in-place security controls, policies, and procedures. It also will help justify security control investments and can be used in identifying necessary corrective actions for deficient security controls.

NIST SP 800-61, Computer Security Incident Handling Guide, discusses how to organize a security incident response capability and how to handle incidents including denial of service, malicious code, unauthorized access, and inappropriate use of systems.

NIST SP 800-70, Security Configuration Checklists Program for IT Products: Guidance for Checklists Users and Developers, provides guidance on creating and using security configuration checklists, which are helpful tools for standardization. NIST SP 800-70 describes the Security Configuration Checklists Program for IT Products, which collects reviewed checklists for a variety of operating systems and applications. Information about the checklists repository is available at http://csrc.nist.gov/checklists/index.html.
Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems (February 2004), establishes security categories for federal information and information systems. The categories are determined based on the potential impact of a loss of confidentiality, integrity, or availability of information or an information system. The security categories should be used to prioritize multi-system vulnerability remediation efforts.

The National Vulnerability Database (NVD) integrates all of the US-CERT vulnerability mitigation products, including vulnerability notes and National Cyber Alert System products. It contains a fine-grained search engine that allows users to search for vulnerabilities containing a variety of characteristics. For example, users can search on product characteristics such as vendor name, product name, and version number, or on vulnerability characteristics such as severity, related exploit range, and type of vulnerability. The NVD provides a vulnerability summary for each CVE vulnerability. Each summary contains attributes of the vulnerability (including a short summary and vulnerable version numbers) and links to advisories, patches, and other resources related to the vulnerability. The NVD is available at http://nvd.nist.gov/.

Disclaimer

Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.

Elizabeth B. Lennon
Writer/Editor
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 975-2378

From isn at c4i.org Tue Feb 21 01:15:31 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 21 Feb 2006 00:15:31 -0600 (CST)
Subject: [ISN] Door open for terror: expert
Message-ID:

http://australianit.news.com.au/articles/0,7204,18214035%5E15319%5E%5Enbv%5E15306,00.html

Jennifer Foreshew
The Australian
FEBRUARY 21, 2006

MORE than 90 per cent of Australia's critical infrastructure was operated by corporations that were expected to protect themselves against e-crime as well as terrorists and overseas attacks, a conference has heard.

The public and private sectors were interdependent and relied on national and global networks to do business and provide day-to-day services, a cyber-terrorism expert said.

Speaking at the Chief Information Officers City Summit in Sydney last week, Matt Warren said a well targeted cyber-based attack could disrupt water, power and food supplies, and bring society to a standstill.

"Government is trying to persuade corporations to increase security on those systems," Professor Warren told The Australian. "However, companies are not being given any extra funds to do that. They are just asked to do it in the national interest."

While businesses had a duty of care for their own organisational assets, they were now expected to plan for extraordinary security risks at a national level, he said. "The problem is they are not going to have access to the threat information, so it is hard for them to determine the security risks that they face."

Professor Warren, who is head of Deakin University's School of Information Systems, said another issue was that many corporations were not Australian-owned. "In Victoria, there are electricity suppliers that are owned by Singapore companies," he said.
"So there may be resistance to increase expenditure on security to protect Australia."

Part of the problem arose from Australia's lack of a critical infrastructure protection centre to assist business, or a department of homeland security, he said. Prime Minister John Howard has rejected the idea of a department of homeland security, which was embraced by Labor at the last election.

A single critical infrastructure protection centre could achieve better co-ordination between business, law enforcement, intelligence and security agencies, along with civil authorities and defence organisations, he said. Australia should also draw on the experience of Canada, New Zealand, Sweden, Britain and the US, which had all established such a co-ordination centre, he said.

"The reality is that Australia could not react to an incident in real-time," he said. "The number of government organisations involved creates complex decision-making and wastes resources."

From isn at c4i.org Tue Feb 21 01:15:45 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 21 Feb 2006 00:15:45 -0600 (CST)
Subject: [ISN] Beware the 'pod slurping' employee
Message-ID:

http://news.com.com/Beware+the+pod+slurping+employee/2100-1029_3-6039926.html

[InfoSec News covered iPod industrial espionage back in 2002, http://seclists.org/lists/isn/2002/Mar/0002.html - WK]

By Will Sturgeon
Special to CNET News.com
February 15, 2006

A U.S. security expert who devised an application that can fill an iPod with business-critical data in a matter of minutes is urging companies to address the very real threat of data theft.

Abe Usher, a 10-year veteran of the security industry, created an application that runs on an iPod [1] and can search corporate networks for files likely to contain business-critical data. At a rate of about 100MB every couple minutes, it can scan and download the files onto the portable storage units in a process dubbed "pod slurping." [2]

To the naked eye, somebody doing this would look like any other employee listening to their iPod at their desk. Alternatively, the person stealing data need not even have access to a keyboard but can simply plug into a USB port on any active machine.

Usher denies that his creation is an irresponsible call to arms for malicious employees and would-be data thieves, and instead insists that his scare tactics are intended to stir companies into action to protect themselves against the threat.

"This is a growing area of concern, and there's not a lot of awareness about it," he said. "And yet in 2 minutes, it's possible to extract about 100MB of Word, Excel, PDF files--basically anything which might contain business data--and with a 60GB iPod, you could probably have every business document in a medium-size firm."

Andy Burton, CEO of device management firm Centennial Software [3], said Usher walks a fine line but believes that he is acting with the best intentions and agrees that companies that still haven't recognized the threat need to be given a wake-up call.

"Nobody wakes up in the morning worrying about antivirus or their firewall because we all know we need those things, and we all have them in place," Burton said. "Now the greatest threat is very much inside the organization, but I'm not sure there are that many businesses (that) have realized it's possible to plug in an iPod and just walk away with the whole business in a matter of minutes."

Usher said companies shouldn't expect any help from their operating system, the most popular of which lacks the granularity to manage this threat effectively without impairing other functions.

"(Microsoft Windows) Vista looks like it's going to include some capability for better managing USB devices [4], but with the time it's going to take to test it and roll it out, we're probably two years away from seeing a Microsoft operating system with the functionality built in," Usher said.
"So companies have to ask themselves, 'Can we really wait two years?'"

Citing FBI figures that put the average cost of data theft at $350,000, Usher argues that they can't. "The cost of being proactive is less than the cost of reacting to an incident," Usher said.

Will Sturgeon of Silicon.com reported from London.

[1] http://www.sharp-ideas.net/downloads.php
[2] http://www.sharp-ideas.net/pod_slurping.php
[3] http://www.centennial-software.com/
[4] http://news.com.com/Microsoft+launches+updated+Vista+preview/2100-1016_3-6001531.html

From isn at c4i.org Thu Feb 23 04:35:20 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 23 Feb 2006 03:35:20 -0600 (CST)
Subject: [ISN] DEF CON 14 is now in effect! The Call for Papers is open.
Message-ID:

Forwarded from: Jeff Moss

W00t! DEF CON 14 is now in effect! The Call for Papers is open.

This is a short announcement to let everyone know that we are opening the call for papers for DEFCON 14 - the annual gathering of subversive computer folks. Earlier submissions are given higher priority, so prepare your best kung-foo grip, and send it our way.

Remember, we are always looking for original and highly technical content, unusual subject matters, software releases, innovative hardware hacking, and generally mind-blowing content. Check out past convention archives to get an idea of what we are talking about.

http://www.defcon.org/html/defcon-14/dc-14-cfp.html

DEF CON 14 will be August 4-6 at the Riviera Hotel & Casino in Las Vegas. Did you notice that? It's a new hotel this year! See www.defcon.org for more general information.

A more complete announcement will be released in a month or so with details of contests and content.
The Dark Tangent

From isn at c4i.org Thu Feb 23 04:35:35 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 23 Feb 2006 03:35:35 -0600 (CST)
Subject: [ISN] N.H. state server eyed in possible credit card data breach
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,108896,00.html

By Todd R. Weiss
FEBRUARY 22, 2006
COMPUTERWORLD

The FBI, the Department of Justice and New Hampshire officials are investigating a potential security breach after the Cain & Abel computer worm was found on a state Department of Motor Vehicles (DMV) server during a routine security check last week.

The state's Office of Information Technology said in a statement that no evidence has been found that indicates any user credit card information was accessed. Residents who used the state server for transactions were warned to keep an eye on their credit card transaction histories, but state officials said no illegal credit card use has been reported. The server held only credit card numbers, with no other personal information.

New Hampshire state CIO Richard C. Bailey Jr. said it is still not clear how the worm -- a variation of a legitimate application, the Cain & Abel password recovery program for Microsoft products -- was placed on the server. That could have been done from inside the state's system or over the Internet. No other instances of the worm have been found on other servers in the state network, Bailey said.
An unnamed employee at the state's Office of Information Technology (OIT) was placed on paid leave as part of the investigation, Bailey said. He declined to comment further.

The worm was found during a routine security checkup as IT workers were evaluating a network intrusion system from Cisco Systems Inc., Bailey said. The Cisco Security Monitoring, Analysis and Response System appliance was used by the IT workers to look for anomalies, track them down and stop any threats, he said.

The Cain & Abel worm could allow an intruder to watch activity on the server, according to the OIT. The affected server was taken last week by the FBI, which is conducting forensic analysis on it to try to determine how the worm was placed on it.

In addition to being used by the state DMV, the server is also used by the New Hampshire Veterans Home and as a backup system for the state's Liquor Commission. The DMV and Veterans Home use the server to transmit financial information, while the Liquor Commission uses it as a backup system for sales transactions in state liquor stores.

"As of yesterday, no one had reported an instance in which their credit card information had been compromised, which we're taking as a good sign," Bailey said.

Pamela Walsh, a spokeswoman for the New Hampshire governor's office, said the ongoing investigation will probe whether the Cain & Abel worm was ever activated on the server to look at the stored credit card numbers. "We don't know at this point [that] it that actually happened," she said.
From isn at c4i.org Thu Feb 23 04:35:47 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 23 Feb 2006 03:35:47 -0600 (CST)
Subject: [ISN] Convicted data thief gets eight years
Message-ID:

http://news.com.com/2100-7348_3-6042290.html

By Declan McCullagh
Staff Writer, CNET News.com
February 22, 2006

A bulk e-mailer who looted more than a billion records with personal information from a data warehouse has been sentenced to eight years in prison, federal prosecutors said Wednesday.

Scott Levine, 46, was sentenced by a federal judge in Little Rock, Ark., after being found guilty of breaking into Acxiom's servers and downloading gigabytes of data in what the U.S. Justice Department calls one of the largest data heists to date. Acxiom, based in Little Rock, says it operates the world's largest repository of consumer data, and counts major banks, credit card companies and the U.S. government among its customers.

In August 2005, a jury convicted Levine, a native of Boca Raton, Fla., and former chief executive of a bulk e-mail company called Snipermail.com, of 120 counts of unauthorized access to a computer connected to the Internet. The U.S. government says, however, there was no evidence that Levine used the data for identity fraud.

Prosecutors had asked for a longer sentence, but expressed satisfaction with an eight-year prison stay. "This sentence reflects the seriousness of these crimes," said U.S. Attorney Bud Cummins of the Eastern District of Arkansas. It also includes a $12,300 fine; restitution has not yet been determined.

According to court documents, Levine and others broke into an Acxiom server used for file transfers and downloaded an encrypted password file called ftpsam.txt in early 2003. Then they ran a cracking utility on the ftpsam.txt file, prosecutors said, discovered 40 percent of the passwords, and used those accounts to download even more sensitive information.
When it was in operation, Snipermail.com drew fire from antispam advocates for falsely claiming to operate only "opt-in" lists. The company's now-defunct domain shows up on the Register of Known Spam Operations compiled by the Spamhaus Project, and dozens of sightings of spam from Snipermail.com appear on Usenet's news.admin.net-abuse.sightings discussion group.

Acxiom has said that after the 2003 intrusion, it improved its intrusion detection, vulnerability scanning and encryption systems.

This is not the first prosecution to arise out of poor security practices on Acxiom's file transfer protocol server (FTP). An Ohio man named Daniel Baas previously pleaded guilty to illegally entering Acxiom's FTP site. That investigation led federal police--including the FBI and Secret Service--to Levine, according to the Justice Department.

Copyright © 1995-2006 CNET Networks, Inc. All rights reserved.

From isn at c4i.org Thu Feb 23 04:36:00 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 23 Feb 2006 03:36:00 -0600 (CST)
Subject: [ISN] Focus on cybersecurity compliance called ineffective
Message-ID:

http://www.govexec.com/story_page.cfm?articleid=33439

By Daniel Pulliam
dpulliam @ govexec.com
February 22, 2006

Adherence to congressionally mandated IT security processes is a poor measure of the true state of cybersecurity across the government, a former federal chief information security officer said Wednesday.

Agencies are fixated on complying with statutes such as the 2002 Federal Information Security Management Act and are creating piles of paperwork and checklists that indicate little about actual security levels, said Bruce Brody, vice president of information security at INPUT, a Reston, Va.-based market analysis firm.

Brody said annual cybersecurity grades determined by the House Government Reform Committee and its chairman, Rep. Tom Davis, R-Va., based on FISMA compliance, also have little meaning.
For fiscal 2004, the federal government achieved an overall grade of D+, up from a D the previous year.

"When the annual FISMA grades are released -- which could be imminently -- you have to ask yourself, what do those grades really mean?" Brody said. "The high grades could mean a lot of compliance, but not a lot of security. The low grades could mean that there's plenty of security in place, but it just wasn't verified on paper properly."

Brody, who has served as the chief cybersecurity officer at the Energy and Veteran Affairs departments, spoke to members of the press after a three-hour closed-door meeting consisting of chief cybersecurity officers for the Federal Communications Commission, Senate and departments of State, Commerce, Treasury, Transportation and Housing and Urban Development.

The workshop was hosted by the Information Security Forum, a nonprofit association of cybersecurity companies, the International Information Systems Security Certification Consortium and INPUT.

Brody said the government officials and private sector security professionals at the meeting discussed what "five years of FISMA has given" agencies. The topic produced a great deal of discussion and some mixed opinions, according to Brody.

A survey of agency cybersecurity officers conducted in August 2005 found that chief information security officers are spending more time complying with FISMA each year.

Marc Noble, the FCC's chief security officer and only workshop attendee available to speak to the media after the meeting, said he hopes to come up with a risk-based solution to secure his agency's IT systems, rather than focusing on regulatory compliance.

From isn at c4i.org Thu Feb 23 04:34:59 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 23 Feb 2006 03:34:59 -0600 (CST)
Subject: [ISN] Too Many New Gadgets, Too Much Information at Risk
Message-ID:

http://www.nytimes.com/2006/02/21/business/businessspecial2/21secure.html

By DAVID S. JOACHIM
February 21, 2006

It is the corporate version of keeping up with the Joneses: every day, it seems, someone arrives at the office with a shiny new gadget that combines a cellphone with all sorts of features you used to find only on your computer. They can get e-mail messages, surf the Web, manage contact lists and calendars, and even create Word and Excel documents that can run on a conventional PC.

These smart phones and hand-held computers are so powerful that many office workers now travel without their laptops. Why bother with a clunky box that takes several minutes to start up and connect to a network, when you have a device that is always online and can access information on demand?

At first, owners and operators of small businesses may see benefits to this trend. After all, workers are paying for their own little devices in the name of convenience. But, it turns out, they are also giving their technology departments a big headache.

That is because these devices represent a sizable security risk. For one, they are configured to hop from Wi-Fi to cellular networks easily, exposing them to deliberate thievery of data. But a bigger threat, analysts say, is that small things are easier to lose, raising the prospect that confidential business files will get in the wrong hands.

Pocket-size devices are misplaced all the time -- travelers left 85,000 cellphones and 21,000 hand-held computers in Chicago taxis during a six-month period last year, according to a survey by Pointsec Mobile Technologies, a maker of security software. And as these devices become capable of storing larger volumes of data, some experts are concerned about the increasing vulnerability of those files.

Analysts say that workers are too caught up with buying the latest gadgets, forgetting that their data is far more valuable than the device it runs on.
That is why some companies, realizing the potential for damage, are getting ahead on mobile security by actually buying small gadgets for their employees, albeit with security strings attached.

Seitlin, a small insurance brokerage based in Miami, illustrates the point. The firm decided to buy Palm Treo cellphone-organizers for about 30 of its 250 employees. The company could then dictate what data was stored on the devices, and it could install software to monitor them from afar and even lock them over the air if they fell into the wrong hands, said Ed Whipple, the company's vice president for sales and technology.

Seitlin sales agents, rather than carry client records on their Treos, must use a Web site to access claims histories and other private information. These files can be viewed but not stored on the devices through an online service called Nexsure from XDimensional Technologies. If an agent on the road is offline and needs information about a client, he calls the office for it, Mr. Whipple said.

If an employee reports that his cellphone is stolen, Mr. Whipple can send a text message to the device, which locks it and asks for a security code, using software called Butler. If the security code is not entered immediately, the memory on the device is wiped clean.

The catch is that the Treo must be turned on and transmitting over a wireless or cellular network for Butler to work. For this reason, some companies set up their devices to store all data on a removable SD memory card, which scrambles the data and renders it useless if the card is removed.

Seitlin also uses software from Intellisync that allows Treos to act like BlackBerry devices and automatically send e-mail messages without the user having to manually download them. This also allows the devices to stay synchronized with a server in the office.

"That's the beautiful thing," Mr. Whipple said.
"If I drop my Treo in the water tomorrow, I can go out and buy another one," and the technology department can rebuild the software on a new one to look just like the old one, including all his personal contacts and calendars. This can be done in minutes over the air.

John Pescatore, a security analyst at Gartner, a market research company, said that forcing all users to synchronize their data to a single server over the air has another benefit over letting them use their office PC's for backing up data: it creates a log of all information moving to and from the devices. Monitoring software can be set up to search through the data exchanges to make sure no confidential data passes to unauthorized devices, he said.

Mr. Pescatore expects this year to be a turning point for mobile security, in the same way that personal firewalls and antivirus software on PC's gained importance early in the decade because of viruses like I Love You and Melissa. "The market doesn't demand security until something bad happens," he said.

Of course, security breaches get the most attention when they happen at big companies. But as hardware and software prices have dropped in recent years, small businesses are catching up to larger ones in terms of technology -- and vulnerability.

By the end of the year, smart phones with so much storage and processing power will represent about half of all cellphones in the United States, compared with about 30 percent today, Mr. Pescatore said. The proliferation could get people in the habit of sending one another executable files like games, which can carry viruses.

More than that, the success of devices that use Microsoft's mobile operating system will mean a decline in the diversity of software, Mr. Pescatore added. Just as Microsoft's domination in PC's made it attractive for programmers to write viruses for Windows, the same could happen to hand-held devices. In computing, as in nature, diversity is the great inoculator.
Copyright 2006 The New York Times Company

From isn at c4i.org Thu Feb 23 04:36:13 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 23 Feb 2006 03:36:13 -0600 (CST)
Subject: [ISN] Security vendors prepare for a bloodbath
Message-ID:

http://www.zdnet.com.au/news/security/soa/Security_vendors_prepare_for_a_bloodbath/0,2000061744,39239838,00.htm

Munir Kotadia
ZDNet Australia
February 23, 2006

The booming security market is heading for a bloodbath with both vendors and analysts expecting the number of companies selling security applications to fall from more than 700 today to just a handful by the end of the decade.

Toby Weiss, senior vice president and general manager of CA's security business, told ZDNet Australia on Tuesday that there are far too many security vendors and consolidation is inevitable over the next three to five years.

"The market is incredibly fragmented. I was told we are up to 700 different security solutions, which is daunting for customers to keep up with. Even if they meet with two different vendors a day it would take them an entire year including weekends," said Weiss.

That view is echoed by Michael Warrilow, Director of Sydney-based security consultancy Hydrasight, who said CA and Symantec seem to be emerging as the front runners in providing a "security software suite".

"There is no doubt that there are far too many security vendors out there. Every man, dog and venture capitalist has been investing in them over the past few years. In a recent US security conference there were literally 700 vendors but many of those are going to disappear or get gobbled up," Warrilow told ZDNet Australia.

According to CA's Weiss, the consolidation will be positive for enterprises because they will not have to deal with a large number of point solutions and will have less trouble integrating their products together.
"In the last few years customers have not been able to keep up with that number of point solutions and there are not enough standards for [the point solutions] to work with each other very well.

"In three to five years customers will probably be looking at one or two vendors to help them manage their security product suite. Similar to the networking systems management today where you would look at maybe IBM or BMC -- but you wouldn't look at 700 different vendors," said Weiss.

But this view is slammed by Hydrasight's Warrilow, who argues that consolidation does not make integration issues disappear.

"Just because [smaller companies] get gobbled up it doesn't mean the situation is any better. Instead of buying from 20 vendors you are buying 20 products from one vendor," said Warrilow, who pointed the finger at Symantec for being guilty of such practices.

"Symantec has bought 25 companies over the past few years; it has done a pretty poor job of integrating the products it has bought. Consolidation in terms of the number of vendors does not mean the products are any better integrated and customers have any less of an issue in terms of making them work," added Warrilow.

From isn at c4i.org Thu Feb 23 04:36:25 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 23 Feb 2006 03:36:25 -0600 (CST)
Subject: [ISN] Washington Post fails to protect Deep Throat
Message-ID:

http://www.theinquirer.net/?article=29805

By Nick Farrell
21 February 2006

THE WASHINGTON POST, famous for hiding the name of its Deep Throat source during the Watergate scandal, might have accidentally revealed the name of one of its sources in a less important yarn about a hacker.

Hack Brian Krebs penned a fairly gushing piece about a 21-year-old hacker identified as "0x80" who claimed to have broken into 2,000 PCs around the globe. 0x80 apparently uses the hacked PCs to send out spam.
In amongst detailed descriptions of how 0x80 smokes, which in the US journalistic style is called 'colour', Krebs revealed that his subject lived in a small town in Middle America.

"The nearest businesses are a used-car lot, a gas station/convenience store and a strip club," the article said.

All hard to trace, but for the fact that the article ran a doctored picture of 0x80 which, when the people at Slashdot had [1] a look at the metadata in the pic, revealed 0x80 lived in the town of Roland, population 2,842.

Since only a third of the population are 0x80's age, less than half of them are male, and not that many live close to the strip club, he shouldn't be too easy to find, particularly with Krebs's colourful description.

When this was pointed out to Krebs in his bog [2], he said that he was aware of it. The picture is no longer linked from the article, but it should not be long before 0x80 will be located.

Just as well digital cameras were not around during Watergate.

[1] http://it.slashdot.org/comments.pl?sid=177830&cid=14748871
[2] http://blog.washingtonpost.com/securityfix/2006/02/more_proof_of_rogue_installs_o.html

From isn at c4i.org Thu Feb 23 04:36:39 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 23 Feb 2006 03:36:39 -0600 (CST)
Subject: [ISN] Amish teen fined for wiretapping
Message-ID:

http://www.thenorthwestern.com/apps/pbcs.dll/article?AID=/20060222/OSH0101/602220391/1128

By Patricia Wolff of The Northwestern
February 22, 2006

GREEN LAKE - An Amish teenager will pay a fine and restitution to a neighbor for illegally tapping into his telephone line.

James Bontrager, 17, W3950 Grand River Road, Markesan, pleaded guilty in Green Lake County Circuit Court Jan. 23, to a charge of telecommunications fraud. He was fined $367 and ordered to pay $36.09 in long distance charges to CenturyTel for calls the teen made on his neighbor's phone line to a relative in Indiana.

The Amish traditionally shun telephones and other modern conveniences in their homes.
When confronted by Green Lake County Sheriff's Deputy Matthew Vande Kolk, James Bontrager led the deputy to a shed on his property where he had brought his neighbor's phone line inside. He also surrendered the phone he had been using to call relatives, the documents said.

Bontrager claimed he did not know the neighbor would be charged for the calls, according to court documents.

The crime came to light when Howard and Carol Lang of Markesan, called the Green Lake County Sheriff's office in July of 2005 after noticing charges on their bill that they did not make. Carol Lang said she received calls three or four times a day where no one would answer when she picked up the phone.

"I'd answer and could not hear anything. I'd hang up and they'd talk," Carol Lang said.

The wiretapping occurred after the Bontragers did some construction on their property last summer. James Bontrager's father, Vernon Bontrager told police he had seen his son digging in a flowerbed near the house and suggested his son did the wiretapping to contact Indiana relatives with whom he had been very close prior to moving to Markesan about five years ago, the documents said.

After admitting to the wiretapping, Vande Kolk drove the Bontragers at their request to the Langs' residence to apologize to them, according to the documents.

From isn at c4i.org Fri Feb 24 01:51:01 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 24 Feb 2006 00:51:01 -0600 (CST)
Subject: [ISN] Malware Honeypot Projects Merge
Message-ID:

http://www.eweek.com/article2/0,1895,1930735,00.asp

By Ryan Naraine
February 23, 2006

Looking to streamline the collection of malware samples, two of the biggest honeypot projects - mwcollect and nepenthes - have merged operations.
The two projects, which passively trap viruses, spyware and other forms of malicious software by emulating known vulnerabilities, will combine operations to develop a single malware collection tool, according to an announcement by mwcollect head developer Georg Wicherski.

The merger comes after a year of concurrent development that caused a lot of overlap and shared work, Wicherski said.

"Mwcollect.org will become a top-level community covering malware collection efforts, [and] nepenthes will become the official software used for malware collection and be part of mwcollect.org," he said.

A new mwcollect.org meta-portal will be created to host information related to malware collection. Instead of having two tools, mwcollectd will be discontinued after the current version 3.0.4, and nepenthes will be the official successor, Wicherski added.

He said the mwcollect Alliance will continue to exist with existing mwcollect v3.0.3 sensor and nepenthes sensors later on.

"The benefit to the end user is a much more powerful software due to joined forces, [and] the benefit to the developers is that we need to spend less time on developing due to shared work," Wicherski added.

Existing nepenthes users won't notice any changes, but researchers using the mwcollectd tool are urged to make the switch to nepenthes. Going forward, Wicherski said the project pages will be merged under one roof ahead of a new nepenthes version.
From isn at c4i.org Fri Feb 24 01:51:16 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 24 Feb 2006 00:51:16 -0600 (CST) Subject: [ISN] Secunia Weekly Summary - Issue: 2006-8 Message-ID: ======================================================================== The Secunia Weekly Advisory Summary 2006-02-16 - 2006-02-23 This week : 59 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3...............................This Weeks Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written. Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued. As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet. Secunia Online Vulnerability Database: http://secunia.com/ ======================================================================== 2) This Week in Brief: Secunia has issued an Extremely Critical advisory regarding a vulnerability in Mac OS X, which can be exploited by malicious people to compromise a user's system. 
Secunia has constructed a test, which can be used to check if your system is affected by this issue: http://secunia.com/mac_os_x_command_execution_vulnerability_test/ Please see the referenced Secunia advisory for additional details. Reference: http://secunia.com/SA18963 VIRUS ALERTS: Secunia has not issued any virus alerts during the week. ======================================================================== 3) This Weeks Top Ten Most Read Advisories: 1. [SA18963] Mac OS X File Association Meta Data Shell Script Execution 2. [SA15852] XML-RPC for PHP PHP Code Execution Vulnerability 3. [SA14337] Mambo "GLOBALS['mosConfig_absolute_path']" File Inclusion 4. [SA17571] Opera Image Control Status Bar Spoofing Weakness 5. [SA16280] IBM Lotus Notes Multiple Vulnerabilities 6. [SA18835] Windows Media Player Bitmap File Processing Vulnerability 7. [SA18931] PHP-Nuke "Your_Account" Module SQL Injection Vulnerability 8. [SA18924] PerlBLOG Multiple Vulnerabilities 9. [SA18934] Debian update for gnupg 10 [SA18907] Mac OS X Kernel Local Denial of Service Vulnerability ======================================================================== 4) Vulnerabilities Summary Listing Windows: [SA18945] WPCeasy Admin Logon SQL Injection Vulnerability [SA18986] IA eMailServer IMAP SEARCH Command Handling Vulnerability UNIX/Linux: [SA18963] Mac OS X File Association Meta Data Shell Script Execution [SA18987] Red Hat update for metamail [SA18927] Guestex Shell Command Injection and Cross-Site Scripting [SA18923] Leif M. 
Wright's Blog Multiple Vulnerabilities [SA18983] Gentoo update for gpdf [SA18979] Bugzilla Multiple Vulnerabilities [SA18976] Mandriva update for tar [SA18973] GNU Tar PAX Extended Headers Handling Buffer Overflow [SA18948] Debian update for pdfkit.framework [SA18944] CherryPy "staticfilter" Directory Traversal Vulnerability [SA18943] Mandriva update for libtiff [SA18926] Quirex convert.cgi File Disclosure Vulnerability [SA18924] PerlBLOG Multiple Vulnerabilities [SA18918] Ubuntu update for libtasn [SA18939] Fedora Directory Server Admin Server Password Disclosure [SA18984] Melange Chat Server Information Disclosure Security Issue [SA18977] Mandriva update for kernel [SA18968] SUSE update for gpg / liby2util [SA18956] Gentoo update for gnupg [SA18955] Fedora update for gnupg [SA18942] Mandriva update for gnupg [SA18934] Debian update for gnupg [SA18933] Ubuntu update for gnupg [SA18974] ViRobot Linux Server Authentication Bypass Vulnerability [SA18961] Ubuntu update for heimdal [SA18960] Fedora Directory Server LDAP Denial of Service Vulnerabilities [SA18988] Red Hat update for tar [SA18958] UnixWare ptrace Privilege Escalation Vulnerability [SA18922] Netcool/NeuSecure Configuration File Permissions Weaknesses [SA18971] Ubuntu update for bluez-hcidump [SA18970] Ubuntu update for openssh [SA18969] Gentoo update for openssh / dropbear [SA18964] Dropbear SSH Server scp Command Line Shell Command Injection Other: [SA18952] Xerox ESS/ Network Controller and MicroServer Vulnerabilities [SA18932] DWL-G700AP Web Interface Denial of Service Cross Platform: [SA18982] Geeklog Media Gallery Module SQL Injection and File Inclusion [SA18941] Coppermine Photo Gallery File Inclusion Vulnerabilities [SA18935] Mambo Unspecified System Compromise Vulnerability [SA18930] Admbook "X-Forwarded-For" PHP Code Injection [SA18920] Geeklog SQL Injection and File Inclusion Vulnerabilities [SA18917] PunkBuster Cvars Monitoring Format String Vulnerability [SA18972] PHP-Nuke Personal Menu Script 
Insertion and SQL Injection [SA18965] Barracuda Directory Multiple Script Insertion Vulnerabilities [SA18951] ilchClan "pid" and "login_name" SQL Injection Vulnerabilities [SA18946] Guestbox Two Vulnerabilities and One Security Issue [SA18938] EmuLinker Packet Handling Denial of Service Vulnerability [SA18937] PostNuke Multiple Vulnerabilities [SA18931] PHP-Nuke "Your_Account" Module SQL Injection Vulnerability [SA18929] BXCP "tid" SQL Injection Vulnerability [SA18925] My Blog BBCode Script Insertion Vulnerability [SA18985] SquirrelMail Cross-Site Scripting and IMAP Injection Vulnerabilities [SA18981] CuteNews "show" Cross-Site Scripting Vulnerability [SA18949] PHP-Fusion Cross-Site Scripting Vulnerabilities [SA18928] ADOdb Cross-Site Scripting Vulnerabilities [SA18919] CPG Dragonfly CMS "linking.php" Cross-Site Scripting Vulnerability [SA18967] Ubuntu update for noweb [SA18936] PHP-Nuke CAPTCHA Bypass Weakness ======================================================================== 5) Vulnerabilities Content Listing Windows:-- [SA18945] WPCeasy Admin Logon SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-02-20 murfie has reported a vulnerability in WPCeasy, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/18945/ -- [SA18986] IA eMailServer IMAP SEARCH Command Handling Vulnerability Critical: Less critical Where: From remote Impact: DoS Released: 2006-02-22 Joao Antunes has discovered a vulnerability in Internet Anywhere (IA) eMailServer, which can be exploited by malicious users to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/18986/ UNIX/Linux:-- [SA18963] Mac OS X File Association Meta Data Shell Script Execution Critical: Extremely critical Where: From remote Impact: System access Released: 2006-02-21 Michael Lehn has discovered a vulnerability in Mac OS X, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/18963/ -- [SA18987] Red Hat update for metamail Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2006-02-22 Red Hat has issued and update for metamail. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/18987/ -- [SA18927] Guestex Shell Command Injection and Cross-Site Scripting Critical: Highly critical Where: From remote Impact: Cross Site Scripting, System access Released: 2006-02-17 Aliaksandr Hartsuyeu has reported two vulnerabilities in Guestex, which can be exploited by malicious people to conduct cross-site scripting attacks and to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/18927/ -- [SA18923] Leif M. Wright's Blog Multiple Vulnerabilities Critical: Highly critical Where: From remote Impact: Security Bypass, Cross Site Scripting, Exposure of sensitive information, System access Released: 2006-02-17 Aliaksandr Hartsuyeu has reported some vulnerabilities in Leif M. Wright's Blog, which can be exploited by malicious people to disclose potentially sensitive information, bypass certain security restrictions, conduct script insertion attacks, and potentially to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/18923/ -- [SA18983] Gentoo update for gpdf Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-02-22 Gentoo has issued an update for gpdf. 
This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system. Full Advisory: http://secunia.com/advisories/18983/ -- [SA18979] Bugzilla Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data, Exposure of sensitive information Released: 2006-02-22 Some vulnerabilities have been reported in Bugzilla, which can be exploited by malicious users to conduct SQL injection attacks, and by malicious people to disclose sensitive information and conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/18979/ -- [SA18976] Mandriva update for tar Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-02-22 Mandriva has issued an update for tar. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and to compromise a user's system. Full Advisory: http://secunia.com/advisories/18976/ -- [SA18973] GNU Tar PAX Extended Headers Handling Buffer Overflow Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-02-22 A vulnerability has been reported in GNU Tar, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and to compromise a user's system. Full Advisory: http://secunia.com/advisories/18973/ -- [SA18948] Debian update for pdfkit.framework Critical: Moderately critical Where: From remote Impact: Unknown Released: 2006-02-20 Full Advisory: http://secunia.com/advisories/18948/ -- [SA18944] CherryPy "staticfilter" Directory Traversal Vulnerability Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2006-02-21 A vulnerability has been reported in CherryPy, which can be exploited by malicious people to disclose potentially sensitive information. 
Full Advisory: http://secunia.com/advisories/18944/ -- [SA18943] Mandriva update for libtiff Critical: Moderately critical Where: From remote Impact: System access Released: 2006-02-20 Mandriva has issued an update for libtiff. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/18943/ -- [SA18926] Quirex convert.cgi File Disclosure Vulnerability Critical: Moderately critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information Released: 2006-02-17 Aliaksandr Hartsuyeu has reported a vulnerability in Quirex, which can be exploited by malicious people to disclose potentially sensitive information. Full Advisory: http://secunia.com/advisories/18926/ -- [SA18924] PerlBLOG Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Security Bypass, Cross Site Scripting Released: 2006-02-17 Aliaksandr Hartsuyeu has reported some vulnerabilities in PerlBLOG, which can be exploited by malicious people to conduct script insertion attacks and to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/18924/ -- [SA18918] Ubuntu update for libtasn Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-02-17 Ubuntu has issued an update for gnutls. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/18918/ -- [SA18939] Fedora Directory Server Admin Server Password Disclosure Critical: Moderately critical Where: From local network Impact: Exposure of sensitive information Released: 2006-02-20 Frank Reppin has reported a vulnerability in Fedora Directory Server, which can be exploited by malicious people to gain knowledge of sensitive information. 
Full Advisory: http://secunia.com/advisories/18939/ -- [SA18984] Melange Chat Server Information Disclosure Security Issue Critical: Less critical Where: From remote Impact: Exposure of sensitive information Released: 2006-02-22 Nexus has discovered a security issue in Melange Chat Server, which potentially can be exploited by malicious people to disclose certain sensitive information. Full Advisory: http://secunia.com/advisories/18984/ -- [SA18977] Mandriva update for kernel Critical: Less critical Where: From remote Impact: Exposure of sensitive information, DoS Released: 2006-02-22 Mandriva has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain knowledge of sensitive information and cause a DoS (Denial of Service), or by malicious people to cause a DoS. Full Advisory: http://secunia.com/advisories/18977/ -- [SA18968] SUSE update for gpg / liby2util Critical: Less critical Where: From remote Impact: Security Bypass Released: 2006-02-21 SUSE has issued an update for gpg / liby2util. This fixes a security issue, which potentially can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/18968/ -- [SA18956] Gentoo update for gnupg Critical: Less critical Where: From remote Impact: Security Bypass Released: 2006-02-20 Gentoo has issued an update for gnupg. This fixes a security issue, which potentially can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/18956/ -- [SA18955] Fedora update for gnupg Critical: Less critical Where: From remote Impact: Security Bypass Released: 2006-02-20 Fedora has issued an update for gnupg. This fixes a security issue, which potentially can be exploited by malicious people to bypass certain security restrictions. 
Full Advisory: http://secunia.com/advisories/18955/ -- [SA18942] Mandriva update for gnupg Critical: Less critical Where: From remote Impact: Security Bypass Released: 2006-02-20 Mandriva has issued an update for gnupg. This fixes a security issue, which potentially can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/18942/ -- [SA18934] Debian update for gnupg Critical: Less critical Where: From remote Impact: Security Bypass Released: 2006-02-17 Debian has issued an update for gnupg. This fixes a security issue, which potentially can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/18934/ -- [SA18933] Ubuntu update for gnupg Critical: Less critical Where: From remote Impact: Security Bypass Released: 2006-02-20 Ubuntu has issued an update for gnupg. This fixes a security issue, which potentially can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/18933/ -- [SA18974] ViRobot Linux Server Authentication Bypass Vulnerability Critical: Less critical Where: From local network Impact: Security Bypass Released: 2006-02-22 dong-houn yoU has discovered a vulnerability in ViRobot Linux Server, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/18974/ -- [SA18961] Ubuntu update for heimdal Critical: Less critical Where: From local network Impact: DoS Released: 2006-02-20 Ubuntu has issued an update for heimdal. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/18961/ -- [SA18960] Fedora Directory Server LDAP Denial of Service Vulnerabilities Critical: Less critical Where: From local network Impact: DoS Released: 2006-02-20 Evgeny Legerov has reported some vulnerabilities in Fedora Directory Server, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/18960/ -- [SA18988] Red Hat update for tar Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-02-22 Red Hat has issued an update for tar. This fixes a vulnerability, which can be exploited by malicious people to cause files to be extracted to arbitrary locations on a user's system. Full Advisory: http://secunia.com/advisories/18988/ -- [SA18958] UnixWare ptrace Privilege Escalation Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-02-22 A vulnerability has been reported in UnixWare, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/18958/ -- [SA18922] Netcool/NeuSecure Configuration File Permissions Weaknesses Critical: Less critical Where: Local system Impact: Exposure of sensitive information Released: 2006-02-17 Dimitry Snezhkov has reported two weaknesses in Netcool/NeuSecure, which can be exploited by malicious, local users to disclose certain sensitive information. Full Advisory: http://secunia.com/advisories/18922/ -- [SA18971] Ubuntu update for bluez-hcidump Critical: Not critical Where: From remote Impact: DoS Released: 2006-02-22 Ubuntu has issued an update for bluez-hcidump. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/18971/ -- [SA18970] Ubuntu update for openssh Critical: Not critical Where: Local system Impact: Privilege escalation Released: 2006-02-22 Ubuntu has issued an update for openssh. This fixes a weakness, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges. Full Advisory: http://secunia.com/advisories/18970/ -- [SA18969] Gentoo update for openssh / dropbear Critical: Not critical Where: Local system Impact: Privilege escalation Released: 2006-02-21 Gentoo has issued an update for openssh / dropbear. This fixes a weakness, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges. Full Advisory: http://secunia.com/advisories/18969/ -- [SA18964] Dropbear SSH Server scp Command Line Shell Command Injection Critical: Not critical Where: Local system Impact: Privilege escalation Released: 2006-02-21 A weakness has been reported in Dropbear SSH Server, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges. Full Advisory: http://secunia.com/advisories/18964/ Other:-- [SA18952] Xerox ESS/ Network Controller and MicroServer Vulnerabilities Critical: Moderately critical Where: From remote Impact: Security Bypass, Cross Site Scripting, DoS Released: 2006-02-20 Some vulnerabilities have been reported in Xerox WorkCentre Pro and Xerox WorkCentre, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, or cause a Denial of Service (DoS). Full Advisory: http://secunia.com/advisories/18952/ -- [SA18932] DWL-G700AP Web Interface Denial of Service Critical: Less critical Where: From local network Impact: DoS Released: 2006-02-17 l0om has reported a vulnerability in D-Link DWL-G700AP, which can be exploited by malicious people to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/18932/ Cross Platform:-- [SA18982] Geeklog Media Gallery Module SQL Injection and File Inclusion Critical: Highly critical Where: From remote Impact: Manipulation of data, Exposure of sensitive information, System access Released: 2006-02-22 Some vulnerabilities have been reported in the Media Gallery module for Geeklog, which can be exploited by malicious people to conduct SQL injection attacks, disclose potentially sensitive information and potentially to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/18982/ -- [SA18941] Coppermine Photo Gallery File Inclusion Vulnerabilities Critical: Highly critical Where: From remote Impact: System access Released: 2006-02-20 rgod has reported two vulnerabilities in Coppermine Photo Gallery, which can be exploited by malicious people and by malicious users to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/18941/ -- [SA18935] Mambo Unspecified System Compromise Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-02-22 A vulnerability has been reported in Mambo, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/18935/ -- [SA18930] Admbook "X-Forwarded-For" PHP Code Injection Critical: Highly critical Where: From remote Impact: System access Released: 2006-02-20 rgod has reported a vulnerability in Admbook, which can be exploited by malicious people to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/18930/ -- [SA18920] Geeklog SQL Injection and File Inclusion Vulnerabilities Critical: Highly critical Where: From remote Impact: Manipulation of data, Exposure of sensitive information, System access Released: 2006-02-20 James Bercegay has reported some vulnerabilities in Geeklog, which can be exploited by malicious people to conduct SQL injection attacks, disclose potentially sensitive information and potentially to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/18920/ -- [SA18917] PunkBuster Cvars Monitoring Format String Vulnerability Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2006-02-17 Luigi Auriemma has reported a vulnerability in PunkBuster, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/18917/ -- [SA18972] PHP-Nuke Personal Menu Script Insertion and SQL Injection Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2006-02-22 Jason Lau has discovered two vulnerabilities in PHP-Nuke, which can be exploited by malicious people to conduct SQL injection and script insertion attacks. Full Advisory: http://secunia.com/advisories/18972/ -- [SA18965] Barracuda Directory Multiple Script Insertion Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2006-02-21 pcps has discovered some vulnerabilities in Barracuda Directory, which can be exploited by malicious people to conduct script insertion attacks. 
Full Advisory:
http://secunia.com/advisories/18965/

--

[SA18951] ilchClan "pid" and "login_name" SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-21

Two vulnerabilities have been discovered in ilchClan, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18951/

--

[SA18946] Guestbox Two Vulnerabilities and One Security Issue

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Exposure of sensitive information
Released:    2006-02-21

l0om has discovered two vulnerabilities and a security issue in Guestbox, which can be exploited by malicious people to disclose potentially sensitive information, bypass certain security restrictions, and conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/18946/

--

[SA18938] EmuLinker Packet Handling Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-02-20

A vulnerability has been reported in EmuLinker, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18938/

--

[SA18937] PostNuke Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of data
Released:    2006-02-21

Maksymilian Arciemowicz has reported some vulnerabilities in PostNuke, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, and to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/18937/

--

[SA18931] PHP-Nuke "Your_Account" Module SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-17

sp3x has discovered a vulnerability in PHP-Nuke, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18931/

--

[SA18929] BXCP "tid" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-20

x128 has discovered a vulnerability in BXCP, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18929/

--

[SA18925] My Blog BBCode Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-17

Aliaksandr Hartsuyeu has reported a vulnerability in My Blog, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/18925/

--

[SA18985] SquirrelMail Cross-Site Scripting and IMAP Injection Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-02-22

Some vulnerabilities have been reported in SquirrelMail, which can be exploited by malicious users to manipulate certain information and by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18985/

--

[SA18981] CuteNews "show" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-22

imei addmimistrator has discovered a vulnerability in CuteNews, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/18981/

--

[SA18949] PHP-Fusion Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Unknown
Released:    2006-02-21

Two vulnerabilities have been reported in PHP-Fusion, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18949/

--

[SA18928] ADOdb Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-20

James Bercegay has reported some vulnerabilities in ADOdb, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18928/

--

[SA18919] CPG Dragonfly CMS "linking.php" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information
Released:    2006-02-22

albanialove has reported a vulnerability in CPG Dragonfly CMS, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18919/

--

[SA18967] Ubuntu update for noweb

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-02-22

Ubuntu has issued an update for noweb. This fixes multiple vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/18967/

--

[SA18936] PHP-Nuke CAPTCHA Bypass Weakness

Critical:    Not critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-02-20

Janek Vind "waraxe" has reported a weakness in PHP-Nuke, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/18936/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support at secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

From isn at c4i.org Fri Feb 24 01:51:29 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 24 Feb 2006 00:51:29 -0600 (CST)
Subject: [ISN] Study shows how photonic decoys can foil hackers
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,108924,00.html

FEBRUARY 23, 2006
NETWORK WORLD

A University of Toronto professor and researcher has demonstrated for the first time a new technique for safeguarding data transmitted over fiber-optic networks using quantum cryptography.

Professor Hoi-Kwong Lo, a member of the school's Centre for Quantum Information and Quantum Control, is the senior author of a study that sheds light on using what's called a photonic decoy technique for encrypting data.

Quantum cryptography is starting to be used by the military, banks and other organizations that seek to better protect the data on their networks. This sort of cryptography uses photons to carry encryption keys, which is considered safer than protecting data via traditional methods that powerful computers can crack. Quantum cryptography is based on fundamental laws of physics, such that merely observing a quantum object alters it.
Lo's team used modified quantum key distribution equipment from Id Quantique and a 9.3-mile fiber-optic link to demonstrate the use of decoys in data transmissions and to alert receiving computers about which photons were legit and which were phony. The technique is designed to support high key generation rates over long distances.

Lo's study is slated to appear in the Feb. 24 issue of Physical Review Letters.

Lo notes that existing products, such as those from Id Quantique and MagiQ Technologies, are for point-to-point applications used by the military and security-sensitive businesses. "In the long run, one can envision a global quantum cryptographic network, either based on satellite relays or based on quantum repeaters," he says.

University researchers are fueling many advances in network security. A University of Indiana professor recently revealed technology for thwarting phishing and pharming culprits by using a technique called active cookies.

From isn at c4i.org Fri Feb 24 01:51:46 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 24 Feb 2006 00:51:46 -0600 (CST)
Subject: [ISN] Atlanta Company Settles Breach
Message-ID:

http://www.11alive.com/money/money_article.aspx?storyid=76552

By JENNIFER C. KERR
Associated Press Writer
2/23/2006

WASHINGTON (AP) -- A data breach that left some 40 million customer accounts vulnerable to hackers will lead to tighter security measures to protect millions of credit and debit card users, officials at the Federal Trade Commission said Thursday.

CardSystems Solutions Inc. has settled charges that the company broke the law by failing to ensure adequate safeguards for sensitive customer information. The settlement calls for better safeguards to protect consumer data. The FTC could not seek civil penalties under the law it accused CardSystems of violating.

Atlanta-based CardSystems processed credit card and other payments for banks and merchants.
Last summer, it was disclosed that tens of millions of mostly MasterCard and Visa accounts were exposed to possible fraud after a hacker broke into the company's computer system.

"CardSystems kept information it had no reason to keep and then stored it in a way that put consumers' financial information at risk," said FTC Chairman Deborah Platt Majoras.

The company stored information from the magnetic strip of credit and debit cards -- account numbers, expiration dates, and security codes, the agency said. The commission also said CardSystems did not have sufficient passwords to keep a hacker from taking control of its computer network.

The assets of CardSystems have since been bought by San Francisco-based Pay By Touch. The settlement requires Pay By Touch to implement a comprehensive security program and obtain independent audits every other year for 20 years.

According to evidence gathered in a California case, the hacker was able to grab enough account information to defraud at least 264,000 customers. Visa and MasterCard maintain that there is little financial risk to vulnerable accountholders because of their "zero liability" policies that reverse all fraudulent charges.

The lawsuit sought an order requiring Visa and MasterCard to send individual warnings to thousands of consumers whose personal information was stolen in the breach. But the judge rejected the request last fall, saying there was no immediate threat of irreparable harm to consumers.

Copyright 2006 by The Associated Press. All Rights Reserved.

From isn at c4i.org Fri Feb 24 01:52:20 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 24 Feb 2006 00:52:20 -0600 (CST)
Subject: [ISN] Legendary hacker Mitnick turns legit
Message-ID:

http://www.jpost.com/servlet/Satellite?cid=1139395477381&pagename=JPost%2FJPArticle%2FShowFull

By TALYA HALKIN
THE JERUSALEM POST
Feb. 24, 2006

As he kneeled down and fumbled around in one of his two computer bags in search of extra business cards, Kevin Mitnick looked like your typical scatter-minded computer geek. Once found, however, his silver-coated card, designed to appear like a miniature kit of lock-breaking tools, embossed with the name of his company - Mitnick Security Consulting - told a different story: that of a formerly notorious computer hacker turned expert on preventing cyber-crime.

"I just thought it would be kinda cool," he said, handing the card out Thursday at a conference on Internet security organized by the Israeli branch of IDC, a company specializing in global research and consulting.

He weaved together anecdotes from his hacking days with an analysis of what he calls "social engineering," which essentially means conning people to get them to reveal passwords and other sensitive computer-related information.

Mitnick, as he recounted during his lecture, began hacking as a teenager in California, tapping into various telephone networks before moving on to the kinds of corporate network break-ins that earned him five years in a federal prison.

"Last night," he said at the beginning of his talk in his typically wry, dead-pan manner, "I had dinner with the CTO of a security company, and invited a friend to come along." When he asked his friend later that evening if he had told their dinner partner where they had met, the friend told Mitnick he had described them as "neighbors."

"That was partially true," Mitnick told the audience. "He was my neighbor in federal detention."

Following his release in 2000, Mitnick - who is now in his early forties - transformed himself from one of the world's most famous hackers to one of its most sought-after on-line security consultants. When he was released, Mitnick wasn't even allowed to use a computer.
Currently, he is completing his biography, which will be released in 2007 - the year the restriction placed on him by the US government, which has banned him from profiting from his own story, expires.

In addition to writing and lecturing world-wide about on-line security, these days Mitnick is hired by companies to break into their computer networks, reveal their security system weaknesses, and teach them how to better protect themselves. So far, he said, he has never failed to break into any system whose security he was hired to assess.

"Social engineering," Mitnick explained during the first lecture he has ever given in Israel, "is a form of hacking that relies on influencing, deceiving, or psychologically manipulating unwitting people to comply with a request. I run into a lot of companies where you have the best technology money can buy - but all a hacker needs to do is target one person who has no idea what information they are giving out, and all the money spent on technology is useless."

"I used to get in a lot of trouble and which I now get paid for," Mitnick said at the end of his lecture. "I regret having done it, but I did it for the challenge and out of intellectual curiosity, and now I am happy to benefit."

Then he turned to his many admirers among the Israeli computer specialists who attended his lecture, and wrote his name on a detached phone receiver one man handed him - the high-profile ex-hacker's version of signing a baseball.
Copyright 1995-2006 The Jerusalem Post

From isn at c4i.org Fri Feb 24 01:51:56 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 24 Feb 2006 00:51:56 -0600 (CST)
Subject: [ISN] Code hacker heard in Beijing court
Message-ID:

http://www.shanghaidaily.com/art/2006/02/23/243796/Code_hacker_heard_in_Beijing_court.htm

Li Xinran
2006-02-23

BEIJING No.2 Intermediate Court heard a criminal case today about a 31-year-old electronic engineer who stole more than 3 million yuan (US$372,670) worth of codes from prepaid mobile phone cards by hacking the database of Beijing Mobile. It was the biggest Internet theft ever in China.

Chen Zhihan, the electronic engineer, who took part in establishing the computer system of Tibet Mobile, used the system password from Tibet Mobile to break into Beijing Mobile's network. He stole thousands of codes from their database and auctioned them on Taobao.com, the largest auction Web site in China. Chen gained 3.7 million yuan from March to July last year by selling the codes.

Chen, however, forgot to check the validity dates on some of the codes, which caused his customers to complain to Beijing Mobile, which then noticed Chen's fraudulent behavior.

Chen said he had no plans to keep the money, and said he was going to donate it to charity. He said he once donated 200 yuan to a Beijing leukemia patient.

From isn at c4i.org Fri Feb 24 01:52:07 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 24 Feb 2006 00:52:07 -0600 (CST)
Subject: [ISN] Hacking incident brings guilty plea
Message-ID:

http://www.pantagraph.com/articles/2006/02/23/news/107325.txt

By Brett Nauman
bnauman @ pantagraph.com
February 23, 2006

BLOOMINGTON - A Bloomington man has pleaded guilty to hacking into and damaging the computer network run by a small school district in Missouri.

Henry Curtis Underwood, 33, faces up to 10 years in prison on federal charges of unauthorized computer intrusion, a spokesman for federal prosecutors said Wednesday.
Underwood was the technology coordinator for Missouri's Northeast Nodaway R-V School District in January 2005 when he hacked into its computer network and disabled other employees' user accounts, prosecutors said.

Don Ledford, spokesman for U.S. Attorney Todd Graves of the Western District of Missouri, said Underwood moved to Bloomington after being fired by the district.

Underwood worked for the National Computer Services Group assigned to State Farm Corporate South after leaving Missouri, according to court records. An employee with the NCS Group confirmed Wednesday that Underwood used to work for the company.

Ledford said the hacking incident occurred shortly after the Nodaway County Sheriff's Department uncovered a criminal conviction in Underwood's past. The school district placed Underwood on administrative leave after learning of his 1995 federal bank robbery conviction in Texas.

While on suspension, Underwood used a laptop computer to gain remote access to the district's computers and disable all the work stations at the district's elementary and high school, Ledford said.

"Basically, he got mad about being suspended and this was his retaliation," Ledford said, adding it took a month and $7,000 to get the school district's computer problems fixed.

Under a federal plea agreement, Underwood on Tuesday admitted to hacking into the district's computer network. A sentencing hearing will be scheduled at a later date.

From isn at c4i.org Mon Feb 27 02:08:42 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 27 Feb 2006 01:08:42 -0600 (CST)
Subject: [ISN] CID Agent Combats Identity Theft With DVD
Message-ID:

http://www4.army.mil/ocpa/read.php?story_id_key=8623

By Kenneth A. Miller
February 24, 2006
Army News Service

WASHINGTON - A new DVD was launched by the Treasury Department recently which advises consumers on how they can protect themselves should they fall victim to identity theft.
Among the subject-matter experts who appeared on the video and were recognized at a Treasury ceremony Jan. 26 was Special Agent Howard Schmidt, who serves with the CID Computer Crimes Investigative Unit located at Fort Belvoir, Va. Schmidt's job there has him conducting investigations involving intrusions into Army computer networks and systems which lead to the apprehension of those engaged in cyber crime.

"As part of my duties last summer with the CCIU, I was asked by the Department of Treasury to assist in preparing this video aimed at identity theft, prevention and investigation," Schmidt said. "The experience of working with high-tech companies in the private sector, along with the skills learned during my civilian career in the area of cyber-security, provided me with the level of expertise I needed to assist the Treasury Department."

Included on the DVD is a special segment providing information specific to military personnel and helpful tips on preventing identity theft for service members who are often in unique situations.

"The Fair and Accurate Credit Transactions Act of 2003 allows military members away from their home duty stations to place an 'active duty alert' on their credit reports to help minimize the risk of identity theft while deployed," Schmidt said. "When a business sees the alert, it must verify the identity of the Soldier before issuing credit."

Schmidt also said that active duty alerts are effective for one year, unless a request is made to remove it sooner. If a specific deployment lasts longer, a Soldier may place another alert on their report.

Howard is often asked to assume key roles related to cyber security - formulating national policy, steering strategic operations and fostering innovation by academia. As a result of the 9/11 attacks, Schmidt voluntarily reported to active duty to serve with CID and the Joint Task Force - Computer Network Operations Law Enforcement Counterintelligence Center, which defends DOD computer networks.
In December 2001, he was appointed to serve as the vice-chair of President Bush's Critical Infrastructure Protection Board as a presidential appointee.

"It was truly an honor to be nominated and appointed to serve in the White House during a very critical time in our nation's history," Schmidt said. "Having the opportunity to serve as an IMA reserve member of CID, I was able to provide the experience necessary to perform this mission successfully."

Schmidt, who has been with the Army Reserve since 1989, also served with the Air Force Office of Special Investigations as director of Computer Crimes Investigations and information warfare before joining CID. He was also a computer forensic specialist with the FBI at the National Drug Intelligence Center and a policeman from 1982 to 1994 with the Chandler (Arizona) Police Department.

The video is available online by visiting:
http://treas.gov/offices/domestic-finance/financial-institution/cip/identity-theft.shtml

Instructions for initiating an alert may be obtained from the Federal Trade Commission's Web site at:
http://www.ftc.gov/bcp/conline/pubs/alerts/dutyalrt.htm

From isn at c4i.org Mon Feb 27 02:09:00 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 27 Feb 2006 01:09:00 -0600 (CST)
Subject: [ISN] ISC2 official guide plagiarism
Message-ID:

---------- Forwarded message ----------

http://www.attackprevention.com/forum/comments.php?id=10

Posted Feb 12, 2006 - 01:55 PM:
Subject: Official (ISC)2 Guide is a fraud

I have been reviewing the "Official (ISC)^2 Guide to the CISSP Exam" [1], Susan Hansche/John Berti/Chris Hare, for one of my classes and noticed it has widespread plagiarism and what appear to be copyright violations, including materials at the following, verbatim:

http://www.trincoll.edu/depts/cpsc/cryptography/vigenere.html

In the text, at page 406, "One of the main problems with simple substitution ciphers is that they are so vulnerable to frequency analysis..."
It also contains an exact copy of a copyrighted whitepaper (without reference or citation) from, of all things, the American Bar Association, at the following link:

http://www.abanet.org/scitech/ec/isc/dsg-tutorial.html

Just as an example, the entire chapter on key management is a copy and paste of that paper. At page 429 of the textbook, Public Key Certificates and Certificate Authorities, compared to this publication by the paper from American Bar Association under Public Key Certificates, these are word-for-word. Indeed the entire chapter on ciphers appears to be stolen off of the WWW.

Given that this book is on information security with an entire chapter on ethics, I think this is a travesty. I have notified the publisher of this and they are investigating. I thought you might be interested as well.

mad
_____________________
------------------
Michael Workman, Ph.D.
College of Information
Florida State University

[1] http://www.amazon.com/exec/obidos/ASIN/084931707X/c4iorg

From isn at c4i.org Mon Feb 27 02:09:16 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 27 Feb 2006 01:09:16 -0600 (CST)
Subject: [ISN] Auditor loses data on thousands of McAfee employees
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,109003,00.html

By Robert McMillan
FEBRUARY 24, 2006
IDG NEWS SERVICE

McAfee Inc.'s auditor, Deloitte & Touche USA LLP, may be thinking of buying some security software itself, after a Deloitte employee left an unencrypted CD containing sensitive information on thousands of McAfee employees in the back of an airline seat in December.

The backup CD contained names, Social Security numbers and information on stock holdings held by over 9,000 of McAfee's current and former employees, company spokeswoman Siobhan MacDermott confirmed today. The information concerned McAfee's U.S. and Canadian employees hired prior to 2005, amounting to about 6,000 former employees and 3,290 current staffers, MacDermott said.
The CD was left on the airplane on Dec. 15, she said. McAfee was informed of the incident on Jan. 11, nearly a month after the disk was lost. After a Deloitte investigation determined who had been affected, McAfee began notifying employees of the situation via postal mail. The last of these notification letters was sent out last week, MacDermott said.

All of those who were affected by the data loss are being given two years' worth of free credit reports, provided by the Experian Information Solutions Inc. credit bureau, she said.

"We have no reason to believe that there's been or that there will be any unauthorized access to the information," MacDermott said.

McAfee is now in the process of changing its corporate policies to ensure that this type of data loss does not occur in the future, MacDermott said. "We're certainly reviewing how third parties work with our data," she said. "We're working to make sure that we don't have Social Security information on these types of files moving forward."

Deloitte spokesman Jeffrey Zack confirmed that a "Deloitte and Touche employee left an unlabeled backup CD in an airline seat pocket, and the lost disk may contain certain personal information on current and former employees." He would not comment on why the CD was not encrypted.

Designed to protect data while "in transit and storage," McAfee's own E-Business Client lets users encrypt files "with no technical training or experience," according to the company's Web site.

From isn at c4i.org Mon Feb 27 02:08:07 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 27 Feb 2006 01:08:07 -0600 (CST)
Subject: [ISN] Security wars: Novell SELinux killer rattles Red Hat
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/38330-1.html

By Joab Jackson
GCN Staff
02/24/06

Novell Inc. of Provo, Utah, has released the source code for its recently acquired open-source Linux security application, AppArmor, and has also set up a project site in hopes of attracting outside developers to further refine the program.

The release of the software has sparked debate in the open-source community, however. Novell stressed that AppArmor is easier to use than another open-source program called SELinux. First developed by the National Security Agency, SELinux tackles the same job of mandatory access control (MAC) with an unrelenting thoroughness, though it has a reputation for being difficult to manage.

"There needs to be a better way to deploy [MAC] so that the average systems administrator doesn't need to go through three weeks of training," said Frank Rego, products manager for Novell.

Some observers fear that the AppArmor project will fracture the open-source development community around the demanding science of MAC.

"In my opinion, Novell wants to split the market," said Dan Walsh, the principal software engineer of Red Hat Inc. of Raleigh, N.C. Both Red Hat and Novell offer enterprise class Linux distributions. "Rather than working with the open-source community [on SELinux], Novell has thrown out its own competing version."

Novell acquired AppArmor last May when it purchased Immunix Inc., which developed the software. Novell has made the application, along with its source code, freely available on the site under the GNU Public License.

The chief component of AppArmor is a module that must be added into the Linux kernel. Those who don't want to recompile the kernel can install the SUSE Linux 10 desktop Linux distribution, as well as SUSE Linux Enterprise Server 9 Service Pack 3, both of which have AppArmor preinstalled. (An AppArmor module for Slackware Linux is also in the works.)

MAC software tackles the growing problem of applications executing malicious tasks on their host systems.
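As an added illustration of what AppArmor's per-program confinement looks like in practice, here is an example profile written for this digest, not Novell's or Immunix's own: it lists the only files and the single capability a hypothetical helper at /usr/local/bin/report-gen (assumed path, assumed to bind a privileged port) may use, so the kernel refuses and logs anything outside that list. The rule syntax is that of later AppArmor releases, which may differ from the 2006 version the article describes.

```apparmor
# Added example profile (not Novell's or Immunix's own code).
# Confines a hypothetical program at /usr/local/bin/report-gen; the path,
# its directories and the capability below are assumptions.
#include <tunables/global>

/usr/local/bin/report-gen {
  # Shared rules every confined program needs: libc, ld.so, locale data,
  # /dev/null and similar.
  #include <abstractions/base>

  # The program's own binary: read and mmap as executable.
  /usr/local/bin/report-gen mr,

  # Configuration is read-only; the program cannot rewrite its own config.
  /etc/report-gen/ r,
  /etc/report-gen/** r,

  # Working data is the only tree it may write to.
  /var/lib/report-gen/ r,
  /var/lib/report-gen/** rw,

  # Its log file: write only, nothing else under /var/log.
  /var/log/report-gen.log w,

  # The one privileged operation it legitimately needs (assumed: binding a
  # port below 1024). Every other capability is refused, so a compromised
  # process cannot, for example, change file ownership or load modules.
  capability net_bind_service,
}
```

Loading a new profile in complain mode first (aa-complain) records accesses the profile missed in the kernel audit log without blocking them, so the profile can be completed before switching it to enforce mode (aa-enforce), where any unlisted access is denied.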
Many of today's security problems come from application vulnerabilities that are exploited by malicious hackers or rogue programs. MAC software keeps profiles of routine actions that each application on a computer usually takes during normal operations. When a program starts behaving in an unusual fashion, the MAC software can call on the operating system to halt that errant operation.

Although both AppArmor and SELinux use the Linux Security Module Interface - a new Linux feature allowing kernel level mediation of security issues - the programs differ in scope.

"The biggest difference between AppArmor and SELinux is in the ease of deployment," Rego said.

NSA designed SELinux to address highly classified documents for sensitive environments, according to Rego. And while it executes this job well, it may be too powerful for most everyday deployments. In fact, SELinux's complexity may have been an obstacle to wider deployment, Rego speculated. Administrators may turn off security privileges in an effort to facilitate smooth operations.

AppArmor has a graphical user interface that should ease deployment, Novell hopes. The package includes profiles for widely used programs and utilities, such as Apache, Sendmail, Bind and others. In addition to these programs, the administrator can also build profiles for in-house or other programs using AppArmor's characterization and behavior-learning tools.

Not everyone welcomes the release of AppArmor.

"Is this the beginning of the Unix wars all over again?" Walsh asked on a Live Journal blog he opened to express his views on the subject. In the early 1990s and late 1980s, different Unix vendors developed tools and applications that would only work with their own versions of Unix, later forcing them to expend considerable effort on cross-platform versions of these programs. As a result, Microsoft Corp. was able to gain significant market share by offering a single platform, with Windows NT, that could work across a wide variety of hardware.

By introducing a second MAC application into the open-source landscape, Novell is splintering the development community, Walsh charged. Only a limited number of developers have the expertise to work on such an application, and the effort Novell itself will put into AppArmor could have been applied to improving the user interface of SELinux.

"In the open-source world, we should be working together on a single product for people to use mandatory access control," Walsh said. Red Hat deploys SELinux for its own distribution, as do several other Linux distributions.

On the blog, Walsh also cast aspersions on the viability of AppArmor itself, pointing out that the program is easier to use because it doesn't control as many low-level aspects of system operation as SELinux does - aspects that are necessary to consider when setting up a secure environment.

"SELinux can be difficult to use because security is difficult to understand," Walsh said.

From isn at c4i.org Mon Feb 27 02:09:46 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 27 Feb 2006 01:09:46 -0600 (CST)
Subject: [ISN] Ernst & Young fails to disclose high-profile data loss
Message-ID:

http://www.theregister.co.uk/2006/02/25/ernst_young_mcnealy/

[If E&Y (or any business!) invested less than $50 in a little physical security, stories like this would be less commonplace. http://www.amazon.com/exec/obidos/ASIN/B00004Z6ON/c4iorg - WK]

By Ashlee Vance in Mountain View
25th February 2006

Exclusive Ernst and Young should go ahead and pony up for its own suite of transparency services. The accounting firm failed to disclose a high profile loss of customer data until being confronted by The Register.

Ernst and Young has lost a laptop containing data such as the social security numbers of its customers.
One of the people affected by the data loss appears to be Sun Microsystems CEO Scott McNealy, who was notified that his social security number and personal information have been compromised. While pushing all out transparency for its customers, Ernst and Young failed to cop to the security breach until contacted by us.

"We deeply regret that a laptop containing confidential client information was stolen, in what appears to be a random act, from the locked car of one of our employees," said Ernst and Young spokesman Charles Perkins. "The security and confidentiality of our client information is of critical importance to us. The computer was password-protected, and we have no reason to believe the data itself was targeted or that the information was accessed by anyone. We are notifying those clients whose information was contained on the computer."

Ernst and Young declined to comment on whether or not McNealy was affected. However, at last week's RSA security conference, McNealy noted that he received an e-mail from an "anonymous partner" detailing a loss of his private data.

"We determined that your name and social security number were among the data (lost)," the partner wrote to McNealy.

"This is an organization that we spend an enormous amount of money on to determine whether we are Sarbanes-Oxley compliant," McNealy said.

Digging through Sun's financial filings, you'll discover that Ernst and Young serves as the company's auditor and handles Sarbanes-Oxley consulting for Sun. A spokesman at Sun confirmed that Ernst and Young is still the company's auditor but declined to out the firm that lost McNealy's data.

It's difficult to determine how massive the Ernst and Young data loss was in this case. Today, though, we learned that a Deloitte and Touche CD containing information on McAfee employees was left in an airline seat pocket, exposing the social security numbers of close to 9,000 workers. Certainly, a laptop loss could be as damaging.
Ernst and Young declined to return our phone calls seeking more information about the breach and why it has "no reason to believe" the password could be cracked. It makes no mention of stronger security than simple password protection. The company only sent along the earlier statement. Ernst and Young has littered its web site with transparency advice for customers. The company, however, failed to make a public notification of the data loss. Such secrecy seems quite rich given the current climate surrounding security and the protection of customer data. One might ask how a company such as Ernst and Young can judge the transparency of Sun or other customers. Then again, the accounting firm could just stick with the "You have no privacy. Get over it" line. From isn at c4i.org Mon Feb 27 02:10:02 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 27 Feb 2006 01:10:02 -0600 (CST) Subject: [ISN] Medical records to go online Message-ID: http://www.news-press.com/apps/pbcs.dll/article?AID=/20060226/NEWS01/602260459/1075 By Michelle L. Start mstart @ news-press.com February 26, 2006 Carrying a prescription that he couldn't read and trying to get it filled at a local CVS store, Bonita Springs resident Sean Balke said he looks forward to the day when medical records will be online. "I don't get that many prescriptions, but this one is for back pain," said Balke, 32. "I can't read it." Starting on April 1, the first step toward having all medical records accessible online will begin in Florida. "We'll be rolling it out over the course of the year," said Rob Cronin, spokesman for SureScripts, which is launching the software in 10 states. "By the end of the year, we expect it to be statewide in Florida." Already 75 percent of Fort Myers pharmacies have signed up for the software, which has yet to go live. Cronin said those pharmacies include stores such as Albertsons, CVS, Kash 'N Karry, Publix, Walgreens and a number of independent pharmacies.
It's a big first step in a move to allow patients and physicians to monitor and access medical records online. Federal officials hope to launch software for that type of records-sharing by 2013. In this initial step, doctors will be able to file prescriptions through the SureScript system and pharmacists will be able to view a list of the patients' medications, which will provide an additional safety check. Ideally, pharmacists would catch any signs of possible drug interactions, and emergency room doctors would be able to check which medications are prescribed, which officials said will be extremely helpful if a patient is unconscious. Daniel Kinsella, vice president of The Rever Group consulting firm, said the process of writing prescriptions and then having patients obtain them in a retail setting while dealing with insurance, co-payments and record-keeping has been ineffective and tedious. "Physicians wrote prescriptions without knowledge of other medications that the patient was on, other than those that were self-reported," he said. "Pharmacy benefit and Medical Spending Account managers received and processed tons of paper. Patients were exposed to the inconveniences of delivering prescriptions to retail pharmacists, and the burden of tracking and reporting an array of active prescriptions to their physicians at time of service." By using electronic records, patients can benefit from the consolidation of information about all of their medications, prescribed by all of their doctors and the potential for reviewing new prescriptions for potential drug and food reactions, he said. Kinsella also pointed out that in the not-too-distant future, patients will be able to record the date and time that they take medications, ensuring a higher level of compliance with recommended dosage. "I'm not sure if it is a good thing because of privacy issues," said Vincent Mercogliano, 65, of Fort Myers. 
"If you have your records online, someone can find out which prescriptions you are on." He worried that it could lead to job loss and other possible ramifications. While officials said the online system will have tight security, some experts said there's no way to guarantee complete privacy regardless of whether it is prescription records or more detailed medical histories. "We have to worry about the hackers of the world," said Pati Trites, chief executive officer of Augusta, Mich.-based Compliance Resources. "There have already been some breaches in the pharmacy system." Her company monitors hospitals, doctors' offices and other medical professionals to see whether they are in compliance with HIPAA laws. Trites said during a recent survey, only 55 percent of health care providers and 72 percent of insurance companies were in compliance with the federal privacy protection laws. "We have to work on enforcement of tight security," she said. "The law is a year old. They're basically saying we're not compliant with the law." Trites said she's worried that once all medical records go online, patients could be exposed to some severe ramifications if those records become public. "You could have job loss, insurance denials, increasing rates and publicity," she said. "If you have a teacher with AIDS or Hepatitis C, that's protected information. You can come up with all types of scenarios. We have to find a secure way of transmitting and housing that information."

From isn at c4i.org Mon Feb 27 02:11:53 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 27 Feb 2006 01:11:53 -0600 (CST) Subject: [ISN] Linux Advisory Watch - February 24th 2006 Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                              Weekly Newsletter   |
|  February 24th, 2006                            Volume 7, Number 9a |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                      Benjamin D. Thomas
                dave at linuxsecurity.com        ben at linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for heimdal, GnuPG, pdfkit, tutos, netpbm, compat-db, kdebase, gnbd-kernel, cman-kernel, dlm-kernel, GFS-kernel, BomberClone, GnuPG, OpenSSH, GPdf, bluez-hcidump, libtiff, kernel, MySQL, tar, metamail, and CASA. The distributors include Debian, Fedora, Gentoo, Mandriva, and SuSE.

----

EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared toward providing an open source platform that is highly secure by default as well as easy to administer. EnGarde Secure Linux includes a select group of open source packages configured to provide maximum security for tasks such as serving dynamic websites, high availability mail transport, network intrusion detection, and more. The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are also freely available with GDSN registration.

http://www.engardelinux.org/modules/index/register.cgi

----

Writing Behind a Buffer

In this paper we are going to describe a kind of vulnerability that is known in the literature but also poorly documented. In fact, the problem that is going to be analyzed can be reduced to a memory adjacent overwriting attack, but usually it is obtained by exploiting the last null byte of a buffer; hence we are going to show that the same result is still possible writing behind a buffer, under certain conditions. To fully understand the subject of this article it is necessary to describe the memory organization[1] of running processes, then the memory adjacent overwrite attack, concluding with our analysis.

Memory Organization

A process can be defined as a running program: the operating system has loaded its instructions into memory and has allocated different areas of memory to manage its execution. The address space of a running process can be divided into five segments[1,2]:

* Code Segment: this segment contains the executable code of the program.
* Data and BSS Segment: both sections are dedicated to global variables and are allocated at compile time. To be clear, the BSS section contains uninitialized data while the data segment is reserved for static data.
* Stack Segment: local variables are allocated in this segment. It is particularly useful for storing context and function parameters. The stack memory grows downward.
* Heap Segment: this segment represents all the rest of the memory of the process. The heap memory grows upward and is allocated dynamically.

The memory adjacent overwrite attack exploits the memory allocated on the stack for automatic variables to produce a buffer overflow[6] and to gain control of the process execution flow.

Memory Adjacent Overwrite Attack

In recent years some articles[4,5] were released about exploiting non-terminated adjacent memory space. The problem exists when the last null byte terminating a buffer is overwritten and another buffer precedes it. In fact, when a buffer is declared it is terminated on the stack with a null byte to separate it from the rest of the stack. To be clear, let's bring an example written in C where we are going to use two buffers.

Read Full Paper
http://www.linuxsecurity.com/images/stories/writing-behind-a-buffer.pdf

----------------------

EnGarde Secure Community 3.0.4 Released

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.4 (Version 3.0, Release 4). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation.
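The two-buffer C example that the paper excerpt promises is not reproduced in the newsletter. The block below is an added illustration written for this digest, not the paper's own code: two adjacent 8-byte buffers placed in a struct (a constructed layout, chosen so that `second` is guaranteed to follow `first` with no padding), a copy that overwrites the byte where the terminator would sit, and the bounded copy that always keeps one. Function and field names are made up for this example. To keep the demonstration well-defined, the "string" that begins in `first` is measured with `memchr` over the struct's bytes rather than by calling `strlen` on an unterminated array, which is what a real program would do by accident.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Two adjacent fixed-size buffers, as in the paper's two-buffer example.
   Constructed for this illustration: both fields are char arrays, so there
   is no padding and `second` starts exactly 8 bytes after `first`. */
struct two_buffers {
    char first[8];
    char second[8];
};

/* Length of the string starting at p, never reading more than n bytes.
   Returns n when no terminator exists inside the region. */
static size_t bounded_strlen(const char *p, size_t n)
{
    const char *nul = memchr(p, '\0', n);
    return nul ? (size_t)(nul - p) : n;
}

/* 1 if buf[0..n) holds a NUL terminator, 0 otherwise: the check a reviewer
   wants after any fixed-size copy. */
static int is_terminated(const char *buf, size_t n)
{
    return memchr(buf, '\0', n) != NULL;
}

/* Hardened copy: truncates if needed and always writes a terminator. */
static void safe_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return;
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
}

/* The defect: strncpy with a source at least as long as the destination
   fills all 8 bytes of first[], so the byte that should hold the terminator
   is overwritten. Any string routine that later starts at first[] keeps
   reading into second[], which is the adjacency problem the paper describes.
   Returns the apparent length of the "string" seen from first[]. */
size_t apparent_length_after_unsafe_copy(void)
{
    struct two_buffers t;
    memset(&t, 0, sizeof t);
    strcpy(t.second, "secret");                      /* 6 chars + NUL, fits */
    strncpy(t.first, "AAAAAAAA", sizeof t.first);    /* 8 chars, no NUL left */
    if (is_terminated(t.first, sizeof t.first))      /* expected: not terminated */
        return 0;
    return bounded_strlen((const char *)&t, sizeof t); /* 8 + 6 = 14 */
}

/* The fix: safe_copy keeps 7 chars and terminates, so the string seen from
   first[] ends inside first[]. Returns that length. */
size_t apparent_length_after_safe_copy(void)
{
    struct two_buffers t;
    memset(&t, 0, sizeof t);
    strcpy(t.second, "secret");
    safe_copy(t.first, sizeof t.first, "AAAAAAAA");
    if (!is_terminated(t.first, sizeof t.first))     /* expected: terminated */
        return 0;
    return bounded_strlen((const char *)&t, sizeof t); /* 7 */
}

int main(void)
{
    printf("unsafe copy: apparent length %zu (runs on into the adjacent buffer)\n",
           apparent_length_after_unsafe_copy());
    printf("safe copy:   apparent length %zu (terminated inside first[])\n",
           apparent_length_after_safe_copy());
    return 0;
}
```

The unsafe path reports 14, the length of first[] plus the contents of second[], which is exactly how an adjacent buffer's contents leak into a string that was never meant to include them; the hardened path reports 7. Bounded copies that reserve the last byte for the terminator, and an explicit terminator check after each copy, are the two habits that close this class of bug.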
http://www.linuxsecurity.com/content/view/121560/65/ --- Linux File & Directory Permissions Mistakes One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com. http://www.linuxsecurity.com/content/view/119415/49/ --- Buffer Overflow Basics A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. http://www.linuxsecurity.com/content/view/119087/49/ -------- --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------------------+ | Distribution: Debian | ----------------------------// +---------------------------------+ * Debian: New heimdal packages fix several vulnerabilities 16th, February, 2006 Updated package. http://www.linuxsecurity.com/content/view/121646 * Debian: New GnuPG packages fix invalid success return 17th, February, 2006 Updated package. http://www.linuxsecurity.com/content/view/121658 * Debian: New pdfkit.framework packages fix several vulnerabilities 17th, February, 2006 Updated package. http://www.linuxsecurity.com/content/view/121665 * Debian: New tutos packages fix multiple vulnerabilities 22nd, February, 2006 Joxean Koret discovered several security problems in tutos, a web-based team organization software. The Common Vulnerabilities and Exposures Project identifies the following problems... 
http://www.linuxsecurity.com/content/view/121709 +---------------------------------+ | Distribution: Fedora | ----------------------------// +---------------------------------+ * Fedora Core 4 Update: netpbm-10.31-1.FC4.2 16th, February, 2006 Updated package. http://www.linuxsecurity.com/content/view/121656 * Fedora Core 4 Update: compat-db-4.2.52-2.FC4 17th, February, 2006 updated package. http://www.linuxsecurity.com/content/view/121666 * Fedora Core 4 Update: gnupg-1.4.2.1-1 17th, February, 2006 The GNU Privacy Guard provides encryption and signing for messages and arbitrary files, and implements the OpenPGP standard as described by IETF RFC2440. http://www.linuxsecurity.com/content/view/121667 * Fedora Core 4 Update: kdebase-3.5.1-0.3.fc4 17th, February, 2006 Updated package. http://www.linuxsecurity.com/content/view/121668 * Fedora Core 4 Update: gnbd-kernel-2.6.11.2-20050420.133124.FC4.57 22nd, February, 2006 Updated GFS & Cluster Suite packages for the latest kernel (kernel-2.6.15-1.1831_FC4). http://www.linuxsecurity.com/content/view/121718 * Fedora Core 4 Update: cman-kernel-2.6.11.5-20050601.152643.FC4.22 22nd, February, 2006 Updated GFS & Cluster Suite packages for the latest kernel (kernel-2.6.15-1.1831_FC4). http://www.linuxsecurity.com/content/view/121719 * Fedora Core 4 Update: dlm-kernel-2.6.11.5-20050601.152643.FC4.21 22nd, February, 2006 Updated GFS & Cluster Suite packages for the latest kernel (kernel-2.6.15-1.1831_FC4). http://www.linuxsecurity.com/content/view/121720 * Fedora Core 4 Update: GFS-kernel-2.6.11.8-20050601.152643.FC4.24 22nd, February, 2006 Updated GFS & Cluster Suite packages for the latest kernel (kernel-2.6.15-1.1831_FC4). 
http://www.linuxsecurity.com/content/view/121721 +---------------------------------+ | Distribution: Gentoo | ----------------------------// +---------------------------------+ * Gentoo: libtasn1, GNU TLS Security flaw in DER decoding 16th, February, 2006 A flaw in the parsing of Distinguished Encoding Rules (DER) has been discovered in libtasn1, potentially resulting in the execution of arbitrary code. http://www.linuxsecurity.com/content/view/121654 * Gentoo: BomberClone Remote execution of arbitrary code 16th, February, 2006 BomberClone is vulnerable to a buffer overflow which may lead to remote execution of arbitrary code. http://www.linuxsecurity.com/content/view/121655 * Gentoo: GnuPG Incorrect signature verification 18th, February, 2006 Applications relying on GnuPG to authenticate digital signatures may incorrectly believe a signature has been verified. http://www.linuxsecurity.com/content/view/121673 * Gentoo: OpenSSH, Dropbear Insecure use of system() call 20th, February, 2006 A flaw in OpenSSH and Dropbear allows local users to elevate their privileges via scp. http://www.linuxsecurity.com/content/view/121683 * Gentoo: GPdf Heap overflows in included Xpdf code 21st, February, 2006 GPdf includes vulnerable Xpdf code to handle PDF files, making it vulnerable to the execution of arbitrary code. http://www.linuxsecurity.com/content/view/121698 +---------------------------------+ | Distribution: Mandriva | ----------------------------// +---------------------------------+ * Mandriva: Updated kernel packages fix multiple vulnerabilities 17th, February, 2006 A number of vulnerabilities were discovered and corrected in the Linux 2.6 kernel: The udp_v6_get_port function in udp.c, when running IPv6, allows local users to cause a Denial of Service (infinite loop and crash) (CVE-2005-2973).
http://www.linuxsecurity.com/content/view/121669 * Mandriva: Updated bluez-hcidump packages fix buffer overflow vulnerability 17th, February, 2006 Buffer overflow in l2cap.c in hcidump allows remote attackers to cause a denial of service (crash) through a wireless Bluetooth connection via a malformed Logical Link Control and Adaptation Protocol (L2CAP) packet. http://www.linuxsecurity.com/content/view/121670 * Mandriva: Updated libtiff packages fix vulnerability 17th, February, 2006 Stack-based buffer overflow in libTIFF before 3.7.2 allows remote attackers to execute arbitrary code via a TIFF file with a malformed BitsPerSample tag. Although some of the previous updates appear to already catch this issue, this update adds some additional checks. http://www.linuxsecurity.com/content/view/121671 * Mandriva: Updated gnupg packages fix signature file verification vulnerability 17th, February, 2006 Tavis Ormandy discovered it is possible to make gpg incorrectly return success when verifying an invalid signature file. The updated packages have been patched to address this issue. http://www.linuxsecurity.com/content/view/121672 * Mandriva: Updated kernel packages fix multiple vulnerabilities 21st, February, 2006 A number of vulnerabilities have been discovered and corrected in the Linux 2.4 kernel: A numeric casting discrepancy in sdla_xfer could allow a local user to read portions of kernel memory via a large len argument (CVE-2004-2607). http://www.linuxsecurity.com/content/view/121701 * Mandriva: Updated MySQL packages fix temporary file vulnerability 22nd, February, 2006 Eric Romang discovered a temporary file vulnerability in the mysql_install_db script provided with MySQL. This vulnerability only affects versions of MySQL 4.1.x prior to 4.1.12. The updated packages have been patched to address this issue. 
http://www.linuxsecurity.com/content/view/121710 * Mandriva: Updated tar packages fix vulnerability 22nd, February, 2006 Gnu tar versions 1.14 and above have a buffer overflow vulnerability and some other issues including... http://www.linuxsecurity.com/content/view/121711 * Mandriva: Updated metamail packages fix vulnerability 23rd, February, 2006 Ulf Harnhammar discovered a buffer overflow vulnerability in the way that metamail handles certain mail messages. An attacker could create a carefully-crafted message that, when parsed via metamail, could execute arbitrary code with the privileges of the user running metamail. http://www.linuxsecurity.com/content/view/121722 +---------------------------------+ | Distribution: Red Hat | ----------------------------// +---------------------------------+ * RedHat: Low: tar security update 21st, February, 2006 An updated tar package that fixes a path traversal flaw is now available. This update has been rated as having low security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/121693 * RedHat: Important: metamail security update 21st, February, 2006 An updated metamail package that fixes a buffer overflow vulnerability for Red Hat Enterprise Linux 2.1 is now available. This update has been rated as having important security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/121694 +---------------------------------+ | Distribution: SuSE | ----------------------------// +---------------------------------+ * SuSE: gpg,liby2util signature checking 20th, February, 2006 With certain handcraftable signatures GPG was returning a 0 (valid signature) when used on command-line with option --verify. This only affects GPG version 1.4.x, so it only affects SUSE Linux 9.3 and 10.0. Other SUSE Linux versions are not affected. http://www.linuxsecurity.com/content/view/121681 * SuSE: CASA remote code execution 22nd, February, 2006 Updated package. 
http://www.linuxsecurity.com/content/view/121705 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ From isn at c4i.org Mon Feb 27 02:13:41 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 27 Feb 2006 01:13:41 -0600 (CST) Subject: [ISN] Ernst & Young loses four more laptops Message-ID: http://www.theregister.co.uk/2006/02/26/ey_laptops/ [E&Y may be number two in revenue and employees, but it appears to be number one when it comes to losing laptops... - WK] By Ashlee Vance in Mountain View 26th February 2006 Ernst and Young appears set on establishing a laptop loss record in February. The accounting giant has lost four more systems, according to a report in the Miami Herald. A group of Ernst and Young auditors toddled off for lunch on Feb. 9, leaving their laptops in an office building conference room. According to security footage, two men entered the conference room a couple of minutes after the Ernst and Young staffers left and walked off with four Dell laptops valued at close to $8,000, the paper reported [1]. This theft follows a higher-profile incident in which an Ernst and Young employee lost his laptop containing the social security numbers and other personal information of customers. One such customer happened to be Sun Microsystems CEO Scott McNealy who was told that his social security number had been compromised - an incident first reported here [2]. The laptop with McNealy's data was stolen from an employee's car, according to Ernst and Young. It's unclear what type of security Ernst and Young had on the four laptops pinched in Miami. It maintains that the laptop containing McNealy's information was password protected. 
Ernst and Young has failed to issue a public statement about these breaches despite being a major advocate of transparency in such issues in its role as an auditor and corporate advisor. [1] http://www.miami.com/mld/miamiherald/news/local/states/florida/counties/broward_county/cities_neighborhoods/weston/13947682.htm [2] http://www.theregister.co.uk/2006/02/25/ernst_young_mcnealy/ From isn at c4i.org Tue Feb 28 03:03:42 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 28 Feb 2006 02:03:42 -0600 (CST) Subject: [ISN] Security wars: Novell SELinux killer rattles Red Hat Message-ID: Forwarded from: Kurt Seifried This article is somewhat... retarded. AppArmour (formerly called SubDomain) is easier to configure and manage in some respects, the rulesets are easier to read. "By introducing a second MAC application into the open-source landscape, Novell is splintering the development community, Walsh charged. Only a limited number of developers have the expertise to work on such an application, and the effort Novell itself will put into AppArmor could have been applied to improving the user interface of SELinux." However like AppArmour there are front ends for SELinux, such as Tresys' "Setools". Additionally you can manage the rules manually (it's just text files, granted a bit on the huge and complicated side but nothing impossible). The Tresys tool for example includes the capability to let you run SELinux in permissive warning mode (so it'll allow but log violations), you can then parse the audit file to build a profile. You can also do this manually using grep and other common command line tools to build a ruleset. To compare SELinux/AppArmour to the UNIX wars is.. odd. You can run either one, and you can convert policies back and forth (guess what, they basically specify the same bits of information in the end).
It wouldn't be impossible (in fact it would be relatively easy) for an application vendor to ship both an AppArmour and SELinux profile with their software, minimizing any problems for end users. As for Red Hat complaining about Novell trying to split the market, that's one of the sillier things I've ever read. Isn't one of the benefits of OpenSource that we have access to the code and minimal vendor lock in, i.e. a choice of the best solution for me? It's somewhat disturbing to me to see such comments coming out of Red Hat. Personally I would love it if Red Hat shipped both SELinux and AppArmour, I have had to disable SELinux on several machines specifically because Red Hat's policies for the Apache HTTP web server are too restrictive, and manually fixing the SELinux policies is more trouble right now than it's worth (it's on my todo list... someday). AppArmour would allow me to quickly allow the extra things required by the application. -Kurt From isn at c4i.org Tue Feb 28 03:04:01 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 28 Feb 2006 02:04:01 -0600 (CST) Subject: [ISN] Security pros must improve, says new body Message-ID: http://www.techworld.com/security/news/index.cfm?NewsID=5459 By Maxwell Cooter Techworld 27 February 2006 The IT security industry is ill-served by its existing accreditation procedure and needs more help in handling the increasing number of security threats. That's the view of the newly-established Institute of Information Security Professionals (IISP) [1] which has been set up to address the knowledge gap in this area. Speaking at the London launch, the institute's chairman, Paul Dorey, said that the organisation had been formed for two reasons: one was to address the growing demand for information on security, and the second was to address the issue of professional accountability.
He said that existing qualifications such as degree level IT security courses and Cisco's CCSP [2] were excellent in their own way but they were "knowledge qualifications". He said that security professionals needed more than just technical knowledge to do their jobs effectively, likening them to young doctors who needed mentoring after completing the formal part of their medical training. The IISP has been backed by industry, academia and the UK government. The launch was held at the Department of Trade and Industry (DTI) which has already applied to be one of the founder members. The organisation's CEO, Nick Coleman, said that the DTI was in good company. "We have more than 220 applications from individuals and 20 applications from corporates before the formal launch. We're already overwhelmed." He said that there were three types of membership: full (to be launched in September this year), associate and affiliate. He said that associate members would have to demonstrate technical expertise and full members would be expected to meet even more rigorous criteria. "We will carry out due diligence on all applicants," he said. Coleman said that although the IISP had been set up as a UK organisation, it had already had applications from the U.S., Australia, France and South Korea. "It was our intention to go global at some point in the future," he said, but he thought that the interest from other countries was an indication of the need for such an organisation. The IISP is set to announce a series of initiatives at the forthcoming Infosec exhibition and conference to be held in London in April.
[1] http://www.instisp.com/ [2] http://www.cisco.com/web/learning/le3/le2/le37/le54/learning_certification_type_home.html From isn at c4i.org Tue Feb 28 03:04:13 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 28 Feb 2006 02:04:13 -0600 (CST) Subject: [ISN] Oracle publishes out-of-cycle security fix Message-ID: http://www.networkworld.com/news/2006/022706-oracle-security-fix.html By Robert McMillan IDG News Service 2/27/06 Oracle has released a critical security patch to the company's E-Business Suite software. The patch, which was released nearly two months ahead of Oracle's next regularly scheduled security updates, fixes a number of vulnerabilities in the Oracle Diagnostics troubleshooting component of the company's E-Business Suite 11i. Oracle executives could not immediately be reached for comment on the update, but the company is advising customers to apply the patch "due to the number of security fixes included," according to enterprise software consulting firm Integrigy. The problems relate to the Oracle Diagnostics Web pages and to the Java classes included with the software, which could be inappropriately used by an attacker. "The most significant issue with the Oracle diagnostics is that some of the diagnostics can be executed without any authentication," Integrigy said in an analysis of the patch. Though Oracle has been issuing its quarterly security updates for only about a year now, it is "standard procedure" for the company to include security fixes in out-of-cycle releases such as the Diagnostics patch. It is, however, unprecedented for Oracle to inform customers of such security fixes, Integrigy said. Oracle probably took this step to speed up adoption of the patch, the consulting firm said. "My guess is that it's just serious enough that they really felt it was necessary to release it early," said Johannes Ullrich, chief technical officer of the SANS Internet Storm Center. Oracle's next security update is scheduled for April 18. 
Oracle customers can find more information about the patch (document ID: 226429.1) on the Oracle MetaLink site. From isn at c4i.org Tue Feb 28 03:04:27 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 28 Feb 2006 02:04:27 -0600 (CST) Subject: [ISN] IRS needs to tighten security settings: TIGTA Message-ID: http://www.gcn.com/vol1_no1/daily-updates/38341-1.html By Mary Mosquera GCN Staff 02/27/06 The IRS has not consistently maintained the security settings it established and deployed under a common operating environment (COE), resulting in a high risk of exploitation for some of its computers, according to the Treasury Department's inspector general for tax administration. The IRS has adopted a common operating environment for security configurations on all of its workstations. The common environment lets IRS control security configuration settings and software on workstations by using one master COE template, which the IRS installs on its computers. The IRS has installed the master COE image on 95 percent of its computers, TIGTA said in its report [1] released today. Agencies must be able to control security settings under the Federal Information Security Management Act to strengthen the security of federal systems. "The COE essentially minimizes the risk of someone compromising computers on the IRS network," said Michael Phillips, TIGTA's deputy inspector general for audit, in the report. Of 102 computers tested, only 41 percent continued to be in compliance; 59 percent were not or contained at least one high-risk vulnerability that would allow the computer to be exploited or rendered unusable. Almost one-half of the compliant computers contained at least one incorrect setting that could allow employees to circumvent security controls established by the common operating environment. Also, at the time of the audit, the COE security settings had not been installed on more than 4,700 computers. 
Without them, computers were missing security patches and at high risk for viruses. TIGTA recommended that the IRS hold system administrators accountable for maintaining adequate security settings and periodically check configurations on a sample of computers to assure that they continue to comply with the COE. Computers that do not have the common environment should have it installed, or the computers replaced or brought manually into compliance with the prescribed security configurations, TIGTA said in its report. In addition, the IRS at the time did not own a software license tracking or metering tool that could identify software use for a baseline inventory. For example, the IRS spends up to $32 million annually for Microsoft Office suite products. But the IRS could not explain how it arrived at the number of licenses needed. "Without the ability to track software usage and licenses, the IRS may have unused licenses available that could be redistributed or have licenses that are not needed," Phillips said. The IRS has established a combined Modernization and Information Technology Services organization to prioritize corrective actions that were recommended, which reduces the security risk, IRS CIO Todd Grams said in a response last month. "We believe the recommendations in this audit are low-risk control deficiencies," he said. Also, as the tax agency has replaced computers and moved from the Windows NT environment, more computers are running the common operating environment security control settings. The IRS will direct system administrators this week to ensure that the password-protected start-up process is enabled and that the system administrator accounts are limited to those who need them to carry out their responsibilities. The IRS has already targeted noncompliant workstations with distribution of baseline COE patches and security settings. By June, IRS will develop a recurring report to identify those computers that do not meet the current version.
By August, the IRS will deploy a software metering tool to gather data about software usage and related costs. And to improve oversight of its software licensing, the IRS will implement a software inventory application by October.

[1] http://www.ustreas.gov/tigta/auditreports/2006reports/200620031fr.pdf

From isn at c4i.org Tue Feb 28 03:05:25 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 28 Feb 2006 02:05:25 -0600 (CST)
Subject: [ISN] Credibility Of Analysts
Message-ID:

http://www.informationweek.com/industries/showArticle.jhtml?articleID=178601879

By Larry Greenemeier and Paul McDougall
InformationWeek
Feb 6, 2006

Research firms make their living by offering expert advice to business and technology people about the best ways to invest their IT dollars. It can be invaluable insight, but only if that analysis comes with no strings attached. And on that, there's no guarantee.

Forrester, Gartner, IDC, and others insist their output is squeaky clean, yet they also rake in millions providing services to the very same companies they monitor, heavyweights like Cisco, IBM, Microsoft, and Oracle. Which leads to a question that continues to dog the research firms: How much influence do technology vendors have over their work?

At issue are business practices that beg for closer scrutiny. For example, it's not uncommon for IT research firms to write reports that are funded directly by tech vendors. Money changes hands, and the vendor that commissions a report often reviews it before general distribution. Microsoft's "Get The Facts" marketing campaign has made liberal use of sponsored research to tout the benefits of Windows over Linux. Such reports aren't always clearly marked as having a vendor's backing. A 47-page white paper by Security Innovation, published in November, mentions that it was funded by Microsoft at the bottom of page 6.

Analysts also show up in the marketing programs of the companies they cover.
IDC's Bob O'Donnell recently made an appearance in a video produced by thin-client vendor Wyse Technology on the advantages of thin-client computing. IDC also published a report, sponsored by Wyse, that found the software and hardware costs of thin clients to be 40% lower than PCs. Wyse, it turns out, is an IDC client.

And there are hard-to-prove grumblings among small vendors that they have a better chance of being covered by a research firm if they are paying clients. It's called pay-for-play, and it's an issue that the overseers of Gartner's office of the ombudsman do their best to dispel on their Weblog (ombudsman.blog.gartner.com).

InformationWeek went to senior executives of leading IT research and advisory firms to ask how they're addressing questions of objectivity and customer trust. Not surprisingly, all say they're committed to delivering information services of the highest integrity. "We are independent--that is not an issue at all," Gartner CEO Gene Hall says. Maybe, but we also see troubling practices that continue to cast doubt over their best intentions.

[...]
