From isn at c4i.org Wed Dec 1 06:09:48 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 1 06:30:09 2004
Subject: [ISN] Unprotected PCs Fall To Hacker Bots In Just Four Minutes
Message-ID:

http://www.techweb.com/wire/security/54201306

By Gregg Keizer
TechWeb.com
November 30, 2004

The lifespan of a poorly protected PC connected to the Internet is a mere four minutes, research released Tuesday claimed. After that, it's owned by a hacker.

In the two-week test, marketing-communications firm AvanteGarde deployed half a dozen systems in "honeypot" style, using default security settings. It then analyzed the machines' performance by tallying the attacks, counting the number of compromises, and timing how long it took an attack to successfully hijack a computer once it was connected to the Internet.

The six machines were equipped with Microsoft Windows Small Business Server 2003, Microsoft Windows XP Service Pack 1 (SP1), Microsoft Windows XP SP1 with the free ZoneAlarm personal firewall, Microsoft Windows XP SP2, Macintosh OS X 10.3.5, and Linspire's distribution of Linux.

Not surprisingly, Windows XP SP1 sans third-party firewall had the poorest showing.

"In some instances, someone had taken complete control of the machine in as little as 30 seconds," said Marcus Colombano, a partner with AvanteGarde, and, along with former hacker Kevin Mitnick, a co-investigator in the experiment. "The average was just four minutes. Think about that. Plug in a new PC--and many are still sold with Windows XP SP1--to a DSL line, go get a cup of coffee, and come back to find your machine has been taken over."

Windows XP SP1 with the for-free ZoneAlarm firewall, however, as well as Windows XP SP2, fared much better. Although both configurations were probed by attackers, neither was compromised during the two weeks.

"If you're running a firewall so your machine is not seen, you're less likely to be attacked," said Colombano. "The bot or worm simply goes onto the next machine."
Although Windows XP SP1 includes a firewall, it's not turned on by default. That security hole was one of those plugged--and heavily touted--by Microsoft in SP2.

The successful attacks took advantage of weak passwords on the target machines, as well as a pair of long-patched vulnerabilities in Microsoft Windows. One, the DCOM vulnerability, harks back to July, 2003, and was behind the vicious MSBlast worm of that summer. The second, dubbed the LSASS vulnerability, was first disclosed in April, 2004, and led to the Sasser worm.

The most secure system during the experiment was the one running Linspire's Linux. Out of the box, Linspire left only one open port. While it reacted to ping requests by automated attackers sniffing for victims, it experienced the fewest attacks of any of the six machines and was never compromised, since there were no exposed ports (and thus services) to exploit.

The Macintosh machine, on the other hand, was assaulted as often as the Windows XP SP1 box, but never was grabbed by a hacker, thanks to the tunnel vision that attackers have for Windows.

"The automated bot/worm attackers were exclusively using Windows-based attacks," said Colombano, so Mac and Linux machines are safe. For now. "[But] it would have been very vulnerable had code been written to compromise its system," he added.

For the bulk of users who work with Windows, however, Colombano didn't recommend dumping Redmond's OS and scurrying for the protection of hacker-ignored platforms.

"Update Windows regularly with Microsoft's patches, use a personal firewall--third-party firewalls still have their place, since Microsoft's isn't suited to guard against outbound attacks--keep secure passwords, and use some type of anti-virus and anti-spyware software," he advised.

Of the list, the firewall is the most important. The study concluded, for example, that Linux- and Windows-based machines using an application firewall were the best at preventing attacks.
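As an added example (not from the TechWeb article and not AvanteGarde's code), the Python script below shows what "exposed ports (and thus services)" means on a Linux host in concrete terms: it parses the kernel's /proc/net/tcp socket table and lists every socket in LISTEN state bound to the wildcard address, which is reachable on every interface, and from the Internet unless a firewall sits in front of it. The sample table is constructed, the little-endian byte order is an assumption, and the port annotations (135 for the DCOM path MSBlast used, 445 for the LSASS path Sasser used) are mine; the article names the bugs, not the ports.

```python
"""List TCP listeners exposed on all interfaces, read from /proc/net/tcp.
Added example; not code from the TechWeb article or from AvanteGarde."""
import socket
from dataclasses import dataclass
from typing import List, Tuple

LISTEN = "0A"  # st column value for TCP LISTEN in /proc/net/tcp

# Ports behind the two worm-era bugs the article names (annotation added
# here; the article itself names the bugs, not the ports).
NOTABLE_PORTS = {
    135: "MS RPC endpoint mapper (DCOM bug, MSBlast)",
    445: "SMB (LSASS bug, Sasser)",
}

# Constructed sample of the kernel socket table, not captured from a host.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 00000000:0087 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10003 1 0000000000000000 100 0 0 10 0
   3: 00000000:01BD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10004 1 0000000000000000 100 0 0 10 0
   4: 0F02000A:B3A2 5DB8D877:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 10005 1 0000000000000000 20 4 30 10 -1
"""


@dataclass
class TcpSocket:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str


def _decode_endpoint(field: str) -> Tuple[str, int]:
    """Turn 'XXXXXXXX:PPPP' into (dotted IPv4, port)."""
    ip_hex, port_hex = field.split(":")
    # The kernel prints the IPv4 address as a host-order 32-bit word, so on
    # the little-endian hosts assumed here the four bytes come out reversed.
    ip = socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1])
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> List[TcpSocket]:
    sockets = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_ip, local_port = _decode_endpoint(fields[1])
        remote_ip, remote_port = _decode_endpoint(fields[2])
        sockets.append(TcpSocket(local_ip, local_port, remote_ip, remote_port, fields[3]))
    return sockets


def exposed_listeners(text: str) -> List[Tuple[str, int]]:
    """LISTEN sockets bound to the wildcard address: reachable on every
    interface, and so from the Internet unless a firewall blocks them."""
    return [(s.local_ip, s.local_port)
            for s in parse_proc_net_tcp(text)
            if s.state == LISTEN and s.local_ip == "0.0.0.0"]


def report(text: str) -> List[str]:
    lines = []
    for ip, port in exposed_listeners(text):
        note = NOTABLE_PORTS.get(port, "")
        lines.append(f"exposed: {ip}:{port} {note}".rstrip())
    return lines


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:  # live table on a Linux host
            data = fh.read()
    except OSError:
        data = SAMPLE_PROC_NET_TCP  # fall back to the constructed sample
    print("\n".join(report(data)) or "no wildcard listeners")
```

Run as-is it reads the live table when one exists and otherwise falls back to the constructed sample. An empty report is the "not seen" state Colombano describes; the loopback-only MySQL listener in the sample is left out on purpose, because a service bound to 127.0.0.1 is not reachable by a bot scanning from outside.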
"No machine is immune," he counseled. "No human is safe from every virus, and it's the same for machines. That's why people have to have some personal responsibility about security. You have to be a good citizen on the network, so you're not only protecting yourself, but others who might be attacked from exploits originating on your machine."

From isn at c4i.org Wed Dec 1 06:09:33 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 1 06:30:11 2004
Subject: [ISN] Black Hat CFPs now open: Europe and Asia
Message-ID:

Forwarded from: Jeff Moss

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello ISN,

I've been a bit quiet lately, but with Thanksgiving over I wanted to announce our latest round of CFPs.

BLACK HAT BRIEFINGS CALL FOR PAPERS
EUROPE AND ASIA

The Black Hat Briefings was created to fill the need for computer security professionals to better understand the security risks to information infrastructures and computer systems.

What makes Black Hat Briefings different? The speakers. We select the speakers that are doing unique research, writing the security tools, or finding the bugs. No vendor pitches. Just straight talk from people who are experts in their chosen field of study.

This year our Europe and Asia shows will be held back-to-back, potential presenters are invited to submit CFP's to both shows.

If you have original research, new tools, or a fresh perspective on an old problem, we encourage you to submit a presentation. By presenting at the Black Hat Briefings you have the opportunity to both influence your peers and to contribute to the advancement of the state of the art. We are striving to create a high-end technical conference and any talk that helps reach this goal will be given extra attention. Topics of discussion will include zero day attacks and defenses, deep knowledge, policy, management, and the law.
If you have a speech idea you believe is of Black Hat caliber, do not hesitate to submit it, even if it does not appear to match an existing track. If you have never been to a Black Hat event, please check out our past presentations on-line to get a feel for what we are looking for:

http://www.blackhat.com/html/bh-multimedia-archives-index.html

Please do not wait to submit. Presentations are selected and evaluated in the order received.

Full and detailed explanations are available at:

http://www.blackhat.com/html/bh-europe-05/bh-eu-asia-05-cfp.html

Important Dates

January 15th 2005: Call for Papers closes for Black Hat Europe and Asia 2005. Please submit now
TBD: Early Bird Discount Rate for registration closes
February 15th 2005: Black Hat USA Call for Papers opens
February 16th 2005: Conference & Group discount rates at the Grand Hotel Krasnapolsky, Amsterdam closes
March 29-20th 2005: Black Hat Europe 2005 Training
March 31st to April 1st 2005: Black Hat Europe 2005 Briefings
April 5-6th 2005: Black Hat Asia 2005 Training
April 7-8th 2005: Black Hat Asia 2005 Briefings
July 24-27th 2005: Black Hat Trainings, Caesars Palace, Las Vegas Nevada, USA
July 28-29th 2005: Black Hat Briefings, Caesars Palace, Las Vegas Nevada, USA

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQEVAwUBQawezEqsDNqTZ/G1AQLcOAf/XhyKp4NxdjWMx5RtRFajnSlEnxNLZhEW
nOhvMUuz4mGkHFviIPwrqbaGKuQRt8syzKHZeNoh7Ynlm02WasCEk+90r2PJFUFT
dlBs9aVFdpx1d8lEoZru8eXbYvZ0zHRTexc6hWHW6GW92aV7xWeFc7Fj5h4ctHkB
rX8dM3u1EVE2rz0cv6EYAeAxhK3h0xbP4o5OafwfvEsNtXKC8V4Rw6+b/xnpNhMv
AyrMaXrGdsqB6y2ZMW28NCALQW+bbZ2f1GGHz06Vm4eC7Gr6Ge2X/AezuXDb/RGO
ZYZzsvzHWcUN1s5NX5WtCRqhjV0t2RaBPWNi3lRU45xHrbqC5J9u0A==
=eol8
-----END PGP SIGNATURE-----

From isn at c4i.org Wed Dec 1 06:09:10 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 1 06:30:13 2004
Subject: [ISN] Lycos anti-spam site hit by hackers
Message-ID:

http://news.zdnet.co.uk/internet/security/0,39020375,39175578,00.htm

Munir Kotadia
ZDNet Australia
December 01, 2004
Spammers are suspected of hacking into and downing Lycos's anti-spam Web site just hours after it went live. The Web site is currently inaccessible and could also be the victim of a DDoS attack.

Lycos on Tuesday kicked off its "make love not spam" campaign by offering users a screensaver that helps to launch distributed denial-of-service (DDoS) attacks on spammers' Web sites. The company said the screensaver uses the idle processing power of a computer to slow down the response times from spammers' Web sites - much in the same way spammers use compromised PCs to distribute unsolicited email messages.

However, within hours of the makelovenotspam.com site being launched, the original front page was replaced with a simple message: "Yes, attacking spammers is wrong. You know this, you shouldn't be doing it. Your IP address and request have been logged and will be reported to your ISP for further action."

Finnish antivirus firm F-Secure, which advised users not to participate in Lycos' campaign because of "possible legal problems", suspects the site has been hacked by a pro-spam group because "they definitely would have a motive to attack the site".

F-Secure reported that the Web site had returned to normal by around 6 a.m. (Sydney time) but at the time of writing makelovenotspam.com was unavailable and could be under a retaliatory DDoS attack.

Earlier this year, Symbiot, a Texas-based security firm launched a corporate defence system that was designed to fight back against DDoS and hacker attacks by launching a counter-strike. At the time, Symbiot's president Mike Erwin said that "totally passive" defences were "not an adequate deterrent" and argued that for complete defence an "offensive tactic must be employed".

Security experts were alarmed at the company's attitude and warned that such tactics could be counterproductive.
Jay Heiser, chief analyst at IT risk management company TruSecure, said Symbiot's proposal was a very bad criterion for choosing risk-reduction measures.

"There is no evidence that this is the most effective way to deal with the problems and there is quite a bit of historical precedence that indicates it is totally counterproductive," said Heiser.

Lycos was unavailable for comment.

ZDNet Australia's Munir Kotadia reported from Sydney.

From isn at c4i.org Wed Dec 1 06:10:04 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 1 06:30:14 2004
Subject: [ISN] Stressing security training
Message-ID:

Forwarded from: William Knowles

http://www.fcw.com/geb/articles/2004/1129/web-secure-11-30-04.asp

By Florence Olsen
Nov. 30, 2004

Teaching basic computer security has become an essential part of training government employees, and agency officials who neglect security education will regret it, said David Jordan, chief information security officer for Arlington County, Va.

Employees who are aware of the pitfalls of using computers connected to the Internet are "the most powerful weapons against cyberthreats that you can have," he told Federal Computer Week during a Nov. 29 interview.

That's why Jordan said he spends 15 to 20 minutes with all new county government employees talking to them about cybersecurity. And it's why he sends computer and network security information to employees on a biweekly basis via the county's electronic newsletter. For the latter, he solicits the help of editors in the county's communications office.

Information security officers, he said, should cultivate good relationships with communications experts who can help them teach employees how to avoid being victims of computer worms and viruses. Editors can take a security officer's message and craft it to suit to the audience, Jordan said.
Company officials who sell computer security products also recognize the role user awareness plays in protecting computers and networks from malicious software code. Security policies and firewalls alone won't provide adequate protection, said Kathy Coe, regional director of educational services at Symantec, which makes antivirus and other security software.

Last year, for example, officials at a federal financial institution tested employees' adherence to the agency's computer security policy against opening e-mail attachments from unknown sources. About half of the employees failed the test, Coe said. Against agency policy, they opened an e-mail attachment that purported to show a traffic snarl in Washington, D.C., after a North Carolina tobacco farmer drove his tractor into a shallow pond on the National Mall.

Without consistent and continuous user awareness training, Coe said, all of us are easy prey.

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Wed Dec 1 06:10:19 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 1 06:30:16 2004
Subject: [ISN] Universities struggling with SSL-busting spyware
Message-ID:

http://www.nwfusion.com/news/2004/1130univestrug.html

By Paul Roberts
IDG News Service
11/30/04

U.S. universities are struggling with a flare-up of dangerous spyware that can snoop on information encrypted using SSL. Experts are warning that the stealthy software, called Marketscore, could be used to intercept a wide range of sensitive information, including passwords and health and financial data.
In recent weeks, information technology departments at a number of universities issued warnings about problems caused by the Marketscore software, which promises to speed up Web browsing. The program, which routes all user traffic through its own network of servers, poses a real threat to user privacy, security experts agree.

Columbia University, Cornell University, Indiana University, The State University of New York (SUNY) at Albany, and The Pennsylvania State University are among those noting an increase in the number of systems running Marketscore software in recent weeks. Each institution warned their users about Marketscore and posted instructions for removing the software.

The software is bundled with iMesh peer-to-peer software, and may have made it onto university networks that way, said David Escalante, director of computer security at Boston College.

The company that makes the software, Marketscore, has headquarters in Reston, Va., at the same mailing address as online behavior tracking company comScore Networks. ComScore Networks did not respond to repeated requests for comment.

Reports of infected systems on campuses ranged from a handful up to about 200 on one large campus network, Escalante said.

Marketscore is just the latest incarnation of a spyware program called Netsetter, which first appeared in January, said Sam Curry, vice president of eTrust Security Management at Computer Associates.

"Basically it takes all your Web traffic and forces it through its own proxy servers," he said.

Ostensibly, the redirection speeds up Web surfing, because pages cached on Marketscore's servers load faster than they would if they were served directly from the actual Web servers for sites such as Google.com or Yahoo.com. However, those performance benefits have been elusive.

"People who have installed the software complain to us that they're not getting any improvement," Curry said.
Richard Smith, an independent software consultant in Boston, is also skeptical of performance improvement claims made by Marketscore and others, especially since many Internet service providers already offer Web caching for their dial-up customers, he said in an e-mail message.

At Cornell, the university IT Security Office blocked connections between Cornell's network and the Marketscore servers, according to a message posted on the university's Web site. Administrators at SUNY Albany took similar steps, according to a message posted on that university's Web site.

While other legal software programs make similar claims about improving Web browsing speed as Marketscore, Internet security experts are troubled that the software creates its own trusted certificate authority on computers. That certificate authority intercepts Web communications secured using SSL, decrypting that traffic, then sending it to the Marketscore servers before encrypting the traffic and passing it along to its final destination. That traffic could include sensitive information, including passwords, credit card and Social Security numbers, Curry said.

Marketscore should be a big concern for companies -- especially those like banks with employees who handle sensitive data, Escalante said.

"I don't know how good it is for parties on either end of a transaction to have a third party listening in," he said.

If nothing else, all the extra decrypting and encrypting slows down SSL traffic, casting doubt on Marketscore's claims to be an Internet accelerator, Smith said.

CA's eTrust anti-virus software labeled Marketscore "spyware" up until June of this year, but stopped doing so after Marketscore appealed that designation using an established vendor appeal process, he said. CA is currently re-evaluating the "spyware" designation using a complicated, multifactor scoring system.
The software is less repugnant than its predecessor, Netsetter, which did not clearly disclose to users what it did when installed and made itself difficult to remove. Marketscore is better on both those counts, clearly stating both in the end user license agreement and during the installation process what the product does, and providing users with an easy uninstall program.

CA considers Marketscore an example of a new breed of software that lies in the gray area between spyware and legitimate software, Curry said.

"Under the old definition, (Marketscore) clearly qualified as spyware. But there are new categories emerging," he said.

While Marketscore clearly tracks user behavior, it doesn't hijack Web browser home pages, spew pop-up advertisements or conceal its presence, like earlier generations of spyware did, Curry said.

"There's more granularity. Companies have responded and ... are adding benefits and value to these programs. We're looking at ways to more accurately identify this," he said.

Perhaps trying to increase its appeal, Marketscore is now advertising itself as an e-mail protection service, in addition to an Internet accelerator. According to the Marketscore.com Web site, members will receive Symantec's CarrierScan Server anti-virus technology at no cost.

However, that promise doesn't sit well with Symantec, which said it has no relationship with Marketscore and, in fact, considers the software "spyware," said Genevieve Haldeman, a company spokeswoman.

"We don't have relationships with companies that make software we consider malicious," she said. Symantec is considering legal action to force Marketscore to stop using its name and logo on the Marketscore.com Web site, she said.

Spyware or not, the lesson of Marketscore is that "if it sounds too good to be true, it probably is," Curry said.
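The article's central technical point is that the software installs its own trusted certificate authority and then re-signs SSL sessions so the browser accepts them. As an added example (not from the IDG article and not code from Marketscore, CA, Symantec or any university named), the Python below shows the defender's check for that pattern: walk a presented certificate chain from the leaf to the root it ends in, and flag a chain that validates only because of a root added to the machine's store since a clean baseline snapshot. Certificates are modelled as dicts in the shape Python's ssl.SSLContext.get_ca_certs() returns; the store, the baseline, the chains and the "Hypothetical Proxy Co" root are all constructed for the example.

```python
"""Detect SSL interception by a locally installed certificate authority.
Added example; not code from the article or from any product named in it.
Certificates are modelled as dicts in the shape Python's
ssl.SSLContext.get_ca_certs() returns (subject/issuer as tuples of RDNs).
The store, baseline and chains below are constructed, not captured."""
from typing import Dict, List, Optional, Sequence, Tuple

Name = Tuple[Tuple[Tuple[str, str], ...], ...]
Cert = Dict[str, object]


def name(cn: str, org: str) -> Name:
    """An X.509 name in get_ca_certs() form, built from O and CN."""
    return ((("organizationName", org),), (("commonName", cn),))


def cert(subject: Name, issuer: Name, serial: str) -> Cert:
    return {"subject": subject, "issuer": issuer, "serialNumber": serial}


# Constructed data. The proxy CA name is hypothetical, not Marketscore's.
PUBLIC_ROOT = name("Example Public Root CA", "Example Trust")
PUBLIC_INTERMEDIATE = name("Example Public Issuing CA", "Example Trust")
LOCAL_PROXY_ROOT = name("Web Accelerator Root", "Hypothetical Proxy Co")

# Snapshot of the trusted root store taken while the machine was clean.
BASELINE_ROOTS: List[Cert] = [cert(PUBLIC_ROOT, PUBLIC_ROOT, "01")]
# The same store after an "accelerator" added its own root.
CURRENT_ROOTS: List[Cert] = BASELINE_ROOTS + [
    cert(LOCAL_PROXY_ROOT, LOCAL_PROXY_ROOT, "1000")]

# Chains as a TLS server sends them: leaf first, then intermediates.
GENUINE_CHAIN = [
    cert(name("www.bank.example", "Bank"), PUBLIC_INTERMEDIATE, "7701"),
    cert(PUBLIC_INTERMEDIATE, PUBLIC_ROOT, "02"),
]
# What the browser sees when the local proxy re-signs the bank's site.
INTERCEPTED_CHAIN = [
    cert(name("www.bank.example", "Bank"), LOCAL_PROXY_ROOT, "5150"),
]


def root_of_chain(chain: Sequence[Cert], store: Sequence[Cert]) -> Optional[Cert]:
    """Follow issuer links from the leaf until an installed root is hit."""
    by_subject = {c["subject"]: c for c in chain}
    roots = {c["subject"]: c for c in store}
    current = chain[0]
    seen = set()
    while True:
        issuer = current["issuer"]
        if issuer in roots:
            return roots[issuer]
        if issuer not in by_subject or issuer in seen:
            return None  # chain is incomplete or loops back on itself
        seen.add(issuer)
        current = by_subject[issuer]


def classify_chain(chain, current_store, baseline_store) -> str:
    root = root_of_chain(chain, current_store)
    if root is None:
        return "untrusted"  # would fail validation outright
    if root["subject"] in {c["subject"] for c in baseline_store}:
        return "ok"
    # Validates only because of a root added after the clean snapshot:
    # the local-CA interception pattern the article describes.
    return "local-ca-interception"


def added_roots(current_store, baseline_store) -> List[Name]:
    """Roots present now but absent from the clean snapshot."""
    known = {(c["subject"], c["serialNumber"]) for c in baseline_store}
    return [c["subject"] for c in current_store
            if (c["subject"], c["serialNumber"]) not in known]


if __name__ == "__main__":
    for label, chain in (("genuine", GENUINE_CHAIN), ("intercepted", INTERCEPTED_CHAIN)):
        print(label, "->", classify_chain(chain, CURRENT_ROOTS, BASELINE_ROOTS))
    for subject in added_roots(CURRENT_ROOTS, BASELINE_ROOTS):
        print("root added since baseline:", dict(rdn[0] for rdn in subject))
```

On a real host, ssl.create_default_context().get_ca_certs() yields the loaded trust store in this same dict shape, so saving that list once on a clean machine and running added_roots against it later is the practical form of the baseline check; the chain walk is what the browser does silently, made visible so the "third party listening in" that Escalante describes shows up as a root nobody approved.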
From isn at c4i.org Wed Dec 1 06:10:34 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 1 06:30:18 2004
Subject: [ISN] FBI's Cyber-Crime Chief Relates Struggle for Top Talent
Message-ID:

http://www.eweek.com/article2/0,1759,1733838,00.asp

By Ryan Naraine
November 30, 2004

The FBI's inability to recruit and keep the best available IT talent has proven to be one of the biggest challenges facing the government's Internet Crime Complaint Center (I3C), a senior official said Tuesday.

Delivering the keynote address on the opening day of Ziff Davis Media's Security Virtual Tradeshow, I3C chief Daniel Larkin said the center's staffing problems underline the need for deeper cooperation between the FBI and the IT industry to win the battle against sophisticated cyber-criminals.

"We can't recruit and keep the best available minds in the IT world. They come, stay a few years and move on because, ultimately, we can't pay what the industry pays for talent," Larkin said, adding that the bureau also has experienced difficulties with keeping pace with employees' training needs.

Because of those shortcomings, Larkin said, the I3C spent the past four years forging partnerships with the biggest names in the tech industry to share expertise, coordinate on intelligence and develop best practices and protocols for fighting cyber-crime.

He said the unit has come a long way since its creation in 2000 as the Internet Fraud Complaint Center (IFCC). Originally formed as partnership between the FBI and the National White Collar Crime Center (NW3C) to fight online fraud, Larkin said the unit had to evolve to keep up with the rapidly changing face of crime on the Internet.

The I3C now tackles a range of criminal schemes on the Internet, including spam, phishing, spoofed or hijacked bank accounts, international reshipping schemes with origins in West Africa, cyber-extortion, computer intrusions and economic espionage.
Larkin discussed several major highlights over the years, including "Operation Web Snare" in August, which led to the arrests or convictions of more than 150 individuals and the return of 117 criminal complaints and indictments.

Operation Web Snare was a collaborative effort that included work by 36 U.S. Attorney's offices nationwide, the criminal division of the Department of Justice, 37 of the FBI's 56 field divisions, 13 of the Postal Inspection Service's 18 field divisions, and the Federal Trade Commission, together with a variety of other federal, state, local and foreign law enforcement agencies.

Larkin outlined the need to develop new training capabilities to keep up with online scammers who use multiple techniques to hoodwink Internet users into giving up sensitive personal data.

"We can use individuals from academia and the tech industry to cross-pollinate resources and feed that to our cyber forensics labs to help build strong cases," he said.

"The cycling of new resources into a project brings fresh minds and fresh tactics. That's much more desirable than someone who had been engaged for a few years," he added.

"Originally, we were trying to create the mother of all databases to deal with online fraud. But with our staffing problems, we decided it was better to let the industry leaders do that," Larkin said, adding that the I3C now uses a simple, uniform format for data collection that allows a high level of collaboration.

"We act as a bridge between the industry groups and the task forces working the cases. We'll partner with all sides to ensure that information is flowing smoothly," he said.

-=-

Editor's Note: The Ziff Davis Media Security Virtual Tradeshow is run by eSeminars, a division of Ziff Davis Media, parent company of eWEEK.com.
From isn at c4i.org Thu Dec 2 01:48:44 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Dec 2 02:02:22 2004
Subject: [ISN] DallasCon Professional Cyber Defense Conference
Message-ID:

Forwarded from: DallasCon

DallasCon Professional Cyber Defense Conference
May 2-7, 2005
Dallas, Texas

The wait is over! The fastest growing and the most respected security event in the Southwest is back for its 4th consecutive year. This year, DallasCon is focusing on a practical approach to Network and Wireless Security geared directly to the industry professionals. The event will feature 6-days of intense hands-on training and information on Network and Wireless Security.

If you are a Technical Professional who is interested in learning the latest hacks, tricks, and threats in Information Security to protect your company's networks and assets, then you cannot miss DallasCon 2005!

Don't Delay! To take advantage of the incredible pre-registration prices, you must register before February 15, 2005.

For more information, to submit a paper, or to register visit: http://www.DallasCon.com.

From isn at c4i.org Thu Dec 2 01:49:02 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Dec 2 02:02:24 2004
Subject: [ISN] Tenet warns of terrorists combining physical, telecommunications attacks
Message-ID:

Forwarded from: William Knowles

http://www.govexec.com/dailyfed/1204/120104c1.htm

By Chris Strohm
cstrohm@govexec.com
December 1, 2004

Former CIA Director George Tenet on Wednesday said greater government regulation of the Internet and telecommunications networks is needed in order to guard against terrorist attacks.

The U.S. intelligence community needs to consider how terrorists might attempt to couple an attack on telecommunication networks with a physical attack, Tenet said during a keynote speech at the E-Gov Institute's homeland security conference in Washington.
"Efforts at physical security will not be enough, because the thinking enemy that we confront is going to school on our network vulnerabilities as well, and I think the two are inextricably linked," he said. "The number of known potential adversaries conducting research on information attacks is increasing rapidly and includes intelligence services, military organizations and nonstate entities."

According to Tenet "a loose collection of regional [terrorist] networks" now "thrive independently" worldwide by using telecommunications and the Internet to communicate with and learn from each other at almost no cost.

Telecommunications technology for government and business should have built-in protections, Tenet said, such as intrusion detection and protection systems, antivirus software, authentication and identify management services, and encryption.

"I know that these actions would be controversial in this age where we still think the Internet is a free and open society with no control or accountability," he added. "But, ultimately, the Wild West must give way to governance and control."

Many national media outlets were not allowed to attend Tenet's speech. The Associated Press reported that Tenet insisted that national media be kept out, only allowing in reporters for trade publications that cover the government.

Tenet was also critical of the direction that intelligence reform is taking in Washington. "There's a big focus on structural change at the top. My perspective is, this is all about data," he said.

The U.S. government has "an enormous amount of knowledge" on terrorist activities that should be disseminated to state and local officials, Tenet continued. "We have to start treating them as equals with regard to data and teach them as much as we possibly can by pushing data to them at the lowest levels of classification.
[We should] even begin a very serious process of learning how to write at the unclassified level so we can educate everybody about what we see going on in the world."

"I really believe data sharing and the movement of data is the most critical feature of reform. I think that's where this game gets won and lost," he said. "We're having discussions about power relationships between people in Washington. At the end of day, I don't think that's the right conversation."

Legislation to overhaul the U.S. intelligence community is currently stalled in Congress. A key component of that legislation is creating an intelligence director to oversee the nation's 15 intelligence agencies.

Tenet reiterated criticism he expressed to the 9/11 commission earlier this year that the person leading U.S. intelligence agencies should be affiliated with an agency.

"If you're not getting your hands dirty every day in terms of risk, I don't think you can lead the men and women of American intelligence, or capably inform the president," he said.

From isn at c4i.org Thu Dec 2 01:49:14 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Dec 2 02:02:26 2004
Subject: [ISN] Microsoft releases patch to plug IE vulnerability
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,97957,00.html

By Jaikumar Vijayan
DECEMBER 01, 2004
COMPUTERWORLD

As expected, Microsoft Corp. today released an out-of-cycle security bulletin and patch designed to fix a critical hole in the Internet Explorer Web browser that is already being widely exploited by attackers.
The company also announced a change to Windows Update for three previously issued fixes from October for some users of Windows XP Service Pack 1.

The vulnerability addressed by Microsoft's latest bulletin, MS04-040, was first disclosed on Oct. 24 and exists in the iFrame tags of Internet Explorer. The buffer overflow flaw allows attackers to take complete control of a compromised system and can be exploited by getting users to visit Web sites where malicious code can be downloaded.

A proof-of-concept exploit named Bofra that takes advantage of the iFrame flaw has been available for several days and was used in launching attacks via banner ads last week that redirected users to rogue Web sites.

"We are aware of some proof-of-concept code and public attacks" that take advantage of the flaw, said Stephen Toulouse, security program manager at Microsoft's security response center. That's why Microsoft is urging users to apply the latest patch as soon as possible, he added. The flaw doesn't affect users who have already installed XP SP2, he said.

Meanwhile, Microsoft today reissued three of its fixes from October for users of SP1 who may not have been offered the updates earlier. The problem involves SP1 users who may have downloaded the SP2 patch but have not installed it on their computers yet. Microsoft's Windows Update and Automatic Updates service wouldn't have offered the October fixes automatically to such users, Toulouse said. Today's update fixes the problem for those users.
From isn at c4i.org Fri Dec 3 04:40:00 2004 From: isn at c4i.org (InfoSec News) Date: Fri Dec 3 04:53:06 2004 Subject: [ISN] Secunia Weekly Summary - Issue: 2004-49 Message-ID: ======================================================================== The Secunia Weekly Advisory Summary 2004-11-25 - 2004-12-02 This week : 40 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3...............................This Weeks Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: Monitor, Filter, and Manage Security Information - Filtering and Management of Secunia advisories - Overview, documentation, and detailed reports - Alerting via email and SMS Request Trial: https://ca.secunia.com/?f=s ======================================================================== 2) This Week in Brief: ADVISORIES: Microsoft has issued a patch for Internet Explorer, which addresses a buffer overflow vulnerability (also known as the IFRAME vulnerability) in several HTML elements. The patch has been long awaited, and all users not running systems with Windows XP Service Pack 2 installed, are urged to install this update as soon as possible. See Secunia advisory below for patch links. References: http://secunia.com/SA12959 VIRUS ALERTS: Secunia has not issued any virus alerts during the last week. ======================================================================== 3) This Weeks Top Ten Most Read Advisories: 1. [SA13269] Winamp "IN_CDDA.dll" Buffer Overflow Vulnerability 2. [SA12959] Internet Explorer HTML Elements Buffer Overflow Vulnerability 3. 
[SA13317] Microsoft Internet Explorer "Save Picture As" Image Download Spoofing 4. [SA13271] Sun Java Plug-in Sandbox Security Bypass Vulnerability 5. [SA12889] Microsoft Internet Explorer Two Vulnerabilities 6. [SA13328] Microsoft Windows WINS Replication Packet Handling Vulnerability 7. [SA13203] Microsoft Internet Explorer Two Vulnerabilities 8. [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerability 9. [SA13334] WS_FTP Server FTP Commands Buffer Overflow Vulnerabilities 10. [SA13308] Linux Kernel Local DoS and Memory Content Disclosure Vulnerabilities ======================================================================== 4) Vulnerabilities Summary Listing Windows: [SA13334] WS_FTP Server FTP Commands Buffer Overflow Vulnerabilities [SA13318] MailEnable IMAP Service Buffer Overflow Vulnerabilities [SA13317] Microsoft Internet Explorer "Save Picture As" Image Download Spoofing [SA13328] Microsoft Windows WINS Replication Packet Handling Vulnerability [SA13333] JanaServer Two Denial of Service Vulnerabilities UNIX/Linux: [SA13349] Fedora update for cyrus-imapd [SA13346] Conectiva update for cyrus-imapd [SA13345] SUSE Updates For Multiple Packages [SA13341] Sun Solaris Netscape PNG Image Handling Vulnerabilities [SA13335] Fedora update for gaim [SA13332] Gentoo update for sun-jdk/sun-jre-bin/blackdown-jdk/blackdown-jre [SA13320] Debian update for tetex-bin [SA13315] Mandrake update for cyrus-imapd [SA13310] Debian update for cyrus-imapd [SA13309] Gentoo update for cyrus-imapd [SA13307] jabberd Client to Server Component Buffer Overflow Vulnerability [SA13344] Conectiva update for abiword [SA13338] Debian update for libgd [SA13337] Debian update for libgd2 [SA13323] Fedora update for squirrelmail [SA13339] SUSE update for kernel [SA13336] Fedora update for samba [SA13313] Debian update for yardradius [SA13312] YardRadius "process_menu()" Buffer Overflow Vulnerability [SA13354] Fedora update for iptables [SA13326] Gentoo update for opendchub 
[SA13325] Open DC Hub "RedirectAll" Buffer Overflow Vulnerability
[SA13324] Gentoo update for phpwebsite
[SA13322] Gentoo update for phpmyadmin
[SA13343] Debian update for openssl
[SA13340] Sun Solaris ping Utility Privilege Escalation Vulnerability
[SA13316] Mandrake update for a2ps
[SA13314] Mandrake update for zip
[SA13308] Linux Kernel Local DoS and Memory Content Disclosure Vulnerabilities

Other:

Cross Platform:
[SA13327] Orbz Password Field Buffer Overflow Vulnerability
[SA13331] FreeImage Library Interleaved Bitmap Image Buffer Overflow Vulnerability
[SA13329] Nuked-Klan "Links" Module Script Insertion Vulnerability
[SA13319] YaBB Unspecified "shadow" Tags Script Insertion Vulnerability
[SA13321] Groupmax World Wide Web Cross-Site Scripting and Directory Traversal
[SA13330] IberAgents Clear Text User Credential Disclosure

========================================================================
5) Vulnerabilities Content Listing

Windows:
--
[SA13334] WS_FTP Server FTP Commands Buffer Overflow Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-11-30

Reed Arvin has discovered some vulnerabilities in WS_FTP Server, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13334/

--
[SA13318] MailEnable IMAP Service Buffer Overflow Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-11-26

Hat-Squad has reported two vulnerabilities in MailEnable Professional and MailEnable Enterprise Edition, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/13318/

--
[SA13317] Microsoft Internet Explorer "Save Picture As" Image Download Spoofing

Critical: Moderately critical
Where: From remote
Impact: Spoofing
Released: 2004-11-26

cyber flash has discovered a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to trick users into downloading malicious files.

Full Advisory:
http://secunia.com/advisories/13317/

--
[SA13328] Microsoft Windows WINS Replication Packet Handling Vulnerability

Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2004-11-29

Nicolas Waisman has reported a vulnerability in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13328/

--
[SA13333] JanaServer Two Denial of Service Vulnerabilities

Critical: Less critical
Where: From local network
Impact: DoS
Released: 2004-12-01

Luigi Auriemma has reported two vulnerabilities in JanaServer, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/13333/

UNIX/Linux:
--
[SA13349] Fedora update for cyrus-imapd

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-12-02

Fedora has issued an update for cyrus-imapd. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13349/

--
[SA13346] Conectiva update for cyrus-imapd

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-12-02

Conectiva has issued an update for cyrus-imapd. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/13346/

--
[SA13345] SUSE Updates For Multiple Packages

Critical: Highly critical
Where: From remote
Impact: Security Bypass, DoS, System access
Released: 2004-12-01

SUSE has issued updates for multiple packages. These fix various vulnerabilities, which can be exploited to bypass certain security functionality, cause a DoS (Denial-of-Service), and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13345/

--
[SA13341] Sun Solaris Netscape PNG Image Handling Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2004-12-01

Sun has acknowledged some vulnerabilities in the Netscape browser for Solaris, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13341/

--
[SA13335] Fedora update for gaim

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-11-30

Fedora has issued an update for gaim. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13335/

--
[SA13332] Gentoo update for sun-jdk/sun-jre-bin/blackdown-jdk/blackdown-jre

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-11-30

Gentoo has issued updates for sun-jdk, sun-jre-bin, blackdown-jdk, and blackdown-jre. These fix a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13332/

--
[SA13320] Debian update for tetex-bin

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-11-26

Debian has issued an update for tetex-bin. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/13320/

--
[SA13315] Mandrake update for cyrus-imapd

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-11-26

MandrakeSoft has issued an update for cyrus-imapd. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13315/

--
[SA13310] Debian update for cyrus-imapd

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-11-25

Debian has issued an update for cyrus-imapd. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13310/

--
[SA13309] Gentoo update for cyrus-imapd

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-11-25

Gentoo has issued an update for cyrus-imapd. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13309/

--
[SA13307] jabberd Client to Server Component Buffer Overflow Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-11-25

Zhaowei has reported a vulnerability in jabberd, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13307/

--
[SA13344] Conectiva update for abiword

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-12-02

Conectiva has issued an update for abiword. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13344/

--
[SA13338] Debian update for libgd

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-11-30

Debian has issued an update for libgd.
This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13338/

--
[SA13337] Debian update for libgd2

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-11-30

Debian has issued an update for libgd2. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13337/

--
[SA13323] Fedora update for squirrelmail

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-11-29

Fedora has issued an update for SquirrelMail. This fixes a vulnerability, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/13323/

--
[SA13339] SUSE update for kernel

Critical: Moderately critical
Where: From local network
Impact: Privilege escalation, DoS, Exposure of sensitive information
Released: 2004-12-02

SUSE has issued an update for the kernel. This fixes multiple vulnerabilities, which potentially can be exploited by malicious, local users to gain escalated privileges or by malicious people to cause a DoS (Denial of Service) or leak kernel memory.

Full Advisory:
http://secunia.com/advisories/13339/

--
[SA13336] Fedora update for samba

Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2004-11-30

Fedora has issued an update for samba. This fixes two vulnerabilities, which can be exploited by malicious users to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13336/

--
[SA13313] Debian update for yardradius

Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2004-11-26

Debian has issued an update for yardradius.
This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13313/

--
[SA13312] YardRadius "process_menu()" Buffer Overflow Vulnerability

Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2004-11-26

Max Vozeler has reported a vulnerability in YardRadius, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13312/

--
[SA13354] Fedora update for iptables

Critical: Less critical
Where: From remote
Impact:
Released: 2004-12-02

Fedora has issued an update for iptables. This fixes a security issue, where iptables under some circumstances fails to load required modules.

Full Advisory:
http://secunia.com/advisories/13354/

--
[SA13326] Gentoo update for opendchub

Critical: Less critical
Where: From remote
Impact: System access
Released: 2004-11-29

Gentoo has issued an update for opendchub. This fixes a vulnerability, which can be exploited by certain malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13326/

--
[SA13325] Open DC Hub "RedirectAll" Buffer Overflow Vulnerability

Critical: Less critical
Where: From remote
Impact: System access
Released: 2004-11-29

Donato Ferrante has reported a vulnerability in Open DC Hub, which can be exploited by certain malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13325/

--
[SA13324] Gentoo update for phpwebsite

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-11-29

Gentoo has issued an update for phpwebsite. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/13324/

--
[SA13322] Gentoo update for phpmyadmin

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-11-29

Gentoo has issued an update for phpmyadmin. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/13322/

--
[SA13343] Debian update for openssl

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-12-02

Debian has issued an update for openssl. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/13343/

--
[SA13340] Sun Solaris ping Utility Privilege Escalation Vulnerability

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-12-01

A vulnerability has been reported in Sun Solaris, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/13340/

--
[SA13316] Mandrake update for a2ps

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-11-26

MandrakeSoft has issued an update for a2ps. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/13316/

--
[SA13314] Mandrake update for zip

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-11-26

MandrakeSoft has issued an update for zip. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/13314/

--
[SA13308] Linux Kernel Local DoS and Memory Content Disclosure Vulnerabilities

Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information, DoS
Released: 2004-11-25

Two vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain knowledge of potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/13308/

Other:

Cross Platform:
--
[SA13327] Orbz Password Field Buffer Overflow Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-11-30

Luigi Auriemma has reported a vulnerability in Orbz, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13327/

--
[SA13331] FreeImage Library Interleaved Bitmap Image Buffer Overflow Vulnerability

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2004-11-30

A vulnerability has been reported in FreeImage, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13331/

--
[SA13329] Nuked-Klan "Links" Module Script Insertion Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-11-29

XioNoX has reported a vulnerability in Nuked-Klan, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/13329/

--
[SA13319] YaBB Unspecified "shadow" Tags Script Insertion Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-11-26

A vulnerability has been reported in YaBB, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/13319/

--
[SA13321] Groupmax World Wide Web Cross-Site Scripting and Directory Traversal

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Exposure of sensitive information
Released: 2004-11-29

Two vulnerabilities have been reported in Groupmax World Wide Web and Groupmax World Wide Web Desktop, which can be exploited to conduct cross-site scripting attacks or access arbitrary HTML files.

Full Advisory:
http://secunia.com/advisories/13321/

--
[SA13330] IberAgents Clear Text User Credential Disclosure

Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2004-11-29

A security issue has been reported in IberAgents, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/13330/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

========================================================================

From isn at c4i.org Fri Dec 3 04:40:34 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 3 04:53:08 2004
Subject: [ISN] Former cybersecurity czar: Code-checking tools needed
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,97988,00.html

By Grant Gross
DECEMBER 02, 2004
IDG NEWS SERVICE

WASHINGTON -- Software vendors need automated tools that look for bugs in their code, but it may be a decade before many of those tools are mature and widely used, said the former director of cybersecurity for the U.S. Department of Homeland Security.

Creating software assurance tools was one long-term focus of the DHS National Cybersecurity Division during Amit Yoran's tenure there, Yoran said today during the E-Gov Institute Homeland Security and Information Assurance Conferences in Washington.

About 95% of software bugs come from 19 "common, well-understood" programming mistakes, Yoran said, and his division pushed for automation tools that comb software code for those mistakes.

"Today's developers ... oftentimes don't have the academic discipline of software engineering and software development and training around what characteristics would create flaws in the program or lead to bugs," Yoran said.

Government research into some such tools is in its infancy, however, he added. "This cycle will take years if not decades to complete," he said. "We're realistically a decade or longer away from the fruits of these efforts in software assurance."

Yoran, who resigned from his DHS position in September after being on the job for a year, hinted at why he left, but sidestepped a question about the reasons.
In the private sector, he had a "real objective" on how to move forward, he said. "When you move into a strategic and somewhat ill-defined role of 'protect cyberspace,' that's a very difficult mission to get your arms around," he said. "You show up to work on a Monday morning, you're ready to put your fingers to the keyboard, you've got a team of folks working with you, what do you do ... to secure cyberspace from within the Department of Homeland Security?"

Most Internet resources are owned by the private sector, and the U.S. government has been hesitant to pass cybersecurity mandates, noted Yoran, former vice president of worldwide managed security services at Symantec Corp. With no operational or regulatory control over most of the Internet, the goal of securing cyberspace at DHS was difficult, he said.

Asked if that lack of authority was a reason for leaving the post, Yoran said his successor will need to "look at go-forward issues" in cybersecurity that the division can best address.

Yoran, however, defended President George W. Bush's National Strategy to Secure Cyberspace, released in February 2003. The strategy, which sets out five major cybersecurity recommendations, did not advocate regulation, and the White House took the right approach in developing those recommendations by consulting with private industry, Yoran said.

"As the Department of Homeland Security ... implementing the national strategy is not our job; it's not our responsibility," he said. "It's the nation's job, it's the international technology community's job and responsibility. We can just help."

The national strategy and efforts at DHS can help move cybersecurity efforts beyond the current "cat and mouse game" of finding vulnerabilities, assessing whether to patch them, and patching them when the problems become painful to companies, Yoran said.
He predicted a "radical transformation" in the cybersecurity field within two to four years as more companies and government agencies accept technologies such as Web services, remote Internet access and RFID (radio frequency identification) tags.

"In the next two to three years, you won't be able to define where your network begins and ends," Yoran said. "The paradigms we rely on today for protecting our information -- stronger firewalls, more accurate intrusion detection -- those types of technologies will be required, but they will be solving an increasingly small percentage of the challenges that are going to be facing us."

From isn at c4i.org Fri Dec 3 04:40:22 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 3 04:53:10 2004
Subject: [ISN] Heathrow Security Scare
Message-ID:

Forwarded from: William Knowles

http://www.sky.com/skynews/article/0,,30000-1162666,00.html

December 03, 2004

Sky News has uncovered major security lapses at Heathrow airport after an undercover reporter repeatedly gained access to restricted areas.

Airport offices and out-of-bounds airside areas were easily breached, forcing bosses to review procedures.

An undercover Sky News reporter highlighted how easy it was to walk into British Airways offices containing confidential security documents. He also managed to walk by passenger planes just hours before they were due to take off.

BA has launched an investigation following the report, while the British Airports Authority (BAA), owner of Heathrow, admitted "there was room for improvement".

The reporter returned to the airport on a number of occasions at night and carrying only a broom managed to escape the attention of security. Only once was he challenged, but even then staff did not ask for security credentials and he was allowed to carry on.

He found a BA office unlocked and inside key manuals detailing the airline's security procedures.
It detailed how staff are supposed to respond to bomb threats, how they are vetted before joining, and procedures for negotiating with hijackers.

On another occasion the reporter broke through what should have been a watertight cordon keeping the public away from restricted areas of the airport. From the public viewing platform on top of Terminal 2 he found a gap in razorwire and slipped through.

Once down on to the ground, he walked for 15 minutes unchecked and unnoticed around airliners that later would be filled with passengers.

A BAA spokesman said: "Safety and security are the top priorities at Heathrow.

"We are constantly seeking ways to maintain an effective barrier between the landside and airside parts of the airport, and to remain alert to any potential vulnerabilities.

"On the basis of the information provided by Sky News, it would appear that there is room for improvement in this particular area of the airport and we have already taken steps to address that."

And BA also said it would take action. A statement said: "Safety and security are always our top priorities and we are extremely concerned to hear that an undercover reporter has taken some documents and a high visibility vest from one of our landside offices within Terminal 1 at London Heathrow.

"We have launched our own immediate investigation into the allegations made against the airline to ensure that appropriate action is taken to avoid this happening again."

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Fri Dec 3 04:40:46 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 3 04:53:11 2004
Subject: [ISN] Antispam screensaver downs two sites in China
Message-ID:

http://news.zdnet.com/2100-1009_22-5474963.html

By Dan Ilett
ZDNet (UK)
December 2, 2004

Lycos Europe's "Make love not spam" campaign has killed access to some of the Web sites of its target alleged spammers, Netcraft has found.

According to the Internet traffic monitoring company, Lycos Europe has successfully taken two Web sites hosted in China offline. The sites are bokwhdok.com and printmediaprofits.biz, according to a posting on Netcraft's Web site, dated this week.

"A distributed denial-of-service (DDoS) attack launched by users of Lycos Europe's MakeLoveNotSpam.com screensaver has succeeded in crippling several spammer sites, but some of the targeted sites remain available," the posting said.

Lycos Europe was unavailable for comment on the matter, but the company said on Tuesday it was not carrying out DDoS attacks, just slowing the bandwidth of its targets. It added that it had no intention of taking Web sites offline.

"I have to be very clear that it's not a denial-of-service attack," Malte Pollmann, director of communications services for Lycos, said on Tuesday. "We slow the remaining bandwidth to 5 percent. It wouldn't be in our interests to (carry out DDoS attacks). It is to increase the cost of spamming. We have an interest to make this, economically, unattractive."

Lycos Europe is a separate company from the Web portal that bears the Lycos name in the United States. It claims that it maintains roughly 40 million e-mail accounts in eight European countries.

The "Make love not spam" screensaver site appeared to have been taken down by its operators on Wednesday.
It now shows a graphic and the words "Stay tuned."

On Tuesday, the Web portal denied claims that it had been hit by hacker attacks, saying a reported defacement of the "Make love not spam" Web site was a hoax. But Netcraft, among others, reported that the Web site was unavailable at several intervals that day.

Lycos Europe launched its antispam campaign earlier this week, offering users a screensaver that uses the idle processing power of their computers to slow down bandwidth that connects to spammers' Web sites.

Steve Linford, director of international spam-fighting organization Spamhaus, said on Tuesday that by attacking spammers' bandwidth, the portal could be attacking innocent users' bandwidth.

From isn at c4i.org Fri Dec 3 04:41:03 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 3 04:53:13 2004
Subject: [ISN] You're faxing my what, where?
Message-ID:

http://www.canada.com/technology/story.html?id=abe9da66-e9cf-4f5e-9828-d97611c5a234

Jim Middlemiss
Financial Post
December 2, 2004

Businesses can avoid potential public relations and legal nightmares by developing privacy policies, authentication processes and using cutting-edge technology.

The Canadian Imperial Bank of Commerce learned this the hard way last week when U.S. scrapyard operator Wade Peer went public with his story about how one of Canada's largest banks was flooding his fax machine with highly confidential information about its clients for the past three years.

The faxes, he said, contained social insurance numbers, bank accounts and client signatures, and despite repeated calls from him they just kept piling up. Finally he sued CIBC to make them stop.

The problem appears to stem from the fact Mr. Peer's toll-free number for his autoparts business, which he was forced to close, is similar to that of one of the bank's processing centres.
After the story appeared in the press, the bank issued a cease-and-desist order to employees across the country, prohibiting them from sending internal faxes containing client information. Instead, they were advised to use the internal courier system or pick up a phone and engage in an old-fashioned conversation.

In a statement CIBC said for the long-term "we are exploring other potential secure technological alternatives for the timely transmission of confidential information between branches and processing centres."

Legislators and governments at the provincial and federal level have identified this problem and passed a range of laws requiring companies to take better care of sensitive employee and client information in their possession.

Claudiu Popa, president of Informatica, a Toronto-based information security firm, says in addition to financial penalties and lawsuits for damages, "your name is going to get dragged in the news. Embarrassment is one of the biggest fears of companies today."

In addition to faxes, misdirected voice mails, improperly addressed e-mails and improperly accessed documents all pose a problem when it comes to protecting confidential data. While it's virtually impossible to eliminate the problem, there are steps companies can take to reduce it, security experts say.

The key is developing a solid set of privacy policies and authentication processes coupled with cutting-edge technologies, says John Weigelt, chief security advisor at Microsoft Canada. "They [businesses] have to establish principles to secure their environment." That includes restricting access to information and examining "each layer of defence."

FAX FIXES

When it comes to faxing large volumes of information, Alan Gahtan, an information technology lawyer in Toronto, says "I think there are some policies and procedures a company can enact to reduce this kind of [risk]."

First, he says, "you want to reduce the amount of information."
Don't send social insurance numbers, for example. Instead, deposit a master file with the office you are sending the information to and link to that list through the use of names.

If a business has a large volume of faxes going one place, the most obvious solution is using speed dial. That eliminates user error as long as the number is correctly input the first time and if you check regularly to ensure it has not been changed.

But why even send faxes in an era of digital information? asks Informatica's Mr. Popa. "Faxes are outdated. Faxes are not secure. Most organizations should preserve documents digitally."

If a business has a lot of data flowing to a single place, it could implement a virtual private network, a secure direct pipeline. In the case of computer networks, a scanner can be used to digitize information programmed to be sent to another printer's Internet Protocol address.

By digitizing the information, it can be subject to encryption and the use of digital certificates, which prohibit unauthorized users from accessing or reading a confidential document, he says.

Faxing documents that require a signature can be eliminated with the use of electronic signatures and basic encryption functions such as S/MIME (secure/multipurpose Internet mail extensions), which lets the recipient verify who the information is from and access it only if they have the correct digital certificate on their computer.

VOICE MAIL PROBLEMS

If a caller phones the wrong number and leaves a message, there is little that can be done to retrieve it, Mr. Gahtan says. A policy should be in place preventing staff from leaving confidential information on a voice mail.

Also, voice mail requires a PIN to access messages, which opens doors to hackers. The redial function on some phones recalls the last numbers dialled, including a PIN. Mr. Gahtan says he makes it a practice of calling another number after accessing his voice mail to ensure his number is bounced from the redial list.
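The fax advice above amounts to three controls: send less (the receiving office resolves the rest from a master file it already holds), dial only destinations that have been verified, and refuse to transmit anything that still carries a social insurance number. The following is an added example of those controls as a pre-send gate; it is not code from the article or from CIBC, Informatica or Microsoft Canada. The speed-dial table, the plain-text fax body and the client reference scheme are constructed for the example; the nine-digit, Luhn-checked SIN format is the real one, which is why the check combines a pattern match with the checksum rather than flagging every nine-digit number.

```python
"""Outbound fax gate: data minimisation plus a pre-send SIN check.

Added example. Assumptions: the branch renders a fax as plain text,
sending and receiving offices share a master file keyed by an opaque
client reference, and a SIN is nine digits that pass the Luhn checksum.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Nine digits, optionally grouped 3-3-3 with spaces or hyphens.
SIN_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")

# Constructed speed-dial table: only pre-verified destinations may be dialled.
SPEED_DIAL = {"processing-centre": "+1-800-555-0100"}  # constructed number


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a string of ASCII digits (SINs are Luhn-valid)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sins(text: str) -> list[str]:
    """SIN-looking tokens that also pass Luhn; most phone fragments drop out."""
    return [m.group(0) for m in SIN_RE.finditer(text)
            if luhn_ok("".join(m.groups()))]


@dataclass
class ClientRecord:
    ref: str  # opaque reference both offices hold in their master file
    name: str
    sin: str
    account: str


def minimise(record: ClientRecord) -> dict[str, str]:
    """Send only what the other office cannot look up itself from the reference."""
    return {"ref": record.ref, "name": record.name}


def resolve(master_file: dict[str, ClientRecord], fields: dict[str, str]) -> ClientRecord:
    """Receiving office: recover the full record from its own master file."""
    return master_file[fields["ref"]]


def render_fax(fields: dict[str, str]) -> str:
    return "\n".join(f"{k}: {v}" for k, v in fields.items())


def check_fax(fields: dict[str, str], dial: str) -> str | None:
    """Return a reason to block the transmission, or None if it may go out."""
    if dial not in SPEED_DIAL:
        return f"destination {dial!r} is not a verified speed-dial entry"
    sins = find_sins(render_fax(fields))
    if sins:
        return f"body contains {len(sins)} SIN-like value(s)"
    return None


class TransmissionBlocked(Exception):
    pass


def send_fax(fields: dict[str, str], dial: str) -> str:
    """Gate the fax; returns the text that would be transmitted."""
    reason = check_fax(fields, dial)
    if reason is not None:
        raise TransmissionBlocked(reason)
    return f"TO {SPEED_DIAL[dial]}\n{render_fax(fields)}"


if __name__ == "__main__":
    # Constructed sample record; 046 454 286 is a Luhn-valid test value.
    rec = ClientRecord(ref="C-1042", name="W. Peer", sin="046-454-286", account="00012345")
    print(send_fax(minimise(rec), "processing-centre"))
    print(check_fax({"note": "client SIN 046-454-286"}, "processing-centre"))
```

The gate fails closed: an unlisted number or a SIN in the body stops the job before dialling, which is the point of the speed-dial and "reduce the information" advice. The same `find_sins` check can sit in front of an e-mail gateway or scan-to-print workflow, since the body is plain text in each case.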
ENDING E-MAIL ERRORS

Besides the possibility of typing in the wrong address or name in the directory, users should avoid the user-group function, Mr. Gahtan says, because often the sender is not sure whose names are in the group.

"Secure messaging and rights management becomes important" when e-mails and computer networks are involved, Mr. Weigelt says. Technologies can be deployed to control and monitor access to documents within an organization. When sending documents outside, encryption is the key to ensuring unwelcome eyes don't view them.

Ben Sapiro, an independent IT security consultant in Toronto, says monitoring and controlling access to documents online is critical. Firms need to use server audit tools better to control who is accessing which documents. Proxy servers can inspect traffic going across the network and monitor it. Alerts can be set to advise appropriate managers if someone is trying to access documents that they are not entitled to see.

LOCKING DOWN EXTERNAL RELATIONS

Businesses also need to be aware of the pitfalls in sending confidential data to third parties. Mr. Weigelt suggests putting agreements in place to ensure information is safeguarded.

Mr. Gahtan says: "You want your supplier to agree to conform to some minimum security practices." Those practices should also apply to subcontractors. As well, prohibit information from going offshore, where privacy standards may be lax.

Also, include indemnity provisions so if something bad happens and your business faces a financial penalty or hardship, then the party that caused the problem reimburses you.
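The audit advice in the e-mail section (review who is accessing which documents, and alert a manager when someone reaches for documents they are not entitled to see) as an added example, not code from the article or from any firm it quotes. The log format, the folder entitlement table, the group membership and the denial threshold are all constructed for the example; a real document server or proxy would supply its own log lines and the entitlements would come from the access-control system. It checks two things the article's advice implies: repeated denials by one user, and accesses the server allowed that the entitlement table says should not have been.

```python
"""Document-access audit review: entitlement mismatches and repeated denials.

Added example. Assumptions: one key=value line per access attempt in the
constructed format below; an entitlement table mapping folder prefixes to
the groups allowed to read them; group membership known to the reviewer.
"""
from __future__ import annotations

import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) doc=(?P<doc>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>allowed|denied)$"
)

# Constructed sample log, including one malformed line the parser must skip.
SAMPLE_LOG = """\
2004-12-02T09:01:10 user=alice doc=/clients/ontario/loan-4411.pdf action=read result=allowed
2004-12-02T09:02:44 user=bob doc=/clients/ontario/loan-4411.pdf action=read result=denied
2004-12-02T09:02:51 user=bob doc=/clients/ontario/loan-4412.pdf action=read result=denied
server restarted
2004-12-02T09:03:05 user=bob doc=/clients/ontario/loan-4413.pdf action=read result=denied
2004-12-02T09:10:00 user=carol doc=/hr/payroll-2004-11.xls action=read result=allowed
2004-12-02T09:11:30 user=dave doc=/public/holiday-schedule.txt action=read result=allowed
"""

# Constructed entitlements: folder prefix -> groups allowed to read it.
ENTITLEMENTS = {
    "/clients/": {"lending"},
    "/hr/": {"hr"},
    "/public/": {"staff"},
}
# Constructed group membership.
GROUPS = {
    "alice": {"lending", "staff"},
    "bob": {"staff"},
    "carol": {"staff"},  # not in hr, yet the server allowed the read
    "dave": {"staff"},
}
DENIED_THRESHOLD = 3  # denials per user in the reviewed window before alerting


def parse_log(text: str) -> list[dict[str, str]]:
    """Parse well-formed lines; malformed lines are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def entitled(user: str, doc: str) -> bool:
    """Policy view of access: longest matching folder prefix decides, default deny."""
    best = None
    for prefix in ENTITLEMENTS:
        if doc.startswith(prefix) and (best is None or len(prefix) > len(best)):
            best = prefix
    if best is None:
        return False
    return bool(GROUPS.get(user, set()) & ENTITLEMENTS[best])


def review(events: list[dict[str, str]]) -> list[tuple[str, str, str]]:
    """Return (alert_type, user, detail) tuples for a manager to look at."""
    alerts: list[tuple[str, str, str]] = []
    denied: dict[str, int] = defaultdict(int)
    for e in events:
        # The server said yes but policy says no: a permission or group error.
        if e["result"] == "allowed" and not entitled(e["user"], e["doc"]):
            alerts.append(("ENTITLEMENT_MISMATCH", e["user"], e["doc"]))
        if e["result"] == "denied":
            denied[e["user"]] += 1
    # Repeated denials: someone probing for documents outside their role.
    for user, n in denied.items():
        if n >= DENIED_THRESHOLD:
            alerts.append(("REPEATED_DENIALS", user, str(n)))
    return alerts


if __name__ == "__main__":
    for alert in review(parse_log(SAMPLE_LOG)):
        print(alert)
```

Running it over the constructed log flags carol's allowed read of a payroll file (the server's ACL and the entitlement table disagree, which is the kind of discrepancy an audit review exists to catch) and bob's three denied attempts on client files. The entitlement mismatch is the more important of the two to route to a manager, since it means confidential data was actually read, not merely requested.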
From isn at c4i.org Mon Dec 6 04:27:48 2004 From: isn at c4i.org (InfoSec News) Date: Mon Dec 6 05:21:29 2004 Subject: [ISN] India to work jointly with Russia to tackle cyber crime Message-ID: http://www.hindustantimes.com/news/181_1136746,0003.htm Press Trust of India Bangalore December 4, 2004 India's Cyber Emergency Response Team (CERT) plans to jointly work with Russia to combat cyber crime, including virus and hacker attacks in their computer networks, a top IT department official said on Saturday. "We are trying to see how best our CERT can work with Russian authorities on Information Security and prevent attacks by virus, worms and hackers," Union IT Department Joint Secretary Madhavan Nambiar said in Bangalore. Delivering his address at the Indo-Russian Information and Communication Technologies Cooperation Conference in Bangalore, Nambiar said the cyber security plan was in the early stages, but CERT had already signed a protocol on e-security with Russia. He said the three areas of cooperation in the IT domain were software parks, Information Security and Software services. The Software Technology Parks of India (STPI) was in the process of setting up a software park in Moscow, Nambiar said. Russian IT Minister Leonid D Reiman invited Indian software service firms to leverage the engineering talent in his country to export software to Europe and the United States. "We want to retain talent within Russia and Indian companies can work on projects in our country for customers in third countries like Europe and America," he said. Reiman said the Russian IT industry team, which has joined President Vladimir Putin's delegation, was keen to learn about the success of India in the software sector and replicate it in their country. 
From isn at c4i.org Mon Dec 6 04:26:27 2004 From: isn at c4i.org (InfoSec News) Date: Mon Dec 6 05:21:31 2004 Subject: [ISN] Secrecy News -- 12/03/04 Message-ID: ---------- Forwarded message ---------- Date: Fri, 3 Dec 2004 08:46:03 -0500 From: "Aftergood, Steven" To: secrecy_news@lists.fas.org Subject: Secrecy News -- 12/03/04 SECRECY NEWS from the FAS Project on Government Secrecy Volume 2004, Issue No. 107 December 3, 2004 ** HOMELAND SECRECY ** FLYING BLIND: THE DECLINE OF SCIENCE POLICY ADVICE ** WHITE HOUSE PANEL CRITICIZES CYBERSECURITY OVERCLASSIFICATION ** SCIENCE AND TECHNOLOGY IN THE 108TH CONGRESS (CRS) ** THE CLASSIFIED SILEX URANIUM ENRICHMENT PROJECT ** CIA YIELDS TO SOUTH KOREA IN SPELLING DISPUTE [...] WHITE HOUSE PANEL CRITICIZES CYBERSECURITY OVERCLASSIFICATION Sometimes the act of classifying scientific or technical information can diminish national security instead of enhancing it. Last month, a White House panel concluded that the growing classification of government research on computer security is not serving the nation well because it renders such research inaccessible outside of narrow military and intelligence channels. "Classified cybersecurity R&D is, of course, needed for numerous purposes," observed F. Thomson Leighton, chair of the cybersecurity subcommittee of the President's Information Technology Advisory Committee. "However, classified work tends not to benefit generic cybersecurity products--which are used throughout society (including the military and intelligence communities)," he said at a meeting last month. In the future, he said, the government should "favor unclassified basic research" in cybersecurity. Leighton's speech was first reported in the newsletter Inside the Pentagon on November 25. See "White House Panel Blasts Pentagon's Cybersecurity R&D Policies" by John T. 
Bennett, Inside the Pentagon, reposted with permission and with a link to the underlying presentation here: http://www.fas.org/sgp/news/2004/11/itp112504.html [...] _______________________________________________ Secrecy News is written by Steven Aftergood and published by the Federation of American Scientists. To SUBSCRIBE to Secrecy News, send email to secrecy_news-request@lists.fas.org with "subscribe" in the body of the message. To UNSUBSCRIBE, send a blank email message to secrecy_news-remove@lists.fas.org OR email your request to saftergood@fas.org Secrecy News is archived at: http://www.fas.org/sgp/news/secrecy/index.html Secrecy News has an RSS feed at: http://www.fas.org/sgp/news/secrecy/index.rss _______________________ Steven Aftergood Project on Government Secrecy Federation of American Scientists web: www.fas.org/sgp/index.html email: saftergood@fas.org voice: (202) 454-4691

From isn at c4i.org Mon Dec 6 04:26:10 2004 From: isn at c4i.org (InfoSec News) Date: Mon Dec 6 05:21:32 2004 Subject: [ISN] [infowarrior] - mi2g: Welcome to the FUD Factory Message-ID: Forwarded from: Richard Forno

mi2g: Welcome to the FUD Factory Richard Forno / www.infowarrior.org #2004-12 Copyright (c) 2004 by Author. Permission granted to reproduce with credit. Source URL: http://www.infowarrior.org/articles/2004-12.html - - - - - Everyone's favorite FUD Factory -- "security intelligence" company mi2g -- is at it again. This week, the firm posted a "news alert" sensationally entitled 'The rise of corporate hate sites - lies, damned lies and extortion'. While the topic of "corporate hate sites" is an interesting and even relevant one for today's day and age, it appears that the true goal of this mi2g "news alert" was to attack security pundit Rob Rosenberger's website Vmyths.Com for his analysis and commentary about security-related companies, including mi2g.
(For those unaware, Rob is one of the few pundits who calls things as he sees them, and, while refreshing, that sometimes runs contrary to what companies want the public to know.) It's pathetic, if not somewhat amusing, to see mi2g stooping to such desperate levels that it feels obligated to apply the "hate site" moniker to a website that disagrees with its corporate views....however, for a firm that thrives on the development, packaging, marketing, and sales of hysteria, misdirection, selective analysis, and the continuing propagation of Fear, Uncertainty, and Doubt (FUD), this is simply business-as-usual. At least Rosenberger publicly cites his sources and cross-checks his facts. For example, one glaring omission in this report is that while mi2g claims a growth in the number of "corporate hate sites" on the Internet, its report does not account for the explosive growth of websites of all sorts during that time (including, quite logically, "corporate hate sites") -- meaning that mi2g's scary statistics on this allegedly-new "digital risk" are valid only within the vacuum that they're presented. Caveat reader! You can read the report if you like, but I'll save you some time -- according to mi2g, the real enemy in cyberspace isn't hackers, it's people whose opinions you disagree with. And that's quite evident when reading mi2g's statement: in its 14 paragraphs, there are 6 dedicated to attacking and attempting to discredit Rosenberger and Vmyths while implicitly begging the public for sympathy. Six out of 14. My proprietary BESPOAKE(TM) analysis shows that to be almost half of the entire document -- with that much attention, one would think mi2g wants to portray Rosenberger as the Fourth Horseman of the Internet. As I wrote back in 2002, let's not forget that mi2g started off as an e-business enabler focused on operating portal sites (such as Carlounge.Com and Lawlounge.Com) under the corporate motto "Bringing The Web To The World."
Suddenly, in 1999 with the digital apocalypse of Y2K looming ahead, the firm morphed into an internet security company that "by integrating state-of-the-art software engineering technology with super computing capability is revolutionising the world of eCommerce and for the first time maximising the return from the internet whilst minimising the risk." From cars to cyberterrorism in only a few short years. PT Barnum would be proud. (Perhaps mi2g's new corporate motto should be "Bringing FUD to The World One News Release at a Time.") Is mi2g so insecure with its public perception that it had to concoct and sensationally-hype an ominous-sounding "digital risk" in order to justify its attack on a respected website expressing an opinion and asking legitimate-but-still-unanswered questions about its services? You tell me -- but keep in mind this is the same "security intelligence" company now declaring that the greatest cyber-danger these days isn't hackers, technical vulnerabilities, exploitable software, or human complacency but rather independent thinking and holding companies accountable for their statements and services. My sources tell me that mi2g soon will announce it has reason to believe that Saddam Hussein's missing WMD are stockpiled in Rosenberger's Texas basement because it rained in London today. Damn that Rosenberger - is there anything he can't do? mi2g's statement: http://www.mi2g.com/cgi/mi2g/press/021204.php More info on mi2g and its history: http://www.infowarrior.org/articles/2002-12.html http://vmyths.com/resource.cfm?id=64&page=1 http://www.attrition.org/errata/charlatan.html You are a subscribed member of the infowarrior list. Visit www.infowarrior.org for list information or to unsubscribe. This message may be redistributed freely in its entirety. Any and all copyrights appearing in list messages are maintained by their respective owners. 
From isn at c4i.org Mon Dec 6 04:28:00 2004 From: isn at c4i.org (InfoSec News) Date: Mon Dec 6 05:21:34 2004 Subject: [ISN] Reformed Welsh hacker returns to computer crime Message-ID: http://www.pingwales.co.uk/security/welsh-hacker-returns.html By Robert Andrews 03 December 2004 The Welsh hacker whose escapades sparked panic about a potential World War III has returned to computer crime, planning a Hollywood-style heist to steal a valuable painting. But Mathew Bevan's latest electronic raid won't attract the long arm of the law - it's just an experiment staged for a television show due to be screened in December. Bevan won notoriety 10 years ago when he was arrested on suspicion of breaching and downloading data from US military computer networks in an effort to uncover evidence of a UFO conspiracy. Aged 21, he was charged with conspiracy after allegedly entering the secret Air Force Research Laboratory system in New York using a rudimentary PC in the back bedroom of his parents' Ely, Cardiff, bungalow. A British court later acquitted him after prosecutors abandoned their case and Bevan, whose hacker alias was "Kuji", renounced hacking to become a respected computer security consultant. He has now been enlisted to join a crack team of five reformed criminal masterminds set the challenge of using their underworld expertise to pull off high-profile thefts for The Heist, a three-part Channel 4 series starting Tuesday, December 7, at 9pm. In the show, the Welshman teams up with arch villains like armed robber Terry Smith, who once escaped from his jail term, and Joey Pyle, a former gangster and friend of the Krays. "Basically, a group of experts is brought together and set a task of performing a robbery under strict conditions, as real-life as possible," said Bevan, now 31, who studied computing at the University of Wales Institute, Cardiff, and is originally from the Llandaf area of the city. 
"Each episode covers a different robbery or task and, in each, I am the technology guru or hacker, monitoring and advising each step of the way. "No real criminals who intend to pull off these kinds of heists would actually employ hacker skills to get the job done. The only hacker skills used are my brains. "It's very similar to performing penetration exercises, only the top brass know what's going on, so essentially it is a real-life test of the organisation. There's nothing like a bit of James Bond!" But Bevan, who will appear on Richard & Judy ahead of the first episode, sets his own brush with the law apart from those of the ex-con colleagues on his team. "I never threatened or hurt anyone with my actions," he said. "Everything I did was on a computer screen from my bedroom; some of the other guys were a little more forceful with their actions. It becomes clear that I have a completely different way of looking at things than the others. "Victims" in each of the three shows approved the simulated attacks, welcoming the test of their own security. In the first episode, the team is given four days to steal a painting, The View From The Bandstand by UK artist Andrew Gifford, whilst on display during the London Art Fair at the Business Design Centre. Bevan is on board to scope out weaknesses in the electronic systems of a building regarded as impregnable. In subsequent shows, he uses his keyboard skills to attempt to smuggle a £1m car overseas and to kidnap a prize racehorse. "He's the only one of the ex-criminals in the series who hasn't been convicted," said a Channel 4 spokesperson. In his March 1994 hack - which has become part of internet folklore - Bevan, who is from the Ely area of the capital and has explained he turned to hacking at school to escape bullying, was also said to have mounted attacks on Nasa, Nato and Pentagon computers.
Pursued by both Scotland Yard and the FBI, the case produced a hailstorm of hype from news media revelling in computer crime stories - normally the attention hackers crave, until they find themselves in the dock. Though reports claimed the Pentagon regarded Bevan as the number one threat to US security, many of the headlines focused on accomplice Richard Pryce's transfer of a database from a Korean nuclear laboratory computer to the New York machine, which sparked fears of an atomic spat between America and North Korea until it was discovered the lab had, in fact, been in South Korea. Pryce pleaded guilty and was fined £1,200. Following his acquittal at Woolwich Crown Court in November 1997, Bevan reformed and became a so-called "white hat" - a talented hacker who turns his skills to benevolent or commercial use like auditing security systems for a price. Operating under the name Kujimedia, he has since worked as a consultant for the likes of Nintendo and now lives in Wiltshire, from where he advises leading brands on design, viral marketing and online strategies.

From isn at c4i.org Mon Dec 6 04:27:22 2004 From: isn at c4i.org (InfoSec News) Date: Mon Dec 6 05:21:36 2004 Subject: [ISN] Q&A: ISS exec on security threat prevention Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,98047,00.html By Jaikumar Vijayan DECEMBER 03, 2004 COMPUTERWORLD Security architectures that are designed solely to react to threats instead of preventing them in the first place are doomed to fail in a world of fast-evolving and self-propagating threats, says Tom Noonan, CEO of Atlanta-based Internet Security Systems Inc. What do you see as some of the big trends in the security market? This whole notion of reaction in terms of how our systems have been built is running out of steam. Preemption is going to be a very, very fundamental theme in the direction which security is taking.
The concept of preemption basically addresses the question of why not avoid a threat or detect it and prevent it rather than react to it. If you look at the traditional security model, all of our technologies have been built as an ad hoc response to a new threat. Fifteen years ago, the only threat was floppy-transported viruses, so the solution was PC-based antivirus. When the threat became unauthorized access, we built firewalls; when it was spam, we built antispam; when it became spyware, we built antispyware tools; and when it is malicious content, we built content security tools. This entire industry has been built in an ad hoc, reactive manner. The technologies that lie underneath are all signature-based, and you cannot have a signature until you have an active threat. That was fine in a disconnected world. When you mention "signature-based technologies," are you referring specifically to antivirus tools? I'm talking about a signature that uniquely identifies a threat by name. Most intrusion-detection systems, most antivirus products, spam, spyware and content-security systems effectively work this way. So how does being preemptive help? Today, time and again, you see the devastating and pervasive impact of highly effective, self-propagating viruses and worms because the vast majority of businesses are dependent on multiple layers of reactive technology. Businesses are suffering daily from this reactive model. They have added every layer of protection they can, and they are still being compromised. The highly effective, self-propagating nature of Internet threats today forces companies into a reactive posture, and that is inefficient. The threat has scaled the control systems that are in place. When you talk about being more proactive, it's not only technology we are talking about, right? We are talking about technology and also about architecture. We are already seeing a pretty dramatic shift in security architectures on the Net. 
We are talking about management, which is very, very different in a preemptive world. We are talking about a dramatically different economic model in terms of the cost structure and clearly we are talking about different processes internally. What shift are you seeing in security architectures? A move away from point products toward platforms. The disaggregated, multiple layers are going away because the responsibility for making all that stuff work together has been thrust upon the unknowing IT department. The reality is that a whole bunch of acquired products marketed under the same brand, or the same bunch of products marketed under different brands, have never been built as a system or as a platform for security -- only as independent point capabilities to detect a threat. You also mentioned a shift in security economics. Since 2001, security budgets have been increasing on an average of 15% to 20% a year. That is totally unsustainable. No aspect of your cost structure can possibly sustain that kind of growth rate in a competitive global economic environment. CEOs and CFOs are forcing CIOs to be more efficient, not just with capital purchases but with the cost of labor itself. The economic shift in moving toward a platform is pretty significant. Platforms are built to be enterprisewide, meaning they are built and integrated to operate as one system from a vendor. What kind of products or services are you delivering to help your customers address these trends? If you look at our company, most people recognize us as the inventor of intrusion-detection systems and vulnerability-detection systems. From the start, the vision of this company was to build what we call the universal protection agent. We believed that threats would evolve, as would vulnerabilities, and they would continually change. Building any system that was threat-specific was fundamentally wrong to the long-term scale model.
So this whole concept of preemption really began years ago with our vision of building a highly scalable enterprise system that could detect, analyze and prevent any kind of threats against vulnerable pieces of the infrastructure. Instead of focusing primarily on the threat, we are focusing on the vulnerabilities. Because we understand that vulnerability, we can protect against it. From isn at c4i.org Mon Dec 6 04:27:37 2004 From: isn at c4i.org (InfoSec News) Date: Mon Dec 6 05:21:38 2004 Subject: [ISN] The Hidden Risks of Demo Discs Message-ID: http://www.eweek.com/article2/0,1759,1735655,00.asp By Libe Goad December 3, 2004 In mid-November, members of Sony's PlayStation Underground received the Holiday Demo Disk and discovered that after executing one of the game demos on the disc, their PS2 memory cards were completely erased. While that doesn't mean much to nongamers, anyone who has spent 40-plus hours building a character in a role-playing game or playing through a season of football - well, it's a huge boot in the trousers. The disc, sent via mail to PlayStation Underground members, was also set to be polybagged with several gaming magazines. The glitch was caught in time, so the bug didn't reach as many consumers as it might have. Ryan Bowling, public relations manager for Sony Computer Entertainment America, said Sony responded to the situation by sending out warning e-mails to PlayStation Underground subscribers telling them to remove their memory cards before playing the demo. "It is unfortunate that it happened," Bowling said, "and we're going to make sure it doesn't happen again." But what does this mean for the rest of us? There's more to the story than a handful of gamers losing their saved game files. The implications of such a glitch can be huge, especially as consumers start to set up networked computing systems in the home with routers, networks, servers, etc. Minus cubicles and a water cooler, it's the equivalent of a small enterprise network. 
Rick Fleming, chief technology officer at Digital Defense Inc, said that although most consumers don't realize it, game consoles are also like computers that run off of their own proprietary operating system. As a result, a bug in a demo CD, CD-ROM or DVD-ROM could affect the rest of a home network and has the potential to spread to an enterprise network through a VPN connection or other portable storage devices. "PlayStation and Xbox are being networked with home computers so I can easily see how something like that would spread across a network," Fleming said. "Every time you connect to something else, there's another opportunity for something to go wrong."

Trouble Inside the Firewall

The idea that a removable disk can affect an entire networked system seems almost quaint, reserved for corporate spoofs such as "Office Space" where the protagonists use a program on a 3.5 floppy disk to steal money from the company. Now, the companies and consumers focus on outside threats, with the illusion that they're sitting pretty behind Internet firewalls and anti-virus programs. "It's like they'll leave the windows and sliding glass doors open," Fleming said. "Not the front door, though. It's vaulted shut." While there are few recent instances of companies sending out software with embedded viruses, it still happens on occasion. In 2002, Microsoft sent out a .Net developer disk infected with the Nimda virus, though Microsoft says it didn't actually spread to any machines. In the entertainment sector, AOL Time-Warner released a "Powerpuff Girls" DVD in 2001 that contained the peevish "FunLove" virus, which spread to users who played the disc on PC. In an earlier echo of the PlayStation Underground incident, MacAddict Magazine sent out a demo with a version of the Auto-Start virus. In most of these cases, the problems were easily fixed, but it is still a signifier that seemingly innocent CDs sent out by reputable companies can contain malicious content.
With the CD drives in virtually every machine, it's more common than ever for people to share information via optical media, Fleming said. Most people don't give a second thought to putting something like that in their machine. So, are these little glitches as banal as reports make them out to be? Maybe -- though more conspiratorial analysts say these harmless bugs could turn into an entirely new threat that the security community is not ready to handle. "Most of the time when we see threats show up, it's a concept for how a Trojan or virus can be introduced," Fleming said. "When it's introduced, it's mostly very benign -- erasing the flash memory on a PlayStation is not going to affect me personally -- but what does concern me is that we have a whole new threat vector. People are going to take the concept and think, 'What's the next thing I can do?'"

An Ounce of Prevention

Not every security expert takes the same point of view, but they all agree that any networked user needs to take the same precautions, whether they're on a home or business network. John Pescatore, vice president of Internet Security at Gartner Inc., said home network security has a long way to go, since most major companies involved in home computing don't focus on that kind of security environment. "There's a funny thing going on," he said. "For many years, Microsoft built Windows with home users in mind, but in 2001-2002, they got religion and started doing more for enterprise security. They forgot about the home user who doesn't have an IT staff to take care of their problems." Pescatore also said there's been discussion in the industry about how to integrate security into consumer electronics. The problem is that companies still say anything harder to use slows down consumer adoption -- so no one is willing to make security a priority in a consumer environment. "There's not a lot of incentive to say, 'My product is harder to use,'" Pescatore said.
AOL has recently taken one of the first steps into helping consumers with security by offering McAfee VirusScan Online services for free. Businesses also can take a few notes from a home network invasion. Much like home users, Fleming said businesses keep a closer watch on outside threats and don't do enough to make sure that nothing is coming from within the company. "Computer institutions and the FBI have surveys that show around 60 percent of all security instances occur internally," Fleming said. "This is where a lot of companies don't get it. They do all of the testing on outside resources and don't monitor internally." Fleming strongly recommended that businesses create a strong security policy that's enforced through monitoring and training. People need to be aware of bringing in software and other devices from home. That includes things such as music CDs, which often store data other than the actual music tracks. "There has to be mandated vigilance in the enterprises," Fleming said. "It's got to be pounded into their heads to be careful."

From isn at c4i.org Mon Dec 6 04:27:04 2004 From: isn at c4i.org (InfoSec News) Date: Mon Dec 6 05:21:39 2004 Subject: [ISN] Linux Advisory Watch - December 3rd 2004 Message-ID:

+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter                                 |
| December 3rd, 2004                          Volume 5, Number 48a    |
+---------------------------------------------------------------------+

Editors: Dave Wreski (dave@linuxsecurity.com), Benjamin D. Thomas (ben@linuxsecurity.com)

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.
This week advisories were released for java, abiworld, cyrus, squirrelmail, libgd1, openssl, hpsockd, policycoreutils, prelink, libselinux, udev, tcpdump, samba, gaim, FreeBSD kernel, phpMyAdmin, libxpm4, kde, amavisd, open motif, linux kernel, and cyrus-imapd. The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, Trustix, Red Hat, and SuSE. ----- Open Letter to Linux Security Community Welcome to the new LinuxSecurity.com! I must admit, I am really proud of what we have been able to accomplish over the years. LinuxSecurity.com has grown from a small idea that a couple of security geeks had in 1999, to a major and well respected Linux resource. With an all new look & feel, organizational changes, security events, and additions to our staff, we hope to better serve the Linux and open source community. Although there are many aesthetic improvements, a major part of our development has focused on creating a content structure and backend system that is easy to update. Since the beginning, we have been able to maintain one of the largest, if not the largest and most comprehensive Linux advisory archive on the Internet. Through the years, we have scoured the net for thousands of hours to bring fresh and relevant articles, papers, and resources to you. It wasn't easy in the beginning. We had to create the site from scratch and build a community-wide reputation. The site was started in 1999, the middle of the dot-com boom. Dave Wreski, a Linux security expert and the original founder of LinuxSecurity.com had great foresight. He envisioned the widespread use of Linux as well as many other open source tools. Rather than companies spending thousands of dollars on proprietary tools, he saw a world where open source would be respected and adopted because of its flexibility and greater security through open standards and full disclosure... 
Read Full Text: http://www.linuxsecurity.com/content/view/117288/49/

-----

Mass deploying Osiris

Osiris is a centralized file-integrity program that uses a client/server architecture to check for changes on a system. A central server maintains the file-integrity database and configuration for a client and at a specified time, sends the configuration file over to the client, runs a scan and sends the results back to the server to compare any changes. Those changes are then sent via email, if configured, to a system admin or group of people. The communication is all done over an encrypted communication channel.
http://www.linuxsecurity.com/content/view/101883/49/

---------------------------------------------------------------------

AIDE and CHKROOTKIT

Network security is continuing to be a big problem for companies and home users. The problem can be resolved with an accurate security analysis. In this article I show how to approach security using aide and chkrootkit.
http://www.linuxsecurity.com/content/view/101882/49/

------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
| Distribution: Conectiva         | ----------------------------//
+---------------------------------+

* Conectiva: java plugin vulnerability
26th, November, 2004
Jouko Pynnonen reported[2], through iDEFENSE, a vulnerability[3] in the plugin mechanism which allows remote attackers to bypass the Java sandbox through the use of javascript.
http://www.linuxsecurity.com/content/view/106930

* Conectiva: abiword buffer overflow vulnerability fix
1st, December, 2004
iDefense[3] discovered[4] a buffer overflow vulnerability[5] in the wv library which could allow an attacker to execute arbitrary code with the privileges of the user running the vulnerable application.
http://www.linuxsecurity.com/content/view/117319

* Conectiva: cyrus-imapd Multiple vulnerabilities
1st, December, 2004
Stefan Esser from e-matters security recently published[2] several vulnerabilities in cyrus-imapd.
http://www.linuxsecurity.com/content/view/117320

* Conectiva: squirrelmail cross site scripting vulnerability fix
2nd, December, 2004
Joost Pol noticed[2] that SquirrelMail is prone to a cross site scripting issue in the decoding of encoded text in certain headers. SquirrelMail correctly decodes the specially crafted header, but doesn't sanitize the result.
http://www.linuxsecurity.com/content/view/117321

+---------------------------------+
| Distribution: Debian            | ----------------------------//
+---------------------------------+

* Debian: libgd1 arbitrary code execution fix
29th, November, 2004
More potential integer overflows have been found in the GD graphics library which weren't covered by our security advisory DSA 589. They could be exploited by a specially crafted graphic and could lead to the execution of arbitrary code on the victim's machine.
http://www.linuxsecurity.com/content/view/106931

* Debian: libgd2 arbitrary code execution fix
29th, November, 2004
More potential integer overflows have been found in the GD graphics library which weren't covered by our security advisory DSA 589. They could be exploited by a specially crafted graphic and could lead to the execution of arbitrary code on the victim's machine.
http://www.linuxsecurity.com/content/view/106932

* Debian: openssl insecure temporary file creation fix
1st, December, 2004
Trustix developers discovered insecure temporary file creation in a supplemental script (der_chop) of the openssl package which may allow local users to overwrite files via a symlink attack.
http://www.linuxsecurity.com/content/view/117312

* Debian: hpsockd denial of service fix
3rd, December, 2004
"infamous41md" discovered a buffer overflow condition in hpsockd, the socks server written at Hewlett-Packard.
An exploit could cause the program to crash or may have a worse effect.

http://www.linuxsecurity.com/content/view/117313

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora: policycoreutils-1.18.1-2 update Resend with correct id
  30th, November, 2004

FixFiles.cron is not needed for targeted policy and needs to be reworked for strict policy. Removing it prevents possible relabeling problems.

http://www.linuxsecurity.com/content/view/106953

* Fedora: policycoreutils-1.18.1-2 update
  30th, November, 2004

FixFiles.cron is not needed for targeted policy and needs to be reworked for strict policy. Removing it prevents possible relabeling problems.

http://www.linuxsecurity.com/content/view/106952

* Fedora: prelink-0.3.3-0.fc3 update
  30th, November, 2004

If layout code needs to re-prelink some library, make sure all libraries that depend on it are re-prelinked too (#140081).

http://www.linuxsecurity.com/content/view/106950

* Fedora: libselinux-1.19.1-8 update
  30th, November, 2004

Change location of helper applications and remove some debug applications that should not have been part of the distribution.

http://www.linuxsecurity.com/content/view/106951

* Fedora: udev-039-10.FC3.2 update
  30th, November, 2004

Forgot to turn off debug logging. This release speeds up udev.
http://www.linuxsecurity.com/content/view/106948

* Fedora: tcpdump-3.8.2-6.FC2.1 update
  30th, November, 2004

Fixed NFS protocol parsing for 64-bit architectures (bug 132781).

http://www.linuxsecurity.com/content/view/106949

* Fedora: abiword-2.0.12-7.fc3 update
  30th, November, 2004

Fixes for tempnam usages and startup geometry crashes.

http://www.linuxsecurity.com/content/view/106947

* Fedora: system-config-securitylevel-1.4.18-2 update
  29th, November, 2004

This fixes tracebacks introduced by the libselinux update (#139155).

http://www.linuxsecurity.com/content/view/106944

* Fedora: samba-3.0.9-1.fc2 update
  29th, November, 2004

This update closes two security holes: CAN-2004-0882 and CAN-2004-0930.

http://www.linuxsecurity.com/content/view/106941

* Fedora: samba-3.0.9-1.fc3 update
  29th, November, 2004

This update closes two security holes: CAN-2004-0882 and CAN-2004-0930.

http://www.linuxsecurity.com/content/view/106942

* Fedora: gaim-1.0.2-0.FC2 update
  29th, November, 2004

FC2 Update

http://www.linuxsecurity.com/content/view/106943

* Fedora: squirrelmail-1.4.3a-6.FC2 update
  28th, November, 2004

CAN-2004-1036 Cross Site Scripting in encoded text

http://www.linuxsecurity.com/content/view/106934

* Fedora: squirrelmail-1.4.3a-6.FC3 update
  28th, November, 2004

CAN-2004-1036 Cross Site Scripting in encoded text

http://www.linuxsecurity.com/content/view/106935

* Fedora: spamassassin-3.0.1-0.FC3 update
  28th, November, 2004

Several important bug fixes in upstream release.
http://www.linuxsecurity.com/content/view/106936

* Fedora: system-config-date-1.7.13-0.fc3.1 update
  29th, November, 2004

Enable Gujarati and Tamil translations (#140881).

http://www.linuxsecurity.com/content/view/106937

+---------------------------------+
|  Distribution: FreeBSD          | ----------------------------//
+---------------------------------+

* FreeBSD: Kernel memory disclosure in procfs and linprocfs
  2nd, December, 2004

The implementation of the /proc/curproc/cmdline pseudofile in the procfs(5) file system on FreeBSD 4.x and 5.x, and of the /proc/self/cmdline pseudofile in the linprocfs(5) file system on FreeBSD 5.x, reads a process' argument vector from the process address space. During this operation, a pointer was dereferenced directly without the necessary validation steps being performed.

http://www.linuxsecurity.com/content/view/117318

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: Sun and Blackdown Java Applet privilege escalation
  29th, November, 2004

The Java plug-in security in Sun and Blackdown Java environments can be bypassed to access arbitrary packages, allowing untrusted Java applets to perform unrestricted actions on the host system.

http://www.linuxsecurity.com/content/view/106945

* Gentoo: Open DC Hub Remote code execution
  28th, November, 2004

Open DC Hub contains a buffer overflow that can be exploited to allow remote code execution.

http://www.linuxsecurity.com/content/view/106940

* Gentoo: phpWebSite HTTP response splitting vulnerability
  26th, November, 2004

phpWebSite is vulnerable to possible HTTP response splitting attacks.

http://www.linuxsecurity.com/content/view/106929

* Gentoo: phpMyAdmin Multiple XSS vulnerabilities
  27th, November, 2004

phpMyAdmin is vulnerable to cross-site scripting attacks.
http://www.linuxsecurity.com/content/view/106939

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

* Mandrake: libxpm4 correct issues with previous update
  30th, November, 2004

The previous libxpm4 update had a linking error that resulted in a missing s_popen symbol error when running applications dependent on the library. In addition, the file path checking in the security updates prevented some applications, like gimp-2.0, from being able to save xpm format images.

http://www.linuxsecurity.com/content/view/106946

* Mandrake: kdepim various bugs fix
  27th, November, 2004

A number of bugs in kdepim are fixed with this update.

http://www.linuxsecurity.com/content/view/106938

* Mandrake: kdelibs various bugs fix
  26th, November, 2004

A number of bugs in kdelibs are fixed with this update.

http://www.linuxsecurity.com/content/view/106925

* Mandrake: kdebase various bugs fixes
  26th, November, 2004

A number of bugs in kdebase are fixed with this update.

http://www.linuxsecurity.com/content/view/106924

+---------------------------------+
|  Distribution: Trustix          | ----------------------------//
+---------------------------------+

* Trustix: amavisd-new, anaconda, courier-imap, cyrus-imapd, cyrus-sasl, file, kernel, mkbootdisk, mys
  29th, November, 2004

Fix amavis user creation on install. Support kickstart files on FTP. Hyperthreading detection.

http://www.linuxsecurity.com/content/view/106933

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* Red Hat: openmotif image vulnerability fix
  2nd, December, 2004

Updated openmotif packages that fix flaws in the Xpm image library are now available.

http://www.linuxsecurity.com/content/view/117314

* Red Hat: kernel security vulnerabilities fix
  2nd, December, 2004

Updated kernel packages that fix several security issues in Red Hat Enterprise Linux 3 are now available.
http://www.linuxsecurity.com/content/view/117315

* SuSE: various kernel problems
  1st, December, 2004

Several security problems have been found and addressed by the SUSE Security Team. The following issues are present in all SUSE Linux based products.

http://www.linuxsecurity.com/content/view/117316

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

* SuSE: cyrus-imapd remote command execution
  3rd, December, 2004

Stefan Esser reported various bugs within the Cyrus IMAP Server. These include buffer overflows and out-of-bounds memory access which could allow remote attackers to execute arbitrary commands as root. The bugs occur in the pre-authentication phase, therefore an update is strongly recommended.

http://www.linuxsecurity.com/content/view/117317

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue Dec 7 03:24:41 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Dec 7 03:37:02 2004
Subject: [ISN] Linux Security Week - December 6th 2004
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                             Weekly Newsletter    |
|  December 6th, 2004                            Volume 5, Number 48n |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin D. Thomas      ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.
This week, perhaps the most interesting articles include "Anti-Hacker Tool Kit 2/e", "A Secure Network Needs Informed Workers", "Network Forensic Tools", and "Transcript of the LinuxSecurity.com Launch Chat".

---

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set up comprehensive addressbooks to consistently keep employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

---

LINUX ADVISORY WATCH

This week advisories were released for java, abiworld, cyrus, squirrelmail, libgd1, openssl, hpsockd, policycoreutils, prelink, libselinux, udev, tcpdump, samba, gaim, FreeBSD kernel, phpMyAdmin, libxpm4, kde, amavisd, open motif, linux kernel, and cyrus-imapd. The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, Trustix, Red Hat, and SuSE.

http://www.linuxsecurity.com/content/view/117327/150/

-----

Open Letter to the Linux Security Community

With an all new look & feel, organizational changes, security events, and additions to our staff, we hope to better serve the Linux and open source community. Although there are many aesthetic improvements, a major part of our development has focused on creating a content structure and backend system that is easy to update.

http://www.linuxsecurity.com/content/view/117288/49/

-----

Mass deploying Osiris

Osiris is a centralized file-integrity program that uses a client/server architecture to check for changes on a system. A central server maintains the file-integrity database and configuration for a client and, at a specified time, sends the configuration file over to the client, runs a scan and sends the results back to the server to compare any changes. Those changes are then sent via email, if configured, to a system admin or group of people. The communication is all done over an encrypted communication channel.
http://www.linuxsecurity.com/content/view/101884/49/

-----

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* Anti-Hacker Tool Kit 2/e
  2nd, December, 2004

In everyday life people do all sorts of things with all sorts of tools. But do they get it right? Every tool has to be used in a certain manner, and if one doesn't know how to use it, the result can be damage. It's the same with computer and network security tools. Before you can select the right tools for the job, you have to know what tools are available and learn how to use them.

http://www.linuxsecurity.com/content/view/117307

* Unprotected PCs can be hijacked in minutes
  30th, November, 2004

Simply connecting to the Internet -- and doing nothing else -- exposes your PC to non-stop, automated break-in attempts by intruders looking to take control of your machine surreptitiously.

http://www.linuxsecurity.com/content/view/116796

* Network Forensic Tools
  3rd, December, 2004

Stage 1: Network-capable initial analysis products for first responders, such as Guidance's EnCase Enterprise Edition and Technology Pathway's ProDiscover. These two products can acquire drive images remotely in a live environment, and their use eliminates the need for the Stage 2 tools.

http://www.linuxsecurity.com/content/view/117361

* Hacking tool reportedly draws FBI subpoenas
  1st, December, 2004

The author of the popular freeware hacking tool Nmap warned users this week that FBI agents are increasingly seeking access to information from the server logs of his download site, insecure.org.
http://www.linuxsecurity.com/content/view/117282

+------------------------+
| Network Security News: |
+------------------------+

* AirTight Networks announced first Wi-Fi Firewall
  1st, December, 2004

AirTight Networks, formerly Wibhu Technologies, announced on Tuesday the availability of SpectraGuard 2.0, the first Wi-Fi firewall to protect enterprise networks from wireless security threats.

http://www.linuxsecurity.com/content/view/117287

* Bad, Bad Bots
  1st, December, 2004

Automated attacks are coming from unexpected quarters--from across the globe, across town, and most creepily, even from across the hall. According to a recent report from anti-virus vendor Symantec, this year's 450 percent increase in the number of attacks on Windows machines is evidence that automation is proving as efficient for 21st-Century hackers as it did for 20th-Century manufacturers.

http://www.linuxsecurity.com/content/view/117295

* Linux Netwosix 1.2 Jinko is released
  28th, November, 2004

I'm ready to announce that Linux Netwosix 1.2 is ready. I have completely rebuilt, upgraded and secured the system. Please, read the Announcement Release. It is based on the powerful and reliable Kernel 2.6.9 and has been created for the requirements of every SysAdmin. Nepote contains the updated packages. You can download Netwosix from our Download Center or from one of our mirrors. Thank you!

http://www.linuxsecurity.com/content/view/116794

+------------------------+
| General Security News: |
+------------------------+

* User knowledge key to good security
  1st, December, 2004

Given the continual drive to secure today's enterprises, and in light of National Computer Security Day celebrated this week, Security Pipeline tapped Kathleen M. Coe, Symantec Corp.'s regional education director of education services, for insight on how to foster better user security behavior, as well as how to seed the strong corporate security culture companies require today.
http://www.linuxsecurity.com/content/view/117296

* Panelists: A Secure Network Needs Informed Workers
  1st, December, 2004

Analysts, law enforcement agents and corporate IT managers focused on surprisingly nontechnical security solutions Tuesday as they discussed the latest risks to corporate networks as part of Ziff Davis Media's online "virtual" tradeshow on security.

http://www.linuxsecurity.com/content/view/117286

* Why you should take information security seriously
  1st, December, 2004

All of us rely on information every day in just about every aspect of our life. As information is so important, we tend to rank it by its reliability. There are some people whose opinion we trust implicitly on certain matters. We accept as a matter of course that information is only valuable if it is accurate. The most valuable sources of information are those that are seen to be inherently reliable and easy to access.

http://www.linuxsecurity.com/content/view/117297

* Federated ID facilitates Web services
  1st, December, 2004

Companies looking to make Web services available to business partners and their respective user bases must first figure out how to federate identity. Federated identity management refers to managing access so that only those who have a right to use specific services may do so.

http://www.linuxsecurity.com/content/view/117294

* Community Spam Fighting Effort Faces Heat
  2nd, December, 2004

Lycos Europe is offering a "screensaver that spams the spammers," using idle computer time to attack sites that have been blacklisted for abusive spamming practices. Monitoring of three of the targets housed on Chinese servers shows that two of the sites, bokwhdok.com and printmediaprofits.biz, have been knocked offline by the attack. A third target, rxmedherbals.info, has remained largely available, with intermittent outages.
http://www.linuxsecurity.com/content/view/117308

* Transcript of Launch Chat
  2nd, December, 2004

To celebrate the launch of the new LinuxSecurity.com, we hosted a community chat event. It was held yesterday (December 1st 2004) at 4:00pm, and featured several prominent visionaries from the open source community including Jay Beale, Brian Hatch, Paul Vixie, Lance Spitzner, and Dave Wreski. The topics discussed ranged from authentication, patch management, honeypots, virtues of open source, SELinux, as well as others. We are planning another event to be held in January; please send us your ideas. (contribute@linuxsecurity.com)

http://www.linuxsecurity.com/content/view/117310

* Follow-up: Lycos pulls anti-spam screensaver from site
  3rd, December, 2004

Lycos Europe appeared to have pulled a controversial anti-spam screensaver program from its site on Friday, after coming under fire from both security experts and the spammers themselves.

http://www.linuxsecurity.com/content/view/117323

* FBI's Cyber-Crime Chief Relates Struggle for Top Talent
  1st, December, 2004

The FBI's inability to recruit and keep the best available IT talent has proven to be one of the biggest challenges facing the government's Internet Crime Complaint Center (I3C), a senior official said Tuesday.

http://www.linuxsecurity.com/content/view/117285

* Linux in Government: The Government Open Code Collaborative
  3rd, December, 2004

As we celebrate the holiday season and prepare for the next round of legislation, a group of state and local governments has banded together to collect and distribute freely the costly software that normally runs taxpayers $100 billion annually. Called the Government Open Code Collaborative or GOCC.gov, this organization states that its members work together voluntarily to encourage "the sharing, at no cost, of computer code developed for and by government entities where the redistribution of this code is allowed".
http://www.linuxsecurity.com/content/view/117322

* Is Cyberterrorism Being Thwarted?
  3rd, December, 2004

Recently, there's been increased criticism of the federal government's efforts to secure the Internet. The September departure of Amit Yoran from the Department of Homeland Security was widely cited as indicative of problems that run deep, not just through DHS, but the entire government. While everyone agrees there's much work to do, it's important to recognize the accomplishments of the past few years.

http://www.linuxsecurity.com/content/view/117324

* Mobile & Wireless: Security was the Watchword in 2004
  1st, December, 2004

It's no surprise that the issue that topped the Wi-Fi agenda in 2004 was the same one that's plagued it almost from its introduction. Security, or rather "lack thereof," was an inherent problem in WEP (Wired Equivalent Privacy), the native security spec in the 802.11 IEEE standard.

http://www.linuxsecurity.com/content/view/117283

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue Dec 7 03:25:03 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Dec 7 03:37:04 2004
Subject: [ISN] Gartner: Consumers dissatisfied with online security
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,98083,00.html

By Paul Roberts
DECEMBER 06, 2004
IDG NEWS SERVICE

A survey conducted by Gartner Inc. shows that online consumers are growing frustrated with the lack of security provided by banks and online retailers and feel that passwords are no longer sufficient to secure their online transactions.

The findings are the latest conclusions drawn from a survey of 5,000 adult Internet users.
The survey, which concluded in April, showed that online shoppers want retailers to offer more than just passwords to protect their accounts, and indicates that concerns about a lack of security may be hampering the growth of online commerce, according to Gartner analyst Avivah Litan.

Almost 60% of the respondents said they're concerned or very concerned about online security. Even more important for online retailers: Over 80% of those surveyed said they would buy more from an online vendor who offered them more than just a username and password to protect their accounts, she said.

"The data shows that consumers want more than passwords," said Litan.

However, there are limits to how far consumers will go to secure their online activities. When asked to choose among technologies to supplement password protections, respondents gave high ratings to low-tech options such as challenge and response features, which ask shoppers to provide responses to tailored questions, or shared secret technology that displays shopper-selected images on Web pages to prove the authenticity of e-commerce Web sites.

More complicated solutions like security software downloads or so-called multifactor authentication that couples smart cards or USB tokens with usernames and passwords were less popular, said Litan.

The most popular choice for fixing the security of online shopping and banking sites is for providers to be made legally responsible for strict security measures, she said. Also, those surveyed indicated that they want the choice of using stronger authentication but do not want to be forced to use it.

"Our data shows that consumers think the system is easy to use, but they want something that gives them added protection," she said.

Banks and online retailers in the U.S. have lagged behind their counterparts in the European Union and Asia when it comes to using strong authentication to secure online transactions, including smart-card technology and one-time passwords, said Litan.
Gartner predicts that by the end of 2007, more than 60% of banks in the U.S., but fewer than 20% of banks worldwide, will rely on simple passwords to authenticate retail customers.

But that may change, especially as retailers and banks contend with a wave of sophisticated online scams known as phishing attacks, in which people are lured to phony Web sites where they're tricked into divulging personal information such as bank and credit card account numbers, Litan said.

Recently, U.S. Bancorp said that it will use a hardware-token-based authentication service from VeriSign Inc. to secure access to commercial banking services for its customers and may soon introduce a similar service for consumer banking customers.

"We're getting more calls from banks and other providers that are looking to protect their customers and give them added security," said Litan. "They're worried that consumers are losing confidence in the online channel."

Gartner will publish a research note on consumer authentication options in the near future, according to Litan.

From isn at c4i.org Tue Dec 7 03:25:23 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Dec 7 03:37:06 2004
Subject: [ISN] Committee pushes for cybersecurity post
Message-ID:

Forwarded from: William Knowles

http://www.fcw.com/fcw/articles/2004/1206/web-dhs-12-06-04.asp

By Dibya Sarkar
Dec. 6, 2004

Members of the House Select Homeland Security Committee have recommended establishing a new assistant secretary position within the Homeland Security Department to better integrate and coordinate cybersecurity issues.

The recommendation is one of six suggestions listed in a new 41-page, bipartisan report [1] that was released today by the committee's cybersecurity subcommittee. The report stated that although DHS officials have created the National Cyber Security Division and several other coordination entities, "now is the time to build toward more robust capabilities."
It also stated that DHS officials need to exert more effort to work with the private sector and across critical infrastructure sectors, in addition to state and local governments.

Specifically, the report said officials should:

* Create an assistant secretary position within DHS' Information Analysis and Infrastructure Protection Directorate to improve integration within the department and coordination of best practices, risk assessments and warnings across government and the private sector.

* Develop a comprehensive and detailed program about current and future plans, implementation guidance and staff recruitment, retention and assignment goals. They should also provide budget information that would be linked to the national strategy.

* Update the outreach, coordination and information sharing plan with the private sector, considering different needs of groups and innovative mechanisms for information sharing.

* Improve performance on cybersecurity risk assessments and remediation activities that would include a plan for Internet-related recovery. They should also improve coordination with "cyber first responders" across the government and private sectors.

* Identify specific initiatives in which DHS' cybersecurity division and the National Communications System, a two-dozen member federal interagency group that coordinates and plans for national security and emergency communications during crises, can work together because of their similar missions. Officials should advance the convergence of voice and data technology.

* Support research and development and educational activities to improve products and services that are user-friendly.

[1] http://hsc.house.gov/files/cybersecurityreport12.06.04.pdf

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen. Alfred M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Wed Dec 8 02:58:08 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Dec 8 03:15:16 2004
Subject: [ISN] Gartner: Consumers dissatisfied with online security
Message-ID:

Forwarded from: Mark Bernard

Dear Associates,

Are there any surprises here? I think that we're probably all a little concerned about online security. But for those who aren't sure what to think, there is always the option of paying Gartner $17k to have them tell you what you should be thinking!!

Based on research that I have conducted against the Privacy Commissioner's database of completed investigations, over 67% of nearly three hundred investigations here in Canada have been conducted against financial institutions. In contrast, 97% of those investigations have required residual remedies to be developed and implemented to resolve confirmed issues.

Lesson learned: do your homework up front and avoid productivity issues, federal investigations and wasting time/money.

Mark E. S. Bernard, CISM, CISSP, PM,
e-mail: Mark.Bernard@TechSecure.ca
Web: http://www.TechSecure.ca
Phone: (506) 325-0444

Leadership Quotes by Edwin H. Friedman: "Leadership can be thought of as a capacity to define oneself to others in a way that clarifies and expands a vision of the future."

Information Security Notice: This e-mail is classified as private and is intended for use by the sender and recipient "only". Unauthorized access to this e-mail will be dealt with in accorda