From isn at c4i.org Wed Aug 4 13:44:29 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 4 13:53:05 2004
Subject: [ISN] DEFCON 12: Feds Yes, Anarchy No
Message-ID:

http://www.theinquirer.net/?article=17625

[The lack of ISN postings for the last few days was because I was attending Defcon, a few little grumbles I will go into later, but I did attend the "Crimethinc" talk expecting the speaker to leave that talk bloodied, which it nearly came to. Priest (the lead Goon) did hold a little "Spot the Fed" before the talk to make "Crimethinc" well aware of the number of Feds in the room, not to mention the six or so that he invited in to watch. - WK]

By Doug Mohney
03 August 2004

DEFCON 12, the longest-running hacker conference in creation, was a little more laid back this year despite selling out all of their 4,000 badges on the first day. People seemed to be less angry and the queues to get into speeches moved along rather promptly. Even the always-amusing cultural contrasts were turned down a bit, but the Jesus Phreakers still had a table next to the more titillating Culture Junkie in the vendor's room.

DEFCON 12's de facto guest of honor was Robert Morris, National Security Agency's Chief Scientist from 1986 to 1994. With his scraggly beard and unfiltered Camels, Morris would have blended in well with the retirees pumping quarters in the slot machines over at Sam's Town. Morris was quite happy wandering about talking to the gawking youth and dropping hints that he didn't really like John Ashcroft.

Morris was one of a group of current and former U.S. government employees that appeared on the "Meet the Fed" panel on Saturday afternoon. It was the first time in several years Feds had officially spoken at DEFCON and the panelists used the first half of their presentation as an ad hoc recruiting pitch. Uncle Sam wants talented and clean (i.e. no arrests or documented bad behavior) computer security people.
"You can get up to 70 or 75 percent of your student loans forgiven," repeated one official. The U.S. government has a large number of open computer security positions to fill and has a tough time retaining employees. Entry-level employees join up, learn the ropes, and then end up departing 3 to 4 years later for more lucrative private sector positions.

The warm welcome and love the Feds felt was nothing compared to the reception one self-styled "Revolutionary Hacker Anarchist" calling himself "Crimethinc" got during his presentation on "Electronic Civil Disobedience." Starting out as an introduction to the theory of hacker activism, the talk quickly degenerated into comedy with a full-blown rant against Capitalist Pigs combined with a Very Public description of how the Republican National Committee and various corporate web sites would supposedly be attacked one week before the convention and the day of the convention. He finished off his rant by encouraging destructive property actions against buses and harassment of RNC convention delegates in New York City. "We will have a list of the hotels they are staying at and the Broadway plays they are attending," stated Crimethinc.

His finish turned the audience against him and earned him two reprimands from DEFCON staff, first a short "You crossed the line, you can't say THAT," from red-shirted DEFCON "goon" staff, followed by a more eloquent and perhaps unprecedented statement from "Priest," a long-time DEFCON staffer/legend. Priest very clearly stated that DEFCON staff and planners in no way, shape, or form encouraged the views of Crimethinc, or breaking the law, and went on to emphasize that if people wish to protest injustice, they should do so within the law.

The young Crimethinc was quickly escorted off the stage to a holding area by a pair of DEFCON staffers as several angry audience members rushed the stage to confront him. "He should be beaten in front of the Bellagio," remarked one frustrated woman.
(The Bellagio is among the most elegant casino/hotels on the Vegas Strip).

On a more upbeat note, the Electronic Frontier Foundation (EFF) was raking in the dollars from a fishbowl for donations at their table in the vendor area and a dunking booth outside. DEFCON organizer Jeff Moss took his turn in the booth getting wet for the EFF.

From isn at c4i.org Wed Aug 4 13:45:18 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 4 13:53:06 2004
Subject: [ISN] ITL Bulletin for August 2004
Message-ID:

Forwarded from: Elizabeth Lennon

ELECTRONIC AUTHENTICATION: GUIDANCE FOR SELECTING SECURE TECHNIQUES

Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

Our citizens and businesses benefit when they can easily access convenient electronic services provided by federal agencies via the Internet. To assure the security of these electronic services, agencies often need a process for verifying the identity of the remote users of their information systems. The process of electronic authentication (e-authentication) can be securely implemented using currently available techniques that give the information system provider a level of assurance about the user's identity.

In December 2003, the Office of Management and Budget (OMB) issued Memorandum M-04-04, E-Authentication Guidance for Federal Agencies, to help federal agencies provide secure electronic services that protect individual privacy. The memorandum advises agencies to review their electronic transactions, determine which transactions require e-authentication, and provide an appropriate level of assurance for those transactions that require authentication.
M-04-04 describes four levels of identity assurance and calls on the National Institute of Standards and Technology (NIST) to develop technical guidance for agencies to use for identifying the appropriate authentication technologies that meet their requirements.

Electronic Authentication Guideline

NIST's Information Technology Laboratory recently issued NIST Special Publication (SP) 800-63, Electronic Authentication Guideline, by William E. Burr, Donna F. Dodson, and W. Timothy Polk, which provides technical guidance on existing and widely implemented methods for remote authentication. The methods described in the new guideline are based on the application of secret information that is known by the individual to be authenticated and that is used to create identity credentials. This ITL Bulletin summarizes the new guideline.

NIST SP 800-63 identifies minimum technical requirements for remotely authenticating the identity of users and provides guidance for each of the four levels of authentication that OMB defines in M-04-04. Topics covered in the guideline include discussion of the e-authentication process, the use of tokens, identity proofing, authentication protocols, and assertion mechanisms. Definitions of technical terms, references to general and NIST publications, and specific information about the use of passwords are also included in the publication.

The e-authentication guide is available in electronic format from the NIST Computer Security Resource Center at http://csrc.nist.gov/publications. When used with other government guidance, recommendations, and publications available on the website, the guide will help organizations to develop a comprehensive approach for determining the appropriate level of e-authentication assurance that they need and to select the best available technical solutions.
The Authentication Process

A user wishing to perform an electronic transaction with an agency should be authenticated through a process that starts with the individual proving identity to a trusted authority and registering a secret for later use. The user, as an applicant, registers with a Registration Authority (RA). The applicant undergoes identity proofing by the RA and, if the applicant's identity is verified, the RA requests that a Credentials Service Provider (CSP) issue digital credentials, binding a token (a secret) to the identity. The applicant becomes a subscriber of the CSP and is a claimant to a verifier when authenticating.

Authentication that the claimant is a subscriber is accomplished by proving to the verifier that the claimant controls the token registered to the subscriber. The verifier may be a relying party (typically a government website), or the verifier may be a separate entity that provides assertions to the relying party about the identity or other attributes of the subscriber. Authentication of the agency server or the verifier to the user is accomplished by proving that the server also controls its own token.

In electronic commerce, these functions may be consolidated and partitioned in different ways. For example, a bank might perform the RA, CSP, and Verifier functions for its customers (subscribers). A bank customer authenticating to an agency information system may be referred to the bank for authentication, using the password created for financial transactions. The institution then may issue assertions about the subscriber's identity to the agency. In some cases, an employer might register its employees with an independent public key Certification Authority (CA) that issues credentials (public key certificates) directly to the employee-subscribers. Or an employer might operate as both the RA and CA.
NIST SP 800-63 covers these examples, as well as additional alternatives, in which the basic elements of authentication may be combined in different ways to respond to specific needs.

Authentication Factors

Authentication systems are frequently described by the authentication factors that they incorporate. The three factors often considered as the cornerstone of authentication are:

* Something you know (for example, a password);
* Something you have (for example, an ID badge or a cryptographic key); and
* Something you are (for example, a voice print or other biometric measurement).

Authentication systems that incorporate all three factors are stronger than systems that incorporate only one or two of the factors. The system may be implemented so that multiple factors are presented to the verifier, or some factors may be used to protect a secret that will be presented to the verifier. For example, a hardware device that holds a cryptographic key might be activated by a password or the hardware device might use a biometric representation to activate the key. This type of device provides two-factor authentication, although the actual authentication protocol between the verifier and the claimant only proves possession of the key.

Determining Assurance Levels

OMB advises that agencies follow a five-step process in determining the appropriate assurance level for their applications:

* Conduct a risk assessment for e-authentication of the system. The risk analysis measures the severity of potential harm and the likelihood of occurrence of adverse impacts to the system if there is an error in identity authentication. Guidance for conducting a risk analysis is available in OMB Circular A-130 and in NIST SP 800-30, Risk Management Guide for Information Technology Systems.
* Map identified risks to the applicable assurance level. After all of the risks have been identified, agencies should tie the potential impact of the risks to the proper level of authentication to be used.
* Select technology based on e-authentication technical guidance. OMB advises that agencies refer to the technical guidance issued by NIST.
* Validate that the implemented system has achieved the required assurance level. A final validation is needed to confirm that the system achieves the required level of assurance, and that the selected authentication process satisfies requirements.
* Periodically reassess the system to determine technology refresh requirements. Reassessments ensure that the authentication requirements continue to be valid as technology and requirements change.

The required level of authentication assurance should be determined, based on the potential impacts of an authentication error on:

* Inconvenience, distress, or damage to standing or reputation;
* Financial loss or agency liability;
* Harm to agency programs or public interests;
* Unauthorized release of sensitive information;
* Personal safety; and/or
* Civil or criminal violations.

OMB defines four levels of authentication assurance for electronic transactions requiring assurance and identifies the criteria for determining the level of e-authentication assurance required for specific applications and transactions, based on the risks and their likelihood of occurrence. As the consequences of an authentication error and misuse of credentials become more serious, the required level of assurance increases. Level 1 is the lowest assurance, and Level 4 is the highest. The levels are based on the degree of confidence needed in the process used to establish identity and in the proper use of the established credentials.

* Level 1 - Little or no confidence in the asserted identity's validity.
* Level 2 - Some confidence in the asserted identity's validity.
* Level 3 - High confidence in the asserted identity's validity.
* Level 4 - Very high confidence in the asserted identity's validity.
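The two-factor case described under Authentication Factors (a stored cryptographic key that a password activates, while the protocol to the verifier proves only possession of the key) as an added example. This is illustrative code written for this bulletin summary, not code from NIST or SP 800-63. Assumptions: the token is a "soft" token whose 32-byte symmetric key is held in a file wrapped under a PBKDF2-derived key; wrapping is XOR with a full-length derived pad plus an HMAC tag, a stand-in for an approved key-wrapping algorithm; the proof of possession is an HMAC over a verifier challenge, so the verifier holds a copy of the key; the iteration count, sample password and sample key are made up.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example: a password-activated "soft" token. The verifier never sees the
# password; it only sees proof that the claimant possesses the unwrapped key.

PBKDF2_ITERATIONS = 100_000  # assumed work factor, not a value from the guideline


def _derive(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive a 32-byte wrapping pad and a 32-byte integrity key from the password."""
    material = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def wrap_token_key(token_key: bytes, password: str) -> dict:
    """Provisioning side: store the token key locked under the user's password.
    XOR with a one-use derived pad stands in for an approved key-wrap algorithm."""
    assert len(token_key) == 32
    salt = os.urandom(16)
    pad, mac_key = _derive(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(token_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unlock_token(stored: dict, password: str) -> Optional[bytes]:
    """Factor 1 (something you know) activates factor 2 (something you have).
    A wrong password fails the integrity check and yields no key at all."""
    pad, mac_key = _derive(password, stored["salt"])
    expected = hmac.new(mac_key, stored["salt"] + stored["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, stored["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(stored["wrapped"], pad))


def prove_possession(token_key: bytes, challenge: bytes) -> bytes:
    """Claimant to verifier: the protocol message proves possession of the key only."""
    return hmac.new(token_key, challenge, hashlib.sha256).digest()


def verifier_accepts(registered_key: bytes, challenge: bytes, proof: bytes) -> bool:
    """Verifier side: recompute over the registered key and compare in constant time."""
    return hmac.compare_digest(prove_possession(registered_key, challenge), proof)


def authenticate(stored: dict, password: str, registered_key: bytes, challenge: bytes) -> bool:
    """End to end: unlock the token with the password, answer the challenge, verify."""
    key = unlock_token(stored, password)
    if key is None:
        return False
    return verifier_accepts(registered_key, challenge, prove_possession(key, challenge))


# Constructed provisioning run (sample data for the example, not real credentials).
TOKEN_KEY = hashlib.sha256(b"constructed token key for the example").digest()
STORED_TOKEN = wrap_token_key(TOKEN_KEY, "correct horse")

if __name__ == "__main__":
    challenge = os.urandom(16)
    print("right password:", authenticate(STORED_TOKEN, "correct horse", TOKEN_KEY, challenge))
    print("wrong password:", authenticate(STORED_TOKEN, "wrong", TOKEN_KEY, challenge))
```

The point to notice is where the password stops: it is consumed locally to unwrap the key and never appears in the proof sent to the verifier, which is exactly why the guideline counts the device as two-factor even though the protocol itself only proves possession of the key.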
Determining Technical Requirements

After determining the assurance level needed for each of the areas of potential impact, agencies should determine the required overall assurance level. The NIST guidance defines technical requirements for each of the four levels of assurance in the following areas:

* Tokens (typically a cryptographic key or password) for proving identity. Passwords and symmetric cryptographic keys are shared secrets, which both the claimant and the verifier must protect. Asymmetric cryptographic keys have a private key (which only the subscriber knows) and a related public key, which can be made publicly available through a public key certificate issued by a Public Key Infrastructure (PKI).
* Identity proofing, registration, and the delivery of credentials that bind an identity to a token. This process may be done remotely or in person, depending upon the level of assurance required for the system.
* Remote authentication mechanisms, that is, the combination of credentials, tokens, and authentication protocols used to establish that a claimant is in fact the claimed subscriber.
* Assertion mechanisms used to communicate the results of a remote authentication to other parties. Assertions issued by verifiers about claimants as a result of a successful authentication are either digitally signed by their issuers or are obtained directly by relying parties from a trusted party via a secure authentication protocol.

Authentication protocols provide a way for a claimant to prove control of a token to a verifier without being compromised by eavesdroppers or other attackers. Eavesdroppers can compromise otherwise secure protocols used with symmetric keys if the tokens are passwords.

Summary of Requirements for Levels 1 Through 4

Following is a summary of the technical requirements specified in NIST SP 800-63 for the four levels of assurance defined by OMB:

Level 1 requires little or no confidence in the asserted identity.
No identity proofing is required at this level, but the authentication mechanism should provide some assurance that the same claimant is accessing the protected transaction or data. A wide range of available authentication technologies can be employed and any of the token methods of Levels 2, 3, or 4, including Personal Identification Numbers (PINs), may be used. To be authenticated, the claimant must prove control of the token through a secure authentication protocol. Plaintext passwords or secrets are not transmitted across a network at Level 1. However, this level does not require cryptographic methods that block offline attacks by an eavesdropper. For example, simple password challenge-response protocols are allowed. In many cases, an eavesdropper, having intercepted such a protocol exchange, will be able to find the password with a straightforward dictionary attack. At Level 1, long-term shared authentication secrets may be revealed to verifiers. Assertions issued about claimants as a result of a successful authentication are either cryptographically authenticated by relying parties (using approved methods) or are obtained directly from a trusted party via a secure authentication protocol.

Level 2 requires confidence that the asserted identity is accurate. Level 2 provides for single-factor remote network authentication, including identity-proofing requirements for presentation of identifying materials or information. A wide range of available authentication technologies can be employed, including any of the token methods of Levels 3 or 4, as well as passwords. Successful authentication requires that the claimant prove through a secure authentication protocol that the claimant controls the token. Eavesdropper, replay, and online guessing attacks are prevented.
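The Level 1 weakness described above, a simple password challenge-response that keeps the password off the wire and resists replay but hands an eavesdropper something to attack offline, as an added example. This code is written for this summary and is not from NIST or SP 800-63. Assumptions: the response is HMAC-SHA256 keyed with the password over a random verifier challenge; the captured challenge, the password "hunter2" and the short word list are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Added example: a toy Level 1 style password challenge-response protocol and
# the offline dictionary attack an eavesdropper can run against one captured
# exchange.


def new_challenge(nbytes: int = 16) -> bytes:
    """Verifier side: a fresh unpredictable nonce for each authentication attempt."""
    return os.urandom(nbytes)


def respond(password: str, challenge: bytes) -> bytes:
    """Claimant side: prove knowledge of the password without transmitting it."""
    return hmac.new(password.encode("utf-8"), challenge, hashlib.sha256).digest()


def verify(stored_password: str, challenge: bytes, response: bytes) -> bool:
    """Verifier side: recompute and compare in constant time. Note the verifier
    holds the long-term secret itself, which Level 1 permits and higher levels
    restrict to verifiers operated by the CSP."""
    return hmac.compare_digest(respond(stored_password, challenge), response)


def offline_dictionary_attack(
    challenge: bytes, response: bytes, wordlist: Iterable[str]
) -> Optional[str]:
    """Eavesdropper side: with one captured (challenge, response) pair the attacker
    tests candidates at its own speed; the verifier's rate limiting never applies."""
    for candidate in wordlist:
        if hmac.compare_digest(respond(candidate, challenge), response):
            return candidate
    return None


# Constructed sample exchange (not a real capture).
CAPTURED_CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
CAPTURED_RESPONSE = respond("hunter2", CAPTURED_CHALLENGE)
WORDLIST = ["123456", "password", "letmein", "hunter2", "qwerty"]


def demo() -> dict:
    """Legitimate login succeeds, replaying the capture against a fresh challenge
    fails, and the eavesdropper still recovers the password offline."""
    fresh = new_challenge()
    return {
        "legit_login_ok": verify("hunter2", CAPTURED_CHALLENGE, CAPTURED_RESPONSE),
        "replay_against_fresh_challenge_ok": verify("hunter2", fresh, CAPTURED_RESPONSE),
        "eavesdropper_recovers": offline_dictionary_attack(
            CAPTURED_CHALLENGE, CAPTURED_RESPONSE, WORDLIST
        ),
    }


if __name__ == "__main__":
    print(demo())
```

The replay check passes and the plaintext never appears on the wire, which is all Level 1 asks for; the dictionary loop is the offline attack Level 2 requires approved cryptographic techniques to rule out, since whatever the eavesdropper captures at Level 2 must give it nothing it can test password guesses against.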
Long-term shared authentication secrets, if used, are never revealed to any party except the claimant and verifiers operated by the CSP; however, session (temporary) shared secrets may be provided to independent verifiers by the CSP. Approved cryptographic techniques are required. Assertions issued about claimants as a result of a successful authentication are either cryptographically authenticated by relying parties (using approved methods) or are obtained directly from a trusted party via a secure authentication protocol.

Level 3 is appropriate for transactions that need high confidence in the accuracy of the asserted identity. Level 3 provides multifactor remote network authentication. At this level, identity-proofing procedures require verification of identifying materials and information. Authentication is based on proof of possession of a key or password through a cryptographic protocol. Cryptographic strength mechanisms should protect the primary authentication token (a cryptographic key) against compromise by the protocol threats, including eavesdropper, replay, online guessing, verifier impersonation, and man-in-the-middle attacks. A minimum of two authentication factors is required. Three kinds of tokens may be used:

* "soft" cryptographic token, which has the key stored on a general-purpose computer,
* "hard" cryptographic token, which has the key stored on a special hardware device, and
* "one-time password" device token, which has a symmetric key stored on a personal hardware device that is a cryptographic module validated at FIPS 140-2 Level 1 or higher.

Validation testing of cryptographic modules and algorithms for conformance to Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules, is managed by NIST. Authentication requires that the claimant prove control of the token through a secure authentication protocol.
The token must be unlocked with a password or biometric representation, or a password must be used in a secure authentication protocol, to establish two-factor authentication. Long-term shared authentication secrets, if used, are never revealed to any party except the claimant and verifiers operated directly by the CSP; however, session (temporary) shared secrets may be provided to independent verifiers by the CSP. Approved cryptographic techniques are used for all operations. Assertions issued about claimants as a result of a successful authentication are either cryptographically authenticated by relying parties (using approved methods) or are obtained directly from a trusted party via a secure authentication protocol.

Level 4 is for transactions that need very high confidence in the accuracy of the asserted identity. Level 4 provides the highest practical assurance of remote network authentication. Authentication is based on proof of possession of a key through a cryptographic protocol. This level is similar to Level 3 except that only "hard" cryptographic tokens are allowed, cryptographic module validation requirements are strengthened, and subsequent critical data transfers must be authenticated via a key that is bound to the authentication process. The token should be a hardware cryptographic module validated at FIPS 140-2 Level 2 or higher overall with at least FIPS 140-2 Level 3 physical security. This level requires a physical token, which cannot readily be copied, and operator authentication at Level 2 and higher, and ensures good, two-factor remote authentication. Level 4 requires strong cryptographic authentication of all parties and all sensitive data transfers between the parties. Either public key or symmetric key technology may be used. Authentication requires that the claimant prove through a secure authentication protocol that the claimant controls the token.
Eavesdropper, replay, online guessing, verifier impersonation, and man-in-the-middle attacks are prevented. Long-term shared authentication secrets, if used, are never revealed to any party except the claimant and verifiers operated directly by the CSP; however, session (temporary) shared secrets may be provided to independent verifiers by the CSP. Strong approved cryptographic techniques are used for all operations. All sensitive data transfers are cryptographically authenticated using keys bound to the authentication process.

Electronic identity credentials bind an identity (name) to a token. In some cases, they may be public documents, such as a public key certificate that binds a name to a public key, and that are published for anyone to use. In other cases, credentials that bind a shared secret to an identity are kept in protected CSP databases. Some protocols provide that CSPs issue one-time credentials to verifiers consisting of a name, challenge, and a reply, but not the long-term shared secret.

Passwords

Appendix A of the guide provides advice about how to estimate the strength of passwords. Attackers may be able to guess the passwords that are chosen by users, and systems should constrain the ability of attackers to test many password guesses. The guideline does not set minimum password length and does not establish a requirement to change passwords frequently. Instead, a method is described for estimating the "guessing entropy" of passwords, based on the password rules (minimum length, types of characters required, randomly chosen or user chosen, and the use of dictionaries to rule out commonly chosen passwords). The method limits the maximum allowed probability (one chance in 2^14) that an attacker with no other knowledge of the password could guess the password over its entire life.
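The lifetime guessing bound just described, carried through with numbers, as an added worked example (this is not code from NIST or SP 800-63, and it does not reproduce the Appendix A entropy tables). Assumptions: for randomly chosen passwords the entropy is computed directly from length and alphabet size; for user-chosen passwords the caller supplies the entropy estimate produced by the guideline's method; the verifier's throttling is modelled as the guideline's own example rule, "three bad guesses in a row lock the account for 24 hours", generalised to N guesses per H-hour window; the "1000 guesses per second" unthrottled case and the 30-bit user-chosen estimate in the demo are made-up inputs.

```python
import math

# Added example: the bulletin's "one chance in 2^14 over the password's life"
# bound. The verifier's lockout rule and the password's lifetime fix the
# attacker's total online guess budget; budget / 2**entropy is the chance of
# success over the whole life, which must stay at or below 2**-14.

MAX_PROBABILITY = 2.0 ** -14  # the bulletin's bound


def random_password_entropy(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a password chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def guess_budget(lifetime_days: float, guesses_before_lockout: int, lockout_hours: float) -> float:
    """Online guesses an attacker can make over the password's lifetime under a
    rule of the form 'guesses_before_lockout bad guesses lock the account for
    lockout_hours'. Model a verifier that barely throttles by passing the
    attacker's observed rate, e.g. 1000 guesses per 1/3600 hour."""
    windows = lifetime_days * 24.0 / lockout_hours
    return guesses_before_lockout * windows


def success_probability(entropy_bits: float, guesses: float) -> float:
    """Chance that the budget of guesses hits the password, capped at certainty."""
    return min(1.0, guesses / (2.0 ** entropy_bits))


def policy_ok(entropy_bits: float, lifetime_days: float, guesses_before_lockout: int,
              lockout_hours: float, max_probability: float = MAX_PROBABILITY) -> bool:
    """Does this password policy plus throttling rule meet the lifetime bound?"""
    budget = guess_budget(lifetime_days, guesses_before_lockout, lockout_hours)
    return success_probability(entropy_bits, budget) <= max_probability


def max_lifetime_days(entropy_bits: float, guesses_before_lockout: int, lockout_hours: float,
                      max_probability: float = MAX_PROBABILITY) -> float:
    """Longest password lifetime that keeps the bound, i.e. how rarely the
    password has to change under this throttling rule."""
    guesses_per_day = guesses_before_lockout * 24.0 / lockout_hours
    return max_probability * (2.0 ** entropy_bits) / guesses_per_day


def demo() -> dict:
    """Constructed cases, all under the guideline's example rule of three bad
    guesses locking the account for 24 hours unless stated otherwise."""
    pin = random_password_entropy(4, 10)          # 4-digit PIN, ~13.3 bits
    rand8 = random_password_entropy(8, 94)        # 8 random printable ASCII chars
    user_chosen = 30.0                            # assumed Appendix A style estimate
    return {
        "pin_one_year_ok": policy_ok(pin, 365, 3, 24),
        "pin_max_days": max_lifetime_days(pin, 3, 24),
        "random8_two_years_ok": policy_ok(rand8, 730, 3, 24),
        "user_chosen_30bit_two_years_ok": policy_ok(user_chosen, 730, 3, 24),
        "user_chosen_30bit_max_days": max_lifetime_days(user_chosen, 3, 24),
        # Same 30-bit password against an unthrottled verifier at 1000 guesses/s:
        "user_chosen_30bit_unthrottled_one_day_ok": policy_ok(user_chosen, 1, 1000, 1.0 / 3600),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two inputs that matter are the entropy estimate and the throttling rule: a 4-digit PIN fails the bound within a day even with lockout, while a modest user-chosen password under the three-strikes rule keeps the bound for years, which is the bulletin's point that passwords can be retained for a long time when the verifier limits the guess rate. Remove the throttling and the same password fails in a day.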
This calculation must account for methods used to limit the rate at which attacks can be carried out (e.g., three bad guesses in a row will lock the account for 24 hours) as well as rules for changing passwords. Passwords can be retained for years if they are fairly complex and if the system limits the rate at which attacks can operate. Requiring frequent change of very complex passwords may result in high costs for the agencies in providing help to users, usability problems, and insecure user practices, such as keeping lists of passwords under keyboards. Moreover, even complex passwords may be vulnerable to "shoulder surfing" attacks and keyboard loggers, while verifier impersonation (e.g., decoy websites) and "social engineering" attacks may trick subscribers into revealing their passwords.

Looking Ahead

Electronic government is becoming increasingly important to agencies. OMB M-04-04 establishes a framework for determining the level of authentication assurance needed for e-government transactions, and NIST SP 800-63 provides specific technical guidance on how to achieve that level of assurance. M-04-04 and SP 800-63 assist agencies in providing a consistent level of authentication assurance to deliver services and perform their missions while protecting their systems and the privacy of users.

NIST continues to investigate other methods for remote authentication, including the use of biometric data and the use of private and personal, but not secret, information. Future guidance will be issued as needed to cover additional authentication techniques and changing technical requirements.

Disclaimer: Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by the National Institute of Standards and Technology nor does it imply that the products mentioned are necessarily the best available for the purpose.

Elizabeth B.
Lennon
Writer/Editor
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 840-1357

From isn at c4i.org Wed Aug 4 13:46:09 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 4 13:53:07 2004
Subject: [ISN] REVIEW: "Official (ISC)^2 Guide to the CISSP Exam", Susan Hansche/John Berti/Chris Hare
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKOIGTCE.RVW 20040618

"Official (ISC)^2 Guide to the CISSP Exam", Susan Hansche/John Berti/Chris Hare, 2004, 0-8493-1707-X, U$69.95/C$101.50
%A Susan Hansche susan.hansche@pec.com
%A John Berti jberti@deloitte.ca
%A Chris Hare chare@chris-hare.com, chare@nortelnetworks.com
%C 920 Mercer Street, Windsor, ON N9A 7C2
%D 2004
%G 0-8493-1707-X
%I Auerbach Publications
%O U$69.95/C$101.50 800-950-1216 orders@crcpress.com
%O http://www.amazon.com/exec/obidos/ASIN/084931707X/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/084931707X/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/084931707X/robsladesin03-20
%P 910 p. + CD-ROM
%T "Official (ISC)^2 Guide to the CISSP Exam"

Once again I have to state a bias in regard to this book. I've known about this book since its inception, I've known and advised the authors, I provided bits of the material, and even contributed one appendix. (The annotated bibliography and references--surprise, surprise.) I was asked to review the chapters while the book was in production. The reason was, of course, that I had reviewed all the other CISSP (Certified Information Systems Security Professional) guides. Specifically, the intent was to ensure that this manual, prepared and supported by (ISC)^2 (International Information Systems Security Certification Consortium) was "head and shoulders" above all the other published works. This volume is not perfect, by any means, but it is the best of the current bunch.
Taking material from one source is copying, taking material from two sources is plagiarism, and taking material from many sources is research. This volume has not only research but direct input from a great many sources. Some are mentioned in the acknowledgements, a number of others are to be found on the title page, since sections of major articles from the venerable "Information Security Management Handbook" (cf. BKINSCMH.RVW) were included or used as the basis for parts of the guide. Even this doesn't exhaust the contributions, since much of the work is informed by the material in the (ISC)^2 CBK (Common Body of Knowledge) Review Seminar, and over a hundred individuals have had the chance to augment that content. The result is a breadth and currency of information that exceeds any other guide on the market.

Sample questions and exams are eagerly sought by candidates for the CISSP exam. This guide has a significant advantage in this regard: not only do a number of the contributors produce questions for the exam itself (therefore being more than passingly familiar with the style and level of difficulty required), but the CISSP exam committee was also approached for advice and input. No source is able to provide "actual" CISSP exam questions, but the examples provided in this volume are very close in form, mix, degree of difficulty, and concept.

The book is not without its faults. The sheer volume of the contributors ensured that topics were covered multiple times, and not all duplicated areas have been amalgamated. In addition, the variety of writing styles can make the text disjointed in places, as it moves from section to section and subject to subject. These factors can make the work difficult and demanding to read and follow.

The CISSP exam, as the security field itself, is a changing target, and no book can expect to provide the "best" coverage of the topic indefinitely.
As well, security is an immense discipline, and touches on an inordinate number of other areas. This work, however, has come closest to spanning the range of subject matter necessary to challenge the CISSP exam, and is currently the best of the guides.

copyright Robert M. Slade, 2004 BKOIGTCE.RVW 20040618

======================
(quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu
A billion here, a billion there, pretty soon it adds up to real money. - Senator Everett Dirksen (1896-1969)
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

From isn at c4i.org Wed Aug 4 13:47:21 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 4 13:53:08 2004
Subject: [ISN] 34 flaws found in Oracle database software
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,95013,00.html

By Jaikumar Vijayan
AUGUST 03, 2004
COMPUTERWORLD

Oracle Corp. will soon issue patches to fix 34 different vulnerabilities in its database software that were disclosed to it early this year by a British bug hunter. The flaws, a majority of which are serious, affect both existing and previous versions of Oracle's database technology, said David Litchfield, managing director of Surrey, England-based Next Generation Security Software Ltd.

"They include buffer overflows, SQL injection issues and a whole range of other minor issues," said Litchfield, who discovered the flaws. He said that he reported them to Oracle in January and February. "Some of them can be exploited without a user ID and password, while others require them," Litchfield said. Nearly 90% of the flaws allow attackers to potentially gain complete administrative control of vulnerable database servers, he said.

Oracle confirmed the existence of the flaws, which were discussed publicly at last week's Black Hat security conference in Las Vegas, but did not offer any further comment.
In an e-mailed statement, a company spokeswoman said that Oracle had fixed the flaws and would issue a security alert "soon."

According to Litchfield, some of the vulnerabilities are easy to exploit, whereas others require attackers to have fairly detailed technology skills. He said that his company has exploits available that take advantage of the flaws but that it has no plans to release them publicly.

Litchfield also claimed that Oracle told him patches were available to fix the problems a few months ago. But the company appears to be waiting for an updated patching process to be ready before releasing the fixes, he said. "It is my opinion that they could have run the old patching process up until the time that the new patching procedure was ready. There really is no point in exposing users to unnecessary risks," he said.

Litchfield and his brother, Michael Litchfield, have discovered several previous vulnerabilities in Oracle software, including 20 on the very day the database giant launched its "Unbreakable" marketing campaign.

The discovery of such flaws by people who go specifically looking for them should come as no surprise given the size and complexity of today's application software, said Bruce Schneier, co-founder and chief technology officer of Counterpane Internet Security Inc. in Mountain View, Calif. "This could happen to anyone. It tends to happen to Microsoft a lot," Schneier said. "The bugs are already there. All you can do is react when somebody points them out." The companies that make it their mission to discover such flaws are often driven by a "bunch of motivations," Schneier said.
From isn at c4i.org Wed Aug 4 13:47:40 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 4 13:53:09 2004
Subject: [ISN] Mozilla puts bounty on bugs
Message-ID:

http://news.com.com/Mozilla+puts+bounty+on+bugs/2100-1002_3-5293659.html

By Robert Lemos
Staff Writer, CNET News.com
August 2, 2004

The announcement comes a week after the Mozilla Foundation, which directs development of the Mozilla and Firefox browsers and the Thunderbird e-mail client, confirmed that the group's browsers had two serious issues in dealing with digital certificates, the identity cards of the Internet.

Last Friday, Microsoft fixed serious vulnerabilities in its Internet Explorer browser, some of which have been widely known since June.

"Recent events illustrate the need for this type of commitment," Mitchell Baker, president of the Mozilla Foundation, said in a statement. "The (program) will help us unearth security issues earlier, allowing our supporters to provide us with a head start on correcting vulnerabilities before they are exploited by malicious hackers."

Linux software maker Linspire and Internet entrepreneur Mark Shuttleworth funded the new initiative, dubbed the Mozilla Security Bug Bounty Program. Linspire seeded the program with $5,000, and Shuttleworth promised to match the first $5,000 in public contributions to the program, the foundation stated.

"We (the Mozilla Foundation) are moving into our second year, and we are going back and reviewing all the programs in place that we had in the past and setting priorities for the next year," said Chris Hofmann, director of engineering for the foundation. "Security is an area that we are serious about, and we wanted to get the ball rolling."

He added that the foundation will continue to look for more contributors to the program.

Hofmann said that despite the bugs, Mozilla's security is good.
Some critics have maintained that Mozilla's software has at least as many vulnerabilities as Microsoft's and that the only difference between the two applications is that Microsoft is more popular, so more security researchers are trying to break it.

"The conventional wisdom is that if Mozilla had the same market share as Microsoft, we would have as many flaws found--we don't see that as the case," Hofmann said.

A representative of Microsoft could not immediately be reached for comment.

Few companies have offered rewards for pinpointing software vulnerabilities, and the rewards have almost always been paid by security companies for flaws in other companies' software products. The rewards are generally used by security companies to gain a competitive edge over rivals by having their products recognize more vulnerabilities. The rewards also convince some would-be intruders to give up some of the tricks in their tool kit for quick cash.

However, a $500 reward might not be very enticing--a point Hofmann acknowledges.

"We don't have any intentions of increasing that amount," he said. "It is mostly a way to thank people who help us further the security of the product."

Microsoft does not give bounties to bug finders but did start a program that has posted three $250,000 rewards for leads on virus writers.

Currently, the Mozilla Web application--which includes a browser, e-mail, chat program, and Web page editing program--has reached version 1.7. The Mozilla Foundation's Firefox stand-alone browser and Thunderbird e-mail client are close to being complete and are already widely used.

More information on the reward program can be found at The Mozilla Organization's Security Center.
From isn at c4i.org Wed Aug 4 13:47:57 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 4 13:53:10 2004
Subject: [ISN] IT departments must cope with Patriot Act, university CIO says
Message-ID:

http://www.nwfusion.com/news/2004/0803patriot.html

By John Cox
Network World Fusion
08/03/04

Nearly three years after its enactment, the USA Patriot Act remains not just a political but also a technological issue on many college campuses. Unprepared or ill-prepared schools can find themselves facing network problems, service disruptions, and in the worst case FBI agents driving onto the campus with subpoenas to haul off PCs, servers, and computer log data.

IT groups can minimize the potential disruptions of Patriot Act investigations by taking the lead on campus to pull together legal counsel, administration, and faculty to craft a clear process for handling investigations that will become more common, says Peter Siegel, CIO at University of Illinois at Urbana Champaign. Siegel spoke this week at the annual conference of the Association for Communications Technology Professionals in Higher Education (ACUTA) meeting in Chicago.

"The status of dealing with the Patriot Act in higher education is very mixed," Siegel said. "Some people say, 'What does this have to do with IT?' Others say, 'We have [network] security professionals who work closely with law enforcement agencies.' There's not much in between, where you find people just ramping up [to deal with the Act]. For one thing, it's very hard to get people to share information about this."

Siegel pointed out to his audience that while the Patriot Act is new, it doesn't actually introduce new legal instruments or actions. "Every component of the Patriot Act was present in previous law," he said. "But just not often used. Now, it's more likely that a Patriot Act incident will start or end or, especially, go through your campus."
Siegel said the act does, however, lower the bar on judicial oversight on searches and seizures. But oversight is still required: seizing records or doing electronic surveillance requires a subpoena issued by a judge. "It allows [electronic] searches without requiring the person [under investigation] being notified, for an undefined 'reasonable time,'" he said.

Schools may find themselves drawn into a Patriot Act investigation even if those being investigated are not actually students or employees of the school. The school's network and computers may be hijacked by someone halfway around the world to attack a third location. "You need a solid policy," Siegel told his audience. "If it's 2 a.m. and your network is being used to attack another university or a private company, who gets called?"

Investigations under the act often require a complete information blackout. IT groups are forbidden to tell the subjects they're being investigated, or even acknowledge that an investigation is under way. One result is that you can't call network colleagues at another school and ask them how they handled a similar event.

Law enforcement agencies may direct IT groups to take certain actions or to not take actions, either of which can lead to network problems. They may be ordered to leave compromised or damaged computers and networks untouched while the investigation is under way. "This can disrupt work patterns," Siegel warned. "A given subnet could be taken offline or required to stay online and you can't explain why to the [affected] users."

Investigators could require some network or computer log data to be preserved up to 180 days. But what if part or all of that data is, by IT policy, automatically deleted every 10 days, Siegel asked.

Siegel urged his audience to bring together the campus players, such as legal counsel, appropriate provosts or deans, campus police, and others, who will be involved if any Patriot Act investigation is launched.
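The conflict Siegel raises, a 10-day auto-deletion policy against a preservation request of up to 180 days, is one a retention job has to resolve explicitly rather than by accident. The following is an added example, not from the article or from any campus's tooling: a retention sweep that applies the normal purge window but exempts anything covered by an active preservation hold, and records why each file was kept (hold identifiers, paths and dates are constructed).

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Normal policy from the article's scenario: log data is purged after 10 days.
RETENTION_DAYS = 10
# Investigators may require preservation for up to 180 days.
MAX_HOLD_DAYS = 180


@dataclass(frozen=True)
class PreservationHold:
    """A request to keep matching log data. hold_id and scope are constructed."""
    hold_id: str
    path_prefix: str   # every file whose path starts with this is covered
    issued: date
    days: int          # requested preservation period

    def covers(self, path: str, today: date) -> bool:
        # Cap the hold at the 180-day maximum the article mentions.
        expires = self.issued + timedelta(days=min(self.days, MAX_HOLD_DAYS))
        return path.startswith(self.path_prefix) and today <= expires


@dataclass
class LogFile:
    path: str
    last_written: date


@dataclass
class SweepResult:
    purge: list = field(default_factory=list)  # paths eligible for deletion
    keep: list = field(default_factory=list)   # (path, reason) pairs


def retention_sweep(files, holds, today, retention_days=RETENTION_DAYS) -> SweepResult:
    """Decide, without deleting anything, which files the retention job may purge.

    A file is purged only if it is older than the retention window AND no
    active hold covers it. Held files are kept with the hold id as the reason,
    so the decision is auditable internally without telling affected users why
    their subnet's logs are being kept (the blackout the article describes).
    """
    result = SweepResult()
    cutoff = today - timedelta(days=retention_days)
    for f in files:
        active = [h for h in holds if h.covers(f.path, today)]
        if active:
            result.keep.append((f.path, "hold:" + ",".join(h.hold_id for h in active)))
        elif f.last_written > cutoff:
            result.keep.append((f.path, "within-retention"))
        else:
            result.purge.append(f.path)
    return result


def demo() -> SweepResult:
    """Constructed scenario: one old held file, one recent file, one old unheld file."""
    today = date(2004, 8, 3)
    files = [
        LogFile("/var/log/netflow/2004-07-01.gz", date(2004, 7, 1)),  # old, under hold
        LogFile("/var/log/dhcp/2004-07-30.log", date(2004, 7, 30)),   # within 10 days
        LogFile("/var/log/dhcp/2004-07-15.log", date(2004, 7, 15)),   # old, no hold
    ]
    holds = [PreservationHold("HOLD-CONSTRUCTED-01", "/var/log/netflow/",
                              date(2004, 7, 5), 180)]
    return retention_sweep(files, holds, today)


if __name__ == "__main__":
    r = demo()
    print("purge:", r.purge)
    print("keep: ", r.keep)
```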
Hammer out solid policies with clear responsibilities, and good lines of communication. Identify the personnel who will act as the leaders in an incident and train them in "customer relations" - in working knowledgeably and cooperatively with both the campus community and outside law enforcement.

Cultivate trust and relationships with local police, state investigators, and local FBI offices, Siegel recommends. "If there's a new FBI agent that joins the local office, invite him over for coffee and talk with him," he says. "The real issues are really not technical, but [about] people. And they are solvable."

From isn at c4i.org Wed Aug 4 13:49:35 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 4 13:53:11 2004
Subject: [ISN] Linux Security Week - August 2nd 2004
Message-ID:

+--------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter                                |
| August 2, 2004 Volume 5, Number 31n                                |
|                                                                    |
| Editorial Team: Dave Wreski dave@linuxsecurity.com                 |
|                 Benjamin Thomas ben@linuxsecurity.com              |
+--------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "A Database Encryption Solution", "Wireless access security scheme gets tryout", "E-commerce attack is imminent, warn security experts" and "Linux in Government: Unseating Incumbents"

----

>> Bulletproof Virus Protection <<

Protect your network from costly security breaches with Guardian Digital's multi-faceted security applications. More than just an email firewall, on demand and scheduled scanning detects and disinfects viruses found on the network.
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn04

----

LINUX ADVISORY WATCH:

This week, advisories were released for MMDF, Mozilla, kernel, php4, webmin, samba, ethereal, l2tpd, mailman, httpd, libxml2, wv, php, Unreal, Opera, mod_ssl and freeswan. The distributors include SCO Group, Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat, Slackware and Suse.
http://www.linuxsecurity.com/articles/forums_article-9542.html

----

An Interview with Gary McGraw, Co-author of Exploiting Software: How to Break Code

Gary McGraw is perhaps best known for his groundbreaking work on securing software, having co-authored the classic Building Secure Software (Addison-Wesley, 2002). More recently, he has co-written with Greg Hoglund a companion volume, Exploiting Software, which details software security from the vantage point of the other side, the attacker. He has graciously agreed to share some of his insights with all of us at LinuxSecurity.com
http://www.linuxsecurity.com/feature_stories/feature_story-171.html

---------------------------------------------------------------------

Security Expert Dave Wreski Discusses Open Source Security

LinuxSecurity.com editors have a seat with Dave Wreski, CEO of Guardian Digital, Inc. and respected author of various hardened security and Linux publications, to talk about how Guardian Digital is changing the face of IT security today. Guardian Digital is perhaps best known for their hardened Linux solution EnGarde Secure Linux, touted as the premier secure, open-source platform for its comprehensive array of general purpose services, such as web, FTP, email, DNS, IDS, routing, VPN, firewalling, and much more.
http://www.linuxsecurity.com/feature_stories/feature_story-170.html

----

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* Survey Results Show Few Linux Security Problems
August 2nd, 2004

Other research companies, such as Denmark-based Acunia, have released surveys that report very different results found by those at Evans. Some of these reports note that Windows and Linux are equally secure. Petreley called these findings "erroneous."
http://www.linuxsecurity.com/articles/host_security_article-9573.html

* Linux Gets Host Application Security
July 28th, 2004

When it comes to security, telling applications what they're allowed to do can be a useful antidote to today's unending software vulnerabilities. Simply put, host-based application security allows applications to only perform or communicate in prescribed ways.
http://www.linuxsecurity.com/articles/host_security_article-9555.html

* A Database Encryption Solution
July 28th, 2004

Security is becoming one of the most urgent challenges in database research and industry, and there has also been increasing interest in the problem of building accurate data mining models over aggregate data, while protecting privacy at the level of individual records. Instead of building walls around servers or hard drives, a protective layer of encryption is provided around specific sensitive data-items or objects.
http://www.linuxsecurity.com/articles/server_security_article-9559.html

+------------------------+
| Network Security News: |
+------------------------+

* Data Integrity - The Unknown Threat
July 30th, 2004

Much of the attention commanded by computer security issues focuses on threats from external sources. Firewalls and perimeter defense tools are deployed to deny unauthorised entry to the network. Experts look for vulnerabilities and ways to ensure that the perimeter cannot be breached.
http://www.linuxsecurity.com/articles/security_sources_article-9568.html

* Wireless access security scheme gets tryout
July 29th, 2004

Paul Wouters of Xelerance Corp. of Canada, is a fan of IPsec. The company maintains and develops Openswan, the Linux IPsec implementation, and he thinks IPsec should be the default tool for wireless connections. Wouters used the Black Hat Briefings this week to test a prototype IPsec wireless authentication scheme called WaveSEC for Windows clients.
http://www.linuxsecurity.com/articles/network_security_article-9566.html

* Secure programming with the OpenSSL API
July 29th, 2004

Learning how to use the API for OpenSSL -- the best-known open library for secure communication -- can be intimidating, because the documentation is incomplete. Fill in the gaps, and tame the API, with the tips in this article. After setting up a basic connection, see how to use OpenSSL's BIO library to set up both a secured and unsecured connection.
http://www.linuxsecurity.com/articles/documentation_article-9567.html

* Other People's Wi-Fi
July 27th, 2004

If you come across an unencrypted, unprotected Wi-Fi signal that isn't yours, do you have a right to use it? That's the question I faced a couple of weeks back, when I sat down in my Dad's living room in his fifth-floor apartment in lovely Queens, N.Y. - home of Archie Bunker, Harry Houdini's grave, the Ramones, and the New York Mets (motto: "At least we're not the Montreal Expos.")
http://www.linuxsecurity.com/articles/privacy_article-9554.html

* E-commerce attack is imminent, warn security experts
July 26th, 2004

A surge in internet scanning activity in the past week could indicate a fresh wave of attacks on e-commerce servers, UK-based web services company Netcraft warned. The firm has detected a surge in scans of port 443, used by Secure Sockets Layer (SSL), a technology designed for securely transmitting financial data such as e-commerce transactions.
http://www.linuxsecurity.com/articles/general_article-9545.html

+------------------------+
| General Security News: |
+------------------------+

* Linux in Government: Unseating Incumbents
July 30th, 2004

Despite the riotous cheerleading occurring among Democrats in Boston this week and that soon to occur among Republicans in New York, it's the summer doldrums in a still flat technology market. At times like this, you can imagine tumbleweeds rolling by as the saloon doors flap and creak to stillness.
http://www.linuxsecurity.com/articles/vendors_products_article-9572.html

* Are P2P networks leaking military secrets?
July 30th, 2004

A new Web log is posting what it purports are pictures, documents and letters from U.S. soldiers and military bases in Iraq and elsewhere--all of which the site's operator claims to have downloaded from peer-to-peer networks such as Gnutella.
http://www.linuxsecurity.com/articles/government_article-9571.html

* The best-laid plans for protecting your data in a power failure
July 29th, 2004

Case in point, on Aug. 14, 2003, at about 4:20 p.m. EST, the power went out across much of the Northeastern U.S., affecting an estimated 50 million people. Since the outage occurred on a weekday afternoon, businesses were in the midst of conducting their routine activities and transactions, with most using computers.
http://www.linuxsecurity.com/articles/general_article-9564.html

* Survey Says Linux Hacks Are Rare
July 29th, 2004

Adding more fuel to the Linux vs. Windows fire, a research firm released a survey Wednesday that noted only 8% of Linux developers had ever seen a virus infect their systems. Evans Data, a research firm that regularly polls developers, surveyed 500 Linux developers. An overwhelming majority--92%--claimed that their machines had never been infected by malicious code, and fewer than 7% said that they'd been the victims of three or more hacker intrusions.
http://www.linuxsecurity.com/articles/general_article-9562.html

* Cybersecurity experts wanted
July 26th, 2004

New worries about national cybersecurity are prompting government officials to press colleges for rigorous curricula that train future cyberprotectors. More educational programs, and up-to-date classes that adapt quickly to new needs in cybersecurity, were among suggestions at a hearing in the House Science Committee Wednesday.
http://www.linuxsecurity.com/articles/government_article-9547.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Thu Aug 5 06:09:31 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 5 06:14:48 2004
Subject: [ISN] Security UPDATE--Honeywall CD-ROM; Internet Storm Center--August 4, 2004
Message-ID:

==== This Issue Sponsored By ====

Free OpenNetwork White Paper
http://list.winnetmag.com/cgi-bin3/DM/y/egxM0CJgSH0CBw0BKJR0AF

Free Security White Paper from Postini
http://list.winnetmag.com/cgi-bin3/DM/y/egxM0CJgSH0CBw0BKJS0AG

====================

1. In Focus: Honeywall CD-ROM and Internet Storm Center
2. Special Report: Black Hat USA 2004 Briefings
3. Security News and Features
   - Recent Security Vulnerabilities
   - News: New MyDoom Worm Variant Affects Search Engines Too
   - News: Microsoft Promises IE Patch for Download.Ject Soon
   - Feature: A First Look at Windows Firewall
4. Security Matters Blog
   - MyDoom Strikes Again
   - Windows Server 2003 Security Guide
5. Security Toolkit
   - FAQ
6. New and Improved
   - HTTP-Based Patch Distribution

====================

==== Sponsor: Free OpenNetwork White Paper ====

Businesses are often overburdened with numerous identity repositories, authentication processes and administration systems.
Having a sound identity management strategy eliminates this complexity while automating resource intensive management functions, such as password management, approval processes and the set up and deletion of users as they join and leave the company. In "Understanding the Identity Management Roadmap and Role of Your Microsoft Infrastructure" you will learn how companies are making progress on the road to identity management and how they've leveraged Active Directory to do it. Plus, you'll learn how to make identity management work with your existing infrastructure. Download this free white paper now!
http://list.winnetmag.com/cgi-bin3/DM/y/egxM0CJgSH0CBw0BKJR0AF

====================

==== 1. In Focus: Honeywall CD-ROM and Internet Storm Center ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net

In the May 19 edition of this newsletter, I discussed the new Honeywall CD-ROM available from the Honeynet Project. The Honeywall CD-ROM is based on a trimmed-down version of Linux and is configurable both before and after boot-up. You can add items you might need or make configuration changes to suit your environment. For example, you could add Secure Shell (SSH) keys, set your IP address preferences, and so on, then burn a CD-ROM so that when you boot to the CD-ROM, your system is configured and ready for use.
http://www.winnetmag.com/article/articleid/42745/42745.html

You can download a copy of the CD-ROM image (about 50MB in size) from the Honeynet Project Web site at the URL below. On July 20, the Honeynet Project announced a subscription program that serves as a way for you to support the project and gain some added value at the same time.
For an annual contribution of $150 for corporations or $75 for individuals, the project mails in March and September a copy of the most recent Honeywall CD-ROM; another CD-ROM containing updated whitepapers, tools, and documentation; and a print newsletter that contains "all the new work that has occurred in the past six months." The subscription sounds like a great way to give something back to the project in exchange for its hard work in providing great tools and information to help you with your security endeavors.
http://www.honeynet.org/funds/cdrom.html

Using a honeypot or network of honeypots can be helpful in learning how and why intruders attempt to penetrate your network. One of this month's SANS Institute Webcasts might address the use of honeypots. On August 11, Johannes Ullrich will present "Internet Storm Center: Threat Update," which "discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month." The Webcast might help you more readily detect various activities trapped by your honeypots or by your other Intrusion Detection Systems (IDSs).
http://www.sans.org/webcasts/show.php?webcastid=90491

SANS Internet Storm Center helps track new threats, gathers information about those threats, and presents its findings to the public at the related Web site. Readers often contribute information that can help provide loads of useful details about the latest threats that might otherwise be harder to obtain, and sometimes you find links to other sites that have even more detailed information. If you haven't visited the Internet Storm Center Web site, you might consider doing so to help better understand the current trends in network attacks.
http://www.incidents.org or http://isc.sans.org

====================

==== Sponsor: Free Security White Paper from Postini ====

The Silent Killer: How spammers are stealing your email directory

Have you ever had your end users complain about how slow your email system seems to be responding when you have no visible reason for this problem in performance? Are your Microsoft Exchange Server deferral queues constantly full, slowing server performance to a crawl? All of these are signs that spammers are probing your email system in an attempt to identify and "harvest" legitimate email addresses from your organization. This is what is known as the "silent killer" or "directory harvest attack" (DHA). Download this whitepaper now and learn how you can protect your organization against the "silent killer".
http://list.winnetmag.com/cgi-bin3/DM/y/egxM0CJgSH0CBw0BKJS0AG

====================

==== 2. Special Report: Black Hat USA 2004 Briefings ====
by Mark Burnett

Black Hat, a computer security conference and training company, held the 8th annual Black Hat Briefings last week in Las Vegas. The conference included presentations by nearly 50 speakers from a variety of backgrounds. Among the key topics were electronic voting, privacy on the Internet, Google hacking techniques, and zero-day exploits.

"We spent more time picking speakers this year," said Jeff Moss, CEO of Black Hat. "We received a record number of submissions and the quality was remarkable."

According to Moss, the focus of the talks has shifted to address new and upcoming security threats: "A couple years ago, the interest was in detecting [known] attacks. The new interest is how you defend against unknown attacks." Moss added that the speakers are "turning their focus to the more difficult problems."

One underlying issue addressed in many of the talks is the decreasing amount of time between the announcement of a vulnerability and the deployment of code to exploit it.
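The directory harvest attack described in the Postini sponsor note above leaves a distinctive trace on the mail gateway itself: one client address triggering many "unknown recipient" rejections in a short time, where a legitimate sender mistypes at most one or two. The following is an added example, not from the newsletter or from Postini, that runs that detection over constructed Postfix-style smtpd log lines (the IPs, addresses and the exact log layout are assumed).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Postfix-style "recipient unknown" reject line. The layout mirrors common
# Postfix smtpd logging but is assumed here; adjust the pattern to your MTA.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from \S*\[(?P<ip>[\d.]+)\]: 550 [\d.]+ <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected"
)


def parse_rejects(lines, year=2004):
    """Yield (timestamp, client_ip, rejected_recipient) for each 550 recipient reject.

    Syslog lines carry no year, so one is supplied; accepted-mail lines are skipped.
    """
    for line in lines:
        m = REJECT_RE.match(line)
        if m:
            ts_text = " ".join(m["ts"].split())  # collapse the day-padding space
            ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["rcpt"].lower()


def detect_dha(lines, window=timedelta(minutes=10), min_unknown=5):
    """Flag client IPs that probe at least `min_unknown` distinct non-existent
    recipients inside any `window`-long span. Returns {ip: distinct_bad_recipients}.

    Counting distinct recipients (not raw rejects) keeps a retrying sender with
    one bad address below the threshold while a dictionary walk trips it.
    """
    events = defaultdict(list)  # ip -> [(timestamp, recipient), ...]
    for ts, ip, rcpt in parse_rejects(lines):
        events[ip].append((ts, rcpt))

    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        start, best = 0, 0
        for end in range(len(hits)):
            # Slide the window start forward until the span fits inside `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({r for _, r in hits[start:end + 1]}))
        if best >= min_unknown:
            flagged[ip] = best
    return flagged


def reject_line(ts, ip, rcpt):
    """Build a constructed Postfix-style reject line for the sample below."""
    return (f"{ts} mx1 postfix/smtpd[2214]: NOQUEUE: reject: RCPT from unknown[{ip}]: "
            f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown in local "
            f"recipient table; from=<news@mail.invalid> to=<{rcpt}> proto=ESMTP helo=<mail.invalid>")


# Constructed sample log: a harvester walking first names from 203.0.113.5 within
# a minute, one legitimate sender with a single typo, and one accepted message.
SAMPLE_LOG = [
    reject_line(f"Aug  4 02:11:{7 + 9 * i:02d}", "203.0.113.5", f"{name}@example.org")
    for i, name in enumerate(["adam", "alice", "amy", "andrew", "anna", "arthur"])
] + [
    reject_line("Aug  4 09:30:12", "198.51.100.7", "jon.smith@example.org"),
    "Aug  4 09:31:40 mx1 postfix/smtpd[2301]: 7F2C1A3: client=mail.partner.invalid[198.51.100.9]",
]

if __name__ == "__main__":
    print(detect_dha(SAMPLE_LOG))  # {'203.0.113.5': 6}
```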
"Time to attack has gotten so small," said Moss. "It used to be a two-week process that has shifted to one day." According to Stephen Toulouse, a Microsoft security product manager, "The biggest challenge we are dealing with now is people releasing attack code. We're seeing the time to attack shrinking."

Dr. Rebecca Mercuri and Bev Harris presented research and analysis on electronic voting and the possible manipulation of it. Mercuri and Harris spoke about the October 2003 California governor recall election, providing an analysis that dispelled erroneous assertions about the benefits of electronic voting and raised questions about the accuracy of election systems.

Black Hat also announced the launch of "The Mezonic Agenda: Hacking the Presidency Contest," hosted by Syngress Publishing. Conference attendees received a copy of a CD-ROM that contains a game with the object of hacking and ultimately controlling the outcome of a mock US presidential election. Contestants must use their hacking skills to make themselves the winning candidate of the simulated election.

Other speakers presented sessions on the topics of Zero-Day Code, Phishing for Organized Crime, First Global Cyber-War, Secure Wireless Network Deployment, Customer Data Protection, and new Web application attacks. Speakers included Halvar Flake, Black Hat's resident reverse engineer, and Greg Hoglund, author of "Exploiting Software."

Black Hat holds five conferences annually in North America, Europe, and Asia. For information about upcoming Briefings, visit
http://www.blackhat.com/html/bh-link/briefings.html

==== 3. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities.
You can also find information about these discoveries at
http://www.winnetmag.com/departments/departmentid/752/752.html

News: New MyDoom Worm Variant Affects Search Engines Too

A new MyDoom worm variant, MyDoom.M@mm, was discovered on July 26. Computers affected by the worm are used to perform queries on various search engines to harvest email addresses. According to reports, a significant number of computers were affected by the worm and caused some strain on popular search engines, including Lycos, AltaVista, Yahoo!, and Google.
http://www.winnetmag.com/article/articleid/43365/43365.html

News: Microsoft Promises IE Patch for Download.Ject Soon

Microsoft will finally issue a critical security patch for its infamously buggy Internet Explorer (IE) Web browser this week (possibly by the time you read this newsletter), out of sync with the company's planned monthly security fixes. The patch will fix the flaw that led to last month's Download.Ject malware attack and will be applicable to IE 6.0, IE 5.5, and IE 5.01. The patch follows an unprecedented configuration change update that the company released to partially fix the Download.Ject problem; security experts quickly denounced the change as ineffective.
http://www.winnetmag.com/article/articleid/43384/43384.html

Feature: A First Look at Windows Firewall

Paula Sharick notes that after plowing through more than 200 pages of documentation about the extensive changes in Windows XP Service Pack 2 (SP2), she wasn't optimistic about testing the XP SP2 beta. With the introduction of a real firewall; security controls for Distributed COM (DCOM), remote procedure call (RPC), and WWW Distributed Authoring and Versioning (WebDAV) operations; secure wireless networking; the ability to kill pop-ups; and hands-on management of Microsoft Internet Explorer (IE) plug-ins, SP2 has more in common with a new OS than a service pack with bug fixes.
The upgrade also changes the open-access paradigm to a limited- or no-access orientation, which in theory can wreak havoc with network connectivity and server-based operations. Read the rest of Paula's first look at XP SP2 Windows Firewall on our Web site.
http://www.winnetmag.com/article/articleid/43363/43363.html

====================

==== Announcements ====
(from Windows & .NET Magazine and its partners)

Get 2 Free Sample Issues of SQL Server Magazine!

If you're a SQL Server user, SQL Server Magazine is a must-read. Each issue offers a treasury of relevant articles, savvy tips, endless code listings, and expertise that will give you the answers you are looking for. Choose from a library of hot topic discussions relating to reporting services, security, high availability, and much more. Order now:
http://list.winnetmag.com/cgi-bin3/DM/y/egxM0CJgSH0CBw0BKJT0AH

Finding the Right Antispam Solution When You Need It

In this free Web seminar, learn how to implement a "holistic" approach to email security that eliminates spam, minimizes risk from viruses, saves money, and reduces the administrative burden on IT staff. And, you'll find out the benefits of the "preemptive" email security approach compared with more traditional approaches. Register now!
http://list.winnetmag.com/cgi-bin3/DM/y/egxM0CJgSH0CBw0BKEV0AE

Extending Microsoft Office with Integrated Fax Messaging

Are you "getting by" using fax machines or relying on a less savvy solution that doesn't offer truly integrated faxing from within user applications? Attend this free Web seminar and learn what questions to ask when selecting an integrated fax solution, discover how an integrated fax solution is more efficient than traditional faxing methods, and learn how to select the fax technology that's right for your organization. Register now!
http://list.winnetmag.com/cgi-bin3/DM/y/egxM0CJgSH0CBw0BKEW0AF

====================

==== 4. Security Matters Blog ====
by Mark Joseph Edwards, http://www.winnetmag.com/securitymatters

Check out these recent entries in the Security Matters blog:

MyDoom Strikes Again

If you're looking for more details about the latest MyDoom worm variant, MyDoom.M@mm, you can find some interesting analysis, including links to analysis from several antivirus vendors, in the Handler's Diary for July 26 at the SANS Internet Storm Center Web site.

Windows Server 2003 Security Guide

The default installation of Windows Server 2003 is much more secure than previous Windows versions. Even so, you might consider making some additional adjustments to further tighten security, depending on your needs, by using Microsoft's new Windows Server 2003 security guide.

==== 5. Security Toolkit ====

FAQ: Why Can't I Update the Active Directory (AD) Schema for Microsoft Systems Management Server (SMS)?
by John Savill, http://www.winnetmag.com/windowsnt20002003faq

A. I recently had this problem too--I had a lab environment in which I repeatedly tried--and failed--to update the schema for SMS by running the extadsch.exe command. After I ran the command, the log file contained a lot of failure messages. After much investigation, I discovered the reason for the failed schema update: I had many domain controllers (DCs) that weren't running and consequently had replication errors. After I started the DCs and resolved the replication errors by forcing a replication, the schema update worked perfectly. You can review the log's failure messages and the subsequent success messages in the FAQ on our Web site.
http://www.winnetmag.com/article/articleid/43321/43321.html

====================

==== Events Central ====
(A complete Web and live events directory brought to you by Windows & .NET Magazine: http://www.winnetmag.com/events )

Free Roadshow in Your City Soon--HP Wireless & Mobility Roadshow 2004

In this free Roadshow, you'll discover trends in the wireless and mobility industry and come away with a better understanding of wireless and mobility solutions. And, talk firsthand about your wireless projects with leaders in the industry. See proven wireless and mobile solutions in action. Register now!
http://list.winnetmag.com/cgi-bin3/DM/y/egxM0CJgSH0CBw0BKEX0AG

====================

==== 6. New and Improved ====
by Jason Bovberg, products@winnetmag.com

HTTP-Based Patch Distribution

Configuresoft announced Security Update Manager (SUM) 2.5, software that lets you safely distribute patches and software updates across firewalls via HTTP. SUM 2.5 is an add-on module for Configuresoft's Enterprise Configuration Manager (ECM). SUM 2.5 reduces the risk and vulnerabilities associated with opening ports on network firewalls to deploy patches on systems within an organization's Demilitarized Zone (DMZ) and machines located outside the network perimeter. Pricing for SUM 2.5 starts at $25 per server and $5 per workstation. Pricing for ECM starts at $995 per server and $30 per workstation. For more information about SUM and ECM, contact Configuresoft at 719-447-4600 or on the Web.
http://www.configuresoft.com

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@winnetmag.com.
====================

==== Sponsored Links ====

Argent
Comparison Paper: The Argent Guardian Easily Beats Out MOM
http://list.winnetmag.com/cgi-bin3/DM/y/egxM0CJgSH0CBw0BDWV0AP

CrossTec
Free Download--New - Launch NetOp Remote Control from a USB Drive
http://list.winnetmag.com/cgi-bin3/DM/y/egxM0CJgSH0CBw0BJyw0Ac

====================

Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rsecadmin@winnetmag.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Contact Us ====
About the newsletter -- letters@winnetmag.com
About technical questions -- http://www.winnetmag.com/forums
About product news -- products@winnetmag.com
About your subscription -- securityupdate@winnetmag.com
About sponsoring Security UPDATE -- emedia_opps@winnetmag.com

====================

==== Contact Our Sponsors ====
Primary Sponsor: OpenNetwork -- http://www.opennetwork.com -- 1-877-561-9500
Secondary Sponsor: Postini -- http://www.postini.com -- 1-888-584-3150

====================

This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.
http://www.winnetmag.com/sub.cfm?code=wswi201x1z

You received this email message because you asked to receive additional information about products and services from the Windows & .NET Magazine Network. To unsubscribe, send an email message to mailto:Security-UPDATE_Unsub@list.winnetmag.com. Thank you!

View the Windows & .NET Magazine privacy policy at http://www.winnetmag.com/AboutUs/Index.cfm?action=privacy

Windows & .NET Magazine, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2004, Penton Media, Inc. All rights reserved.


From isn at c4i.org Thu Aug 5 06:09:49 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 5 06:14:49 2004
Subject: [ISN] Security expert Q&A: The virus writers are winning
Message-ID:

http://www.nwfusion.com/news/2004/0804fsecure.html

By Bob Brown and Neal Weinberg
Network World Fusion, 08/04/04

Mikko Hypponen has made a name for himself as a computer security expert in directing anti-virus research at Finland's F-Secure, a $45 million company that regularly issues alerts warning of network threats. He spoke recently with Network World News Editor Bob Brown and Features Editor Neal Weinberg about the latest viruses and what enterprise network executives are up against.

What's your take on Mydoom.M, the latest worm making the rounds?

It's a really interesting technique remembering how big Mydoom.A was in January. It was the single largest e-mail outbreak in history. Mydoom made headlines then because it was attacking SCO.com and then later on Mydoom.C was attacking Microsoft.com. What's happening here [with Mydoom.M] is that the attack that made headlines with Google going down wasn't really an attack on Google. It was just using Google to harvest more e-mail addresses. But what Mydoom.M left behind was a back door. We've seen this already with Mydoom.A, which left a back door and several days later its authors scanned public addresses looking for Mydoom.A-infected computers and then installed a spam proxy Trojan called Mitglieder. What seems to be the case with this new Mydoom is that instead of dropping in a spam Trojan they've dropped in a [Distributed Denial-of-Service] client aimed at overloading Microsoft.com's front page, though it hasn't been too successful.

Do you have any idea who is behind it?

I think it is the same people not only behind the other Mydooms, but also behind Bagle. Possibly even behind SoBig and others.
I don't have any concrete evidence on where these guys are operating from, though there are some indications they have come from Russia and are living in central Europe. I think it is more than one guy and that they are organized.

What are the chances of catching them?

This year has been really good at catching virus writers. But all the arrests have been kids and small-time players, none of the professional virus writers have been caught. The ones that have been caught are not really the worst guys, the ones who are doing this for money that they put back into development of their malicious code.

So these guys are doing this for profit?

With [Mydoom.M] they don't appear to make money. But looking at the previous Mydoom variants and the Bagle operations the target is to create a very large network of interconnected computers and either turn them into spam proxies or free hosting servers, then steal information like credit card numbers, passwords, user accounts. By far the largest benefit is spamming; most spam today is being sent from infected DSL- or cable-enabled home computers.

There are layers. You don't just have the virus writer writing a virus and then using the computers to send spam. You have one group writing the viruses. Once they create a list of IP addresses, they sell those to underground bulletin boards, many of which are run in Russia or China. The going price seems to be $500 for 10,000 IP addresses. That probably gets resold a couple of times before a spammer picks it up and starts using it. It really gets hard to trace the route backwards.

What do you think of Microsoft and others offering bounties to nail virus writers?

It's great. What's most important is that they put pressure on virus writers as they become afraid of others ratting them out. Obviously Microsoft can afford to put up the bounties, though it hasn't had to pay anything yet from what I know.

Who's winning this battle?
The virus writers always have the upper hand because they have access to [security vendors'] products. They can download like anyone else. Why would they release a new virus that could be detected by McAfee or Symantec or us? There is no easy answer to this problem. Of course if you want to protect a computer you have the three basic rules, which is running anti-virus, a firewall and keep patching. Or, of course, you could just get rid of Windows and get Linux and forget all sorts of problems.

Much of the problem is that home computer users are infecting corporate networks by accident. What responsibility do ISPs have in protecting these home users in the first place?

It's irresponsible to sell Internet connections without telling the users of the risks. If you go out and buy an [Asymmetric DSL] box and connect it to your computer and you don't use a firewall you will be hit by one of the network viruses. If your customers are running Windows and it hasn't been patched and nobody is telling them that they should do that, I think it is irresponsible to be offering network connections. But many of the ISPs are now including basic safeguards with their services and that's what we're specializing in at F-Secure, most successfully with European ISPs.

Based on recent reports from F-Secure and others, it sounds like viruses hitting mobile devices could be the next big headache. How big an issue is this?

Such viruses really haven't appeared till this summer, with Cabir, the first proof-of-concept virus to hit Symbian-based Bluetooth phones. It's really interesting because it is the first virus that spreads based on proximity -- if you are close to other Bluetooth devices you can spread the virus. Imagine someone with an infected phone getting on a crowded subway and transmitting the virus to hundreds of other phones. Then a couple of weeks ago we found a proof-of-concept PocketPC virus from the same group of virus writers.
PocketPC is a very open platform and it's very easy for developers to get their hands on code and port any desktop Windows software to PocketPC. The fear is that such viruses eventually could be used to make phone calls, send text messages and even delete phone numbers. These viruses haven't gone into the wild, but they're out there and how likely is it that some kid will download them and try them out in the wild? Very likely.

What's your overall take on the virus situation today?

It's been getting worse and worse. I entered the business in 1991, but then things were easy. Back then we just had boot viruses that used to be physically carried around on a disk to be spread, so it would take a year for them to get around the world. Now with Slammer, Sasser, Blaster and the others, viruses hit computers and networks all over the world in a matter of minutes. We can't handle it. Of the 100,000 viruses seen over the last 18 years we've cracked every single one. But it's not a given that will continue to be the case. We might very well see a virus some day that we can't crack.


From isn at c4i.org Thu Aug 5 06:10:02 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 5 06:14:50 2004
Subject: [ISN] 3 Admit Hacking Into Lowe's Computer
Message-ID:

http://www.philly.com/mld/philly/business/9320069.htm

Aug. 04, 2004
Associated Press

CHARLOTTE, N.C. - Three Michigan men have pleaded guilty to charges that they conspired to hack into the national computer system of the Lowe's home improvement chain to steal credit card information, federal authorities said Wednesday.

Under plea agreements, Brian Salcedo, Adam Botbyl and Paul Timmins pleaded guilty to just a handful of the 16 charges each man originally faced, the U.S. Attorney's office said.

Under a plea agreement, Salcedo, of Whitmore Lake, Mich., pleaded guilty to four counts: conspiracy; transmitting computer code to cause damage to a computer; unauthorized computer access; and computer fraud.
The charges carry a maximum penalty of 25 years in prison. Under terms of the agreement, prosecutors will recommend that Salcedo serve about half that, 12 years and seven months.

Botbyl, of Waterford, Mich., pleaded guilty to one count, conspiracy, with a recommendation that he serve three years, five months. He could have faced five years.

Charges against Timmins were dropped, and he pleaded guilty instead to a new charge of unauthorized access to a protected computer. Prosecutors said that may be the first conviction in the nation for "wardriving." In wardriving, hackers search for vulnerable wireless Internet connections.

The original indictment charged that Botbyl and Timmins drove around Southfield, Mich., in April 2003, searching for a vulnerable connection, "using a laptop computer equipped with a wireless card and a wireless antenna."

In an indictment handed up in Charlotte in November, federal prosecutors said the trio accessed the wireless network of a Southfield Lowe's store, using that connection to enter the chain's central computer system in North Wilkesboro, N.C., and eventually to reach computer systems in Lowe's stores across the country.

Once inside the central Lowe's system, the men installed a program in the computer systems of several stores that was designed to capture credit card information from customers, the indictment said.

Lowe's officials said the men did not gain access to the company's national database and that they believed all customers' credit card information was secure.


From isn at c4i.org Thu Aug 5 06:10:12 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 5 06:14:51 2004
Subject: [ISN] Olympic security fiasco revealed by stolen passes
Message-ID:

http://portal.telegraph.co.uk/news/main.jhtml?xml=/news/2004/08/05/wolymp05.xml

By Harry de Quetteville in Athens
Filed: 05/08/2004

Ten days before the Olympic Games start in Athens, passes allowing vehicles into several venues, including the Olympic village, have been stolen.
A security source told the Telegraph that the passes were taken from the windscreens of unattended official vehicles. "Some people left the doors of their cars unlocked and the thieves just came in and took the accreditations," he said.

It is not clear whether the thefts were opportunistic or part of a plot to breach the ?700 million security operation for the games, which begin on August 13.

The security arrangements, described this week by Gianna Angelopoulos-Daskalaki, president of the Athens Organising Committee, or Athoc, as "the biggest contribution ever made by the armed forces at a time of peace in Greece", have mobilised some 70,000 soldiers and police. But the theft of the passes raises fears that terrorists driving car or lorry bombs could still get through.

According to sources in Athoc, the games have been hit by another security failure, after plans to check the backgrounds of staff, contractors and volunteers were dropped as organisers ran out of time.

The problems began in mid-May, when organisers began recruiting 7,000 workers to undertake jobs from general receptionists to housekeepers at the Olympic village. But with so many people to process in only three months, the planned background checks were scrapped.

"Background checks require 20 days for each employee," a source said. "But Athoc was trying to hire so many people that the checks have not been done.

"In many cases the pressure to recruit staff meant that extremely poorly qualified people were hired, but we don't know the backgrounds of many others."

Now thousands of staff and contractors with unverified histories are moving freely around supposedly secure venues because formal accreditation passes, bearing photos of the holder, have still not been issued. Instead, Athoc is relying on so-called "bump-in" passes, which are handwritten and issued without photographs or background checks.
"What worries me is the accreditation," said an Olympic insider, who spoke to the Telegraph on condition of anonymity. "Athoc has really screwed up the accreditations for staff, volunteers and contractors. Because they need people so badly they are letting them in with bump-in passes. Anyone can come into any venue, including the Olympic village. It's really bad news."

The accreditation problem is so worrying that police and soldiers guarding some venues are now asking workers for a passport or other documents to supplement the inadequate passes.

Meanwhile, ferry traffic at the port of Piraeus was interrupted yesterday while Greek minesweepers checked the harbour for explosive devices. The port, just southwest of Athens, is extremely busy ferrying tourists to the Greek islands. Once the games begin, liners will be moored in the harbour for use as floating hotels by VIPs including the former US president George Bush Snr, who is leading the US delegation to Athens.

Protecting Piraeus against a suicide boat bombing, such as that which killed 17 sailors aboard the USS Cole in Yemen in October 2000, is a priority for the navy and coastguard.


From isn at c4i.org Thu Aug 5 06:10:33 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 5 06:14:52 2004
Subject: [ISN] Hacking the planet
Message-ID:

http://www.lasvegascitylife.com/articles/2004/08/04/cover_story/cover.txt

By Joshua Ellis and Patty Walsh
August 04, 2004

There's a scene in the retarded hacker flick Swordfish in which slick mastermind John Travolta gives grungy super-hacker Hugh Jackman a challenge: hack into the National Security Agency in a minute or less, while some hot club whore blows him under the table. This has probably never happened to any hacker in history -- but if it did, it would probably have happened at DefCon.
What began 12 years ago as a Vegas get-together for a small group of geographically disconnected online friends has become a gigantic free-for-all in which thousands of hardcore hackers, wardrivers, security consultants, federal agents, wannabes and groupies do their level best to outthink, outdrink and outparty one another.

In the truest sense, hacking is not an act; rather, it is a viewpoint, a set of tools for thinking about how to interact with systems. The late Judith Milhon, one of the first female hackers ever, defined hacking as "the clever circumvention of imposed limits." The early hackers at MIT and Stanford had limited access to the huge, expensive mainframes on which they worked, and so they devised clever and exotic ways both to gain more time and make their programming time more efficient. One classic story details a computer manager who began locking the door to the computer room to keep the scruffy hippies out at night. When he returned in the morning, he found the entire door to his office had been removed, along with an apologetic note explaining that it had gotten in the way of someone's work.

Of course, things have changed over the decades. These days, your average hacker is just as likely to be a 17-year-old junior punk or goth with an anarchy T-shirt and a sticker of Tux the Penguin (the mascot for the free operating system Linux) on his or her laptop. And while DefCon may have begun as an invite-only affair for the old guard of the computer security elite, these days you're more likely to see the punk kid sitting poolside, making out with a goth chick wearing nothing but strategically placed duct tape, drunk on vodka and Red Bull and the simple gleeful awareness that comes from being surrounded by 5,000 people who are just like you.

This is what DefCon has come to represent for the hacking community: a combination of trade show and Burning Man, debauchery and deconstruction in one sleepless package.
There are three swimming pools at the Alexis Park Resort Hotel. Pool one -- the pool closest to the entrance and the convention area -- belonged to the Goons, the security/logistics crew at DefCon. Generally chosen for their size or physique, they can be intimidating bastards if you don't know what you are doing or where you are going. Pool two was the social hot spot of DefCon, where the notorious and the newbies partied together. It was also the site of QueerCon, the Friday night party hosted by members of the Seattle 2600 group for gay members of the scene. Pool three, at the back end of the hotel, was generally more sedate, despite the occasional presence of massive sound systems and drum 'n' bass and industrial DJs.

After-hours socialization at DefCon has always consisted of an endless pilgrimage -- back and forth between the pools and the parties held in private rooms and the never-ending Capture the Flag event, where hundreds of sleep-deprived geeks huddled in a massive convention hall for 36 hours to protect and defend one another's networks. The scores were posted on a giant projection screen at one end of the hall -- which would occasionally switch over briefly to random footage of a pimped-out Ken doll beating up Barbie Ike Turner-style, or the trailer for A Clockwork Orange, or old GI Joe cartoons overdubbed with pedophilic dialogue.

In the dark, the attendees look like the ghosts of long-dead cowboys in black leather and quiet medieval monks, flitting between the palm trees and stucco buildings, chatting away about buffer overflow violations, SSH tunneling, and, always, getting laid.

Sometime during Friday night or Saturday morning, Southern Californian geeks Brandon and Dan had gotten naked with a couple of the party girls that are part and parcel of the DefCon experience. When they'd awoken, the girls had vanished -- along with their clothes.
They spent the next day and night clad in nothing but beach towels with vinyl backpack straps serving as belts, trying to hunt down the skanks who'd made off with their clothes.

Their clothes were nowhere in sight at DefCon veteran Bus Driver's party, but neither were the clothes of the local strippers he'd hired to entertain a suite full of sweating, drunken nerds. Surprisingly enough, the pros were something of a bust. It wasn't until a few talented amateurs got up on the coffee tables and started flinging their clothes, swaying to the rhythm of the jungle music pumping outside, when things really began to pick up. This has much to do with the hacker preference for pale nerdy girls over Botoxed boobie queens. The dancers seemed to leave in something of a huff, unhappy to be ignored in favor of a bunch of small-breasted geek girls in Mardi Gras beads and panties with penguins on them.

Every convention in Vegas is a breeding ground for random illicit sex. But DefCon is one of the few conventions where random, illicit sex is a primary reason to attend -- a fact which amuses and disgusts a lot of veteran hackers.

"The past couple of years, I've talked to people who don't even know anything about computers," one older scenester told us. "They just heard it was a great party. It's like Burning Man -- now, half the people are just wandering around looking for the naked girls."

While the pools were an endless array of amusement and indulgence, a more refined, prominent event took place: the Black and White Ball. The Black and White Ball is like a warped version of prom, minus the jocks, the popularity contest and the superficiality. Among the guests were Jesus and his Disciples (a group of hackers sporting nothing but white sheets, with "Jesus hacker" carrying the Holy Bible), an S&M bondage couple, some guy dressed up in pimp attire with a three-foot afro wig, and Renderman, the notorious Canadian hacker known for his black fedora hat and his zoot suits.
Another point of interest was the first annual Dunk the Geek, where a speaker, goon or inebriated hacker would sit in a dunk tank and await his or her ice-cold fate for a charitable cause -- the Electronic Frontier Foundation, a non-profit organization that defends digital rights. The EFF is often considered to be the ACLU of cyberspace. They're legendary for fighting corporate and government interests when they interfere with the rights of cybercitizens.

That fight is getting more and more serious every day. It's difficult to get anybody to go on the record at DefCon, and with good reason: In the recent political climate of America under the PATRIOT Act, a lot of these people could easily be construed as terrorists. Thanks to the Digital Millennium Copyright Act, almost everyone there -- including at least one of the CityLife reporters covering this story -- violates federal law several times a day. Most attendees feel that the laws are unjust and stupid, made not for the protection of the people, but for special interests in business and government.

One of the strangest things about attending DefCon is the odd mixture of dissent and laissez faire objectivism. Most hackers seem to be libertarians: they're interested in self-preservation and the rights of the individual, often to the exclusion of others. There is a core of arrogance, of genuine belief that hackers are somehow above not only laws, but the people around them, by sheer virtue of intellect.

There are exceptions of course. The hacker group Cult of the Dead Cow (which didn't make much of an appearance at DefCon this year) have been exploring the possibilities of "hacktivism" for a few years now: the idea of using their skill set and knowledge for the benefit of humanity. Other hackers work to bring technological infrastructure to developing nations. But the majority who attend DefCon seem concerned mostly with learning the latest tricks, getting the greatest schwag and finding the hottest girls (or guys).
Even the arrest of programmer Dimitri Skylarov for discussing theoretical ways of cracking DVD encryption schemes at DefCon 9 in 2001 didn't seem to arouse the crowd too much. That happened just over a month before 9/11, and the climate has changed drastically since then. There seem to be fewer attendees who are willing to openly announce that they work with the federal government (though there may actually be more feds around now than ever before). The feeling of paranoia has increased noticeably over the past three years; in some sense, it has put a slight damper on the general explosion of hedonism and goofiness that has always marked DefCon. What happens in Vegas stays in Vegas unless, of course, it gets you hauled off to Guantanamo Bay.

So what does the future hold for DefCon? Probably a lot less of the old guard and substance of previous years.

"Every year, I tell myself I'm not gonna come," one pioneering hacker told us. "I book my ticket later and later. There have been some years where I didn't even show up until the first day -- somebody would call me and say 'Dude, you've got to make it out here.' But I find less and less reason to come every year."

The consensus amongst the older hackers seems to be that DefCon is increasingly about style over substance, and that it is becoming more and more mainstream, attracting more clueless wannabes and party-seekers than those who are genuinely interested in the scene itself. Most of the more mature scenesters stay in their rooms, or use the time between seminars and talks to check out the Vegas nightlife rather than the poolside scene. One notable exception this year was Apple co-founder Steve Wozniak, who showed up in a giant blue Humvee with a satellite dish on the roof for constant Internet access, and who spent much of DefCon whizzing around on his Segway with a big grin on his face.
Then again, you find the same attitude in people who've only been attending for two or three years but already consider themselves old hands. As jaded as attitudes might be, and as disdainful as everyone seems to be, they still show up every year.

The end of DefCon is traditionally marked by an awards ceremony, where prizes such as Best Buy gift certificates, books, swag, and über-hacker black badges (which are lifelong free access passes to DefCon) are given to those that succeeded in the various contests, be they important or utterly absurd.

This year was marked by several new contests, with a few unintentional new entries like the hamburger-eating contest. Apparently, some hackers got together and went to In-N-Out. A hacker ordered a 10 patty "animal burger," and before the guy knew it, fellow hackers were placing bets on who could top that massive stack. He actually surpassed his own record by gorging himself on an impressive 20 patty burger (with fries on the side, of course).

The lock picking contest is a DefCon favorite, and this year it included an "obstacle course," where the object of the game was to pick the most locks in the best time, with eight different locks in a row.

Then there was the illustrious wardriving contest. Wardriving -- a term invented by Dis.org vets Seric and Peter Shipley -- consists of driving or walking around while looking for unsecured wireless Internet (or wi-fi) access points. It's derived from the old hacker practice of "wardialing," in which an automated program dials every possible number in an area code, noting down which numbers have modems attached to them (you can see an example of this in the classic hacker film Wargames, starring Matthew Broderick and Ally Sheedy's breasts).

Perhaps the highlight of the awards ceremony was the Second Annual DefCon Wi-fi Shootout Contest.
The goal of the contest was to reach the greatest possible connect distance between two wi-fi stations via innovative antennae designs and ingenious engineering skills. Three young college students from Ohio using the team name P.A.D. took home the gold and received several standing ovations for breaking the world record for the longest wi-fi distance with a whopping 55.1 miles, using a home-brewed 600 megawatt signal amplifier. Though their parents tried to talk them out of their far-fetched plan for fame and glory, P.A.D. drove all the way to Vegas from Cincinnati in a mini-van with a satellite-like receiver disc duct-taped to the roof of the vehicle. As they stood near the podium and described their journey, you could see the sparkle in their eyes.

While DefCon has become more mainstream over the years, and some say that substance has dissipated from the true core of the event, there was no denying the passion that flowed through the veins of these kids. It was their time to shine in the spotlight, and DefCon was their forum to finally fit in with a crowd.

And that seemed to be the recurring theme of this and every DefCon: for those few days they're in Las Vegas, these hackers don't have to worry about getting their asses kicked for their clothes or their often total lack of social skills. At DefCon, they can be heroes, if just for a day, standing in front of all their fellow geeks, winning awards for feats of prowess that most of their peers and even family members couldn't even begin to understand. And then they slip away into the night, back to the real world, to their jobs as system administrators or security experts, to their dorms and high schools; anonymous again amongst the beautiful people, waiting another year for their time to shine.

-=-

Joshua Ellis is a writer, rock star and Web guru. You can save your soul at column.zenarchery.com, the Website for his weekly column All Tomorrow's Parties. Patty Walsh is a freelance journalist.
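[Editor's note: the wardriving the Lowe's story above reports, and that the CityLife piece defines as driving around "looking for unsecured wireless Internet (or wi-fi) access points", comes down to listening for 802.11 beacon frames and reading what each access point advertises about itself. The Python below is an added example written for this digest; it is not code from either article, from the defendants, or from any tool named on the page. It parses a beacon's capability field and tagged parameters to tell open, WEP, WPA and WPA2 networks apart, which is the same check a store's own staff can run against their own air space before someone in the car park does it for them. The frames, BSSIDs and SSIDs are constructed inside the code and are not real captures. - WK]

```python
"""Classify 802.11 beacon frames the way a wardriving scanner does.

For each beacon: BSSID from addr3, SSID from tag 0, and the advertised
security from the Privacy capability bit, the RSN element (WPA2) and the
Microsoft vendor element (WPA). Sample frames below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

BEACON_FC0 = 0x80            # frame control byte 0: management type, beacon subtype
TAG_SSID = 0
TAG_RSN = 48                 # 0x30, RSN information element (WPA2)
TAG_VENDOR = 221             # 0xdd, vendor-specific element
WPA_OUI_TYPE = bytes.fromhex("0050f201")   # Microsoft OUI 00:50:f2, type 1 = WPA1
CAP_PRIVACY = 0x0010         # Privacy bit in the capability information field
HEADER_LEN = 24              # FC(2) + duration(2) + addr1/2/3(18) + seq ctrl(2)
FIXED_LEN = 12               # timestamp(8) + beacon interval(2) + capability(2)


@dataclass
class AccessPoint:
    bssid: str
    ssid: str
    security: str            # "OPEN", "WEP", "WPA" or "WPA2"


def parse_tags(payload: bytes) -> List[Tuple[int, bytes]]:
    """Walk the tagged parameters (id, length, body). A tag whose declared
    length runs past the frame ends the walk instead of being read short."""
    tags = []
    i = 0
    while i + 2 <= len(payload):
        tag_id, tag_len = payload[i], payload[i + 1]
        body = payload[i + 2:i + 2 + tag_len]
        if len(body) < tag_len:
            break
        tags.append((tag_id, body))
        i += 2 + tag_len
    return tags


def classify_beacon(frame: bytes) -> Optional[AccessPoint]:
    """Return the advertised AP, or None if this is not a complete beacon."""
    if len(frame) < HEADER_LEN + FIXED_LEN or frame[0] != BEACON_FC0:
        return None
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])   # addr3 carries the BSSID
    (capability,) = struct.unpack_from("<H", frame, HEADER_LEN + 10)
    ssid, has_rsn, has_wpa = "", False, False
    for tag_id, body in parse_tags(frame[HEADER_LEN + FIXED_LEN:]):
        if tag_id == TAG_SSID:
            ssid = body.decode("utf-8", errors="replace")
        elif tag_id == TAG_RSN:
            has_rsn = True
        elif tag_id == TAG_VENDOR and body.startswith(WPA_OUI_TYPE):
            has_wpa = True
    if has_rsn:
        security = "WPA2"
    elif has_wpa:
        security = "WPA"
    elif capability & CAP_PRIVACY:
        security = "WEP"     # Privacy set but no RSN/WPA element: legacy WEP
    else:
        security = "OPEN"
    return AccessPoint(bssid, ssid, security)


def survey(frames: List[bytes]) -> List[AccessPoint]:
    """One entry per BSSID, as a scanner collapses repeated beacons."""
    seen = {}
    for frame in frames:
        ap = classify_beacon(frame)
        if ap is not None and ap.bssid not in seen:
            seen[ap.bssid] = ap
    return list(seen.values())


def weak_networks(frames: List[bytes]) -> List[str]:
    """SSIDs a wardriver would flag: open, or WEP-only."""
    return [ap.ssid for ap in survey(frames) if ap.security in ("OPEN", "WEP")]


# --- constructed sample beacons (hypothetical BSSIDs/SSIDs, not captures) ---
def build_beacon(bssid: bytes, ssid: str, privacy: bool, extra: bytes = b"") -> bytes:
    header = bytes([BEACON_FC0, 0, 0, 0]) + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    capability = 0x0001 | (CAP_PRIVACY if privacy else 0)   # ESS bit, optional Privacy
    fixed = struct.pack("<QHH", 0, 100, capability)         # timestamp, interval, caps
    ssid_tag = bytes([TAG_SSID, len(ssid)]) + ssid.encode()
    return header + fixed + ssid_tag + extra

# RSN: version 1, group CCMP, pairwise CCMP, AKM PSK, capabilities 0
RSN_IE = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 0000")
# WPA1 vendor element: version 1, group TKIP, pairwise TKIP, AKM PSK
WPA_IE = bytes.fromhex("dd16 0050f201 0100 0050f202 0100 0050f202 0100 0050f202")

SAMPLE_FRAMES = [
    build_beacon(bytes.fromhex("00112233aa01"), "coffee-free-wifi", privacy=False),
    build_beacon(bytes.fromhex("00112233aa02"), "store-pos", privacy=True),          # WEP only
    build_beacon(bytes.fromhex("00112233aa03"), "office-legacy", privacy=True, extra=WPA_IE),
    build_beacon(bytes.fromhex("00112233aa04"), "home-net", privacy=True, extra=RSN_IE),
    build_beacon(bytes.fromhex("00112233aa01"), "coffee-free-wifi", privacy=False),  # repeat
]

if __name__ == "__main__":
    for ap in survey(SAMPLE_FRAMES):
        print(f"{ap.bssid}  {ap.security:5}  {ap.ssid}")
    print("weak:", weak_networks(SAMPLE_FRAMES))
```

The Privacy bit alone only says "encrypted"; it is the presence or absence of the RSN and WPA elements that separates WEP from the later suites, which is why the classifier checks those first and falls back to WEP. On real hardware the frames would come from a monitor-mode interface rather than from build_beacon.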
From isn at c4i.org Fri Aug 6 08:16:48 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Aug 6 08:27:24 2004
Subject: [ISN] Secunia Weekly Summary - Issue: 2004-32
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2004-07-30 - 2004-08-06

This week : 49 advisories

========================================================================

Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================

1) Word From Secunia:

New Features at Secunia.com

Secunia has implemented various statistical features at the websites for both Secunia advisories and Virus Information.

Secunia Advisories Statistics:
http://secunia.com/advisory_statistics/

Examples of Specific Product Statistics:
http://secunia.com/product/11/ (Internet Explorer 6)
http://secunia.com/product/761/ (Opera 7.x)
http://secunia.com/product/1480/ (Mozilla 1.3)

Secunia Virus Information Statistics:
http://secunia.com/virus_statistics/

Furthermore, Secunia has made it possible for you to include all graphs available at secunia.com on your own website. This is described in detail at:
http://secunia.com/secunia_image_inclusion/

========================================================================

2) This Week in Brief:

ADVISORIES:

Chris Evans has discovered multiple vulnerabilities in the very widely used image library libpng. Some of these vulnerabilities could be exploited to compromise a vulnerable system.

Many Linux distributions have already issued updated packages, and some standalone programs have also issued new versions to address the vulnerabilities.
Please refer to Secunia.com for further information on updated distributions and programs.

Reference:
http://secunia.com/SA12219

--

Microsoft issued a very rare "out-of-cycle" patch for Internet Explorer addressing three vulnerabilities, which all could be exploited to compromise a user's system.

Among the addressed vulnerabilities, there is also a fix for an older vulnerability that has actively been used by attackers to compromise users' systems and install e.g. adware.

Reference:
http://secunia.com/SA12192

--

Mozilla / Mozilla Firefox is vulnerable to a very sophisticated spoofing issue using XUL (XML User Interface Language), which could be exploited to spoof the whole user interface (including tool bars, SSL certificate dialogs, address bar and more).

Reference:
http://secunia.com/SA12188

VIRUS ALERTS:

Secunia has not issued any virus alerts during the last week.

========================================================================

3) This Weeks Top Ten Most Read Advisories:

1. [SA12188] Mozilla / Mozilla Firefox User Interface Spoofing Vulnerability
2. [SA12192] Microsoft Internet Explorer Multiple Vulnerabilities
3. [SA12048] Microsoft Internet Explorer Multiple Vulnerabilities
4. [SA11978] Multiple Browsers Frame Injection Vulnerability
5. [SA11793] Internet Explorer Local Resource Access and Cross-Zone Scripting Vulnerabilities
6. [SA12204] Mozilla / Netscape SOAPParameter Integer Overflow Vulnerability
7. [SA12160] Mozilla / Mozilla Firefox "onunload" SSL Certificate Spoofing
8. [SA12212] PuTTY Authentication Process Buffer Overflow Vulnerabilities
9. [SA12219] libpng Multiple Vulnerabilities
10. [SA10856] Mozilla Multiple Vulnerabilities

========================================================================

4) Vulnerabilities Summary Listing

Windows:
[SA12218] MailEnable Professional HTTPMail "Content-Length:" Buffer Overflow Vulnerability
[SA12203] BlackJumboDog FTP Commands Buffer Overflow Vulnerability
[SA12192] Microsoft Internet Explorer Multiple Vulnerabilities
[SA12183] Comersus SQL Injection and Cross-Site Scripting Vulnerabilities
[SA12217] StackDefender Invalid Pointer Dereference Denial of Service Vulnerabilities
[SA12199] Webcam Watchdog "sresult.exe" Cross-Site Scripting Vulnerability

UNIX/Linux:
[SA12234] Red Hat update for mozilla
[SA12228] Gentoo update for libpng
[SA12225] Red Hat update for libpng
[SA12223] Fedora update for libpng
[SA12222] SuSE update for libpng
[SA12221] Debian update for libpng
[SA12220] Mandrake update for libpng
[SA12219] libpng Multiple Vulnerabilities
[SA12197] Citadel/UX "USER" Command Buffer Overflow Vulnerability
[SA12229] Red Hat update for glibc
[SA12224] Gentoo update for courier
[SA12213] Gentoo update for putty
[SA12202] Horde IMP Script Insertion Vulnerability
[SA12201] ripMIME Attachment Extraction Bypass
[SA12195] Debian update for squirrelmail
[SA12193] SCO OpenServer update for OpenSSL
[SA12191] DansGuardian Banned Extension Filter Bypass Vulnerability
[SA12186] Gentoo update for phpMyAdmin
[SA12185] Red Hat update for ipsec-tools
[SA12184] Red Hat update for SoX
[SA12182] Mandrake update for wv
[SA12216] SGI IRIX CDE Multiple Vulnerabilities
[SA12215] Fedora update for kernel
[SA12214] DGen Insecure Temporary File Creation Vulnerability
[SA12211] Red Hat update for kernel
[SA12210] Linux Kernel File Offset Pointer Handling Memory Disclosure Vulnerability
[SA12196] UnixWare / Open UNIX Xsco Buffer Overflow Vulnerabilities
[SA12187] OpenServer uudecode Insecure Temporary File Creation Vulnerability
[SA12205] Oracle9i Application Server Privilege Escalation Issue

Other:
[SA12208] NetScreen ScreenOS SSHv1 Denial of Service Vulnerability
[SA12207] U.S. Robotics Wireless Access Point Denial of Service

Cross Platform:
[SA12232] Mozilla / Mozilla Firefox / Mozilla Thunderbird libpng Vulnerabilities
[SA12204] Mozilla / Netscape SOAPParameter Integer Overflow Vulnerability
[SA12233] Opera Browser "location" Object Write Access Vulnerability
[SA12230] JetBoxOne CMS Arbitrary File Upload Vulnerability
[SA12212] PuTTY Authentication Process Buffer Overflow Vulnerabilities
[SA12200] WHM AutoPilot Username and Password Retrieval
[SA12190] lostbook Script Insertion Vulnerability
[SA12189] LinPHA User Authentication Bypass Vulnerability
[SA12188] Mozilla / Mozilla Firefox User Interface Spoofing Vulnerability
[SA12231] eNdonesia Cross-Site Scripting Vulnerability
[SA12209] WackoWiki textsearch Cross-Site Scripting Vulnerability
[SA12206] Sun Java JRE/SDK XSLT Processor Vulnerability

========================================================================

5) Vulnerabilities Content Listing

Windows:--

[SA12218] MailEnable Professional HTTPMail "Content-Length:" Buffer Overflow Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access, DoS
Released: 2004-08-04

CoolICE has reported a vulnerability in MailEnable Professional, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12218/

--

[SA12203] BlackJumboDog FTP Commands Buffer Overflow Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-08-02

Chew Keong TAN has reported a vulnerability in BlackJumboDog, potentially allowing malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12203/

--

[SA12192] Microsoft Internet Explorer Multiple Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2004-07-30

Microsoft has issued an update for Internet Explorer.
This fixes three vulnerabilities, allowing malicious websites to cause a DoS (Denial of Service) or compromise a user's system. Full Advisory: http://secunia.com/advisories/12192/ -- [SA12183] Comersus SQL Injection and Cross-Site Scripting Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2004-08-03 Two vulnerabilities have been reported in Comersus, allowing malicious people to conduct SQL injection and cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/12183/ -- [SA12217] StackDefender Invalid Pointer Dereference Denial of Service Vulnerabilities Critical: Less critical Where: From remote Impact: DoS Released: 2004-08-04 iDEFENSE has reported two vulnerabilities in StackDefender, which potentially can be exploited by malicious people to crash a system protected by StackDefender. Full Advisory: http://secunia.com/advisories/12217/ -- [SA12199] Webcam Watchdog "sresult.exe" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2004-08-02 Dr_insane has reported a vulnerability in Webcam Watchdog, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/12199/ UNIX/Linux:-- [SA12234] Red Hat update for mozilla Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2004-08-05 Red Hat has issued an update for mozilla. This fixes multiple vulnerabilities, where the most serious can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/12234/ -- [SA12228] Gentoo update for libpng Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2004-08-05 Gentoo has issued an update for libpng. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/12228/ -- [SA12225] Red Hat update for libpng Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2004-08-05 Red Hat has issued an update for libpng. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/12225/ -- [SA12223] Fedora update for libpng Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2004-08-05 Fedora has issued an update for libpng. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/12223/ -- [SA12222] SuSE update for libpng Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2004-08-05 SuSE has issued an update for libpng. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/12222/ -- [SA12221] Debian update for libpng Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2004-08-05 Debian has issued an update for libpng. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/12221/ -- [SA12220] Mandrake update for libpng Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2004-08-05 MandrakeSoft has issued an update for libpng. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/12220/ -- [SA12219] libpng Multiple Vulnerabilities Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2004-08-05 Chris Evans has discovered multiple vulnerabilities in libpng, which can be exploited by malicious people to compromise a vulnerable system or cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/12219/ -- [SA12197] Citadel/UX "USER" Command Buffer Overflow Vulnerability Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2004-08-03 CoKi has reported a vulnerability in Citadel/UX, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/12197/ -- [SA12229] Red Hat update for glibc Critical: Moderately critical Where: From remote Impact: System access Released: 2004-08-05 Red Hat has issued an update for glibc. This fixes an old vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/12229/ -- [SA12224] Gentoo update for courier Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2004-08-05 Gentoo has issued an update for courier. This fixes a vulnerability, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/12224/ -- [SA12213] Gentoo update for putty Critical: Moderately critical Where: From remote Impact: System access Released: 2004-08-05 Gentoo has issued an update for putty. This fixes two vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system. 
Full Advisory: http://secunia.com/advisories/12213/ -- [SA12202] Horde IMP Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2004-08-03 A vulnerability has been discovered in Horde IMP, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/12202/ -- [SA12201] ripMIME Attachment Extraction Bypass Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2004-08-03 A security issue has been reported in ripMIME, potentially allowing malicious people to bypass filtering software. Full Advisory: http://secunia.com/advisories/12201/ -- [SA12195] Debian update for squirrelmail Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2004-08-03 Debian has issued an update for squirrelmail. This fixes multiple vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting, script insertion, and SQL injection attacks. Full Advisory: http://secunia.com/advisories/12195/ -- [SA12193] SCO OpenServer update for OpenSSL Critical: Moderately critical Where: From remote Impact: DoS Released: 2004-08-02 SCO has issued updated packages for OpenSSL. These fix three vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial-of-Service). Full Advisory: http://secunia.com/advisories/12193/ -- [SA12191] DansGuardian Banned Extension Filter Bypass Vulnerability Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2004-07-30 Ruben Molina has reported a vulnerability in DansGuardian, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/12191/ -- [SA12186] Gentoo update for phpMyAdmin Critical: Moderately critical Where: From remote Impact: System access, Security Bypass Released: 2004-07-30 Gentoo has issued an update for phpMyAdmin. 
This fixes two vulnerabilities, which can be exploited by malicious people to manipulate certain configuration settings and inject arbitrary code. Full Advisory: http://secunia.com/advisories/12186/ -- [SA12185] Red Hat update for ipsec-tools Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2004-07-30 Red Hat has issued an update for ipsec-tools. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/12185/ -- [SA12184] Red Hat update for SoX Critical: Moderately critical Where: From remote Impact: System access Released: 2004-07-30 Red Hat has issued an update for sox. This fixes two vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/12184/ -- [SA12182] Mandrake update for wv Critical: Moderately critical Where: From remote Impact: System access Released: 2004-07-30 Mandrakesoft has issued an update for wv. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/12182/ -- [SA12216] SGI IRIX CDE Multiple Vulnerabilities Critical: Moderately critical Where: From local network Impact: Privilege escalation, System access Released: 2004-08-04 SGI has confirmed multiple vulnerabilities in CDE, which can be exploited by malicious people to compromise a vulnerable system or gain escalated privileges. Full Advisory: http://secunia.com/advisories/12216/ -- [SA12215] Fedora update for kernel Critical: Less critical Where: Local system Impact: Exposure of system information, Exposure of sensitive information Released: 2004-08-04 Fedora has issued an update for the kernel. This fixes a vulnerability, which can be exploited by malicious, local users to gain knowledge of sensitive information in kernel memory. 
Full Advisory: http://secunia.com/advisories/12215/ -- [SA12214] DGen Insecure Temporary File Creation Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-08-04 Joey Hess has reported a vulnerability in DGen, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. Full Advisory: http://secunia.com/advisories/12214/ -- [SA12211] Red Hat update for kernel Critical: Less critical Where: Local system Impact: Exposure of system information, Exposure of sensitive information, DoS Released: 2004-08-04 Red Hat has issued an update for the kernel. This fixes multiple vulnerabilities, which can be exploited by malicious, local users to gain knowledge of sensitive information or cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/12211/ -- [SA12210] Linux Kernel File Offset Pointer Handling Memory Disclosure Vulnerability Critical: Less critical Where: Local system Impact: Exposure of system information, Exposure of sensitive information Released: 2004-08-04 Paul Starzetz has reported a vulnerability in the Linux kernel, which can be exploited by malicious, local users to disclose sensitive information in kernel memory. Full Advisory: http://secunia.com/advisories/12210/ -- [SA12196] UnixWare / Open UNIX Xsco Buffer Overflow Vulnerabilities Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-08-02 SCO has confirmed some vulnerabilities in UnixWare and Open UNIX, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/12196/ -- [SA12187] OpenServer uudecode Insecure Temporary File Creation Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2004-08-02 SCO has confirmed an old vulnerability in OpenServer, which can be exploited by malicious, local users to gain escalated privileges. 
Full Advisory: http://secunia.com/advisories/12187/ -- [SA12205] Oracle9i Application Server Privilege Escalation Issue Critical: Not critical Where: Local system Impact: Privilege escalation Released: 2004-08-03 Juan Manuel Pascual Escriba has reported a security issue in Oracle9i Application Server, allowing malicious local users to escalate their privileges. Full Advisory: http://secunia.com/advisories/12205/ Other:-- [SA12208] NetScreen ScreenOS SSHv1 Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2004-08-04 Mark Ellzey Thomas has discovered a vulnerability in ScreenOS, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/12208/ -- [SA12207] U.S. Robotics Wireless Access Point Denial of Service Critical: Less critical Where: From local network Impact: DoS Released: 2004-08-03 Albert Puigsech Galicia has reported a vulnerability in U.S. Robotics Wireless Access Point 8054 Series, allowing malicious people to cause a Denial of Service. Full Advisory: http://secunia.com/advisories/12207/ Cross Platform:-- [SA12232] Mozilla / Mozilla Firefox / Mozilla Thunderbird libpng Vulnerabilities Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2004-08-05 Mozilla has confirmed some vulnerabilities in Mozilla, Mozilla Firefox, and Mozilla Thunderbird, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/12232/ -- [SA12204] Mozilla / Netscape SOAPParameter Integer Overflow Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2004-08-03 zen-parse has reported a vulnerability in Mozilla and Netscape, potentially allowing malicious people to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/12204/ -- [SA12233] Opera Browser "location" Object Write Access Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Spoofing, Exposure of sensitive information Released: 2004-08-05 GreyMagic has discovered a vulnerability in Opera, allowing a malicious website to steal sensitive information and conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/12233/ -- [SA12230] JetBoxOne CMS Arbitrary File Upload Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2004-08-05 y3dips has reported a vulnerability in Jetbox One, allowing malicious users to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/12230/ -- [SA12212] PuTTY Authentication Process Buffer Overflow Vulnerabilities Critical: Moderately critical Where: From remote Impact: System access Released: 2004-08-04 Core Security Technologies has discovered two vulnerabilities in PuTTY, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/12212/ -- [SA12200] WHM AutoPilot Username and Password Retrieval Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2004-08-03 A vulnerability has been reported in WHM AutoPilot, allowing malicious people to retrieve usernames and clear text passwords. Full Advisory: http://secunia.com/advisories/12200/ -- [SA12190] lostbook Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2004-07-30 r3d5pik3 has reported a vulnerability in lostBook, which can be exploited by malicious people to conduct script insertion attacks. 
Full Advisory: http://secunia.com/advisories/12190/ -- [SA12189] LinPHA User Authentication Bypass Vulnerability Critical: Moderately critical Where: From remote Impact: Security Bypass, Exposure of system information, Exposure of sensitive information Released: 2004-07-30 Fernando Quintero has reported a vulnerability in LinPHA, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/12189/ -- [SA12188] Mozilla / Mozilla Firefox User Interface Spoofing Vulnerability Critical: Moderately critical Where: From remote Impact: Spoofing Released: 2004-07-30 A vulnerability has been reported in Mozilla and Mozilla Firefox, allowing malicious websites to spoof the user interface. Full Advisory: http://secunia.com/advisories/12188/ -- [SA12231] eNdonesia Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2004-08-05 y3dips has reported a vulnerability in eNdonesia, allowing malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/12231/ -- [SA12209] WackoWiki textsearch Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2004-08-04 A vulnerability has been reported in WackoWiki, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/12209/ -- [SA12206] Sun Java JRE/SDK XSLT Processor Vulnerability Critical: Less critical Where: From remote Impact: Exposure of sensitive information, Privilege escalation Released: 2004-08-03 Marc Schoenefeld has discovered a vulnerability in Sun Java JRE/SDK, allowing an untrusted applet to gain escalated privileges on a vulnerable system. 
Full Advisory: http://secunia.com/advisories/12206/ ======================================================================== Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Subscribe: http://secunia.com/secunia_weekly_summary/ Contact details: Web : http://secunia.com/ E-mail : support@secunia.com Tel : +45 70 20 51 44 Fax : +45 70 20 51 45 ======================================================================== From isn at c4i.org Fri Aug 6 08:17:01 2004 From: isn at c4i.org (InfoSec News) Date: Fri Aug 6 08:27:26 2004 Subject: [ISN] Source code stolen from U.S. software company in India Message-ID: http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,95045,00.html by John Ribeiro AUGUST 05, 2004 IDG NEWS SERVICE Jolly Technologies, a division of U.S. company Jolly Inc., reported yesterday that an insider at its research and development center in Mumbai stole portions of the source code and confidential design documents relating to one of its key products. As a result, the company has halted all development at the center. Jolly Technologies is a vendor of labeling and card software for the printing industry. It set up its R&D facility in Mumbai less than three months ago, according to a statement from the parent company. The company said that according to a report obtained from its branch in India, a recently hired software engineer used her Yahoo e-mail account, which now allows 100MB of free storage space, to upload and ship the copied files out of the research facility. The company detected the theft and is trying to prevent the employee from further distributing the source code and other confidential information. 
The vast majority of U.S.-based software companies require their employees to sign an employment agreement that prohibits them from carrying the company's source code out of a development facility or transferring it in any way. Though the Indian branch of Jolly Technologies requires employees to sign a similar employment agreement, the sluggish Indian legal system and the absence of intellectual property laws make it nearly impossible to enforce such agreements, the company said. Representatives of San Carlos, Calif.-based Jolly Technologies in Mumbai are working closely with local law enforcement authorities, seeking their assistance in taking corrective action against the employee and to prevent such crimes from occurring again. The company said it has decided to delay further recruitment and halt development activities in India until better legal safeguards are in place.

From isn at c4i.org Fri Aug 6 08:17:14 2004 From: isn at c4i.org (InfoSec News) Date: Fri Aug 6 08:27:27 2004 Subject: [ISN] Cyberattacks Disrupt Japanese Government Networks Message-ID:

http://www.informationweek.com/story/showArticle.jhtml;jsessionid=MDSTRH0UZSHREQSNDBCCKHQ?articleID=26806122

By The Associated Press Aug. 5, 2004 TOKYO (AP) -- A wave of cyberattacks disrupted Japanese government computer networks earlier this week, but no damage was reported, an official said Thursday. The attacks, late Sunday and early Tuesday, targeted eight ministries and agencies and caused computers to freeze up under a deluge of data, Chief Cabinet Secretary Hiroyuki Hosoda told a news conference. Hosoda said the barrage also made it impossible for anybody to access Web sites for the eight government bodies--the Cabinet Office, Foreign Ministry, Finance Ministry, Justice Ministry, National Police Agency, Defense Agency, Coast Guard, and Fair Trade Commission. He said there was no significant damage and that the networks had resumed normal operations.
However, he added that it's nearly impossible to track the data. "We don't know where the attack came from, or who did it," he said. In January, several ministries suffered a similar, small-scale cyberattack, temporarily freezing Web servers but causing no permanent damage. So-called denial-of-service--or DoS--attacks bombard a Web server with so much data that the machine becomes unusable. From isn at c4i.org Fri Aug 6 08:17:29 2004 From: isn at c4i.org (InfoSec News) Date: Fri Aug 6 08:27:28 2004 Subject: [ISN] Can You Hack the Vote? Message-ID: http://www.pcworld.com/news/article/0,aid,117261,00.asp Tom Spring PC World August 05, 2004 Electronic voting systems have drawn fire from courts, lawmakers, and citizens groups--and now they're under attack by hackers. It's an organized assault, too. E-voting technology expert Rebecca Mercuri, a Harvard research fellow who has been outspoken in her opposition to such systems, has issued a "Hack the Vote" challenge, trying to illustrate what she calls their unreliability and vulnerability. She unveiled the so-called Mercuri Challenge at the recent Black Hat Briefings and Defcon 12 security conferences. Preelection Action Urged Mercuri suggests electronic voting machines be hacked during their preelection testing, so officials will abandon them before an actual election. "People in the election community say this technology is bulletproof," Mercuri says. "It's not." She especially opposes use of electronic voting technology in its current state, which does not allow for a verifiable backup. "I'm not asking anyone to break any laws, we just want the opportunity to hack e-voting systems to prove that it can or cannot be done," she says. Mercuri says the likeliest e-voting fraud would involve unauthorized remote access to voting machines, when a hacker manipulates results; or backdoor access to voting systems by workers with approved access but their own agenda. 
She described her concerns at a Defcon keynote address, "Hack the Vote." As part of her challenge, Mercuri is calling on e-voting system vendors VoteHere and Advanced Voting Solutions to supply any challengers "full specifications" of their voting system for review. The first person to undetectably change vote tallies can claim $10,000 from a separate challenge. Who's Got the Cash? That $10,000 is being offered by noted e-voting proponent and Carnegie Mellon University computer scientist Michael Shamos. His $10,000 bet, the Direct-Recording Electronic (DRE) Hacking Challenge, contends no one can hack undetectably into a DRE voting machine. "It is impossible to tamper with e-voting systems without being detected," he said in a telephone interview countering Mercuri's claims. Shamos says no one has ever taken him up on the challenge because, as he puts it, "the fundamental system is unhackable." Shamos recently added another twist to his challenge. Takers must fork over $5000 to be held in escrow for Shamos. If the contestant fails to undetectably tamper with the e-voting results, Shamos keeps the $5000. Both Shamos and Mercuri acknowledge they are using the same vehicle while on opposite sides of the e-vote debate. Mercuri says her public challenge is meant to draw attention to Shamos's DRE Hacking Challenge. However, a growing number of e-voting naysayers agree with much of what Mercuri claims. For example, in April, California banned the use of touch-screen voting machines in a handful of counties until it could be proven the systems are secure and bug-free. Rebuttals, Responses Tom Mereckis, head of marketing for VoteHere, says he is "puzzled" by Mercuri's challenge because VoteHere makes full specifications of its voting systems available to anyone. "Our full source code and cryptography specs have already been published," Mereckis says. "We did answer Mercuri's challenge last month on our Web site."
Conversely, the president of Advanced Voting Solutions says he has no intention of ever releasing the proprietary workings of its voting systems. "We aren't interested in participating in a hacking carnival sideshow," Howard Van Pelt says. For the same reasons that American Airlines and Bank of America do not make the full specifications of their systems available to the public, Advanced Voting Solutions doesn't either, he adds. Mercuri says VoteHere forces anyone who wants to test its system to sign a restrictive licensing agreement that makes it a felony to examine its systems and share that data with the public. "That's not what we consider open and available," Mercuri says. "There is nothing in the licensing agreement that you can't find bugs and talk about them," VoteHere's Mereckis says. Prospective contestants seemed ambivalent about the e-voting hacking challenge. "Sounds like a good way to land in prison," said one Defcon attendee who preferred not to give his name. Other attendees said hackers are always interested in a challenge--with $10,000 riding on it or not.

From isn at c4i.org Fri Aug 6 08:17:47 2004 From: isn at c4i.org (InfoSec News) Date: Fri Aug 6 08:27:29 2004 Subject: [ISN] Security Cavities Ail Bluetooth Message-ID:

http://www.wired.com/news/privacy/0,1848,64463,00.html

By Kim Zetter Aug. 06, 2004 Serious flaws discovered in Bluetooth technology used in mobile phones can let an attacker remotely download contact information from victims' address books, read their calendar appointments or peruse text messages on their phones to conduct corporate espionage. An attacker could even plant phony text messages in a phone's memory, or turn the phone sitting in a victim's pocket or on a restaurant table top into a listening device to pick up private conversations in the phone's vicinity. Most types of attacks could be conducted without leaving a trace.
Security professionals Adam Laurie and Martin Herfurt demonstrated the attacks last week at the Black Hat and DefCon security and hacker conferences in Las Vegas. Phone companies say the risk of this kind of attack is small, since the amount of time a victim would be vulnerable is minimal, and the attacker would have to be in proximity to the victim. But experiments, one using a common laptop and another using a prototype Bluetooth "rifle" that captured data from a mobile phone a mile away, have demonstrated that such attacks aren't so far-fetched. Laurie, chief security officer of London-based security and networking firm ALD, discovered the vulnerability last November. Using a program called Bluesnarf that he designed but hasn't released, Laurie modified the Bluetooth settings on a standard Bluetooth-enabled laptop to conduct the data-collection attacks. Then, German researcher Herfurt developed a program called Bluebug that could turn certain mobile phones into a bug to transmit conversations in the vicinity of the device to an attacker's phone. Using Bluebug from a laptop, an attacker could instruct a target phone to call his phone. The phone would make the call silently and, once connected, open a channel for the attacker to listen to conversations near the targeted phone. The attacker's phone number would appear on the victim's phone bill, but if the attacker used a throwaway phone, the number would be out of service. "(A victim) will know that his phone made a call that it shouldn't have made, but he won't necessarily come to the right conclusion that someone listened in on the conversation that he was having at that particular time," Laurie said. "He may think he accidentally pressed buttons to make the call while the phone was in his back pocket." An attacker could also install a gateway on the victim's phone to reroute phone calls through his own phone so that he could hear and record conversations between parties without their knowledge. 
And he could send text messages from his computer through a victim's phone to another phone so the receiver would think the message originated from the victim. There would be no record of the sent message on the victim's phone unless the attacker planted it there.

"I can plant the message on the phone and make it look like he sent a message that he never sent. So when the FBI grabs the phone (for evidence), the message will be in the first guy's outbox," Laurie said. "It has really serious consequences."

The use of Bluetooth, a wireless technology that lets two devices exchange information over a short distance, is growing rapidly in Europe and the United States. About 13 percent of mobile phones shipped in the United States this year have Bluetooth, according to IDC research. The number will grow to about 53 percent globally and 65 percent in the United States by 2008.

These are just the phones. According to IMS Research, 2 million Bluetooth-enabled devices -- phones, laptops and PDAs -- are shipped weekly in the world. Laurie and Herfurt have only tested phones for vulnerabilities so far.

"They're talking about putting Bluetooth in everything: home security, medical devices," Laurie said. "If they don't do something about security there is some really serious stuff ahead of us."

The attacks, dubbed "Bluesnarfing" and "Bluebugging," work on several models of the most popular brands of mobile phones: Ericsson, Sony Ericsson, and Nokia (Laurie provides a chart of affected phones on his website). In each case, the researchers needed access to the target phone for only a few seconds to conduct attacks.

Phones are vulnerable when they are in "discoverable" or "visible" mode, and the Bluetooth functionality is enabled. Visible mode lets Bluetooth phones find other Bluetooth phones in their vicinity so phone owners can exchange electronic contact information.
Users can turn the visible mode off, but some models of Nokia can be attacked even when a user turns off the visible mode, Laurie said. The attacker would need to know the device's Bluetooth address, but Laurie said hacking programs available online make it possible to discover the address.

"The Nokia 6310 and 8910 series and the Sony Ericsson T610 are probably the worst affected because they are very popular phones," he said. They're "at least 70 percent of the market in Europe."

Laurie and Herfurt found problems with Motorola phones as well, but Siemens phones came out clean. "Motorola said they would fix it in the current release so they started immediately to correct the problem," Laurie said, adding that the Motorola vulnerability was limited since the phones can be in visible mode for only brief periods when the owner exchanges information with other phone users.

Although phone owners can leave Nokia and Sony Ericsson phones in visible mode, the phone companies said people don't usually do this.

They also said that because Bluetooth's range is generally 30 feet, an attacker could target only people who stayed within range long enough to be attacked. But Laurie said that he achieved ranges closer to 50 feet in tests. With either range he could stand in a building lobby or hallway and collect data from mobile phones on floors above and below him.

And a device demonstrated at DefCon could increase that range more than tenfold. The BlueSniper "rifle," created by John Hering and colleagues at Flexilis as a proof-of-concept device, resembles a rifle. It has a vision scope and a yagi antenna with a cable that runs to a Bluetooth-enabled laptop or PDA in a backpack. Aiming the rifle from an 11th-floor window of the Aladdin hotel at a taxi stand across the street in Las Vegas, Hering and colleagues were able to collect phone books from 300 Bluetooth devices.
They bested that distance and broke a record this week by attacking a Nokia 3610i phone 1.1 miles away and grabbing the phone book and text messages.

"The odds of anybody (attacking a phone) are very slim to begin with," said Nokia spokesman Keith Nowak, noting that the only vulnerable model sold by the company in the United States is the 6310i. "But if you're worried about it, just turn the Bluetooth off or take it out of discoverable mode."

This works for regular phones, Laurie said, but not the Nokia car phone, which does not let users switch to hidden mode or turn off Bluetooth.

Nokia announced in May that it would have software upgrades to address the Bluetooth problem for all of its phones by the end of the summer, though this will not include car phones, and users would have to send in their phones to Nokia to have the patch installed.

Sony Ericsson told Laurie it fixed the problem. But when he examined the phones, he discovered they fixed the bugging problem but not the data-theft issue. Sony Ericsson could not be reached for comment.

Laurie found that most people forget to switch off Bluetooth and the visible mode after exchanging information with someone. About 50 percent to 70 percent of phones he examined in road tests were in visible mode and vulnerable to one type of attack or another.

In one experiment, standing for about two hours in London Underground stations during rush hour, Laurie found 336 Bluetooth phones, 77 of which were vulnerable to attack. He conducted a similar test at Britain's House of Parliament, carrying a laptop in his backpack. After going through security, he wandered the ground floor for 14 minutes looking at paintings and passing politicians while the attack ran automatically from his backpack. Of 46 Bluetooth devices he found, eight phones were vulnerable to attack.

Herfurt is working on developing Bluebug to run from a phone so an attacker wouldn't even need a bulky laptop.
Laurie said most people don't think they have valuable data on their phones, but many people store passwords, PINs and financial account numbers in their phones. A London shopkeeper he knows didn't care about the vulnerability until he attacked her phone and extracted the door and alarm codes for three of her businesses.

Michael Foley, executive director for the Bluetooth Special Interest Group, said the risk of attacks has gone down since the issue came to light. But as long as the risk is above zero, the industry group is taking it seriously and working with phone makers to address the problems.

"Now that the manufacturers are aware of these vulnerabilities, I don't think you'll see new phones coming out that are vulnerable to the attack," he said.

From isn at c4i.org Fri Aug 6 08:18:02 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Aug 6 08:27:30 2004
Subject: [ISN] Defcon 12's Fear and Hacking in Vegas
Message-ID:

http://www.tomshardware.com/business/200408021/index.html

By Humphrey Cheung
August 2, 2004

The 12th annual Defcon hacker convention was held at the Alexis Park Hotel in Las Vegas, Nevada. For three days, hackers exchanged ideas, presented new and sometimes scary information and partied hard. More than a hundred speakers gave dozens of talks on computer security, hacking and privacy issues. For a mere $80 attendees received access to the talks, contests and the after-hours parties.

In this article we will cover some of the more interesting contests and give you an overall feel for the convention so that you can decide whether you want to attend next year. Three download videos are included.

Wall Of Sheep

The Wall of Sheep is a projector screen that displays captured usernames and passwords. The Wall, which was originally named the Wall of Shame, is a time-honored tradition at Defcon where a loose-knit group of people continuously sniffs the network for any plaintext usernames and passwords on the wired and wireless networks.
Since this is a hacker convention, attendees using the Defcon network should protect their logins by using VPN, SSH or other encryption technology. Some attendees apparently didn't get the message.

In the first few years, the usernames and passwords were written on paper plates and then taped to the wall. As the number of passwords found grew, a better solution had to be found. A computer security engineer named "Riverside" wrote the Wall of Sheep software from scratch. He also was one of the original people who started the Wall.

The usernames and passwords cycle up and down so people can see all the information gathered since the start of the convention. In addition, only the first three characters of the password are shown in order to protect the privacy of the user.

Riverside said that some people have been remarkably careless in using the wireless at Defcon. He gave several examples of people who had their passwords intercepted, who then tried to change their passwords on the same insecure network, only to have the information intercepted again! Riverside examines all the new attacks at Defcon and then implements a defense at his daytime job.

About 200-500 passwords are found every year at Defcon. The typical passwords are email, FTP and other login passwords. This year, someone was careless enough to email their tax returns in .PDF format at the convention. This traffic was immediately intercepted and the above humorous message was displayed on the projector. Also, another person was emailing people asking how to get a fake ID. This was also intercepted and displayed. I have blacked out some identifying information to protect the users' privacy.

As Riverside explains, "The Wall has shown people the importance of using encryption, not just at Defcon but in all network traffic. I have had security experts who have attended Black Hat, SANS and other conventions thank me for showing them how vulnerable their traffic was."
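The detection-and-masking logic the article describes, as an added example written for auditing traffic on a network you operate (not the Wall of Sheep software itself): it scans captured application-layer lines for logins sent in the clear (FTP and POP3 USER/PASS, HTTP Basic authorization headers) and reports each with only the first three characters of the password, the masking rule Riverside uses. The client addresses, ports and credentials below are constructed sample data.

```python
"""Cleartext credential detector in the spirit of the Wall of Sheep.

Added example, not the Wall of Sheep code. Input is a list of captured
flows (client, destination port, payload lines); output is a list of
findings with the password masked to its first three characters so the
report warns the user without exposing the secret.
"""
import base64
import binascii
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    client: str
    protocol: str
    username: str
    masked_password: str


def mask_password(password, visible=3):
    """Show only the first `visible` characters, replace the rest with *."""
    return password[:visible] + "*" * max(0, len(password) - visible)


_BASIC = re.compile(r"^Authorization:\s*Basic\s+(\S+)", re.IGNORECASE)


def scan_flows(flows):
    """flows: iterable of (client, dst_port, payload_lines).

    Returns one Finding per cleartext login observed. FTP (21) and POP3
    (110) send USER then PASS as separate commands; a PASS without a
    preceding USER is ignored. HTTP (80) Basic auth carries
    base64("user:password") in a single header."""
    findings = []
    for client, dst_port, lines in flows:
        pending_user = None
        for raw in lines:
            line = raw.rstrip("\r\n")
            if dst_port in (21, 110):
                proto = "ftp" if dst_port == 21 else "pop3"
                verb, _, arg = line.partition(" ")
                if verb.upper() == "USER":
                    pending_user = arg
                elif verb.upper() == "PASS" and pending_user is not None:
                    findings.append(Finding(client, proto, pending_user,
                                            mask_password(arg)))
                    pending_user = None
            elif dst_port == 80:
                m = _BASIC.match(line)
                if not m:
                    continue
                try:
                    decoded = base64.b64decode(m.group(1), validate=True)
                    user, sep, pw = decoded.decode("utf-8").partition(":")
                except (binascii.Error, UnicodeDecodeError):
                    continue  # malformed header, not a credential
                if sep:
                    findings.append(Finding(client, "http-basic", user,
                                            mask_password(pw)))
    return findings


# Constructed sample capture: two cleartext logins, one SSH session
# (encrypted, nothing to report) and a stray PASS with no USER.
SAMPLE_FLOWS = [
    ("10.0.0.5", 21, ["USER alice\r\n", "PASS hunter2\r\n", "CWD /\r\n"]),
    ("10.0.0.9", 80, ["GET /mail HTTP/1.1\r\n",
                      "Authorization: Basic "
                      + base64.b64encode(b"bob:tr0ub4dor&3").decode() + "\r\n"]),
    ("10.0.0.7", 22, ["SSH-2.0-OpenSSH_3.8\r\n"]),
    ("10.0.0.5", 21, ["PASS orphan\r\n"]),
]


if __name__ == "__main__":
    for f in scan_flows(SAMPLE_FLOWS):
        print(f"{f.client:<12} {f.protocol:<11} {f.username:<8} {f.masked_password}")
```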
[...]

From isn at c4i.org Mon Aug 9 08:43:28 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 9 08:54:45 2004
Subject: [ISN] 34 flaws found in Oracle database software
Message-ID:

Forwarded from: security curmudgeon

[Few comments on this article.. -jericho]

: http://www.computerworld.com/securitytopics/security/story/0,10801,95013,00.html
:
: By Jaikumar Vijayan
: AUGUST 03, 2004
: COMPUTERWORLD
:
: Oracle Corp. will soon issue patches to fix 34 different vulnerabilities
: in its database software that were disclosed to it early this year by a
: British bug hunter.

Thirty four is a lot.. perhaps Oracle could stand to hire some audit talent.

: "They include buffer overflows, SQL injection issues and a whole range
: of other minor issues," said Litchfield, who discovered the flaws. He
: said that he reported them to Oracle in January and February.

Seven to eight month turnaround time... chalk that up to "regression testing"?

: Oracle confirmed the existence of the flaws, which were discussed
: publicly at last week's Black Hat security conference in Las Vegas, but
: did not offer any further comment. In an e-mailed statement, a company
: spokeswoman said that Oracle had fixed the flaws and would issue a
: security alert "soon."

http://www.blackhat.com/html/bh-usa-04/bh-usa-04-speakers.html

All New 0-Day
David Litchfield, Founder, Next Generation Security Software
This presentation will be entirely new and never seen before. Code included.

Yet on the BlackHat CD provided, there is no bh-us-04-litchfield.pdf set of slides (with or without 0-day). I also heard in passing that Litchfield told the audience first thing that there would be no 0-day disclosure, instead there would only be generic SQL injection discussion. Can anyone confirm this? If true, did Jaikumar Vijayan not attend the talk and write this based solely on the schedule?
From isn at c4i.org Mon Aug 9 08:44:29 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 9 08:54:46 2004
Subject: [ISN] REVIEW: "Software Forensics", Robert M. Slade
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKSFWRFR.RVW 20040706

"Software Forensics", Robert M. Slade, 2004, 0-07-142804-6, U$39.95/C$3.95/UK#29.99
%A Robert M. Slade rslade@vcn.bc.ca rslade@computercrime.org
%C 300 Water Street, Whitby, Ontario L1N 9B6
%D 2004
%G 0-07-142804-6
%I McGraw-Hill Ryerson/Osborne
%O U$39.95/C$3.95/UK#29.99 800-565-5758 fax: 905-430-5020
%O http://www.amazon.com/exec/obidos/ASIN/0071428046/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0071428046/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0071428046/robsladesin03-20
%P 215 p.
%T "Software Forensics"

As long as I'm reviewing books about which I can't be objective, I might as well review my own.

This book is about software forensics. Nobody seems to know what that is. "Oh, you look for child porno and drug dealer addresses on seized computers, right?" Umm, no. That's computer forensics which, although it should be broader, has become limited to the basic data recovery aspect of the wider field of digital forensics. Software forensics delves into what evidence you can glean from software itself. This is useful in malware and virus research (where it has long been known as forensic programming), as well as in cases involving intellectual property and plagiarism. The study and tools utilized in software forensics can assist with determining the intent and authorship of a piece of software. At times it can even help with tasks such as recovering source code with legacy programs, or porting to new systems.

In the book there is an overview of software forensics itself. One chapter looks at blackhat sociology and culture, since those characteristics can be evident in the programming style. There is material on the various tools, and properties of malicious software.
Presentation of this type of evidence in court is difficult, so chapter five reviews expert witness restrictions and other legal issues. Content is included on programming cultures, stylistic analysis, and authorship analysis.

I can say, without any bias whatever, that this is the finest work on this topic available today. I can say that, because it's the *only* book that is dedicated to the subject.

copyright Robert M. Slade, 2004 BKSFWRFR.RVW 20040706

======================
(quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear. - II Timothy 4:3
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

From isn at c4i.org Mon Aug 9 08:45:16 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 9 08:54:47 2004
Subject: [ISN] Source code stolen from U.S. software company in India
Message-ID:

Forwarded from: Chris Wysopal

http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,95045,00.html

"The company said that according to a report obtained from its branch in India, a recently hired software engineer used her Yahoo e-mail account, which now allows 100MB of free storage space, to upload and ship the copied files out of the research facility. The company detected the theft and is trying to prevent the employee from further distributing the source code and other confidential information."

What this means is large free web email storage facilities make intellectual property theft easier. Just zip and send an attachment to yourself.
But this is the real kicker:

"Though the Indian branch of Jolly Technologies requires employees to sign a similar employment agreement, the sluggish Indian legal system and the absence of intellectual property laws make it nearly impossible to enforce such agreements, the company said. ... The company said it has decided to delay further recruitment and halt development activities in India until better legal safeguards are in place."

Is this true? Can Indian employees steal source code with no legal repercussions? Wow, think of all the code that is outsourced to India these days with no legal protections. And it is all a Yahoo file attachment away.

-Chris

From isn at c4i.org Mon Aug 9 08:45:39 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 9 08:54:49 2004
Subject: [ISN] Linux Advisory Watch - Aug 6th 2004
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|  August 6, 2004                            Volume 5, Number 31a     |
+---------------------------------------------------------------------+

Editors: Dave Wreski (dave@linuxsecurity.com), Benjamin Thomas (ben@linuxsecurity.com)

This week, advisories were released for Xsco, OpenSSL, uudecode, samba, sox, phpMyAdmin and wv. The distributors include SCO Group, Conectiva, Gentoo, Mandrake, Red Hat.

-----
>> Internet Productivity Suite: Open Source Security <<
Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design.
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn10
-----

Using PAM

Pluggable Authentication Modules (PAM) is a method for authenticating users. Using PAM, programmers can provide an easier and more versatile means of performing authentication functions.
The authentication method can be changed from basic passwords to smart cards or even biometrics without recompiling programs or requiring serious modifications. Additionally, PAM can be used to modify the terms of access by users as well as system resources.

Just a few of the things you can do with PAM:

- Use a different hashing method for passwords such as MD5, making them harder to brute force;
- Set resource limits on all your users so they can't perform denial of service attacks (number of processes, amount of memory, etc);
- Enable shadow passwords on the fly;
- Allow specific users to login only at specific times from specific places.

Within a few hours of installing and configuring your system, you can prevent many attacks before they even occur. For example, use PAM to disable the system-wide usage of .rhosts files in users' home directories by adding these lines to /etc/pam.d/login (files under /etc/pam.d carry no service-name column, so the line starts with the module type):

    #
    # Disable rsh/rlogin/rexec for users
    #
    auth    required    pam_rhosts_auth.so    no_rhosts

Set limits instead of allowing the default, which is unlimited. You can control the per-user limits using the resource-limits PAM module and /etc/pam.d/limits.conf. For example, limits for group 'users' might look like this:

    @users    hard    core     0
    @users    hard    nproc    50
    @users    hard    rss      5000

This says to limit the creation of core files to zero bytes, restrict the number of processes to 50, and restrict memory usage per user to 5 Meg.

The Linux-PAM System Administrators' Guide is a "draft" document that describes the usage of the default PAM modules.
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html

Keep in mind that there is the potential to create a situation whereby even root doesn't have access to the system, creating all kinds of configuration headaches. Use caution.
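A small audit of the two hardening steps in the tip, as an added example that is not part of the newsletter: it parses the limits.conf line format (domain, type, item, value) and a pam.d service file, reports which of the recommended hard limits a group still lacks (no entry means the default, unlimited), and confirms that rhosts authentication is loaded with the no_rhosts argument. The file contents below are constructed samples; the rss entry is deliberately left unlimited to show how a gap is reported.

```python
"""Audit the limits.conf and pam.d/login settings from the PAM tip above.

Added example, not the newsletter's code. Both inputs are constructed
strings; point parse_limits_conf/rhosts_disabled at real file contents
to audit a live system.
"""
from dataclasses import dataclass

# Hard limits the tip recommends for the 'users' group.
RECOMMENDED_HARD_LIMITS = {"core": 0, "nproc": 50, "rss": 5000}


@dataclass(frozen=True)
class Limit:
    domain: str   # user name, @group, or *
    kind: str     # hard, soft, or - (both)
    item: str     # core, nproc, rss, ...
    value: str    # number or the word unlimited


def parse_limits_conf(text):
    """Parse limits.conf lines; blank lines and # comments are skipped."""
    limits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        domain, kind, item, value = fields
        if kind not in ("hard", "soft", "-"):
            raise ValueError(f"line {lineno}: unknown limit type {kind!r}")
        limits.append(Limit(domain, kind, item, value))
    return limits


def missing_hard_limits(limits, domain, recommended=RECOMMENDED_HARD_LIMITS):
    """Return {item: recommended_value} for every recommended item that has
    no hard limit for `domain`, is unlimited, or is looser than recommended."""
    effective = {l.item: l.value for l in limits
                 if l.domain == domain and l.kind in ("hard", "-")}
    gaps = {}
    for item, want in recommended.items():
        have = effective.get(item)
        if have is None or have == "unlimited" or int(have) > want:
            gaps[item] = want
    return gaps


def rhosts_disabled(pamd_text):
    """True if an auth line loads pam_rhosts_auth.so with no_rhosts.
    /etc/pam.d/<service> lines are: type control module [args]; a line
    written in /etc/pam.conf style (service first) is not recognised."""
    for raw in pamd_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != "auth":
            continue
        if fields[2].endswith("pam_rhosts_auth.so") and "no_rhosts" in fields[3:]:
            return True
    return False


def audit(limits_text, pamd_text, domain="@users"):
    """Run both checks and return one report dict."""
    limits = parse_limits_conf(limits_text)
    return {"missing_hard_limits": missing_hard_limits(limits, domain),
            "rhosts_disabled": rhosts_disabled(pamd_text)}


# Constructed sample inputs (not from a real system).
SAMPLE_LIMITS_CONF = """\
# limits.conf sample: rss left unlimited on purpose
@users  hard  core   0
@users  hard  nproc  50
@users  hard  rss    unlimited
@staff  soft  nproc  100
"""

SAMPLE_PAM_LOGIN = """\
# /etc/pam.d/login sample
auth  required  pam_rhosts_auth.so  no_rhosts
auth  required  pam_unix.so
"""

if __name__ == "__main__":
    print(audit(SAMPLE_LIMITS_CONF, SAMPLE_PAM_LOGIN))
```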
Security Tip Written by Dave Wreski (dave@guardiandigital.com)
Additional tips are available at the following URL:
http://www.linuxsecurity.com/tips/

----

An Interview with Gary McGraw, Co-author of Exploiting Software: How to Break Code

Gary McGraw is perhaps best known for his groundbreaking work on securing software, having co-authored the classic Building Secure Software (Addison-Wesley, 2002). More recently, he has co-written with Greg Hoglund a companion volume, Exploiting Software, which details software security from the vantage point of the other side, the attacker. He has graciously agreed to share some of his insights with all of us at LinuxSecurity.com
http://www.linuxsecurity.com/feature_stories/feature_story-171.html

---------------------------------------------------------------------

Security Expert Dave Wreski Discusses Open Source Security

LinuxSecurity.com editors have a seat with Dave Wreski, CEO of Guardian Digital, Inc. and respected author of various hardened security and Linux publications, to talk about how Guardian Digital is changing the face of IT security today. Guardian Digital is perhaps best known for their hardened Linux solution EnGarde Secure Linux, touted as the premier secure, open-source platform for its comprehensive array of general purpose services, such as web, FTP, email, DNS, IDS, routing, VPN, firewalling, and much more.
http://www.linuxsecurity.com/feature_stories/feature_story-170.html

------
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
| Distribution: SCO Group         |
+---------------------------------+

7/30/2004 - Xsco: Buffer overflow vulnerability
  UnixWare 7.1.3, Open UNIX 8.0.0: Xsco contains a buffer overflow that could be exploited to gain root privileges.
  http://www.linuxsecurity.com/advisories/caldera_advisory-4622.html

7/30/2004 - Xsco: Buffer overflow vulnerability
  OpenServer 5.0.6, OpenServer 5.0.7: Xsco contains a buffer overflow that could be exploited to gain root privileges.
  http://www.linuxsecurity.com/advisories/caldera_advisory-4623.html

7/30/2004 - OpenSSL: Multiple vulnerabilities
  This patch addresses a large number of outstanding OpenSSL vulnerabilities.
  http://www.linuxsecurity.com/advisories/caldera_advisory-4624.html

7/30/2004 - uudecode: Insecure tempfile vulnerability
  If a user uses uudecode to extract data into open shared directories, such as /tmp, this vulnerability could be used by a local attacker to overwrite files or lead to privilege escalation.
  http://www.linuxsecurity.com/advisories/caldera_advisory-4625.html

+---------------------------------+
| Distribution: Conectiva         |
+---------------------------------+

7/30/2004 - samba: Buffer overflow vulnerabilities
  Exploitation of these vulnerabilities could lead to execution of arbitrary code.
  http://www.linuxsecurity.com/advisories/conectiva_advisory-4620.html

7/30/2004 - sox: Buffer overflow vulnerabilities
  Ulf Härnhammar found two buffer overflow vulnerabilities[2] in SoX. They occurred when the sox or play commands handled malicious .WAV files.
  http://www.linuxsecurity.com/advisories/conectiva_advisory-4621.html

+---------------------------------+
| Distribution: Gentoo            |
+---------------------------------+

7/30/2004 - samba: Buffer overflow vulnerabilities
  Two buffer overflow vulnerabilities were found in Samba, potentially allowing the remote execution of arbitrary code. (Note: this announcement takes the ERRATA released by Gentoo into account).
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4617.html

7/30/2004 - phpMyAdmin: Multiple vulnerabilities
  Multiple vulnerabilities in phpMyAdmin may allow a remote attacker with a valid user account to alter configuration variables and execute arbitrary PHP code.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4618.html

7/30/2004 - SoX: Buffer overflow vulnerabilities
  By enticing a user to play or convert a specially crafted WAV file an attacker could execute arbitrary code with the permissions of the user running SoX.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4619.html

+---------------------------------+
| Distribution: Mandrake          |
+---------------------------------+

7/30/2004 - wv: Buffer overflow vulnerability
  iDefense discovered a buffer overflow vulnerability in the wv package which could allow an attacker to execute arbitrary code with the runner's privileges.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4615.html

7/30/2004 - OpenOffice.org: Multiple vulnerabilities / Buffer overflow vulnerability
  These updated packages contain fixes to libneon to correct the several format string vulnerabilities in it, as well as a heap-based buffer overflow vulnerability.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4616.html

+---------------------------------+
| Distribution: Red Hat           |
+---------------------------------+

7/30/2004 - sox: Buffer overflow vulnerabilities
  A malicious WAV file could cause arbitrary code to be executed when the file was played or converted.
  http://www.linuxsecurity.com/advisories/redhat_advisory-4613.html

7/30/2004 - ipsec-tools: Key verification vulnerability / Buffer overflow vulnerabilities
  When configured to use X.509 certificates to authenticate remote hosts, ipsec-tools versions 0.3.3 and earlier will attempt to verify that host certificate, but will not abort the key exchange if verification fails.
  http://www.linuxsecurity.com/advisories/redhat_advisory-4614.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Aug 9 08:46:04 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 9 08:54:50 2004
Subject: [ISN] Romanian Indicted in Hacking Scheme
Message-ID:

http://www.latimes.com/technology/la-fi-hacker6aug06,1,431196.story?coll=la-headlines-technology

Associated Press
August 6, 2004

A Romanian man has been indicted by a grand jury that charged him and five Americans with a $10-million scheme to steal goods from a computer equipment distributor.

The indictment returned Wednesday accuses Calin Mateias, 24, of Bucharest, of hacking into the online ordering system of Santa Ana-based Ingram Micro Inc. and posing as a legitimate customer to place more than 2,000 orders over four years.

Computers and equipment were shipped to Romania or to people in the U.S. who had been recruited in Internet chat rooms to send the equipment or the proceeds from its sale to Mateias, the indictment alleged.

"It's larger than your average computer hacking case. It's a lot more damage," said Assistant U.S. Atty. Wesley Hu.

Mateias, who was charged with conspiracy and 13 counts of mail fraud, is in Romania and is not in custody, officials said. The U.S. attorney's office in Los Angeles said the Justice Department was working with Romanian authorities to "ensure Mateias is brought to justice, whether in Romania or the United States."

Also charged with mail fraud are Olufemi Tinubu, 21, and Tarion Finley, 20, of Atlanta; Valeriu Crisovan, 27, of Hallandale, Fla.; Jeremy Long, 28, of Richmond, Va.; and Warren Bailey, 21, of Anchorage.
Each will be issued a summons to appear this month in federal court in Los Angeles.

Authorities searched Mateias' home in Romania in April, but prosecutors declined to say what was found. They also would not say how they believe he hacked into the online ordering system of Ingram Micro, a wholesale computer and equipment company.

A spokeswoman for the company, the world's largest computer equipment distributor with $22.6 billion in sales last year, did not return phone calls seeking comment.

Mateias, who faces a maximum of 90 years in prison if convicted on all counts, has long been known as a computer hacker who uses the pseudonyms "Dr. Mengele" and "Metal."

Authorities allege that Mateias hacked into Ingram Micro's online ordering system in 1999. The company blocked shipments to Romania, so he recruited Americans to accept the merchandise, officials say.

From isn at c4i.org Mon Aug 9 08:46:41 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 9 08:54:51 2004
Subject: [ISN] Webmaster held on terror charges
Message-ID:

Forwarded from: William Knowles

http://news.com.com/Webmaster+held+on+terror+charges/2100-1028_3-5300745.html

By Ben Charny
Staff Writer, CNET News.com
August 6, 2004

The publisher of two pro-jihad Web sites has been arrested in London on suspicion of terrorism-related activities, U.S. investigators said on Friday.

Babar Ahmad, 30, was remanded in custody by a London magistrates court on Friday on a U.S. extradition warrant. American authorities are seeking to try Ahmad on five federal charges, including material support of terrorism and prohibited support of the Taliban, according to a U.S. Department of Justice official. If found guilty, Ahmad would face more than 20 years in federal prison.

Ahmad is accused of raising money for Islamic militants through two American-based Web sites that he operated, Azzam.com and Qoqaz.net.
Azzam was hosted by Internet service providers in Nevada and Connecticut, and Qoqaz was run outside the United States, the Justice Department said.

Ahmad hid his connection to the sites using encrypted data and aliases, such as the name of his college roommate, according to a 37-page affidavit outlining the charges that was filed this week in U.S. District Court in Connecticut.

Between Feb. 29, 2000, and Dec. 17, 2001, both Web sites urged Muslims to "use every means at their disposal to undertake military and physical training for jihad" and told them to take up physical and firearms training, the Justice Department said.

The sites also provided "explicit instructions" about how to raise funds and deliver them to the Taliban. It directed couriers to carry letters saying the money they carried was from charitable donations in the United States, the agency said.

U.S. investigators said they have uncovered e-mails on an Azzam account that link Ahmad to an unnamed Chechen Mujahedeen leader suspected of taking part in a Moscow theater attack in October 2002. In addition, they found an e-mail message dated July 2001 from a U.S. Naval enlistee on active duty that "expressed anti-American sentiment and offered praise for the Mujahedeen," the Justice Department said.

British authorities had apparently been investigating Ahmad since 2003, when they recovered authentic U.S. naval battle plans while searching a location connected to the Web site publisher. Among other things, the documents describe the naval battle group's vulnerability to specific types of terrorist attacks, the Justice Department said.

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred M.
Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================

From isn at c4i.org Mon Aug 9 08:51:40 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 9 08:54:52 2004
Subject: [ISN] Tridentcom 2005
Message-ID:

Forwarded from: Sandro Marcelo Rossi

=======================================================================
Tridentcom 2005
First International Conference on Testbeds and Research Infrastructures for the DEvelopment of NeTworks and COMmunities
Trento (Italy), February 21 - 25, 2005
=======================================================================

Important Dates
  Full Papers due:              *** September 5, 2004 ***
  Notification of Acceptance:   October 20, 2004
  Camera-ready Manuscripts due: November 10, 2004

Sponsored by CreateNet/ICST
Co-sponsored by IFIP
Conference proceedings will be published by IEEE Computer Society Press.

Web site with updated conference information: http://www.tridentcom.org/

=======================================================================

Scope

Telecommunication infrastructures play a vital role in modern society. The advancements in the range of network service offerings, their performance, quality of service, security, and ubiquity are relentless, despite global economy fluctuations. The demand for high bandwidth network infrastructures is continuously growing within both academic and industrial sectors. Grid computing is one of the many examples of the new emerging paradigm of networking characterized by huge data traffic flows that require an extremely high-performance network infrastructure. The need for high speed is also emerging in mobile, wireless network environments, where new wireless technologies promise data rates above 100 Mbps. Other high bandwidth network examples include community access networks, on demand optical networks and the Next Generation Internet.
To meet these challenges, experimental activities on infrastructures, such as testing, verification, deployment, are pivotal for academic researchers, developers, service managers and providers, as well as for end users. The management of research infrastructures is increasingly dependent on a business model that optimizes their operational price/performance ratio. For example, access to experimental infrastructures for real-life applications by specific user communities would benefit all the stakeholders involved: the end users, because of the experimental evaluation of the provided services, the researchers and infrastructure experimenters, because of the knowledge gained from case-study analysis, and the infrastructure managers, because of the business exploitation of the network. The synergies created by opening research infrastructures to real life users offer all parties involved an enormous development potential, which needs to be thoroughly investigated and discussed. Tridentcom is the first event that brings together all aspects related to experimental telecommunication infrastructures, creating a forum where telecommunication networks researchers, vendors, providers and users can exchange ideas on past experience, requirements, needs, visions for the establishment of such infrastructures. Research on all aspects of testbed and research infrastructure operation and management will find in Tridentcom its first forum for focused discussion. High quality papers reporting on original research and on experiment results addressing the above areas are solicited for submission. 
The main topics of the conference are:

Next Generation Internet Testbeds
Next Generation Wireless Network Testbeds
Next Generation Optical Network Testbeds
Ubiquitous Network Testbeds
Wireless Sensor Testbeds
Testbed Operation & Management for User Communities
Testbed Operation & Management for Research Communities
Testbed Cooperation & Integration
Innovative Measurements Methodologies & Tools
Traffic Measurements Testbeds
Software Tools to Support Distributed Testbeds / Virtual Laboratories
Management of Massive Databases of Experimental Data
Knowledge & Technology Transfer Procedures
Security (AAA) Testing on Open Testbeds
Social Impacts of Infrastructures
Infrastructure Real-Life Applications
Business Models for Infrastructure Budgeting & Planning
Infrastructure Renting & Pricing Policies
Vendors & Providers Partnerships

The meeting will take place at Trento, capital of the Trentino province, heart of recent and rapidly growing R&D initiatives in Computer Science and Telecommunications, and surrounded by some of the most spectacular skiing resorts in the Alps. Pauses in the conference program will allow social activities and informal interaction among the participants.
=======================================================================

Organizing committee:

Conference General Co-Chairs:
Roberto Battiti, University of Trento
Mario Gerla, UCLA

Vice General Co-Chairs:
Marcos Rogerio Salvador, CPqD Telecom and IT Solutions
Marco Ronchetti, University of Trento

Steering Committee Chair:
Imrich Chlamtac, University of Trento, UT Dallas, Create-Net

Technical Program Committee:

Co-Chairs:
Javier Aracil, Universidad Publica de Navarra
Shivkumar Kalyanaraman, Rensselaer Polytechnic Institute
Kenichi Mase, Niigata University

Members:
Giuseppe Bianchi, University of Roma Tor Vergata (Italy)
Ernst Biersack, Eurecom (France)
Victor Castelo, CSIC-RedIRIS (Spain)
Piero Castoldi, Scuola Superiore Sant'Anna (Italy)
Michele Crudele, Università Campus Bio-Medico di Roma (Italy)
Cem Ersoy, Bogazici University (Turkey)
Alex Galis, University College London (UK)
Giulio Iannello, Università Campus Bio-Medico di Roma (Italy)
Parviz Kermani, IBM - Watson Research Center (USA)
Cees de Laat, University of Amsterdam (The Netherlands)
Xing Li, Tsinghua University (China)
Thomas Magedanz, FHI FOKUS (Germany)
Olivier Martin, CERN (Switzerland)
Peter McBurney, University of Liverpool (UK)
Saverio Niccolini, Ecole d'Ingénieurs du Canton de Vaud (Switzerland)
Yoram Ofek, University of Trento (Italy)
Yuji Oie, Kyushu Institute of Technology (Japan)
Bjorn Pehrson, KTH (Sweden)
Dipankar Raychaudhuri, Rutgers University (USA)
Shiro Sakata, Chiba University (Japan)
Rege Romeu Scarabucci, CPqD Telecom & IT Solutions (Brazil)
Yuval Shavitt, Tel Aviv University (Israel)
Michael Stanton, RNP (Brazil)
Bill St. Arnaud, CANARIE (Canada)
Csaba Szabó, Budapest University of Technology and Economics (Hungary)
Sven Ubik, CESNET (Czech Republic)
Hisao Uose, NTT (Japan)
Giorgio Ventre, Università di Napoli Federico II (Italy)
Steven Willmott, UPC (Spain)
Adam Wolisz, Technical University of Berlin (Germany)
Thomas Ziegler, FTW (Austria)

Panel Chair:
Michael I. Smirnov, FHI FOKUS

Demo Chair:
David W. Walker, University of Cardiff

Publicity Co-Chairs:
North America: Hakki Candan Cankaya, Alcatel USA
South America: Sandro Marcelo Rossi, CPqD Telecom and IT Solutions
Asia: Shigeo Shioda, Chiba University

Publication and Web Chair:
Piero Spinnato, Create-Net

Finance Chair:
Dru Lundeng, ICST

Local Organization Chair:
Sandro Pera, Create-Net

=======================================================================

From isn at c4i.org Wed Aug 11 01:40:28 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 11 02:38:54 2004
Subject: [ISN] REVIEW: "Stealing the Network: How to Own a Continent", Ryan Russell
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKSTNHOC.RVW 20040721

"Stealing the Network: How to Own a Continent", Ryan Russell, 2004, 1-931836-05-1, U$49.95/C$69.95
%E Ryan Russell BlueBoar@thievco.com
%C 800 Hingham Street, Rockland, MA 02370
%D 2004
%G 1-931836-05-1
%I Syngress Media, Inc.
%O U$49.95/C$69.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O http://www.amazon.com/exec/obidos/ASIN/1931836051/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/1931836051/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/1931836051/robsladesin03-20
%P 402 p.
%T "Stealing the Network: How to Own a Continent"

This book is fiction (more a series of short stories or scenarios than a novel), but, like Winn Schwartau's "Pearl Harbor Dot Com" (cf. BKPRHRDC.RVW, and "Terminal Compromise" before it, BKTRMCMP.RVW), the authors intend the book to be taken as a serious addition to security literature.

Chapter one is basically about hiding and paranoia. The central character seems to be using a considerable amount of money to hide while setting up some kind of crime, and then abandons everything. The points in regard to ensuring computers and data are unrecoverable are interesting, and probably workable.
The more important aspects of the plot which involve creating a team, employing cutouts, and disappearing are left almost completely undetailed. If, therefore, we are supposed to learn anything either about crime, or how to detect or prevent it, the content and information simply aren't there. The claim that the "technology" is real, and would work, is unverifiable because we haven't had any technology yet. (The writing is edgy, interesting, and mostly readable. However, it's also difficult and confused in places.) The story continues, via another character (two, actually) in chapter two. This time the technical aspects are more detailed (and fairly realistic) although the community factors are questionable (and the story has some important gaps). (I can personally vouch for the fact that the description of the physical attributes of that specific hotel are bang on, although the ... umm ... social amenities are not.) An "Aftermath" section is at the end of every chapter. In some instances the segment provides a little advice on detecting the attacks described in the story, but this is by no means true in all cases. Nothing much is added in chapter three: a wireless network is penetrated for a second time. Man-in-the-middle attacks, some IP, and UNIX cracking are added in chapter four, phone phreaking in five, and sniffing and rootkits in six. Chapters seven and eight describe software analysis and exploits. Malware is used in chapter nine, although there are the usual unresolved problems with directing attacks and limiting spread. The lack of particulars on the intent of the attack makes the chapter quite perplexing. As with any volume where multiple authors work on separate chapters, the quality of the writing varies. (That the authors did strive together on the overall plot is evident from a few subtle ties between different stories. 
An appendix lists some of the discussion in this regard: for those interested in the process of writing and collaboration it is an interesting piece in its own right.) One specific point is that a few sections have very stilted dialogue.

Overall, most of the book is readable as fiction, although it is hardly thriller level plotting. Since it is fiction, the story has to be a story, and interesting, and therefore contain elements that are not related to the technology under examination. It is difficult to draw the line between not enough and too much, but the authors do seem to have included an awful lot of material that is unimportant either to the security functions or to the plot. A number of these digressions are simply confusing. The characters used in the stories are frequently stereotypes, although not always of the same type. (I was very amused by the note that the book attempted to remain true to geek culture, including "swearing, boorishness, and allusions to sex without there being any actual sex.") If you watch a lot of movies with somewhat technical themes you can recognize where quite a number of personae come from.

Basic editing is the province of the publisher rather than the author(s), but it must be noted that spelling, grammatical, and typographical errors are surprisingly common. Not enough to be a real annoyance, but a proper copy edit would have improved the book quite a bit.

This book is certainly interesting enough (albeit rather disjointed) as fiction, and technical enough for everyone tired of the usual Hollywood view of computers. The security risks noted are real, and therefore a read through the book could be used to alert non-specialists to a number of security issues and vulnerabilities (although you'd hardly want to use it for training). I enjoyed it and I think it's got a place, although I'm having difficulty in defining where that place is.

copyright Robert M.
Slade, 2004 BKSTNHOC.RVW 20040721

======================
(quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu
Economics is extremely useful as a form of employment for economists. - John Kenneth Galbraith
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

From isn at c4i.org Wed Aug 11 01:40:55 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 11 02:38:55 2004
Subject: [ISN] 34 flaws found in Oracle database software
Message-ID:

Forwarded from: chris
Subject: Re: [ISN] 34 flaws found in Oracle database software

I attended this presentation and it is true that Dave did not do any zero days. It was, however, an incredible presentation on SQL injection/queries. In addition, due to A/V technical difficulties, Dave spent the first 20 minutes of the talk doing a Q&A with the audience on Oracle/SQL vulnerabilities that was worth the price of admission all by itself. He started the presentation after the A/V guys got the projectors working. The room was packed to capacity, SRO, and as far as I could tell no one walked out.

My guess is that Jaikumar Vijayan did not attend the talk.

Chris

On Mon, 9 Aug 2004, InfoSec News wrote:

> Forwarded from: security curmudgeon
>
> [Few comments on this article.. -jericho]
>
> : http://www.computerworld.com/securitytopics/security/story/0,10801,95013,00.html
> :
> : By Jaikumar Vijayan
> : AUGUST 03, 2004
> : COMPUTERWORLD
> :
> : Oracle Corp. will soon issue patches to fix 34 different vulnerabilities
> : in its database software that were disclosed to it early this year by a
> : British bug hunter.
>
> Thirty four is a lot.. perhaps Oracle could stand to hire some audit
> talent.
>
> : "They include buffer overflows, SQL injection issues and a whole range
> : of other minor issues," said Litchfield, who discovered the flaws. He
> : said that he reported them to Oracle in January and February.
>
> Seven to eight month turnaround time... chalk that up to "regression
> testing"?
>
> : Oracle confirmed the existence of the flaws, which were discussed
> : publicly at last week's Black Hat security conference in Las Vegas, but
> : did not offer any further comment. In an e-mailed statement, a company
> : spokeswoman said that Oracle had fixed the flaws and would issue a
> : security alert "soon."
>
> http://www.blackhat.com/html/bh-usa-04/bh-usa-04-speakers.html
>
> All New 0-Day
> David Litchfield, Founder, Next Generation Security Software
> This presentation will be entirely new and never seen before. Code
> included.
>
> Yet on the BlackHat CD provided, there is no bh-us-04-litchfield.pdf
> set of slides (with or without 0-day). I also heard in passing that
> Litchfield told the audience first thing that there would be no 0-day
> disclosure, instead there would only be generic SQL injection
> discussion.
>
> Can anyone confirm this? If true, did Jaikumar Vijayan not attend the
> talk and write this based solely on the schedule?
>
>
> _________________________________________
> Help InfoSec News with a donation: http://www.c4i.org/donation.html

From isn at c4i.org Wed Aug 11 01:41:51 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 11 02:38:56 2004
Subject: [ISN] Databases, Tools Aiming at Software Vulnerabilities
Message-ID:

http://www.kpmginsiders.com/display_search.asp?content_id=449029

Databases, Tools Aiming at Software Vulnerabilities
By Dave Pelland, Managing Editor, Technology Insider
July 14, 2004

As the growth of known software vulnerabilities shows no sign of abating, databases and management tools are emerging to help network administrators automate the identification and triage process.
The tools, which include hardware or externally provided services, typically perform functions such as conducting an inventory of a network's technology assets and notifying administrators about emerging vulnerabilities. This generally involves describing a software flaw and its potential effects, as well as providing information about any patches or technical workarounds needed to mitigate the exposure. "At a basic level, you get the data, figure out if or where it affects you, and decide whether you need to fix it or not, based on your environment," says Rick Trapp, VP of product management for Computer Associates' vulnerability management unit. Vulnerability management tools obtain information about emerging problems from numerous sources, including software providers, Web sites aimed at security professionals and hackers, online newsletters, and databases maintained by security vendors and non-profit organizations. In addition, security researchers look for surges in hacking activity that may indicate attempts to exploit a previously undiscovered vulnerability. The role of vulnerability databases has been expanding over the past few months. New entities have emerged, such as the United States Computer Emergency Readiness Team (US-CERT) Web site, operated by the Department of Homeland Security and the private sector. The Open Source Vulnerability Database (OSVDB) has joined established resources such as CERT Coordination Center at Carnegie Mellon University and the Common Vulnerabilities and Exposures (CVE) list maintained by the non-profit Mitre Corporation. Despite its name, OSVDB examines commercial software as well as open source applications. The "open source" designation refers to its use of volunteers compiling information, much in the way open source programs are examined by a community of developers. Administrators will check the databases when network performance degrades after an incident, or during routine system maintenance. 
"From what I have seen, most security folks use vulnerability databases for convenient reference," says Brian Martin of OSVDB. "In some cases, they use it to help during auditing or certification [to verify that] the system doesn't have any of the documented vulnerabilities."

Where things become a bit trickier for databases is deciding how to distinguish between the vulnerabilities that are public knowledge and those that only a few researchers may have uncovered. Database managers have to weigh disclosure of these so-called day-zero exploits -- for which a mitigation strategy or patch has not been developed -- carefully to avoid alerting hackers.

"It gets into a delicate balance," Trapp says. "Say we know there's something out there that can be exploited, but there's no indication of exploit activity. What do you do with that?"

Trapp says if researchers uncover a vulnerability, they contact the vendor that released the product to see if the company is aware of it, if they've seen any exploits and if they've developed a patch. If a problem is not disclosed publicly, Trapp says they'll avoid giving hackers a head start on developing malicious code by delaying any information release until a patch is available.

OSVDB's Martin agrees on the importance of withholding information about unpatched vulnerabilities. "One rule that governs the information we make available is that it must already be public in another forum," Martin says. "We will not publish information that has not been sent to a vendor [without giving them] adequate time to assess the issue, unless it has already been published."

Perhaps more important than their role in notifying administrators about a vulnerability is the databases' ability to provide information about resolving it -- either by providing a link to the vendor's patch or, if a patch has not been released, workarounds to help reduce problems.
"If a site doesn't tell you how to fix a solution, they aren't providing what you need," says Donald L. Pipkin, a security consultant and trainer and author of "Halting the Hacker." "Providing information about the solution is critical to the legitimacy of these organizations. If a database is not cooperating with vendors or linking to the solutions, how legitimate are they?" According to Computer Associates' Trapp, some information providers might release information about an unpatched vulnerability or provide code that enables an exploit to be developed, ostensibly for testing purposes. But he says using such exploit code to test a network is similar to using gasoline and matches to test if something is flammable. Organizations maintaining vulnerability databases and lists are increasingly cooperating by sharing information and formatting data in compatible formats so users of vulnerability tools can coordinate reports of software flaws from a variety of sources. "If you go back seven or so years ago, when we first started collecting vulnerability data, the first thing that would happen when we contacted a vendor would be the vendor going into denial," Trapp says. "Now instead of denial, most have become cooperative and it's viewed as a responsible industry action to help protect the environment." Martin says this cooperation among information sources is integral to protecting networks. "We have been in constant contact with members of CVE regarding our databases, working together to cross-reference each other," Martin says. "Technically, there isn't a need to coordinate with them, but we feel strongly that it benefits all parties to keep a line of communication [that] will only help each database improve." 
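The triage loop that Trapp and Martin describe above (pull advisories from several sources, cross-reference the ones that describe the same flaw, work out which of your own assets they touch, then decide whether a patch, a workaround or only monitoring is available) as an added Python example; it is not code from the article or from any vendor's tool, and every feed, identifier, product name and version in it is a constructed placeholder.

```python
"""Merge two differently formatted vulnerability feeds, collapse entries that
describe the same flaw, and match the result against an asset inventory.
All feeds, identifiers, products and versions are constructed placeholders;
none refers to a real vulnerability or product."""
from dataclasses import dataclass
from typing import Optional

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}
ACTION_RANK = {"patch": 0, "workaround": 1, "monitor": 2}


def parse_version(v: str) -> tuple:
    """'9.0.10' -> (9, 0, 10), so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Advisory:
    ids: set                    # every identifier known for this flaw
    product: str
    fixed_in: str               # first fixed version; anything lower is affected
    severity: str
    patch: Optional[str]        # vendor patch reference, if one was released
    workaround: Optional[str]   # mitigation to apply when there is no patch


# Feed A: records keyed by a CVE-style id (constructed placeholders).
FEED_A = [
    {"cve": "CVE-0000-0001", "product": "exampledb", "fixed_in": "9.0.4",
     "severity": "high", "patch": "https://vendor.example/patches/9.0.4"},
    {"cve": "CVE-0000-0002", "product": "examplehttpd", "fixed_in": "2.0.50",
     "severity": "medium", "patch": None},
]
# Feed B: OSVDB-style records that carry a cross-reference to the CVE id when
# one exists (constructed). The first entry is the same flaw as CVE-0000-0001.
FEED_B = [
    {"osvdb": "OSVDB-00001", "xref": "CVE-0000-0001", "product": "exampledb",
     "fixed_in": "9.0.4", "severity": "high",
     "workaround": "restrict the listener port to the application subnet"},
    {"osvdb": "OSVDB-00002", "xref": None, "product": "examplemail",
     "fixed_in": "1.3.0", "severity": "low",
     "workaround": "disable the remote administration interface"},
]
# Constructed asset inventory, as a network-inventory step would produce it.
INVENTORY = [
    {"host": "db01", "product": "exampledb", "version": "9.0.1"},
    {"host": "db02", "product": "exampledb", "version": "9.0.4"},
    {"host": "web01", "product": "examplehttpd", "version": "2.0.49"},
    {"host": "mail01", "product": "examplemail", "version": "1.2.7"},
]


def merge_feeds(feed_a, feed_b):
    """Normalise both feeds into Advisory records and fold entries that share an
    identifier (directly or via cross-reference) into a single record, keeping
    the patch from one source and the workaround from the other."""
    by_id, merged = {}, []

    def add(ids, product, fixed_in, severity, patch=None, workaround=None):
        existing = next((by_id[i] for i in ids if i in by_id), None)
        if existing is None:
            existing = Advisory(set(), product, fixed_in, severity, patch, workaround)
            merged.append(existing)
        existing.ids.update(ids)
        existing.patch = existing.patch or patch
        existing.workaround = existing.workaround or workaround
        if SEVERITY_RANK[severity] > SEVERITY_RANK[existing.severity]:
            existing.severity = severity        # keep the more severe rating
        for i in ids:
            by_id[i] = existing

    for r in feed_a:
        add({r["cve"]}, r["product"], r["fixed_in"], r["severity"], patch=r["patch"])
    for r in feed_b:
        ids = {r["osvdb"]} | ({r["xref"]} if r["xref"] else set())
        add(ids, r["product"], r["fixed_in"], r["severity"], workaround=r["workaround"])
    return merged


def affected_assets(advisories, inventory):
    """Pair each asset with every advisory whose product matches and whose
    fixed version is higher than what is installed."""
    return [(a["host"], adv) for a in inventory for adv in advisories
            if adv.product == a["product"]
            and parse_version(a["version"]) < parse_version(adv.fixed_in)]


def triage(hits):
    """Rank findings: most severe first, then by what can be done about them
    (patch available, workaround only, or nothing yet but watch for an alert)."""
    def action(adv):
        return "patch" if adv.patch else "workaround" if adv.workaround else "monitor"

    rows = [{"host": h, "ids": sorted(adv.ids), "severity": adv.severity,
             "action": action(adv),
             "detail": adv.patch or adv.workaround or "no fix published yet"}
            for h, adv in hits]
    rows.sort(key=lambda r: (-SEVERITY_RANK[r["severity"]],
                             ACTION_RANK[r["action"]], r["host"]))
    return rows


def run():
    return triage(affected_assets(merge_feeds(FEED_A, FEED_B), INVENTORY))


if __name__ == "__main__":
    for row in run():
        print(row)
```

Note that db02 drops out because it already runs the fixed version, and that the merged exampledb record carries both the patch (from feed A) and the workaround (from feed B).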
From isn at c4i.org Wed Aug 11 01:42:12 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 11 02:38:59 2004
Subject: [ISN] Fed up hospitals defy patching rules
Message-ID:

Forwarded from: William Knowles

http://www.nwfusion.com/news/2004/080904patchfights.html

By Ellen Messmer
Network World
08/09/04

Amid growing worries that Windows-based medical systems will endanger patients if Microsoft-issued security patches are not applied, hospitals are rebelling against restrictions from device manufacturers that have delayed or prevented such updates.

Moreover, the U.S. Food and Drug Administration (FDA) is encouraging the aggrieved hospitals to file written complaints against the manufacturers, which could result in devices losing their government seal of approval. If hospitals encounter a patch-related issue "that may lead to death or serious injury, they must file a report," says John Murray, the FDA's software and electronic records compliance expert. Murray acknowledges that healthcare organizations might be reluctant to do this "because they don't want the manufacturer mad at them."

Device makers such as GE Medical Systems, Philips Medical Systems and Agfa say it typically takes months to test Microsoft patches because they could break the medical systems to which they're applied. In some instances, vendors won't authorize patch updates at all.

Angry hospital IT executives who say they can't ignore the risks from computer worms and hackers getting into unpatched Windows-based devices are taking matters into their own hands by applying the patches themselves. "When Microsoft recommends we apply a critical patch, the vendors have come back and said 'We won't support you,'" says Dave McClain, information systems security manager at Community Health Network in Indianapolis. So the hospital has gone ahead and applied critical Microsoft patches to vulnerable patient-care systems when vendors wouldn't, McClain says.
The hospital views the failure to apply patches as a possible violation of the federal Health Insurance Portability and Accountability Act (HIPAA). "We have HIPAA regulatory issues, and you can't hold us back from compliance," he says.

Other hospitals make the same contentions. The North Carolina Healthcare Information and Communications Alliance (NCHICA), a 250-member technology advocacy group for regional hospitals, clinics, pharmacies and legal firms, earlier this year sent a letter to the FDA's enforcement division asking the FDA to provide "more guidance" on patching. The problem, NCHICA wrote, is that "security flaws can result in systems that do not function as intended and/or allow unauthorized modification to data. Systems compromised in these ways may represent a significant risk to patient safety."

"Security of the systems is the primary focus of the letter," says Holt Anderson, executive director of NCHICA. Without the operating systems properly maintained in terms of patching, "there is no way to secure devices that are connected to a LAN or wireless facility," he says.

The FDA's Murray says the medical industry faces a serious problem because the "quality of some of these off-the-shelf software products is on the low side," alluding to the perennial stream of security notifications from Microsoft and other software vendors. He adds that when the FDA eight years ago began allowing off-the-shelf software in medical devices, it didn't foresee the kinds of security issues, such as computer worms, that plague networks. The FDA doesn't have a comprehensive response to the problem. "But we're not going to go back to a time of non-networked medical devices that used to be stand-alone," Murray says.

The problem is that computer worms that target Microsoft-based computers, including MS-Blaster and Sasser, have increasingly struck hospital networks, where unpatched Windows-based patient-care systems have become infected.
Some manufacturers, including Philips, contend that hospitals must do a better job of applying security defenses to protect medical devices by buying intrusion-prevention systems (IPS) and internal firewalls. However, hospital IT professionals respond that it's not that unusual for medical-device manufacturers to be the origin of worms that get in their networks.

There have been several instances in which viruses originated from medical instruments straight from the vendors, says Bill Bailey, enterprise architect at ProHealth Care, a Milwaukee healthcare provider. Medical equipment arrived with computer viruses on it or service technicians introduced the viruses while maintaining the equipment, he says.

Bailey says he wants device manufacturers to consider including host-based IPSs on Windows-based patient systems. In addition, he would like to see Microsoft involved in helping tailor its operating system and applications for the medical industry. "The medical-device manufacturers don't understand the systems, whether Microsoft or Unix," Bailey says. "They leave them in an untouchable state for a long time. The idea of periodic changes is hard for them."

Although Bailey says he's not in favor of filing complaints with the FDA, which could escalate into legal conflict, he does want to see the FDA apply pressure on the manufacturers. The FDA shows signs of doing just that. This June during a Web-based conference with the 47-member University HealthSystem Consortium to discuss the issue of security patching, the FDA's deputy director in the medical-device division of the Office of Science and Engineering Laboratories urged hospitals to file complaints about medical devices.

[...]

Help C4I.org with a donation: http://www.c4i.org/contribute.html

From isn at c4i.org Wed Aug 11 01:43:17 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 11 02:39:03 2004
Subject: [ISN] Source code stolen from U.S. software company in India
Message-ID:

Forwarded from: "David M. Bittlingmeier, MS, CISSP, PMP"
Cc: weld@atstake.com

Chris ~

Having recently returned from a three-week assignment reviewing outsourcing in India I will point out that the 'Best of breed' in India companies are less at risk than many U.S. companies. While policies and/or laws may or may not 'raise the bar' a MAJOR way to protect from this is followed by those companies that wish to. Much like U.S.-centric companies, there is no 'one size fits all' and each vendor has to be reviewed to 'know' what the risks are or are not. Using the Internet is an easier 'risk' to overcome than say a USB 1GB drive that can be plugged into a workstation (even a 64MB USB drive, which is almost free nowadays). The point, from my experience, is that each company has to be reviewed and re-reviewed regularly to 'know' that the data is secured, be that India, U.K., USA and other countries that I have reviewed.

Best Regards,
David

Sorry ~ If you can not receive HTML e-mails the formatting may be off

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
David M. Bittlingmeier, MS, CISSP, PMP
CISSP (Certified Information Systems Security Professional)
PMP (Project Management Professional Credential)
Bittlingmeier and Associates
Pacifica, Ca
E-mail: david@bittlingmeier.com
Phone: 650.359.5005
Mobile: 415.260.5170
WEBSITE: www.bittlingmeier.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----Original Message-----
From: isn-bounces@attrition.org [mailto:isn-bounces@attrition.org] On Behalf Of InfoSec News
Sent: Monday, August 09, 2004 5:45 AM
To: isn@attrition.org
Subject: RE: [ISN] Source code stolen from U.S. software company in India

Forwarded from: Chris Wysopal

http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,95045,00.html

"The company said that according to a report obtained from its branch in India, a recently hired software engineer used her Yahoo e-mail account, which now allows 100MB of free storage space, to upload and ship the copied files out of the research facility. The company detected the theft and is trying to prevent the employee from further distributing the source code and other confidential information."

What this means is large free web email storage facilities make intellectual property theft easier. Just zip and send an attachment to yourself.

But this is the real kicker:

"Though the Indian branch of Jolly Technologies requires employees to sign a similar employment agreement, the sluggish Indian legal system and the absence of intellectual property laws make it nearly impossible to enforce such agreements, the company said. ... The company said it has decided to delay further recruitment and halt development activities in India until better legal safeguards are in place."
Is this true? Can Indian employees steal source code with no legal repercussions? Wow, think of all the code that is outsourced to India these days with no legal protections. And it is all a Yahoo file attachment away.

-Chris

From isn at c4i.org Wed Aug 11 02:32:23 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 11 02:39:05 2004
Subject: [ISN] Zambian parliament passes tough cyber crime law
Message-ID:

http://www.theage.com.au/articles/2004/08/11/1092102488282.html

Lusaka
August 11, 2004

Zambia's parliament has unanimously passed a tough law to curb cyber crime that would see convicted computer hackers and other offenders get jail sentences ranging from 15 to 25 years.

The Computer Misuse and Crimes law, which was passed by lawmakers without any debate on Tuesday, will come into effect after President Levy Mwanawasa gives his presidential assent. "If there is no debate or objection, then the bill passes third reading," said deputy speaker Jason Mvula when the bill was presented for the last stage of enactment in the National Assembly.

The government said the new law would help curb cyber crimes that had become a problem in the poor southern African country where only one in 1000 people have access to computers, according to unofficial figures. The new law enjoys support from bankers and some computer experts who argue that electronic fraud has become rampant in the country's financial sector.

The most famous cyber offence in Zambia was committed by a young computer expert who accessed the State House website and replaced the picture of then president Frederick Chiluba with a cartoon. He was arrested and charged with defaming the head of state but the case was dropped as there was no provision in Zambian law to deal with cyber crimes.
AFP

From isn at c4i.org Wed Aug 11 02:32:38 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 11 02:39:06 2004
Subject: [ISN] Database culture ripe for ID theft
Message-ID:

http://www.oaklandtribune.com/Stories/0,1413,82~10834~2325047,00.html

By Mark Jewell
Associated Press
August 10, 2004

BOSTON -- BJ's Wholesale Club Inc. attracts shoppers to its stores by putting thousands of discounted products under one roof. It wasn't hard to attract cyberthieves either, with databases that amass credit card numbers in huge numbers.

The theft earlier this year of thousands of credit card records from the nation's third-largest warehouse club illustrates the potential for massive-scale identity theft whenever so much purchase-enabling information is stored in one place. It also illustrates how difficult the cleanup can be.

The Secret Service still doesn't know whether the breach was an inside job or the work of hackers, but it has made some arrests, said Tim Buckley, a Secret Service agent investigating the case. The suspects arrested recently in the United States and abroad may have ties to a large international identity theft ring, Buckley said. He declined to say how many arrests have been made or provide further details.

Meanwhile, financial institutions are still smarting. They've had to reissue hundreds of thousands of credit cards belonging to BJ's customers as a precaution against further fraud. The BJ's case may be the largest retail fraud of its kind based on the amount of cards reissued, experts say. Hundreds of thousands of replacements were sent to customers across the 16 states where BJ's operates, though BJ's says the breach affected only "a small fraction" of its 8 million members.

Philadelphia-based Sovereign Bank covered about 700 fraudulent transactions from the BJ's theft and had to reissue 81,000 cards twice, at a cost of about $1 million, once in May and again in June, after a glitch occurred with the first batch, said spokeswoman Ellen Molle.
"There are some pretty heavy losses out there," said Greg Smith, president of the Pennsylvania State Employees Credit Union, which reissued cards to 14,000 of its members at a cost of $100,000.

Visa and MasterCard issuers in the United States, most of them banks, lost an estimated $820 million from fraud in 2003, up 6 percent from the previous year, according to a study by Credit Card Management, an industry magazine.

When BJ's disclosed the breach in a March 12 news release, it said it had altered its security systems and was confident customers' information was secure. BJ's, which has 150 clubs and 78 gas stations, has said the theft would have no material effect on its finances.

Consumer advocacy organizations say they've received few consumer complaints. But the Natick, Mass.-based company now faces claims from some of the 10 to 15 banks that had to replace cards or reimburse consumers for fraudulent transactions. Investigators and bank officials have declined to disclose the monetary losses.

As sensitive data about consumers -- not just credit card numbers but also buying habits and other personal information -- are recorded in databases, the potential for identity theft on a massive scale is increasing.

Last week, three men pleaded guilty in North Carolina to charges they conspired to hack into the Lowe's home improvement chain's data network to steal credit card information. Lowe's officials said the men failed to get into the company's national database.

In another case involving a mother lode of data, a Florida man was charged last month with stealing large amounts of consumer information from database aggregator Acxiom Corp. -- the second such hack of Acxiom files revealed in the past year. Prosecutors say the stolen data was not used for identity fraud but to distribute ads via an e-mail business the man runs.

Such thefts raise costs for credit card issuers, which typically cover most losses from fraudulent transactions and limit liability to merchants.
The problem is a moving target because thieves are creating increasingly sophisticated criminal networks with global reach.

"However they find the numbers, they end up on some computer bulletin board and are sold," said Buckley.

Lawmakers are responding. A federal law signed July 15 increases criminal penalties and eases the burden of proof prosecutors must meet to win convictions in identity theft cases. The law also establishes a new crime of aggravated identity theft and sets stiffer punishment guidelines for cases originating from information stolen in a workplace.

A Michigan State University study to be published later this year found as many as 70 percent of all identity theft cases originate with information stolen in a workplace, rather than through hacker intrusions, home robberies or mail fraud.

The study's author, Judith Collins, an MSU criminal justice professor, said the tougher sentencing the new federal law requires is a move in the right direction. "But it does nothing to pre-empt identity theft," she said.

A California law that took effect last year holds merchants more accountable for safeguarding customers' card data, but analysts say few such protections exist elsewhere.

Under the California law, banks and other companies must notify customers when a breach of their personal information is suspected. The law requires businesses to limit how and when they display consumers' Social Security numbers, including a ban on printing a customer's number on cards needed to access services. Some health insurers use Social Security numbers as members' ID numbers and stamp it on membership cards, creating a risk if a card is stolen.

The credit industry "has been relatively slow in taking more security steps than they already have in place because they sort of felt they could tolerate the loss," said Robert Richardson of the Computer Security Institute, an organization for security professionals.
New steps could include employing identification technologies such as fingerprint scans.

More merchants will disclose security breaches like the one at BJ's if other states follow California's lead, Richardson said.

Carol Baroudi, a retail and computer security analyst with the research firm Baroudi Bloor, believes most such cases escape public scrutiny.

"I don't think this case was that much of an anomaly," Baroudi said. "I think the fact that we've actually heard about it is different ... BJ's had the guts to come forward. They took the risk that people would stigmatize them for this."


From isn at c4i.org Thu Aug 12 03:12:43 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 12 03:24:23 2004
Subject: [ISN] REVIEW: "Stealing the Network: How to Own a Continent"
Message-ID:

Forwarded from: Thor

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

As an author of this book, I request that the mods accept this post, particularly since Mr. Slade has made the decision to put words in our mouths (or pens in our hands as the case may be ;) regarding our publication. I ask that you respect my opinions as you have those of the reviewer.

> "Stealing the Network: How to Own a Continent", Ryan Russell, 2004,
> 1-931836-05-1, U$49.95/C$69.95
> %E Ryan Russell BlueBoar@thievco.com
> %C 800 Hingham Street, Rockland, MA 02370
> %D 2004
> %G 1-931836-05-1
> %I Syngress Media, Inc.
> %O U$49.95/C$69.95 781-681-5151 fax: 781-681-3585 www.syngress.com
> %O http://www.amazon.com/exec/obidos/ASIN/1931836051/robsladesinterne
> http://www.amazon.co.uk/exec/obidos/ASIN/1931836051/robsladesinte-21
> %O http://www.amazon.ca/exec/obidos/ASIN/1931836051/robsladesin03-20
> %P 402 p.
> %T "Stealing the Network: How to Own a Continent"
>
> This book is fiction (more a series of short stories or scenarios
> than a novel), but, like Winn Schwartau's "Pearl Harbor Dot Com"
> (cf.
> BKPRHRDC.RVW, and "Terminal Compromise" before it, BKTRMCMP.RVW),
> the authors intend the book to be taken as a serious addition to
> security literature.

Regarding this statement, the reviewer either made grand assumptions as to our "intent," or he was sorely misled. There is no one on the team that I know of who considered this work more than "technology fiction." I can't think of a single author who, for a moment, considered this "a serious addition to security literature." To that degree, I ask that those interested accept my apology on behalf of the errant reviewer. In my opinion, anyone else who reads the book will easily understand this, though it is clear that not all can grasp that concept. Just so that we are all on the same page, we (the authors) don't really intend for you to consider this book a training manual on how to take over a continent.

> Chapter one is basically about hiding and paranoia. The central
> character seems to be using a considerable amount of money to hide
> while setting up some kind of crime, and then abandons everything.
> The points in regard to ensuring computers and data are
> unrecoverable are interesting, and probably workable. The more
> important aspects of the plot which involve creating a team,
> employing cutouts, and disappearing are left almost completely
> undetailed. If, therefore, we are supposed to learn anything either
> about crime, or how to detect or prevent it, the content and
> information simply aren't there. The claim that the "technology" is
> real, and would work, is unverifiable because we haven't had any
> technology yet. (The writing is edgy, interesting, and mostly
> readable. However, it's also difficult and confused in places.)

Again, I apologize to the list.
As an author, I strive to make plot, intent, and storyline continuity so naturally obvious that one need not think too much to accept the experience; however, at the same time, I try to create content that is unique, interesting, and thought provoking. It is apparent that in the case of the reviewer, I failed in attaining that goal. I accept responsibility for that. But just so that my opinions won't be considered biased, let's assume that my chapter was complete blithering prose. After all, I would not want the list to think I would ever consider being crass enough to review my own work in a public forum.

That being said, I want the list to know how much fun we had writing this book. The talent and ability of the other authors stands on its own, and it was an honor to work with them. If you want an engaging storyline with a technical basis, all wrapped around fictional stories of what these amazing people (other than me) could do if they wanted to, then I suggest you pick the book up.

For instance, chapter 3 is *not* just about the penetration of yet another wireless network... It is about how easy it is for attackers to compromise the infrastructure of healthcare (and other) facilities given the limitations placed on them by software vendors, and how our private information can be easily compromised or changed. And the methods are real-- in this case, deadly. *ALL* the chapters are like that, and attempting to summarize them (other than mine, of course) in one or two words is an act of futility-- indeed, an act I consider misleading to those who might otherwise enjoy the content.

> This book is certainly interesting enough (albeit rather
> disjointed) as fiction, and technical enough for everyone tired of
> the usual Hollywood view of computers.
> The security risks noted are real, and therefore a read through the
> book could be used to alert non-specialists to a number of security
> issues and vulnerabilities (although you'd hardly want to use it for
> training). I enjoyed it and I think it's got a place, although I'm
> having difficulty in defining where that place is.

Notwithstanding the apparent praise in this paragraph, I remain perplexed by it: The review previously noted our claim of "the technical content being real" as unverifiable, yet here, the "security risks" are noted by the reviewer as real. I'll let you come to your own decision.

The reason the reviewer can't define the box in which our book should be card-catalogued is, well, because it is *different.* I think so, anyway. The people I have talked to about the book have really enjoyed it, and have observed that the fictional accounts are a metaphor to the issues we face today, delivered within a setting that offers an interesting plot beyond the mundane.

This is not meant to take away from the right of the reviewer to offer opinion. I mean for it to represent the right I have to offer mine.

Thanks for your time.

Tim Mullen

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBQRrDWIhsmyD15h5gEQIwhgCfYshhHkreODZne6OPcM6IxMJjqc0AoKWH
5BJ4CzI+c+wOVHFnH/KRCi22
=lqN8
-----END PGP SIGNATURE-----


From isn at c4i.org Thu Aug 12 03:13:02 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 12 03:24:25 2004
Subject: [ISN] Online Data a Gold Mine for Terrorists
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,95108,00.html

By Dan Verton and Lucas Mearian
AUGUST 09, 2004
COMPUTERWORLD

The widespread availability of sensitive information on corporate Web sites appears to have been largely overlooked by IT and security managers who responded last week to the Department of Homeland Security's warning of a heightened terrorist threat against the financial services sector.
Freely available on the Web, for example, are 3-D models of the exterior and limited portions of the interior of the Citigroup Inc. headquarters building in Manhattan -- one of the sites specifically named in the latest terror advisory issued by the DHS.

Likewise, details of the Citigroup building's history of structural design weaknesses, including its susceptibility to toppling over in high winds, the construction of its central support column and the fire rating of the materials used in the building, are readily available on the Web. A Citigroup spokeswoman declined to comment, referring the matter to the building owner, Boston Properties Inc.

Similarly, the Web site of the Chicago Board of Trade includes photographs of the facility's underground parking garages, floor plans of office suites, and contact names and phone numbers for the telecommunications service providers that serve the building.

Maria Gemskie, a spokeswoman for the Chicago Board of Trade, said the exchange could not comment publicly about specific security precautions being put in place. But she stressed that "all aspects of security are taken very seriously and we are looking into [our Web content] as well."

But information like that posted on the exchange's Web site can be a gold mine for terrorists, security experts said.

A senior intelligence official at the DHS, speaking on condition of anonymity, said the recent capture of al-Qaeda computer expert Muhammad Naeem Noor Khan in Pakistan yielded a computer filled with photographs and floor diagrams of buildings in the U.S. that terrorists may have been planning to attack.

"Not thinking through the security implications of some of the information put online can be a very dangerous mistake," said Amit Yoran, director of the National Cyber Security Division at the DHS. "The Pentagon has looked very closely at this issue, and certainly corporate America should do the same."
In fact, Yoran said the situation is serious enough that the DHS may need to look into publishing best-practices guidelines for companies to follow.

Unheeded Warnings

Eric Friedberg, managing director of New York-based security firm Stroz Friedberg LLC, said the warnings about sensitive Web site postings that his company took to the private sector two years ago have "fallen on deaf ears".

MacDonnell Ulsch, managing director of Janus Risk Management Inc. in Marlboro, Mass., said making this type of information available is inexcusable.

"It may make it easier for contractors and service providers to do their jobs, but the risk may exceed the benefit," said Ulsch. "A well-trained engineer can easily discern the greatest points of vulnerability in a building by analyzing the design. Making this information available is a fundamental mistake with deadly consequences."

According to Ulsch, what companies do or fail to do in response to a threat is a direct result of their understanding of the risk. Consequently, when companies are told to beware of terrorists driving truck bombs into or near their buildings, they deploy concrete barriers, he said. And that seems to be exactly what has happened in the aftermath of the latest threat-level increase, with most firms focusing on redundancy and recovery while paying very little attention to countersurveillance and information control.

Sylvain Pendaries, CIO at CDC Ixis North America Inc. in Manhattan, said previous terror alerts have loosened the purse strings of executives in his company, enabling him to complete disaster recovery plans. CDC Ixis in February completed an upgrade to its communications network, moving from two T3 lines to a Sonet ring that connects sites in New York and New Jersey at OC48 port speeds.
While an increased focus on disaster recovery is necessary, Yoran said the lack of focus on blocking cybersurveillance activities stems from a disconnect between the terrorist alert system and the role of cybersecurity in homeland defense.

"In practical terms, tuning a firewall, changing parameters on antivirus software and advocating more frequent password changes don't really line up with the different threat levels," he said.

Michelle Petrovich, a spokeswoman for Robert Liscouski, assistant secretary for infrastructure protection at the DHS, said that while companies have the right to post whatever information they want, the DHS encourages all companies to add Web site reviews to their list of preventive security measures.


From isn at c4i.org Thu Aug 12 03:13:19 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 12 03:24:26 2004
Subject: [ISN] Disaster-Recovery Spending On The Rise
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml;jsessionid=XK4GA3V5Z1GP4QSNDBCSKHY?articleID=26806386

By Steven Marlin and Martin J. Garvey
Aug. 9, 2004

Spending on business-continuity and disaster-recovery planning is poised to grow following last week's terrorist threats against financial-services firms.

Unlike other IT areas, where growth in spending by financial-services institutions tends to be stable, business-continuity spending spikes as a result of crises. In 2002, following the Sept. 11, 2001, attacks, it jumped 19%, to $3.4 billion, according to research firm TowerGroup. This year, in response to last summer's blackout, spending is expected to climb 12% to $4 billion. Following the latest threats, TowerGroup expects financial firms' business-continuity spending to climb nearly 10% in each of the next three years, hitting $5.2 billion in 2007.

The financial-services industry swiftly responded to the elevation of the terrorist-threat level last week, setting in motion a full-scale crisis-management plan that's been refined since the Sept. 11 attacks.
Hours before the latest threats against specific financial-services buildings in New York, northern New Jersey, and Washington, D.C., were made public on Aug. 1, the Department of Homeland Security notified key financial-services industry representatives. That night, the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security--the main coordinating group between the industry and the government--held a conference call with Treasury Department officials to review what was known about the threat and decide what steps to take. Among those steps was the implementation of added security around the named targets.

Earlier that day, BITS, a banking-industry group that has taken a lead in formulating crisis-management plans, had arranged a conference call among its own members to ensure business continuity and safety of physical assets and personnel. Included on the call were senior executives from the top 100 banks at just below the CEO level--vice chairmen, CIOs, chief technology officers, and chief information security officers.

The terror alert prompted banks to rev up backup and recovery sites. "A half-dozen customers put us on pending alert," says Jim Simmons, CEO at SunGard Availability Services. "The large financial institutions are well prepared. We're concerned with smaller companies."

Since the 2001 attacks closed financial markets for a week, the financial-services sector has taken numerous steps to bolster its already strong business-continuity efforts in the event of a large-scale disaster. Redundant systems, failover switching capabilities, simulations, regular drills and exercises, geographic distance between main and backup sites, and establishment of satellite offices have been tested and retested over the years. "From a back-office perspective, the financial-services industry is extremely resilient," says TowerGroup analyst Virginia Garcia.
Still troubling, though, is the continued geographical concentration of financial-services firms in New York--and terrorists' apparent focus on disrupting financial markets. The headquarters for seven of the top 20 investment-management firms and 14 of the top 20 securities-trading firms are located there, according to TowerGroup. While all these firms have established contingency plans to ensure continued operations, the potential for another attack remains a concern, Garcia says. In particular, she says, it's imperative that senior execs continue to be part of business-continuity planning.

Says Garcia, "Whereas in other [IT] segments we see incremental increases in spending year to year, in this market, if something big happens, it gets the attention of high-level executives."


From isn at c4i.org Thu Aug 12 03:13:41 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 12 03:24:27 2004
Subject: [ISN] Hack . . . hack back . . . repeat
Message-ID:

http://www.nwfusion.com/news/2004/080904defcon.html

By Rodney Thayer
Network World
08/09/04

LAS VEGAS - Capture the flag might be only a game, but it was serious business at DefCon, the world's largest annual computer hacker convention. For 36 straight hours, eight teams of experienced hackers and serious security professionals played predator and prey as they tried to hack into competitors' networks while defending their own.

From my front-row seat as a member of the winning team, Sk3wl of R00t (hacker slang for "School of Root," where "root" refers to gaining administrator access to a system), I got a bird's-eye view of how new - and not so new - attacks could be launched and thwarted.

Each qualified team playing the game - organized by a Seattle security community group called the Ghetto Hackers - controlled a pair of Windows machines running a variety of network and Web-based services that were connected to each other and a central scoring mechanism called the Scorebot via a Gigabit Ethernet network.
Rest assured, this hacker network was not connected to the Internet.

As soon as the doors to the secluded hacker playground disguised as a hotel ballroom were opened at 10 a.m. July 30, the air was tense in this crowded room. The game scenario and the legitimately purchased Windows images were presented to participants two hours before the official noon start time. How would you like to have to lock down two Windows boxes in just two hours as you started to recognize that there were world-class exploit developers in the room - and on your network?

A team scored by attacking rivals' servers and stealing flags (data strings stored within the servers). The successful hacker then presented the stolen flags to the scoring system for credit. The overall score was a combination of credit for attacking other teams' servers and successfully defending your own services. Penalties were issued for excessive consumption of bandwidth, so simple port scans and brute force attacks were not used, and denial-of-service attacks were forbidden.

In the middle of the room sat the Ghetto Hackers' gear, necessary for keeping the game within bounds and blasting loud techno music for the entire 36-hour ride. We'd trained for the competition in small conference rooms with similar tunes blaring as white noise to desensitize. But by the time it was 2 a.m., and you were staring at a network trace flying by on a screen, you noticed that your heartbeat and your breathing synchronized with the music and the packet traffic. At that point, it was time to take a walk.

At the beginning everyone was organized with their supplies. Our cooler was stocked with ice and Coke. As time dragged on, people started bringing in food and drinks. At first we were organized and sent out someone for bread and cold cuts. But by the middle of Day Two we gave up and started ordering pizza. We stuck with soda for the most part, but as the contest wore on, a beer or two appeared.
As we scanned the room (discreetly, of course) we saw the other teams behaving the same way if not more so. One team had a steadily draining bottle of Southern Comfort on top of its server.

The Ghetto Hackers' full-length equipment rack was ornamented by a large, red, wooden arch in the style of a Japanese archway complete with Asian script. Our Japanese language expert slunk over for a closer look and determined the writing on the wall to be complete gibberish, with no hidden message to help us crack the code.

Each team carefully arranged its equipment - everything from laptop Macs to Cisco switches, some piled 3 feet high on the allotted two tables - around the periphery of the room. Teams were supposed to have a maximum of 15 members, but no one stuck to that upper limit as the flow in and out of the room easily boosted each roster to more than 20 people.

The ground rules I agreed to dictate that I not divulge individuals' identities. But in general terms I can say the teams included at least two CTOs; security professionals from Ernst & Young, AOL and the University of California at Santa Barbara; and well-known and unknown hackers. Additionally, at least four teams had members hailing from the U.S. Department of Defense.

We mostly kept to ourselves and minimized visible screen space to avoid becoming vulnerable to "shoulder surfing" or other forms of spying. You also had to do some reconnaissance to sniff out any secret deals being cut to share or trade information among teams. Think "Survivor," when it was good.

There wasn't exactly a book on how to organize your team or set strategy for this sort of thing. But our winning strategy as a team was organization. We organized everything from a rotating "cat nap" schedule to divvying up jobs along lines of expertise. Because offense was 80% of the overall score, you had to maintain support for your front-line attackers. The trick was to not ignore your defenses.
If your defenses slipped, other teams could get in and score. As the Ghetto Hackers pointed out at the awards ceremony, we were solid attackers - not significantly better than other teams - but we had very good defense and were able to keep other teams from stealing flags from us.

Most attacks we saw were levied against information in the database. Someone would figure out how to run the Wiki (a piece of server software that lets users freely create and edit Web page content using any Web browser) and do some obscure set of queries that would reveal flag data. Or someone would go into the Multi-User Dungeon, online game environments that use a great deal of bandwidth, and figure out if you walked north through the forest just the right way you'd be able to pick up a flag.

We saw many failed attacks. Someone tried to buffer overflow the Web server with 800,000-byte null packets. Someone else tried to go after SNMP services to gain entry. Teams even attempted to capture their incoming Scorebot traffic and replay that same traffic in the direction of our machines in the hopes that our services would mistake them for the actual Scorebot and give up flags to them.

If I were to apply my experiences to a more everyday situation than what was taking place at the off-the-strip Alexis Park hotel, five points would bubble to the top of the security cauldron:

* Unsecure, unnecessary services - such as terminal services and SNMP - are running on most Windows machines. You've got to take care to shut down or firewall all unnecessary ports used by these services.

* Passwords are revealed frequently. To defend against this, periodically change all passwords, including those that give access to Web services and databases.

* Customized Web applications typically leak critical information. To defend against this, applications must be modified so they do not have commands that give too much information without proper authorization or let users modify objects out of turn.
* Unmonitored services are dangerously open to attack. Watch your logs like a hawk.

* Hack attacks happen. Be very, very afraid.

Thayer is principal investigator with Canola & Jones, a security research firm in Mountain View, Calif. He can be reached at rodney@canola-jones.com.

Acknowledgements

Thanks to the Ghetto Hackers for running a great contest. They put together a complex game and made it run under very stressful conditions and it worked great. Thanks also to Sk3wl of R00t for letting me join in.


From isn at c4i.org Thu Aug 12 03:13:54 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 12 03:24:28 2004
Subject: [ISN] Russian hackers pose an increasing threat
Message-ID:

http://www.stuff.co.nz/stuff/0,2106,2999403a28,00.html

11 August 2004

At the end of last month, police arrested members of an online extortion ring that cost British companies up to $110 million.

Russia, with its highly educated workforce and inefficient police force, has become infamous for computer piracy and crime.

"People used to be scared of the Russian mafia. Now they are scared of Russian hackers," police Lieutenant-general Boris Miroshnikov told President Vladimir Putin last Wednesday, according to Itar-Tass news agency.

Last month, British police announced a joint operation had smashed a small group of Russian hackers who had extorted money from British banks and betting firms. But Russian police said this particular racket was just the tip of the iceberg.

"There are no more attacks against these specific companies, but no-one is safe from such attacks," says Yevgeny Yakimovich, head of the interior ministry's section K, which battles high-tech criminals. "All firms with money are under threat, no-one is safe ... Any organisation with access to the internet is open."

He declined to name the British companies affected.
In the scheme, which operated for nearly a year and cost the firms as much as $115 million in lost business and damages, hackers overloaded targeted computers by swamping them with information. Rather than lose a day's business, the firms paid the hackers money to stop them from attacking their computers again. The young Russian hackers netted about $63,000 before being caught.

The Government has frequently ordered police to intensify the fight against computer crime. But one of the problems they face is that hackers can be based far apart. Those arrested in the joint Russian-British operation were based in Moscow, St Petersburg and near the Volga town of Saratov and may never have physically met.

"Every year the amount of crimes goes up. There were 233 last year, and there have been more than 600 already this year," says Yakimovich. "This goes on every day but we don't always hear about it."

Police said most hackers were young and educated, worked more or less independently and did not fit most police profiles of criminals. It was not clear exactly how many were detained last week. They have not been charged yet, but could face up to 15 years in prison if convicted of extortion.

"This was not a normal organisation. Everyone sat at home and everyone had their role," says Valery Syzrantsev, head of the interior minister's investigations department. "These are really not the kind of criminals we are used to dealing with."


From isn at c4i.org Thu Aug 12 03:14:10 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 12 03:24:29 2004
Subject: [ISN] Hopkins teen pleads guilty in Internet attack
Message-ID:

http://www.startribune.com/stories/789/4923066.html

Randy Furst
Star Tribune
August 12, 2004

After months of negotiations between prosecutors and defense attorneys, a 19-year-old Hopkins man pleaded guilty Wednesday in U.S. District Court in Seattle to releasing a widely publicized Internet virus.
But the plea agreement set the stage for what may be a larger legal battle on how much damage the virus did and whether Microsoft Corp. should shoulder some of the blame.

Assistant U.S. Attorney Annette Hayes said she would ask for restitution in the millions of dollars for the "Blaster" worm that Jeffrey Parson sent out over the Internet last August. But defense attorneys maintain that Parson's virus caused far less damage than prosecutors contend.

Under the agreement, he agreed to a prison sentence of between 1½ years and three years and one month. The 10-page memorandum lays out his admissions in the case, but it is apparent that major facts remain in dispute. The amount of restitution ordered could affect how much time he serves.

Although federal law allows a judge to order restitution of more than $1 million, it does not necessarily mean that Parson, who lives with his parents in Hopkins, can pay it. "He works at a minimum-wage job," and he pays rent to his parents, said his lawyer, Carol Koller, assistant public defender.

Prosecutor Hayes said she had not determined how long a sentence she will ask for within the perimeters of Parson's plea agreement. Either side can pull out of the agreement if it does not agree with the sentence imposed by U.S. District Judge Marsha J. Pechman, who presided at Wednesday's hearing.

Parson was a senior at Hopkins High School when he was arrested. He has since graduated.

Issues remain

Sentencing was set for Nov. 12 when both sides are expected to lay out their sharply divergent views to Pechman.

"There are two issues that remain open," Hayes said in a telephone interview. "How many computers were infected and how much damage that caused.

"The government's position is that there were more than 48,000 computers that were infected by Parson's version of the MS Blaster worm.
The government's position is that the Blaster worm in all its variants caused millions and millions in damage, both to individual computers and Microsoft, but in particular, Parson's version of the worm caused well more than $1 million dollars in damages."

However, Koller said she disagrees. "We contest that," she said. "We ... believe that damage figures are far lower."

She also challenged the claim that Parson is responsible for the large sum of money Microsoft spent to prevent its Web site from being disabled by Parson's virus.

"One of the ... issues is how much Microsoft did in reaction to the Blaster worm they would have had to do anyway, even had there never been a Blaster worm," Koller said. "They had released a product that was vulnerable."

Lou Gellos, a spokesman for Microsoft in Redmond, Wash., said Wednesday that he did not know how much damage Parson's version of the Blaster virus caused the company.

"The prosecutor's office is working with our people at Microsoft on what those damages are," he said, "and this is a figure that will come out at sentencing."

He said he also did not know how many e-mails Parson's virus generated in its attack. "It wasn't just Microsoft," he said. "It was a worm that infected many people's computers throughout the world."

Parson's role

According to court documents, Parson learned about a virus called the MS Blaster worm, which was designed to spread randomly and infect computers with a code that directed them to launch an attack on a Microsoft Web site called windowsupdate.com. The object would be to clog the site, causing people to get a notification denying them access.

Parson obtained a new version of the worm, which came to be known by various names, including the "B" or "teekids" variant. It contained some "back-door software" that would allow him access to computers he infected at a later time.

On Aug. 12, 2003, he transmitted the virus to 50 computers.
It spread later to more computers, but just how many is in dispute. Those computers then launched their attack on Microsoft's Web site on Aug. 16. The worm, however, did not succeed in shutting down the Web site.

Microsoft responded to the attack, and the plea agreement says the losses to Microsoft and the infected computers are at least $5,000.

Koller, the public defender, said "everybody agrees" that the original Blaster worm did far more damage than Parson's version. Part of the issue will be how much of it can be laid at Parson's feet.

It is not clear where he will serve his sentence. "We believe he would be eligible for placement in a federal prison camp," said Koller. Such camps are considered lower-security prisons.

At the hearing, Pechman removed Parson from electronic home monitoring before his sentencing. He can leave home only to go to work, or to doctor's appointments, or if he gets permission from a pretrial services officer.

From isn at c4i.org Thu Aug 12 03:18:19 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 12 03:24:30 2004
Subject: [ISN] Hackers download SIUE data, police say
Message-ID: 

http://www.stltoday.com/stltoday/news/stories.nsf/News/Metro+East/A3F75AB9CA0230BB86256EEE0012DF3B?OpenDocument&Headline=Hackers+download+SIUE+data,+police+say

By Trisha Howard
Of the Post-Dispatch
08/11/2004

The names and passport information of more than 500 foreign students at Southern Illinois University Edwardsville were illegally downloaded last week by a fellow student at the school, according to a search warrant filed Wednesday by university police.

Greg Conroy, an SIUE spokesman, said Wednesday that three students had been questioned Friday after university officials discovered the security breach. Conroy said he expected the university to seek criminal charges in the case.
The search warrant, filed in Madison County Circuit Court, said that the hacker downloaded the information from a special database set up to comply with provisions of the federal Patriot Act. The data included names, dates of birth, Social Security numbers and visa information, Sgt. Marty Tieman of the SIUE Police Department said in his affidavit.

Conroy said that employees in the university's Office of Information Technology found out about the breach on Friday while doing their daily check of activity logs. The log showed that someone had downloaded the information early that morning. Computer experts then tracked the computer to one of three students who share an apartment at Cougar Village, Conroy said.

On Friday afternoon, police seized three computers from the apartment and questioned the three students, Conroy said. Tieman said in his affidavit that police were greeted at the door by one of the three students, who admitted that he had seen his roommate access the server and download the information.

Conroy said that officials had not yet determined a motive. "For all I know, these students could have been doing this as a prank," Conroy said. "At this point, I don't know what they wanted to do with the information."

Conroy said investigators from a Metro East law enforcement computer task force were examining all three computers for evidence. He emphasized that the system does not allow hackers to change vital information. But he said that the breach was possible because an employee had failed to disable a feature that gives people access to the system without a password.

"The students were scanning the system, they found the flaw, and they started downloading files," Conroy said. "It's an unfortunate mistake, but it happened."

From isn at c4i.org Fri Aug 13 13:00:38 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Aug 13 13:10:58 2004
Subject: [ISN] Los Alamos vulnerable to PC theft, inspector general declares
Message-ID: 

Forwarded from: "Michael J. Reeves, AA, ASc"

http://www.fcw.com/fcw/articles/2004/0809/web-energy-08-12-04.asp

By Sarita Chourey
Aug. 12, 2004

The Energy Department's Los Alamos National Laboratory is vulnerable to loss and theft of personal computers, the agency's inspector general found. Some classified desktop computers were not properly inventoried, and employees did not give required notification of a missing part of a computer, according to a report released today by the inspector general.

The lab's listing of classified computers was inaccurate and identification and accreditation paperwork was in disarray, the report states.

Agency officials agreed with the findings. But they are working to remedy the chronic security weaknesses and classified media mismanagement.

In May, Energy Secretary Spencer Abraham renewed efforts to tighten security by announcing a host of reforms, including a goal of converting many computers with classified data into disk-free stations in five years.

At the end of fiscal 2002, Los Alamos officials said the lab had about 5,000 laptops and 40,000 desktop computers.

Energy officials have halted all classified activity until concerns about computer security, which have persistently dogged the agency, are resolved.

"People who believe their dedication to science or to our mission supersedes our commitment to safety, security and environmental compliance put us all at risk," wrote Peter Nanos, the lab's director, in an internal memo issued last month after a recent flap over missing pieces of classified removable electronic media.

Today's report follows an April interim report that found management to be unaccountable for laptops.

From isn at c4i.org Fri Aug 13 13:01:39 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Aug 13 13:10:59 2004
Subject: [ISN] Fed up hospitals defy patching rules
Message-ID: 

Forwarded from: PaulBlair@westhillscollege.com

> "Security of the systems is the primary focus of the letter," says
> Holt Anderson, executive director of NCHICA. Without the operating
> systems properly maintained in terms of patching, "there is no way
> to secure devices that are connected to a LAN or wireless facility,"
> he says.

This is not true. There are more than a few ways to mitigate Windows Security issues in this type of situation. IPSEC can be used to regulate traffic between devices, and prevent the spread of the common RPC based Worms, and VLANs can keep sensitive devices confined to their own.

> Some manufacturers, including Philips, contend that hospitals must
> do a better job of applying security defenses to protect medical
> devices by buying intrusion-prevention systems (IPS ) and internal
> firewalls.

I agree, but the manufacturers need to do their part by certifying patches in a more expedient manner.

> There have been several instances in which viruses originated from
> medical instruments straight from the vendors, says Bill Bailey,
> enterprise architect at ProHealth Care, a Milwaukee healthcare
> provider. Medical equipment arrived with computer viruses on it or
> service technicians introduced the viruses while maintaining the
> equipment, he says.

Based on my own personal experience with 'third party devices', this is not surprising to me at all. In my case, the device was a Windows server which handled our voice mail. Twice it was infected with a SQL based worm and once with Blaster. None of the other machines on our network were infected, due to some of the mitigating factors I mentioned above, but they very well could have been. In the case of the SQL based worm, the infected server saturated our internal network to the point of it being useless.

After these incidents, we put pressure on the vendor to certify patches more quickly. If we feel that there is a threat we now apply patches to these servers, regardless of their 'certification'. Hospitals should not be faulted for doing the same when critical patches are released.
Paul Blair
Information Technology Services
West Hills College
spam1@toadlife.net

From isn at c4i.org Fri Aug 13 13:02:21 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Aug 13 13:11:01 2004
Subject: [ISN] Secunia Weekly Summary - Issue: 2004-33
Message-ID: 

========================================================================

The Secunia Weekly Advisory Summary
2004-08-05 - 2004-08-12

This week : 31 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

ADVISORIES:

A vulnerability has been discovered in AOL Instant Messenger, which could be exploited to compromise a vulnerable client. The vulnerability was found by two different parties around the same time.
However, due to no response from AOL's security team, one of the researchers chose to issue their advisory.

Currently, no permanent solution is available from AOL. However, AOL has stated that a new version of the messenger client is upcoming.

Please view Secunia Advisory for details.

Reference:
http://secunia.com/SA12198

--

Apple has issued a security update, which corrects several vulnerabilities including the "libpng" vulnerability. Mac OS X users are advised to download and install the update from Apple.

Please view Secunia Advisory below for more information.

Reference:
http://secunia.com/SA12249

VIRUS ALERTS:

During the last week, Secunia issued one MEDIUM RISK virus alert. Please refer to the grouped virus profiles below for more information:

Bagle.aq - MEDIUM RISK Virus Alert - 2004-08-09 23:37 GMT+1
http://secunia.com/virus_information/11110/bagle.aq/

========================================================================
3) This Weeks Top Ten Most Read Advisories:

1.  [SA12219] libpng Multiple Vulnerabilities
2.  [SA12198] AOL Instant Messenger "Away" Message Buffer Overflow Vulnerability
3.  [SA12188] Mozilla / Mozilla Firefox User Interface Spoofing Vulnerability
4.  [SA12048] Microsoft Internet Explorer Multiple Vulnerabilities
5.  [SA12232] Mozilla / Mozilla Firefox / Mozilla Thunderbird libpng Vulnerabilities
6.  [SA11978] Multiple Browsers Frame Injection Vulnerability
7.  [SA12233] Opera Browser "location" Object Write Access Vulnerability
8.  [SA10856] Mozilla Multiple Vulnerabilities
9.  [SA11793] Internet Explorer Local Resource Access and Cross-Zone Scripting Vulnerabilities
10. [SA12249] Mac OS X Security Update Fixes Multiple Vulnerabilities

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA12270] Shuttle FTP Suite Directory Traversal Vulnerability
[SA12269] IceWarp Web Mail Multiple Unspecified Vulnerabilities
[SA12261] Microsoft Exchange HTML Redirection Script Insertion Vulnerability
[SA12263] Sygate Secure Enterprise / Sygate Enforcer Multiple Vulnerabilities
[SA12259] ServerMask Web Server Identity Exposure Security Issue

UNIX/Linux:
[SA12266] Slackware update for mozilla
[SA12250] Slackware update for libpng
[SA12249] Mac OS X Security Update Fixes Multiple Vulnerabilities
[SA12248] Sun Solaris libpng Vulnerabilities
[SA12246] HP VirtualVault / Webproxy Multiple Vulnerabilities in Apache
[SA12244] HP-UX Apache and PHP Vulnerabilities
[SA12243] Conectiva update for apache
[SA12242] Conectiva update for libpng
[SA12240] Mozilla Application Suite for Tru64 UNIX libpng Vulnerabilities
[SA12268] Slackware update for sox
[SA12267] Slackware update for ImageMagick
[SA12258] Gentoo update for horde-imp
[SA12253] GeNUGate Unspecified Denial of Service Vulnerabilities
[SA12241] Citrix Secure Gateway OpenSSL Vulnerability
[SA12239] GraphicsMagick libpng Vulnerabilities
[SA12264] Gentoo update for cfengine
[SA12251] Cfengine RSA Authentication Vulnerabilities
[SA12256] Gentoo update for spamassassin
[SA12255] SpamAssassin Message Handling Denial of Service Vulnerability
[SA12257] Sun Solaris XDMCP Parsing Vulnerability
[SA12252] Mandrake update for shorewall
[SA12247] SuSE update for kernel
[SA12245] HP-UX Process Resource Manager File Corruption Vulnerability

Other:
[SA12254] Symantec Clientless VPN Gateway 4400 Series Multiple Vulnerabilities

Cross Platform:
[SA12271] PHP-Nuke Search Box Cross-Site Scripting Vulnerabilities
[SA12262] Moodle "Post.php" Cross-Site Scripting and Unspecified Moodle Text Vulnerability
========================================================================
5) Vulnerabilities Content Listing

Windows:
--

[SA12270] Shuttle FTP Suite Directory Traversal Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information, Security Bypass
Released:    2004-08-11

Ziv Kamir has reported a vulnerability in Shuttle FTP Suite, which can be exploited by malicious people to read or place files in arbitrary locations on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12270/

--

[SA12269] IceWarp Web Mail Multiple Unspecified Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown, Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of system information, Exposure of sensitive information
Released:    2004-08-11

Multiple unspecified vulnerabilities have been reported in IceWarp Web Mail, which can potentially be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, access sensitive information, and manipulate the file system.

Full Advisory:
http://secunia.com/advisories/12269/

--

[SA12261] Microsoft Exchange HTML Redirection Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-08-10

Microsoft has released an update for Exchange Server 5.5 SP4. This fixes a vulnerability, allowing malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/12261/

--

[SA12263] Sygate Secure Enterprise / Sygate Enforcer Multiple Vulnerabilities

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass, DoS
Released:    2004-08-11

Martin O'Neal of Corsaire has reported three vulnerabilities in Sygate Secure Enterprise (SSE), which can be exploited by malicious people to cause a DoS (Denial of Service) or bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/12263/

--

[SA12259] ServerMask Web Server Identity Exposure Security Issue

Critical:    Not critical
Where:       From remote
Impact:      Security Bypass
Released:    2004-08-10

Martin O'Neal of Corsaire has discovered a security issue in ServerMask, allowing malicious people to determine if a system is running Microsoft Internet Information Server (IIS) even though the product's functionality should prevent this.

Full Advisory:
http://secunia.com/advisories/12259/

UNIX/Linux:
--

[SA12266] Slackware update for mozilla

Critical:    Highly critical
Where:       From remote
Impact:      Spoofing, DoS, System access
Released:    2004-08-11

Slackware has issued an update for mozilla. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service), spoof content of websites, or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12266/

--

[SA12250] Slackware update for libpng

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-08-10

Slackware has issued an update for libpng. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12250/

--

[SA12249] Mac OS X Security Update Fixes Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of sensitive information, DoS, System access
Released:    2004-08-10

Apple has issued a security update for Mac OS X, which fixes various vulnerabilities.

Full Advisory:
http://secunia.com/advisories/12249/

--

[SA12248] Sun Solaris libpng Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-08-09

Sun has acknowledged some vulnerabilities in Solaris, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/12248/

--

[SA12246] HP VirtualVault / Webproxy Multiple Vulnerabilities in Apache

Critical:    Highly critical
Where:       From remote
Impact:      Spoofing, DoS, System access, Security Bypass
Released:    2004-08-10

HP has confirmed some vulnerabilities in Apache affecting HP VirtualVault and HP Webproxy, which can be exploited by malicious people to cause a DoS (Denial of Service), bypass security restrictions, or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12246/

--

[SA12244] HP-UX Apache and PHP Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, DoS, System access
Released:    2004-08-09

HP has confirmed some vulnerabilities in HP-UX, which can be exploited by malicious people to cause a DoS (Denial of Service), bypass security restrictions, or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12244/

--

[SA12243] Conectiva update for apache

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-08-09

Conectiva has issued an update for apache. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12243/

--

[SA12242] Conectiva update for libpng

Critical:    Highly critical
Where:       From remote
Impact:      System access, DoS
Released:    2004-08-09

Conectiva has issued an update for libpng. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/12242/

--

[SA12240] Mozilla Application Suite for Tru64 UNIX libpng Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-08-09

HP has confirmed some vulnerabilities in the Mozilla Application Suite for Tru64 UNIX, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12240/

--

[SA12268] Slackware update for sox

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-08-11

Slackware has issued an update for sox. This fixes two vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12268/

--

[SA12267] Slackware update for ImageMagick

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-08-11

Slackware has issued an update for ImageMagick. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12267/

--

[SA12258] Gentoo update for horde-imp

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-08-10

Gentoo has issued an update for horde-imp. This fixes a vulnerability, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/12258/

--

[SA12253] GeNUGate Unspecified Denial of Service Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2004-08-10

Two unspecified vulnerabilities have been reported in GeNUGate, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/12253/

--

[SA12241] Citrix Secure Gateway OpenSSL Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2004-08-09

Citrix Systems has acknowledged a vulnerability in Citrix Secure Gateway, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12241/

--

[SA12239] GraphicsMagick libpng Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-08-09

The GraphicsMagick group has confirmed vulnerabilities in GraphicsMagick, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12239/

--

[SA12264] Gentoo update for cfengine

Critical:    Moderately critical
Where:       From local network
Impact:      DoS, System access
Released:    2004-08-11

Gentoo has issued an update for cfengine. This fixes a vulnerability, which can be exploited by malicious people to compromise the system or cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12264/

--

[SA12251] Cfengine RSA Authentication Vulnerabilities

Critical:    Moderately critical
Where:       From local network
Impact:      DoS, System access
Released:    2004-08-10

Juan Pablo Martinez Kuhn has discovered two vulnerabilities in Cfengine, allowing malicious people to compromise the system or cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12251/

--

[SA12256] Gentoo update for spamassassin

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-08-10

Gentoo has issued an update for spamassassin. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/12256/

--

[SA12255] SpamAssassin Message Handling Denial of Service Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-08-10

A vulnerability has been discovered in SpamAssassin, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12255/

--

[SA12257] Sun Solaris XDMCP Parsing Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2004-08-10

A vulnerability has been reported in Solaris, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12257/

--

[SA12252] Mandrake update for shorewall

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-08-10

MandrakeSoft has issued an update for shorewall. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/12252/

--

[SA12247] SuSE update for kernel

Critical:    Less critical
Where:       Local system
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2004-08-09

SuSE has issued an update for the kernel. This fixes a vulnerability, which can be exploited by malicious, local users to disclose sensitive information in kernel memory.

Full Advisory:
http://secunia.com/advisories/12247/

--

[SA12245] HP-UX Process Resource Manager File Corruption Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Manipulation of data, DoS
Released:    2004-08-09

An unspecified vulnerability has been reported in HP Process Resource Manager (PRM), which can be exploited by malicious, local users to corrupt files on the system.
Full Advisory:
http://secunia.com/advisories/12245/

Other:
--

[SA12254] Symantec Clientless VPN Gateway 4400 Series Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown, Cross Site Scripting, Manipulation of data
Released:    2004-08-10

Multiple vulnerabilities have been reported in Symantec Clientless VPN Gateway 4400 Series, where some have an unknown impact and others can be exploited to conduct cross-site scripting attacks or manipulate users' signon information.

Full Advisory:
http://secunia.com/advisories/12254/

Cross Platform:
--

[SA12271] PHP-Nuke Search Box Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-08-11

SmOk3 has reported some vulnerabilities in PHP-Nuke, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/12271/

--

[SA12262] Moodle "Post.php" Cross-Site Scripting and Unspecified Moodle Text Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Unknown
Released:    2004-08-11

Two vulnerabilities have been reported in Moodle, where one can be exploited by malicious people to conduct cross-site scripting attacks and the other has an unknown impact.

Full Advisory:
http://secunia.com/advisories/12262/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

========================================================================

From isn at c4i.org Fri Aug 13 13:02:39 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Aug 13 13:11:02 2004
Subject: [ISN] iTunes wireless music streaming cracked
Message-ID: 

http://www.newscientist.com/news/news.jsp?id=ns99996282&lpos=home1

Will Knight
13 August 04
NewScientist.com news service

Apple's wireless streaming technology for iTunes has been cracked to allow it to support non-Apple software platforms.

Norwegian computer programmer Jon Johansen released a program called JusteForte that defeats the encryption used on Apple's Airport Express on Thursday. Johansen was made famous in 1999 for breaking the encryption used in software called CSS that prevented DVD copying.

Airport Express is a small base station that wirelessly connects a computer to the internet or to a local network. It also has an audio socket that can be used to link a computer to a conventional stereo or pair of speakers. This allows music stored digitally to be played remotely. Until now, however, this feature has only been compatible with Apple computers and an add-on for Apple's iTunes audio software called AirTunes.

Encryption algorithms

Johansen figured out the secret encryption key used to secure the wireless link between a computer and an Airport Express base station and lock other systems out. His program, JusteForte, uses this key to send MP4 digital audio files from a Windows computer to an Airport Express base station.

Johansen has also published the encryption key online, opening the way for others to design software that can access the base stations. He says Airport Express uses a combination of two encryption algorithms, AES and RSA.
But precisely how Johansen succeeded in cracking the key is unclear. Cryptographic algorithms encode information by jumbling it up using mathematical formulas and a key consisting of a string of characters. Both algorithms have stood up to extensive testing, so Johansen is likely to have found a weakness in the way these algorithms are implemented rather than the algorithms themselves.

"There are lots of ways to break an encryption system," says Bruce Schneier, a renowned cryptography expert. "The lesson is that it's hard to do."

Software update

Schneier told New Scientist Apple could change the key Airport Express uses via a software update, but that Johansen would probably be able to obtain the new key using the same undisclosed method.

Schneier also defends Johansen's actions, explaining that it is important to test the security of any system. "It's interesting science," he says. "He does it because that's how you learn and we are more secure because he does it."

Apple declined to make any comment when contacted by New Scientist.

In 1999 Johansen co-authored a program called DeCSS, which defeats DVD encryption, making it possible to play DVDs on any computer and copy movies. He was accused of enabling copyright infringement and taken to court in Norway but acquitted following two court cases that took place in December 2003 and January 2004.

Apple has been beset by assaults against its proprietary music technology. Johansen has released two other programs designed to defeat the copy controls implemented by iTunes, called Fairplay and FairKeys. And, in July 2004, competitor RealNetworks developed a way for songs bought through its Harmony music service to play on iPods. Apple designed the iPod to play only songs bought through the iTunes store, as well as those created by users themselves.
From isn at c4i.org Fri Aug 13 13:02:54 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Aug 13 13:11:04 2004
Subject: [ISN] Hunt for XP SP2 flaws seen in full swing
Message-ID: 

http://www.nwfusion.com/news/2004/0813huntforx.html

By Joris Evers
IDG News Service
08/13/04

While users are testing Service Pack 2 for Windows XP to prevent compatibility problems, hackers are picking apart the security-focused software update looking for vulnerabilities, security experts said.

"We will see new vulnerabilities discovered in SP2 over the next few weeks. Give it a month or two and we will also see worms that affect SP2," said Thor Larholm, senior security researcher at PivX Solutions LLC, a security services company in Newport Beach, Calif.

SP2 represents real progress for Microsoft and underscores its commitment to security, according to industry observers. The update provides protection against most security exploits known today. For example, the improved and automatically enabled Windows Firewall would block attacks such as the Blaster worm that crippled the Internet a year ago.

"A lot of the current attack vectors are blocked by SP2," Larholm said. "Folks are now trying to find new ways to plant code on a system. A lot of these new ways will use e-mail, instant messaging and Web traffic - any kind of traffic that a PC requests from the outside world - because that will go through the firewall without restrictions."

Also, it appears Microsoft's new software-based memory protection technology is vulnerable, according to Larholm. The data execution prevention (DEP) is meant to protect users against buffer overruns, but Microsoft appears to have implemented it poorly, providing an easy way for attackers to circumvent the protection, Larholm said.

Although there undoubtedly will be vulnerabilities found in SP2, the bar for Windows security has been raised and the operating system will be tougher to attack, said Russ Cooper, a senior scientist at TruSecure, in Herndon, Va.
"We will always see new attacks, but at least Microsoft has put a stake in the ground and has said, 'Now this is enough.' The existing attacks have been stopped," he said. Because of the new Windows Firewall, Cooper predicts that future attacks will target applications that require users to change their firewall configurations, essentially opening a door to their systems. "If you see anything, you will see attacks that are more targeted at communities of users, such as (users of) Quake, Kazaa, BitTorrent, anything that has a listening service and requires a user to create a rule to bypass the firewall. That is where they are opening themselves up to attack," Cooper said. Microsoft is currently unaware of any vulnerability in SP2, a company spokesman said. If a vulnerability is reported, the software maker will investigate it and determine the appropriate response. This could include providing an update as part of its monthly patch cycle or an out-of-cycle update, the spokesman said. From isn at c4i.org Fri Aug 13 13:03:09 2004 From: isn at c4i.org (InfoSec News) Date: Fri Aug 13 13:11:06 2004 Subject: [ISN] US Emergency Alert System open to hack attack Message-ID: http://www.theregister.co.uk/2004/08/13/eas_hack_attack/ By Kevin Poulsen SecurityFocus 13th August 2004 The US Emergency Alert System (EAS) that lets officials instantly interrupt radio and TV broadcasts to provide emergency information in a crisis suffers from security holes that leave it vulnerable to denial of service attacks, and could even permit hackers to issue their own false regional alerts, federal regulators acknowledged Thursday. "Security and encryption were not the primary design criteria when EAS was developed and initially implemented," the Federal Communications Commission (FCC) wrote in a public notice launching a review of the system. "Now, however, emergency managers are becoming more aware of potential vulnerabilities within the system. 
For example, the complete EAS protocol is a matter of public record and potentially subject to malicious activations or interference." The EAS was launched in 1997 to replace the cold-war era Emergency Broadcast System known best for making the phrase "this is only a test" a cultural touchstone. Like that earlier system, the EAS is designed to allow the President to interrupt television and radio programming and speak directly to the American people in the event of an impending nuclear war, or a similarly extreme national emergency. The system has never been activated for that purpose, but state and local officials have found it a valuable channel for warning the public of regional emergencies, including the "Amber Alerts" credited with the recovery of 150 abducted children. Despite its regional successes, the EAS is increasingly under fire by critics who charge that its national mission is obsolete in an era of instant 24-hour news coverage, and who deride its quaint reliance on analog radio and broadcast and cable television. On Thursday, the FCC responded by opening a formal review of the EAS, beginning a public comment period on how the network might be improved. One of the issues the FCC is probing is the security of the system. As first reported by SecurityFocus nearly two years ago, the EAS was built without basic authentication mechanisms, and is activated locally by unencrypted low-speed modem transmissions over public airwaves. That places radio and television broadcasters and cable TV companies at risk of being fooled by spoofers with a little technical know-how and some off-the-shelf electronic components. Under FCC regulations, unattended stations must automatically interrupt their broadcasts to forward alerts, making it possible for even blatantly false information to be forwarded without first passing human inspection. 
The FCC's review follows a detailed report on the EAS produced by the non-profit Partnership for Public Warning (PPW) in February, which noted that "EAS security is now very much an issue." "Since attacks involving chemical or biological weapons are likely to require use of the EAS system to provide official alert information to the public, it is possible that an attacker could decide to cripple the EAS or use it to spread damaging disinformation," reads the PPW report. With Thursday's Notice of Proposed Rulemaking, the FCC acknowledged the vulnerabilities "could be exploited during times of heightened public anxiety and uncertainty" to distribute false information to the public, or that alternatively the "EAS signal could be subject to jamming." Among the questions the FCC is pondering: how best to protect broadcasters from legal liability if they inadvertently rebroadcast a false EAS message; who should be responsible for system security; how can the authenticity of EAS messages be verified; and "what security standards, if any, should be implemented?" "The Commission must now buckle down and do what it is we are asking state and local officials to do - assess vulnerabilities, create a plan for better service, and review and update that plan as communications technologies evolve," said commissioner Jonathan Adelstein in a statement. There are no reported cases of the EAS vulnerabilities being exploited, and the PPW report concludes that the potential consequences of spoofing attacks are limited. "Research into the behavior of warning recipients suggests that a single false alarm, without corroboration from other credible sources, generally elicits only limited reaction from the public." 
From isn at c4i.org Fri Aug 13 13:05:28 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Aug 13 13:11:10 2004
Subject: [ISN] REVIEW: "Security Assessment", Greg Miles et al
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKSACSNI.RVW 20040721

"Security Assessment", Greg Miles et al, 2004, 1-932266-96-8, U$69.95/C$89.95
%A Greg Miles gmiles@securityhorizon.com
%A Russ Rogers rrogers@securityhorizon.com
%A Ed Fuller
%A Matthew Paul Hoagberg
%A Ted Dykstra
%C 800 Hingham Street, Rockland, MA 02370
%D 2004
%G 1-932266-96-8
%I Syngress Media, Inc.
%O U$69.95/C$89.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O http://www.amazon.com/exec/obidos/ASIN/1932266968/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/1932266968/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/1932266968/robsladesin03-20
%P 429 p.
%T "Security Assessment: Case Studies for Implementing the NSA IAM"

The introduction tries to explain the NSA (National Security Agency) IAM (Information Assurance Methodology), but is so heavily larded with (management) buzzwords that no clear concept emerges. The indications are that the book is primarily aimed at those who have taken one of the IAM courses, although there is an explicit statement that the material can be used by untrained professionals and also by the "customers" who are undergoing an assessment.

Chapter one describes IAM in words that make it seem very similar to such tools as CoBIT (ISACA's Control Objectives for Information Technology tool), ISO 17799, and the NIST (the US National Institute of Standards and Technology) self-assessment guide. However, almost all of the chapter is devoted to a promotion of sharp negotiation of the scope of an IAM contract, from the vendor perspective. Chapter two reiterates the need to control customer expectations and define contract objectives. (There is more jargon, and also the use of idiosyncratic and undefined acronyms like PASV [Pre-Assessment Site Visit].)
The Organizational Information Criticality Matrix (OICM) described in chapter three is a kind of simplistic business impact analysis. In chapter four, system information criticality and the System Criticality Matrix (SCM) are said to be more detailed than the OICM. Defining system boundaries is acknowledged to be difficult, but neither the explanation nor the examples used are of any help in clarifying the issue. Both the text and the tables used in the "case study" are extremely confusing in regard to the relation between entries in the OICM and the SCM. The system security environment, described in chapter five, is what most people would know as corporate culture: the general attitudes and behaviours common to an institution. The book suggests finding and using the CONOPS (concept of operations) documentation while admitting that it may not be found in most commercial enterprises. (The authors don't explain that this is basically identical to the common policy and procedures manuals, although they do eventually get around to mentioning these texts.) The TAP (Technical Assessment Plan) is actually just a specific format for a detailed contract, so we have to go through all of that type of editorial comment again, without really getting much information about the recommended TAP structure. Chapter seven involves the assessment itself, and generally deals with administrative details--and making sure that the customer does not modify the scope of the contract. The eighteen basic information security models get listed, although this seems to be almost an afterthought, rather than the core of the IAM itself. Findings, the report of the assessment results, are described in chapter eight. A sixteen page example does little more than provide a format. The close out report, in chapter nine, is a final sales meeting with the customer. The final report is given in a different, and more general, format in chapter ten. 
Cleanup work and followup sales of consulting are discussed in chapter eleven.

The constant repetition of very basic ideas and the turgid and buzzword-laden text make this work far longer than is justified by the information provided. In addition, the extreme emphasis on the viewpoint of a vendor trying to sell a contract (and protect himself from doing any unbillable work) is a severe limitation on the audience for this tome. Essential components of the IAM model and process do not seem to hold any central place in the book, and the reader discovers them almost by accident, and in spite of the writing rather than because of it.

copyright Robert M. Slade, 2004 BKSACSNI.RVW 20040721

======================
(quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu
Ambivalent? Well, yes and no.
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

From isn at c4i.org Mon Aug 16 04:17:26 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 16 04:34:00 2004
Subject: [ISN] Linux Advisory Watch - August 13, 2004
Message-ID:

+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter                                 |
| August 13, 2004                                Volume 5, Number 32a |
+---------------------------------------------------------------------+

Editors: Dave Wreski (dave@linuxsecurity.com), Benjamin Thomas (ben@linuxsecurity.com)

This week, advisories were released for apache, Cfengine, Courier, Ethereal, Gaim, glibc, gnome-vfs, gv, imagemagick, kernel, libpng, libpng10, mozilla, MPlayer, Nessus, Opera, PuTTY, Roundup, sox, SpamAssassin, squirrelmail, and shorewall. The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, Openwall, Red Hat, Slackware, Suse, Trustix, and Turbolinux.

-----

>> Internet Productivity Suite: Open Source Security <<

Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available.
Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design.
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn10

-----

Root Security

Keeping the superuser account secure should be a top priority for any system. The most sought-after account on your machine is the superuser account. This account has authority over the entire machine, which may also include authority over other machines on the network. Remember that you should only use the root account for very short specific tasks and should mostly run as a normal user. Running as root all the time is a very very very bad idea.

Several tricks to avoid messing up your own box as root:

- When doing some complex command, try running it first in a non destructive way...especially commands that use globbing: e.g., you are going to do a rm foo*.bak, instead, first do: ls foo*.bak and make sure you are going to delete the files you think you are. Using echo in place of destructive commands also works.

- Provide your users with a default alias to the /bin/rm command to ask for confirmation for deletion of files.

- Only become root to do single specific tasks. If you find yourself trying to figure out how to do something, go back to a normal user shell until you are sure what needs to be done by root.

- The command path for the root user is very important. The command path, or the PATH environment variable, defines the location the shell searches for programs. Try and limit the command path for the root user as much as possible, and never use '.', meaning 'the current directory', in your PATH statement. Additionally, never have writable directories in your search path, as this can allow attackers to modify or place new binaries in your search path, allowing them to run as root the next time you run that command.

- Never use the rlogin/rsh/rexec (called the "r-utilities") suite of tools as root. They are subject to many sorts of attacks, and are downright dangerous run as root. Never create a .rhosts file for root.

- The /etc/securetty file contains a list of terminals that root can login from. By default (on Red Hat Linux) this is set to only the local virtual consoles (vtys). Be very careful of adding anything else to this file. You should be able to login remotely as your regular user account and then use su if you need to (hopefully over ssh or other encrypted channel), so there is no need to be able to login directly as root.

- Always be slow and deliberate running as root. Your actions could affect a lot of things. Think before you type!

Security Tip Written by Dave Wreski (dave@guardiandigital.com)
Additional tips are available at the following URL: http://www.linuxsecurity.com/tips/

----

An Interview with Gary McGraw, Co-author of Exploiting Software: How to Break Code

Gary McGraw is perhaps best known for his groundbreaking work on securing software, having co-authored the classic Building Secure Software (Addison-Wesley, 2002). More recently, he has co-written with Greg Hoglund a companion volume, Exploiting Software, which details software security from the vantage point of the other side, the attacker. He has graciously agreed to share some of his insights with all of us at LinuxSecurity.com
http://www.linuxsecurity.com/feature_stories/feature_story-171.html

---------------------------------------------------------------------

Security Expert Dave Wreski Discusses Open Source Security

LinuxSecurity.com editors have a seat with Dave Wreski, CEO of Guardian Digital, Inc. and respected author of various hardened security and Linux publications, to talk about how Guardian Digital is changing the face of IT security today.
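Going back to the root-account tip above, the PATH advice can be turned into a check. The following is an added example, not code from the newsletter or from Guardian Digital: it audits a PATH string for the hazards the tip lists ('.' or empty entries, relative entries, missing directories, and directories writable by group or others) and also flags entries not owned by the trusted uid. The demo_audit() helper, its temporary directories and the PATH it builds are constructed for illustration.

```python
import os
import shutil
import stat
import tempfile


def audit_path(path_value, trusted_uid=0):
    """Audit a PATH string; returns {entry: [problems]} for unsafe entries only.

    trusted_uid is the only owner accepted for a search-path directory
    (0 by default, since the tip is about root's PATH).
    """
    findings = {}

    def flag(entry, problem):
        findings.setdefault(entry or "(empty)", []).append(problem)

    for entry in path_value.split(os.pathsep):
        # '.' and an empty field both make the shell search the current directory
        if entry in ("", "."):
            flag(entry, "current directory is searched")
            continue
        if not os.path.isabs(entry):
            flag(entry, "relative path, resolved against the working directory")
            continue
        try:
            st = os.stat(entry)
        except OSError:
            flag(entry, "does not exist")
            continue
        if not stat.S_ISDIR(st.st_mode):
            flag(entry, "not a directory")
            continue
        if st.st_uid != trusted_uid:
            flag(entry, "owned by uid %d, not %d" % (st.st_uid, trusted_uid))
        # a writable search-path directory lets someone plant a binary that
        # root will run the next time the command name is typed
        if st.st_mode & stat.S_IWOTH:
            flag(entry, "world-writable")
        elif st.st_mode & stat.S_IWGRP:
            flag(entry, "group-writable")
    return findings


def demo_audit():
    """Audit a constructed PATH: one sane directory, one world-writable one,
    plus '.', a relative entry, a missing directory and a trailing empty field."""
    base = tempfile.mkdtemp(prefix="pathaudit-")
    sane = os.path.join(base, "sbin")
    loose = os.path.join(base, "loose")
    os.mkdir(sane)
    os.chmod(sane, 0o755)
    os.mkdir(loose)
    os.chmod(loose, 0o777)  # anyone could drop a binary here
    path_value = os.pathsep.join([".", "bin", sane, loose, "/nonexistent/bin", ""])
    try:
        # the temp dirs belong to us, so audit as if we were the trusted owner
        return audit_path(path_value, trusted_uid=os.geteuid())
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    # audit the live PATH of whoever runs this, judged against root ownership
    for entry, problems in audit_path(os.environ.get("PATH", "")).items():
        print("%s: %s" % (entry, "; ".join(problems)))
```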
Guardian Digital is perhaps best known for their hardened Linux solution EnGarde Secure Linux, touted as the premier secure, open-source platform for its comprehensive array of general purpose services, such as web, FTP, email, DNS, IDS, routing, VPN, firewalling, and much more.
http://www.linuxsecurity.com/feature_stories/feature_story-170.html

------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
| Distribution: Conectiva         | ----------------------------//
+---------------------------------+

8/11/2004 - libpng: Multiple vulnerabilities
Chris Evans found several vulnerabilities in unpatched libpng versions prior to 1.0.16rc1 and 1.2.6rc1
http://www.linuxsecurity.com/advisories/conectiva_advisory-4655.html

8/11/2004 - apache: Format string vulnerability
Ralf S. Engelschall found[1] a dangerous call[2] to ssl_log function in ssl_engine_log.c that could allow remote attackers to execute arbitrary messages
http://www.linuxsecurity.com/advisories/conectiva_advisory-4656.html

8/13/2004 - squirrelmail: Multiple vulnerabilities
This patch addresses four vulnerabilities in SquirrelMail, including XSS and SQL injection attacks.
http://www.linuxsecurity.com/advisories/conectiva_advisory-4669.html

+---------------------------------+
| Distribution: Debian            | ----------------------------//
+---------------------------------+

8/11/2004 - squirrelmail: Multiple vulnerabilities
This patch addresses multiple Cross Site Scripting and SQL Injection vulnerabilities.
http://www.linuxsecurity.com/advisories/debian_advisory-4653.html

8/11/2004 - libpng: Multiple vulnerabilities
This patch addresses a large number of vulnerabilities in libpng.
http://www.linuxsecurity.com/advisories/debian_advisory-4654.html

+---------------------------------+
| Distribution: Fedora            | ----------------------------//
+---------------------------------+

8/11/2004 - kernel: Multiple vulnerabilities
This updated kernel for Fedora Core 2 contains the security fixes as found by Paul Starzetz from isec.pl.
http://www.linuxsecurity.com/advisories/fedora_advisory-4657.html

8/11/2004 - libpng10: Multiple vulnerabilities
Multiple libpng vulnerabilities are backpatched to the old 1.0.x libpng libraries.
http://www.linuxsecurity.com/advisories/fedora_advisory-4658.html

8/11/2004 - libpng: Multiple vulnerabilities
This patch fixes numerous buffer overflow and pointer dereference vulnerabilities that a security audit turned up in libpng 1.2.x
http://www.linuxsecurity.com/advisories/fedora_advisory-4659.html

8/11/2004 - kernel: Unsafe pointer vulnerabilities
A local unprivileged user could make use of these flaws to access large portions of kernel memory.
http://www.linuxsecurity.com/advisories/fedora_advisory-4660.html

+---------------------------------+
| Distribution: Gentoo            | ----------------------------//
+---------------------------------+

8/11/2004 - MPlayer: Buffer overflow vulnerability
When compiled with GUI support MPlayer is vulnerable to a remotely exploitable buffer overflow attack.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4645.html

8/11/2004 - Courier: Cross-site scripting vulnerability
The SqWebMail web application, included in the Courier suite, is vulnerable to cross-site scripting attacks.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4646.html

8/11/2004 - libpng: Multiple vulnerabilities
libpng contains numerous vulnerabilities potentially allowing an attacker to perform a Denial of Service attack or even execute arbitrary code.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4647.html

8/11/2004 - PuTTY: Buffer overflow vulnerability
PuTTY contains a vulnerability allowing an SSH server to execute arbitrary code on the connecting client.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4648.html

8/11/2004 - Opera: Multiple vulnerabilities
Several new vulnerabilities were found and fixed in Opera, including one allowing an attacker to read the local filesystem remotely.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4649.html

8/11/2004 - SpamAssassin: Denial of service vulnerability
SpamAssassin is vulnerable to a Denial of Service attack when handling certain malformed messages.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4650.html

8/11/2004 - Horde-IMP: Input validation vulnerability / Denial of service vulnerability
Horde-IMP fails to properly sanitize email messages that contain malicious HTML or script code so that it is not safe for users of Internet Explorer when using the inline MIME viewer for HTML messages.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4651.html

8/11/2004 - Cfengine: Heap corruption vulnerability
Cfengine is vulnerable to a remote root exploit from clients in AllowConnectionsFrom.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4652.html

8/13/2004 - Roundup: Filesystem access vulnerability
Roundup will make files owned by the user that it's running as accessible to a remote attacker.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4664.html

8/13/2004 - gv: Buffer overflow vulnerability
gv contains an exploitable buffer overflow that allows an attacker to execute arbitrary code.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4665.html

8/13/2004 - Nessus: Race condition vulnerability
Nessus contains a vulnerability allowing a user to perform a privilege escalation attack using "adduser".
http://www.linuxsecurity.com/advisories/gentoo_advisory-4666.html

8/13/2004 - Gaim: Buffer overflow vulnerability
Gaim contains a remotely exploitable buffer overflow vulnerability in the MSN-protocol parsing code that may allow remote execution of arbitrary code.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4667.html

8/13/2004 - kdebase, kdelibs: Multiple vulnerabilities / Buffer overflow vulnerability
KDE contains three security issues that can allow an attacker to compromise system accounts, cause a Denial of Service, or spoof websites via frame injection.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4668.html

+---------------------------------+
| Distribution: Mandrake          | ----------------------------//
+---------------------------------+

8/11/2004 - libpng: Buffer overflow vulnerabilities
Chris Evans discovered numerous vulnerabilities in the libpng graphics library.
http://www.linuxsecurity.com/advisories/mandrake_advisory-4643.html

8/11/2004 - shorewall: Insecure temporary file vulnerability
The shorewall package has a vulnerability when creating temporary files and directories, which could allow non-root users to overwrite arbitrary files on the system.
http://www.linuxsecurity.com/advisories/mandrake_advisory-4644.html

8/13/2004 - gaim: Buffer overflow vulnerabilities
Sebastian Krahmer discovered two remotely exploitable buffer overflow vulnerabilities in the gaim instant messenger.
http://www.linuxsecurity.com/advisories/mandrake_advisory-4662.html

8/13/2004 - mozilla: Multiple vulnerabilities
A large number of Mozilla vulnerabilities is addressed by this update.
http://www.linuxsecurity.com/advisories/mandrake_advisory-4663.html

+---------------------------------+
| Distribution: Openwall          | ----------------------------//
+---------------------------------+

8/11/2004 - kernel: Multiple vulnerabilities
This corrects the access control check in the Linux kernel which previously wrongly allowed any local user to change the group ownership of arbitrary NFS-exported/imported files.
http://www.linuxsecurity.com/advisories/openwall_advisory-4642.html

+---------------------------------+
| Distribution: Red Hat           | ----------------------------//
+---------------------------------+

8/11/2004 - kernel: Multiple vulnerabilities
Updated kernel packages that fix potential information leaks and an incorrect driver permission for Red Hat Enterprise Linux 2.1 are now available.
http://www.linuxsecurity.com/advisories/redhat_advisory-4635.html

8/11/2004 - kernel: Multiple vulnerabilities
Updated kernel packages that fix several security issues in Red Hat Enterprise Linux 3 are now available.
http://www.linuxsecurity.com/advisories/redhat_advisory-4636.html

8/11/2004 - libpng: Buffer overflow vulnerabilities
An attacker could create a carefully crafted PNG file in such a way that it would cause an application linked with libpng to execute arbitrary code when the file was opened by a victim.
http://www.linuxsecurity.com/advisories/redhat_advisory-4637.html

8/11/2004 - gnome-vfs: VFS Multiple vulnerabilities
An attacker who is able to influence a user to open a specially-crafted URI using gnome-vfs could perform actions as that user.
http://www.linuxsecurity.com/advisories/redhat_advisory-4638.html

8/11/2004 - glibc: Multiple vulnerabilities
Updated glibc packages that fix a security flaw in the resolver as well as dlclose handling are now available.
http://www.linuxsecurity.com/advisories/redhat_advisory-4639.html

8/11/2004 - mozilla: Multiple vulnerabilities
Updated mozilla packages based on version 1.4.3 that fix a number of security issues for Red Hat Enterprise Linux are now available.
http://www.linuxsecurity.com/advisories/redhat_advisory-4640.html

8/11/2004 - Ethereal: Multiple vulnerabilities
Updated Ethereal packages that fix various security vulnerabilities are now available.
http://www.linuxsecurity.com/advisories/redhat_advisory-4641.html

+---------------------------------+
| Distribution: Slackware         | ----------------------------//
+---------------------------------+

8/11/2004 - libpng: Buffer overflow vulnerabilities
Exploitation could cause program crashes, or possibly allow arbitrary code embedded in a malicious PNG image to execute.
http://www.linuxsecurity.com/advisories/slackware_advisory-4631.html

8/11/2004 - mozilla: Multiple vulnerabilities
This is a full upgrade of Mozilla, put in place to remove security vulnerabilities whose fixes were not backported.
http://www.linuxsecurity.com/advisories/slackware_advisory-4632.html

8/11/2004 - imagemagick: Buffer overflow vulnerabilities
This imagemagick patch fixes issues with PNG images.
http://www.linuxsecurity.com/advisories/slackware_advisory-4633.html

8/11/2004 - sox: Buffer overflow vulnerabilities
Fixes buffer overflow security issues that could allow a malicious WAV file to execute arbitrary code.
http://www.linuxsecurity.com/advisories/slackware_advisory-4634.html

+---------------------------------+
| Distribution: Suse              | ----------------------------//
+---------------------------------+

8/6/2004 - libpng: Multiple vulnerabilities
Several different security vulnerabilities were found in the PNG library which is used by applications to support the PNG image format.
http://www.linuxsecurity.com/advisories/suse_advisory-4626.html

8/11/2004 - kernel: Multiple vulnerabilities
This patch fixes a large number of kernel vulnerabilities, including a recently discovered race condition that can be exploited for access to kernel memory.
http://www.linuxsecurity.com/advisories/suse_advisory-4630.html

8/12/2004 - gaim: Buffer overflow vulnerabilities
Remote attackers can execute arbitrary code as the user running the gaim client.
http://www.linuxsecurity.com/advisories/suse_advisory-4661.html

+---------------------------------+
| Distribution: Trustix           | ----------------------------//
+---------------------------------+

8/6/2004 - libpng: Multiple vulnerabilities
This is a roundup patch that fixes all known vulnerabilities with respect to libpng.
http://www.linuxsecurity.com/advisories/trustix_advisory-4627.html

8/11/2004 - kernel: Multiple vulnerabilities
This roundup patch fixes a large number of kernel vulnerabilities.
http://www.linuxsecurity.com/advisories/trustix_advisory-4629.html

+---------------------------------+
| Distribution: Turbolinux        | ----------------------------//
+---------------------------------+

8/11/2004 - libpng: Multiple vulnerabilities
Multiple buffer overflows and a potential NULL pointer dereference in libpng allow remote attackers to execute arbitrary code via malformed PNG images.
http://www.linuxsecurity.com/advisories/turbolinux_advisory-4628.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Aug 16 04:18:42 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 16 04:34:02 2004
Subject: [ISN] DidTheyReadIt operations and security concerns
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

DidTheyReadIt is a new service on the net. It has garnered some attention from the privacy community already: I will deal with some of that later. I would like to examine the actual operations of the service. The discussion surrounding it has been marked by assumptions and lack of knowledge. Some assertions have been made that are at odds with the actual operations. DidTheyReadIt is both less, and more, dangerous than has been made out.

As the name implies, it provides a kind of "return receipt" for email. It does this, of course, using Web bugs. A "single pixel" image file is called from the central host, using a hash that presumably corresponds to the sender, subject, and receiver, looking like the following:

img src="http://didtheyreadit.com/b906148b2edfdab9e7de03a23f59687eworker.jpg" width="1" height="1" /

(I have removed the surrounding angle brackets: hopefully this will prevent any mailers from trying to render the HTML.)

Having obtained an account from DidTheyReadIt (and paid for the privilege), there are two ways to use the service.

RISK 1

If you have WinXP or W2K (and a "standard" mailer) you can run a background program on your computer. I have downloaded the installation program and made a cursory examination of it, but I have strong reservations about actually running it on my system. One can assume that the process runs in the background, adds the Web bugs to outgoing email traffic, and sends information to the central computer. However, even a brief analysis of the code indicates it can do more than that. Among other things it calls the kernel, uses the Registry, and obtains information on privileges within your system.
These may be valid activities within the context of the operation of the program, but, given what the program must be doing, what else is it doing? There is a significant possibility for information leakage here.

RISK 2

You can use the program without running the background process. To do this, you append "didtheyreadit.com" to the email address. If I wanted to send a message to my rslade@isc2.org address, I would send it to rslade@isc2.org.didtheyreadit.com. The central computer then reformats the email in HTML and adds the Web bug. In this way, obviously, DidTheyReadIt gets to read all the email I send.

When email is opened using a mailer that automatically calls for information from the Web, the URL is requested, and the central computer has confirmation that the individual actually read the email. DidTheyReadIt promises that they can tell you how long the email remained open. (In the tests that I've done so far this information has been available in slightly under half of the cases.)

(When the URL is requested, a series of packets each containing a single byte is sent. Lauren Weinstein [see below] has noted that this may be the way Rampell measures how long the message remains open. In tests the file transfer time seems to vary, but has always been shorter than the longest time that I've been "informed" a message has remained open. Others have theorized that the material transferred may be scripting that remains active as long as the message is open, passing information back to Rampell. This does not seem to be the case. When downloaded manually, the file is 302 bytes, has the internal structure of a JPEG file, and displays as a one [or possibly two] pixel black dot. A refresh tag could be used, but this has been observed neither in the coding seen nor the activity of browsers. At this point I don't know what the basis of the "read duration" is.)

RISK 3

The central computer actually has rather a lot of information from that URL request.
There is information about the time it was opened. There is purported information about the location and organization, but this is obviously obtained from a whois lookup from the IP address. There is information about the browser application, and the language used. In the case of Windows software running under emulation on a non-Windows system, there was enough information to indicate that this was so.

RISK 4

The amount of information that DidTheyReadIt could build up is quite staggering. As well as simple lists of valid email addresses, they can tie address information to browsers and other applications, and the language of the user. They can, of course, build maps of connections between correspondents. The hash seems to also be linked to the subject line, so that even if email is not being sent through the central computer itself a database of topics and interests can be built.

I'm rather surprised that Rampell Software (the company behind DidTheyReadIt) is even trying to sell their service: make it free, get the masses on board, and they have a gold mine of marketing information. Rampell is presumably well aware of the marketing possibilities. Each and every confirmation message from them carries at least two marketing messages: one pushing you to buy an upgrade to the version you have, and another promoting some other Rampell product.

The system is not perfect, of course: send a message to me and you will probably not get acknowledgement that I read it, since my mailer does not (automatically) render HTML and go to the Web. However, prevailing upon some friends with more "standard" mailers, such as Outlook and Eudora, the system does seem to work (at least partially) with a wide variety of systems, including Macs, and Macs running Outlook under PC emulation. Cookie filters that prevent you from going to an "outside" site might limit the susceptibility of Web based mail systems, but otherwise these should all return the tracking URL.
The system has interesting limitations with regard to mailing lists, and copies. When sent to a mailing list, and even to a number of people copied on the "To:" and "Cc:" lines, only one hash is generated. Although the confirmation message from Rampell mentions the possibility of further confirmations whenever someone subsequently reads the message, in testing that does not appear to happen. Each hash appears to be good for one use, and one use only. Sending a message to a mailing list gets you a response from the first person (or the first *susceptible* person) to read it.

As noted at the beginning, there has already been some interest in the system and the privacy considerations. There have been two mentions of the system in the RISKS-FORUM Digest.

http://catless.ncl.ac.uk/Risks/23.41.html#subj2

In the first, Lauren Weinstein gave a reasonable account of the system and the potential problems, noting the possible solutions. The use of text-only email is the best solution, and blocking the Rampell server would work as well. Turning off image display may alleviate privacy problems, but that does depend upon how different applications handle that option. Some may submit the URL to the Rampell server, and simply not display the image.

http://catless.ncl.ac.uk/Risks/23.44.html#subj11

A second posting noted that DidTheyReadIt is illegal in France, and speculated that travellers to France might find themselves in legal trouble if they were subscribers. In practical terms, having the Rampell software installed on your system could be evidence against you. In which case, using the modified email addresses would leave you free and clear, so long as you didn't send any modified mail while in France. France might, of course, want to block Rampell's IP addresses.

A marketing consultant did an article on the errors that Rampell made in promoting the service. He suggested that an opt-out approach or option would have avoided the bad press.
Unfortunately, this demonstrates that he doesn't understand how the system or the technology works. As Weinstein's analysis indicated, you have to change your software, or have some backend support, in order to prevent detection.

It is, of course, quite possible that Rampell has only the purest of motives in providing the service, and would never consider using the information obtained by providing it. I would not dare to impugn the integrity of the company or its principles and principals. However, I would note that historically:

- a certain delivery company stated that it would never sell the database of digitized signatures collected when it started using electronic pads--and then, some years later, did exactly that.
- companies with very rigorous privacy policies, having collected significant amounts of personal customer data, have gone bankrupt, and the files have been offered for sale.
- it has, sadly, been known to happen that evil intruders have broken into companies and stolen personal information from computerized files--or even planted backdoors and logging/reporting software in their systems.

======================
(quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu
Blessed is the man who, having nothing to say, abstains from giving in words evidence of the fact. - George Eliot
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

From isn at c4i.org Mon Aug 16 04:19:50 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 16 04:34:03 2004
Subject: [ISN] Cyberspace Gives Al Qaeda Refuge
Message-ID:

Forwarded from: William Knowles

http://www.latimes.com/news/nationworld/world/la-fg-cyberterror15aug15,1,4439590.story?coll=la-home-headlines

By Douglas Frantz, Josh Meyer and Richard B. Schmitt
Times Staff Writers
August 15, 2004

ISTANBUL, Turkey - In December, Al Qaeda operatives posted a manifesto on the Internet calling for attacks inside countries allied with the United States in Iraq.
Spain, with elections approaching, was singled out as a target. On March 11, terrorists set off bombs on four commuter trains in Madrid and killed 191 people. Three days later, Spanish voters replaced the pro-war government with a party whose leader had promised to withdraw the country's 1,300 troops from Iraq. The posting of the strategy and the timing of the Madrid bombings shocked even the most hardened Al Qaeda watchers recently when they reviewed the little-known manifesto. "It's quite extraordinary in that you have a group of people talking about influencing a political process and then having it happen," said a U.S. national security official who analyzed the 54-page posting and spoke on condition that his name not be used. "Reading through this thing, it is just mind-blowing." Since Osama bin Laden and his followers were driven from their bases in Afghanistan, the Al Qaeda terrorist network has demonstrated an increasing ability to exploit the Internet as it reconfigures itself as a semi-leaderless global extremist movement far more elusive than the original incarnation. Websites run by Al Qaeda and its backers have become virtual classrooms for terrorists, offering instructions for activities such as kidnapping and using cellphones to set off bombs, like the ones used in Madrid. Independent Al Qaeda cells and the network's loose hierarchy use easily available encoding programs and simple techniques to exchange virtually undetectable messages between Internet cafes in Karachi and libraries in London. The Internet's importance to Al Qaeda was highlighted this month by the disclosure that Pakistani authorities had apprehended Mohammed Naeem Noor Khan, a suspected Al Qaeda computer engineer, and collected a wealth of electronic material. 
E-mail and other information from Khan's computers led to the arrests of 13 suspects in Britain and sent investigators scrambling to unravel electronic links among militants in Pakistan, Europe and the United States, British, U.S., and Pakistani authorities said. The discovery of files on financial institutions in New York and Washington among Khan's trove also played a role in prompting the Bush administration to issue a terrorist warning. Although it has long been known that Al Qaeda used the Internet to conduct reconnaissance on potential U.S. targets, the disks and hard drives taken from Khan disclose much about the resiliency and adaptability of a far-flung network hiding in plain sight, said U.S. and foreign intelligence officials and outside experts interviewed for this report. "The Internet allows the organization to become a virtual self-perpetuating and changing entity in cyberspace that provides technological guidance and moral inspiration to a new generation," said Magnus Ranstorp, a counter-terrorism expert at the University of St. Andrews in Scotland. Rather than the computer whizzes often described by government officials and the press, the Al Qaeda operatives are more often people with everyday skills who have harnessed the Internet in a campaign against the United States and its allies. Even Khan, whom senior U.S. officials describe as extremely computer savvy, used skills available to many people with computer training. Over time, they developed and shared techniques to avoid detection. An Al Qaeda survival manual warned adherents not to use the same Internet cafe too many times. Messages should be written on a word processor and pasted into an e-mail to avoid keeping the computer connected to the Internet for too long, it said. The result is a changing definition not only of Al Qaeda but also of the threat from what is known as cyber-terrorism. After Sept. 
11, the biggest fear of terrorists using the Internet was their potential to disable air traffic control systems or disrupt the electric power grid of the United States. Billions were spent shoring up infrastructure defense. Although those concerns remain, authorities said no incident of cyber-terrorism has been recorded and worries have receded. Instead, the discovery of the December manifesto, the arrest in Pakistan last month and the accumulation of other evidence are leading to recognition that for now, at least, cyberspace is not a weapon for Al Qaeda, but a tool, one more difficult to counter than gunmen huddled in caves and tents. James Lewis, director of technology policy at the Center for Strategic and International Studies in Washington, said one clear advantage for Al Qaeda is that the Internet gives it a communications system that rivals that of a superpower without the accompanying risk. "There is no central headquarters," he said. "There is no central place you can knock out." U.S. and foreign authorities interviewed in recent days generally agreed with a report last spring by the U.S. Treasury and Justice departments, which concluded that the Internet poses tough challenges "because it is largely anonymous, geographically unbounded, unregulated and decentralized." Al Qaeda is not a newcomer to the Internet. In 2000, the group hacked into the e-mail and bank accounts of a U.S. diplomat in Saudi Arabia as part of an effort to track his movements and plot an assassination attempt, which was later abandoned, Ranstorp and a security official in the region said. In the final stages of planning the Sept. 11 attacks, hijacker Mohamed Atta sent a coded message over the Internet that said: "The semester begins in three more weeks. We've obtained 19 confirmations for studies in the faculty of law, the faculty of urban planning, the faculty of fine arts and the faculty of engineering." After Sept.
11 attacks on the World Trade Center and Pentagon, the camps and safe houses in Afghanistan where Atta and his accomplices had once trained were destroyed in the U.S. air assaults. Thousands of Al Qaeda adherents fled to hiding places in the tribal areas along the Afghan-Pakistani border, to Pakistan and to dozens of other countries. They left behind computers with files on how to build nuclear bombs, diagrams of U.S. buildings and software for stealing passwords off the Internet. In the months that followed, key leaders were killed or captured. Bin Laden has remained so deeply hidden that most intelligence officials think he no longer exercises much control over the network. The U.S. and its allies worked with some success to shut down the flow of money to Al Qaeda through Saudi charities, wealthy benefactors and other means. Faced with this multi-pronged assault, Al Qaeda reinvented itself, with a new reliance on the Internet. Manuals from the training camps were posted on websites. Praise for the "holy war" and appeals for money to continue the fight started popping up. Information was shared among members, and alliances with local and regional extremist groups were formed through cyberspace. More recent Internet postings reflected the adaptations of the new Al Qaeda, with its independent cells and new, often untrained recruits scattered throughout the Middle East, Europe and Africa. In late May, a website linked to Al Qaeda in Saudi Arabia published detailed instructions for carrying out a kidnapping. Three weeks later, U.S. aerospace engineer Paul M. Johnson Jr. was kidnapped in Riyadh, the Saudi capital, and later beheaded. Saudi extremists have proved particularly adept at using the Internet to communicate with other Al Qaeda groups and to promote their aim to topple the royal family, security officials in the country said. But the posting that called for attacks on U.S. allies in Iraq, and its chilling effectiveness, has proved the most startling.
"It shows that they are very strategic in what they are doing," the U.S. national security official said. The document was posted on a website run out of the Middle East. Its language, religious references and other telltale signs convinced U.S. experts that an Al Qaeda member wrote it, though they have not identified the author. Titled "Jihad in Iraq: Hopes and Dangers," the posting advocated attacking countries aligned with the U.S. that were most vulnerable to pressure to withdraw their troops from Iraq. Italy and Spain were singled out, with a special mention of Spain's approaching elections. "Withdrawal of Spanish or Italian forces would put immense pressure on the British presence in a way that Tony Blair might not be able to bear," it said in one of several paragraphs underlined for emphasis. "In this way the dominoes will begin to fall quickly." At another point, the posting said, "We think that the Spanish government could not tolerate more than two, maximum three blows, after which it will have to withdraw as a result of popular pressure." The posting was available on one of the hundreds of Arabic-language websites that cater to extremists and moderates alike. Many of them are watched by intelligence and law enforcement agencies, but experts say there are far too many to monitor thoroughly. Evan Kohlmann, a Washington-based terrorism analyst who has been a consultant to the U.S. government, said he was monitoring an Internet chat room frequented by Islamic extremists last month when someone posted copies of the complete Windows desktop of a U.S. soldier serving in South Korea. The soldier had apparently installed a program to access his work computer through another computer and the hacker found a back door and took control of the machine by using simple techniques, Kohlmann said. Simplicity seems to work best. One common method of communicating over the Internet is essentially an e-mail version of the classic dead drop. 
Members of a cell are all given the same prearranged username and password for an e-mail account on an Internet service provider, or ISP, such as Hotmail or Yahoo, according to the recent joint report by the Treasury and Justice departments. One member writes a message, but instead of sending it, he puts it in the "draft" file and then logs off. Someone else can then sign onto the account using the same username and password, read the draft and then delete it. "Because the draft was never sent, the ISP does not retain a copy of it and there is no record of it traversing the Internet; it never went anywhere, its recipients came to it," the report said. Secure messages also can be transmitted using widely available encryption tools. Slightly more advanced methods allow messages to be embedded in image, sound or other files transferred over the Internet through a process called "steganography." The files cannot be distinguished without a decoding tool. The difficulty of intercepting and deciphering messages has given rise to a game of cyber cat and mouse, according to government and independent experts. In an effort to gather information on potential recruits and donors, U.S. law enforcement agencies operate websites that are set up to resemble extremist Islamic sites. Visitors leave an electronic trail when they enter the site. On the other side, Al Qaeda can transmit false information to determine whether its members are being monitored by law enforcement. The Internet offers stealth to its users, but authorities can get valuable information if they can get their hands on data stored in computers or on disks. U.S. and foreign investigators still are sifting through the material taken from Khan. By cross-referencing the data with old files on people, places and methods of attacks, they hope to get a new picture of the organization's operations and identify its operatives, senior U.S. law enforcement officials say.
They also are getting a closer look at the role of the Internet in Al Qaeda's strategies, and a rare chance to turn the tables on the organization's computer prowess. "Al Qaeda relies on the Internet just like everyone else, and increasingly more so," a senior Justice Department official said. "But that reliance could also come back to bite them."

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================

From isn at c4i.org Mon Aug 16 04:20:06 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 16 04:34:04 2004
Subject: [ISN] Password to easy fraud lies in pets' names and birthdays
Message-ID:

http://icwales.icnetwork.co.uk/0100news/0200wales/tm_objectid=14535492&method=full&siteid=50082&headline=password-to-easy-fraud-lies-in-pets--names-and-birthdays-name_page.html

Aug 16 2004
The Western Mail

MOST internet and online banking customers leave themselves open to fraudsters by using predictable passwords, new research claims. More than three-quarters of people surveyed used words that could be easily guessed. Only one in five had passwords consisting of a combination of random letters and numbers, according to Visa Europe. The rest relied on nicknames, birthdays and anniversaries, family or pet names and memorable dates. But the group warned that people could be putting their security at risk, as personal information was often easy for hackers to obtain or guess. It added that first names or the names of places or famous people were also easy for hackers to get, and programmes existed that enabled hackers to try all the words in a dictionary when trying to find out someone's password.
The research found that 21% of people used their own or their partner's nickname for their password, while 15% used their birthday or anniversary and 15% used the name of their pet. Around 14% had a family members' name as their password, 7% relied on a memorable date, and 2% even unimaginatively used the word password. A third of people also admitted they used the same password for everything, while 24% said they used the same one most of the time. Four out of 10 people said they had between two and four passwords, with just 12% of people managing to remember between five and seven different ones. Just under a third of people admitted they had shared their password with their partner, while 16% had told a member of their family, and just half of those questioned were confident no-one else knew their log-in details.

Hugo Bottelier, vice president of Visa Europe, said, "Of course, it is important that our passwords are personal and meaningful to us, but also that they are difficult to decipher and not easily guessed."

Survey Shop questioned 1,005 internet users by telephone during March.

From isn at c4i.org Mon Aug 16 04:26:55 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 16 04:34:05 2004
Subject: [ISN] Hunt for XP SP2 flaws seen in full swing
Message-ID:

Forwarded from: security curmudgeon

: http://www.nwfusion.com/news/2004/0813huntforx.html
:
: By Joris Evers
: IDG News Service
: 08/13/04
:
: While users are testing Service Pack 2 for Windows XP to prevent
: compatibility problems, hackers are picking apart the security-focused
: software update looking for vulnerabilities, security experts said.
:
: "We will see new vulnerabilities discovered in SP2 over the next few
: weeks. Give it a month or two and we will also see worms that affect
: SP2," said Thor Larholm, senior security researcher at PivX Solutions
: LLC, a security services company in Newport Beach, Calif.
As usual with Windows Service Packs, the first week or two is spent figuring out what features have changed or broken significantly. While most of the griping is about functionality breaking that was made public well in advance, a few other changes crept in that are of interest to the security world. (read below)

: "A lot of the current attack vectors are blocked by SP2," Larholm said.
: "Folks are now trying to find new ways to plant code on a system. A lot
: of these new ways will use e-mail, instant messaging and Web traffic -
: any kind of traffic that a PC requests from the outside world - because
: that will go through the firewall without restrictions."

Fortunately, all the MSIE exploits will still do nicely =)

--

------Original Message-----
From: Fyodor [mailto:fyodor@insecure.org]
Sent: Wednesday, August 11, 2004 3:31 PM
To: nmap-hackers@insecure.org
Subject: Windows XP SP2 incompatible with Nmap

This is just a heads-up that most Nmap functionality will not work on the just-released Microsoft Windows SP2. Why? Microsoft apparently broke it on purpose! When an Nmap user asked MS why security tools such as Nmap broke, MS responded[1]: "We have removed support for TCP sends over RAW sockets in SP2. We surveyed applications and found the only apps using this on XP were people writing attack tools." I don't know why they consider Nmap an "attack tool", particularly when they recommend it on some of their own pages[2]. Shrug.

Removing SP2 re-enables the functionality and causes Nmap to work again. Many problems unrelated to Nmap have been found with SP2 as well[3], though it does some welcome security improvements for people stuck on that platform.

I will work on this if I get time, but am currently busy rewriting the core port scanning engine for the next version of Nmap. It is much faster, offers much better multiple-host parallelization, and provides other long-desired features such as completion time estimates.
If someone finds a solution to this SP2 problem, please send a patch. It may not be too hard, as Nmap supports operating systems such as Win95 that didn't have raw socket support in the first place.

Cheers,
Fyodor

[1] http://seclists.org/lists/nmap-dev/2004/Apr-Jun/0077.html
[2] http://www.microsoft.com/serviceproviders/security/tools.asp
[3] http://www.crn.com/sections/breakingnews/breakingnews.jhtml?articleId=23905071

--

The TCPIP.SYS modifications in XP SP2 have also limited the number of concurrent half-open TCP connections to -10-. Yeah. That means you can't try to connect to more than ten things at once unless one of them answers. This breaks most vulnerability scanning, p2p networking, and many game networks, but I think they were aiming to keep worms from spreading. There appears to be no registry key to change this setting. There is a 3rd party patch available for this: http://www.lvllord.de/ (site not resolving now)

From isn at c4i.org Mon Aug 16 04:28:44 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 16 04:34:06 2004
Subject: [ISN] Cyber Fears on Fed's Web Plan
Message-ID:

http://www.nypost.com/business/18671.htm

By HILARY KRAMER
August 15, 2004

With little fanfare, the Federal Reserve will begin transferring the nation's money supply over an Internet-based system this month - a move critics say could open the U.S.'s banking system to cyber threats. The Fed moves about $1.8 trillion a day on a closed, stand-alone computer network. But soon it will switch to a system called FedLine Advantage, a Web-based technology. Proponents say the system is more efficient and flexible. The current system is outdated, using DOS, Microsoft's predecessor to the Windows operating system. But security experts say the threat of outside access is too big a risk. "The Fed is now going to be vulnerable in two distinct ways.
A hacker could break into the Fed's network and have full access to the system, or a hacker might not have complete access but enough to cause a denial or disruptions of service," said George Kurtz, co-author of "Hacking Exposed" and CEO of Foundstone, an Internet security company. "If a security breach strikes the very heart of the financial world and money stops moving around, then our financial system will literally start to collapse and chaos will ensue." FedLine is expected to move massive amounts of money. Currently, Fedwire transfers large-dollar payments averaging $3.5 million per transaction among Federal Reserve offices, financial institutions and federal government agencies. Patti Lorenzen, a spokeswoman for the Federal Reserve, said the agency is taking every precaution. "Of course, we will not discuss the specifics of our security measures for obvious reasons," she said. "We feel confident that this system adheres to the highest standards of security. Without disclosing the specifics, it is important to note that our security controls include authentication, encryption, firewalls, intrusion detection and Federal Reserve conducted reviews." Ron Gula, president of Tenable Network Security and a specialist in government cyber security, said he's sure the Fed is taking every precaution. But no system is 100 percent foolproof. "If the motive was to manipulate the money transferring, there are Tom Clancy scenarios where there are ways to subvert underlying technologies," Gula said. "For example, a malicious programmer can put something in the Fed's network to cause the system to self-destruct or to wire them money." The biggest concern isn't the 13-year-old who hacks into the Fedwire and sends himself some money - it's terrorism. On July 22, the Department of Homeland Security released an internal report saying a cyber attack could result in "widespread disruption of essential services ... damag(ing) our economy and put(ting) public safety at risk."
But the Fed's undertaking of this massive overhaul is considered a necessity. "Our strategy is to move to Web-based technology because there are inherent limitations with DOS based technology and our goal is to provide better and robust product offerings to meet our customers' needs," said Laura Hughes, vice president of national marketing at the Chicago Fed, which has spearheaded this program.

From isn at c4i.org Tue Aug 17 05:44:53 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Aug 17 05:55:43 2004
Subject: [ISN] Linux Security Week - August 16, 2004
Message-ID:

+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter                                 |
| August 16, 2004                          Volume 5, Number 32n       |
|                                                                     |
| Editorial Team: Dave Wreski              dave@linuxsecurity.com     |
|                 Benjamin Thomas          ben@linuxsecurity.com      |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Image flaw pierces PC security", "OpenVPN 101: introduction to OpenVPN", "SSH Authentication: A Basic Overview", and "Wi-Fi hacking, a primer"

----
>> Bulletproof Virus Protection <<

Protect your network from costly security breaches with Guardian Digital's multi-faceted security applications. More than just an email firewall, on demand and scheduled scanning detects and disinfects viruses found on the network.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn04
----

LINUX ADVISORY WATCH: This week, advisories were released for apache, Cfengine, Courier, Ethereal, Gaim, glibc, gnome-vfs, gv, imagemagick, kernel, libpng, libpng10, mozilla, MPlayer, Nessus, Opera, PuTTY, Roundup, sox, SpamAssassin, squirrelmail, and shorewall.
http://www.linuxsecurity.com/articles/forums_article-9620.html

----

An Interview with Gary McGraw, Co-author of Exploiting Software: How to Break Code

Gary McGraw is perhaps best known for his groundbreaking work on securing software, having co-authored the classic Building Secure Software (Addison-Wesley, 2002). More recently, he has co-written with Greg Hoglund a companion volume, Exploiting Software, which details software security from the vantage point of the other side, the attacker. He has graciously agreed to share some of his insights with all of us at LinuxSecurity.com

http://www.linuxsecurity.com/feature_stories/feature_story-171.html

---------------------------------------------------------------------

Security Expert Dave Wreski Discusses Open Source Security

LinuxSecurity.com editors have a seat with Dave Wreski, CEO of Guardian Digital, Inc. and respected author of various hardened security and Linux publications, to talk about how Guardian Digital is changing the face of IT security today. Guardian Digital is perhaps best known for their hardened Linux solution EnGarde Secure Linux, touted as the premier secure, open-source platform for its comprehensive array of general purpose services, such as web, FTP, email, DNS, IDS, routing, VPN, firewalling, and much more.

http://www.linuxsecurity.com/feature_stories/feature_story-170.html

----

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* Image flaw pierces PC security
August 11th, 2004

Six vulnerabilities in common code that handles an open-source image format could allow intruders to compromise computers running Linux and may allow attacks against Windows PCs as well as Macs running OS X.
The security issues appear in a library supporting the portable network graphics (PNG) format, used widely by programs such as the Mozilla and Opera browsers and various e-mail clients.

http://www.linuxsecurity.com/articles/host_security_article-9610.html

* Secure Your Workplace When Going On Vacation
August 10th, 2004

In the northern hemisphere, the long-awaited summer holidays are just around the corner for many workers. The longer days and warmer weather will see many people taking a well-earned break from the office. But leaving computers unattended for a few days can also be a problem unless you take the right precautions.

http://www.linuxsecurity.com/articles/host_security_article-9604.html

* Spam Blocking Techniques
August 10th, 2004

Recent analyst estimates indicate that over 60 percent of the world's email is unsolicited email, or "spam." Spam has now become a significant security issue and a massive drain on financial resources. In fact, this deluge of spam costs corporations an estimated $20 billion each year in lost productivity.

http://www.linuxsecurity.com/articles/general_article-9605.html

+------------------------+
| Network Security News: |
+------------------------+

* Wi-Fi hacking, a primer
August 13th, 2004

Wi-Foo: The Secrets of Wireless Hacking is a new technical tome about the security (and insecurity) of 802.11 standards. Written by three security consultants with a history roaming the occult worlds of encryption and hackery, the book is not for dabblers or those who blush at the sight of a UNIX prompt.

http://www.linuxsecurity.com/articles/network_security_article-9616.html

* OpenVPN 101: introduction to OpenVPN
August 12th, 2004

This document will introduce OpenVPN as a free, secure and easy to use and configure SSL-based VPN solution.
The document will present some simple (and verified) scenarios that might be useful for preparing security/networking labs with students, for creating a remote access solution or as a new project for the interested home user.

http://www.linuxsecurity.com/articles/network_security_article-9611.html

* Security Cavities Ail Bluetooth
August 9th, 2004

Serious flaws discovered in Bluetooth technology used in mobile phones can let an attacker remotely download contact information from victims' address books, read their calendar appointments or peruse text messages on their phones to conduct corporate espionage. An attacker could even plant phony text messages in a phone's memory, or turn the phone sitting in a victim's pocket or on a restaurant table top into a listening device to pick up private conversations in the phone's vicinity.

http://www.linuxsecurity.com/articles/network_security_article-9599.html

* What is fwknop?
August 9th, 2004

fwknop stands for "Firewall Knock Operator" and is an upcoming piece of software. fwknop implements network access controls (via iptables) based on a flexible port knocking mini-language, but with a twist; it combines port knocking and passive operating system fingerprinting to make it possible to do things like only allow, say, Linux-2.4/2.6 systems to connect to your SSH daemon.

http://www.linuxsecurity.com/articles/projects_article-9600.html

+------------------------+
| Cryptography News:     |
+------------------------+

* SSH Authentication: A Basic Overview
August 11th, 2004

SSH is most commonly used to gain a remote shell, but it can be used for file transfers, to display remote X applications on a local machine, and even to securely connect to services that lack encryption. Unfortunately, many who use it from day to day don't have a good understanding of how it actually works.
http://www.linuxsecurity.com/articles/cryptography_article-9609.html +------------------------+ | General Security News: | +------------------------+ * Spam: Made In The U.S.A. August 12th, 2004 Proof that the United States is capitalism's capital, a survey released Thursday said that nearly all the world's spam is spewed by a limited number of hard-core spammers within the U.S. http://www.linuxsecurity.com/articles/privacy_article-9615.html * Interview with Bruce Schneier, Counterpane Internet Security August 12th, 2004 Bruce Schneier, founder and CTO of Counterpane Internet Security, is one of the world's foremost security experts and author of the influential books Applied Cryptography, Secrets & Lies and Beyond Fear. His free monthly newsletter, Crypto-Gram, has over 100,000 readers. Interviewed by Glyn Moody, he discusses the lack of accountability of software companies, security through diversity, and why he would rather re-write Windows than TCP/IP. http://www.linuxsecurity.com/articles/cryptography_article-9613.html * Executive Conversation: Attacking the Phishing Threat - What Every Company Needs to Know August 11th, 2004 By now just about every person with an email inbox has been exposed to a phishing scam. Spoofs are showing up with alarming frequency and to make matters worse, criminals have upped the ante with increasingly sophisticated coding and graphics. http://www.linuxsecurity.com/articles/privacy_article-9608.html * Of course Linux is more secure... August 9th, 2004 In the hacking world the answer would probably be 'NO'. Any idiot can write alter somebody else's code to write a virus or worm for Windows. To try and hack into a Linux box that's been properly set up and is kept patched is extremely difficult... not to say virtually impossible. http://www.linuxsecurity.com/articles/host_security_article-9597.html ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. 
LinuxSecurity.com
To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue Aug 17 05:45:09 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Aug 17 05:55:45 2004
Subject: [ISN] McAfee to buy Foundstone for $86M
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,95293,00.html

By Paul Roberts
AUGUST 16, 2004
IDG NEWS SERVICE

Antivirus software company McAfee Inc. said today that it's buying Foundstone Inc., which makes software for detecting and managing software vulnerabilities, for $86 million in cash.

The acquisition will add Foundstone's line of vulnerability management software to McAfee's growing list of security products. McAfee plans to combine Foundstone's technology for spotting and remediating software vulnerabilities with its intrusion-detection and security policy management products, allowing companies to identify and shield high-priority computer assets from attack. As part of the deal, Foundstone's professional services group will become part of McAfee's services team, McAfee said.

McAfee's purchase of Mission Viejo, Calif.-based Foundstone follows moves in the past year to focus its product offerings and bolster its standing in the intrusion detection and prevention market. In April 2003, McAfee, formerly Network Associates Inc., paid $220 million to purchase IntruVert Networks Inc. and Entercept Security Technologies Inc. The acquisitions gave Santa Clara, Calif.-based McAfee a jump-start in detecting both network-based attacks -- IntruVert's specialty -- and attacks targeted at network servers, or "hosts."

McAfee in recent months has also shed products and business units. In December 2003, the company announced the sale of its Magic help desk and management software division to BMC Software Inc., an enterprise management products maker, for $47 million. In April, the company sold its Sniffer family of network management products for $275 million to an investment group including Silver Lake Partners and Texas Pacific Group that relaunched the product under the auspices of a reconstituted Network General Corp.

McAfee will initially focus on getting Foundstone's technology to recognize and interact with the IntruVert and Entercept technologies, as well as McAfee's VirusScan 8, said Vince Rossi, senior vice president of product management at McAfee. The goal is to help customers assess their exposure to Internet- and network-borne threats using a constantly updated threat profile provided by McAfee's other products. With detailed information on which of their computer assets are the most exposed, IT departments can focus on dealing with the biggest threats to their most critical assets, saving time and effort, he said.

"Entercept and [IntruVert's] IntruShield are primarily focused on delivering proactive risk mitigation, but there's little guidance to customers on how to best use those technologies given their business environment," Rossi said. "Foundstone provides us with a front end that allows customers, in an automated way, to discover their environment and prioritize their resources based on business risk and on threats."

The purchase of privately held Foundstone, which began in 1999 as a security consulting services company and more recently began marketing and selling security software and hardware, will complement McAfee's investment in network and host intrusion-prevention technologies, said John Pescatore, an analyst at Gartner Inc.

"Now that you have host and network intrusion detection, companies need to know where they're vulnerable, so vulnerability management becomes important," he said.

The move also gives McAfee access to Foundstone's marquee vulnerability management customers, many of which are large companies, and boosts McAfee's otherwise unremarkable professional services group, Pescatore said. Foundstone's head of professional services will lead McAfee's professional services group after the acquisition. The company's security consultants will also be allowed to continue working in a "boutique" fashion within McAfee's professional services group, Rossi said. McAfee has promised Foundstone that the company's security experts won't be pressured to recommend only McAfee technology, said Rossi and George Kurtz, CEO of Foundstone.

McAfee said that it expects its acquisition of Foundstone to be complete in the next 60 days and that it will update its financial guidance for the fourth quarter of 2004 and for fiscal 2005 to account for the purchase.

From isn at c4i.org Tue Aug 17 05:45:31 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Aug 17 05:55:46 2004
Subject: [ISN] No Easy Fix for Internal Security
Message-ID:

http://www.thechannelinsider.com/article2/0,1759,1636529,00.asp

By David Raikow
August 16, 2004

Opinion: The idea of banning portable storage media in the workplace sidesteps the fact that internal security is a human issue, not a technical one.

Not too long ago, the Gartner Group raised a minor dustup in the IT community by releasing a report claiming that portable storage media - including consumer devices such as cameras and MP3 players with built-in or removable memory - represent a new security threat to corporate networks. While I am almost always happy to see people talking about security beyond firewalls and virus scanners, this particular case represents a classic example of the way in which the tech community - including the media - regularly bungles security issues.

According to the Gartner Group, these devices have grown so easy to use, and place so much memory within such small and innocuous physical packages, that they represent a dangerous new mechanism for employees to steal data or introduce malicious code into corporate networks.
The Gartner report simultaneously sensationalized and diminished a key security issue by taking it out of context and presenting it as a new problem tied to specific technologies. The media and much of the tech community, in turn, leaped to the worst possible conclusion from the Gartner report: that the real issue was whether businesses should ban iPods.

Internal data security is not a new problem, nor is it, strictly speaking, a technical one; employees have been stealing business records since businesses have been keeping them. Banning iPods will stop nothing. While there are some exceptions, there is very little data of value that an employee would need a gigabyte of memory to remove from an office. You can fit a lot of credit card numbers on a floppy disk, or for that matter, on a piece of paper.

So, how should businesses address this issue? Internal security is an enormous topic, but the first step is to recognize it as a human, rather than a technical, problem. If an employee can access a specific piece of data, he or she can steal it, no matter what technological precautions you may take. Human issues require complex, nuanced responses, and they rarely have a "silver bullet" solution.

The best precaution you can take is to know your employees. Before you give someone access to your valuable data, it is entirely appropriate for you to take reasonable steps to be confident that they are trustworthy. Keep in mind, however, that it's important to be completely upfront with the applicant about those steps. When making a new hire, ask applicants hard questions, check credit reports and really interview references; don't take anything at face value.

Respect for staff's privacy is both ethical and necessary to maintain a productive work environment; nevertheless, managers must be held responsible for awareness of staff's personal qualities, interpersonal dynamics and morale. Don't snoop - Big Brother in the workplace accomplishes nothing but making employees miserable - but know your people, who should be trusted, and how far. No, striking a balance isn't easy.

But keep in mind that the primary role of technology in this process should lie in maintaining appropriate limitations on access to data. Know what information individual employees need to do their jobs - and what they don't. Use network authorization and authentication systems, account restrictions and OS-level permissions to make sure staff can easily access appropriate data but nothing else. Make liberal use of internal firewalls, encryption and intrusion-detection systems to detect and block attempts to circumvent your access controls. These systems should be as transparent as possible to your employees; think of them as the digital equivalent of locks on filing cabinets and office doors.

Last, and definitely least, if removable media remain a particular concern, consider taking technical steps to prevent them from interfacing with your network. I would definitely not recommend banning cameras and MP3 players from the office, but there is nothing necessarily wrong with preventing them from being plugged into office computers or other equipment. Several vendors offer software products that can disable or limit access to FireWire and USB ports, including Zone Labs, Symantec, SecureWave and Verdasys. Keep in mind that these measures are pointless unless they also include steps for disabling CD and DVD burners, Zip drives and other writable media. This approach can require substantial investments in time and money, restricts legitimate and useful functionality, and is far from foolproof. But in high-security environments, it can provide some additional protection when used in conjunction with other precautions.

Understanding that some of the biggest threats to your network come from the inside is crucial to a realistic assessment of your security needs. Looking for a simple answer to a complex problem, however, is just asking for trouble.

From isn at c4i.org Tue Aug 17 05:45:43 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Aug 17 05:55:48 2004
Subject: [ISN] Hackers keeping pace, warns expert
Message-ID:

http://australianit.news.com.au/articles/0,7204,10472070%5E15318%5E%5Enbv%5E,00.html

Correspondents in Bombay
AUGUST 17, 2004

COMPUTER hackers are keeping up with the times and are putting an increasingly technology-dependent world at risk, the chairman of leading US-based IT security firm McAfee said.

"The telecom infrastructure - whether it be routing in India, UK, Germany or US - is at risk," George Samenuk told a business conference in Bombay.

"When cellphones go down, it is 10 times as worse because the whole world revolves around cellphones nowadays," he said.

"One major telecom company had 800MB of their source code stolen. A large retail chain could not operate their credit card automation on a Saturday because of a virus attack and lost millions of dollars."

Mr Samenuk said software could now automatically block out 90 per cent of attacks, but other viruses were still getting through. He recommended complying with normal safety procedures such as keeping long passwords and frequently changing them and not allowing unauthorised people to access organisations' networks.

But he said the increased reliance on technology for sensitive information presented challenges as hackers often posed as banks inquiring for personal details.

"We have had tens of thousands of people who had money stolen from their accounts. So this is another major concern," he said. "As many, many more people are switching to using mobile phones for emails and tracking stock quotations, we are seeing the propensity of attacks increase."

The global rush for internet-enabled phones, which are estimated to number over 15 million by the end of next year, would be an enormous security challenge, he said.
From isn at c4i.org Tue Aug 17 05:46:01 2004 From: isn at c4i.org (InfoSec News) Date: Tue Aug 17 05:55:50 2004 Subject: [ISN] Big Brother's Last Mile Message-ID: http://www.securityfocus.com/columnists/261 By Mark Rasch Aug 16 2004 On August 9th, 2004, the U.S. Federal Communications Commission (FCC) took a major step toward mandating the creation and implementation of new Internet Protocol standards to make all Internet communications less safe and less secure. What is even worse, the FCC's ruling will force ISP's and others to pay what may amount to billions of dollars to ensure that IP traffic remains insecure. The FCC ruling comes pursuant to a request by U.S. law enforcement agencies to extend the reach of a decade old federal statute, the Communications Assistance for Law Enforcement Act, or CALEA, to broadband Internet service providers including cable companies, DSL providers, satellite providers and even electric companies that provide inline Internet access. The ruling, if it becomes final, may require such ISPs to create and deploy new and expensive technologies that would ensure that communications carried over broadband were deliberately insecure and capable of being intercepted, retransmitted, read, and understood by law enforcement. Of course, whatever law enforcement can do, hackers will be able to do easier and faster. What this means is that IP protocols may have to be adjusted, and the future of encryption may also be in doubt. A Brief History of Taps To understand CALEA, you need a bit of history. From the dawn of Alexander Graham Bell to 1968, there were few if any specific rules on the legal requirements for listening in on electronic communications. The U.S. 
Supreme Court had tried to apply the precepts of the Fourth Amendment's protections of the privacy of "persons, places, houses and effects" to a voice traveling over a wire, finally concluding in 1963 that the amendment protects people's privacy rights, not simply their physical location. In response, Congress passed the Omnibus Crime Control and Safe Streets Act of 1968, Title III of which established the rules for intercepting telephone calls. Concerned that the FBI lacked the technical ability to install and monitor wiretaps, Congress in 1970 mandated that the cops could ask for, and a court could order, the phone company to give the police "information, facilities, and technical assistance necessary to accomplish the interception unobtrusively and with a minimum of interference with the [the company's] services." It also provided that the communications company "be compensated . . . by the applicant for reasonable expenses incurred in providing such facilities or assistance." In other words, a court could order an ISP to cooperate, conditioned on the cops agreeing to pay for the help. Effectively, this is no different than requiring a landlord, when presented with both a court authorized search warrant and an order requiring cooperation, and an order requiring the cops to pay up, to show the police where the target's apartment is, and maybe show them how to pick the lock. In 1994, however, at the request of law enforcement, Congress broadly expanded the law. No longer was the phone company merely required to provide technical assistance to help execute an already issued wiretap order -- now all covered telecommunications providers had to spend billions of rate-payer's dollars to design their systems in such a way as to be susceptible to the possibility of later court ordered surveillance. 
This is the equivalent of requiring that the landlord design the building without doors or locks (or with very weak ones), just in case the cops later want to search anyone in the building. As the Department of Justice described it, "CALEA for the first time required telecommunications carriers to modify the design of their equipment, facilities, and services to ensure that lawfully-authorized electronic surveillance could actually be performed." But CALEA never applied to ISPs, per se. In fact, section 102 of CALEA states that it "does not [apply to] persons or entities insofar as they are engaged in providing information services" although it does apply to "person[s] or entit[ies] engaged in providing wire or electronic communication switching or transmission service to the extent that the Commission finds that such service is a replacement for a substantial portion of the local telephone exchange service and that it is in the public interest to deem such a person or entity to be a telecommunications carrier." In other words, if you are replacing the local telephone exchange service, and the FCC concludes it is in the public interest, you might be covered by CALEA. On August 9th, the FCC tentatively concluded that broadband providers were exactly that. Push Me, Pull You The FCC concluded that "facilities-based providers of any type of broadband Internet access service. . . are subject to CALEA because they provide a replacement for a substantial portion of the local telephone exchange service." They arrived at this conclusion, it turns out, by completely misreading recent technology history The FCC wrote that, at the time CALEA was enacted, Internet services were generally provided on a dial-up basis by two separate entities providing two different capabilities -- a local exchange telephone company carrying the calls between an end user and her chosen Internet Service Provider, and the ISP providing e-mail, content, Web hosting and other Internet services. 
ISPs were exempt from CALEA. But because the local phone company was subject both to FCC jurisdiction and to CALEA, dial-up access was implicitly covered as well: to accomplish its purposes of intercepting communications pursuant to a court order, the FBI only had to capture the communication at the POTS (Plain Old Telephone Service) line, and the problem was solved. The FCC's reasoning is that because broadband replaces dial-up access to the Internet, and dial-up was subject to CALEA, broadband must ipso facto be subject to CALEA. However, while most individual users in 1994 connected to the Internet via dial-up, the Internet was already built principally on broadband communications. In fact, from its inception until 1991, very little of the overall bandwidth of the Internet consisted of an individual user dialing into a node for access. Most users were government, industry, military or educational users sitting at terminals with relatively fast (for 70's and 80's technology) non-dial-up connections. Broadband isn't some newfangled replacement for dial-up: it's the backbone and spine of the Internet, and has been for decades. A Brave New Internet The FBI, in requesting this authority defined "broadband access service" as "the process and service used to gain access or connect to the public Internet using a connection based on packet-mode technology that offers high bandwidth" but "does not include any 'information services' available to a user after he or she has been connected to the Internet, such as the content found on Internet Service Providers' or other websites." Essentially, the FCC concluded that CALEA can't force website operators to design their systems to reveal the IP addresses or identity of people who visit the site, but could force ISPs not only to reveal the identical information, but also to design the system to enable law enforcement to reveal the information. 
It is important to note that this expansion of CALEA was not needed to compel the ISPs to comply with a lawful subpoena. ISP's and everyone else must already comply under existing law. But a subpoena can only compel a recipient to turn over documents or records that exist. The FCC's ruling goes well beyond the extensive subpoena authority of the grand jury and the Foreign Intelligence Surveillance Court, and even the USA-PATRIOT Act. By making ISPs the electronic equivalent of the phone company, and therefore subject to CALEA, the FCC opens the door to mandating that all future TCP/IP technologies -- possibly even encrypted ones -- be designed at the outset to be tapable. After all, it would do the cops no good to receive a mass of encrypted packets. What's worse, all of this would be done on your dime. As Commissioner Abernathy pointed out in a statement, "upgrading networks to comply with a new packet-mode standard for surveillance will be a costly endeavor, and there are many unanswered questions about how these costs should be recovered." The FBI had an answer when ISPs and phone companies complained about the cost. The Bureau suggested that the cost be defrayed by increasing the rates you and I pay. So much for the government's E-rate program to make broadband more affordable. I am all for letting the cops tap phones, and even IMs, chat sessions, e-mail and websites with appropriate court orders. What I don't like is making us reinvent the Internet just for these purposes. The FCC action is a large step towards requiring this. SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc. 
From isn at c4i.org Wed Aug 18 06:53:17 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 18 07:00:54 2004
Subject: [ISN] Cyber Fears on Fed's Web Plan
Message-ID:

Forwarded from: Eric Hacker

On Mon, 16 Aug 2004 03:28:44 -0500 (CDT), InfoSec News wrote:

> http://www.nypost.com/business/18671.htm
>
> With little fanfare, the Federal Reserve will begin transferring the
> nation's money supply over an Internet-based system this month - a
> move critics say could open the U.S.'s banking system to cyber
> threats.

.....

> Patti Lorenzen, a spokeswoman for the Federal Reserve, said the
> agency is taking every precaution.
> "Of course, we will not discuss the specifics of our security
> measures for obvious reasons," she said.

Hmmm. Are the reasons obvious because we are dealing with a bureaucratic government agency that still has the bassackwards idea that security through obscurity works?

Most security engineering is a compromise between cost and risk, and maybe it is unwise to go into detail about those compromises (maybe not). Regular multi-million dollar transactions, like electronic voting, do not fall into that category. This should be as rock solid as AES and go through just as much public review.

Eric Hacker

From isn at c4i.org Wed Aug 18 06:53:50 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 18 07:00:56 2004
Subject: [ISN] REVIEW: "Computer Security for the Home and Small Office", Thomas C. Greene
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKCMSCHO.RVW   20040727

"Computer Security for the Home and Small Office", Thomas C. Greene, 2004, 1-59059-316-2, U$39.99/C$57.95
%A   Thomas C. Greene http://basicsec.org tcgreene@verizon.net
%C   2560 Ninth Street, Suite 219, Berkeley, CA 94710
%D   2004
%G   1-59059-316-2
%I   Apress
%O   U$39.99/C$57.95 510-549-5930 fax 510-549-5939 info@apress.com
%O   http://www.amazon.com/exec/obidos/ASIN/1590593162/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/1590593162/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1590593162/robsladesin03-20
%P   405 p.
%T   "Computer Security for the Home and Small Office"

Thomas Greene asked me to do the technical review for this book, which speaks to his bravery, regardless of what it says about his wisdom. So there's no point in pretending that I'm unbiased here. However, I must say that I was bracing myself for yet another security book by a writer rather than a techie--and was delightfully surprised, right from the beginning, at how useful Greene's material was.

The "Introduction" is a bit unusual: it doesn't lay out the theme or structure of the book, but jumps right into dispelling myths and making suggestions. You will be introduced to the fact that Greene is an Open Source/Linux ... well, fanatic might be too mild a term, extremist might be closer to reality. There is also a section on how to get, and configure, the Mozilla Web browser for safer surfing.

Chapter one deals with the dark side of computing, and a variety of attendant risks. The descriptions sometimes gloss over technical niceties, but the assessment of threat levels is more reasonable than in most similar works. Vulnerabilities and means of attack are presented in chapter two. An excellent and helpful list of Windows services that most users can turn off at no cost to function (and considerable addition in safety) is provided, as is a similar list for Linux. A sensible review of social engineering is presented in chapter three. More advanced tools are introduced in chapter four, but, in contrast to many similar works, the text goes on to provide explanations and suggestions on use. Chapter five explains many places where information may be stored on your computer (and network) in the course of normal operations, and how to clean up after yourself. Greene really lets himself go in his promotion of Linux and Open Source software in chapter six, presenting sanguine arguments. In chapter seven, a number of anecdotes are used to support the idea that you can learn about the computer and take control of your own safety, without having to live in fear of the unknown, or be dependent upon consultants of unknown competence.

This book presents material for the intelligent but non-specialist computer user. The text is readable, and the content useful. It does not cover the entire range of computer security, but it does provide valuable information for those who rely on computers for their work, and would like to achieve a level of security that is significantly higher than that available by default, without having to spend a great deal of time and money on it. Particularly for the Windows XP user, this is my primary endorsement for a computer security book. I would also recommend the work to security professionals, at least as a reference, since it contains Windows configuration that system administrators should know, and the vast majority don't.

copyright Robert M. Slade, 2004   BKCMSCHO.RVW   20040727

======================
(quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca  slade@victoria.tc.ca  rslade@sun.soci.niu.edu
Any girl can be glamorous. All you have to do is stand still and look stupid.
- Hedy Lamarr
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

From isn at c4i.org Wed Aug 18 06:54:06 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 18 07:00:57 2004
Subject: [ISN] Crypto researchers abuzz over flaws
Message-ID:

http://news.com.com/Crypto+researchers+abuzz+over+flaws/2100-1002_3-5313655.html

By Declan McCullagh
Staff Writer, CNET News.com
August 17, 2004

update: Encryption circles are buzzing with news that mathematical functions embedded in common security applications have previously unknown weaknesses.

The excitement began Thursday with an announcement that French computer scientist Antoine Joux had uncovered a flaw in a popular algorithm called MD5, often used with digital signatures. Then four Chinese researchers released a paper that reported a way to circumvent a second algorithm, SHA-0. While their results are preliminary, these discoveries could eventually make it easier for intruders to insert undetectable back doors into computer code or to forge an electronic signature--unless a different, more secure algorithm is used.

A third announcement, which was even more anticipated, took place Tuesday evening at the Crypto 2004 conference in Santa Barbara, Calif. The other papers also were presented at the conference. Eli Biham and Rafi Chen, researchers at the Israel Institute of Technology, originally were scheduled to present a paper identifying ways to assail the security in the SHA-0 "Secure Hash Algorithm," which was known to have imperfections. In a presentation Tuesday evening, however, Biham reported some early work toward identifying vulnerabilities in the SHA-1 algorithm, which is believed to be secure.

Biham's presentation was very preliminary, but it could call into question the long-term future of the wildly popular SHA-1 algorithm and spur researchers to identify alternatives. Currently considered the gold standard of its class of algorithms, SHA-1 is embedded in popular programs like PGP and SSL. It's certified by the National Institute of Standards and Technology and is the only signing algorithm approved for use in the U.S. government's Digital Signature Standard. SHA-1 yields a 160-bit output, which is longer than MD5's 128-bit output and is considered more secure.

Jim Hughes, general chairman of the Crypto 2004 conference, said on Tuesday morning that the news was sufficiently important that he was organizing the first Webcast in the conference's 24-year history. "There are three significant rump session papers on hash collisions that will be presented," including an update on Joux's findings, Hughes said in a message to a cryptography-related mailing list.

Unique fingerprints

"If you could find two contracts that hash out to the same signature, you could replace one with the other and in a court of law there would be at least an ambiguity about which one is valid," Hughes, a senior fellow at StorageTek, said in a telephone interview. "That's a very significant possibility."

The MD5, SHA-0, and SHA-1 algorithms are known to computer scientists as hash functions. They take all kinds of input, from an e-mail message to an operating-system kernel, and generate what's supposed to be a unique fingerprint. Changing even one letter in the input file results in a completely different fingerprint.

Security applications rely on these fingerprints being unique. But if a malicious attacker could generate the same fingerprint with a different input stream, the cloned fingerprint--known as a hash collision--would certify that software with a back door is safe to download and execute. It would help a crook who wanted to falsely sign an e-mail instructing that someone's bank account be emptied.

Because researchers have long known that no practical encryption algorithm can be completely secure, they attempt to design ones that take an inordinately long time to generate duplicate fingerprints. SHA-1 is regarded as secure because it is not possible to knowingly generate hash collisions using existing techniques. The SHA-1 algorithm relies on a computer executing a routine 80 times in an attempt to create a unique fingerprint. Biham said that he had been able to duplicate the fingerprint for 36 of those 80 rounds. If vulnerabilities similar to those identified in SHA-0 are eventually discovered in SHA-1, that would mean that attempts to forge a fingerprint would be accelerated by about 500 million times--putting it within theoretical reach of a network of fast PCs.

The weakness in the MD5 algorithm may be the more immediate threat. The open-source Apache Web server product uses MD5 hashes to assure the public that source code on dozens of mirror sites is not modified and is safe to run. So does Sun Microsystems' Solaris Fingerprint Database, which the company says can "verify that a true file in an official binary distribution is being used, and not an altered version that compromises system security."

MD5's flaws that have been identified in the past few days mean that an attacker can generate one hash collision in a few hours on a standard PC. To write a specific backdoor and cloak it with the same hash collision may be much more time-intensive. Still, Hughes says that programmers should start moving away from MD5. "Right now the algorithm has been shown to be weak," he said. "Before useful (attacks) can be done, it's time to migrate away from it."

From isn at c4i.org Wed Aug 18 06:54:31 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 18 07:00:58 2004
Subject: [ISN] Oracle Still Sitting on Database-Security Patches
Message-ID:

http://www.eweek.com/article2/0,1759,1637212,00.asp

By Lisa Vaas
August 17, 2004

Oracle Corp. is in public-relations hot water after weeks of stony silence on its delay in releasing 34 security vulnerability patches for flaws it has known about since January or February.
"Clearly, it's a good thing that they're getting the patches ready, but it seems to me that Microsoft [Corp.] has gotten a lot of grief for delaying patches for a variety of reasons," reads one post on the Weblog .net DElirium. "Will Oracle be held to the same standard?"

The flaws were discovered in January by David Litchfield, managing director of Next Generation Security Software Ltd., in Surrey, England. According to Litchfield, the flaws include buffer overflow attacks and SQL injection techniques for gaining access to Oracle databases. Litchfield has demurred on giving further details of the flaws, not wanting to enable hackers to commit exploits before Oracle has released patches. He first mentioned the flaws at the BlackHat security conference in Las Vegas last month, saying he had expected Oracle to deliver the patches in time for that conference.

Oracle has confirmed that the flaws do exist and that it has already created fixes, but the Redwood Shores, Calif., database giant has not offered details on when patches would be available.

In light of Microsoft's recurring security woes and the criticism that has steadily rained down upon it, some are itching to see Oracle get its share of the grief - particularly in light of its "Unbreakable" database ad campaign. But as experts and one blog writer suggested, the security situation in general for Oracle databases is a far cry from Microsoft Windows.

"If you use Oracle, your [database] will be for sure behind dozens of firewalls, servers, etc.," wrote one blog contributor. "Different from [Microsoft SQL Server instances] that are very often used for Web and installed on the same machine as the Web server. The risks involved on an Oracle update and a Windows update are very different."

Ian Abramson, chief technology officer at Toronto-based Red Sky Data Inc., agreed with that premise. "Most installations we have are pretty secure to the outside world nowadays," he said.
John Pescatore, an analyst at Gartner Inc., said the skill sets of Oracle DBAs (database administrators) also tend to be higher than those of the population of professionals who run Microsoft's SQL Server databases, which have the reputation of being far simpler to manage. "Oracle databases tend to be behind firewalls and protected by [people with] a much more sophisticated set of skills," he said.

In the meantime, rumors are flying that Oracle is delaying the patch release while it constructs a new patch-delivery paradigm, specifically a cumulative, monthly patch-release schedule a la Microsoft's current strategy.

Pescatore counts Microsoft as a client and advised the company on its initial adoption of the cumulative patch-release program. He said the move helped enterprises because it made patch releases more "predictable and packaged up."

"A lot of other large, Oracle-sized software companies have waited and watched to see how it went with Microsoft, to see if they'd get roasted, to see if they looked like they were trying to hide vulnerabilities," Pescatore said. "We [had] advised Microsoft that we thought it would help enterprises. [Before the cumulative patch program], you hadn't even finished one patch when they said they had another."

Oracle's delayed flaw fixes come at a crucial time, coinciding with Microsoft's release of SP2 (Service Pack 2) for Windows XP, which has been shown to break about 50 applications upon installation. As such, some have sought to compare the two companies' approach to patch delivery. But that comparison is weak, Pescatore said, considering that SP2 is mostly breaking applications that are doing "bad things."

"Two things are breaking applications," he said. "[Applications that have the] Windows firewall on by default, and Microsoft made a lot of changes in how Windows handled remote procedure calls, forcing them to be authenticated.

"So, the firewall is sort of forcing applications to work in a more secure way," he said.
"That's breaking some of them, mostly gaming and things that try to communicate on the Internet. And remote procedure calls - sloppy programming done in Windows that was taken advantage of by programmers."

Some Oracle users said they'd welcome a shift to a monthly patch-release schedule. "That seems to me to be the best of both worlds," said Kelly Cox, an Oracle DBA who runs a small consultancy in Alexandria, Va. "With [a monthly release], you still need to wait a little bit, but at least they'll bundle it. The only problem is waiting for that [once-a-month date]."

From isn at c4i.org Wed Aug 18 06:54:46 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 18 07:00:59 2004
Subject: [ISN] Hackers join dark side
Message-ID:

http://www.theinquirer.net/?article=17923

By Nick Farrell
18 August 2004

SECURITY EXPERTS MessageLabs say that there is evidence that virus writers are working hand in hand with spammers. The move takes the virus writers away from their self-appointed roles as champions of the small guy against corporatism and into the hands of dark cyber capitalism.

According to a recent report, MessageLabs says it has established the link by monitoring chat rooms to infiltrate the secretive world of virus writers and spammers. It claims to have seen messages flow between virus writers and spam writers about joining forces. The spammers are faced with a proliferation of software blocking spam and are keen to pay writers to create viruses that attach to e-mails and circumvent the spam blockers.

"There is little or no monetary profit to be gained from simply distributing viruses, but when you combine the capabilities of a virus and the profit that can be earned from spam, suddenly you have an altogether more materialistic proposition," MessageLabs said in its report.

However, it represents a change in the profile of virus writers, who always saw themselves as counter-culture.
The image of the teen hacker nerd standing against the big corporates such as Microsoft is enshrined in the movie industry and often a redeeming feature in court cases when they are caught. However, with recent cases of cyber extortion, links to the Russian Mafia, and now links to spammers, the hacker's image is turning from annoying criminal with a small c to outright evil money grabber, and they are unlikely to ever get the same level of sympathy again. Still, that is the dark side for you.

From isn at c4i.org Wed Aug 18 06:55:02 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 18 07:01:00 2004
Subject: [ISN] Study: Unpatched PCs compromised in 20 minutes
Message-ID:

http://zdnet.com.com/2100-1105_2-5313402.html

By Matt Loney and Robert Lemos
ZDNet (UK)
August 17, 2004

Don't connect that new PC to the Internet before taking security precautions, researchers at the Internet Storm Center warned Tuesday.

According to the researchers, an unpatched Windows PC connected to the Internet will last for only about 20 minutes before it's compromised by malware, on average. That figure is down from around 40 minutes, the group's estimate in 2003.

The Internet Storm Center, which is part of the SANS Institute, calculated the 20-minute "survival time" by listening on vacant Internet Protocol addresses and timing the frequency of reports received there.

"If you are assuming that most of these reports are generated by worms that attempt to propagate, an unpatched system would be infected by such a probe," the center, which provides research and education on security issues, said in a statement.

The drop from 40 minutes to 20 minutes is worrisome because it means the average "survival time" is not long enough for a user to download the very patches that would protect a PC from Internet threats.

Scott Conti, network operations manager for the University of Massachusetts at Amherst, said he finds the center's data believable.
"It's a tough problem, and it's getting tougher," Conti said.

One of Conti's administrators tested the center's data recently by placing two unpatched computers on the network. Both were compromised within 20 minutes, he said.

The school is now checking the status of computers before letting them connect to the Internet. If a machine doesn't have the latest patches, it gets quarantined with limited network access until the PC is back up to date.

"We are giving the people the ability to remediate before connecting to the network," Conti said.

The center also said in its analysis that the time it takes for a computer to be compromised will vary widely from network to network. If the Internet service provider blocks the data channels commonly used by worms to spread, then a PC user will have more time to patch.

"On the other hand, university networks and users of high-speed Internet services are frequently targeted with additional scans from malware like bots," the group stated. "If you are connected to such a network, your 'survival time' will be much smaller."

In a guide to patching a new Windows system, the Internet Storm Center recommends that users turn off Windows file sharing and enable the Internet Connection Firewall. Microsoft's latest security update, Windows XP Service Pack 2, will set such a configuration, but users will have to go online to get the update, opening themselves up to attack.

One problem, experts say, is network administrators' reliance on patching and their assumption that users will quickly patch systems.

Speaking recently at the Microsoft TechEd developer conference in Amsterdam, Microsoft security consultant Fred Baumhardt said the day is likely to come when a virus or worm brings down everything.

"Nobody will have time to detect it," he said. "Nobody will have time to issue patches or virus definitions and get them out there. This shows that patch management is not the be-all and end-all."
Baumhardt stressed the importance of adaptability, using the human immune system as an example: "Imagine if your body said, 'Hmm, I have the flu. I've never had this before, so I'll die.' But that doesn't happen: Your body raises its temperature and so on, to buy time while other mechanisms kick in."

"If the human body did patch management the way (companies do), we'd all be dead."

From isn at c4i.org Wed Aug 18 06:55:19 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 18 07:01:02 2004
Subject: [ISN] Hackers Take Aim at GOP
Message-ID:

http://www.wired.com/news/politics/0,1283,64602,00.html

By Noah Shachtman
Aug. 17, 2004

Online protests targeting GOP websites could turn out to be more than symbolic during this month's Republican National Convention, possibly blocking a critical communications tool for the party.

In the past, activists have been able to shut down the website of, say, the World Economic Forum for a few hours. But the impact of such a takedown was nebulous at best: It's hard to argue the organization really suffered from a few-hour lag in posting its press releases online.

In this year's presidential race, however, campaign websites have moved beyond the margins. During John Kerry's acceptance speech in Boston last month, for example, his website was visited by 50,000 people an hour, according to comScore Networks, the online traffic-measuring firm.

That's a droplet compared to the millions who'll watch the convention on TV. But taking down a campaign website would nevertheless remove a critical tool for reaching the public -- and likely generate a slew of stories in the mainstream media about the crash.

So it's no surprise that hardened electronic activists are planning to jam up the servers of GeorgeWBush.com, GOP.com and related websites, once the Republican National Convention gets underway Aug. 29.
"We want to bombard (the Republican sites) with so much traffic that nobody can get in," said CrimethInc, a member of the so-called Black Hat Hackers Bloc [1]. It's one of several groups planning to distribute software tools to reload Republican sites over and over again. These FloodNet programs are similar to hackers' distributed denial-of-service attacks, which overwhelm a server with thousands and thousands of simultaneous requests for information.

But some activists are condemning the planned attacks, saying they violate the principles of free speech that protesters rely on for their demonstrations.

"If you feel that you must shut up someone through intimidation or false accusations or any other method -- you are not relying on the superiority of the truth," The Pull, co-founder of the online political action group Hacktivismo, wrote in an e-mail. "People can not condemn censorship and then embrace it."

The point of the electronic demonstrations isn't to take down a site, according to Ricardo Dominguez, co-founder of the Electronic Disturbance Theater, or EDT, which is releasing a FloodNet program of its own. Unlike hackers' denial-of-service attacks, which often hijack computers against their users' will, EDT's JavaScript-based software depends on how many people use the program.

"It's a way to let people around the world gather and let their presence be felt," Dominguez said.

Not that he would mind if a Republican server just happened to crash along the way. In 2002, at the EDT's direction, 43,000 people flooded the site of the World Economic Forum during its meeting in New York. The organization's website went offline for several hours following the demonstration.

The Black Hat Hackers Bloc is hoping to cause a whole lot more trouble when the Republicans start to gather in New York. The groups will be targeting not only GOP computers, but "e-mail, faxes and phones, too," CrimethInc said, as well as unspecified "financial disruption."
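From the server operator's side, the FloodNet pattern described above (many clients reloading the same page over and over) is visible in the access log as a high per-client request rate with very few distinct paths. The following detector is an added example, not code from the article or from any group it names; it assumes Common Log Format lines, a 10-second window and a 20-request threshold, and the sample log it scans is constructed inline.

```python
"""Added example (not code from the article or from any group it names): a
defender-side detector for page-reload floods in web server access logs.

It assumes Common Log Format lines, a 10-second window and a 20-request threshold;
all of these, and the sample log below, are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, path) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("path")


def detect_reload_floods(lines, window_seconds=10, threshold=20):
    """Flag clients that issue >= threshold requests inside any window_seconds span.

    Returns {ip: (peak_requests_in_window, distinct_paths)}. A low distinct-path
    count beside a high peak is the signature of a client reloading one page
    repeatedly; lines are expected in log (chronological) order per client.
    """
    recent = defaultdict(deque)   # per-client timestamps still inside the window
    paths = defaultdict(set)      # per-client distinct paths requested
    peak = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # unparseable line: skip rather than crash
        ip, ts, path = parsed
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()        # drop timestamps that fell out of the window
        paths[ip].add(path)
        if len(window) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(window))
    return {ip: (n, len(paths[ip])) for ip, n in peak.items()}


def build_sample_log():
    """Constructed log: one client reloads / 30 times in 6 s, another browses normally."""
    start = datetime(2004, 8, 29, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(30):
        ts = (start + timedelta(seconds=0.2 * i)).strftime(TS_FMT)
        lines.append('192.0.2.10 - - [%s] "GET / HTTP/1.1" 200 5120' % ts)
    for i, path in enumerate(["/", "/news/", "/about/", "/contact/", "/news/"]):
        ts = (start + timedelta(seconds=30 * i)).strftime(TS_FMT)
        lines.append('198.51.100.5 - - [%s] "GET %s HTTP/1.1" 200 8192' % (ts, path))
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for ip, (peak_count, distinct) in detect_reload_floods(SAMPLE_LOG).items():
        print("%s: %d requests within 10 s across %d path(s)" % (ip, peak_count, distinct))
```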
Officials from the Republican Party and from Computer Horizons, the Mountain Lakes, New Jersey, firm responsible for network services at the GOP convention, did not respond to requests to comment for this article.

It's unclear exactly how effective these online actions will be. In an interview, CrimethInc boasted that his associates defaced the website for Drug Abuse Resistance Education, or DARE, with a pro-pot-legalization screed, and promised similar strikes against Republican sites. In the past, veteran online activists have called these tactics the "kind of stupidity that gives hacking a bad name."

The attacks during the Republican convention may be just the beginning, however. At the Hackers on Planet Earth gathering in New York City, one speaker promised attendees, "You will learn how to infiltrate organizations like the RNC, how to look for and find security holes, and how mischief and mayhem is achieved."

[1] http://phil.ist-backup.de/rncelectronic/

From isn at c4i.org Thu Aug 19 12:00:26 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 19 12:07:31 2004
Subject: [ISN] Security UPDATE--Windows XP SP2 Help--August 18, 2004
Message-ID:

====================
1. In Focus: Windows XP SP2 Help
2. Security News and Features
- Recent Security Vulnerabilities
- News: Microsoft Issues August Security Fixes
- Feature: Cleaning Up After Classified Email
3. Security Matters Blog
- How to Temporarily Disable Installation of Windows XP SP2
- It Had to Happen Sooner or Later, Part 2
- What Are You Exposing in Your Word, Excel, and PowerPoint Files?
4. Security Toolkit
- FAQ
5. New and Improved
- Updated Patch Management Solution
- Secure Your Compressed Attachments

====================
==== 1. In Focus: Windows XP SP2 Help ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net

Certainly you know by now that Windows XP Service Pack 2 (SP2) has been released. As anticipated, some systems have had problems after installation of the new service pack. But many people report that their installations have been successful and without incident.

Some of you might want to wait until later to install SP2. If you use Microsoft Software Update Services (SUS) or Automatic Updates, you'll probably need to disable SP2 installation until you're ready for it. Microsoft has released two tools to help: "Toolkit to Temporarily Block Delivery of Windows XP SP2 to a PC Through Automatic Updates and Windows" (at the first URL below) and "Executable to Un-block Delivery of Windows XP SP2 to a PC Through Automatic Updates and Windows Update" (at the second URL below).
http://www.microsoft.com/downloads/details.aspx?familyid=8bce6bba-ea5d-4425-89c1-c1cb1ccd463c&displaylang=en
http://www.microsoft.com/downloads/details.aspx?familyid=b2300c7b-f3d7-48d6-b86c-1256c0321727&displaylang=en

If you want to slipstream SP2 into your XP installation packages, Adrian Earnshaw posted a link in the NTBugtraq mailing list (at the first URL below) that points to an article on the Windows-Help.NET Web site that describes step-by-step how to create a slipstream package (at the second URL below).
http://www.ntbugtraq.com
http://www.windows-help.net/windowsxp/winxp-sp2-bootcd.html

Some people might have difficulty with Microsoft Systems Management Server (SMS) after installing SP2. Rod Trent posted a link in the PatchManagement.org mailing list (at the first URL below) that points to an FAQ on the myITforum.com Web site. The FAQ (at the second URL below) tells how to correct certain problems with SP2 and SMS that might relate to Distributed COM (DCOM) and access through port 135.
http://www.patchmanagement.org
http://myitforum.techtarget.com/articles/1/view.asp?id=7648

If you're looking for information and tools from Microsoft related to SP2, try the search engine at the Microsoft Download Center. If you select Windows XP as the Product/Technology and enter the keywords "Service Pack 2," you'll find lots of articles, tools, and reference material to help you.
http://www.microsoft.com/downloads/search.aspx?displaylang=en

The Microsoft Developer Network (MSDN) also has a Web page--the Microsoft Security Developer Center--that lists lots of security resources for developers, including a course, "Windows XP Service Pack 2 Training for Developers," which provides "awareness of the implications in the deployment of Service Pack 2 on computers running on the Windows XP Professional and Windows XP Home Editions and how the application developer will be affected by them."
http://msdn.microsoft.com/security/productinfo/xpsp2/default.aspx

At Microsoft's support site, you'll find a Web page that contains lots of links to a few known issues, as well as troubleshooting, step-by-step help, and more. You'll also find a link to an upcoming Webcast, "Understanding Microsoft Windows XP Service Pack 2," which is scheduled for August 19, 10:00 A.M. Pacific Time.
http://support.microsoft.com/default.aspx?pr=windowsxpsp2it

One more resource you might find helpful is the "Windows XP Service Pack 2 Experiences" Web forum hosted by the SANS Institute's Internet Storm Center. The forum has classified posts according to the poster's experience with SP2--that is, whether he or she had "no problems," "small problems," "big problems, but solvable," "big problems, could not use/install," "had to rebuild system," or "no opinion." If you're having trouble with SP2, you might read the forum's posts or use its search engine to see whether anyone had similar trouble and found a solution.
http://isc.sans.org/xpsp2.php

====================
==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://www.winnetmag.com/departments/departmentid/752/752.html

News: Microsoft Issues August Security Fixes
Microsoft issued just one new fix in its August collection of security bulletins. The fix is a security bulletin that has a moderate severity rating and affects Microsoft Exchange Server 5.5. One fix is a far cry from July's monthly updates, which included eight bulletins. Two weeks ago, however, Microsoft released a set of Microsoft Internet Explorer (IE) fixes out of sync with its monthly security updates; the fixes patched IE flaws that were discovered in June.
http://www.winnetmag.com/article/articleid/43602/43602.html

Feature: Cleaning Up After Classified Email
Los Alamos National Laboratory (LANL), the birthplace of the atomic bomb and one of the most secretive places in the United States, has had several security breaches, including the sending of classified messages over the lab's unclassified email system. LANL's problems got Paul Robichaux thinking about the technical challenges of "cleaning" an ordinary email system through which someone has sent confidential or sensitive information. It's no easy task. Read what he has to say in this article on our Web site.
http://www.winnetmag.com/article/articleid/43393/43393.html

====================
==== 3. Security Matters Blog ====
by Mark Joseph Edwards, http://www.winnetmag.com/securitymatters

Check out these recent entries in the Security Matters blog:

How to Temporarily Disable Installation of Windows XP SP2
Microsoft offers a few ways to postpone Windows XP Service Pack 2 (SP2) installation for those who use Windows Update and Automatic Updates.
It Had to Happen Sooner or Later, Part 2
Somebody has released a malicious Windows CE worm that inserts a back door into the OS.

What Are You Exposing in Your Word, Excel, and PowerPoint Files?
Microsoft recently released an update to its Remove Hidden Data tool (rhdtool.exe) that cleans hidden and collaboration data out of Office 2003 and Office XP files.

==== 4. Security Toolkit ====
FAQ: I have an internal firewall between sections of my network. What ports must I open to allow user and computer account authentication?
by John Savill, http://www.winnetmag.com/windowsnt20002003faq

A. Basic authentication on a network consists of several steps. First, the client locates a domain controller (DC), which requires DNS connectivity--UDP and TCP ports 53. Next, the client performs a connectivity test by using a Lightweight Directory Access Protocol (LDAP) Ping--UDP port 389. Then, the client uses Kerberos (UDP and TCP ports 88) and Server Message Block (SMB--UDP and TCP ports 445) to complete the authentication to the DC. Therefore, you must enable all these ports.

====================
==== 5. New and Improved ====
by Renee Munshi, products@winnetmag.com

Updated Patch Management Solution
St. Bernard Software announced version 6.2 of its patch management solution UpdateEXPERT. The new version has expanded support for portable workstations and laptops, letting you patch these devices when they make a network connection and accommodate their slower speed connections from remote locations. UpdateEXPERT 6.2 also lets you assign a network share as a patch repository so that you can optimize storage and better control patch distribution. Prices start at $840 for a 1-year subscription to support 1 to 50 workstations. For more information, visit
http://www.stbernard.com

Secure Your Compressed Attachments
PKWARE announced SecureZIP for Windows, the first offering in PKWARE's cross-platform SecureZIP product family, which covers all major computing platforms. SecureZIP combines encryption and digital signature capabilities with ZIP file compression. Users can secure and compress email attachments from within Microsoft Outlook or IBM Lotus Notes or directly from the desktop with one mouse click. SecureZIP encryption algorithms support Triple DES (3DES) and Advanced Encryption Standard (AES), and SecureZip users can use either passwords or digital certificates for encryption. PKWARE provides the free ZIP Reader tool for viewing any zipped, encrypted, or digitally signed files. For more information, go to
http://www.pkware.com
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2004, Penton Media, Inc. All rights reserved.

From isn at c4i.org Thu Aug 19 12:00:41 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 19 12:07:33 2004
Subject: [ISN] Researchers find holes in XP SP2
Message-ID:

http://www.computerworld.com/securitytopics/security/holes/story/0,10801,95325,00.html

By Paul Roberts
AUGUST 18, 2004
IDG NEWS SERVICE

Security researchers inspecting a new update to Microsoft Corp.'s Windows XP found two software flaws that could allow virus writers and malicious hackers to sidestep new security features in the operating system.

German Internet security portal Heise Security published a security bulletin, dated Aug. 13, that describes two holes in Windows XP Service Pack 2 (SP2) and warns users about running programs from untrusted Internet sites. The flaws could allow virus writers to circumvent the security feature and write worms that spread on XP SP2 systems, according to the bulletin. However, the researcher who discovered the holes said he doesn't consider the flaws to be serious and still recommends installing SP2.

Microsoft released XP SP2 to its customers shortly after completing work on the massive software update, on Aug. 6. SP2 contains a number of new security features, including an improved version of Windows Internet Connection Firewall, now named Windows Firewall, a new, user-friendly interface for managing security settings and improved features for detecting and blocking malicious content downloaded from Web sites.

Heise Security Editor in Chief Jurgen Schmidt and his colleagues discovered the holes in an XP SP2 feature that marks files downloaded using the Internet Explorer Web browser or saved from e-mail messages using the Outlook Express e-mail client with a Zone Identifier, or ZoneID, according to Schmidt. The ZoneID records the Internet Explorer security zone from which the file originated.
Internet Explorer security zones assign different levels of security permission to different sources of files and data. For example, Web sites and files downloaded from the Internet are considered less secure than those obtained from a LAN the computer is connected to or from the local computer hard drive.

XP SP2 saves ZoneIDs in a text file on the local computer. The file is linked to the downloaded file and used to issue pop-up warnings when Windows users attempt to open files from a dangerous source.

However, certain Windows features allow users to open files without receiving a warning, Heise Security found. For example, users can open files using text commands issued through the Windows command prompt, a standard Windows feature, without being warned about the risk associated with opening the file.

A second bug exploits what Schmidt called a "programming error" in XP SP2 that fails to update the ZoneID information cached for immediate use when files are renamed. That could allow malicious hackers or viruses to get around the user warnings, at least temporarily, by renaming a malicious file that would otherwise generate a warning, he said.

Neither security hole could be exploited by a remote attacker, and both require Windows users to take actions such as opening the Windows command shell or renaming files to overwrite other files on Windows, he said. However, a flaw such as the failure to update cached ZoneID information could cause problems as third-party software programs try to take advantage of XP SP2, he said.

Microsoft was informed of the holes Aug. 12. The Microsoft Security Response Center responded to the report, saying that the issues raised were not in conflict with "the design goals of the new protections" and that it didn't consider the holes serious enough to warrant a patch or workaround, Schmidt said. A Microsoft spokesman couldn't confirm that the company issued a statement to Heise Security.
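To make the marker mechanism concrete, here is an added example (not code from the article, Heise or Microsoft) that reads and classifies the zone marker from a defender's side. It assumes the "text file linked to the downloaded file" is the NTFS alternate data stream named Zone.Identifier with an INI-style [ZoneTransfer] / ZoneId=N body, and that the numeric values are Internet Explorer's URLZONE constants (3 = Internet, 4 = Restricted sites); the directory scan only works on Windows, while the parser runs anywhere.

```python
"""Read and classify the Internet Explorer zone marker that XP SP2 attaches
to downloaded files (added example, not from the article).

Assumption: on NTFS the marker lives in the alternate data stream named
"Zone.Identifier", whose body looks like

    [ZoneTransfer]
    ZoneId=3

The numeric zone values are Internet Explorer's URLZONE constants.
"""
import os
import sys
from typing import List, Optional, Tuple

STREAM_NAME = "Zone.Identifier"  # stream written by IE / Outlook Express on download

# URLZONE values. 3 (Internet) and 4 (Restricted sites) are the zones whose
# files Windows treats as coming from a "dangerous source" and warns about.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(text: str) -> Optional[int]:
    """Return the ZoneId from a Zone.Identifier stream body, or None.

    Tolerates CRLF/LF endings, surrounding whitespace, comments and extra
    keys. Returns None when the [ZoneTransfer] section or ZoneId key is
    missing or malformed, so callers treat an unreadable mark as "no mark"
    rather than guessing a zone.
    """
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == "zoneid":
            try:
                zone = int(value.strip())
            except ValueError:
                return None
            return zone if zone in ZONE_NAMES else None
    return None


def is_untrusted_zone(zone: Optional[int]) -> bool:
    """True for Internet (3) and Restricted sites (4), the zones that should warn."""
    return zone is not None and zone >= 3


def read_zone_identifier(path: str) -> Optional[int]:
    """Read the mark straight from the file's stream (Windows/NTFS only).

    Reading the stream itself, instead of any cached copy, avoids the stale
    cache-after-rename behaviour the article describes: the stream stays
    attached to the file when it is renamed on the same NTFS volume.
    """
    if not sys.platform.startswith("win"):
        return None
    try:
        with open(f"{path}:{STREAM_NAME}", "r", encoding="ascii", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:  # no stream, non-NTFS volume, or unreadable file
        return None


def find_marked_files(directory: str) -> List[Tuple[str, str]]:
    """List (path, zone name) for files carrying an Internet/Restricted mark."""
    flagged = []
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if not os.path.isfile(full):
            continue
        zone = read_zone_identifier(full)
        if is_untrusted_zone(zone):
            flagged.append((full, ZONE_NAMES[zone]))
    return flagged


if __name__ == "__main__":
    # Constructed sample stream bodies so the parser can be exercised offline.
    samples = {
        "internet": "[ZoneTransfer]\r\nZoneId=3\r\n",
        "intranet": "[ZoneTransfer]\nZoneId=1\n",
        "no-section": "ZoneId=3\n",
        "garbage": "[ZoneTransfer]\r\nZoneId=three\r\n",
    }
    for label, body in samples.items():
        zone = parse_zone_identifier(body)
        print(f"{label:12} zone={zone} untrusted={is_untrusted_zone(zone)}")
    if len(sys.argv) > 1:  # optional: scan a download folder on Windows
        for path, zone_name in find_marked_files(sys.argv[1]):
            print(f"WARN {path}: downloaded from {zone_name} zone")
```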
Many security experts agree that XP SP2 improves Windows security, especially by deploying a desktop firewall by default that blocks all but common Internet traffic to and from Windows XP machines. However, the hunt for holes in XP SP2 began as soon as the software update was released. Some security researchers predict that hackers will discover ways to circumvent many of the XP SP2 features, even writing worms and viruses that target machines running the updated operating system.

"SP2 is not going to be the end of all viruses. Users have to be aware of the fact that the new security features of SP2 are not catchall solutions," Schmidt said.

From isn at c4i.org Thu Aug 19 12:00:58 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 19 12:07:35 2004
Subject: [ISN] Innovation Center Nurtures Newborn Security Companies
Message-ID:

http://www.washingtonpost.com/wp-dyn/articles/A13360-2004Aug18.html

By Ellen McCarthy
August 19, 2004

Sitting in a glass-walled conference room first thing Monday morning, executives from a dozen start-up companies were given the local tech equivalent of a buried treasure map: a detailed presentation by the Department of Homeland Security on how to win grants and sell its products. Later the fortunate entrepreneurs took turns making individual pitches to the agency's representatives.

It's the kind of opportunity some local techies spend months chasing down, but it's almost commonplace for executives of companies housed in the Chesapeake Innovation Center (CIC), an Annapolis incubator focused solely on developing homeland security technologies.

Not yet a year old, the incubator already has gained the attention of federal agency officials and venture capitalists by sifting through the crowded field of security start-ups, plucking out some of the most promising and helping those companies get their products on the market.

"We are laser-focused on national security. Everyone we deal with has some interest in homeland security.
Everyone is passionate about the war on terrorism," said John H. Elstner, CIC's chief executive.

The incubator was born out of Anne Arundel County's efforts to bolster its technology industry. Efforts to create an incubator were underway when terrorists struck on Sept. 11, 2001, propelling security into the tech sector's spotlight and prompting CIC's directors to narrow the incubator's mission.

Anne Arundel County Economic Development Corp. so far has pumped about $1.5 million into the incubator. Under the direction of Elstner and Business Cluster Development, a Menlo Park, Calif., company that advises incubators, CIC recruited a group of corporate sponsors, including Nokia, BearingPoint Inc. and law firm Piper Rudnick, to help pay the center's bills. CIC won't release specific figures, but its directors say the incubator's annual budget is "in the high six figures."

The plan is to rely much less on taxpayer funding over time, Elstner says. But to survive, CIC will have to produce successful companies. The incubator takes an equity stake in each of its start-ups, so if they are acquired or go public in the future, CIC will get a cut of the profit. Companies also pay a "membership fee" ranging from $600 to $3,500 for space in the center.

Before CIC opened last October, its directors evaluated 150 companies that wanted to be housed in the center. They chose seven to be part of its inaugural class, providing them a home for about two years. The main criterion for acceptance is simple: have technology -- or a feasible idea for technology -- that will make the country safer.

Of course, every third company in the Washington area these days seems to have a product it claims will protect the nation from terrorists. In order to cull the best of the best, CIC starts by asking target customers, like government agencies and large corporations, about their most pressing gaps in security technology.
Companies with the potential to fill those needs are given a priority at the center.

When BearingPoint encountered a small Israeli company with cybersecurity technology it was interested in reselling to its own customers, the McLean firm recommended that CIC take a look at the start-up. Elstner and others met with the Israeli firm, Moozatech Inc., evaluated its business and offered the company a spot in the incubator.

"It's really good for us because we can identify new technologies and processes in these small companies, put money in their pocket and go to market," said Mark Gembicki, managing director of BearingPoint's critical infrastructure program, who keeps an office at the incubator. "CIC is a way of vetting those companies in more detail and giving a company like BearingPoint assurances that the technology is good, the management is good."

In less than a year, CIC grew from occupying one floor of its Annapolis office building to three, and it's now home to 14 start-ups. Unlike the incubators with foosball tables and keg parties that became ubiquitous during the late 1990s, CIC is a mostly serious place with entrepreneurs who have cycled through earlier companies and careers.

While CIC's residents are all in the security sector, their missions vary widely: PharmAthene is a biotech firm creating treatments for anthrax. UTrue Inc. sells technology to help protect large cargo containers. Lighthouse Communications Services is developing GPS systems for cellular devices. Real User Corp.'s technology is a replacement for computer passwords. Users are asked to remember a set of photos of human faces, then pick out the familiar images from a random series of faces in order to log in. (Real User's highest-profile customer is the Senate.)

Alon Moritz, chief executive of Moozatech, said he spent six months making regular trips to Washington in an attempt to catch the eye of government buyers.
"It's a profession in and of itself, trying to sell to the government," Moritz said. "Since I moved in here, the amount of interest from government agencies, if I could measure it, has gone up 1,000 percent."

CIC has a partnership with the National Security Agency and meets regularly with research and acquisition officials from the Department of Defense. Glaringly absent from the incubator's list of sponsors is the one organization all of its companies want to serve -- the Department of Homeland Security.

Elstner says he hears "loud and clear" the complaints of private-sector companies finding it difficult to sell to the Department of Homeland Security. The center's strategy is to first develop a working relationship with the people at the agency and prove that CIC has something to offer before asking the department for formal or financial support.

"That's part of why this place was built -- to address the frustrations of the private sector as the public sector gets into gear," Elstner said. "Have we gotten any DHS money? Not yet. Do we want to? You bet. Do we think we will? Absolutely."

From isn at c4i.org Thu Aug 19 12:01:29 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 19 12:07:36 2004
Subject: [ISN] Oracle to Patch on Monthly Schedule
Message-ID:

http://www.eweek.com/article2/0,1759,1637495,00.asp

By Lisa Vaas
August 18, 2004

Oracle has broken the silence surrounding its failure to release patches for multiple security flaws, confirming to eWEEK.com that the release delay is caused by the fact that the company is heading to a monthly patch rollup model, as many had suspected.

"Oracle [Corp.] is moving to a monthly patch rollup model because we believe a single patch encompassing multiple fixes, on a predictable schedule, better meets the needs of our customers," a spokeswoman for the Redwood Shores, Calif., database giant said in an e-mail exchange.
"While it is challenging to produce all patch sets on a fixed schedule, we are confident that a regular patch schedule is the right thing for our customers."

Challenging to Oracle, welcomed by some users and, evidently, challenging to other users.

"I was equally surprised when Microsoft announced they were going to a 30-day release cycle," wrote one user, who requested anonymity. "[In my opinion], the companies are taking advantage of sysadmins who are reluctant to patch an operational system. - I think any sysadmin would agree for the most part [that] small, incremental security patches are magnitudes easier to deal with than some monster like Microsoft's 200MB+ XP SP2 [Service Pack 2]."

Not everyone agrees. Kelly Cox, an Oracle DBA who runs a small consultancy in Alexandria, Va., said she'd much rather deal with patches in one fell swoop, rather than having them dribble in as with the current model.

"I'd rather just get it and have them explain what it's for, and then if it applies to me, I can apply it," Cox said. "The only problem is waiting for that [monthly date]."

The Oracle spokeswoman confirmed that the security vulnerabilities in question - which were reported by Next Generation Security Software Ltd.'s David Litchfield at last month's BlackHat conference in Las Vegas - affect Oracle Database, Oracle Application Server and Oracle Enterprise Manager. She said the commonly reported number of vulnerabilities, which is 34, is inaccurate, but did not give a correct figure.

However many there are, they have all been fixed in base development, the spokeswoman said - i.e., in the main code base for Oracle products.

But why the delay, given that Oracle was first told about the vulnerabilities between January and February?

"Oracle company policy requires that significant security issues be fixed on all supported releases and platforms," she wrote. "Generally, a security alert will be issued when all patches are ready.
This policy ensures that our customers are treated equally, receiving the same level of notification and protection."

All patches are expected to be completed by Aug. 31, at which time an alert will be issued, she said.

From isn at c4i.org Thu Aug 19 12:01:42 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 19 12:07:37 2004
Subject: [ISN] Resident Evil viral marketing ploy backfires
Message-ID:

http://www.theregister.co.uk/2004/08/18/t-virus_hoax_spam/

By John Leyden
18th August 2004

A marketing campaign to promote the latest version of the Resident Evil video game has provoked a panic about the spread of a non-existent mobile phone virus.

Users have received unsolicited SMS text messages on their mobile phones telling them they are infected by the so-called T-Virus, prompting calls to AV company Sophos about the supposed outbreak. The messages are sent from a website designed to promote the game Resident Evil: Outbreak, in which players defend themselves against zombies by blowing their heads off with a shotgun.

The website allows unsolicited text messages to be sent to mobile phones claiming that the phone is infected, without the permission of the phone's owner. A typical message reads: "Outbreak: I'm infecting you with t-virus, my code is ******. Forward this to 60022 to get your own code and chance to win prizes. More at t-virus.co.uk."

"The messages themselves are not infectious, but some people have panicked that they might have received a real mobile phone virus," said Graham Cluley, senior technology consultant for Sophos. "This marketing campaign seems particularly ill-conceived, as there is so much genuine interest in the mobile virus threat at present."

CE Europe, the company behind the marketing campaign, has issued a press release which makes it clear that the whole thing is a promotional stunt. IT departments and anti-virus support staff have enough work in dealing with real viruses without dealing with hoaxes.
Doubtless, they will be less than whelmed by the self-proclaimed ingenuity of CE Europe's viral marketing tactics.

It's not the first time a virus hoax has been started to promote a product. In 1996, Penguin Books started the Irina hoax in an attempt to promote a new book. The hoax continued to spread and cause confusion for some years. VMyths provides extensive background on the whole virus hoax phenomenon.

From isn at c4i.org Fri Aug 20 04:23:21 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Aug 20 04:36:14 2004
Subject: [ISN] REVIEW: "Computer Security for the Home and Small Office", Thomas C. Greene
Message-ID:

Forwarded from: andy cuff

Hi,

The need for such a book is huge! Along these very lines I have compiled a webpage detailing various products that a home user can use for FREE and will provide a Windows user with a huge leap forward in protection, especially if they are not willing to pay for commercial products, or they have done so but their subscription has lapsed.

Details can be found on the Talisker Security Wizardry Site at http://securitywizardry.com/homeuser.htm

take care
-andy cuff

From isn at c4i.org Fri Aug 20 04:25:42 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Aug 20 04:36:16 2004
Subject: [ISN] Secunia Weekly Summary - Issue: 2004-34
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2004-08-12 - 2004-08-19

This week : 40 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information.

Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

ADVISORIES:

Liu Die Yu has discovered a new address bar spoofing vulnerability in Internet Explorer. The vulnerability can be exploited by performing a sequence of steps, which then leads to Internet Explorer not being able to update the address bar correctly.

Secunia has made a demonstration of the vulnerability, which can be found here:
http://secunia.com/internet_explorer_address_bar_spoofing_test_popup/

More details are available in the Secunia advisory below.

Reference:
http://secunia.com/SA12304

--

A vulnerability has been reported within an ActiveX object that comes with Adobe Acrobat Reader 5 and Adobe Reader 6. The vulnerability can be exploited to compromise a vulnerable system, if the user e.g. visits a malicious web page.

Adobe has issued a fix for this problem.

Reference:
http://secunia.com/SA12303

VIRUS ALERTS:

During the last week, Secunia issued two MEDIUM RISK virus alerts.
Please refer to the grouped virus profiles below for more information:

Mydoom.n - MEDIUM RISK Virus Alert - 2004-08-16 23:36 GMT+1
http://secunia.com/virus_information/10738/mydoom.n/

RATOS.A - MEDIUM RISK Virus Alert - 2004-08-16 09:19 GMT+1
http://secunia.com/virus_information/11145/ratos.a/

========================================================================
3) This Weeks Top Ten Most Read Advisories:

1. [SA12304] Internet Explorer Address Bar Spoofing Vulnerability
2. [SA11978] Multiple Browsers Frame Injection Vulnerability
3. [SA12198] AOL Instant Messenger "Away" Message Buffer Overflow Vulnerability
4. [SA12280] Nokia IPSO Denial of Service Vulnerability
5. [SA12303] Adobe Acrobat Reader ActiveX Control Buffer Overflow Vulnerability
6. [SA12188] Mozilla / Mozilla Firefox User Interface Spoofing Vulnerability
7. [SA11793] Internet Explorer Local Resource Access and Cross-Zone Scripting Vulnerabilities
8. [SA12285] Adobe Acrobat Reader Shell Command Injection and Buffer Overflow Vulnerability
9. [SA12048] Microsoft Internet Explorer Multiple Vulnerabilities
10. [SA12125] Gaim Unspecified MSN Protocol Buffer Overflow Vulnerabilities

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA12303] Adobe Acrobat Reader ActiveX Control Buffer Overflow Vulnerability
[SA12304] Internet Explorer Address Bar Spoofing Vulnerability
[SA12301] MAILsweeper for SMTP Attachment Blocking Bypass Vulnerability
[SA12291] Kerio Mailserver Unspecified HTTP Service Vulnerabilities
[SA12278] MapInfo Discovery Cross-Site Scripting and Authentication Bypass Vulnerability
[SA12277] MAILsweeper for SMTP PowerPoint Document Processing Denial of Service
[SA12279] BadBlue Proxy Relay Vulnerability

UNIX/Linux:
[SA12319] YaPiG Arbitrary Command Execution Vulnerability
[SA12314] Gentoo update for xine
[SA12292] Mandrake update for gaim
[SA12287] SuSE update for gaim
[SA12283] Mandrake update for mozilla
[SA12282] Gentoo update for gaim
[SA12320] Heimdal ftpd Signal Handling Vulnerabilities
[SA12318] NetBSD update for ftpd
[SA12300] Xephyrus JST Directory Traversal Vulnerability
[SA12295] Gentoo update for acroread
[SA12289] Conectiva update for squirrelmail
[SA12285] Adobe Acrobat Reader Shell Command Injection and Buffer Overflow Vulnerability
[SA12284] Gentoo update for kdebase / kdelibs
[SA12281] Gentoo update for gv
[SA12315] Mandrake update for rsync
[SA12313] Gentoo update for rsync
[SA12312] Trustix update for rsync
[SA12310] Debian update for rsync
[SA12307] SuSE update for rsync
[SA12294] Rsync Path Sanitation Vulnerability
[SA12286] Sympa Unauthorised List Creation Security Issue
[SA12311] Debian update for kdelibs
[SA12299] Rxvt-unicode Arbitrary Terminal Window Access Vulnerability
[SA12296] Gentoo Tomcat Privilege Escalation Vulnerability
[SA12293] Debian update for ruby
[SA12290] Ruby CGI Session Management Insecure File Creation Vulnerability
[SA12288] Gentoo update for nessus
[SA12309] CVS File Existence Information Disclosure Weakness

Other:
[SA12280] Nokia IPSO Denial of Service Vulnerability

Cross Platform:
[SA12317] PSCRIPT Forum User Profile Script Insertion Vulnerability
[SA12308] Cacti SQL Injection and Path Disclosure Vulnerability
[SA12298] QuiXplorer Directory Traversal Vulnerability
[SA12297] Simple Form Open Mail Relay Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:
--

[SA12303] Adobe Acrobat Reader ActiveX Control Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-08-16

Rafel Ivgi has reported a vulnerability in Adobe Acrobat Reader, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12303/

--

[SA12304] Internet Explorer Address Bar Spoofing Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Spoofing
Released:    2004-08-16

Liu Die Yu has discovered a vulnerability in Internet Explorer, which potentially can be exploited by malicious people to conduct phishing attacks against a user.

Full Advisory:
http://secunia.com/advisories/12304/

--

[SA12301] MAILsweeper for SMTP Attachment Blocking Bypass Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2004-08-16

Martin O'Neal of Corsaire has reported a vulnerability in MAILsweeper for SMTP, which can be exploited by malicious people to bypass the attachment blocking functionality.

Full Advisory:
http://secunia.com/advisories/12301/

--

[SA12291] Kerio Mailserver Unspecified HTTP Service Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2004-08-13

Some vulnerabilities with an unknown impact have been reported in Kerio MailServer.
Full Advisory:
http://secunia.com/advisories/12291/

--

[SA12278] MapInfo Discovery Cross-Site Scripting and Authentication Bypass Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Exposure of sensitive information
Released:    2004-08-12

Various vulnerabilities have been reported in MapInfo Discovery, allowing malicious people to obtain sensitive information, conduct cross-site scripting attacks and bypass security authentication.

Full Advisory:
http://secunia.com/advisories/12278/

--

[SA12277] MAILsweeper for SMTP PowerPoint Document Processing Denial of Service

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2004-08-13

A vulnerability has been reported in MAILsweeper for SMTP, which can be exploited by malicious people to cause a DoS (Denial of Service) on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12277/

--

[SA12279] BadBlue Proxy Relay Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2004-08-12

Texonet has reported a vulnerability in BadBlue, allowing malicious people to relay connections.

Full Advisory:
http://secunia.com/advisories/12279/

UNIX/Linux:
--

[SA12319] YaPiG Arbitrary Command Execution Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-08-18

aCiDBiTS has reported a vulnerability in YaPiG, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12319/

--

[SA12314] Gentoo update for xine

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-08-18

Gentoo has issued an update for xine-lib. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/12314/

--

[SA12292] Mandrake update for gaim

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-08-13

MandrakeSoft has issued an update for gaim. This fixes multiple vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12292/

--

[SA12287] SuSE update for gaim

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-08-13

SuSE has issued an update for gaim. This fixes multiple vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12287/

--

[SA12283] Mandrake update for mozilla

Critical:    Highly critical
Where:       From remote
Impact:      Spoofing, DoS, System access
Released:    2004-08-13

MandrakeSoft has issued an update for mozilla. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service), spoof content of websites, or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12283/

--

[SA12282] Gentoo update for gaim

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-08-13

Gentoo has issued an update for gaim. This fixes multiple vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12282/

--

[SA12320] Heimdal ftpd Signal Handling Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Privilege escalation, System access
Released:    2004-08-18

Przemyslaw Frasunek has reported some vulnerabilities in Heimdal ftpd, which potentially can be exploited by malicious users to gain escalated privileges or compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/12320/

--

[SA12318] NetBSD update for ftpd

Critical:    Moderately critical
Where:       From remote
Impact:      Privilege escalation, System access
Released:    2004-08-18

NetBSD has issued an update for ftpd. This fixes some vulnerabilities, which potentially can be exploited by malicious users to gain escalated privileges or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12318/

--

[SA12300] Xephyrus JST Directory Traversal Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2004-08-16

A vulnerability has been reported in Xephyrus JST, which can be exploited by malicious people to read arbitrary files on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12300/

--

[SA12295] Gentoo update for acroread

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-08-16

Gentoo has issued an update for acroread. This fixes two vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12295/

--

[SA12289] Conectiva update for squirrelmail

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, Exposure of system information, Exposure of sensitive information
Released:    2004-08-13

Conectiva has issued an update for squirrelmail. This fixes multiple vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting, script insertion, and SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/12289/

--

[SA12285] Adobe Acrobat Reader Shell Command Injection and Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-08-13

Greg MacManus has reported two vulnerabilities in Adobe Acrobat Reader, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12285/

--

[SA12284] Gentoo update for kdebase / kdelibs

Critical:    Moderately critical
Where:       From remote
Impact:      Spoofing, Privilege escalation
Released:    2004-08-13

Gentoo has issued updates for kdelibs and kdebase. These fix two vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges, and one vulnerability, which can be exploited by malicious people to spoof the content of websites.

Full Advisory:
http://secunia.com/advisories/12284/

--

[SA12281] Gentoo update for gv

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-08-13

Gentoo has issued an update for gv. This fixes an older vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12281/

--

[SA12315] Mandrake update for rsync

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information, Exposure of system information
Released:    2004-08-18

MandrakeSoft has issued an update for rsync. This fixes a vulnerability, which potentially can be exploited by malicious users to read or write arbitrary files on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12315/

--

[SA12313] Gentoo update for rsync

Critical:    Less critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2004-08-18

Gentoo has issued an update for rsync.
This fixes a vulnerability, which potentially can be exploited by malicious users to read or write arbitrary files on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12313/

--

[SA12312] Trustix update for rsync

Critical:    Less critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2004-08-17

Trustix has issued an update for rsync. This fixes a vulnerability, which potentially can be exploited by malicious users to read or write arbitrary files on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12312/

--

[SA12310] Debian update for rsync

Critical:    Less critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2004-08-17

Debian has issued an update for rsync. This fixes a vulnerability, which potentially can be exploited by malicious users to read or write arbitrary files on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12310/

--

[SA12307] SuSE update for rsync

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information, Exposure of system information
Released:    2004-08-17

SuSE has issued an update for rsync. This fixes a vulnerability, which potentially can be exploited by malicious users to read or write arbitrary files on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12307/

--

[SA12294] Rsync Path Sanitation Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2004-08-16

A vulnerability has been reported in rsync, which potentially can be exploited by malicious users to read or write arbitrary files on a vulnerable system.
Full Advisory:
http://secunia.com/advisories/12294/

--

[SA12286] Sympa Unauthorised List Creation Security Issue

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2004-08-13

A security issue has been reported in Sympa, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/12286/

--

[SA12311] Debian update for kdelibs

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-08-17

Debian has issued an update for kdelibs. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/12311/

--

[SA12299] Rxvt-unicode Arbitrary Terminal Window Access Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2004-08-16

A vulnerability has been reported in rxvt-unicode, which potentially can be exploited by malicious, local users to manipulate or access sensitive information.

Full Advisory:
http://secunia.com/advisories/12299/

--

[SA12296] Gentoo Tomcat Privilege Escalation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-08-16

A vulnerability has been reported in the tomcat package for Gentoo, which can be exploited by malicious, local users to escalate their privileges.

Full Advisory:
http://secunia.com/advisories/12296/

--

[SA12293] Debian update for ruby

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2004-08-16

Debian has issued an update for ruby. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain knowledge of sensitive information.
Full Advisory:
http://secunia.com/advisories/12293/

--

[SA12290] Ruby CGI Session Management Insecure File Creation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2004-08-16

Andres Salomon has reported a vulnerability in Ruby, which potentially can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/12290/

--

[SA12288] Gentoo update for nessus

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-08-13

Gentoo has issued an update for nessus. This fixes a vulnerability, which potentially can be exploited by malicious, local users to escalate their privileges.

Full Advisory:
http://secunia.com/advisories/12288/

--

[SA12309] CVS File Existence Information Disclosure Weakness

Critical:    Not critical
Where:       From remote
Impact:      Exposure of system information
Released:    2004-08-17

A weakness has been reported in Concurrent Versions System (CVS), which potentially can be exploited by malicious users to gain knowledge of certain system information.

Full Advisory:
http://secunia.com/advisories/12309/

Other:
--

[SA12280] Nokia IPSO Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2004-08-12

A vulnerability has been discovered in Nokia IPSO, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12280/

Cross Platform:
--

[SA12317] PSCRIPT Forum User Profile Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-08-18

Christoph Jeschke has reported a vulnerability in PForum, allowing malicious users to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/12317/

--

[SA12308] Cacti SQL Injection and Path Disclosure Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of system information
Released:    2004-08-18

Fernando Quintero has reported two vulnerabilities in Cacti, which can be exploited by malicious people to see the installation path and conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/12308/

--

[SA12298] QuiXplorer Directory Traversal Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2004-08-16

Cyrille Barthelemy has reported a vulnerability in QuiXplorer, which can be exploited by malicious people to read arbitrary files on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12298/

--

[SA12297] Simple Form Open Mail Relay Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2004-08-16

A vulnerability has been reported in Simple Form, which can be exploited by malicious people to use it as an open mail relay.

Full Advisory:
http://secunia.com/advisories/12297/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

========================================================================

From isn at c4i.org Fri Aug 20 04:26:08 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Aug 20 04:36:17 2004
Subject: [ISN] South Pole 'cyberterrorist' hack wasn't the first
Message-ID:

Forwarded from: William Knowles

http://www.theregister.co.uk/2004/08/19/south_pole_hack/

By Kevin Poulsen, SecurityFocus
19th August 2004

It's a tale Tom Clancy might have written. From their lair in distant Romania, shadowy cyber extortionists penetrate the computers controlling the life support systems at an Antarctic research station, confronting the 58 scientists and contractors wintering over at the remote post with the sudden prospect of an icy death. After some twists and turns, the researchers are saved in the fourth act by an international law enforcement effort led by FBI agents wielding a controversial, but misunderstood, federal surveillance law.

That's the story behind an intrusion into the network at the National Science Foundation's Amundsen-Scott South Pole Station in May of last year, as it's been told by the FBI and the US Attorney General. But did it actually happen that way?

The attack itself was real enough. On May 3rd, network administrators for US Antarctic Program and the South Pole Station received an anonymous e-mail with the subject line "South Pole Station Servers HACKED."

"This is a message from earth to earth, do you copy?," the e-mail began. The message demanded money, and threatened to sell information stolen from the network "to another country," according to the FBI. To establish their bona fides, the intruders attached a sample of data lifted from the South Pole network.
Network administrators quickly took the compromised system offline and began forensics, while FBI computer crime experts traced the demand letter to a cyber café in Romania - a country that exports hacker extortion schemes the way Nigeria produces Internet advance fee scams. Agents zeroed in on two suspects who were already targets of FBI investigations in Mobile, Alabama and Los Angeles, California for similar protection rackets, and the pair were quickly rolled up by Romanian law enforcement. The matter "is now pending prosecution in Romania," says FBI spokesman Joe Parris.

But did the intruders really endanger the lives of the 58 scientists and contractors? Could they have shut off the heat at a time of year when aircraft don't dare to land for anything short of a medical emergency?

The most dramatic element of the South Pole story was absent from the FBI's first public release on the attack in July of last year. That account - which has since been scrubbed from the FBI's website [1] - underscored the importance of the Internet to scientists living at the South Pole station, describing connectivity as "a lifeline" to the outside world. But that's as far as it went.

The hacked life support system first crept into the tale last February, in testimony by FBI cyber chief Keith Lourdeau to a Senate subcommittee conducting hearings on "cyber terrorism."

"During May, the temperature at the South Pole can get down to 70 degrees below zero Fahrenheit; aircraft cannot land there until November due to the harsh weather conditions," says Lourdeau. "The compromised computer systems controlled the life support systems for the 50 scientists." (The FBI's Parris said he hadn't seen Lourdeau's Senate testimony, and was therefore not able to comment on it.)

Lourdeau took pains in his testimony to point out that the FBI still has not seen anything that qualifies as cyber terrorism under the bureau's definition of the term.
But last month Attorney General John Ashcroft showed less reticence in describing the South Pole hacks as "a cyber-terrorist threat" in a 29-page Justice Department report meant to highlight, through dozens of examples, the importance of the controversial USA Patriot Act, which he claimed had aided agents tracking the alleged cyber terrorists' email.

"The hacked computer ... controlled the life support systems for the South Pole Station that housed 50 scientists 'wintering over' during the South Pole's most dangerous season," reads the Justice Department report. "Due in part to the quick response allowed by [the USA Patriot Act], FBI agents were able to close the case quickly with the suspects' arrest before any harm was done to the South Pole Research Station."

Memo: 'No Critical System Corrupted'

When Newsweek examined the Justice report last month, the NSF disputed the role the USA Patriot Act played in the Romanian investigation. But spokesman Peter West says the Foundation will not otherwise comment on the South Pole intrusion. Justice Department spokesman Mark Corallo didn't return a phone call inquiring about the description of events in the Justice report.

But an internal assessment of the attack by NSF senior staff, intended to explain the intrusion to the NSF's inspector general and obtained by SecurityFocus under the Freedom of Information Act, appears at odds with the Justice Department's version. For starters, by the time the suspects were arrested, the compromised system had already been secured -- the arrests were apparently not responsible for preventing harm to the station. And as described in the memo, released as a partially-redacted draft, the incident was something less than a cyber terror attack to begin with, and prompted a measured response from network administrators.
"Given the fact that no financial records or systems were compromised, no safety or loss of life was threatened, and no critical system corrupted" by the Romanian hackers, "we need to balance legitimate security needs with the legitimate needs of our scientists at the Pole," the memo reads. The assessment noted that, at the time of the Romanian intrusion, the South Pole's network was less secure than other NSF sites "purposely to allow for our scientists at this remotest of locations to exchange data under difficult circumstances."

Indeed, the station was no stranger to hack attacks when the would-be extortionists struck. Other documents show that less than two months earlier the NSF's security team was plunged into a similar fire drill when a computer intruder named "PoizonB0x" penetrated the primary and backup data acquisition servers for a radio telescope at the station called the Degree Angular Scale Interferometer (DASI), which measures properties of the cosmic microwave background radiation -- the afterglow of the Big Bang. The intruder, rated a prolific website defacer by tracking site Zone-H, used his moment of cosmic access to erect a webpage on the servers proclaiming, "I love my angel Laura."

PoizonB0x's Antarctic love letter apparently failed to spur a change in the station's cyber security posture. The Romanian extortion attempt did, and on May 12th of last year the NSF's director of polar programs, Karl Erb, issued a memo ambitiously directing all "science, operations and personal use systems connected to the South Pole station network to identify and correct all known vulnerabilities." Erb also announced a tightening of the firewall rules for the network. "This aligns the security posture at South Pole with the other stations," he wrote.
[1] http://www.landfield.com/isn/mail-archive/2003/Jul/0092.html

*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Fri Aug 20 04:26:25 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Aug 20 04:36:19 2004
Subject: [ISN] Opinion: Cryptanalysis of MD5 and SHA: Time for a new standard
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,,95343,00.html

Opinion by Bruce Schneier
Counterpane Internet Security Inc.
AUGUST 19, 2004
COMPUTERWORLD

At the Crypto 2004 conference in Santa Barbara, Calif., this week, researchers announced several weaknesses in common hash functions. These results, while mathematically significant, aren't cause for alarm. But even so, it's probably time for the cryptography community to get together and create a new hash standard.

One-way hash functions are a cryptographic construct used in many applications. They are used with public-key algorithms for both encryption and digital signatures. They are used in integrity checking. They are used in authentication. They have all sorts of applications in a great many different protocols. Much more than encryption algorithms, one-way hash functions are the workhorses of modern cryptography.

In 1990, Ron Rivest invented the hash function MD4. In 1992, he improved on MD4 and developed another hash function: MD5. In 1993, the National Security Agency published a hash function very similar to MD5, called the Secure Hash Algorithm (SHA). Then in 1995, citing a newly discovered weakness that it refused to elaborate on, the NSA made a change to SHA. The new algorithm was called SHA-1.
Today, the most popular hash function is SHA-1, with MD5 still being used in older applications.

One-way hash functions are supposed to have two properties. One, they're one-way. This means that it's easy to take a message and compute the hash value, but it's impossible to take a hash value and re-create the original message. (By "impossible," I mean "can't be done in any reasonable amount of time.") Two, they're collision-free. This means that it's impossible to find two messages that hash to the same hash value. The cryptographic reasoning behind these two properties is subtle, and I invite curious readers to learn more in my book Applied Cryptography.

Breaking a hash function means showing that either -- or both -- of those properties aren't true.

Cryptanalysis of the MD4 family of hash functions has proceeded in fits and starts over the past decade or so, with results against simplified versions of the algorithms and partial results against the whole algorithms. This year, Eli Biham and Rafi Chen, and separately Antoine Joux, announced some pretty impressive cryptographic results against MD5 and SHA. Collisions have been demonstrated in SHA. And there are rumors, unconfirmed at this writing, of results against SHA-1.

The magnitude of these results depends on who you are. If you're a cryptographer, this is a huge deal. While not revolutionary, these results are substantial advances in the field. The techniques described by the researchers are likely to have other applications, and we'll be better able to design secure systems as a result. This is how the science of cryptography advances: We learn how to design new algorithms by breaking other algorithms.

In addition, algorithms from the NSA are considered a sort of alien technology: They come from a superior race with no explanations. Any successful cryptanalysis against an NSA algorithm is an interesting data point in the eternal question of how good they really are in there.
As a user of cryptographic systems -- as I assume most readers are -- this news is important, but not particularly worrisome. MD5 and SHA aren't suddenly insecure. No one is going to be breaking digital signatures or reading encrypted messages anytime soon with these techniques. The electronic world is no less secure after these announcements than it was before.

But there's an old saying inside the NSA: "Attacks always get better; they never get worse." These techniques will continue to improve, and probably someday there will be practical attacks based on these techniques.

It's time for us all to migrate away from SHA-1.

Luckily, there are alternatives. The National Institute of Standards and Technology (NIST) already has standards for longer -- and harder-to-break -- hash functions: SHA-224, SHA-256, SHA-384 and SHA-512. They're already government standards and can already be used. This is a good stopgap, but I'd like to see more.

I'd like to see NIST orchestrate a worldwide competition for a new hash function, like it did for the new encryption algorithm, Advanced Encryption Standard, to replace Data Encryption Standard. NIST should issue a call for algorithms and conduct a series of analysis rounds, where the community analyzes the various proposals with the intent of establishing a new standard.

Most of the hash functions we have and all the ones in widespread use are based on the general principles of MD4. Clearly we've learned a lot about hash functions in the past decade, and I think we can start applying that knowledge to create something even more secure.

Better to do it now, when there's no reason to panic, than years from now, when there might be.

NIST's SHA site
http://csrc.nist.gov/CryptoToolkit/tkhash.html

Bruce Schneier is the chief technology officer of Counterpane Internet Security Inc. in Mountain View, Calif. You can subscribe to his monthly "Crypto-Gram" newsletter at www.schneier.com.
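Two of the column's points lend themselves to a worked example: the cost of a generic collision search grows with the digest width (the birthday bound, roughly 2^(n/2) evaluations for an ideal n-bit hash, which is why the wider SHA-2 functions are the recommended stopgap), and an application can only "migrate away from SHA-1" painlessly if its stored digests say which algorithm produced them. The Python below is an added example written for this archive, not code from Schneier's column or from NIST; the tagged `alg:hexdigest` storage format, the `DEPRECATED`/`ACCEPTED` sets and the function names are all assumptions made for the illustration.

```python
"""Hash agility in practice (added example; not from the column above).

Shows the birthday bound for the hash widths the column mentions and a
self-describing digest format that lets a verifier refuse MD5/SHA-1 by
default, accept them only during a migration window, and re-hash old
records with SHA-256. All names and the storage format are assumptions.
"""
import hashlib
import hmac

# Functions the column says to move away from, versus the NIST-standardised
# SHA-2 family it names as the current alternative.
DEPRECATED = {"md5", "sha1"}
ACCEPTED = {"sha224", "sha256", "sha384", "sha512"}


def birthday_bound_bits(digest_bits: int) -> float:
    """log2 of the expected number of evaluations a generic collision search
    needs against an ideal hash of this width (the birthday bound)."""
    return digest_bits / 2


def tagged_digest(data: bytes, alg: str = "sha256") -> str:
    """Return 'alg:hexdigest'. Tagging the algorithm is what makes a later
    migration possible: the verifier reads the tag instead of guessing."""
    if alg not in ACCEPTED:
        raise ValueError(f"refusing to create new digests with {alg}")
    return f"{alg}:{hashlib.new(alg, data).hexdigest()}"


def verify_tagged_digest(data: bytes, tagged: str, allow_legacy: bool = False) -> bool:
    """Check data against a tagged digest.

    Legacy (MD5/SHA-1) tags are rejected unless allow_legacy is set, so a
    deployment can first detect old records and then re-hash them.
    """
    alg, sep, expected = tagged.partition(":")
    if sep != ":" or not expected:
        raise ValueError("malformed tagged digest")
    if alg in DEPRECATED and not allow_legacy:
        return False
    if alg not in DEPRECATED | ACCEPTED:
        raise ValueError(f"unknown hash algorithm {alg!r}")
    actual = hashlib.new(alg, data).hexdigest()
    # Constant-time comparison so timing does not reveal how many leading
    # characters of the stored value matched.
    return hmac.compare_digest(actual, expected)


def migrate_record(data: bytes, tagged: str) -> str:
    """Re-hash a record stored under a legacy algorithm, verifying the old
    value first so a corrupted record is not silently re-blessed."""
    if not verify_tagged_digest(data, tagged, allow_legacy=True):
        raise ValueError("stored digest does not match data; not migrating")
    return tagged_digest(data, "sha256")


if __name__ == "__main__":
    # Constructed sample input for the demonstration.
    msg = b"abc"
    legacy = "sha1:" + hashlib.sha1(msg).hexdigest()
    print("generic collision cost, MD5:     2^%d" % birthday_bound_bits(128))
    print("generic collision cost, SHA-1:   2^%d" % birthday_bound_bits(160))
    print("generic collision cost, SHA-256: 2^%d" % birthday_bound_bits(256))
    print("legacy tag accepted by default?", verify_tagged_digest(msg, legacy))
    print("migrated record:", migrate_record(msg, legacy))
```

The design choice worth noting is that `verify_tagged_digest` returns `False` for a legacy tag by default rather than silently accepting it: an integrity check that keeps honouring MD5 or SHA-1 values has not migrated at all, and the `allow_legacy` window exists only so that `migrate_record` can re-hash what is already stored.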
From isn at c4i.org Fri Aug 20 04:26:38 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Aug 20 04:36:20 2004
Subject: [ISN] NIST makes lists
Message-ID:

http://www.fcw.com/fcw/articles/2004/0816/web-nist-08-19-04.asp

By Florence Olsen
Aug. 19, 2004

A program that experts have said is the missing piece in federal efforts to promote secure computing will be ready later this year.

Officials at the National Institute of Standards and Technology announced that a security configuration checklists program for information technology products, including a logo that vendors can put on their wares, [1] is on track for completion before the end of 2004.

A security configuration checklist describes the software options and settings that users can choose to minimize the security risks associated with a particular type of hardware or software. More commonly referred to as lockdown guides or security benchmarks, security checklists are basically documents for securing IT hardware or software in different settings.

Security checklists for home computer users, for example, would be different from those for federal computer users handling sensitive data. A checklist could include scripts, templates and pointers to Web sites where users can download software updates or firmware upgrades to make products more secure from attack by viruses and other malicious code spread via the Web.

NIST officials said they plan to distribute the lists through a Web portal, checklists.nist.gov. The role of NIST employees will be to screen checklists to see that they meet the program's requirements, publish the checklists for public review and, finally, to add checklists to the repository and remove them when they become outdated.

NIST officials have already published two security checklists, one for Microsoft Corp.'s Windows 2000 and XP Professional. They can be downloaded from a NIST Web site: csrc.nist.gov/itsec.
NIST officials will work with other organizations that produce security checklists, including the Defense Information Systems Agency and National Security Agency, and the nonprofit Center for Internet Security. The checklist program, however, has no connection to the federal government's National Information Assurance Partnership, a security program for testing products in a laboratory setting.

The scope of the security checklist program is broad, officials said, and will include operating systems, database software, Web servers, e-mail servers, routers, intrusion-detection systems, virtual private networks, biometric devices, smart cards, telecommunications switches and Web browsers.

To locate a particular checklist, users will be able to search with at least 14 different fields, including checklist point of contact, product manufacturer name, product name, product version and platforms on which the checklist was tested. NIST officials envision the portal being used by everyone, including product developers, government agencies, businesses and citizens.

NIST's authority for creating the security checklist program comes from a 2002 law, the Cyber Security Research and Development Act. The Homeland Security Department is listed on NIST's Web site as a program sponsor.

[1] http://csrc.nist.gov/publications/drafts.html

From isn at c4i.org Fri Aug 20 04:26:52 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Aug 20 04:36:22 2004
Subject: [ISN] Microsoft fixes XP SP2 patching flaw
Message-ID:

http://www.nwfusion.com/news/2004/0819mspatch.html

By John Fontana
Network World Fusion
08/19/04

Microsoft Thursday released a fix for the Windows XP Service Pack 2 installation package it provided to corporate users of its free patch deployment server to correct a flaw that would not allow IT to stealthily install the service pack without end-user intervention.
The problem affected those using Microsoft's Software Update Services (SUS), a free Windows server add-on that runs behind the corporate firewall. SUS allows companies to create a centralized internal staging area and schedule the distribution of patches after they are tested and approved instead of downloading patches from Microsoft directly to desktops.

Microsoft informed users that the deployment of XP SP2 through SUS would be "silent" and not require any end-user intervention, but that turned out not to be the case to the surprise and dismay of users.

"Client computers did not silently install the service pack at the scheduled time," says Brian Doré, an administrator in the office of information systems at the University of Louisiana at Lafayette. "Instead they wait for a user login and prompt to start the SP2 Wizard and [end user license agreement]. Users can also cancel the install at this point. Obviously it was a major problem."

Doré says the university typically silently installs service packs in the wee hours of the morning. "Users that arrived at work the next morning were greeted with the SP2 Wizard when they logged on and were given the choice to cancel or install. Those that canceled were not patched. Those that accepted the install could not use their computers for up to 30 minutes while the patch installed."

So instead of having his desktops updated, Doré was left with a hodge-podge of patched and unpatched clients and forced to temporarily block his SUS server from distributing SP2.

The fix was made available Thursday and SUS users will automatically get a small update file when they synchronize SUS servers with the Microsoft Windows Update service that provides patches, according to Microsoft officials. Users also can execute a manual download to get the file. The synchronization will not download the entire XP SP2 package if it has already been downloaded.
Microsoft officials said the problem was with the "install parameters" of the XP SP2 package made available to SUS users and not with XP SP2 itself. The fix is contained in a 1M-byte file called aurtf.cab, which contains the metadata to update the XP SP2 install package for SUS.

SUS works in conjunction with a client side mechanism called Automatic Updates, which grabs the patches from the SUS server and installs them on the desktop.

Last week, Microsoft issued a set of tweaks for Automatic Updates that block it for the next 120 days from automatically downloading XP SP2 directly from Microsoft's Windows Update service. Users had asked for more time to test the patch before Automatic Updates kicked off on Monday.

Microsoft is expected soon to post information on the SUS issue on its SUS Web site [1].

[1] http://www.microsoft.com/windowsserversystem/sus/default.mspx

From isn at c4i.org Fri Aug 20 04:27:27 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Aug 20 04:36:23 2004
Subject: [ISN] HERT interviews Kismet's author, Mike Kershaw
Message-ID:

http://hert.org/story.php/46/

By sulla
August 19, 2004

Kismet is simply the best war driving tool out there plus it's free as in GPL. It runs on linux, *BSD, Mac OS X and even on your little linux PDA. The brain and guts driving its development is Mike Kershaw alias Dragorn, who works during the day on IBM mainframes and hacks kismet code at night. Mike graciously agreed to a HERT interview to tell us a little bit more about himself, his view on WiFi security and the future of Kismet.

What is your background?

I've been running Linux for about 10 years now, and programming since I was a wee larva on a TI-99a console.

What do you do for living?

My non-wireless alter ego gets paid for doing work with big iron - IBM mainframes and large numbers of virtual servers.

What were you working on before you started kismet?
Nothing of any great notice -- I've always had a continual slow trickle of code for various projects, bugfixing other software I use, etc. Kismet was my first public project that really caught on.

I guess you probably consider yourself a hacker. Define hacking?

My preference is the old-school definition - if you mean digging into things, figuring out how they work, and having fun learning, of course!

Tell us about the first time you played with wireless networks and what motivated you to start coding kismet?

I'd gotten a cheap linksys card and was poking around and found Airsnort. At the time, the drivers only supported PF_NETLINK sockets to fetch packets, which meant only one program could capture packets at a time, and airsnort had no capabilities to dump the packets to a file - watching the number of packets seen count up isn't much fun if you can't do anything with them! Kismet's very beginnings were a set of modifications to airsnort to display SSIDs and log the data to a dumpfile that ethereal could read. Once I got a cisco card, I had to rewrite the capture system to support different drivers, and it just grew from there and became its own program entirely.

Did you imagine that the security of wifi networks would be so bad??

Definitely not at the beginning! Now I've become entirely jaded towards security as a whole (or rather, people's complete lack of it) and not much surprises me when it comes to open wireless networks. Despite all the press about it, the overall percentage of unencrypted networks is still at about 80% (*), and companies still make the news for exposing personal data over insecure networks.

(*) Percentage gathered from the pc running in my car that monitors all the time

I bought a linksys wrt54g access point 2 weeks ago and by default WPA encryption isn't enabled and the password was admin. Wifi products are marketed as reliable and secure. Don't you think they give a false sense of security?
I think it all depends what environment you're using the network in. Most home users are, bluntly, boring: The chances of someone spending the time to crack WPA (or even WEP) just to get to your network connection is pretty slim, especially when they can just go 10 feet down the road and find an open one. For most people at home, WPA should be just fine. I think the program really comes in in the small office segment. If you run a business that handles personal information about customers, I DEFINITELY wouldn't trust WEP or WPA alone. Unfortunately, the same group likely to buy consumer hardware like this for a smaller office is the same group least likely to understand the security implications. I don't know how this can be solved, other than more education about security.

What do you think of the WiFi Alliance's effort to fix WEP with WPA? Will 802.11i finally raise the bar high enough in terms of security?

It's a step forwards, for sure, but it's not going to solve everything. In fact, work is being done now which exposes holes in the key distribution used by most vendors - the IEEE spec doesn't specify that the backend Radius connection has to be encrypted, and once that is known the entire key exchange can be extracted.

Have you obtained any financing? major sponsor or donation for your project?

I've gotten continual donations of hardware from users who want better support for different cards - without that, I don't think Kismet would work as well as it does with as many different cards. Obviously, I won't turn down donations of any sort, but I don't spend a lot of time actively seeking them.

Are you working on a commercial version of Kismet?

Nope, no real plans for a commercial version. I'm a big fan of open source, Kismet couldn't have gotten to where it is without other open source projects for me to learn from and draw upon, and I wouldn't feel right turning it into a commercial product.
On the vendor side, do you think any products could compete with Kismet? What do you think of Air Defense?

I've got a comment I usually make when asked that: "Anyone who can afford AirDefense isn't going to even consider an open source product." I don't really view myself in direct competition with them, though of course I hope to keep advancing Kismet until it can be considered enterprise-quality as well. To some extent, the commercial vendors will always be a step ahead, since they sign NDAs and get full information on the chipsets, while the open source side is limited to the information which is made public.

What's the status of the plugin architecture and api?

Still working on it. Every release brings Kismet a little closer to supporting plugins, as more and more of the core of the program gets rewritten and modularized. Soon I'll be replacing large sections of code and redesigning the core packet handlers to be modular, I've got about 5000 lines pending completion to merge in now.

Kismet is running as root and it uses pcap and ethereal libs; have you implemented some kind of privilege separation like in openssh yet?

Actually it's had that for a very long time - it does a combination of process separation and priv dropping. Current versions of Kismet spin a separate process and communicate via IPC to perform root operations like channel control, while the main packet capture/parsing/logging/etc process drops privs to the specified user immediately after binding to the interfaces. It's possible to disable this, but I don't suggest it at all.

I know you receive patches from kismet users; I submitted one once :) but it seems that kismet is still a one man show.

I'm always happy to get patches and talk to people about changes. At the moment I don't really have anything set up to allow anyone else direct access to change the code.
Part of it is my own coding style - I usually have a very clear idea of where I want the code to go and how I want new features to work, which unfortunately makes it somewhat exclusive. I'd like to think I'm fairly approachable with new ideas however, and I try to make the interfaces to interact with Kismet as open as possible (for example, the client/server protocol and the FIFO named pipe).

Netstumbler always gets a lot of press even though it is a very inferior program compared to Kismet; doesn't that piss you off sometimes?

I'm sure there's enough media attention to go around. Really, netstumbler targets a bit of a different audience. It doesn't bother me much.

What do you think of kismac, bsd airtools, abbadon's airjack?

Kismac is some good code, their name causes a little confusion but they do a good job of making an OSX-native tool. Airjack is more proof of concept than really workable.

What computers and equipment do you own? You probably receive a bunch of hardware donations from users who want you to support specific network devices.

I've got a sony laptop for most of my development, and I try to get one of each chipset out there to help with support.

How hard would it be to reverse engineer and implement a RFMON driver for Airport Extreme and other broadcom chipsets?

Fairly difficult. You'd have to set up a lowlevel debugger in windows and trace every memory write it does to the pcmcia card, and then try to interpret them. I haven't even attempted it since I don't run windows anywhere.

What's on your todo list?

New tcp core, new packet path, plugins, new IDS stuff, general rewrite and cleanup of a lot of code, and general cleanup and stability fixes. Always something.

War Driving in town using kismet kinda reminds me of the VL glasses in William Gibson's novel, Virtual Light. These data-glasses overlay data and plans on top of your vision, the same way you can imagine wireless networks and IP packets bouncing from building to building.
There are 3d GPS navigation gizmos on the market already; do you have any long term plan to implement realtime 3d mapping?

It would be fun! I've toyed with the idea, of course, anyone who's interested can write a gl client to tie into the client/server protocol.

Besides kismet any other projects or ideas?

I'm finishing up the cleanup of the smart-ap code I wrote for hope5 to try to manage intelligent groups of access points in hostile environments like hacker conventions.

Your girlfriend or wife isn't jealous you spend a lot of time on computers?

Well, I'm single at the moment. I suppose that answers that question.

-m

From isn at c4i.org Mon Aug 23 03:30:03 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 23 03:38:17 2004
Subject: [ISN] Call for Papers : Pak Con 1st
Message-ID:

Forwarded from: fz@pakcon.org

[ call for papers ]

Papers and presentations are now being accepted for PakCon 1st, Pakistan's First Hacking convention.

[ submission ]

Papers that are more technical or that discuss new and never-seen-before attack methods are of more interest than a subject that has been covered several times before. We are striving to create a deep-knowledge technical conference and any presentation that helps achieve this will most likely be selected.

Speakers wishing to present their papers at the convention should submit a 1 page abstract of their topic of discussion either in plain text or portable document format (.pdf) latest by August 20th, 2004 at cfp@pakcon.org. Attachments of any other form or those triggering our antivirus software shall be deleted and the speaker shall not be entertained.

Candidates whose papers are selected for presentation will be contacted via e-mail if there are any questions regarding their presentation, and would be required to submit their complete papers no later than September 10th, 2004. Complete papers are to be submitted with hard copies of the same for distribution amongst the audience.
[ topics ]

Topics of interest include, but are not limited to the following:

. Information Security
. Network & Vulnerability Analysis
. Penetration Testing
. Firewall technologies
. Intrusion detection and prevention technologies
. Denial-of-service attacks and countermeasures
. Encryption technologies
. Honeypots / Honeynets
. 0-day Attacks
. Incident Response and Disaster Recovery
. GPRS and CDMA Security
. Access Control & Authentication
. Network Protocol and Analysis
. Viruses, Worms, Trojans
. WLAN and Bluetooth Security
. Malicious code analysis
. Analysis of attacks against networks and machines
. OS Hardening
. File system security
. Security in heterogeneous and large-scale environments
. Techniques for developing secure systems

This list is not intended to limit possible topics, but is merely to give examples of topics.

Please note: We do not accept product or vendor related pitches. If your talk involves an advertisement for a new product or service your company is offering, please do not submit.

[ presentation resources ]

Requirements for any special audio/video or presentation aid should be communicated well in advance to the management who will try their best to arrange for the same. In the event of requirement of proprietary equipment the speaker is to arrange for the same. In any case, the speaker is required to inform the management of his/her presentation hardware/software.

[ timing ]

Each speaker shall be allotted a time slot of a maximum of 45 minutes to setup and deliver his/her paper. It is expected the speaker will budget time for any special equipment setup and audience participation including a Q&A session.

[ remuneration ]

As Pak Con 1st is a community based, non-profit event, Pak Con will not be providing any remuneration for papers presented or for any products displayed during the course of events. Though, we will be able to provide accommodation to the speakers coming from outside Karachi, Pakistan.
For further details, please contact us directly. Now is the time to prepare and submit your Pak Con 1st presentation.

[ want more information? ]

Please visit http://www.pakcon.org/ for detailed information regarding speakers and accepted papers. Updated announcements will be posted to newsgroups, security mailing lists and this web site.

From isn at c4i.org Mon Aug 23 03:30:19 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 23 03:38:18 2004
Subject: [ISN] CREM goes AWOL in Albuquerque
Message-ID:

http://www.abqtrib.com/archives/news04/082004_news_crem.shtml

By James W. Brosnan
Scripps Howard News Service
August 20, 2004

WASHINGTON - Now it's the nuclear security watchdogs - in Albuquerque - who have lost track of CREM.

The National Nuclear Security Administration, the agency created because of concerns over lack of security at the nation's nuclear labs, said late Thursday there is an "accounting discrepancy" involving three electronic copies of the same classified document at NNSA offices in Albuquerque.

The classified removable electronic media, or CREM, did contain nuclear weapons data, NNSA spokesman Bryan Wilkes confirmed. He would not provide any more details or say why the document was at the Albuquerque offices of the agency.

The agency has asked the FBI to assist the Department of Energy's office of Security and Safety Performance Assessment, an independent office reporting directly to Energy Secretary Spencer Abraham, to investigate the missing CREM.

Bill Elwell, a spokesman for the Albuquerque FBI, said Thursday: "A case was referred to us by DOE and we are investigating. That's all I can say." The FBI got the case early this week, he said.

About 400 employees work at the NNSA office, Wilkes said. No disciplinary action has been taken against anyone so far, but all classified operations involving CREM have been halted, he said.
Wilkes said the discrepancy was discovered last week as part of Abraham's order to all DOE facilities to stop operations involving CREM and conduct a complete inventory of such media. That stemmed from the reported disappearance of a disk at Los Alamos National Laboratory, which some authorities now believe was the result of an accounting error.

The Los Alamos incident renewed calls by some lawmakers to terminate the University of California's contract to operate the New Mexico lab. The latest incident involves employees working directly for the federal government.

"Secretary Abraham's decision to require an inventory of all CREM in the Department of Energy was a prudent one," said NNSA Administrator Linton Brooks in a statement. "I am disappointed that we have found another case of lax procedures in protecting classified information. I expect NNSA employees, both federal and contractor, to adhere to the highest standards of performance."

From isn at c4i.org Mon Aug 23 03:30:43 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 23 03:38:20 2004
Subject: [ISN] Linux Advisory Watch - August 20, 2004
Message-ID:

+---------------------------------------------------------------------+
|                 LinuxSecurity.com Weekly Newsletter                 |
|                August 20, 2004    Volume 5, Number 33a              |
+---------------------------------------------------------------------+

Editors: Dave Wreski (dave@linuxsecurity.com)
         David Isecke (dai@linuxsecurity.com)

This week, advisories were released for acroread, ftpd, gaim, glibc, gv, kdelibs, kernel, mozilla, mysql, Nessus, Netscape, pam, qt3, Roundup, rsync, ruby, semi, spamassassin, squirrelmail, and Tomcat. The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, NetBSD, Red Hat, Suse, and Trustix.

-----
>> Internet Productivity Suite: Open Source Security <<

Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available.
Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn10
-----

Reducing the Risk

Reducing the risk of intrusion can be achieved by eliminating many of the known common problems. The vast majority of attacks are done by script kiddies who scan massive IP blocks looking for a vulnerable computer, then run a program which they don't understand, to exploit the vulnerability they've just discovered. To block these script kiddies just fix the common vulnerabilities that the programs they use rely on.

Buffer Overflow

A buffer overflow attack is when the attacker sends malformed packets to a service that causes the memory buffer to overflow. The cracker hopes this will cause the program to crash and default into a root prompt. Buffer overflows happen because of programming errors where input was not checked to be valid. To prevent buffer overflows, all code must be meticulously hand checked multiple times by multiple people. Since this is not often possible, to limit the chances of being successfully cracked by a buffer overflow attack, make sure you keep your systems up to date and get rid of all excess services. The fewer services your server offers, the less code there is that could contain a buffer overflow. Also, there are kernel patches that prevent some forms of buffer overflow.

Denial of Service

A Denial of Service, DoS, attack can come in many shapes and forms. The Blue Screen of Death from Windows can be one if it is caused by someone and not just poor programming. Also, the infamous DDoS attacks from earlier this year are an example where multiple 'zombie' computers coordinate together to attack a host all at the same time. A DoS attack is anything that maliciously prevents the computer from doing what was intended.
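The "input was not checked to be valid" point in the Buffer Overflow tip, shown as an added example (not code from the newsletter or its authors): a toy service parses messages laid out as a one-byte declared length followed by the payload, and the defensive parser checks the attacker-controlled length against both the bytes actually received and the fixed destination buffer before copying. The packet layout and the NAME_MAX buffer size are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the newsletter. A toy service receives
 * messages laid out as [1-byte declared length][payload] and copies the
 * payload into a fixed 32-byte buffer. The length byte comes off the
 * wire, so it is attacker-controlled; the range checks below are what
 * the "input was not checked to be valid" tip is about. */

#define NAME_MAX 32   /* destination buffer size, including the NUL */

enum parse_status {
    PARSE_OK = 0,
    PARSE_TOO_SHORT,   /* fewer bytes arrived than the header claims */
    PARSE_TOO_LONG     /* payload would not fit the destination buffer */
};

/* Defensive parser. The classic overflow is this same routine with the
 * two range checks missing: memcpy(out, pkt + 1, pkt[0]) would then
 * write up to 255 bytes into a 32-byte buffer on a malformed packet. */
enum parse_status parse_name(const uint8_t *pkt, size_t pkt_len,
                             char out[NAME_MAX])
{
    if (pkt_len < 1)
        return PARSE_TOO_SHORT;            /* no length byte at all */

    size_t declared = pkt[0];
    if (declared > pkt_len - 1)
        return PARSE_TOO_SHORT;            /* header lies about the size */
    if (declared >= NAME_MAX)
        return PARSE_TOO_LONG;             /* leave room for the NUL */

    memcpy(out, pkt + 1, declared);        /* now provably in bounds */
    out[declared] = '\0';
    return PARSE_OK;
}

/* The three cases below use constructed packets; each returns 1 when the
 * parser behaves as intended, so they double as self-checks. */
int demo_accepts_valid(void)
{
    const uint8_t pkt[] = { 5, 'a', 'l', 'i', 'c', 'e' };
    char out[NAME_MAX];
    return parse_name(pkt, sizeof pkt, out) == PARSE_OK
        && strcmp(out, "alice") == 0;
}

int demo_rejects_lying_length(void)
{
    /* Header claims 200 bytes but only one byte of payload follows. */
    const uint8_t pkt[] = { 200, 'x' };
    char out[NAME_MAX];
    return parse_name(pkt, sizeof pkt, out) == PARSE_TOO_SHORT;
}

int demo_rejects_oversized(void)
{
    /* Well-formed packet whose 64-byte payload exceeds the 32-byte buffer. */
    uint8_t pkt[1 + 64];
    char out[NAME_MAX];
    pkt[0] = 64;
    memset(pkt + 1, 'A', 64);
    return parse_name(pkt, sizeof pkt, out) == PARSE_TOO_LONG;
}

int main(void)
{
    printf("valid packet accepted:      %s\n", demo_accepts_valid() ? "yes" : "no");
    printf("lying length rejected:      %s\n", demo_rejects_lying_length() ? "yes" : "no");
    printf("oversized payload rejected: %s\n", demo_rejects_oversized() ? "yes" : "no");
    return 0;
}
```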
This is usually accomplished by errors in code that will cause the program to eat up all the system resources.

IP Session Hi-Jacking

IP Session Hi-Jacking, also known as a man in the middle attack, is a sophisticated attack which can now be done using tools circulating in the script kiddie community. With an IP Session Hi-Jacking, a user connects to a system using a service like telnet, then a cracker intercepts the packets and tricks the system into thinking that the cracker's machine is actually the user's machine. The user will think her connection got dropped, when in actuality, it is still going, but it has been taken over by the cracker. With this form of attack, there is no way to block it, but there are checks that can be done to prevent it. Telnet is the type of service that crackers want to hi-jack; it has shell access, is unencrypted, and doesn't perform many checks to make sure the person really is who they say they are. SSH, on the other hand, would be very hard to hi-jack; it has strong encryption, multiple checks of an identity, and can have its shell access limited. Most services can't really be hi-jacked, but the ones that can, like telnet, usually have a secure replacement, like SSH, that can be used instead.

Security Tip Written by Ryan Maple (ryan@guardiandigital.com)
Additional tips are available at the following URL:
http://www.linuxsecurity.com/tips/

----

An Interview with Gary McGraw, Co-author of Exploiting Software: How to Break Code

Gary McGraw is perhaps best known for his groundbreaking work on securing software, having co-authored the classic Building Secure Software (Addison-Wesley, 2002). More recently, he has co-written with Greg Hoglund a companion volume, Exploiting Software, which details software security from the vantage point of the other side, the attacker.
He has graciously agreed to share some of his insights with all of us at LinuxSecurity.com

http://www.linuxsecurity.com/feature_stories/feature_story-171.html

---------------------------------------------------------------------

Security Expert Dave Wreski Discusses Open Source Security

LinuxSecurity.com editors have a seat with Dave Wreski, CEO of Guardian Digital, Inc. and respected author of various hardened security and Linux publications, to talk about how Guardian Digital is changing the face of IT security today. Guardian Digital is perhaps best known for their hardened Linux solution EnGarde Secure Linux, touted as the premier secure, open-source platform for its comprehensive array of general purpose services, such as web, FTP, email, DNS, IDS, routing, VPN, firewalling, and much more.

http://www.linuxsecurity.com/feature_stories/feature_story-170.html

------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
| Distribution: Conectiva         | ----------------------------//
+---------------------------------+

8/13/2004 - squirrelmail
  Multiple vulnerabilities
  This patch addresses four vulnerabilities in SquirrelMail, including XSS and SQL injection attacks.
  http://www.linuxsecurity.com/advisories/conectiva_advisory-4669.html

+---------------------------------+
| Distribution: Debian            | ----------------------------//
+---------------------------------+

8/20/2004 - ruby
  Insecure file permissions
  This can lead an attacker who has also shell access to the webserver to take over a session.
  http://www.linuxsecurity.com/advisories/debian_advisory-4689.html

8/20/2004 - rsync
  Insufficient path sanitation
  The rsync developers have discovered a security related problem in rsync which allows an attacker to access files outside of the defined directory.
  http://www.linuxsecurity.com/advisories/debian_advisory-4690.html

8/20/2004 - kdelibs
  Insecure temporary file vulnerability
  This can be abused by a local attacker to create or truncate arbitrary files or to prevent KDE applications from functioning correctly.
  http://www.linuxsecurity.com/advisories/debian_advisory-4691.html

8/20/2004 - mysql
  Insecure temporary file vulnerability
  Jeroen van Wolffelaar discovered an insecure temporary file vulnerability in the mysqlhotcopy script when using the scp method which is part of the mysql-server package.
  http://www.linuxsecurity.com/advisories/debian_advisory-4692.html

+---------------------------------+
| Distribution: Fedora            | ----------------------------//
+---------------------------------+

8/20/2004 - rsync
  Insufficient path sanitization
  This update backports a security fix to a path-sanitizing flaw that affects rsync when it is used in daemon mode without also using chroot.
  http://www.linuxsecurity.com/advisories/fedora_advisory-4688.html

+---------------------------------+
| Distribution: Gentoo            | ----------------------------//
+---------------------------------+

8/13/2004 - Roundup
  Filesystem access vulnerability
  Roundup will make files owned by the user that it's running as accessible to a remote attacker.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4664.html

8/13/2004 - gv
  Buffer overflow vulnerability
  gv contains an exploitable buffer overflow that allows an attacker to execute arbitrary code.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4665.html

8/13/2004 - Nessus
  Race condition vulnerability
  Nessus contains a vulnerability allowing a user to perform a privilege escalation attack using "adduser".
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4666.html

8/13/2004 - Gaim
  Buffer overflow vulnerability
  Gaim contains a remotely exploitable buffer overflow vulnerability in the MSN-protocol parsing code that may allow remote execution of arbitrary code.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4667.html

8/13/2004 - kdebase,kdelibs
  Multiple vulnerabilities
  KDE contains three security issues that can allow an attacker to compromise system accounts, cause a Denial of Service, or spoof websites via frame injection.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4668.html

8/20/2004 - acroread
  Buffer overflow vulnerabilities
  Acroread contains two errors in the handling of UUEncoded filenames that may lead to execution of arbitrary code or programs.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4682.html

8/20/2004 - Tomcat
  Insecure installation
  Improper file ownership may allow a member of the tomcat group to execute scripts as root.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4683.html

8/20/2004 - glibc
  Information leak vulnerability
  glibc contains an information leak vulnerability allowing the debugging of SUID binaries.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4684.html

8/20/2004 - rsync
  Insufficient path sanitation
  This vulnerability could allow the listing of arbitrary files and allow file overwriting outside module's path on rsync server configurations that allow uploading.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4685.html

8/20/2004 - xine-lib
  Buffer overflow vulnerability
  An attacker may construct a carefully-crafted playlist file which will cause xine-lib to execute arbitrary code with the permissions of the user.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4686.html

8/20/2004 - courier-imap
  Format string vulnerability
  An attacker may be able to execute arbitrary code as the user running courier-imapd (oftentimes root).
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4687.html

+---------------------------------+
| Distribution: Mandrake          | ----------------------------//
+---------------------------------+

8/13/2004 - gaim
  Buffer overflow vulnerabilities
  Sebastian Krahmer discovered two remotely exploitable buffer overflow vulnerabilities in the gaim instant messenger.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4662.html

8/13/2004 - mozilla
  Multiple vulnerabilities
  A large number of Mozilla vulnerabilities is addressed by this update.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4663.html

8/20/2004 - rsync
  Insufficient path sanitation
  If rsync is running in daemon mode, and not in a chrooted environment, it is possible for a remote attacker to trick rsyncd into creating an absolute pathname while sanitizing it.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4679.html

8/20/2004 - spamassassin
  Denial of service vulnerability
  Security fix prevents a denial of service attack open to certain malformed messages.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4680.html

8/20/2004 - qt3
  Heap overflow vulnerability
  This vulnerability could allow for the compromise of the account used to view or browse malicious graphic files.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4681.html

+---------------------------------+
| Distribution: NetBSD            | ----------------------------//
+---------------------------------+

8/20/2004 - ftpd
  Privilege escalation vulnerability
  A set of flaws in the ftpd source code can be used together to achieve root access within an ftp session.
  http://www.linuxsecurity.com/advisories/netbsd_advisory-4678.html

+---------------------------------+
| Distribution: Red Hat           | ----------------------------//
+---------------------------------+

8/19/2004 - pam
  Privilege escalation vulnerability
  If the pam_wheel module was used with the "trust" option enabled, but without the "use_uid" option, any local user could use PAM to gain access to a superuser account without supplying a password.
  http://www.linuxsecurity.com/advisories/redhat_advisory-4670.html

8/19/2004 - Itanium kernel
  Multiple vulnerabilities
  Updated Itanium kernel packages that fix a number of security issues are now available.
  http://www.linuxsecurity.com/advisories/redhat_advisory-4671.html

8/19/2004 - semi
  Insecure temporary file vulnerability
  Temporary files were being created without taking adequate precautions, and therefore a local user could potentially overwrite files with the privileges of the user running emacs.
  http://www.linuxsecurity.com/advisories/redhat_advisory-4672.html

8/20/2004 - Netscape
  Multiple vulnerabilities
  Netscape Navigator and Netscape Communicator have been removed from the Red Hat Enterprise Linux 2.1 CD-ROM distribution as part of Update 5. These packages were based on Netscape 4.8, which is known to be vulnerable to recent critical security issues, such as CAN-2004-0597, CAN-2004-0598, and CAN-2004-0599.
  http://www.linuxsecurity.com/advisories/redhat_advisory-4673.html

8/20/2004 - kernel
  Denial of service vulnerability
  A bug in the SoundBlaster 16 code which did not properly handle certain sample sizes has been fixed. This flaw could be used by local users to crash a system.
  http://www.linuxsecurity.com/advisories/redhat_advisory-4674.html

+---------------------------------+
| Distribution: Suse              | ----------------------------//
+---------------------------------+

8/20/2004 - rsync
  Insufficient pathname sanitizing
  If rsync is running in daemon-mode and without a chroot environment it is possible for a remote attacker to trick rsyncd into creating an absolute pathname while sanitizing it.
  http://www.linuxsecurity.com/advisories/suse_advisory-4676.html

8/20/2004 - qt3
  Buffer overflow vulnerability
  Chris Evans found a heap overflow in the BMP image format parser which can probably be abused by remote attackers to execute arbitrary code.
  http://www.linuxsecurity.com/advisories/suse_advisory-4677.html

+---------------------------------+
| Distribution: Trustix           | ----------------------------//
+---------------------------------+

8/20/2004 - rsync
  Path escape vulnerability
  Please either enable chroot or upgrade to 2.6.1. People not running a daemon, running a read-only daemon, or running a chrooted daemon are totally unaffected.
  http://www.linuxsecurity.com/advisories/trustix_advisory-4675.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Aug 23 03:31:14 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 23 03:38:21 2004
Subject: [ISN] Proposed dates for free TSCM seminar
Message-ID:

Forwarded from: Tim Johnson

[In an effort to cross-pollinate the list a little, Tim Johnson, an Atlanta area TSCM (Technical Surveillance Counter Measures) professional would like to offer a free class on the subject.
He would like to present this class first to those of you on the list in and around the Atlanta area first, but if more interested parties want to hear the talk from outside Atlanta, he is interested in giving the class again. Mr. Johnson is also on the hunt for a sponsor. - WK]

This may sound like it is a little far out for planning, but right now, I'm looking at the middle of October (16th, Saturday) as the earliest we could do it. REI is available at that time and can bring in their equipment and make a demo and the annual ASIS thing will have come and gone.

If no one in the Atlanta area wants to do some presenting or speaking, I'm pretty sure I can get some former government TSCM people to drop by, as well as some of you in the private sector who are doing the work.

Right now, this is shaping up to be at least a 4 hour deal. It will remain free, but, I'll gladly accept a $5.00 or $10.00 donation at the door to cover the cost of the CD's, etc. There won't be anyone checking you off on a list. Most likely, there'll just be a box in a back corner somewhere to drop it into if you feel the results were worth it. On the other hand, if I have to pay for a place, there may be a small fee involved to cover the cost of the rental. I'm thinking there may be some security company associated with ASIS here in the Atlanta area who would make available their facility for such an activity.

I'll start working on a general syllabus for the presentation; if you have something you'd like to have discussed, let me know.

More as it comes in or is developed.

Tim

======================

For the benefit of those who are receiving the announcement for the seminar.....

This is directed primarily to the corporate people in the Atlanta, Ga area.

I would like to put on a free seminar (probably on a Saturday would be best) for corporate security people and the private investigators of Georgia (people from surrounding states will be welcome to attend on a space available basis).
I would anticipate the seminar to last no more than 4 hours, but historically, they end up going as long as I am able to handle questions or until the doors have to be closed.

As this will be free, I am looking for something I can get for nothing (If a charge is involved, let me know how much and I'll be able to see if attendees would be willing to pay on a pro-rated basis). If you would be interested in "sponsoring" the seminar, please get back to me. If you are not from here, but know an organization in the Atlanta area that might be interested in sponsoring, have them get in contact with me. Also, let me know how many people you would be able to accommodate if you are interested in sponsoring.

The seminar would address the mechanics of a TSCM (debugging) sweep, the legal aspects of bugging (as well as I understand them) and debugging, equipment and training involved for low level to high level threats, additional aspects of the service provided to a client, the ethics involved, and anything else you folks might be able to come up with. Nothing classified or super sensitive, but.......

You'll be welcome to bring your equipment for comparison and show and tell. Hopefully, I'll be able to get someone from REI to come down and hook up their OSCOR and computer and set up for video presentation onto a big screen and we can all look at and discuss signals at the same time. Brief presentations and discussions will be welcomed from the attendees, as well.

I also want to do the same thing for law enforcement.....a free seminar for law enforcement ONLY in which I will make the presentation, answer questions and present a forum in which law enforcement people will be better able to discuss the problems they encounter and the equipment they have available for both bugging and debugging; the legal aspects of bugging and what they should do before, during and after an "operation", the possible capabilities of the bad guys, etc.
If they want to throw me out during a portion of their "sensitive" discussions, that will be fine with me. For this portion, I'm hoping I can hook up with one of the area law enforcement agencies or a college or university that would want to "sponsor" it.

Comments and suggestions are always welcome.

Tim Johnson

--
Tim Johnson
Technical Security Consultants Inc.
PO Box 1295
Carrollton, GA 30112
770-836-4898
770-712-2164 Cell

What you say in private is your business. Keeping it private is ours.

Georgia License # PDC 002074
Technical Security Consultants Inc.
Member INTELNET
http://www.dbugman.com

This e-mail is intended for the use of the addressee(s) only and may contain privileged confidential, or proprietary information that is exempt from disclosure under law. If you have received this message in error, please inform us promptly by reply e-mail, then delete the e-mail and destroy any printed copy. Neither this information block, the typed name of the sender, or anything else in this message is intended to constitute an electronic signature for purposes of the Uniform Electronic Transactions Act or the Electronic Signatures in Global and National Commerce Act (E-Sign) unless a specific statement to the contrary is included in this message.

From isn at c4i.org Mon Aug 23 03:31:30 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 23 03:38:22 2004
Subject: [ISN] Think someone was hacking the Weather Service?
Message-ID:

http://www.drudgereport.com/flash4ws.htm

XXXXX DRUDGE REPORT XXXXX SUN AUG 22, 2004 16:00:02 ET XXXXX

WEATHER SERVICE 'WARNING' CATCHES LOS ANGELES BY STORM; REPORT STATED DANGEROUS TORNADO HEADED DOWNTOWN

Sun Aug 22 2004 16:40:44 ET

The skies in the Los Angeles basin were fair Saturday morning when computers connected to the National Weather service in Oxnard began screaming.
"AT 825 AM PDT...NATIONAL WEATHER SERVICE DOPPLER RADAR WAS TRACKING A LARGE AND EXTREMELY DANGEROUS TORNADO 7 MILES SOUTH OF GLENDALE...OR ABOUT NEAR DOWNTOWN LOS ANGELES...MOVING NORTHEAST AT 20 MPH."

An official bulletin issued at 8:39 AM PDT warned residents that a Tornado Warning was in effect until 9:15.

"IF NO SHELTER IS AVAILABLE...LIE FLAT IN THE NEAREST DITCH OR OTHER LOW SPOT AND COVER YOUR HEAD WITH YOUR HANDS."

There was hardly a cloud in the sky, but the alert stated in horrifying detail: "THE TORNADO IS EXPECTED TO BE NEAR PASADENA BY 8:50."

The warning remained on the state's EMERGENCY DIGITAL INFORMATION SERVICE database for 4 minutes, without further comment. Until:

EDIS-08-21-04 0858 PDT
NATIONAL WEATHER SERVICE LOS ANGELES/OXNARD CA

"PLEASE DISREGARD THE PREVIOUS TORNADO WARNING. NO TORNADO EXISTS."

It's not clear if weather service employees believed they were actually living through a shock scene from this summer's fuss film DAY AFTER TOMORROW, or if the event was simply a computer glitch gone horribly wrong.

But one weather service staffer reached at the Oxnard office hours after the commotion joked how someone there will surely be hiding in a ditch for the misfire.

Developing...

From isn at c4i.org Mon Aug 23 03:31:56 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 23 03:38:23 2004
Subject: [ISN] E-Vote Machine Certification Criticized
Message-ID:

http://www.eweek.com/article2/0,1759,1638537,00.asp

By Bill Poovey, Associated Press Writer
August 22, 2004

HUNTSVILLE, Ala. (AP) - The three companies that certify the nation's voting technologies operate in secrecy, and refuse to discuss flaws in the ATM-like machines to be used by nearly one in three voters in November.

Despite concerns over whether the so-called touchscreen machines can be trusted, the testing companies won't say publicly if they have encountered shoddy workmanship.
They say they are committed to secrecy in their contracts with the voting machines' makers - even though tax money ultimately buys or leases the machines.

"I find it grotesque that an organization charged with such a heavy responsibility feels no obligation to explain to anyone what it is doing," Michael Shamos, a Carnegie Mellon computer scientist and electronic voting expert, told lawmakers in Washington, D.C.

The system for "testing and certifying voting equipment in this country is not only broken, but is virtually nonexistent," Shamos added.

Although up to 50 million Americans are expected to vote on touchscreen machines on Nov. 2, federal regulators have virtually no oversight over testing of the technology. The certification process, in part because the voting machine companies pay for it, is described as obsolete by those charged with overseeing it.

The testing firms - CIBER and Wyle Laboratories in Huntsville and SysTest Labs in Denver - are also inadequately equipped, some critics contend.

Federal regulations specify that every voting system used must be validated by a tester. Yet it has taken more than a year to gain approval for some election software and hardware, leading some states to either do their own testing or order uncertified equipment.

That wouldn't be such an issue if not for troubles with touchscreens, which were introduced broadly in a bid to modernize voting technology after the 2000 presidential election ballot-counting fiasco in Florida.

Failures involving touchscreens during voting this year in Georgia, Maryland and California and other states have prompted questions about the machines' susceptibility to tampering and software bugs. Also in question is their viability, given the lack of paper records, if recounts are needed in what's shaping up to be a tightly contested presidential race.
Paper records of each vote were considered a vital component of the electronic machines used in last week's referendum in Venezuela on whether to recall President Hugo Chavez.

Critics of reliance on touchscreen machines want not just paper records - only Nevada among the states expects to have them installed in its touchscreens come November - but also public scrutiny of the software they use. The machine makers have resisted.

"Four years after the last presidential election, very little has been done to assure the public of the accuracy and integrity of our voting systems," Rep. Mark Udall, D-Colo., told members of a House subcommittee in June at the same hearing at which Shamos testified.

"If there are any problems, we will spend years rebuilding the public's confidence in our voting systems," Udall said. "We need to squarely face the fact that there have been serious problems with voting equipment deployed across the country in the past two years."

In Huntsville, the window blinds were closed when a reporter visited the office suite where CIBER Inc. employees test voting machine software. A woman who unlocked the door said no one inside could answer questions about testing.

Shawn Southworth, a voting equipment tester at the laboratory, said in a telephone interview that he wouldn't publicly discuss the company's work. He referred questions to a spokeswoman at CIBER headquarters in Greenwood Village, Colo., who never returned telephone messages.

CIBER, founded in 1974, is a public company that promotes itself as an international systems integration consultant. Its government and private-sector clients include the Air Force, IBM and AT&T. In 2003, government work generated the largest percentage of the company's total revenue, 26 percent.

Also in a sprawl of high-tech businesses that feed off Redstone Arsenal and NASA's Marshall Space Flight Center in Huntsville is the division of Wyle Laboratories Inc. that tests U.S.
elections hardware, including touchscreens made by market leaders Diebold Inc., Sequoia Voting Systems Inc. and Election Systems & Software Inc.

Wyle spokesman Dan Reeder refused to provide details on how the El Segundo, Calif.-based company, which has been vetting hardware for the space industry since 1949 in Huntsville, tests the voting equipment.

"Our work on election machines is off-limits," Reeder said. "We just don't discuss it." He did allow, though, that the testing includes "environmental simulation...shake, rattle and roll."

Carolyn Goggins, a spokeswoman for SysTest Labs, the only other federally approved election software and hardware tester, refused to discuss the company's work.

More than a decade ago, the Federal Election Commission authorized the National Association of State Election Directors to choose the independent testers. On its Web site, the association says the three testing outfits "have neither the staff nor the time to explain the process to the public, the news media or jurisdictions." It directs inquiries to a Houston-based nonprofit organization, the Election Center, that assists election officials. The center's executive director, Doug Lewis, did not return telephone messages seeking comment.

The election directors' voting systems board chairman, former New York State elections director Thomas Wilkey, said the testers' secrecy stems from the FEC's refusal to take the lead in choosing them and the government's unwillingness to pay for it. He said that left election officials no choice but to find technology companies willing to pay.

"When we first started this program it took us over a year to find a company that was interested, then along came Wyle, then CIBER and then SysTest," Wilkey said of the standards developed over five years and adopted in 1990.

"Companies that do testing in this country have not flocked to the prospect of testing voting machines," said U.S.
Election Assistance Commission chairman DeForest Soaries Jr., now the top federal overseer of voting technology. A 2002 law, the Help America Vote Act, created the four-member, bipartisan commission headed by Soaries to oversee a change to easier and more secure voting.

Soaries said there should be more testers but the three firms are "doing a fine job with what they have to work with." Wilkey, meanwhile, predicted "big changes" in the testing process after the November election.

But critics led by Stanford University computer science professor David Dill say it's an outrage that the world's most powerful democracy doesn't already have an election system so transparent its citizens know it can be trusted.

"Suppose you had a situation where ballots were handed to a private company that counted them behind a closed door and burned the results," said Dill, founder of VerifiedVoting.org. "Nobody but an idiot would accept a system like that. We've got something that is almost as bad with electronic voting."

From isn at c4i.org Mon Aug 23 03:32:07 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 23 03:38:25 2004
Subject: [ISN] Instant messaging used for leaks
Message-ID:

http://www.theinquirer.net/?article=17988

By Tony Dennis
20 August 2004

TECHNICALLY SAVVY CITY types who work in London's financial institutions have woken up to the fact that their emails are being tapped. So they've taken to using instant messaging (IM) instead.

This discovery came to light when a leading forensic firm, Kroll Ontrack, spoke to Britain's FT. Kroll's Adrian Palmer told the FT that City firms have recently been asking his firm if he can help reveal how trading secrets have leaked out - probably through IM sessions.

The answer, of course, is that it's very difficult to capture individual users' IM sessions. Particularly since the employers themselves would probably have to inform their City workers that they'd put such data capture tools in place.

But Kroll seems to be missing a trick.
If City traders have worked out ways to use IM on their desktops, they certainly will have spotted that it is relatively easy to join a standard Yahoo! or Messenger IM session via a mobile phone. All of Microsoft's smartphone offerings come with a Messenger client by default and there are plenty of Symbian apps that enable the likes of Nokia smartphones to participate in IM sessions too.

Worse still, after having conversed on their mobiles via an IM session, the canny trader could finally pass the crucial bit of data - such as the name of the company whose shares are involved - via SMS. And that would be almost totally untraceable.

Seems like Kroll has opened up a whole new can of worms for the City regulators to worry about.

From isn at c4i.org Mon Aug 23 03:32:20 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 23 03:38:27 2004
Subject: [ISN] Cyber front has favorable bytes
Message-ID:

http://www.usatoday.com/tech/news/2004-08-22-hackers-kept-out_x.htm

By Patrick O'Driscoll
USA TODAY
8/22/2004

NEA IONIA, Greece - In a post-9/11 world, even the computers that run the Olympics have color-coded warnings for threats. "Green is good. Red is very bad," says Jean Chevallier, executive vice president of Atos Origin, Paris-based head of the Games' $400 million information system. In between are yellow (mild) and orange (more alarming).

Halfway through the Athens Olympics, the worst anyone has seen here is "a light yellow," Chevallier says. The threat? Some news people have unplugged official terminals in the press centers and tried to tap into the network with their own laptops, apparently thinking they can surf the Internet.

They got nowhere. The network for the Games has no two-way link with the Internet. For event results, computer users click on a separate site, Athens2004.com, run by the Athens Olympic Organizing Committee (ATHOC). That site gets results only by one-way transmission from Chevallier's hacker-proof network.
Chevallier, who also worked at the 2002 Salt Lake Winter Olympics, says a computer "bridge" made info-tech at those Games potentially vulnerable to outside attack. Although there were no breaches, thousands of alerts and alarms kept the IT team busy. This time, "the image of a hacker coming in from the Internet is obsolete ... impossible."

Sounds like a perfect trash-talk challenge to byte heads with anti-Olympic fever. But Chevallier says the only way anyone could break in is from inside. Even then, odd traffic - logging in from the wrong place or trying to roam where not allowed - triggers lockouts and other safeguards. Network computers don't even have CD-ROMs, floppy drives or other outside data ports.

"A few days ago, we saw somebody enter the computer room at a venue at 3 a.m. and try to log in," Chevallier says. "They tried five or six times" and failed.

The team's hub is at ATHOC headquarters, in an old shoe factory in this Athens suburb, two subway stops from the Olympic stadium complex. With 130 people at terminals and screens around the clock, it looks like NASA mission control.

If info technology were an Olympic team, it would be the largest by far: 330 Atos Origin staffers and 2,300 info-tech volunteers at 36 sports venues and 26 non-sport sites. Coming from 44 nations, they run 10,500 computers, 900 servers, 23,000 desktop telephones, 13,000 cell phones, 9,000 two-way radios and 2,500 public information terminals.
From isn at c4i.org Tue Aug 24 02:36:56 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Aug 24 03:06:11 2004
Subject: [ISN] Windows Upgrade Causing Campus Headaches
Message-ID:

Forwarded from: William Knowles

http://www.washingtonpost.com/wp-dyn/articles/A26111-2004Aug23.html

By Brian Krebs
washingtonpost.com Staff Writer
August 23, 2004

Microsoft Corp.'s decision to release a major upgrade for its flagship operating system in the same month that hundreds of thousands of students are reporting to college campuses across the nation is causing a major headache for the higher education community.

The upgrade, known as Service Pack 2, is designed to patch numerous gaps in Windows XP, the operating system of choice for an estimated 200 million computer users worldwide. The free update includes safeguards against spyware and viruses, a hardened Internet firewall to keep out hackers and upgrades to automate security features and better alert users to security risks on their personal computers.

Worried that the upgrade could conflict with other applications running on university networks, and a related concern that thousands of students attempting to download the software could bring campus computer networks to a standstill, technology administrators at some universities have taken steps to block an automatic service that downloads the software.

"The timing is extremely unfortunate," said Anne Agee, deputy chief information officer at George Mason University in Fairfax, Va., whose school is blocking automatic installation of SP2 on all faculty and staff computers because the update interferes with software that the university uses to run faculty PCs.

"It wouldn't be so bad if we had gotten this more than a month ago, because at least then we would have had plenty of time to test it and make a decision about how we want to correct for this," Agee said.
An extremely large file that could slow networks to a halt if too many students download it at the same time, SP2 also contains code that interferes with popular firewall and antivirus programs that many people run on their computers, according to Microsoft.

Although Windows XP is configured by default to automatically download the latest patches from Microsoft -- a process that the company turned on last week -- schools like George Mason are taking advantage of a Microsoft tool that prevents it from happening.

Alan Paller, research director at the SANS Institute in Bethesda, said the backlash from schools is somewhat justified.

"The idea that the technology people at these schools view this update as a threat to their operations is absolutely accurate, as most of these folks consider forced security upgrades a threat to [network] reliability and uptime," he said. "This is really a problem of Microsoft's own design -- not just because of its timing -- but also because they delivered such unsafe computers in the first place."

While students and faculty can still manually obtain the SP2 download, blocking the automatic distribution seriously hampers one of the primary tools Microsoft is using to roll out the security fixes included in SP2.

Meanwhile, classes at George Mason start the week of August 30, and university officials are still debating whether to block students from installing the upgrade.

For the time being, Catholic University in Washington, D.C., has decided to block downloads of SP2, according to chief information officer Zia Mafaher. A hundred miles to the south, officials at the University of Richmond made the same decision.

"Microsoft's timing really couldn't have been worse for us," said Chris Faigle, a security administrator at the school, where classes start today.
"For the faculty and students, we simply won't be able to handle all of the additional issues that would almost certainly come up in addition to just getting the students registered on the network."

Other schools across the country are taking similar action. The University of Notre Dame in South Bend, Ind., for example, will bar its 10,000 students from installing SP2 until it finishes testing the program on its network, said Gary Dobbins, the school's director of information. "[We] didn't want SP2 to land on machines here at the same time the students descend on the campus."

The University of Michigan's medical school is blocking campus computers from automatically downloading the Microsoft update, choosing instead to deploy the fix using its own internal computer servers.

"Our primary concern is the impact this will have on our network and the length of time it would take to get from Microsoft directly," said Damon Palyka, a computer security technician at the school.

A number of schools that have built systems to register computers on their network plan to periodically probe student PCs to ensure they contain the latest antivirus updates and Microsoft security patches. But SP2 can interfere with those automatic inspections since it turns on the Windows firewall, said Jack Suess, chief information officer at the University of Maryland Baltimore County. So UMBC plans to bar computers owned by its 4,000 students from automatically downloading the update until the school is ready to roll out its own tweaks.

"We estimate that between 5 to 10 percent of the student population will have pretty serious problems after installing this update and will require help from us," Suess said. "Add that to inquiries from faculty and staff and allowing this to go forward at move-in time could be a real challenge."

Microsoft had already delayed a scheduled July release of SP2 so it could fix several other kinks in the upgrade.
The company did not want to push the release date back again because of the chance that another severe Internet attack could occur in the meantime, said Matt Pilla, Microsoft's senior product manager for Windows.

Averting Another Blaster

Computers running Windows XP that are not updated with SP2 will be more susceptible to catching and spreading Internet worms and viruses on the school networks, even in the short span of time it takes to download and install the latest updates.

Computer security experts and Microsoft are anxious to avoid a repeat of last August, when computers owned by hordes of college students arriving for the start of the fall semester were infected en masse by the "Blaster" and "Welchia" worms. The worms generated so much Internet traffic that some schools were forced to temporarily kick thousands of students off their networks.

Those schools spent much of the last year designing and testing homegrown computer applications to ensure that students and faculty have protections in place on their PCs before they can hook back up to the networks, said Rodney Petersen, security task force coordinator for EDUCAUSE, an information technology association for colleges and universities. The last thing they want, he said, is to introduce a gigantic package of software onto their systems without conducting extensive testing first.

Not all schools are so worried. American University in Washington, the University of Virginia in Charlottesville and the College of William and Mary are encouraging students to install the upgrade as soon as possible.

"I think some schools are being somewhat unnecessarily paranoid about this," said Carl Whitman, American's executive director of e-operations. "At this point, the bad stuff on the Internet is getting pretty out of hand and we need whatever help we can get."

Georgetown University will not block Service Pack 2 downloads either, said spokeswoman Laura Cavender.
Elsewhere, schools such as Brown University in Providence, R.I., and Davidson College near Charlotte, N.C., are advising students to hold off installing SP2 for a few weeks, but are not stopping them from doing so.

Dan Updegrove, vice president for information technology at the University of Texas at Austin, said his school is advising students to get the update.

"We want to get it out there as fast as we can," Updegrove said. "The idea of telling our students to install a patch to block this other patch -- and then in the event that an Internet attack that would have been prevented by SP2 surfaces telling them to then please delete the install anti-patch patch -- that strikes me as a little absurd."

Hurdles to the CD-ROM Solution

Several schools, including Brown and George Mason, planned to circulate SP2 on CD-ROMs, a move that would allow students to install the upgrade without connecting to the Internet. Microsoft, however, last week sent a letter to those schools warning them against duplicating and distributing the patches without buying an expensive license that includes the right to install Microsoft programs on student PCs.

"It is a definite possibility that an enterprising hacker hoping to harm companies, campuses or personal assets could compromise the integrity of a disk that has not been created by an Authorized Replicator," Microsoft wrote. "As a result, Microsoft must take special precautions when it comes to security updates and how they are distributed."

Distributing the service pack via CD-ROM, according to EDUCAUSE, could help schools speed up installs and diminish the chances of campus-wide Internet sluggishness caused by thousands of student PCs downloading the update simultaneously; downloading and installing SP2 can take anywhere from one to three hours with a high-speed Internet connection.

Microsoft has agreed to give schools one service pack disk for every 50 students on campus, with extra disks costing 32 cents each.
Microsoft said it has received orders for the CD-ROM from approximately 60 institutions, and that nearly 100,000 CD-ROMs have already been shipped to schools nationwide. Some schools, including American University, will not receive them for another two weeks, though Microsoft said it expects to ship any ordered discs within five to 12 business days.

"For the vast majority of institutions that have students returning this week, that's too little too late," said EDUCAUSE's Petersen.

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Tue Aug 24 02:37:20 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Aug 24 03:06:12 2004
Subject: [ISN] ACSAC 2004 - Works in Progress call for paper
Message-ID:

Forwarded from: ACSAC announce-admin

Dear Colleague,

We are soliciting submissions to the Works In Progress (WIP) session at the 20th Annual Computer Security Applications Conference (ACSAC). The conference is taking place Dec. 6-10, 2004 in Tucson, AZ.

Submissions are due October 1, 2004. Author notification October 15, 2004.

Abstracts should be at most 2 type-written pages in length and should briefly describe the objectives of the current work, any accomplishments to date, and future plans. Abstracts should be sent as ASCII text or pdf files to program_chair@acsac.org.
Special consideration will be given to WIP abstracts that discuss system implementation, deployment, and lessons learned in the following areas:

* Access control
* Applied cryptography
* Audit and audit reduction
* Biometrics
* Certification and accreditation
* Database Security
* Denial of service protection
* Defensive information warfare
* Electronic commerce security
* Enterprise Security
* Firewalls and other boundary control devices
* Forensics
* Identification and Authentication
* Information Survivability
* Insider threat protection
* Integrity
* Intellectual property rights protection
* Incident response planning
* Intrusion detection and event correlation
* Middleware and distributed systems security
* Mobile Security
* Modeling and simulation related to security
* Operating systems security
* Privacy
* Product evaluation criteria and compliance
* Risk/vulnerability assessment
* Security engineering
* Security management
* Software safety and program correctness
* Wireless Security

Accepted abstracts will be presented in the WIP session on Wed. Dec. 8, 2004 5:45-7pm in 5-minute slots.

For more information see www.acsac.org or contact the Program Chair at program_chair@acsac.org.
Sincerely,

Christoph Schuba
20th ACSAC Program Vice-Chair, WIP chair
christoph.schuba@sun.com

Daniel Thomsen
20th ACSAC Program Chair
dthomsen@tresys.com

Pierangela Samarati
20th ACSAC Program European Chair
samarati@dti.unimi.it

From isn at c4i.org Tue Aug 24 02:38:09 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Aug 24 03:06:14 2004
Subject: [ISN] Linux Security Week, August 23rd, 2004
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                             Weekly Newsletter    |
|  August 23, 2004                               Volume 5, Number 33n |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   David Isecke            dai@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Crypto researchers abuzz over flaws", "No Easy Fix for Internal Security", "Big Brother's Last Mile", and "Vulnerability Protection: A Buffer for Patching".

----
>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05
----

LINUX ADVISORY WATCH: This week, advisories were released for acroread, ftpd, gaim, glibc, gv, kdelibs, kernel, mozilla, mysql, Nessus, Netscape, pam, qt3, Roundup, rsync, ruby, semi, spamassassin, squirrelmail, and Tomcat. The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, NetBSD, Red Hat, Suse, and Trustix.
http://www.linuxsecurity.com/articles/forums_article-9645.html

----

An Interview with Gary McGraw, Co-author of Exploiting Software: How to Break Code

Gary McGraw is perhaps best known for his groundbreaking work on securing software, having co-authored the classic Building Secure Software (Addison-Wesley, 2002). More recently, he has co-written with Greg Hoglund a companion volume, Exploiting Software, which details software security from the vantage point of the other side, the attacker. He has graciously agreed to share some of his insights with all of us at LinuxSecurity.com

http://www.linuxsecurity.com/feature_stories/feature_story-171.html

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* Computer Security 101
August 18th, 2004

Within the space of a single introductory article it is impossible to cover every aspect of the virus / antivirus topic. I will attempt to provide as much knowledge as I can without overwhelming you.

http://www.linuxsecurity.com/articles/host_security_article-9634.html

* Vulnerability Protection: A Buffer for Patching
August 17th, 2004

The purpose of this paper is to identify the problem facing the network security community regarding vulnerabilities and patches. It explains why current security technologies such as firewalls, intrusion detection and prevention systems, and automated patch management solutions have failed in preventing vulnerabilities from being exploited.

http://www.linuxsecurity.com/articles/network_security_article-9632.html

* Password to easy fraud lies in pets' names and birthdays
August 16th, 2004

Most internet and online banking customers leave themselves open to fraudsters by using predictable passwords, new research claims. More than three-quarters of people surveyed used words that could be easily guessed.
http://www.linuxsecurity.com/articles/host_security_article-9624.html

+------------------------+
| Network Security News: |
+------------------------+

* Introduction to Vulnerability Scanning
August 18th, 2004

Similar to packet sniffing, port scanning and other "security tools", vulnerability scanning can help you to secure your own network or it can be used by the bad guys to identify weaknesses in your system to mount an attack against. The idea is for you to use these tools to identify and fix these weaknesses before the bad guys use them against you.

http://www.linuxsecurity.com/articles/server_security_article-9633.html

* No Easy Fix for Internal Security
August 17th, 2004

Not too long ago, the Gartner Group raised a minor dustup in the IT community by releasing a report claiming that portable storage media--including consumer devices such as cameras and MP3 players with built-in or removable memory--represent a new security threat to corporate networks.

http://www.linuxsecurity.com/articles/network_security_article-9631.html

* Big Brother's Last Mile
August 17th, 2004

On August 9th, 2004, the U.S. Federal Communications Commission (FCC) took a major step toward mandating the creation and implementation of new Internet Protocol standards to make all Internet communications less safe and less secure. What is even worse, the FCC's ruling will force ISP's and others to pay what may amount to billions of dollars to ensure that IP traffic remains insecure.

http://www.linuxsecurity.com/articles/network_security_article-9629.html

+------------------------+
| General Security News: |
+------------------------+

* Crypto researchers abuzz over flaws
August 19th, 2004

Encryption circles are buzzing with news that mathematical functions embedded in common security applications have previously unknown weaknesses.
The excitement began Thursday with an announcement that French computer scientist Antoine Joux had uncovered a flaw in a popular algorithm called MD5, often used with digital signatures.

http://www.linuxsecurity.com/articles/cryptography_article-9640.html

* Open-Source Backups Using Amanda
August 19th, 2004

This well tested network backup tool depends on standard tools such as dump, cron and GNU tar. Find out how to set up regular backups for your whole network. Those of us who have received the call can feel the tension and nervous tone in the caller's voice when he or she asks, "How good are the backups?"

http://www.linuxsecurity.com/articles/host_security_article-9639.html

* Scientists Work On Quantum Code
August 16th, 2004

Relying on the principles of uncertainty underlying quantum mechanics, Harvard researchers recently established the first experimental secure network that, when perfected, should make it impossible for hackers to gain unauthorized access to documents shared electronically.

http://www.linuxsecurity.com/articles/cryptography_article-9623.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue Aug 24 02:37:50 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Aug 24 03:06:15 2004
Subject: [ISN] Ex-Varian worker charged with hacking
Message-ID:

http://www.reuters.co.uk/newsArticle.jhtml?type=internetNews&storyID=6048907

23 August, 2004

BOSTON (Reuters) - A former employee of Varian Semiconductor Equipment Associates hacked into the company's computer system and damaged some software after learning he would be let go by the chip equipment maker, federal prosecutors have charged.
Patrick Angle, 34, logged into Varian's computer server and deleted the source codes for software he and others were developing, U.S. Attorney Michael Sullivan said in a news release on Monday.

Prosecutors and the Federal Bureau of Investigation said Angle became upset with the Gloucester, Massachusetts-based company after being told his contract would be terminated.

If convicted, Angle could face up to 10 years in prison and a fine of up to $250,000 (138,000 pounds). He was not available for immediate comment.

Varian Semiconductor said it noticed the problem "fairly quickly" and was able to restore the source code.

"Varian Semiconductor has cooperated fully and is pleased the government is supportive of taking action to protect the proprietary information of our company," said Gary Loser, the company's general counsel.

From isn at c4i.org Tue Aug 24 02:38:27 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Aug 24 03:06:17 2004
Subject: [ISN] Report says Virtually All Big Companies Will Outsource Security By 2010
Message-ID:

http://informationweek.com/story/showArticle.jhtml?articleID=29116929

By Gregg Keizer
TechWeb News
Aug. 23, 2004

The need to stay ahead of the hacker curve will drive nearly 90% of big U.S. companies to outsource their security to managed service providers by the end of the decade, a report released Monday suggested.

According to the Yankee Group, businesses will hand over security--initially for perimeter defenses but eventually for inside-the-firewall protection--to managed security service providers to the tune of $3.7 billion by 2008, a jump from 2004's estimated $2.4 billion.

"Enterprises are outsourcing more technology in general," said Matthew Kovar, a VP at Yankee Group's security solutions group. "But we'll see a lot more in the security space. Enterprises know what they have to do, but more of them will see that [security] isn't a core competency," he added, and will hand the reins to a managed security service provider.
Security outsourcing will prove attractive, said Kovar, for reasons other than the cost savings typically cited by companies that farm out business processes. Among the drivers toward managed services are the accelerated attacks of today's threats--giving enterprises virtually no time to put up defenses on their own before an attack infiltrates a network--legislative requirements such as HIPAA and Sarbanes-Oxley, and the trend toward pushing out the network perimeter to include partners and remote workers.

"The well-defined perimeter just doesn't exist anymore," Kovar said.

These and other factors are outpacing the average company's ability to keep up with the latest counter-measures and techniques to thwart attacks, Kovar said in his report. At the same time, security is moving from the network perimeter to protecting critical network links, key servers, databases, and end-user desktops, in part because of worms and other exploits that managed to sneak through the perimeter on laptops or through remote sessions.

While the largest number of managed services customers are currently those subscribing to anti-spam services, managed firewalls aren't far behind, said Kovar. And as the trend continues, other security defenses now solved by hardware, such as intrusion detection and intrusion prevention, will also be shipped out for others to handle.

"One of the easiest managed services to see success is E-mail anti-spam services," Kovar said. "People saw the pain and saw that they needed to outsource the solution." Companies such as Brightmail and MessageLabs have capitalized on the anti-spam managed approach, grabbing part of the $140 million business that Kovar said "cropped up almost overnight."

The outsourcing of security will follow other IT outsourcing trends by going offshore, said Kovar, who expects that "security will be the next to go to Ireland, India, and beyond."
Services such as application code review, he said, simply can't be done cost effectively in North America.

The vendors that Yankee Group sees in the top tier include TruSecure and Symantec, with Unisys, Netsec, Solutionary, Internet Security Systems, and RedSiren close on their heels. Notable by its absence, said Kovar, is McAfee. "That would concern me if I was an enterprise investing in their technologies," he said.

In the end, the winners will be the vendors with the best security gurus, or as Kovar put it, "the best knowledge gatherers. The real intellectual property for security is in advanced algorithms, intelligence, and the ability to rapidly deploy new security countermeasures in real time to a large installed base of enterprise customers and their global networks."

From isn at c4i.org Tue Aug 24 02:38:40 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Aug 24 03:06:18 2004
Subject: [ISN] Meet the Peeping Tom worm
Message-ID:

http://www.theregister.co.uk/2004/08/23/peeping_tom_worm/

By John Leyden
23rd August 2004

A worm capable of using webcams to spy on users is circulating across the Net.

Rbot-GR, the latest variant of a prolific worm series, spreads via network shares, exploiting a number of Microsoft security vulnerabilities to drop a backdoor Trojan horse program on vulnerable machines as it propagates.

Once a backdoor program is installed on a victim's PC it's game over and an attacker can do whatever takes their fancy. But Rbot-GR comes pre-loaded with functionality specifically designed to control webcams and microphones. Other variants of the worm do not come with this "Peeping Tom" routine, according to AV firm Sophos.

"If your computer is infected and you have a webcam plugged in, then everything you do in front of the computer can be seen, and everything you say can be recorded," said Graham Cluley, senior technology consultant for Sophos.
"It would be like having a regular web cam conversation except you wouldn't know you're taking part in it."

Aside from its voyeuristic behaviour, the Trojan component of the worm will attempt to steal registration information for games and PayPal passwords from infected machines.

It's a thoroughly nasty piece of code so it comes as some relief that Rbot-GR isn't particularly widespread. Sophos has received only a handful of reports about the worm and most vendors rate it as a medium-risk threat. As usual, Rbot-GR is a Windows-only menace.

From isn at c4i.org Tue Aug 24 02:39:17 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Aug 24 03:06:20 2004
Subject: [ISN] REVIEW: "Fighting Spam for Dummies", John R. Levine/Margaret Levine Young/Ray Everett-Church
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKFTSPDM.RVW 20040719

"Fighting Spam for Dummies", John R. Levine/Margaret Levine Young/Ray Everett-Church, 2004, 0-7645-5965-6, U$14.99/C$21.99/UK#9.99
%A John R. Levine www.iecc.com/johnl
%A Margaret Levine Young www.gurus.com/margy
%A Ray Everett-Church www.everett.org
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%D 2004
%G 0-7645-5965-6
%I John Wiley & Sons, Inc.
%O U$14.99/C$21.99/UK#9.99 416-236-4433 fax: 416-236-4448
%O http://www.amazon.com/exec/obidos/ASIN/0764559656/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0764559656/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0764559656/robsladesin03-20
%P 222 p.
%T "Fighting Spam for Dummies"

Part one introduces the world of spam. Chapter one tells us that spam is bad and that spammers like to do it, but there is little substance to the material and a lot of oddly spam-like verbiage. Even though the authors outline the "dictionary" process (that generates addresses on a semi-random basis) in chapter two, they insist on trotting out the usual recommendations to limit exposure and prevent address harvesting.
A confusing look at US law, in chapter three, says that the situation is confused. Chapter four does provide information about obtaining and deciphering email headers, but the attempts to be funny make it hard to understand.

Part two deals with filtering spam. Chapter five has a generic description of filtering, but there is little useful content. Chapters six to ten describe menu items related to filtering in the Outlook, Netscape, Eudora, AOL, Hotmail, and Yahoo programs.

Part three looks at filtering programs and services. Chapter eleven has a terse review list of major filtering programs (with some odd exceptions: SpamAssassin is not mentioned), a few spam filter review sites, and fairly detailed descriptions of POPfile and Spam Bully. A reasonable, if brief, outline of filtering services is given in chapter twelve. Chapter thirteen touches on a few items not previously detailed, but it is far from being a useful guide to the network and email administrators that it supposedly addresses.

Part four is the usual "Part of Tens." Chapter fourteen lists the most common spam scams. The list of annoyances in chapter fifteen is mostly unrelated to spam. (For the one that is, dealing with popups, some fairly complex solutions are listed, and a simple one is missed -- turning off JavaScript and ActiveX works great. The cost to the user will vary with patterns of activity.)

This book does provide some pointers to software based assistance with spam filtering and removal. However, even in relation to the minuscule size of the book the content is very thin. Repetition, editorializing, and attempted humour take the place of substantive information. "Stopping Spam" (cf. BKSTPSPM.RVW) and "Removing the Spam" (cf. BKRMSPAM.RVW) are from an older era, and address the issue from a perspective of users who were more used to manual email controls, as well as a time when spam was not the overwhelming majority of email.
Even so, they dealt with the issue realistically and informatively, which this book does not. The current work is better than nothing, but only just.

copyright Robert M. Slade, 2004 BKFTSPDM.RVW 20040719

======================
(quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu
I've got a PhD and no one listens. I take off my clothes off, and here you all are. - Briony Penn to the media, 20010123
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

From isn at c4i.org Wed Aug 25 06:17:50 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 25 06:27:10 2004
Subject: [ISN] Dozens Charged in Crackdown on Spam and Scams
Message-ID:

http://www.nytimes.com/2004/08/25/technology/25spam.html

By SAUL HANSELL
August 25, 2004

Federal and state law enforcement agencies have quietly arrested or charged dozens of people with crimes related to junk e-mail, identity theft and other online scams in recent weeks, according to several people involved in the actions. The cases, which have been brought by law enforcement offices around the country, are expected to be announced by Attorney General John Ashcroft in a news conference in Washington on Thursday.

The federal authorities have stepped up efforts to crack down on junk e-mail messages, or spam, since Congress passed a law in December criminalizing fraudulent and deceptive e-mail practices. The law subjects spammers to fines and jail terms of up to five years. So far, the law has had little noticeable effect. Spam represents 65 percent of all e-mail, up from 58 percent when the law was passed, according to Symantec, a company that makes a widely used spam filter. The new cases are also expected to involve charges of credit card fraud, computer crime and other offenses that carry significant penalties.
Many of the cases were developed by an investigative team that combined federal law enforcement officials and executives from industries that do business through the Internet. Nearly two dozen investigators work in an office in Pittsburgh operated by the National Cyber-Forensics and Training Alliance, a nonprofit organization with close ties to the Federal Bureau of Investigation. Much of the financing for the effort, known as Operation Slam Spam, comes from the Direct Marketing Association, a trade group that wants to promote what it considers to be the legitimate use of e-mail marketing.

"We felt that the key to the new law was enforcement," said H. Robert Wientzen, who recently stepped down as the president of the marketing association and is still involved in the antispam campaign. "We want spammers to realize that spam is not a free game for them and that they face real penalties if they continue."

The operation has built a database of known spammers, drawing from law enforcement agencies and from private companies that are investigating and bringing civil suits against some of the biggest users of junk e-mail messages. It has also deployed online decoys to catch spammers and has bought products advertised in spam messages so that the financial records could be traced to the source of the message. As the cases have been developed, the Pittsburgh group has used its information to persuade prosecutors to devote resources to bringing cases against junk e-mail companies and other abusers of the Internet.

Law enforcement agencies have only recently taken an interest in fighting the spam problem. It is a series of small crimes, often without clear victims, that is hard to investigate. But prosecutors and investigators are starting to become more aggressive as the volume of spam continues to increase and as the messages that spammers send are being used more often to commit other crimes, including identity theft and credit card fraud.
And the authorities have become increasingly concerned about the spammers' use of computer viruses to hijack millions of desktop computers so they can relay messages and hide their true identities.

The Justice Department announcement expected on Thursday is meant to highlight several different government actions related to computer crime. The department has conducted a handful of similar operations in the past, calling them cyber sweeps, but the crackdown to be disclosed this week is thought to be the biggest by far. A Justice Department spokesman declined to comment.

In May, Jana D. Monroe, assistant director of the F.B.I.'s cyber division, told a Senate committee that the agency was developing cases on more than 50 of the most active spammers. Prosecutors had hoped to announce some prominent convictions earlier this summer. But the cases have proven to be more complex than expected, in part because of new evidence turned up at each step.

"These cases never end," said Steve Linford, the director of the Spamhaus Project, a clearinghouse of information on spammers based in London that works with law enforcement agencies. "When they seize a whole bunch of computers from one gang," Mr. Linford said, "they normally see a lot of information that leads to another gang."

Indeed, federal and state prosecutors have arrested some people whose names they will not reveal at the news conference this week because the suspects are leading them to others involved in spam and other crimes, officials said.

In April, the Justice Department brought what it said was the first criminal prosecution under the antispam law against three people in suburban Detroit. Last month, however, the case was quietly dismissed at the government's request. The prosecutor in the case, Terrence Berg, said that such dismissals were normal procedure, and that the charges could be brought again after more evidence was developed.
Spam has proven to be a plague of the modern world that has defied nearly every effort to mitigate its effects. Major companies and Internet providers have spent millions of dollars on software meant to identify and discard unwanted messages, but the spammers have found myriad techniques to get around the barriers. Efforts to develop technical standards that would help separate "good" e-mail messages from "bad" have been delayed by bickering among the big e-mail providers.

It is unclear whether the heightened spate of criminal prosecutions will make much difference in the in-boxes of the half-billion e-mail users around the world. "There is such a large number of spammers," said Enrique Salem, a senior vice president of Symantec, "that no matter how many you arrest, more people will send spam."

But Mr. Linford of Spamhaus said he thought that the current wave of prosecutions had the potential to at least temporarily diminish the flood of spam. "Spammers believe that they will never be caught," Mr. Linford said. "If they get 10, 20, 30 well-known spammers, the rest of the spam community will start to notice. Any spammers who can be made to give up because they think the F.B.I. is getting too close is very good for us."

Still, Mr. Linford added that spam activity had been increasing overseas and that spammers in other countries, especially Russia, were expected to move quickly to fill any gaps left if spammers in the United States are shut down or scared off.
"Next year and the year after," he said, "we are going to see Russia as the main spam problem."

From isn at c4i.org Wed Aug 25 06:19:50 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 25 06:27:12 2004
Subject: [ISN] [Vmyths.com ALERT] Cyber-terror attack predicted for Thursday
Message-ID:

Forwarded from: Vmyths.com Virus Hysteria Alert

CATEGORY: Dire predictions of a cyber-war or cyber-terrorism

Russian news site MosNews.com has reported "terrorists will paralyze the Internet on August 26" (this Thursday). The story cites virus experts Alexander Gostev and Eugene Kaspersky, both of whom work for Kaspersky Labs, a large Russian antivirus firm. MosNews ran the story under the headline "Russian Computer Expert Predicts Internet Terrorist Attack."

MosNews.com story (English): http://www.mosnews.com/news/2004/08/24/internetend.shtml

The web page address includes the phrase "internetend" -- an obvious reference to the end of the Internet as we know it. Vmyths dismisses this "Internet Terrorist Attack" story as baseless hysteria, for numerous reasons explained below.

It appears MosNews derived their story from a newswire published by Lenta.ru, which may have derived their own story from a Novosti newswire. In other words, it's "hand-me-down" news, and this is a systemic problem in computer security. Reporters will often quote each others' stories as their main sources of information. Worse, these stories originated in Russia, where many news agencies have dissolved into sensationalist tabloids since the breakup of the Soviet Union.

Speaking directly to Novosti's reporters, Gostev supposedly claimed "the United States and Western Europe will suffer from the attack" on Thursday, while Kaspersky supposedly "reminded that similar attacks had earlier paralyzed [the] Internet in South Korea.
He added that it would be 'impossible' to stop terrorist organizations if they 'get down to business.'" As expected, the Novosti newswire described the cyber-terrorists as "Islamic" fundamentalists who declared Thursday a day of "electronic jihad."

Gostev and Kaspersky claimed they learned about the cyber-terror attack from data "published on specialized sites," and Gostev admitted "it is difficult to say how true this information is." Statements like this raise a RED FLAG at Vmyths. We believe the men studied messages left by narcissistic braggarts, not Islamic cyber-warriors. Vmyths has seen NO objective corroborating evidence for an Internet armageddon in the near future.

Narcissistic braggarts have a notorious habit of (1) declaring an attack date and then (2) failing to show up for duty at the appointed time. One of the most hilarious examples of this took place in 1997; see http://Vmyths.com/hoax.cfm?id=28&page=3 for details.

According to Novosti, Kaspersky concluded by saying "it is ghastly enough that these people have mentioned 'electronic jihad' for the first time." Kaspersky is clearly mistaken if the newswire quoted him in context. Hackers and the media have used this exact term for years; a Google search returns 500+ matches. Israel's Jerusalem Post newspaper used a similar term, "virtual jihad," four years ago. mi2g (a well-documented fearmonger) has issued predictions over the years for electronic jihads which have NEVER come to pass. Remember this when virus hysteria strikes: http://Vmyths.com/resource.cfm?id=31&page=1

MosNews quoted Lenta.ru, which quoted another virus expert, who insisted "Kaspersky Labs has been foretelling the doomsday for a long time." Vmyths agrees they occasionally sensationalize threats -- but a global cyber-terror prediction seems highly out of character for them. And the Kaspersky.com website so far offers no special news/advice for its clients.
The Novosti newswire oddly claims Kaspersky Labs "will be switched over to the 'yellow' danger level" on Thursday, but this, too, seems highly out of character for the antivirus firm.

For all of these reasons, Vmyths dismisses this "Internet Terrorist Attack" story as baseless hysteria. Vmyths assumes Alexander Gostev & Eugene Kaspersky were quoted out of context -- but we don't know HOW MUCH they were quoted out of context. This may be an example of a "worst-case scenario briefing" gone awry. (See http://Vmyths.com/rant.cfm?id=540&page=4 for more on this subtopic.) We asked Kaspersky Labs to comment on the Russian news stories and we'll publish their response as soon as we get it.

Unfortunately, the global media has a FETISH for "end of the Internet" stories. Vmyths predicts the following:

(1) On Wednesday, news outlets around the world will report the Novosti newswire (and stories derived from it) without question. A sensationalist reporter might even link cyber-terrorism to the breaking news of two Russian jetliners that just crashed. "Did Islamic hackers take over the cockpits?"

(2) On Thursday, a few news outlets will acknowledge the prediction flopped.

(3) On Friday, reporters will dump the story as a non-event.

The SANS "Internet Storm Center" (http://isc.sans.org) currently reports a "green" status for the Internet. SANS "predicts that the Internet will not vaporize into a cloud of nothingness this Thursday, but if it does, it's been our pleasure to help stave off its inevitable annihilation this long." Vmyths applauds SANS for its sense of humor.

Don't bet on an Islamic cyber-attack this Thursday. Stay calm. Stay reasoned. And stay tuned to Vmyths.
Rob Rosenberger, editor
http://Vmyths.com
Rob@Vmyths.com
(319) 646-2800

Acknowledgements:
* Cory Altheide (SANS), for URLs to Russian news stories
* Confidential source, for the Novosti newswire

CATEGORY: Dire predictions of a cyber-war or cyber-terrorism

--------------- Useful links ------------------
Common clichés in the antivirus world
http://Vmyths.com/resource.cfm?id=22&page=1
False Authority Syndrome
http://Vmyths.com/fas/fas1.cfm

From isn at c4i.org Wed Aug 25 06:20:03 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 25 06:27:14 2004
Subject: [ISN] ISS: Critical Netscape hole could be widespread
Message-ID:

http://www.nwfusion.com/news/2004/0824isscriti.html

By Paul Roberts
IDG News Service
08/24/04

Security company Internet Security Systems Inc. (ISS) is warning its customers about a critical security hole in a commonly used technology from the Mozilla Foundation called the Netscape Network Security Services (NSS) library that could make Web servers vulnerable to remote attack.

ISS issued a security bulletin Tuesday about a flaw in the NSS library's implementation of the Secure Sockets Layer Version 2 (SSLv2) protocol that could allow remote attackers to use an SSLv2 connection to take control of Web servers using the NSS library. The flaw in the NSS library affects the Netscape Enterprise Server and Sun's Sun Java System Web Server, but may also affect countless other products that use the open source NSS library, ISS said.

The problem stems from a flaw in the way the NSS library handles requests for new SSLv2 sessions. Servers using the NSS library do not check the length of a record field in the first part of the negotiation between two systems attempting to establish an SSLv2 session. Malicious hackers could use the absence of that length check in the first record sent in the negotiation, known as the "hello message," to cause a heap overflow, allowing them to place and run malicious code on a vulnerable server, ISS said.
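The defect ISS describes is a record parser that trusts a length field it reads off the wire. The following is an added illustration written for this digest, not NSS code and not ISS's advisory material; it models a simplified SSLv2 CLIENT-HELLO layout (2-byte record header, message type, version, three 2-byte field lengths, then the variable fields) with a constructed 32-byte challenge buffer, and puts the unchecked parser beside the one a server should use. The structure sizes, the `build_hello` helper and the `MAX_CHALLENGE` limit are assumptions for the example; only the SSLv2 cipher kind `01 00 80` (RC4-128 with MD5) is a real protocol value.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified model of an SSLv2 CLIENT-HELLO record (not the
 * NSS library's real structures): a 2-byte record header whose low 15 bits
 * carry the body length, then a message type byte (1 = CLIENT-HELLO), a
 * 2-byte version, and three 2-byte lengths (cipher specs, session id,
 * challenge) followed by those three variable-length fields. */
#define HELLO_FIXED_LEN 9   /* type + version + three length fields */
#define MAX_CHALLENGE   32  /* assumed size of the server's heap buffer */

struct hello {
    uint16_t version;
    uint16_t cipher_len, sid_len, chal_len;
    uint8_t  challenge[MAX_CHALLENGE];
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable shape: every length is taken from the wire on trust. A record
 * that declares a challenge longer than MAX_CHALLENGE makes memcpy write
 * past the heap allocation (and a short record makes it read past the
 * input). It is here only for contrast; never hand it untrusted data. */
struct hello *parse_hello_unchecked(const uint8_t *rec, size_t reclen)
{
    (void)reclen;   /* the bug: the received length is never consulted */
    const uint8_t *p = rec + 2;
    struct hello *h = calloc(1, sizeof *h);
    if (!h) return NULL;
    h->version    = rd16(p + 1);
    h->cipher_len = rd16(p + 3);
    h->sid_len    = rd16(p + 5);
    h->chal_len   = rd16(p + 7);
    memcpy(h->challenge, p + HELLO_FIXED_LEN + h->cipher_len + h->sid_len, h->chal_len);
    return h;
}

/* Hardened shape: the declared lengths must agree with the record actually
 * received and with the buffer the data is copied into. Returns NULL on
 * any inconsistency so the caller drops the record instead of parsing it. */
struct hello *parse_hello_checked(const uint8_t *rec, size_t reclen)
{
    if (reclen < 2 || !(rec[0] & 0x80)) return NULL;   /* only 2-byte headers modelled */
    size_t body_len = (size_t)(((rec[0] & 0x7f) << 8) | rec[1]);
    if (body_len + 2 != reclen || body_len < HELLO_FIXED_LEN) return NULL;
    const uint8_t *p = rec + 2;
    if (p[0] != 1) return NULL;                          /* not a CLIENT-HELLO */
    uint16_t cipher_len = rd16(p + 3), sid_len = rd16(p + 5), chal_len = rd16(p + 7);
    /* The checks that matter: the variable fields must exactly fill the rest
     * of the body, and the challenge must fit its destination buffer. */
    if ((size_t)cipher_len + sid_len + chal_len != body_len - HELLO_FIXED_LEN) return NULL;
    if (chal_len > MAX_CHALLENGE) return NULL;
    struct hello *h = calloc(1, sizeof *h);
    if (!h) return NULL;
    h->version    = rd16(p + 1);
    h->cipher_len = cipher_len;
    h->sid_len    = sid_len;
    h->chal_len   = chal_len;
    memcpy(h->challenge, p + HELLO_FIXED_LEN + cipher_len + sid_len, chal_len);
    return h;
}

/* Builds a constructed CLIENT-HELLO offering one cipher spec
 * (SSL_CK_RC4_128_WITH_MD5 = 01 00 80), an empty session id and a challenge
 * of chal_len bytes; returns the record length, or 0 if it does not fit. */
size_t build_hello(uint8_t *buf, size_t cap, uint16_t chal_len)
{
    size_t body = HELLO_FIXED_LEN + 3 + chal_len;
    if (body > 0x7fff || body + 2 > cap) return 0;
    buf[0] = (uint8_t)(0x80 | (body >> 8)); buf[1] = (uint8_t)(body & 0xff);
    buf[2] = 1;                                /* CLIENT-HELLO */
    buf[3] = 0; buf[4] = 2;                    /* version 0x0002 */
    buf[5] = 0; buf[6] = 3;                    /* cipher spec length */
    buf[7] = 0; buf[8] = 0;                    /* session id length */
    buf[9] = (uint8_t)(chal_len >> 8); buf[10] = (uint8_t)(chal_len & 0xff);
    buf[11] = 0x01; buf[12] = 0x00; buf[13] = 0x80;
    for (size_t i = 0; i < chal_len; i++) buf[14 + i] = (uint8_t)i;
    return body + 2;
}

int main(void)
{
    uint8_t rec[512];
    size_t n = build_hello(rec, sizeof rec, 16);
    struct hello *h = parse_hello_checked(rec, n);
    printf("well-formed hello: %s\n", h ? "accepted" : "rejected");
    free(h);
    n = build_hello(rec, sizeof rec, 200);     /* consistent lengths, oversized challenge */
    printf("oversized challenge: %s\n", parse_hello_checked(rec, n) ? "accepted" : "rejected");
    return 0;
}
```

The point of the pair is where the decision is made: the checked parser rejects a record whose internal lengths disagree with the bytes received, and separately rejects a challenge that would not fit the allocation, before any copy happens. The unchecked parser has no such gate, so a single oversized length field drives memcpy past the heap block, which is the condition the article calls a heap overflow.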
In heap overflows, an area of a vulnerable computer's memory that is allocated for use by a software program is exceeded by a piece of data that is larger than the allocated space, causing adjacent areas of memory on the system to be overwritten with arbitrary data or malicious code sent by the attacker.

If successfully exploited, the NSS library vulnerability gives a remote attacker access to the vulnerable system with the same level of privileges as those given to the Web server. On Microsoft Windows systems, Web servers typically have full system privileges, ISS said.

While SSLv2 protocol support is disabled on the Netscape Enterprise Server and Java System Web Server, SSLv2 is a commonly used protocol for sending sensitive information over the Internet, and many installations may have the support for SSLv2 enabled, ISS said.

In addition to the Sun Java System Web Server and Netscape Enterprise Server, the flaw affects the Netscape Personalization Engine, Netscape Director Server and Netscape Certificate Management Server, the company said.

The Mozilla Foundation issued a patch for the NSS library that fixes the SSLv2 hole. Alternatively, Netscape Enterprise users can disable the SSLv2 protocol, ISS said.

From isn at c4i.org Wed Aug 25 06:20:14 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 25 06:27:15 2004
Subject: [ISN] India to conduct IT security audit
Message-ID:

http://www.vnunet.com/news/1157596

James Watson
Computing
25 Aug 2004

India's IT industry body, the National Association of Software and Services Companies (Nasscom), is preparing a security audit of its 860 member companies to ensure that the flow of outsourcing work from the UK and US isn't halted by fears over privacy and data protection.

The news follows an announcement that India's software industry is now the country's single biggest source of export revenue, accounting for revenues of nearly $13bn (£7bn).
However, last week's move by Lloyds TSB's group union, LTU, to take legal action against the bank for breach of the Data Protection Act (DPA), is just one of a number of things sparking fears in India of a potential slowdown in outsourcing growth.

For India to continue evolving as a global IT heavyweight, it has to ensure that it has an adequate legal framework for data security and privacy, says Nasscom. Although most of the big Indian IT companies comply with UK data protection rules, such as the BS 7799 standard, no equivalent laws exist in India.

From isn at c4i.org Wed Aug 25 06:21:23 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Aug 25 06:27:16 2004
Subject: [ISN] 'Hacktivists' Log On
Message-ID:

http://msnbc.msn.com/id/5783835/site/newsweek/

[How much do you want to bet that young CrimethInc is lashing out against his Republican parents for not getting him a pony for his 10th birthday, not buying him a car for his 16th birthday, and he REALLY holds a grudge? - WK]

By Sarah Childress
Newsweek
Aug. 30, 2004 issue

As protesters in New York paint signs and map out marching routes for next week's Republican National Convention, on the other side of the country another kind of protester is working stealthily by the glow of a computer screen. Aided by a young radical computer hacker calling himself CrimethInc, a group of politically active "hacktivists" are plotting to disrupt the convention electronically. CrimethInc and his "Black Hat Hackers Bloc" vow they'll take down Republican Web sites, e-mail servers, phones and fax lines, alter electronic billboards and cause what he calls unspecified "financial disruption." They don't plan to do it alone. Last week CrimethInc e-mailed a call to arms to hackers across the country, with instructions on causing electronic disruptions. But no sooner did he hit send than his e-mail account was deactivated and he disappeared into the ether.
Earlier, by pay phone, CrimethInc told NEWSWEEK, "We don't believe that extremist right-wing groups ... have the right to be able to put forth their propaganda." (The New York police computer-crime unit is watching for threats, says spokesman Paul Browne. "Sometimes it's a combination of boasting and planning, but we take it seriously," he says. "We'll take appropriate action if there's any malicious activity.")

A tall guy with tousled hair and wire-rimmed glasses, CrimethInc sees himself as David fighting Goliath. But it's not just Republicans who disagree with him - he's taken the most flak from fellow hacktivists. On Web forums and at recent conventions, they complain that he gives hacktivism a bad name and violates their code to defend free speech. "If you've got an issue with a political opponent, you create a better argument and publicize that, but you don't shout them down in a town-hall meeting," says hacktivist Oxblood Ruffin. "That's basically what you're doing when you shut down someone's Web site."

It's hard to tell whether CrimethInc's group is all talk. But his arrogant, anti-establishment speech at a recent hacker convention convinced some attendees that he's at least determined enough to cause damage. It wouldn't take much; even something as simple as crashing a Web site for a few hours at peak times could wreak havoc on the GOP's well-laid convention plans.

The bloc isn't the only group planning online attacks. Hacktivists from the well-established Electronic Disturbance Theater will stage a "virtual sit-in" on a Republican site during the convention, using software that floods servers with requests for Web sites. (The group used the same tactic to bring down the World Economic Forum's site in 2002.) Ricardo Dominguez, the group's director and New York University prof, gives a nod to CrimethInc for mixing code and politics. But he can't fully endorse any anonymous protester - real hacktivists, he says, log on to be counted.
From isn at c4i.org Thu Aug 26 05:44:39 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 26 06:21:08 2004
Subject: [ISN] 25th August 2004
Message-ID:

Forwarded from: Richard Caasi

http://www.viruslist.com/eng/index.html?tnews=461517&id=2100900

25th August 2004: Who knows what tomorrow will bring?

A handful of sites are stating that Eugene Kaspersky, founder of Kaspersky Labs, believes that tomorrow will bring a massive terrorist attack on the Internet. This is being quoted in a range of ways, ranging from factual reporting to citing the story as an example of cyber hysteria. However, Kaspersky is not predicting the end of the Internet tomorrow - or even in the near future.

The story stems from brief comments made yesterday at a press conference which was dedicated to cybercrime and the problems of spam. At this press conference, Kaspersky commented that the possibility of terrorists using the Internet as a tool to attack certain countries was a reality. As an example, he cited the fact that a number of Arabic and Hebrew language websites contained an announcement of an 'electronic jihad' against Israel, to start on 26th August 2004.

In an interview today, Kaspersky stressed that such information was not necessarily trustworthy. 'We don't know who is behind these statements.' He went on to clarify: 'It's not the first time the term 'electronic jihad' has been used. We've seen this before, with the focus being on sending racist emails, and defacing and hacking Israeli web sites. But it is the first time I have seen sites encouraging the use of Internet attacks against one country as a form of terrorism.'

'As we've already stated many times in the past, it would be easy enough to use a network of infected computers to launch such an attack. We saw the impact that Sasser, Mydoom and Slammer had, on the Internet, businesses and organisations. Just imagine if such an attack was directed at one country or one critical point in the infrastructure of the Internet.
Computers are a tool - and just like any tool, they can be used or misused.'

Kaspersky emphasised that the likelihood of a massive attack directed against Israeli institutions tomorrow is low. However, he believes that Pandora's box has now been opened. Hackers and virus writers can be motivated by a range of factors: money, curiosity, or political conviction. But whatever their motivation, the insecure nature of the Internet and weak security precautions offer a wealth of opportunities. 'Maybe it won't be tomorrow, or the day after tomorrow - but sooner or later, terrorists will be using the Internet as another weapon in their arsenal.'

From isn at c4i.org Thu Aug 26 05:44:51 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 26 06:21:15 2004
Subject: [ISN] Old computers: An IT department liability that's costing more
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,95481,00.html

By Lucas Mearian
AUGUST 25, 2004
COMPUTERWORLD

Resellers of old computer equipment say they will no longer accept used equipment without charging for erasing hard drives to ensure they aren't held liable for exposing sensitive data.

Marc Sherman, chairman and CEO of WindsorTech Inc. in Highstown, N.J., a used IT equipment reseller, charges companies a flat $8.75 fee for performing a basic audit of used computer equipment and $10 to $30 for erasing disk arrays, depending on the disk's size.

"As the business developed over the years, we've gone into a world where data security is critical," he said. "The whole thing now is we're in a situation where we're reluctant to buy equipment unless we're fully indemnified. Otherwise, it puts us in a very dangerous situation.

"It's been an educational process for IT users. The information on a computer doesn't belong to the company. It belongs to the customer," he said.
Sherman said he believes his company is more trustworthy when it comes to ensuring data has been erased from drives before resale because his is the only publicly traded firm that resells used equipment and must answer to the U.S. Securities and Exchange Commission and the National Association of Securities Dealers.

Jill Vaske, vice president and co-founder of Redemtech Inc., a Columbus, Ohio-based recycler of PCs and other IT products, said that with the economy picking up, companies are just beginning to change out PCs and servers after holding on to them for longer than the normal three-year refresh cycle. Redemtech manages end-of-life technology turnover for almost 100 Fortune 500 and Global 1,000 companies, making sure data isn't exposed when computers are reconditioned for continued use or given to charities.

"Our experience is [that] most resellers aren't minding the liability side of end-of-life equipment. They don't assume liability for reselling it," Vaske said.

Liability for any data exposed through the resale of technology equipment rests squarely on the company that created the data, according to Alan Burger, an attorney at the law firm of Burger, Trailor & Farmer in West Palm Beach, Fla. "You can't shift the risk by contract to a reseller," he said.

Burger sees a growing problem around data security and information privacy because of a number of laws that took effect over the past three years, including the Health Insurance Portability and Accountability Act, the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act, also known as the Financial Institution Privacy Protection Act of 2001.

"You're just getting into that computer changeover due to technology obsolescence now," he said. "You will have billboards on both sides of the highway saying, 'Was your health information exposed? Call ABC attorneys.' "

Examples of the necessity of data protection abound.
For instance, in January 2003 a disk drive with 176,000 insurance policies was stolen from Guelph, Ontario-based Co-operators Life Insurance Co. In response to such events, California adopted a new law, SB 1386, which went into effect this month. It requires any company that stores information about California residents to publicly divulge any breach of security affecting that data within 48 hours.

Said Sherman: "These regulations ... are really validating our business model."

From isn at c4i.org Thu Aug 26 05:53:00 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 26 06:21:16 2004
Subject: [ISN] Tech sleuths track hacker
Message-ID:

http://www.dchieftain.com/news/43773-08-25-04.html

Dana L. Bowley
El Defensor Chieftain Editor
August 25, 2004

A computer hacker who broke into a state agency's system recently and essentially downloaded the agency's database was tracked down by researchers from a New Mexico Tech program, state legislators were told here Monday.

A research assistant in Tech's Information Technology department and the ICASA program, Srinivas Mukkamala, told seven members of the legislative Information Technology Oversight Committee who were meeting in Socorro this week that the intrusion into the agency's system demonstrates the vulnerability of computer networks, even the state's. It also, he said, demonstrates the cutting-edge technology being developed by the Institute for Complex Additive Systems Analysis division at Tech.

Officials declined to identify the agency involved other than to say it is one of the smaller state agencies, with offices in Santa Fe and Albuquerque, but it has control over a considerable amount of money. Ultimately, Mukkamala said, no funds were taken and no data was lost or misused. But the ease with which the system was hacked by a disgruntled former employee should concern legislators, he and other ICASA representatives said.
Mukkamala said the individual used programs that are available on the Internet to enter the system through an open printer port accessed via the agency's Web page, gain full access to the Web server and from there enter the agency's information technology administration server. Once in the IT server, the hacker established himself as the system administrator and downloaded virtually the entire database.

Mukkamala said that after the agency discovered the intrusion, it asked ICASA to do an analysis and try to trace the hack. "Even though he tried to erase his tracks, we were able to trace the footprint (back to the hacker)," he said. The suspect turned out to be a disgruntled former employee who left the agency about a year ago but still had access information for the system. There was no information available concerning the law enforcement side of the case.

Mukkamala said that while he was doing the analysis of the agency's computer system, he found it so easy to access that "I was able to walk all through their network."

The ICASA officials used the break-in to demonstrate how vulnerable computer systems are to attack and how urgently the state needs to implement a training program for system administrators and users. Most information system breaches, they said, are the result of poor policies and procedures directly related to inadequate training.

"A firewall is not enough," Mukkamala told the lawmakers. "Information security needs to be multi-layered." He said those layers should include preventive security such as virus protection and firewalls, intrusion detection scanning, user authentication systems and enforcement of policies that promote secure usage.

"A very small percentage of people who call themselves hackers really understand the workings of IT systems," Mukkamala said, but because of the availability of hacking tools they can cause havoc with poorly secured systems.
He said that 75 percent of IT systems with a firewall are vulnerable to attack, and 95 percent of those without a firewall. And, he said, while most virus and worm attacks don't cause serious damage, the disruptions they cause are costly. He noted that the Melissa virus last year cost business and government an estimated $8.7 billion.

Rather than damage, virus and worm developers are going for speed, he said, and they're succeeding. Where it once took days for a virus or worm to spread, now it's nearly instantaneous. He cited the recent "Slammer" worm, which infected more than 100,000 computers per hour and spread around the globe in three minutes.

Max Baca, of the IT department at New Mexico Highlands University, which will be teaming up with Tech on some projects, said up to now there has been no economic incentive for virus and worm developers, but that is changing. "Worm and virus developers are linking up with spammers" to develop ways to defeat anti-spam software and procedures and to actually force spam on computer users without the user doing anything. "So now, there's an economic incentive," Baca said, which is bad news for IT administrators.

Teresa Hall, associate director of ICASA, while making a pitch for more funding for her program, urged the committee to recommend funding for training of state IT administrators and system users. "I would urge the state to invest in security training immediately," Hall said.

ICASA is a division of Tech and is a cooperative venture between academia, industry and government dedicated to studying the behavior, vulnerabilities and predictability of very complex systems, and developing real-world processes and solutions.
From isn at c4i.org Thu Aug 26 06:01:04 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Aug 26 06:21:18 2004
Subject: [ISN] FBI probes possible hacking
Message-ID:

http://www.tcpalm.com/tcp/local_news/article/0,1651,TCP_16736_3137204,00.html

By Derek Simmonsen
staff writer
August 26, 2004

FORT PIERCE -- The FBI is investigating whether someone broke into the police chief's computer and distributed his e-mails to the public. The investigation began in late July after copies of e-mails apparently written by Chief Eugene Savage to his secretary, Rosetta Smith, were sent anonymously in the mail to several people, police spokeswoman Audria Moore said Wednesday. Copies were sent to Savage and Smith, as well as to members of the news media and some City Hall employees. It is not clear if the e-mails were legitimate or forgeries, she said. "We don't know if these e-mails came from here, if they were retrieved from our records," Moore said. After a brief internal investigation, the police department asked the FBI to take over the investigation. Special Agent Judy Orihuela, an FBI spokeswoman, said she could not comment on the investigation. The e-mails appeared to contain allegations of a personal nature regarding Savage and Smith, according to those who viewed the e-mails. In a written statement, Savage said allegations in the e-mails have "no foundation." "This is a personal attack on my character and I am seeking a personal legal solution against the person(s) disseminating the damaging information," he wrote. Savage and Smith turned their copies of the e-mails over to the FBI, Moore said. Fort Pierce officials expressed support for Savage and concern that police department computers -- and possibly city computers -- could be hacked. "It appears that someone illegally hacked a police department computer and is removing information from that computer," said City Manager Dennis Beach. "An investigation into how that happened is under way."
Beach, who said he spoke briefly to Savage on Wednesday about the possible computer security breach, said he has full confidence in the chief. The lapse in computer security remains worrisome, he said. "There's certainly sensitive, or should I say, confidential information in (city computers)," Beach said. "If a hacker is successful in getting into (a police department computer), he could be successful in getting into another and could wreak havoc, if he's inclined to do so." Commissioner R. "Duke" Nelson said he was shown a transcript of the e-mails this week. "I don't know how valid they are," he said. "There was nothing on them that indicated that they were valid. "I have the utmost confidence in Chief Savage and in the police department," Nelson said. "We'll have to wait and see what the investigation reveals."

From isn at c4i.org Fri Aug 27 06:09:45 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Aug 27 06:59:58 2004
Subject: [ISN] REVIEW: "Internet Security", Tim Speed/Juanita Ellis
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKISJSAM.RVW 20040719

"Internet Security", Tim Speed/Juanita Ellis, 2003, 1-55558-298-2, U$44.99
%A Tim Speed
%A Juanita Ellis
%C 225 Wildwood Street, Woburn, MA 01801
%D 2003
%G 1-55558-298-2
%I Digital Press
%O U$44.99 800-366-BOOK Fax: 617-933-6333 fax: +1-800-446-6520
%O http://www.amazon.com/exec/obidos/ASIN/1555582982/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/1555582982/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/1555582982/robsladesin03-20
%P 398 p.
%T "Internet Security: A Jumpstart for Systems Administrators and IT Managers"

The introduction starts out by talking about wild west bank robbers and then admits that those stories have nothing to do with the topic at hand. Inexplicably, the theme continues to be used throughout the book.
Chapter one gives a timeline of Internet related historical events, and an overview of the base protocols of the TCP/IP suite at various levels of detail. (There are also some screenshots from Microsoft Windows.) The security review process provided in chapter two is not bad, although it gets weaker as it moves into details. Cryptography is explained on an "it works by magic" level in chapter three. Chapter four talks about some of the technologies discussed earlier, but the purpose of the repetition is unclear. Firewalls are described in chapter five, and a checklist for evaluating them is provided, but many points on the review form will be difficult for any but the expert to assess. Aspects of authentication are discussed in chapter six, but there is very limited explanation on most points. Factors involved in public key infrastructures are handled in much the same way in chapter seven. Chapter eight, supposedly about messaging security, starts out with viruses and other malware, drifts through spam, and ends up with a number of issues regarding proper configuration of email systems. A reasonably good overview of risk management and mitigation is given in chapter nine, although the material could use a bit more structure. The content on incident response, disaster recovery, and business continuity, in chapter ten, is not as good, but still fair. Those who know security will recognize the patterns underlying the material that the authors present. Those who have tried to explain security concepts, however, will understand that what is given in the text is superficial and sometimes misleading. IT managers who do not require details may be able to take a very limited familiarity with terms and concepts from this work. System administrators will need considerably more detail, and need material with a greater comprehension of areas of strength and weakness in the various aspects and technologies of security. copyright Robert M. 
Slade, 2004   BKISJSAM.RVW   20040719

======================
(quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu
Any fool can criticize, condemn and complain - and most do.
- Dale Carnegie (1888-1955)
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

From isn at c4i.org Fri Aug 27 06:11:10 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Aug 27 07:00:00 2004
Subject: [ISN] [Vmyths.com ALERT] Cyber-terror attack canceled for lack of interest
Message-ID:

Forwarded from: Vmyths.com Virus Hoax Alert

Vmyths.com Virus Hysteria Alert
Truth About Computer Security Hysteria
{26 August 2004, 17:25 CT}

CATEGORY: Dire predictions of a cyber-war or cyber-terrorism

Media warnings of a looming "Internet Terrorist Attack," supposedly planned for today, have proven unfounded. As usual, Islamic "suicide hackers" failed to report for duty. (See http://Vmyths.com/mm/ads/Vmyths/oif/trendle.jpg for background info on "suicide hackers.")

In our previous Hysteria Alert, Vmyths said it asked Kaspersky Labs to comment on the "threat" of an Islamic cyber-attack predicted for today. We promised to publish their response as soon as we got it. Founder Eugene Kaspersky quickly responded to our inquiry. Visit http://Vmyths.com/hoax.cfm?id=281&page=3#EKreply01 for his verbatim reply. We assumed Kaspersky Labs was quoted out of context to some extent, and their email to Vmyths reinforced our belief. This media event looks like a "worst-case scenario briefing" gone awry.

Some computer security websites went so far as to ridicule the notion of a looming cyber-terror attack. These sites used a coordinated "self-defacement campaign" as a humorous way to get their points across. A list of SELF-defaced websites includes:

http://www.attrition.org
http://www.infowarrior.org
http://www.reznor.com
http://www.treachery.net

Vmyths applauds these sites for their sense of humor.
Vmyths made three initial predictions in our previous Hysteria Alert. First, we said news outlets around the world would report the "Internet Terrorist Attack" prediction without question. Second, we said a few news outlets would acknowledge the prediction flopped today. Third, we said the media would dump the story tomorrow as a non-event. Prediction #2 came true and we fully expect the same for prediction #3. Prediction #1 proved correct, although not in the magnitude we implied. Reuters, the Associated Press, Bloomberg, and other major western newswires displayed a healthy dose of journalistic common sense. Vmyths has forged relationships with computer security reporters over the years and we feel our previous Hysteria Alert destroyed the sensationalism of the "Internet Terrorist Attack" story. But we cannot objectively demonstrate the value of our Hysteria Alerts. As such, Vmyths must acknowledge prediction #1 did not come true in the magnitude we implied. The day is still young, but please don't bet on an Islamic cyber-attack today. Stay calm. Stay reasoned. And stay tuned to Vmyths. 
Rob Rosenberger, editor
http://Vmyths.com
Rob@Vmyths.com
(319) 646-2800

CATEGORY: Dire predictions of a cyber-war or cyber-terrorism

--------------- Useful links ------------------

Remember this when virus hysteria strikes
http://Vmyths.com/resource.cfm?id=31&page=1

Common clichés in the antivirus world
http://Vmyths.com/resource.cfm?id=22&page=1

False Authority Syndrome
http://Vmyths.com/fas/fas1.cfm

From isn at c4i.org Fri Aug 27 06:11:59 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Aug 27 07:00:02 2004
Subject: [ISN] Secunia Weekly Summary - Issue: 2004-35
Message-ID:

========================================================================

                  The Secunia Weekly Advisory Summary
                        2004-08-19 - 2004-08-26

                       This week : 48 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

Secunia has implemented new features at Secunia.com

SECUNIA ADVISORIES NOW INCLUDE "Solution Status":
In addition to the extensive information Secunia advisories already include, Secunia has added a new parameter: "Solution Status". This simply means that all Secunia advisories, including older advisories, now include the current "Solution Status" of an advisory, e.g. if the vendor has released a patch or not.

IMPROVED PRODUCT PAGES:
The improved product pages now include a detailed listing of all Secunia advisories affecting each product. The listings include a clear indication of the "Solution Status" each advisory has ("Unpatched", "Vendor patch", "Vendor workaround", or "Partial fix").
View the following for examples:

Opera 7:
http://secunia.com/product/761/

Internet Explorer 6:
http://secunia.com/product/11/

Mozilla Firefox:
http://secunia.com/product/3256/

EXTRA STATISTICS:
Each product page also includes a new pie graph, displaying the "Solution Status" for all Secunia advisories affecting each product in a given period.

View the following for an example:

Internet Explorer 6:
http://secunia.com/product/11/#statistics_solution

FEEDBACK SYSTEM:
To make it easier to provide feedback to the Secunia staff, we have made an online feedback form. Enter your inquiry and it will immediately be sent to the appropriate Secunia department. Ideas, suggestions, and other feedback are most welcome.

Secunia Feedback Form:
http://secunia.com/contact_form/

========================================================================
2) This Week in Brief:

ADVISORIES:

Yesterday (25-08-2004), K-OTik.COM Security Survey Team reported to Secunia that a so-called "Zero-day" exploit for Winamp is circulating on the Internet. After testing the issue, Secunia was able to confirm that the exploit was working. Using Internet Explorer, this can be exploited to automatically compromise a user's system.

The vulnerability is caused due to insufficient restrictions on Winamp skin zip files. This can be exploited to execute arbitrary code on a user's system.

The exploit is very basic, and allows even less-skilled "Script Kiddies" to change the exploit to do whatever they would like it to do.

Currently, the vendor has not issued a patch for this. Therefore, the only present solution is to uninstall the product and wait for the vendor to issue a patch.

Reference:
http://secunia.com/SA12381

--

Security researcher "http-equiv", specialised in Internet Explorer, has demonstrated a new vulnerability in Internet Explorer, which also affects Internet Explorer with Windows XP Service Pack 2 installed.
The vulnerability allows a malicious website to compromise a user's system, if the user drags and drops an image on a web page.

However, in several articles issued last week, Microsoft claimed that this issue is not a "high risk" for users. This is not the case. The issue is very severe and requires Internet Explorer users to be very careful, disable Active Scripting, or use another product.

See also this open letter posted on The Inquirer from Secunia CTO, Thomas Kristensen:
http://theinq.com/?article=18079

Currently, no solution is available from Microsoft.

Reference:
http://secunia.com/SA12321

--

Chris Evans has discovered a vulnerability in the QT library, which can be exploited to compromise a vulnerable system.

The QT library is used by many applications on several platforms e.g. Windows, Linux/Unix, and Mac OS X. The vulnerability can be exploited through applications that rely on the QT library to decode or display BMP images.

Please view secunia.com for more information on updated packages and programs, which address this vulnerability.

Reference:
http://secunia.com/SA12325

VIRUS ALERTS:

Secunia has not issued any virus alerts during the last week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA12321] Microsoft Internet Explorer Drag and Drop Vulnerability
2.  [SA12304] Internet Explorer Address Bar Spoofing Vulnerability
3.  [SA9711] Microsoft Internet Explorer Multiple Vulnerabilities
4.  [SA11978] Multiple Browsers Frame Injection Vulnerability
5.  [SA12336] PHP-Fusion Public Accessible Database Backups
6.  [SA12381] Winamp Skin File Arbitrary Code Execution Vulnerability
7.  [SA12376] Microsoft Outlook Express "BCC:" Recipient Disclosure Weakness
8.  [SA12303] Adobe Acrobat Reader ActiveX Control Buffer Overflow Vulnerability
9.  [SA12048] Microsoft Internet Explorer Multiple Vulnerabilities
10. [SA12305] MySQL "mysql_real_connect" Buffer Overflow Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA12381] Winamp Skin File Arbitrary Code Execution Vulnerability
[SA12367] Painkiller Password Processing Buffer Overflow Vulnerability
[SA12334] aGSM Buffer Overflow Vulnerability
[SA12372] Easy File Sharing Web Server Exposure of Sensitive Information
[SA12347] Nihuo Web Log Analyzer "User-Agent:" Header Script Insertion Vulnerability
[SA12374] ignitionServer "SERVER" Denial of Service Vulnerability
[SA12365] Bird Chat User Flooding Denial of Service
[SA12346] BadBlue Web Server Multiple Connections Denial of Service Vulnerability
[SA12386] Cisco Secure Access Control Server Multiple Vulnerabilities
[SA12380] Window Washer "Bleached" Data Exposure Weakness
[SA12376] Microsoft Outlook Express "BCC:" Recipient Disclosure Weakness

UNIX/Linux:
[SA12382] Fedora update for gaim
[SA12377] Sun Solaris Multiple Apache Vulnerabilities
[SA12357] Slackware update for Qt
[SA12356] Fedora update for Qt
[SA12354] Gentoo update for mozilla/firefox/thunderbird
[SA12350] Red Hat update for qt
[SA12348] BNC SARA Buffer Overflow Vulnerabilities
[SA12342] Gentoo update for qt
[SA12333] Mandrake update for qt3
[SA12373] WebAPP Directory Traversal Vulnerability
[SA12361] Debian update for icecast-server
[SA12358] Hastymail Script Insertion Vulnerability
[SA12355] Gentoo update for cacti
[SA12352] xv Multiple Buffer Overflow Vulnerabilities
[SA12344] Icecast "User-Agent:" Header Script Injection Vulnerability
[SA12343] Mandrake update for kdelibs/kdebase
[SA12351] sredird Client Signature Information Processing Vulnerabilities
[SA12370] PHP Code Snippet Library Cross-Site Scripting Vulnerability
[SA12369] Gentoo update for kdelibs
[SA12341] Konqueror Cross-Domain Cookie Injection Vulnerability
[SA12339] Sympa Create List Script Insertion Vulnerability
[SA12335] Fedora update for rsync
[SA12363] Sun Solaris CDE Mailer dtmail Privilege Escalation Vulnerability
[SA12349] IMWheel Insecure Temporary File Creation Vulnerability

Other:
[SA12353] Axis Network Camera / Video Server Command Injection and Directory Traversal

Cross Platform:
[SA12379] Netscape Multiple Products NSS Library Vulnerability
[SA12378] Sun Java System Web Server NSS Library Vulnerability
[SA12362] NSS Library SSLv2 Connection Negotiation Buffer Overflow Vulnerability
[SA12371] Symantec Multiple Products ISAKMPd Denial of Service Vulnerability
[SA12359] eGroupWare Cross-Site Scripting and Script Insertion Vulnerabilities
[SA12340] MyDMS SQL Injection and Directory Traversal Vulnerabilities
[SA12338] Mantis Cross-Site Scripting and Script Insertion Vulnerabilities
[SA12336] PHP-Fusion Public Accessible Database Backups
[SA12368] Plesk "login_name" Cross-Site Scripting Vulnerability
[SA12360] PvPGN Unspecified Information Leakage
[SA12345] JShop Server "xPage" Parameter Cross-Site Scripting Vulnerability
[SA12337] Davenport WebDAV-CIFS Gateway XML Denial of Service Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA12381] Winamp Skin File Arbitrary Code Execution Vulnerability
Critical:    Extremely critical
Where:       From remote
Impact:      System access
Released:    2004-08-25

A vulnerability has been reported in Winamp, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12381/

--

[SA12367] Painkiller Password Processing Buffer Overflow Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-08-25

Luigi Auriemma has reported a vulnerability in Painkiller, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/12367/

--

[SA12334] aGSM Buffer Overflow Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-08-24

Dmitriy Baranov has reported a vulnerability in aGSM, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12334/

--

[SA12372] Easy File Sharing Web Server Exposure of Sensitive Information
Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2004-08-26

James Bercegay has discovered a vulnerability in Easy File Sharing Web Server, which can be exploited by malicious people to access sensitive information.

Full Advisory:
http://secunia.com/advisories/12372/

--

[SA12347] Nihuo Web Log Analyzer "User-Agent:" Header Script Insertion Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-08-23

Audun Larsen has reported a vulnerability in Nihuo Web Log Analyzer, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/12347/

--

[SA12374] ignitionServer "SERVER" Denial of Service Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-08-25

A vulnerability has been reported in ignitionServer, which can be exploited by malicious people to cause a DoS (Denial of Service) on vulnerable systems.

Full Advisory:
http://secunia.com/advisories/12374/

--

[SA12365] Bird Chat User Flooding Denial of Service
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-08-24

Donato Ferrante has reported a vulnerability in Bird Chat, which can be exploited by malicious users to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/12365/

--

[SA12346] BadBlue Web Server Multiple Connections Denial of Service Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-08-24

James Bercegay has reported a vulnerability in BadBlue Web Server, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12346/

--

[SA12386] Cisco Secure Access Control Server Multiple Vulnerabilities
Critical:    Less critical
Where:       From local network
Impact:      Security Bypass, DoS
Released:    2004-08-26

Multiple vulnerabilities have been reported in Cisco Secure Access Control Server (ACS), which can be exploited by malicious people to cause a DoS (Denial of Service) or bypass user authentication.

Full Advisory:
http://secunia.com/advisories/12386/

--

[SA12380] Window Washer "Bleached" Data Exposure Weakness
Critical:    Less critical
Where:       Local system
Impact:      Security Bypass, Exposure of sensitive information
Released:    2004-08-26

First Last has reported a weakness in Window Washer, which can be exploited by malicious people to disclose "securely" deleted data on a disk.

Full Advisory:
http://secunia.com/advisories/12380/

--

[SA12376] Microsoft Outlook Express "BCC:" Recipient Disclosure Weakness
Critical:    Not critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2004-08-25

Juha-Matti Laurio has reported a weakness in Outlook Express 6, which may disclose email addresses in "BCC:" fields to other recipients.

Full Advisory:
http://secunia.com/advisories/12376/

UNIX/Linux:--

[SA12382] Fedora update for gaim
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-08-26

Fedora has issued an update for gaim. This fixes multiple vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/12382/

--

[SA12377] Sun Solaris Multiple Apache Vulnerabilities
Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Spoofing, DoS, System access
Released:    2004-08-25

Sun has acknowledged multiple vulnerabilities in Apache for Solaris, which can be exploited to bypass certain security restrictions, cause a DoS (Denial of Service), or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12377/

--

[SA12357] Slackware update for Qt
Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-08-24

Slackware has issued an update for qt. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12357/

--

[SA12356] Fedora update for Qt
Critical:    Highly critical
Where:       From remote
Impact:      System access, DoS
Released:    2004-08-24

Fedora has issued an update for qt. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12356/

--

[SA12354] Gentoo update for mozilla/firefox/thunderbird
Critical:    Highly critical
Where:       From remote
Impact:      Spoofing, DoS, System access
Released:    2004-08-23

Gentoo has issued updates for mozilla, firefox, and thunderbird. These fix multiple vulnerabilities, which can be exploited to abuse other sites' certificates, cause a DoS (Denial of Service), or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12354/

--

[SA12350] Red Hat update for qt
Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-08-23

Red Hat has issued an update for qt. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/12350/

--

[SA12348] BNC SARA Buffer Overflow Vulnerabilities
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-08-24

Matthias Bethke has reported some vulnerabilities in SARA from British National Corpus, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12348/

--

[SA12342] Gentoo update for qt
Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-08-23

Gentoo has issued an update for qt. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12342/

--

[SA12333] Mandrake update for qt3
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-08-19

MandrakeSoft has issued an update for qt3. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12333/

--

[SA12373] WebAPP Directory Traversal Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2004-08-25

A vulnerability has been reported in WebAPP, which can be exploited by malicious people to access sensitive information.

Full Advisory:
http://secunia.com/advisories/12373/

--

[SA12361] Debian update for icecast-server
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-08-24

Debian has issued an update for icecast-server. This fixes a vulnerability, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/12361/

--

[SA12358] Hastymail Script Insertion Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-08-24

The vendor has reported a vulnerability in Hastymail, allowing malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/12358/

--

[SA12355] Gentoo update for cacti
Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of system information
Released:    2004-08-23

Gentoo has issued an update for cacti. This fixes a vulnerability, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/12355/

--

[SA12352] xv Multiple Buffer Overflow Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-08-24

infamous41md has reported multiple vulnerabilities in xv, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12352/

--

[SA12344] Icecast "User-Agent:" Header Script Injection Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-08-24

Markus Wörle has reported a vulnerability in Icecast, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/12344/

--

[SA12343] Mandrake update for kdelibs/kdebase
Critical:    Moderately critical
Where:       From remote
Impact:      Hijacking, Spoofing, Privilege escalation
Released:    2004-08-23

MandrakeSoft has issued updates for kdelibs and kdebase. These fix multiple vulnerabilities, which can be exploited to perform certain actions on a vulnerable system with escalated privileges, spoof the content of websites, or hijack sessions.
Full Advisory:
http://secunia.com/advisories/12343/

--

[SA12351] sredird Client Signature Information Processing Vulnerabilities
Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2004-08-23

Max Vozeler has reported two vulnerabilities in sredird, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12351/

--

[SA12370] PHP Code Snippet Library Cross-Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-08-25

Nikyt0x has reported a vulnerability in PHP Code Snippet Library, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/12370/

--

[SA12369] Gentoo update for kdelibs
Critical:    Less critical
Where:       From remote
Impact:      Hijacking
Released:    2004-08-25

Gentoo has issued an update for kdelibs. This fixes a vulnerability in Konqueror, which potentially can be exploited by malicious people to hijack users' sessions via session fixation attacks.

Full Advisory:
http://secunia.com/advisories/12369/

--

[SA12341] Konqueror Cross-Domain Cookie Injection Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Hijacking
Released:    2004-08-23

WESTPOINT has discovered a vulnerability in Konqueror, which potentially can be exploited by malicious people to conduct session fixation attacks.

Full Advisory:
http://secunia.com/advisories/12341/

--

[SA12339] Sympa Create List Script Insertion Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-08-23

Joxean Koret has reported a vulnerability in Sympa, which can be exploited by malicious, authenticated users to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/12339/

--

[SA12335] Fedora update for rsync
Critical:    Less critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2004-08-20

Fedora has issued an update for rsync. This fixes a vulnerability, which potentially can be exploited by malicious users to read or write arbitrary files on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12335/

--

[SA12363] Sun Solaris CDE Mailer dtmail Privilege Escalation Vulnerability
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-08-24

iDEFENSE has discovered a vulnerability in Sun Solaris, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/12363/

--

[SA12349] IMWheel Insecure Temporary File Creation Vulnerability
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation, DoS
Released:    2004-08-23

I)ruid has reported a vulnerability in IMWheel, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges or cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12349/

Other:--

[SA12353] Axis Network Camera / Video Server Command Injection and Directory Traversal
Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Exposure of sensitive information, System access
Released:    2004-08-23

bashis has reported two vulnerabilities in Axis Network Camera / Video Server, which potentially can be exploited by malicious people to compromise a vulnerable system and gain knowledge of sensitive information.
Full Advisory:
http://secunia.com/advisories/12353/

Cross Platform:--

[SA12379] Netscape Multiple Products NSS Library Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-08-25

ISS X-Force has reported a vulnerability in the NSS library included with various Netscape products, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12379/

--

[SA12378] Sun Java System Web Server NSS Library Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-08-25

ISS X-Force has reported a vulnerability in the NSS library included with Sun Java System Web Server, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12378/

--

[SA12362] NSS Library SSLv2 Connection Negotiation Buffer Overflow Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-08-25

ISS X-Force has reported a vulnerability in the NSS library, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12362/

--

[SA12371] Symantec Multiple Products ISAKMPd Denial of Service Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2004-08-25

A vulnerability has been reported in multiple Symantec products, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12371/

--

[SA12359] eGroupWare Cross-Site Scripting and Script Insertion Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-08-24

Joxean Koret has reported some vulnerabilities in eGroupWare, allowing malicious people to conduct cross-site scripting and script insertion attacks.
Full Advisory: http://secunia.com/advisories/12359/ -- [SA12340] MyDMS SQL Injection and Directory Traversal Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data, Exposure of system information, Exposure of sensitive information Released: 2004-08-23 Joxean Koret has reported two vulnerabilities in MyDMS, which can be exploited by malicious people to conduct SQL injection attacks and for users to access sensitive information. Full Advisory: http://secunia.com/advisories/12340/ -- [SA12338] Mantis Cross-Site Scripting and Script Insertion Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2004-08-23 Joxean Koret has reported two vulnerabilities in Mantis, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks. Full Advisory: http://secunia.com/advisories/12338/ -- [SA12336] PHP-Fusion Public Accessible Database Backups Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2004-08-20 y3dips has reported a vulnerability in PHP-Fusion, allowing malicious people to view sensitive data. Full Advisory: http://secunia.com/advisories/12336/ -- [SA12368] Plesk "login_name" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2004-08-25 Sourvivor has reported a vulnerability in Plesk, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/12368/ -- [SA12360] PvPGN Unspecified Information Leakage Critical: Less critical Where: From remote Impact: Exposure of sensitive information Released: 2004-08-24 The vendor has reported a vulnerability in PvPGN, potentially allowing malicious people to see sensitive information. 
Full Advisory: http://secunia.com/advisories/12360/

--
[SA12345] JShop Server "xPage" Parameter Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-08-23
Dr Ponidi has reported a vulnerability in JShop Server, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/12345/

--
[SA12337] Davenport WebDAV-CIFS Gateway XML Denial of Service Vulnerability
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2004-08-23
A vulnerability has been reported in Davenport WebDAV-CIFS Gateway, which can be exploited by malicious users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/12337/

========================================================================
Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45
========================================================================

From isn at c4i.org Fri Aug 27 06:12:16 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Aug 27 07:00:03 2004
Subject: [ISN] Cisco warns of flaws in ACS product
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,95514,00.html

By Paul Roberts
AUGUST 26, 2004
IDG NEWS SERVICE

Networking equipment maker Cisco Systems Inc. is warning customers about security holes in two products that provide user authentication and authorization services for network devices such as firewalls and routers.
The company issued a security advisory yesterday identifying "multiple denial-of-service- and authentication-related vulnerabilities" in two products: the Cisco Secure Access Control Server for Windows (Windows ACS) and Cisco Secure Access Control Server Solution Engine (Secure ACS). The vulnerabilities could allow attackers or malicious users to crash the ACS products or gain unauthorized access to network devices.

ACS products centralize user identity management for other Cisco products and management applications, allowing administrators to manage and enforce access policies that control who can log into a network.

Cisco found that both the Secure ACS and ACS Windows products stopped responding to new TCP connections after being flooded with TCP connections on Port 2002. The DoS condition hampered the ability of the ACS devices to process authentication requests, and the ACS devices had to be rebooted to restore authentication services, Cisco said.

In other instances, Cisco found that, under certain circumstances, attackers who faked (or "spoofed") the network address of a computer that is accessing the ACS administrative user interface could reach that interface without being asked to log in first, Cisco said.

Cisco released product upgrades for ACS Windows Versions 3.2 and 3.3 and for the ACS Solution Engine. The company recommended that customers with service contracts obtain the updates using the Cisco Product Upgrade Tool or by contacting Cisco's technical assistance center.

From isn at c4i.org Fri Aug 27 06:12:29 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Aug 27 07:00:05 2004
Subject: [ISN] World-renowned hackers gathering in Malaysia
Message-ID:

http://star-techcentral.com/tech/story.asp?file=/2004/8/27/technology/8772532&sec=technology

August 27, 2004

KUALA LUMPUR: More than 20 world-renowned hackers -- not crackers -- will congregate here at the Third Annual Hack In The Box Security Conference (HITBSecConf2004) from Oct 4-7.
In hacker counter-culture parlance, "crackers" are those who hack into computer systems for malicious reasons, while hackers specialise in testing networks to drive the development of intrusion countermeasures.

The hackers attending Malaysia's first non-profit homegrown hacking and network security conference will come from Australia, Canada, Europe, the United States and the Asia Pacific region, conference organiser Hack In The Box (M) Sdn Bhd said in a statement.

HITBSecConf2004 (http://conference.hackinthebox.org) will feature two very prominent keynote speakers: Theo De Raadt and John T. Draper.

Draper, also known as "Captain Crunch," was one of the original members of the Homebrew Computer Club, and has over 30 years of programming and security expertise. Widely known as an information systems security pioneer, he is credited with introducing, among others, Apple Computer Inc cofounders Steve Jobs and Steve Wozniak to the computing world, and a generation of hackers to the concept of "phone phreaking." His work with Jobs and Wozniak led him to become the 13th employee of Apple Computer, where he designed telephone interface boards, as well as hardware and software for the Apple II personal computer.

De Raadt, who will be presenting a paper entitled Exploit Mitigation Techniques, has been involved with free Unix operating systems since 1990, and was one of the founders and prime developers of NetBSD. In 1995 he created the OpenBSD project, developing a free version of Unix that focused primarily on security.

"We are truly honoured that some of the greatest minds of the network security and computer industry have chosen to present their research papers at our event," said Dhillon Andrew Kannabhiran, founder and chief executive officer of Hack In The Box.

"As with last year's conference, attendees will get a look at some of the latest attack and defence methods, including new and previously unpublished exploits," he added.

The main aim of HITBSecConf2004 is to enable the dissemination, discussion and sharing of network security information, presented by respected members of the mainstream network security arena, as well as the underground or "BlackHat" community.

Building on the success of the last two annual conferences, this year's event has been extended to cover four days, kicking off on Oct 4 with a two-day hands-on technical training session, followed by the conference proper. There will also be a "Capture The Flag" live hacking competition on Oct 6 and 7.

"This is truly a golden opportunity for local network security vendors as well as members of the computer industry to come forward and gain first-hand knowledge of the latest threats and attacks facing organisations," said Kannabhiran.

From isn at c4i.org Mon Aug 30 02:28:15 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 30 03:07:44 2004
Subject: [ISN] New method of phishing?
Message-ID:

Forwarded from: Tcat Houser

I don't have a print reference for this... Sorry!

This grandfather was talking to his mother... Old but not stupid (her anyway). She got a land-line telephone call from a computer thanking her for her credit-card application, however they needed to "confirm" some personal data. That of course was a red flag to her. She sure as hell doesn't need to create more things to tidy up should she die tomorrow. (A possibility as her only son is an AARP member!)

As a pretty happy VoIP user with an unlimited account, I can see where it would be rather easy to set up an off-shore VoIP with a stolen CC to continue harvesting.

Forwarded is forearmed.
Tcat

From isn at c4i.org Mon Aug 30 02:30:22 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 30 03:07:45 2004
Subject: [ISN] Inside Security Administrator UPDATE--August 27, 2004
Message-ID:

==== This Issue Sponsored By ====

Windows Scripting Solutions
http://list.winnetmag.com/cgi-bin3/DM/y/ehF20CJgSH0CBw0BFyu0AG

Get Your Free Email Security Toolkit from Postini
http://list.winnetmag.com/cgi-bin3/DM/y/ehF20CJgSH0CBw0BKqm0A4

====================

1. New Additions to the Online Article Archive
September 2003 Issue
- Focus: Preparing for Windows Server 2003
- Features
- Access Denied
- NT Gatekeeper

2. What's New in the Latest Issue
September 2004 Issue
- Focus: Windows XP SP2 Makes Internet Exploring Safer
- Feature: Safer Internet Exploring

==== Sponsor: Windows Scripting Solutions ====

Try a Sample Issue of Windows Scripting Solutions
Windows Scripting Solutions is the monthly newsletter from Windows & .NET Magazine that shows you how to automate time-consuming, administrative tasks by using our simple downloadable code and scripting techniques. Sign up for a sample issue right now, and find out how you can save both time and money. Click here!
http://list.winnetmag.com/cgi-bin3/DM/y/ehF20CJgSH0CBw0BFyu0AG

====================

Security Administrator is a monthly, paid, print newsletter loaded with news and tips to help you manage, optimize, and secure your Web-enabled enterprise. Nonsubscribers can access all the newsletter content in the online article archive from the premiere issue of Security Administrator (February 2001) through the print issue released 1 year ago and featured below. In addition to receiving the monthly print newsletter, subscribers can access all the newsletter content, including the most recent issue, at the Security Administrator Web site.
http://www.winnetmag.com/windowssecurity

Subscribe today and access all the issues online!
https://secure.pentontech.com/nt/security/index.cfm?promocode=00wi25xxhm

====================

==== 1. New Additions to the Online Article Archive ====

September 2003 Issue

To access this issue of Security Administrator, go to the following URL:
http://www.winnetmag.com/windowssecurity/issues/issueid/661/index.html

Focus: Preparing for Windows Server 2003
Learn about changes Microsoft made to its latest server OS to make it more secure out of the box. Other features describe how to configure ISA Server clients, block pop-up ads, understand event ID 560, and much more.

Features

Configuring ISA Server Clients
ISA Server's Web Proxy Autodiscovery capability and Firewall Client software make setup a breeze for intranet clients that use ISA Server to get to the Internet.
--Leon Braginski
http://www.winnetmag.com/windowssecurity/article/articleid/39675/39675.html

Netcat
Discover the varied uses of this handy port-scanning and file-transfer tool.
--Jeff Fellinge
http://www.winnetmag.com/windowssecurity/article/articleid/39680/39680.html

Windows Server 2003: Secure by Default
These 10 changes to default security mechanisms and OS configuration standards help make Windows 2003 more secure out of the box.
--Joe Rudich
http://www.winnetmag.com/windowssecurity/article/articleid/39808/39808.html

Access Denied

Detecting PPTP Attacks on Remote Access Servers
Learn how to determine if an attacker is trying to access your RAS server by guessing usernames and passwords.
--Randy Franklin Smith
http://www.winnetmag.com/windowssecurity/article/articleid/39685/39685.html

Restricting the Programs Users Can Run
Software restriction policies provide more control than APPSEC does.
--Randy Franklin Smith
http://www.winnetmag.com/windowssecurity/article/articleid/39684/39684.html

Understanding Event ID 560
Learn how to distinguish between password changes and password resets.
--Randy Franklin Smith
http://www.winnetmag.com/windowssecurity/article/articleid/39686/39686.html

Using Passwords with Kerberos
Although more resistant to cracking than NTLM, Kerberos is still vulnerable in the absence of strong passwords.
--Randy Franklin Smith
http://www.winnetmag.com/windowssecurity/article/articleid/39683/39683.html

NT Gatekeeper

Granting the Bypass Traverse Checking Advanced User Right
Learn the pros and cons of letting users bypass directory traversal access checks.
--Jan De Clercq
http://www.winnetmag.com/windowssecurity/article/articleid/39678/39678.html

Using NewSID to Acquire Unique SIDs
Learn how to use the NewSID tool to fix a security identity uniqueness problem.
--Jan De Clercq
http://www.winnetmag.com/windowssecurity/article/articleid/39676/39676.html

Using PuList to Determine SID Processes
The PuList command-line tool can display the identity of every process running on your NT 4.0 system.
--Jan De Clercq
http://www.winnetmag.com/windowssecurity/article/articleid/39679/39679.html

====================

==== Announcements ====
(brought to you by Windows & .NET Magazine and its partners)

Do You Find Monitoring Windows Servers a Daunting Task?
In this free eBook, we'll examine four main types of monitoring crucial to any network: performance, capacity, availability, and security. For each area, you'll find out the most important events and conditions to monitor to maximize performance, manage capacity, ensure availability, and stay on top of security. Download this free eBook today!
http://list.winnetmag.com/cgi-bin3/DM/y/ehF20CJgSH0CBw0BKgv0A3

Achieving Service Management May Be Your Destination, but Do You Have the Road Map That Will Take You There?
During this expert panel discussion, you'll get real-world perspectives about how to make the move from the traditional systems-management practice of monitoring individual IT elements to mapping the interdependencies and managing the elements as a single complete service. Register now for this free Web seminar!
http://list.winnetmag.com/cgi-bin3/DM/y/ehF20CJgSH0CBw0BKgw0A4

==== Sponsor: Get Your Free Email Security Toolkit from Postini ====

Get Equipped to Fight Against Spammers With Our Latest Email Security Toolkit II: Includes White Papers, Web Seminar, eBook
Take the next steps against the "silent killer" and learn how to prepare for directory harvest attacks. Plus, find out how to eliminate spam and viruses by learning spammers' new covert tactics designed to get past conventional spam content filters. You'll discover real-world examples of new attacks and threats so you can learn what you must do to protect your organization. Get the latest Email Security Toolkit now!
http://list.winnetmag.com/cgi-bin3/DM/y/ehF20CJgSH0CBw0BKqm0A4

====================

==== 2. What's New in the Latest Issue ====

September 2004 Issue

Focus: Windows XP SP2 Makes Internet Exploring Safer
New service pack adds security enhancements to IE; use packet filtering to add an extra layer of network protection; learn about LogParser's Strings field.

The following article is available at no charge to nonsubscribers for a limited time:

Feature

Safer Internet Exploring
In XP SP2, Microsoft Internet Explorer (IE) includes important security enhancements such as an add-on manager, a pop-up blocking mechanism, and Local Machine security zone lockdown.
--Jan De Clercq
http://list.winnetmag.com/cgi-bin3/DM/y/ehF20CJgSH0CBw0BKqn0A5

Subscribers have access to the entire contents of the September 2004 issue. For a list of the other articles available in this issue, visit the URL below.
http://www.winnetmag.com/windowssecurity/issues/issueid/727/index.html

====================

==== Events Central ====
(brought to you by Windows & .NET Magazine)

New Web Seminar! Email Security and Compliance for Financial Services: What You Need to Know to Safeguard Your Organization
Are you a financial services company bogged down with email management?
In this free Web seminar, learn how to make a case to purchase a reliable email security management solution to help you enforce email security, safeguard the privacy of your messages, and reduce potential liability or risk associated with email communications. Register now!
http://list.winnetmag.com/cgi-bin3/DM/y/ehF20CJgSH0CBw0BKgx0A5

====================

==== Contact Us ====

About the newsletter -- letters@winnetmag.com
About technical questions -- http://www.winnetmag.com/forums
About product news -- products@winnetmag.com
About your subscription -- securityupdate@winnetmag.com
About sponsoring UPDATE -- emedia_opps@winnetmag.com

====================

This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing Windows and related technologies. Subscribe today.
https://secure.pentontech.com/nt/security/index.cfm?promocode=00wi25xxhm

You received this email message because you requested to receive additional information about products and services from the Windows & .NET Magazine Network. To unsubscribe, send an email message to mailto: Security-UPDATE_Unsub@list.winnetmag.com. Thank you!

View the Windows & .NET Magazine Privacy policy at
http://www.winnetmag.com/AboutUs/Index.cfm?action=privacy

Windows & .NET Magazine a division of Penton Media Inc.
221 East 29th Street, Loveland, CO 80538, Attention: Customer Service Department
Copyright 2004, Penton Media, Inc. All Rights Reserved.

From isn at c4i.org Mon Aug 30 02:31:03 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 30 03:07:47 2004
Subject: [ISN] Linux Advisory Watch - August 27th 2004
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                           Weekly Newsletter      |
|  August 27th, 2004                           Volume 5, Number 34a   |
+---------------------------------------------------------------------+

Editors:
Dave Wreski            dave@linuxsecurity.com
Benjamin D. Thomas     ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for ruby, rsync, kdelibs, mysql, acroread, Tomcat, glibc, spamassassin, qt3, ftpd, Netscape, and the Linux kernel. The distributors include Debian, Fedora, Gentoo, Mandrake, NetBSD, Red Hat, SuSE, and Trustix.

-----

>> Internet Productivity Suite: Open Source Security <<
Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design.
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn10

-----

Using swatch for log analysis

With most services, when anything slightly significant happens, a message about it is reported to syslogd. The sooner the user is aware of the message, the sooner the user can take action on it if needed. With log files running to 1000+ lines, log checkers are needed as time savers and to make sure an indication of trouble is not missed.

Swatch stands for Simple WATCHer. Other log analysis software scans the logs periodically and can tell you what HAS happened. Swatch can do this, but it can also actively scan log entries as syslogd gets them and tell you what IS happening. Not only this, swatch can also take actions when it encounters certain log messages.

Installation:

First, download the newest version of swatch. Then run:

    perl Makefile.PL
    make
    make test
    make install
    make realclean

After swatch is installed, perl modules that are needed for use of swatch may also have to be downloaded.

Configuration:

Swatch uses regular expressions to find lines of interest. Once swatch finds a line that matches a pattern, it takes an action, such as printing it to the screen, emailing it, or taking a user defined action.

    watchfor /[dD]enied|DEN.*ED/
      echo bold
      bell 3
      mail
      exec "/etc/call_pager 5551234 08"

This is an example of a section of a swatch configuration script. First, swatch looks for a line that contains the word denied, Denied, or anything that starts with DEN and ends with ED. Once it finds a line that contains one of the three search strings, it echoes the line in bold into the terminal and makes the bell sound (^G) 3 times. Then, swatch emails the user that is running swatch (usually root) about the line and executes the /etc/call_pager program with the given options.

    ignore /sendmail/,/fax/,/unimportant stuff/

In this example, the search strings sendmail, fax, and unimportant stuff are going to be ignored, even if they would normally match one of the strings being looked for.

Use:

Using swatch is very simple. For using swatch to check logs normally, run:

    swatch --config-file=/home/chris/swatch.conf --examine=/var/log/messages

This is assuming that the configuration file for swatch is located at /home/chris/swatch.conf and that the file that is to be checked is called /var/log/messages.

To use swatch as a constantly running service that scans lines of a log file as they come in, run:

    swatch --config-file=/home/chris/swatch.conf --tail-file=/var/log/messages

Security Tip Written by Chris Parker (news@linuxsecurity.com)

Additional tips are available at the following URL:
http://www.linuxsecurity.com/tips/

----

An Interview with Gary McGraw, Co-author of Exploiting Software: How to Break Code

Gary McGraw is perhaps best known for his groundbreaking work on securing software, having co-authored the classic Building Secure Software (Addison-Wesley, 2002).
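The swatch tip above describes two rules that are easy to get wrong when writing your own log watcher: `ignore` patterns take precedence over `watchfor` patterns, and each matched line triggers the whole list of actions attached to its rule. The following is an added example, not swatch itself and not code from the tip's author: a small Python re-implementation of that matching logic, using the exact `watchfor` and `ignore` expressions from the tip (the `/etc/call_pager` command is the tip's own; it is only named here, not executed). The syslog lines it runs over are constructed for the example.

```python
"""Swatch-style log matcher (added example, not swatch itself).

Semantics copied from the swatch tip: ignore patterns are checked first and
drop the line; otherwise the first matching watchfor rule supplies the list
of actions to take. Actions are returned as names, not executed, so the
example runs safely offline.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

@dataclass
class Rule:
    pattern: re.Pattern
    actions: List[str]

# ignore /sendmail/,/fax/,/unimportant stuff/
IGNORE = [re.compile(p) for p in (r"sendmail", r"fax", r"unimportant stuff")]

# watchfor /[dD]enied|DEN.*ED/
#   echo bold
#   bell 3
#   mail
#   exec "/etc/call_pager 5551234 08"
RULES = [
    Rule(re.compile(r"[dD]enied|DEN.*ED"),
         ["echo bold", "bell 3", "mail", 'exec "/etc/call_pager 5551234 08"']),
]

def classify(line: str) -> List[str]:
    """Return the actions swatch would take for one log line ([] = nothing)."""
    if any(p.search(line) for p in IGNORE):
        return []                      # ignore wins even if a watchfor would match
    for rule in RULES:
        if rule.pattern.search(line):
            return list(rule.actions)  # first matching rule supplies all its actions
    return []

def watch(lines: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Equivalent of --examine: run every line through the rules, collect hits."""
    hits = []
    for raw in lines:
        line = raw.rstrip("\n")
        actions = classify(line)
        if actions:
            hits.append((line, actions))
    return hits

def render(line: str, actions: List[str]) -> str:
    """Turn 'echo bold' / 'bell 3' into the terminal output swatch would print."""
    out = line
    for action in actions:
        if action == "echo bold":
            out = "\033[1m" + out + "\033[0m"      # ANSI bold
        elif action.startswith("bell "):
            out += "\a" * int(action.split()[1])    # ^G repeated N times
    return out

# Constructed sample syslog lines (not from any real system)
SAMPLE_LOG = [
    "Aug 27 10:01:02 host sshd[4242]: Permission denied for user guest from 192.0.2.10",
    "Aug 27 10:01:05 host sendmail[111]: connection denied from 192.0.2.11",  # ignored
    "Aug 27 10:01:09 host httpd: access DENIED to /admin",
    "Aug 27 10:02:00 host cron[77]: job finished",
    "Aug 27 10:02:30 host kernel: fax modem DENIED line",                     # ignored
]

if __name__ == "__main__":
    for hit_line, hit_actions in watch(SAMPLE_LOG):
        print(render(hit_line, hit_actions))
        for a in hit_actions:
            print("   ->", a)
```

Run against the sample, only the sshd and httpd lines are reported: the second line would match `[dD]enied` and the last would match `DEN.*ED`, but both carry an ignore string and are dropped before the watchfor rules are consulted. Passing an open file object to `watch()` gives the `--examine` behaviour; a `--tail-file` equivalent would feed it lines as they are appended.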
More recently, he has co-written with Greg Hoglund a companion volume, Exploiting Software, which details software security from the vantage point of the other side, the attacker. He has graciously agreed to share some of his insights with all of us at LinuxSecurity.com
http://www.linuxsecurity.com/feature_stories/feature_story-171.html

---------------------------------------------------------------------

Security Expert Dave Wreski Discusses Open Source Security

LinuxSecurity.com editors have a seat with Dave Wreski, CEO of Guardian Digital, Inc. and respected author of various hardened security and Linux publications, to talk about how Guardian Digital is changing the face of IT security today. Guardian Digital is perhaps best known for their hardened Linux solution EnGarde Secure Linux, touted as the premier secure, open-source platform for its comprehensive array of general purpose services, such as web, FTP, email, DNS, IDS, routing, VPN, firewalling, and much more.
http://www.linuxsecurity.com/feature_stories/feature_story-170.html

------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
| Distribution: Debian            | ----------------------------//
+---------------------------------+

8/20/2004 - ruby
  Insecure file permissions
  This can lead an attacker who also has shell access to the webserver to take over a session.
  http://www.linuxsecurity.com/advisories/debian_advisory-4689.html

8/20/2004 - rsync
  Insufficient path sanitation
  The rsync developers have discovered a security related problem in rsync which offers an attacker access to files outside of the defined directory.
  http://www.linuxsecurity.com/advisories/debian_advisory-4690.html

8/20/2004 - kdelibs
  Insecure temporary file vulnerability
  This can be abused by a local attacker to create or truncate arbitrary files or to prevent KDE applications from functioning correctly.
  http://www.linuxsecurity.com/advisories/debian_advisory-4691.html

8/20/2004 - mysql
  Insecure temporary file vulnerability
  Jeroen van Wolffelaar discovered an insecure temporary file vulnerability in the mysqlhotcopy script when using the scp method which is part of the mysql-server package.
  http://www.linuxsecurity.com/advisories/debian_advisory-4692.html

+---------------------------------+
| Distribution: Fedora            | ----------------------------//
+---------------------------------+

8/20/2004 - rsync
  Insufficient path sanitization
  This update backports a security fix to a path-sanitizing flaw that affects rsync when it is used in daemon mode without also using chroot.
  http://www.linuxsecurity.com/advisories/fedora_advisory-4688.html

+---------------------------------+
| Distribution: Gentoo            | ----------------------------//
+---------------------------------+

8/20/2004 - acroread
  Buffer overflow vulnerabilities
  Acroread contains two errors in the handling of UUEncoded filenames that may lead to execution of arbitrary code or programs.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4682.html

8/20/2004 - Tomcat
  Insecure installation
  Improper file ownership may allow a member of the tomcat group to execute scripts as root.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4683.html

8/20/2004 - glibc
  Information leak vulnerability
  glibc contains an information leak vulnerability allowing the debugging of SUID binaries.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4684.html

8/20/2004 - rsync
  Insufficient path sanitation
  This vulnerability could allow the listing of arbitrary files and allow file overwriting outside the module's path on rsync server configurations that allow uploading.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4685.html
8/20/2004 - xine-lib
  Buffer overflow vulnerability
  An attacker may construct a carefully-crafted playlist file which will cause xine-lib to execute arbitrary code with the permissions of the user.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4686.html

8/20/2004 - courier-imap
  Format string vulnerability
  An attacker may be able to execute arbitrary code as the user running courier-imapd (oftentimes root).
  http://www.linuxsecurity.com/advisories/gentoo_advisory-4687.html

+---------------------------------+
| Distribution: Mandrake          | ----------------------------//
+---------------------------------+

8/20/2004 - rsync
  Insufficient path sanitation
  If rsync is running in daemon mode, and not in a chrooted environment, it is possible for a remote attacker to trick rsyncd into creating an absolute pathname while sanitizing it.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4679.html

8/20/2004 - spamassassin
  Denial of service vulnerability
  Security fix prevents a denial of service attack open to certain malformed messages.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4680.html

8/20/2004 - qt3
  Heap overflow vulnerability
  This vulnerability could allow for the compromise of the account used to view or browse malicious graphic files.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-4681.html

+---------------------------------+
| Distribution: NetBSD            | ----------------------------//
+---------------------------------+

8/20/2004 - ftpd
  Privilege escalation vulnerability
  A set of flaws in the ftpd source code can be used together to achieve root access within an ftp session.
  http://www.linuxsecurity.com/advisories/netbsd_advisory-4678.html

+---------------------------------+
| Distribution: Red Hat           | ----------------------------//
+---------------------------------+

8/20/2004 - Netscape
  Multiple vulnerabilities
  Netscape Navigator and Netscape Communicator have been removed from the Red Hat Enterprise Linux 2.1 CD-ROM distribution as part of Update 5. These packages were based on Netscape 4.8, which is known to be vulnerable to recent critical security issues, such as CAN-2004-0597, CAN-2004-0598, and CAN-2004-0599.
  http://www.linuxsecurity.com/advisories/redhat_advisory-4673.html

8/20/2004 - kernel
  Denial of service vulnerability
  A bug in the SoundBlaster 16 code which did not properly handle certain sample sizes has been fixed. This flaw could be used by local users to crash a system.
  http://www.linuxsecurity.com/advisories/redhat_advisory-4674.html

+---------------------------------+
| Distribution: SuSE              | ----------------------------//
+---------------------------------+

8/20/2004 - rsync
  Insufficient pathname sanitizing
  If rsync is running in daemon-mode and without a chroot environment it is possible for a remote attacker to trick rsyncd into creating an absolute pathname while sanitizing it.
  http://www.linuxsecurity.com/advisories/suse_advisory-4676.html

8/20/2004 - qt3
  Buffer overflow vulnerability
  Chris Evans found a heap overflow in the BMP image format parser which can probably be abused by remote attackers to execute arbitrary code.
  http://www.linuxsecurity.com/advisories/suse_advisory-4677.html

+---------------------------------+
| Distribution: Trustix           | ----------------------------//
+---------------------------------+

8/20/2004 - rsync
  Path escape vulnerability
  Please either enable chroot or upgrade to 2.6.1. People not running a daemon, running a read-only daemon, or running a chrooted daemon are totally unaffected.
  http://www.linuxsecurity.com/advisories/trustix_advisory-4675.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Aug 30 02:31:59 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Aug 30 03:07:48 2004
Subject: [ISN] Tridentcom 2005
Message-ID:

Forwarded from: Sandro Marcelo Rossi

(We apologize if you receive multiple copies of this message)

=======================================================================
Tridentcom 2005
First International Conference on Testbeds and Research Infrastructures for the DEvelopment of NeTworks and COMmunities
Trento (Italy), February 21 - 25, 2005
=======================================================================

Important Dates

Full Papers due: *** September 5, 2004 ***
Notification of Acceptance: October 20, 2004
Camera-ready Manuscripts due: November 10, 2004

Conference proceedings will be published by IEEE Computer Society Press.
IFIP WG6.3 sponsorship pending

Web site with updated conference information:
http://www.tridentcom.org/

=======================================================================

Scope

Telecommunication infrastructures play a vital role in modern society. The advancements in the range of network service offerings, their performance, quality of service, security, and ubiquity are relentless, despite global economy fluctuations. The demand for high bandwidth network infrastructures is continuously growing within both academic and industrial sectors. Grid computing is one of the many examples of the new emerging paradigm of networking characterized by huge data traffic flows, that require an extremely high-performance network infrastructure.
The need of high speed is emerging also in mobile, wireless network environments, where new wireless technologies promise data rates above 100 Mbps. Other high bandwidth network examples include community access networks, on demand optical networks and the Next Generation Internet. To meet these challenges, experimental activities on infrastructures, such as testing, verification, deployment, are pivotal for academic researchers, developers, service managers and providers, as well as for end users. The management of research infrastructures is increasingly dependent on a business model that optimizes their operational price/performance ratio. For example, access to experimental infrastructures for real-life applications by specific user communities would benefit all the stakeholders involved: the end users, because of the experimental evaluation of the provided services, the researchers and infrastructure experimenters, because of the knowledge gained from case-study analysis, and the infrastructure managers, because of the business exploitation of the network. The synergies created by opening research infrastructures to real life users offer all parties involved an enormous development potential, which needs to be thoroughly investigated and discussed. Tridentcom is the first event that brings together all aspects related to experimental telecommunication infrastructures, creating a forum where telecommunication networks researchers, vendors, providers and users can exchange ideas on past experience, requirements, needs, visions for the establishment of such infrastructures. Research on all aspects of testbed and research infrastructure operation and management will find in Tridentcom its first forum for focused discussion. High quality papers reporting on original research and on experiment results addressing the above areas are solicited for submission. 
The main topics of the conference are: Next Generation Internet Testbeds Next Generation Wireless Network Testbeds Next Generation Optical Network Testbeds Ubiquitous Network Testbeds Wireless Sensor Testbeds Testbed Operation & Management for User Communities Testbed Operation & Management for Research Communities Testbed Cooperation & Integration Innovative Measurements Methodologies & Tools Traffic Measurements Testbeds Software Tools to Support Distributed Testbeds / Virtual Laboratories Management of Massive Databases of Experimental Data Knowledge & Technology Transfer Procedures Security (AAA) Testing on Open Testbeds Social Impacts of Infrastructures Infrastructure Real-Life Applications Business Models for Infrastructure Budgeting & Planning Infrastructure Renting & Pricing Policies Vendors & Providers Partnerships The meeting will take place at Trento, capital of the Trentino province, heart of recent and rapidly growing R&D initiatives in Computer Science and Telecommunications, and surrounded by some of the most spectacular skiing resorts in the Alps. Pauses in the conference program will allow social activities and informal interaction among the participants. ======================================================================= Organizing committee: Conference General Co-Chairs: Roberto Battiti, University of Trento Mario Gerla, UCLA Vice General Co-Chairs: Marcos Rogerio Salvador, CPqD Telecom and IT Solutions Marco Ronchetti, University of Trento Steering Committee Chair: Imrich Chlamtac, University of Trento, UT Dallas, Create-Net Technical Program Committee: Co-Chairs: Javier Aracil, Universidad Publica de Navarra Shivkumar Kalyanaraman, Rensselaer Polytechnic Institute Kenichi Mase, Niigata University Members: Ozgur B. 
Akan, Middle East Technical University (Turkey) Giuseppe Bianchi, University of Roma Tor Vergata (Italy) Ernst Biersack, Eurecom (France) Victor Castelo, CSIC-RedIRIS (Spain) Piero Castoldi, Scuola Superiore Sant'Anna (Italy) Michele Crudele, University Campus Bio-Medico di Roma (Italy) Cem Ersoy, Bogazici University (Turkey) Alex Galis, University College London (UK) Giulio Iannello, Università Campus Bio-Medico di Roma (Italy) Parviz Kermani, IBM - Watson Research Center (USA) Cees de Laat, University of Amsterdam (The Netherlands) Xing Li, Tsinghua University (China) Thomas Magedanz, FHI FOKUS (Germany) Olivier Martin, CERN (Switzerland) Peter McBurney, University of Liverpool (UK) Saverio Niccolini, Ecole d'Ingénieurs du Canton de Vaud (Switzerland) Yoram Ofek, University of Trento (Italy) Yuji Oie, Kyushu Institute of Technology (Japan) Bjorn Pehrson, KTH (Sweden) Dipankar Raychaudhuri, Rutgers University (USA) Shiro Sakata, Chiba University (Japan) Rege Romeu Scarabucci, CPqD Telecom & IT Solutions (Brazil) Yuval Shavitt, Tel Aviv University (Israel) Michael Stanton, RNP (Brazil) Bill St. Arnaud, CANARIE (Canada) Csaba Szabó, Budapest University of Technology and Economics (Hungary) Sven Ubik, CESNET (Czech Republic) Hisao Uose, NTT (Japan) Giorgio Ventre, University of Napoli Federico II (Italy) Steven Willmott, UPC (Spain) Adam Wolisz, Technical University of Berlin (Germany) Thomas Ziegler, FTW (Austria) Panel Chair: Michael I. Smirnov, FHI FOKUS Demo Chair: David W.
Walker, University of Cardiff Vice Demo Chair: Maurizio D'Arienzo, University of Napoli Federico II (Italy) Publicity Co-Chairs: North America: Hakki Candan Cankaya, Alcatel USA South America: Sandro Marcelo Rossi, CPqD Telecom and IT Solutions Asia: Shigeo Shioda, Chiba University Publication and Web Chair: Piero Spinnato, Create-Net Finance Chair: Dru Lundeng, ICST Local Organization Chair: Sandro Pera, Create-Net ======================================================================= From isn at c4i.org Mon Aug 30 02:32:22 2004 From: isn at c4i.org (InfoSec News) Date: Mon Aug 30 03:07:50 2004 Subject: [ISN] FBI busts alleged DDoS Mafia Message-ID: Forwarded from: William Knowles http://www.securityfocus.com/news/9411 By Kevin Poulsen SecurityFocus Aug 26 2004 A Massachusetts businessman allegedly paid members of the computer underground to launch organized, crippling distributed denial of service (DDoS) attacks against three of his competitors, in what federal officials are calling the first criminal case to arise from a DDoS-for-hire scheme. Jay Echouafni, 37, is a fugitive from a five-count federal indictment in Los Angeles charging him with aiding and abetting computer intrusion and with conspiracy. As CEO of the online satellite TV retailer Orbit Communication Corp., Echouafni allegedly paid a business associate to recruit members of the computer underground to cripple three online stores, resulting in long periods of downtime and an estimated $2 million in losses to the businesses and their service providers. Paul Ashley, 30, of Powell, Ohio, is named in a separate criminal complaint as Echouafni's go-between in arranging two of the attacks. Ashley was the network administrator of the Web and IRC hosting company CIT/FooNet, run from his home, which was shuttered sometime after being raided by the FBI last February. Three other Americans and one U.K. citizen are charged with actually carrying out the attacks. 
"This is an example of a growing trend: that is, denial of service attacks being used for either extortionate reasons, or to disable or impair the competition," says FBI supervisory special agent Frank Harrill. "It's a growing problem and one that we take very seriously, and one that we think has a very destructive impact and potential." According to an FBI affidavit filed in the case, Echouafni was a client of CIT/FooNet's hosting services when he made a deal with Ashley, then the owner, in October of last year. Echouafni allegedly paid Ashley $1,000 to snuff out two competing websites that he claimed had stolen some of his content and were staging DDoS attacks against his company. Ashley in turn used his connections in the underground, and in at least one case the promise of free CIT/FooNet server, to recruit three associates to do the dirty work: Joshua Schichtel, Jonathan Hall, and Lee Walker, known online as "Emp," "Rain," and "sorCe" respectively. Each of the three apparently had sizable "botnets" at their disposal, meaning they could each command thousands of compromised PCs to simultaneously attack a single host -- Walker alone had control of between 5,000 and 10,000 computers through a customized version of the Agobot worm, according to the FBI affidavit. Schichtel's network of 3,000 zombies was more modest, and he quietly subcontracted the job to Richard "Krashed" Roby, who allegedly took the assignment in exchange for a free shell account. The attacks began on October 6th, with SYN floods slamming into the Los Angeles-based e-commerce site WeaKnees.com, crippling the site, which sells digital video recorders, for 12 hours straight, according to the FBI. The company's hosting provider, Lexiconn, responded by dropping WeaKnees.com as a client, sending the company to more expensive hosting at RackSpace.com. RackSpace fought back, but the attackers proved determined and adaptive. 
In mid-October the simple SYN flood attacks were replaced with an HTTP flood, pulling large image files from WeaKnees.com in overwhelming numbers. At its peak the onslaught allegedly kept the company offline for a full two weeks. (The company declined to comment on the case.) RapidSatellite.com, which sells satellite TV receivers, was hit at the same time and with similar results. The company responded by quickly moving their electronic storefront to the distributed content delivery services of Speedera, only to be crippled three days later by an attack on that provider's DNS servers, which for an hour also blocked access to other Speedera-hosted sites, including Amazon.com and the Department of Homeland Security, according to the FBI affidavit. RapidSatellite then moved to Akamai, but were out again within a week when the attackers switched to an HTTP flood attack, running massive numbers of queries through RapidSatellite.com's search engine. Behind the scenes Ashley was allegedly micromanaging the assault. A chat log recovered from Schichtel's hard drive shows Ashley admonishing his subordinate to stay on top of his portion of the attack: "u gotta keep ane [sic] eye on it...cuz they could null route the ip and change the dns...and it would be back up." When Schichtel asks, "what did they do to you?," Ashley replies with an answer fit for Tony Soprano. "[F]---ing with us...well, a customer."

"Operation Cyberslam"

In December, the alleged DDoS conspirators' informal relationship became more corporate, when Echouafni purchased CIT/FooNet from Ashley, and kept Ashley on as network administrator at a $120,000 a year salary. Ashley, in turn, formally hired Hall to perform "security" for the company -- which the FBI suggests was a euphemism for launching more DDoS attacks against Echouafni's enemies. In February, Echouafni -- now the boss -- phoned Hall directly to order an attack on a new target, according to the government: another satellite T.V.
retailer called Expert Satellite. Hall dutifully launched a SYN flood against the new victim, but the results didn't please his CEO; Echouafni contacted Hall repeatedly to inform him that the site had resurfaced, and to express his disappointment. "Echouafni also implied that [Hall] would be fired if he did not launch the attacks," reads the affidavit By then, law enforcement was making progress on the investigation they code named "Operation Cyberslam." FBI cyber crime agents had spotted what appeared to be reconnaissance for the HTTP flood attacks in WeaKnees.com's October log files, originating from a shell hosting company called Unixcon. Unixcon traced the activity to an account that had been established with a stolen credit card number, but an FBI source, whose identity is protected in the affidavit, fingered U.K. resident and Unixcon administrator Lee "sorCe" Walker as the culprit. Walker was already known to the FBI from an investigation earlier in the year, when one of Walker's IRC enemies complained that Walker had DDoSed him. The Bureau even had Walker's home address. An FBI agent traveled to the U.K. in February to accompany London police as they raided Walker, who admitted to the WeaKnees.com and RapidSatellite.com attacks, and fingered Ashley as his handler, according to the affidavit. The Bureau raided Ashley's home on Valentine's day. Before they hauled away CIT/FooNet's servers -- an act that would briefly cause controversy in the hosting community -- Ashley allegedly admitted to the attacks, and named all three of his cyber button men and Echouafni. Echouafni was arrested in Massachusetts, and released on $750,000 bail secured by his house. "We've alleged in the indictment that Echouafni was the manager, organizer and leader of the group," says assistant U.S. attorney Arif Alikhan, head of the Los Angeles computer crimes section, who's prosecuting the case. He's also missing. 
According to court records, last month Echouafni's attorney won a motion to permit Echouafni's wife and children to "travel freely within and outside of the United States of America," and to have their passports returned. That was Echouafni's last action in court: the government says he's disappeared, and officials believe he's likely in Morocco. "He's a native of Morocco, and he was arrested in March as he returned from Morocco into the U.S.," says the FBI's Harrill. Echouafni's attorney did not return a phone call. The Echouafni investigation was one of a handful of cases specifically cited Thursday by U.S. Attorney General John Ashcroft in announcing what the Justice Department called "Operation Web Snare -- a tallying of over 150 recent and ongoing federal criminal cases relating to computers or identity theft. Ashcroft said the case illustrates "the increased use of the Internet to damage rival businesses and communicate threats for commercial advantage." "I think it's the first case of its kind involving a DDoS for commercial advantage or for hire," says Alikhan. "There are DDoS attacks all the time organized on IRC, but this is certainly the first case where you have a corporate executive who was using the services of another person to launch attacks against competitors." *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. 
Gray, USMC ---------------------------------------------------------------- C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* From isn at c4i.org Mon Aug 30 03:02:54 2004 From: isn at c4i.org (InfoSec News) Date: Mon Aug 30 03:07:51 2004 Subject: [ISN] OMB unveils FISMA how-to Message-ID: http://www.fcw.com/fcw/articles/2004/0823/web-fisma-08-27-04.asp By Florence Olsen Aug 27, 2004 Office of Management and Budget officials this month released final instructions to federal agencies for filing mandatory reports on their systems security efforts in 2004. [1] The annual compliance reports, a requirement under the Federal Information Security Management Act, must be filed by Oct. 6, this year. The 28 pages of instructions include a reporting template and expanded definitions of terms and concepts associated with FISMA. OMB Director Joshua Bolten noted in his instructions that all security requirements established by FISMA apply to all agencies, regardless of their size. The reporting requirements for small agencies, which OMB officials define as microagencies, are slimmed down, he said. But the actual security requirements are the same for all agencies. Microagencies are ones with fewer than 100 employees. Any organization that operates, uses or simply has access to federal information systems must also comply with FISMA, Bolten reminded agency officials. Contractors, grantees, state and local governments, industry partners - none are exempted, the OMB guidelines state. The new guidelines also give federal agencies a Sept. 15, 2005, deadline for categorizing their transactions systems according to recommended user-authentication levels published by the National Institute of Standards and Technology. The technical recommendations for verifying users' identities online appear in NIST Special Publication 800-63.
[1] http://www.cio.gov/documents/FY04%20FISMA%20reporting%20instructions.doc From isn at c4i.org Mon Aug 30 03:03:06 2004 From: isn at c4i.org (InfoSec News) Date: Mon Aug 30 03:07:53 2004 Subject: [ISN] Clarke Touts Broad Approach To IT Security Message-ID: http://www.informationweek.com/story/showArticle.jhtml;jsessionid=DJ0LKLR4Y2FTYQSNDBCSKHY?articleID=45400035 By W. David Gardner TechWeb News Aug. 27, 2004 Richard Clarke, best known as the former counterterrorism czar for presidents Bill Clinton and George W. Bush, ended his government career as the White House adviser to the President on Cyberspace Security. He's now bringing that expertise to the IT world. In an Internet presentation sponsored by RSA Security Inc., Clarke on Thursday sounded the alarm on some possible threats, but also unveiled a list of 10 steps, or checkpoints, to help secure IT installations. Clarke, now chairman of Good Harbor Consulting, advocates a broad approach to IT security, employing what he terms "a holistic view of risk." Clarke noted that the broad area of IT security is growing but has traditionally been slighted by top management in large corporations. He said management--including CEOs, board directors, CIOs, CFOs, HR heads, and internal auditors--should meet regularly to discuss security issues. "This whole group needs to get together once a month," he suggested. Security issues are rapidly growing in importance to business, he said, noting that not only do top executives have to pay attention to legislation like Sarbanes-Oxley and HIPAA, but also that there is much pending legislation--on both the national and state levels--that could benefit from input from informed IT managers and from involved top management. "This [can be] about showing the Congress that you don't need to be regulated, because you're doing it yourself," he said. He ticked off a list of proposed legislation that could become law.
The SEC is considering supporting legislation that would require an IT-security readiness statement to be filed with the SEC annually. The FCC is examining regulations that would require ISPs to beef up their security. Also under consideration, he noted, is legislation aimed at improving security at chemical and electric-power plants. Clarke listed 10 steps for businesses to follow:

* Establish automatic monitoring of compliance and auditing capabilities of networks. "Every day you can see if you're secure," he said.
* Acquire a patch-management system and service. Noting that 50 or 60 patches are issued each week by software providers, Clarke called patching "the No. 1 headache of CIOs."
* Set up an identity-access-management system, preferably a two-factor password-ID system. "Almost any password can be broken" by programs easily available on the Internet, he noted.
* Data should be encrypted in sensitive areas. He said proposed California legislation calls for many IT organizations to encrypt data.
* Participate in an early-warning system, preferably with an organization with a set of detect sensors.
* Establish rigorous security-oriented service-level agreements with ISPs. Clarke indicated that the FCC is considering making this provision mandatory for certain IT users.
* Institute an IT security-awareness program, a sort of catch-all program that would educate staff on widespread security aspects of their networks.
* All software--not just products from Microsoft--should be systematically tested. Clarke noted that buffer-overflow problems have been cited for years but little has been done to correct the problem. He said there is a need for "software products that test software."
* Secure the physical part of the IT organization to make sure that intruders can't just walk in and violate security.
* Address "the road-warrior problem," as illustrated by network users logging in from remote locations who unknowingly have infected software, typically on laptops.
Clarke also addressed the possible security threat posed by the offshore outsourcing of IT operations. "I don't think it's a problem," Clarke said. "Some Indian companies do a better job than U.S. companies." From isn at c4i.org Tue Aug 31 01:15:26 2004 From: isn at c4i.org (InfoSec News) Date: Tue Aug 31 01:38:59 2004 Subject: [ISN] SSH Bouncing - How to get through firewalls easily. ( Message-ID: Forwarded from: "Linux Security: Tips, Tricks, and Hackery"

+------------------------------------------------------------------+
| Linux Security: Tips, Tricks, and Hackery         30-August-2004 |
| Published by Onsight, Inc.                               Edition |
|                                                                  |
| http://www.hackinglinuxexposed.com/articles/20040830.html        |
+------------------------------------------------------------------+

This issue sponsored by Beginning Perl, Second Edition

Hacking Linux Exposed author James Lee's most recent book, Beginning Perl Second Edition, emphasizes the cross-platform nature of Perl. Throughout the book, Lee promotes Perl as a legible, sensible programming language and dispels the myth that Perl is confusing and obscure. Perfect for the beginning Perl user looking to gain a quick and masterful grasp on the language, this concise and focused book begins with the basics and moves on to more advanced features of Perl, including references, modules, and object-oriented programming. For reviews and purchasing information, go to http://www.hackinglinuxexposed.com/books/

--------------------------------------------------------------------

SSH Bouncing - How to get through firewalls easily.
By Brian Hatch

Summary: Often you'll have firewalls or other network equipment that doesn't allow direct SSH access to machines behind it. Using a bit of trickery, you can get through without seemingly jumping through any hoops.

------

Have you ever been in the situation that you wanted to SSH directly to a machine, but there has been some device in between that prevents it?
Say you have a Linux firewall that protects your DMZ, and you have a boatload of machines behind it that you want to manage. There are all sorts of methods that are used to do so, and all have some level of annoyance.

SSH to the intermediate host

The first and most simple solution is to SSH to the machine in the way, say the firewall. The firewall administrator can just set up one or more non-privileged accounts for users who need access to the machines behind it. This is a pain, of course - if you want to upload a file, you need to upload it to the firewall via sftp/scp, and then upload it to the target server. What a pain. And security-wise, you now have all these random firewall accounts running amok, probably not your favourite situation. Of course, it's still nicer than Windows networking, but we can do better.

Non-standard SSH ports

You can set up a bunch of ports that tunnel into the target machines. You might have firewall port 5000 go to port 22 (the SSH port) on machine1, firewall:5001 go to machine2, firewall:5002 go to machine3, etc. For example,

  #!/bin/sh
  # Set up forwards for inbound SSH

  EXT_IP=203.0.113.20    # External IP address (RFC 5737 documentation range)
  EXT_IFACE=eth0         # External Interface
  INT_IFACE=eth1         # Internal Interface

  # handy dandy tcp forward function; argument is "internal_ip external_port"
  tcp_forward () {
      local ext_port int_ip
      echo "$1" | {
          read int_ip ext_port
          # create prerouting and appropriate forward from the tuple
          iptables -A PREROUTING -t nat -p tcp -d $EXT_IP \
              --dport $ext_port -j DNAT \
              --to-destination $int_ip:22
          iptables -A FORWARD -i $EXT_IFACE -o $INT_IFACE \
              -p tcp -d $int_ip --dport 22 -m state \
              --state NEW -j ACCEPT
      }
  }

  tcp_forward " 192.168.1.1 5000"
  tcp_forward " 192.168.1.2 5001"
  tcp_forward " 192.168.1.3 5002"
  tcp_forward " 192.168.1.4 5003"
  ...
  tcp_forward " 192.168.1.58 5057"
  tcp_forward " 192.168.1.59 5058"

What problems do we have with this setup? Well, you need to manage the forwards, which is rather a pain.
Also, you now have these ports open to the outside world, which means you need to create ACLs for them on the firewall or the target or both, lest anyone be able to try to guess passwords. The other problem with this is that you'll get ssh host key conflicts unless you're careful -- you appear to connect to the machine 'firewall' but you get different keys when you hit the actual machine behind it. To get around this, you can use $HOME/.ssh/config sections like this:

  Host machine1
      Hostname firewall.my_network.com
      Port 5000
      HostKeyAlias machine1

  Host machine2
      Hostname firewall.my_network.com
      Port 5001
      HostKeyAlias machine2

Then you can just ssh machine1 and not need to remember the port, and due to the HostKeyAlias option each machine will have its own key recognised correctly, rather than sharing the one for the firewall.

Netcat SSH bounce

This is my preferred method, and it can be used to create a seamless connection. What you do is SSH to the intermediate machine (the firewall in this example) and from that machine you run Netcat (nc). Netcat can be used in all sorts of situations, such as a replacement for telnet:

  $ nc www.some_host.com 80
  GET / HTTP/1.0
  ...

When used as a telnet-like replacement, all it does is open up a connection to the remote port and transfer the data, unaltered, to and from it and your keyboard/screen. So how do we use this to help out with our SSH connection? OpenSSH supports the ability to use a proxy command. A proxy command is a program (shell script, binary, etc) that /usr/bin/ssh will run, rather than making an actual TCP connection to the target. The job of the proxy command is to establish a connection to the target. /usr/bin/ssh talks to this command, and doesn't care how it does its work. So, what will our proxy command do?
  + The proxy command will SSH to the firewall
  + On the firewall, it will run Netcat as follows:

      nc -w 1 target_host 22

The nc command says 'connect to port 22 on the target host, and wait one second after the connection is dead before closing it.' Now Netcat's stdin/stdout are going to be connected to the SSH server on the target, and the /usr/bin/ssh client on your desktop. To the client program, it looks just like it's hit the target directly, the proxy does the work of getting them together. So, how do we create this proxy? How 'bout a shell script:

  $ cat netcat-proxy-command
  #!/bin/sh
  # Usage: netcat-proxy-command bouncehost target
  bouncehost=$1
  target=$2
  ssh "$bouncehost" nc -w 1 "$target" 22

Then point to this proxy command via your $HOME/.ssh/config file:

  $ head $HOME/.ssh/config
  Host machine1
      Hostname machine1
      HostKeyAlias machine1
      ProxyCommand netcat-proxy-command firewall.my_network.com 192.168.1.1

  Host machine2
      Hostname machine2
      HostKeyAlias machine2
      ProxyCommand netcat-proxy-command firewall.my_network.com 192.168.1.2
  ...

Or, to make it even easier to copy/paste, use the fact that %h in a $HOME/.ssh/config file is replaced with the hostname, and you can use the following:

  $ head $HOME/.ssh/config
  Host machine1
      Hostname 192.168.1.1
      HostKeyAlias machine1
      ProxyCommand netcat-proxy-command firewall.my_network.com %h

  Host machine2
      Hostname 192.168.1.2
      HostKeyAlias machine2
      ProxyCommand netcat-proxy-command firewall.my_network.com %h
  ...

All the logic of how to actually get to the host is in the config file, all the magic in getting there is in the proxy script, and you can connect 'directly' to the target machine at the command line like this:

  $ ssh machine1
  $ scp machine1:/path/to/some/file .

Now doing this requires that you can connect to the firewall without a password[1]. If you can't, then you'll want to enable SSH key based security. If you don't know how to do that yet, see one of the "Previous Articles" (http://www.hackinglinuxexposed.com/articles/20021211.html) that covers it.
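The passwordless key that the bounce depends on is, as the article leaves it, a full shell on the firewall for anyone who gets hold of the desktop's private key. The following is an added example, not code from Brian Hatch's newsletter, of the kind of tightening on the firewall user's side that closes that hole: a forced command installed in the firewall account's authorized_keys that will only ever run the exact "nc -w 1 <host> 22" the proxy script sends, and only towards an allowlist of DMZ hosts. The DMZ addresses (192.168.1.1-3) and the install path /usr/local/bin/bounce-only are assumptions chosen to match the article's examples; sshd's SSH_ORIGINAL_COMMAND and the authorized_keys options used are standard OpenSSH.

```shell
#!/bin/sh
# bounce-only: forced command for the firewall account that
# netcat-proxy-command logs in as.  Added example, not from the original
# article; the DMZ addresses and the install path are assumptions.
#
# Install it as the command= option on the desktop's key in the firewall
# user's ~/.ssh/authorized_keys (one line):
#
#   command="/usr/local/bin/bounce-only",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... desktop
#
# sshd then runs this script instead of whatever the client asked for and
# puts the client's request in SSH_ORIGINAL_COMMAND.  We allow exactly the
# "nc -w 1 <host> 22" the proxy sends, to listed hosts only, and refuse
# everything else: interactive logins, chained commands, other ports.

# Hosts this key may bounce to, one per line (assumed DMZ addresses).
ALLOWED_TARGETS="192.168.1.1
192.168.1.2
192.168.1.3"

# check_bounce_cmd "<requested command>": returns 0 if it is an allowed
# bounce, 1 otherwise.  Kept side-effect free so it can be tested without sshd.
check_bounce_cmd() {
    cmd=$1
    # Anything outside letters, digits, space, dot and dash is a shell
    # metacharacter or a glob character: refuse before any word splitting.
    case $cmd in
        *[!a-zA-Z0-9.\ -]*) return 1 ;;
    esac
    # Split on whitespace; a legitimate request is exactly: nc -w 1 <host> 22
    set -- $cmd
    [ "$#" -eq 5 ] || return 1
    [ "$1" = "nc" ] && [ "$2" = "-w" ] && [ "$3" = "1" ] && [ "$5" = "22" ] || return 1
    for allowed in $ALLOWED_TARGETS; do
        [ "$4" = "$allowed" ] && return 0
    done
    return 1
}

# Entry point when sshd runs us as the forced command.
bounce_main() {
    if check_bounce_cmd "${SSH_ORIGINAL_COMMAND:-}"; then
        set -- $SSH_ORIGINAL_COMMAND
        # Only the validated host is used; the port is always 22.
        exec nc -w 1 "$4" 22
    fi
    printf 'bounce-only: refusing "%s"\n' "${SSH_ORIGINAL_COMMAND:-interactive login}" >&2
    exit 1
}

# Only dispatch under sshd (which sets SSH_CONNECTION); running or sourcing
# the file by hand just defines the functions above.
if [ -n "${SSH_CONNECTION:-}" ]; then
    bounce_main
fi
```

With this in place "ssh machine1" from the desktop still works unchanged, because the proxy script's request is exactly the pattern allowed, while "ssh firewall.my_network.com" with the same key gets a refusal instead of a shell, and a request such as "nc -w 1 192.168.1.1 22; cat /etc/shadow" is rejected before any splitting because of the semicolon. The no-pty and no-*-forwarding options on the key matter as much as the script: without them the key could still be used to open a tunnel around the check.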
There are many other options that I didn't cover here, such as VPN technologies, Portknocking and fun tunnels like chownat (http://chownat.lucidx.com/). While these can all be exciting, I'm trying to stick to pretty portable tools that are likely pre-installed on your machines anyway. Next time, we'll see how to tighten security a bit by making changes to the firewall user's configuration. NOTES: [1] If you don't have passwordless authentication to the firewall, you'll need to type the firewall password each time too. This is annoying, but not a show stopper. ------------- Brian Hatch is Chief Hacker at Onsight, Inc and author of Hacking Linux Exposed and Building Linux VPNs. He can't understand how a few months have gone by since he had time to write. Oh wait, maybe it's the number of kids in his home, and the massive distance between him and any free babysitting -- i.e. relatives... Brian can be reached at brian@hackinglinuxexposed.com. -------------------------------------------------------------------- This newsletter is distributed by Onsight, Inc. The list is managed with MailMan (http://www.list.org). You can subscribe, unsubscribe, or change your password by visiting http://lists.onsight.com/ or by sending email to linux_security-request@lists.onsight.com. Archives of this and previous newsletters are available at http://www.hackinglinuxexposed.com/articles/ -------------------------------------------------------------------- Copyright 2004, Brian Hatch. From isn at c4i.org Tue Aug 31 01:15:48 2004 From: isn at c4i.org (InfoSec News) Date: Tue Aug 31 01:39:00 2004 Subject: [ISN] Public Safety Technology Conference Announcement Message-ID: Forwarded from: JUSTNETNews ********************************************************* Major Public Safety Technology Conference Announcement ********************************************************* The U.S.
Departments of Justice and Homeland Security jointly present the 6th Annual "Technologies for Public Safety in Critical Incident Response Conference and Exposition 2004"

Hosted by: DHS's Science & Technology Directorate and DOJ's National Institute of Justice

This first ever joint DOJ-DHS 3-day conference will allow the Department of Homeland Security, Science and Technology Directorate and the Department of Justice, National Institute of Justice to highlight the technology and training tools currently available and being developed for the responder community to deal with major threats to lives and property, such as terrorist attacks. The conference offers a unique opportunity for responders, business and industry, academia and elected Federal, State and local stakeholders to network, exchange ideas and address common critical incident technology needs.

Date: September 27-29, 2004
Location: Hyatt Regency, New Orleans
Theme: Prevention, Response, Preparedness and Recovery
Attendees: Public Safety Practitioners, Federal, State and Local Government, and Industry/Private Sector

Registration Fees:
  $245: Public Safety Practitioner/Government
  $355: Academia/Non-Profit
  $565: Industry/Private Sector/Other

Exhibit Hall: Can accommodate 95 10'x 10' booths

Tentative topics include:
* Interoperability
* Information and Intelligence Sharing
* Transportation Security
* Physical Security for Critical Infrastructure Protection
* Border Security
* Federal Funding and Other Assistance
* Threat and Vulnerability Assessment
* Electronic Crime and Cyber Security
* Countering Terrorist's Use of Explosive Devices
* CBRN Countermeasure Technologies
* Incident Command
* Equipment Standards and Testing
* Simulation and Training Technologies
* Personal Protection
* Technologies for Safer Communities
* Concealed Weapons Detection & Surveillance Tools
* Urban Search and Rescue
* The SAFETY Act
* Gun Shot Detection

Conference co-sponsors:
* U.S. Department of Commerce
* Office of the Assistant Secretary of Defense for Homeland Defense
* Technical Support Working Group
* International Association of Chiefs of Police
* International Association of Fire Chiefs
* National Emergency Management Association
* National Sheriff's Association
* Eastern Kentucky University/Justice & Safety Center

For more information about this conference, please see http://www.regonline.com/eventinfo.asp?EventId=13297 or call Lisa Hecker, Conference Manager, at 505-670-6153.

From isn at c4i.org Tue Aug 31 01:16:00 2004 From: isn at c4i.org (InfoSec News) Date: Tue Aug 31 01:39:02 2004 Subject: [ISN] NY IT Prepares for Disaster Recovery Message-ID: http://www.eweek.com/article2/0,1759,1640495,00.asp By Brian Fonseca August 30, 2004 As New York braces for the Republican National Convention this week, IT managers at the city's financial services companies may be nervous about the potential for terrorism, but they're prepared. Having learned from the terrorist attacks of Sept. 11, 2001, and the massive power blackout of 2003, many Manhattan-based companies are now hardened with beefed-up disaster recovery initiatives, such as encrypted data backup processes, remote backup facilities and redundant telecommunications systems. John Shaffer, like IT managers at financial companies across the city, has checked and rechecked his backup and disaster recovery systems to ensure availability of his company's critical IT resources. "There's definitely a concern. [Terrorists] have obviously picked buildings in our area that are potential targets. Who really knows what's going to happen?" said Shaffer, director of technology at Greenhill & Co. Inc., an investment bank located near Madison Square Garden, site of the RNC. "We've been reviewing our plans to make sure that in the worst-case scenario, I [can] move my e-mail someplace else." The tragic events of Sept.
11 triggered Shaffer and his company to begin implementing serious disaster recovery measures. Some of these included moving its backup facility from New York to Connecticut and providing redundant telecommunications systems outside New York. "I think companies have figured out that they can't have all their assets sitting in one place; you need things outside the city," Shaffer said. "But they still come here to do the work." Looking to eliminate possible single points of failure, Shaffer said his company is also considering deploying VOIP (voice-over-IP) technologies to enable employees to work remotely. Also under consideration is a wireless installation around the company's facility that would reroute calls via a satellite dish, should ground wires become unusable or temporarily disrupted. While the threat of terrorism has remained somewhat of a constant in New York, the RNC has pushed companies located in the area around Madison Square Garden to aggressively plug any holes in their disaster recovery strategies. "I started getting calls before the specific terror targets were named, more convention-centric questions," said Bruce Leibstone, president of Warren Systems Group Inc., a New York company that provides desktop and server infrastructure support services. "They've asked me, 'My office is downtown?is there something I should be doing?' A lot of firms get far removed from the backup process until it's needed." One of Warren Systems' most-sought-after services during the RNC will be an encrypted backup service powered by EVault Inc. technology that can take scheduled or triggered snapshots of customer data without affecting server replication. Russ Vernon, chief operating officer of asset management company Barrett Associates Inc., turned to Warren Systems for help crafting an emergency telecommuting plan during the RNC. 
To prepare, Barrett studied employee commuting habits, determining, for example, which critical employees come in from New Jersey at Pennsylvania Station, which is located under Madison Square Garden, or live in the neighborhood around the arena. Vernon then ensured that Barrett's systems provide remote access for those employees.

"I guess the convention is the next issue in New York, but it could easily be the weather hitting the Florida coast," Vernon said. "We don't look at any one issue, like the convention, different from any other disaster. We need to be ready for anything, whether seen or unforeseen."

To shore up its business continuity measures, CDC Ixis North America Inc., the U.S. arm of a French bank, earlier this year deployed Verizon Communications Corp.'s Enterprise Advance Network. The service provides a 2.4G-bps SONET (Synchronous Optical Network) ring that links voice and data between CDC Ixis' two New York offices and the company's New Jersey disaster recovery site.

But that's not all. CDC Ixis Chief Communications Officer Kieran Long said his company is only months away from adding a mirrored production site in New Jersey that will enable it to have two active instances of its IT operations that back up each other.

The RNC's IT staff said they are ensuring that their own systems remain open at all times. "Our first line of defense is redundancy. Most everyone has a cell and a land line," said Max Everett, director of IT for the RNC. "We're working directly with the Secret Service and US-CERT to ensure our data integrity and network security."

From isn at c4i.org Tue Aug 31 01:24:27 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Aug 31 01:39:04 2004
Subject: [ISN] Report: IRS can't access security data
Message-ID:

http://www.fcw.com/fcw/articles/2004/0830/web-irs-08-30-04.asp

By David Perera
Aug. 30, 2004

An Internal Revenue Service database that collects information but cannot deliver it to users raises questions about the tax agency's modernization plans, according to a recent audit by the Treasury Inspector General for Tax Administration.

As the IRS finally brings modern systems online - including the Customer Account Data Engine, the Integrated Financial System and the Custodial Accounting Project - the lack of an effective audit trail review would "be a significant security weakness that should weigh significantly on whether to accredit future modernization applications," the report states.

The Security Audit and Analysis System (SAAS) is intended to replace the current system that keeps track of when IRS financial data is accessed - a necessary tool for fending off hacker attacks or detecting unauthorized internal access. But even though the audit database can collect records, bad software performance and functionality problems prevent users from querying the information and generating reports, according to the inspector general.

As a result, IRS business units can't use the system to identify possibly malicious actions aimed at updated applications, according to auditors.

Since its delivery in November 2002 by Computer Sciences Corp., the security analysis system has collected audit trail information for the IRS' e-Services and Internet Refund Fact of Filing applications. Both initiatives are part of the agency's $10 billion upgrade of its tax-processing technology.

Auditors charge that agency officials knowingly accepted a defective product - an allegation that Daniel Galik, the IRS' chief of mission assurance, disputes in the agency's official response. "The SAAS met all defined requirements and passed all tests," he wrote.

Citing security concerns, CSC officials declined to comment on the report.

Treasury Department officials also state that problems with the audit system went undetected for almost a year because the IRS' Computer Security Incident Response Center never wrote a help-desk ticket describing the database's defects. The center is responsible for thwarting hacker intrusions into IRS networks, but "apparently, the [center] has not been using the SAAS since the November 2002 system delivery date," the report states.

The IRS will spend $776,000 through the next fiscal year on labor and maintenance for the audit system, according to the report. However, IRS officials said steps are under way to correct the database's failures. Testing of audit trails from updated applications was set to begin this month, and functioning logs will be online by October, according to agency officials.

"Early tests look as if they're on track for completion," said Peggy Begg, assistant inspector general for audit.

Officials said they are establishing internal ownership over the audit trails to ensure that data is reviewed. Periodic compliance reviews will start in March 2005, they said.

IRS officials rejected the auditors' recommendation that the agency develop full-fledged alternatives to the security audit system in case delays continue with the database. Agency officials are committed "to ensuring that SAAS supports the business and security requirements for sensitive systems," the agency's written response states.

From isn at c4i.org Tue Aug 31 01:24:45 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Aug 31 01:39:05 2004
Subject: [ISN] States prepping cyberalert plan
Message-ID:

Forwarded from: William Knowles

http://www.nwfusion.com/news/2004/083004nastd.html

By Tim Greene
Network World
08/30/04

PROVIDENCE, R.I. - Looking to gauge the risk of attacks against their networks, state officials this week will vote on new measures that would assess threats and dictate specific actions to take to protect key resources.
If adopted, the common alert-level procedures would color-code the threat to state networks and recommend action to take in response to specific threats. The proposed cybersecurity alert system would establish a secure Web site state officials could tap to determine why each state has the security ranking it does and whether they should take action based on what other states experience.

Homeland security ranked among the key topics considered last week at the National Association of State Telecommunications Directors (NASTD). The state network executives also shared experiences with VoIP, and concerns about public-safety networks, the threat of worms to state agencies, making more efficient use of existing infrastructure and getting enough staff to carry out their duties.

NASTD members were warned that coordinated attacks against their networks could be a tactic terrorists use. "We should regard cyberterrorism as a weapon of mass destruction," said William Pelgrin, chairman of the Multistate Information Sharing and Analysis Center (MS-ISAC), which he coordinates through the New York State Office of Cyber Security & Critical Infrastructure Coordination.

The system will be very specific, Pelgrin said. "If we went to yellow, it would tell you why and what you need to do right now. It might be: Block Port 445 until a patch comes out."

MS-ISAC has been in development for more than a year and already has helped out member states. During last August's week of worm outbreaks, Arkansas sought and received help to restore its affected network segments, said Claire Bailey, the director of the state's department of information systems.

MS-ISAC is an informal group set up at the request of the Department of Homeland Security (DHS) to gather and share data about critical state government networks with the goal of protecting them from potential cyberattacks that could threaten public health and safety.

While Pelgrin said the full cyber-evaluation criteria are secret, he said the appraisal takes into consideration events outside the networks. For instance, New York has been ranked as blue or "guarded" solely because the Republican National Convention is being held this week in New York City, Pelgrin said, not because of network problems.

Montana, which shares a 600-mile border with Canada, is seeking grants to upgrade law-enforcement radio networks so local, county, state and federal agencies can talk to each other, said Carl Hotvedt, chief of the network technology services bureau for the state's information services division. "The problem is a lot of different systems that don't talk to each other," he said. Federal agents at a remote border crossing recently needed help from the local police 10 miles away, but their radios used different frequencies. "The border patrol needed backup but couldn't contact the local sheriff," Hotvedt said.

Homeland security has given new momentum to a 15-year project to better integrate public safety radio networks, said R.D. Porter, security services manager for the Missouri division of information services. Wyoming, Virginia, Florida and Arizona are among states either planning or revamping their radio networks to interoperate better, he said.

While radio network concerns are somewhat far afield from the concerns of corporate IT executives, other worries are the same. In Pennsylvania the state's acting telecom director is concerned about security of desktops and the threat of worms and viruses shutting down networks for extended times. That translates into a pending proposal to beef up authentication of desktops and servers before they are allowed access to the network, said Charles Strubel, acting director of Pennsylvania's telecom services bureau. He said software to make sure these devices have necessary patches installed would protect networks from worms and Trojans.

Software or hardware to segregate network segments that get infected would limit the effects of outbreaks and keep services closer to normal levels, he said.

Strubel also is looking at building redundant fiber rings to serve schools in the northern part of the state to handle dual purposes. They would deliver needed connectivity for inter-school communication and distance learning. But redundant fiber also would support the schools' role as disaster shelters and command centers by providing high-speed links to emergency agencies.

North Dakota already has a statewide ATM-over-SONET network on which it wants to overlay networks for police agencies to connect via encrypted paths, said Glen Rutherford, network architect for the state's IT department. His proposal to the DHS would make use of North Dakota's existing network to carry traffic that was secured at each end by separate firewalls, authentication software and encryption devices. If it is successful, other states could adopt the model and link their networks to share information, he said.

North Dakota also is seeking funding to back up its data centers to keep key state agencies operating if a disaster strikes its primary site, said Mike Ressler, deputy to the CIO of the state's IT department.

West Virginia has applied for grants to install redundant routers and other network gear to make the state's networks more resilient against attacks, said Deepesh Randeri, manager of state network infrastructure in the department of administration.

In some states, homeland security is more basic, such as extending 911 services to all state facilities, as in the case of Oklahoma. A DHS grant paid for upgrades to PBX software so 911 calls would accurately reflect where a caller was located and interoperate with the public 911 emergency call system.

Mississippi is looking for more staff to keep up with its network security needs, said Jimmy Webster, data network manager for the department of IT services.
He said he only has four staff members who work on security in addition to other duties. While DHS grants are available, Webster said some federal mandates still leave the states short of cash. "There's still a lack of effort to fund some of the things we need to do today," he said.

And physical security, such as protecting airports and bridges, seems to take precedence over protecting networks. "If you compete for money, cyber will lose 90% of the time and physical will win," he said.

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Tue Aug 31 01:25:04 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Aug 31 01:39:07 2004
Subject: [ISN] Overseas Hacker Attacks Increase for 3rd Straight Month: Ministry
Message-ID:

http://english.yna.co.kr/Engnews/20040831/300500000020040831132244E0.html

SEOUL, Aug. 31 (Yonhap) -- The number of South Korean Web sites reported to have been attacked in August by overseas-based hackers rose for the third straight month, sounding alarm bells for the country's cyber security, the government said Tuesday.

In August, overseas hackers attacked 287 Web sites in South Korea, up from 262 in July and 172 in June, the Ministry of Information and Communication said in a statement.

From isn at c4i.org Tue Aug 31 01:25:21 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Aug 31 01:39:08 2004
Subject: [ISN] Get Ready To Patch
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml;jsessionid=QW0L2OWLDGIHWQSNDBCSKHQ?articleID=45400083

By John Foley and George V. Hulme
Aug. 30, 2004

In the first three weeks it's been available, businesses have downloaded more than 1 million copies of Microsoft's Service Pack 2 for Windows XP, and consumers have downloaded many more. It's merely a start in what's shaping up to be the most far-reaching and complex software patch ever attempted. Over the next three months, Microsoft's goal is to push SP2 out to more than 100 million PCs.

Few expect it to be easy. Applications already are breaking as software vendors and systems administrators test the security-packed Windows update before rolling it out to users. Microsoft has identified about 50 applications that are incompatible with SP2, and company officials admit that many custom applications are likely to encounter glitches, too. Last week, Microsoft released a 100-page technical document that describes how companies should assess applications for compatibility with SP2 and what they should do when things don't work.

Microsoft's mother of all patches is just the latest in what's become a familiar and frustrating industrywide exercise, as software companies and their customers race to stay ahead of the worms and other attacks that seek to take advantage of newly discovered vulnerabilities in operating systems and applications. "You have to take this stuff seriously. You can't let your guard down for a second," says Michael Kamens, global network and security manager with Thermo Electron Corp., which has tested SP2 but hasn't determined a rollout schedule for its several thousand Windows XP machines.

For many companies, patching has been akin to software triage, with IT personnel dropping what they're doing every time a critical security bulletin rings the alarm. A growing number of companies, however, are putting people, processes, and tools in place to bring greater efficiency and control to that ad hoc way of doing things. And technology vendors are making some much-needed changes, too.
Oracle has revealed that it will begin releasing its software patches on a once-a-month schedule, so customers can better plan for them. "We believe a single patch encompassing multiple fixes on a predictable schedule better meets the needs of our customers," Oracle said in a written statement. Oracle also indicated that a security fix would be issued shortly for vulnerabilities that have been discovered in its products but declined to comment further on the pending fix or its revised patch strategy.

Microsoft began issuing monthly patches last October, and Computer Associates and SAP have been on regular schedules even longer. SAP uses its Support Portal to make updates available, including specialized patches for customers who may need help reconciling SAP applications with third-party products. CA delivers patches once a quarter, but it moves faster when necessary. "When I sit down with customers, I seldom get to bring up the issue--it's usually one of the top things they mention," says Sam Curry, VP of CA's e-Trust security-management unit.

Jim Burdiss, VP and CIO of Smurfit-Stone Container Corp., likes the trend toward scheduled patches. "The end game is to get away from fire drills as much as possible," he says. "When those patches happen randomly, you force IT to go into a reactive mode." The randomness of ad hoc patches makes resource and budget planning difficult, he says.

Oracle's policy change and product improvements from Microsoft, including new features in Systems Management Server 2003 that automate aspects of Windows patch management, are steps in the right direction. But challenges remain. The Yankee Group consulting firm estimates that a company with more than 500 PCs spends up to 120 staff hours testing and installing every patch. "The issue is, companies have to test and test before deploying a patch," says Yankee Group senior analyst Eric Ogren.

At the Arkansas Army National Guard, two people work full time patching about 50 Windows servers and 1,500 PCs. "That seems excessive," says senior network manager Lynn Melton. "It's frustrating." The military unit uses several tools to deploy patches, including St. Bernard Software's UpdateExpert, Lieberman Software's User Manager Pro, and Cisco Systems' CiscoWorks. Melton tried an earlier version of Microsoft's Systems Management Server but it required too much effort, he says. He's interested in the vendor's Windows Update Services patch-management system, which promises to let customers handle patches for more products than Windows, including SQL Server and Exchange. But it won't be ready until the first half of next year. "If we could use one tool to do more than one thing, that would be helpful," Melton says.

Thermo Electron uses Microsoft's Software Update Services 1.0 tool (the predecessor to Windows Update Services) for patching at its headquarters, but remote locations continue to handle the job locally, so it's a challenge to get everything done quickly. "The problem is, you need a dedicated full-time person to write scripts and push the patches out there," security manager Kamens says. The company is deploying Systems Management Server 2003 to help, but at an estimated total cost of about $1 million, it won't be cheap.

Even after predeployment testing, Kamens says, patches too often "break things." But it's something that has to be done--the risks of unpatched systems include worms and other threats, the data vulnerabilities and system snags associated with such threats, and potential liability, lost productivity, and other costs related to any security breaches. Thermo Electron's IT staff rolls out software updates to 800 servers once a month on a Sunday morning to minimize system downtime.

Companies of all sizes are grappling with the issue. Ajacs Die Sales Corp., a small distributor of tool-and-die components, has only VP of IT Steve Wierenga to patch its 22 PCs and four servers. "We have it under control," says Wierenga, who evaluates Microsoft's patches himself each month. "We're small enough that we can address an issue with a patch in short order if it causes a problem." At the other end of the spectrum, software vendor SupportSoft Inc. says one of its customers, a bank with 50,000 PCs, will have dozens of technicians testing the SP2 patch over several months.

Stolt Sea Farm, a seafood company, takes a no-frills approach. The company's IT environment consists of 550 thin-client terminals and 50 Windows servers spread among locations in about a dozen countries. Because there are no desktop PCs to support and most of its software comes from Microsoft, the company's small IT staff is able to install patches within 24 hours--and it does so without any testing. "I would say we are very efficient," says systems administrator Terje Sorgjerd.

CIO Burdiss of Smurfit-Stone Container believes businesses need to master the nuts and bolts of patch management to focus IT resources on what really matters: delivering increased business value. "Before you can do governance and develop the value of IT to the business and all of the things we're trying to aspire to, you have to have some credibility," he says. "In my mind, the lights-on stuff has to work every time, and these patches can be counter to that."

The good news is that companies generally seem better prepared to deal with patches today than a year ago, using patch-management products from specialists such as PatchLink Corp. and Shavlik Technologies LLC and new capabilities from their primary software suppliers. For example, PeopleSoft Inc., which issues patches quarterly, has cut the number of manual steps required to find, download, and install patches and software updates from 49 to seven.

Better-defined internal procedures at user companies are helping, too. As a result, the Yankee Group estimates costs have dropped to about $150 per patch for each PC, from about $250 last year. Companies are "better at it than they were 12 months ago," says Michael Cherry, an analyst with Directions On Microsoft. "But it still requires a considerable allocation of resources."

That will be especially true with SP2, which, at a minimum of 75 Mbytes per machine, promises to clog networks if not managed carefully. And once it's installed on PCs, help-desk administrators could see a spike in support calls as users grapple with nuances in the way Microsoft's Internet Explorer browser works with SP2 and other security-related changes. "It's going to cause as many problems as it fixes," predicts Simon King, SupportSoft's director of product marketing for enterprise solutions. "It's going to be a huge undertaking."

Microsoft group product manager Barry Goffe says the company is doing everything it can to help. In addition to the 100-page applications-compatibility document, it has already released a 200-page technical overview of SP2, a Solution Accelerator that provides guidance on how to load Windows XP SP2 onto a computer, and other documentation. Over the next few months, Microsoft plans to deliver the beta version of an applications-compatibility toolkit for SP2, which will automate some manual processes. And next year, improved patch management in the form of Windows Update Services should arrive.

It makes for quite a patch. The next few months will tell just how much companies have really improved at managing it all.

-- With Charles Babcock and Beth Bacheldor