From isn at c4i.org Fri Oct 1 06:09:22 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Oct 1 06:22:00 2004
Subject: [ISN] Ron Santo/JDRF Walk on Sunday!
Message-ID:

Forwarded from: William Knowles

Our family and friends are preparing for the Juvenile Diabetes Research Foundation (JDRF) "Ron Santo Walk to Cure Diabetes" which will occur on Sunday, October 3rd, 2004. Our walk team is called Ethan's Crew and this is our fifth year of participation. Everyone is doing their best to help find a cure. Of every dollar raised at the JDRF/Ron Santo Walk, 85 cents goes toward research to find a cure. If you would like to make a donation, please check out the link below.

http://walk.jdrf.org/walker.cfm?id=85820962

I am walking because of my little nephew who is 5 years old and was diagnosed with Type 1, or Juvenile Diabetes, just 11 days after his first birthday. He now wears an insulin pump which at this time is his best chance for a more flexible and healthy lifestyle. Wearing the pump means that he does not get the 5 to 6 insulin shots daily, although he still must endure the pain of moving the tubing site every 3 days and as many as 8 finger sticks daily. He is also still at risk for developing devastating complications such as kidney failure, heart disease and blindness. He must wear the pump 24/7, even in the bathtub and the swimming pool.

As a member of Ethan's Crew, I am asking for your support. I would hope that you would sponsor me. Ethan's Crew would appreciate any contribution, no matter how small.

With deep appreciation,

William Knowles
wk@c4i.org
http://walk.jdrf.org/walker.cfm?id=85820962

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen. Alfred M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Fri Oct 1 06:09:38 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Oct 1 06:22:02 2004
Subject: [ISN] Glitch opens access to kids' records
Message-ID:

http://www.sptimes.com/2004/10/01/Hernando/Glitch_opens_access_t.shtml

By COLLEEN JENKINS
Times Staff Writer
October 1, 2004

A Miami Herald reporter alerted local child welfare authorities this week to a software glitch that made available thousands of confidential child-abuse and foster care records to anyone with Internet access.

Those files contained detailed information about the 3,966 children under the watch of Kids Central, the private consortium that handles foster care and related services for at-risk children in the Department of Children and Families' District 13, which includes Citrus, Hernando, Marion, Lake and Sumter counties.

Names of foster children, birth dates, Social Security numbers, photographs, case histories and even directions to children's foster homes were accessible with a password that had been published on Kids Central's Web site, the Herald reported.

DCF officials, who monitor the competitively bid contract with Kids Central, immediately ordered that the site be shut down after the reporter informed them of the security breach Wednesday morning.

"We take confidentiality of client files as most critical," said Janice Johnson, a longtime DCF administrator who became chief executive officer of Kids Central in Ocala. "We do take this very, very seriously."

Kids Central took over foster care, adoptions and other services for at-risk children in District 13 earlier this year as part of a statewide effort to put child welfare services in the hands of community-based care providers.

Six local social service providers comprise the consortium: the Centers (formerly Marion-Citrus Mental Health Center), the Children's Home Society, Camelot Inc., the Harbor Behavioral Healthcare Institute, the Life Stream Behavioral Center and Eckerd Youth Alternatives.

Part of the transition last spring included adopting a new computer system, called CoBRIS, the Community Based Resource Information System. The system was developed by Edmetrics, a Tallahassee company that was founded by former DCF Secretary James Bax but has no social service technology experience, the Herald reported.

In an e-mail response to a Times phone call on Thursday, Edmetrics defended its product, saying the company's software exceeds industry standards for maintaining confidentiality. The unauthorized access was the result of "human error," a company employee said.

"Review of security logs has assured us that this reporter was the only unauthorized access into the system," Edmetrics spokesman Steven Stark said. "We will be vigilant to ensure the integrity and security of the CoBRIS system."

Johnson said Kids Central was one of the first agencies of its kind in Florida to implement the system. The Web-based CoBRIS allows caseworkers to tap into the state's child welfare database with a password from wherever they are.

Apparently, some caseworkers had trouble getting into the database. So the technology staff added a link where people could post their help requests and read others made by their colleagues - without using a password.

That's where the trouble occurred. According to the Herald, some of the replies to help requests included specific log-in identities and the corresponding passwords. The newspaper reporter used that information to enter a world of records, including caseworker notes and reports from home visits, that are meant to be kept from the public eye.

When Mary Jane Kuhn learned of the breach on Thursday, the president of the Foster Parents Association of Hernando County wasn't pleased. She doesn't tell anybody where her family lives for fear of what a foster child's parents might do with the information, she said.

"If they were first-class citizens, obviously we wouldn't have (their kids)," Kuhn said. "It bothers me a lot that they would have access to that. I know some foster parents would probably give up their license if they knew it."

Kids Central and DCF officials have no evidence that any child was hurt as a result of the error. Officials said it was illegal to access the confidential database using someone else's identity, but they did not accuse the Herald reporter of breaking the law.

"It's not like a hacker got into the system," Johnson said. "Someone was able, through a mistake, to get a password and access the system."

Regardless of how the security breach came about, child welfare officials moved swiftly to fix it. Before restoring the Web site Thursday, computer specialists reset all passwords and created a new security measure that requires a log-in and password to access the help function.

Passwords now will be handed out only over the phone or in person and not through e-mail. Also, users making a help request will no longer be able to see replies to previous questions, said Don Thomas, district administrator for District 13.

A DCF security officer from Tallahassee will examine Kids Central's Web site "to make sure there isn't a way to breach the system again," Thomas said Thursday.

Bill Harrigan, president of the Citrus County Foster Parent Association, is counting on the consortium to keep that promise.

"I'm really surprised that they let their guard down and let something like that happen," he said. "That's like the major, major no-no."
From isn at c4i.org Fri Oct 1 06:12:40 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Oct 1 06:22:04 2004
Subject: [ISN] DOE hacked 199 times last year
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/27489-1.html

By Wilson P. Dizard III
GCN Staff
09/30/04

Weaknesses in the Energy Department's cybersecurity allowed hackers to successfully penetrate its systems 199 times last year in intrusions that affected 3,531 systems, the department's inspector general said.

Energy continues to have difficulty finding, tracking and fixing previously reported cybersecurity weaknesses quickly, the IG said in a report, "The Department's Unclassified Cyber Security Program - 2004." [1]

The report praised the department for improving its cybersecurity efforts, but pointed to continuing gaps in its virtual defenses, such as:

* Incomplete certification and accreditation of major systems

* Missing contingency plans for restoring systems after an emergency

* Continuing problems with access control, segregation of responsibilities for financial processing and correction of known security vulnerabilities.

"Without continuing vigilance in this area, it is likely that future attacks will continue to jeopardize the availability and integrity of critical IT assets," the auditors said.

The IG urged the department to track corrective actions needed to fix cybersecurity weaknesses, verify the effectiveness of the actions, strengthen methods of assuring that department employees understand the organization's IT policies, and ensure that all major systems are certified and accredited.

The report said Energy management's proposed actions were "responsive to our recommendations," without elaborating on or presenting the actions. The IG report did not describe specific IT vulnerabilities.

[1] http://www.ig.doe.gov/pdf/ig-0662.pdf

From isn at c4i.org Fri Oct 1 06:12:55 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Oct 1 06:22:05 2004
Subject: [ISN] Toorcon 2004 Brings Hackers to Sunny San Diego
Message-ID:

http://www.tomshardware.com/business/20040930/index.html

By Humphrey Cheung
September 30, 2004

Defcon isn't the only hacker convention for people living on the West Coast. Toorcon, a computer security conference in its sixth year, provides a viable alternative to people who want to learn more about computer security. Toorcon was held Friday September 24 to Sunday September 26 at the Manchester Grand Hyatt in sunny San Diego, California. With over 300 people in attendance, it provided a sizable yet still intimate arena to learn about the secrets of computer security.

From the informative seminars to the interesting vendor area, we will give you a glimpse into what was Toorcon 2004. You may just want to attend next year.

Deep Knowledge Seminars

About 20 people ponied up $300 to $500 (depending on when they registered) to attend the Deep Knowledge Seminars held on the Friday night just before the main Toorcon session. These talks were 75 minutes long and were very informative.

One interesting seminar, Mobile Cyber Warfare Training, given by Scott Kennedy of SAIC, talked about training IT staff against cyber attack. SAIC conducts "Red versus Blue" training, where IT staff, called the Blue Team, must defend a network against a fictional group of Hackers called the Red Team. All the hardware necessary for the exercise is kept in a small rack that is easily transportable for on-site training. Training costs around $20,000 for a group of fifteen.

Red versus Blue training is important as everyday network administrators don't usually get to practice against an insanely knowledgeable and determined foe. SAIC officials acting as the hacker Red Team throw everything at the hapless Blue Team. In the battle, some innovative solutions surface.

What is the craziest defense that Scott Kennedy has seen? In order to stop kernel exploits, one team actually deleted the OS kernel on their Sun box, which worked very well until they needed to reboot the machine. Servers don't boot too well when the kernel is missing.

We all know that website defacements happen frequently. Hackers break into a webserver and change the index.html file so that the website displays some crazy and usually profane stuff. This is very embarrassing for the IT staff and for the attacked company. One administrator, in an act of simple genius, copied the index.html file to another folder and then ran a cron/scheduled tasks job to overwrite the original index.html file every second. While this doesn't stop the attack, it does ensure that your original website stays up. Even if the attackers change the index.html file, the next second the offending file will be overwritten with the correct copy. Some administrators go even farther by burning the file to a CD and then having it copied to the Apache folder every second. Since the CD is read-only, the attacker cannot deface the copy on the CD.

[...]

From isn at c4i.org Fri Oct 1 06:13:07 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Oct 1 06:22:06 2004
Subject: [ISN] Katie Bar The Door!
Message-ID:

http://www.techweb.com/tech/security/47903512

By Keith Ferrell
TechWeb.com
September 29, 2004

The more technologically sophisticated non-IT employees become, the bigger their potential threat to the enterprise.

A little knowledge has always been a dangerous thing, and when it comes to employees and technology, a little technology knowledge can add up to big dangers.

Look at wireless LANs (WLANs), for example. A recent survey revealed that 84 percent of companies that have deployed wireless WLANs have not experienced security problems. But there is an interesting footnote to these findings. The primary drivers for WLAN introduction were the promise of increased productivity and demand from end-users.

In other words, employees who have grown accustomed to grabbing e-mail at a coffee-shop hotspot want the same level of convenience at the office.

And therein lies the potential for - and the potential peril of - a cascade of hardware and software that flows, not just through our businesses, but also through our home and private lives.

The technological overlap between cubicle desktop and kitchen table has never been larger. Employees use mobile devices to carry work home, and they often use personal devices and technologies to enhance their business productivity at the office.

As noted, most enterprise WLANs are operating securely. What gives many IT specialists pause is the security of that coffee-shop hotspot or home Wi-Fi network, where exists the possibility of inadvertently revealing sensitive business information and passwords or picking up a virus or worm.

In a recent column, Wayne Rash pointed out that a high percentage of worm infections are the result of laptops that acquired the worm at home or from another off-site location and were then brought to the office. The worm bypasses company security by entering the business in the employee's briefcase.

The solution? Require employees to reboot laptops before attaching to the network.

The challenge? Getting employees, accustomed to leaving their laptops always on, to adhere to the policy.

Camera-equipped telephones are another device prompting more than a few security concerns. Camera phones can open enterprise secrets to spies and can expose businesses to unwanted privacy and harassment threats.

The solution? Prohibit employees from bringing camera-equipped phones to work.

The challenge? Finding employees willing to leave their phones at home or even in the car.

A little software knowledge can cause problems, as well. Case in point: Instant Messaging. IM entered business by way of commercial, public programs that employees had begun using at home.

Using IM at work was as easy as home use, but home use generally doesn't carry the security and privacy, compliance, and liability risks that the programs can pose for business.

The solution? Take a look at the IM guidelines recently released by the Federal Deposit Insurance Corp. (FDIC). The guidelines include banning certain programs and increasing 'information security awareness training.'

The challenge? Ensuring that employees fully understand the difference between technologies that they're used to and those that are permitted at work.

The situation is only going to grow more complex, as advanced technologies become more and more accessible and affordable for consumers. This is why forward-looking enterprises are applying a lot of effort to creating, disseminating, and enforcing technology policies that apply to off-site device usage, as well as to at-work usage.

The target of such policies is those employees who've already got 'a little knowledge.' What they need now is a lot of education.

From isn at c4i.org Tue Oct 5 07:29:03 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 5 07:47:42 2004
Subject: [ISN] WorldPay struggles under DDoS attack (again)
Message-ID:

http://www.theregister.co.uk/2004/10/04/worldpay_ddos/

By John Leyden
4th October 2004

WorldPay, the Royal Bank of Scotland's internet payment transaction outfit, is continuing to fight a sustained internet attack which has left its services largely unavailable for a third successive day.

Since Saturday (2 October), WorldPay's online payment and administration system has been reduced to a crawl, due to a malicious DDoS attack by unidentified computer criminals.

A spokesman for the company stressed that although it is fighting a serious "denial-of-service" attack, its systems are uncompromised and customer data remains secure. "We are processing transactions securely but the attack is blocking our ability to operate normally. We apologise unreservedly for any inconvenience caused," he added.

WorldPay's techies are working overtime to restore service but can't say when normal service will be restored.

In a notice to customers on Saturday (2 October), WorldPay said: "We regret that access to our payment and administration systems is severely disrupted due to a planned and large scale Denial of Service (DDOS) attack by a third party. Our payment and administration systems are working, safe and secure, but the networks around them are being flooded with requests on a huge scale, causing 'service denials'. We are processing payments, but far slower and fewer than we normally would.

"We are executing our contingency plans to move to full restoration of the service but cannot at this point in time predict when all customers will have the service restored without further interruption. While attacks of this type can be anticipated, it does take time to identify and deal with the exact nature of a particular attack. We are doing everything that is possible to restore a full service as soon as is possible," it added.

Users are advised to check WorldPay's customer service portal for updates.

WorldPay was the subject of a similar three-day long denial of service attack last November. One Reg reader writes: "Looks like they have not learned much from last year's DoS attack as the service has been down for most of the day. We have lost thousands in orders."

A WorldPay spokesman said the vast majority of customers had been supportive and understanding. He noted that many businesses had experienced DDoS attacks in recent months. Many of these attacks have been linked to extortion attempts, but WorldPay declines to say if it has received any demands from its attackers.
From isn at c4i.org Tue Oct 5 07:29:29 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 5 07:47:44 2004
Subject: [ISN] Linux Security Week - October 4th 2004
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  October 4th, 2004                            Volume 5, Number 39n  |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin D. Thomas      ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Gaim Encryption: Simple encryption for instant messages," "Authentication methods in OpenBSD," "Defending Your IT Infrastructure Through Effective Patch Management," and "Defeating Honeypots."

----

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

----

LINUX ADVISORY WATCH:

This week, advisories were released for kernel, imlib, getmail, sendmail, vnc, CUPS, cadaver, tcpdump, freenet6, apache, subversion, sharutils, webmin, and NetPBM. The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, and Trustix.

http://www.linuxsecurity.com/articles/forums_article-9995.html

AIDE and CHKROOTKIT

Network security is continuing to be a big problem for companies and home users. The problem can be resolved with an accurate security analysis. In this article I show how to approach security using aide and chkrootkit.

http://www.linuxsecurity.com/feature_stories/feature_story-173.html

----

An Interview with Gary McGraw, Co-author of Exploiting Software: How to Break Code

Gary McGraw is perhaps best known for his groundbreaking work on securing software, having co-authored the classic Building Secure Software (Addison-Wesley, 2002). More recently, he has co-written with Greg Hoglund a companion volume, Exploiting Software, which details software security from the vantage point of the other side, the attacker. He has graciously agreed to share some of his insights with all of us at LinuxSecurity.com

http://www.linuxsecurity.com/feature_stories/feature_story-171.html

----

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Host Security News: |          <<-----[ Articles This Week ]----------
+---------------------+

* Ten Steps to E-Mail Security
  October 1st, 2004

More than 10,000 students depend on Jill Cherveny-Keough for trustworthy computing systems. As director of academic computing at the New York Institute of Technology (NYIT), Cherveny-Keough must ensure that dozens of computing centers across the college's campuses run without a hitch. The centers, located throughout Long Island and Manhattan, support the college's undergraduate and graduate students.

http://www.linuxsecurity.com/articles/security_sources_article-10004.html

* Gaim-Encryption: Simple encryption for instant messages
  October 1st, 2004

Instant messaging is everywhere nowadays, but people who use it may be surprised to know how trivial it is to listen in on their private conversations. Snoopers can use tools like tcpdump and aimsniff to tap into the contents of the messages. But with a little free software, IMers can be secure in the knowledge their conversations are, well, secure.

http://www.linuxsecurity.com/articles/security_sources_article-9998.html

* Tipping the Scales Toward Secure Code
  October 1st, 2004

Everybody can use more secure code--and sometimes the best way to hone your skills is to listen to other programmers. Here are 18 concise tips offered by your fellow developers, each a specific (and opinionated!) piece of advice that you can put to work immediately. You may not agree with all these suggestions, but each is worth contemplating.

http://www.linuxsecurity.com/articles/documentation_article-9990.html

* 'Cybernapping' danger of unprotected systems
  October 1st, 2004

Hackers stealing company data and holding it to ransom is a growing trend, warn security experts. 'Cybernappers' take confidential data such as customer lists from backend systems unprotected by the necessary security systems.

http://www.linuxsecurity.com/articles/hackscracks_article-10001.html

* Authentication methods in OpenBSD
  September 30th, 2004

OpenBSD supports several authentication methods besides a simple password. Here are some ways you can keep your systems safe. To use these alternate login methods, the username is changed and OpenBSD processes the authentication in the background. By default, the only authentication methods that are allowed are simple passwords and S/Key.

http://www.linuxsecurity.com/articles/documentation_article-9981.html

* Secure Linux Competition Heats Up
  September 30th, 2004

The race is on to deliver a version of the Linux open-source operating system that will be more secure than any of its predecessors but also manageable and affordable enough to garner widespread acceptance. Linux developer MandrakeSoft SA and a consortium of European software makers have tossed their hat into the ring, as has Trusted Computer Solutions Inc., a maker of software used by government agencies and businesses to securely transfer sensitive data.

http://www.linuxsecurity.com/articles/vendors_products_article-9976.html

* Defending Your IT Infrastructure Through Effective Patch Management
  September 28th, 2004

Imagine that you are the IT Director of a large retail bank with an active and highly visible Internet banking service. While driving into the office, half-listening to the radio news, you hear your bank's name being announced, immediately followed by the words "hacker", "massive system failure" and "identity theft".

http://www.linuxsecurity.com/articles/network_security_article-9960.html

* USB--short for 'ultimate security breakdown'?
  September 28th, 2004

For the average corporate or home PC user, the initialism "USB" refers to a computer port that makes it very easy to connect devices directly to a machine. With this connection, a person can transfer or copy information to and from a computer with little trouble.

http://www.linuxsecurity.com/articles/host_security_article-9959.html

* Security Log
  September 27th, 2004

Trusted Computer Solutions Inc. has announced that it is developing a product called TCS Trusted Linux, a multilevel-secure version of the Linux operating system.

http://www.linuxsecurity.com/articles/vendors_products_article-9954.html

* Biometrics: A Security Makeover
  September 27th, 2004

One year ago, the prospects for developing biometrics as a reliable security device for computers were viewed by many industry watchers as a nice idea with little applicable potential. After all, biometric security devices have been available in one form or another for 30 years.

http://www.linuxsecurity.com/articles/host_security_article-9945.html

+------------------------+
| Network Security News: |
+------------------------+

* Protecting the Perimeter With OpenBSD
  September 30th, 2004

The Unix operating system has so many descendants and variations that organizations navigating the maze of choices can quickly become disoriented. Many of these projects were launched to offer operating systems unencumbered by the commercial and proprietary licenses tied to the original AT&T UNIX.

http://www.linuxsecurity.com/articles/network_security_article-9988.html

* Defeating Honeypots: Network Issues, Part 1
  September 30th, 2004

To delude attackers and improve security within large computer networks, security researchers and engineers deploy honeypots. As this growing activity becomes a new trend in the whitehat community, the blackhats study how to defeat these same security tools.

http://www.linuxsecurity.com/articles/documentation_article-9980.html

* Intrusion Detection Trumps Prevention In Health Care
  September 30th, 2004

Many health-care organizations are going beyond firewall and intrusion-detection technologies and counting on intrusion-prevention products to safeguard their systems.

http://www.linuxsecurity.com/articles/intrusion_detection_article-9985.html

* Web Services Management, Security Converge
  September 30th, 2004

In a deal that could signal a trend, Web services-management vendor Digital Evolution has acquired fledgling Web services management/security vendor Flamenco Networks. Some consolidation in this market was inevitable, given the number of players, and it should have a positive impact on options.

http://www.linuxsecurity.com/articles/security_sources_article-9983.html

* 'Know Your Enemy': Everything you need to know about honeypots
  September 28th, 2004

Honeypots are a relatively new and highly dynamic technology. Because they are so dynamic, it is difficult to define just what they are. Honeypots are unique in that they are not a solution in and of themselves; they do not solve a specific security problem. Instead, they are highly flexible tools with many different information security applications.

http://www.linuxsecurity.com/articles/security_sources_article-9958.html

+------------------------+
| General Security News: |
+------------------------+

* Smart Users Are Dangerous
  October 1st, 2004

The more technologically sophisticated non-IT employees become, the bigger their potential threat to the enterprise. A little knowledge has always been a dangerous thing, and when it comes to employees and technology, a little technology knowledge can add up to big dangers.

http://www.linuxsecurity.com/articles/security_sources_article-9991.html

* Network Physics Releases Distributed Network Intelligence Tool
  September 30th, 2004

Network Physics has introduced NetSensory Enterprise Architecture, a distributed intelligence tool that promises to provide global applications infrastructure visibility, troubleshooting and reporting. The architecture is built on a new distributed operating system, the NetSensory(TM) OS 4.0, which runs on the company's NP-2000 appliance and a new hardware appliance, the NP-Director(TM).

http://www.linuxsecurity.com/articles/network_security_article-9984.html

* IT managers are putting security at top of their wish list
  September 29th, 2004

At a roundtable discussion this week at an International Data Corp. technology conference in Paris, the International Herald Tribune spoke with some of the executives in charge of putting technology to work in Europe. Edited excerpts from their conversation with Jennifer L. Schenker and Victoria Shannon follow.

http://www.linuxsecurity.com/articles/general_article-9972.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue Oct 5 07:29:49 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 5 07:47:46 2004
Subject: [ISN] Rise of the CISO
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,96291,00.html

By Jaikumar Vijayan
OCTOBER 04, 2004
COMPUTERWORLD

As the chief information security officer at General Motors Corp., Eric Litt is in charge of integrating security into every aspect of the company's vast $186 billion business. It's a job that has given him a spot at the executive table, support from the board level down and a chance to implement far-reaching decisions related to information security at the company.

"I get plenty of attention, which is a very good thing," Litt says. When it comes to security at the automaker, "resources are not an issue," he says.

Litt is one among a small but growing number of executives who say that heightened concerns are driving a gradual evolution of the security function and investing it with more influence than ever before.

"Security folks have often been viewed as a necessary evil who always get in the way of your doing business," says Howard Schmidt, CISO at eBay Inc. in San Jose and former White House cybersecurity adviser. But regulatory compliance issues and the increasing losses related to worms, viruses and other hacker attacks are making security a part of the core business process, he says.

Kim Milford agrees. "Security is now viewed as a critical requirement in the purchase, design, development and deployment of applications and services," says Milford, information security manager at the University of Wisconsin-Madison. "There seems to be a shift from the emphasis on predominantly technical controls to risk assessment, policies and user education," she adds.

For instance, Litt has crafted a model under which all security planning at GM starts with an analysis and understanding of the specific threats and risks faced by a business unit. A central security team evaluates and analyzes everything from regulatory requirements to intellectual property protection, inappropriate use, access control and threats such as denial-of-service attacks, worms and viruses.

The group then architects a detailed security implementation requirement for each of the business units based on its specific risk profile. Each of the business units is responsible for implementing the needed technology and process measures and is periodically audited for compliance against its requirements.

A color-coded security dashboard for senior management at GM rates the performance of each business unit, with green representing full compliance, yellow showing partial progress and red indicating a total lack of compliance.

It's an evolving holistic approach to security that includes "the people, the organization, governance, process and, lastly, technology," Litt says.

Strategy, Not Tactics

A similar focus on high-level concerns such as regulatory compliance, digital rights management, intellectual property protection and application coding standards defines the evolution of the security organization at the Bank of Montreal in Toronto.

"Implementing firewalls and hardening systems are not really security issues any longer but operational issues," says Robert Garigue, the bank's CISO. Those are being approached in the same manner that configuration management or capacity management is, he says.

Years of fending off worms, viruses and hacker attacks have allowed Bank of Montreal to implement technologies and automate its responses. The bank is now at a point where it's increasingly offloading those tasks to network and system operations teams.

The security function is no longer just about "exceptions management" and responding to emergencies, Garigue says. The focus instead is "about understanding where the new risks are coming from and not getting blindsided by them," he says.

It's a task that requires security managers to wear several hats, says Christofer Hoff, director of enterprise security services at Western Corporate Federal Credit Union, a San Dimas, Calif.-based company with $25 billion in assets.

It means being a "magician, oracle, facilitator, accountant, psychiatrist, stuntman, public relations consultant and prophet," Hoff says. It requires a background that melds "ditch digging and trench warfare with board presentations and business-based strategy planning," he adds.

Much of the organizational influence that such security managers have begun to garner is tied to the business value delivered by the information security function, Hoff says. There's a growing realization in the corporation that "information security is not about technology [but] about rational risk management," he says.

That shift in perception is resulting in more authority and influence being invested in the security manager or CISO function, University of Wisconsin's Milford says.

An increasing number of CISOs are being asked to participate in crucial business decisions at the highest level, eBay's Schmidt says. For instance, in many cases, the CISO's input and approval is required at the very inception of any large IT project, as companies try to build in security instead of bolting it onto business processes as an afterthought, Schmidt says.

"There are many projects that just don't kick off without security guidance in the requirements stage," he says.

Because responding to security risks is beginning to be viewed as a cost of doing business, the security manager is also being consulted more to help assess costs and benefits, Milford says. And security funding is also getting easier to come by, she says, pointing to her own organization's success in securing funds for an array of worm and attack mitigation technologies soon after a wave of malicious attacks last year.

"This shift has, in some cases, moved the security manager function into the highest levels of the IT organization chart and sometimes even completely outside the realm of IT," Milford says.

Although CISOs typically report to CIOs, as companies begin taking more of an operational-risk management approach to IT security, some security managers have been advocating functional parity with the CIO. It's not unusual to find CISOs reporting to chief financial officers and CEOs, Milford says.

Lagging Behind

But the changes aren't happening at all companies. And corporate inertia and political turf battles continue to make the evolution a painful one, security managers readily acknowledge.

At many companies, the security organization still remains "out of sight and out of mind" unless there is some sort of a cyber emergency, says Dennis Treece, director of corporate security at the Massachusetts Port Authority in Boston.

"Private-sector managers simply want what they've always wanted from their security program - keeping the company out of trouble and [out of] the papers and doing it for as little money possible," he says.
As one of the executives in charge of securing Boston's Logan International Airport, three seaports and a major toll bridge, Treece is focused primarily on physical infrastructure protection. But he oversees the information security side as well. "The physical security folks still don't know much about network security, and network people who are given the security mission think of themselves as IT people, not security people," he says. A divide also exists between network operations teams, which are focused on ensuring optimal performance, and network security teams, which are often viewed as a barrier to that goal, Treece says. A more powerful security function also raises political issues at a higher level, Treece says. "Anytime there's a new player at the table, others have to move aside and cede a little turf," he says. And the person who stands to lose the most turf in the battle is the CIO, who has traditionally been responsible for security, he says. The amount of authority the security manager has depends a lot on the organizational culture and structure, Milford says. In top-down, heavily centralized organizations, the authority stems from the CISO's placement within the organization and who he reports to, she explains. "In less heavily structured organizations, the security manager must gain the trust of the decentralized management and technologists," Milford says. Companies that have adopted process maturity frameworks such as the Software Engineering Institute's Capability Maturity Model are also more likely to be ready culturally to integrate security into every aspect of their business, Garigue says. And Hoff says, "It's all about marketing. If you can't demonstrate your worth, long-term survivability is compromised, and the value you offer the organization remains that of a grudge purchase rather than an enabler. 
"Our company is enlightened to the value we bring, but only because we go out of our way to relate our successes in business terms" by showing reduction of risk on investment, Hoff says. "To me, it's a simple play." From isn at c4i.org Tue Oct 5 07:30:26 2004 From: isn at c4i.org (InfoSec News) Date: Tue Oct 5 07:47:47 2004 Subject: [ISN] REVIEW: "Biometrics for Network Security", Paul Reid Message-ID: Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" BKBIOMNS.RVW 20040527 "Biometrics for Network Security", Paul Reid, 2004, 0-13-101549-4, U$44.99/C$67.99 %A Paul Reid %C One Lake St., Upper Saddle River, NJ 07458 %D 2004 %G 0-13-101549-4 %I Prentice Hall %O U$44.99/C$67.99 +1-201-236-7139 fax: +1-201-236-7131 %O http://www.amazon.com/exec/obidos/ASIN/0131015494/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0131015494/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0131015494/robsladesin03-20 %P 252 p. %T "Biometrics for Network Security" In the preface, Reid presents biometrics as the cure for all network security ills. Given his employment, with a company that sells biometric systems, this enthusiasm is understandable, if not totally compelling. Part one deals with introduction and background. Chapter one is the introduction--mostly to the book. The definition of biometrics itself is very terse. Authentication technologies are promised in chapter two--which starts out by repeating the all-too-common error of confusing authentication with identification. Reid then pooh-poohs passwords and tokens and praises biometrics as strong authentication, without dealing with the fact that a biometric is the ultimate static password, or addressing the technologies (and associated error rates) needed to make biometrics a viable authentication factor. Privacy is confused with intellectual property, access control, and improper employee monitoring in chapter three. Part two lists biometric technologies. 
Chapter four is a disorganized amalgam of factors generally involved in biometric use and applications. Fingerprint features are reviewed in chapter five with incomprehensible explanations and unclear illustrations. Attacks against fingerprint technologies and systems are raised--but are usually dismissed in a fairly cavalier manner. Similar examinations are made of face (chapter six), voice (seven), and iris (eight) systems. Part three looks at implementing the technologies for network applications. Chapter nine compares the four biometrics from part two, in general terms, and states measures that are rather at odds with other biometric literature. Reid makes a big deal out of simple error rate metrics in chapter ten. Most of chapter eleven talks about hardening biometric devices and hardware. Unconvincing fictional "straw man" case studies and some general project planning topics are in chapter twelve, with more of the same in thirteen and fourteen. Part five, which is only chapter fifteen, casts a rosy-spectacled look at the future when all of security will be made perfect through the use of biometrics--essentially returning us to the preface. Basically, this appears to be a promotional pamphlet padded out to book length: it isn't even as good as Richards' article in the "Information Security Management Handbook" (cf. BKINSCMH.RVW). The material will not help you with a realistic assessment of what biometrics can (and cannot) do, or how to implement it. The "Biometrics" text by Woodward, Orlans and Higgins (cf. BKBIOMTC.RVW) is far superior. copyright Robert M. Slade, 2004 BKBIOMNS.RVW 20040527 ====================== (quote inserted randomly by Pegasus Mailer) rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. 
- Rich Cook http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade From isn at c4i.org Tue Oct 5 07:30:51 2004 From: isn at c4i.org (InfoSec News) Date: Tue Oct 5 07:47:48 2004 Subject: [ISN] U.S. cybersecurity chief abruptly resigns, cites frustration Message-ID: http://www.sfgate.com/cgi-bin/article.cgi?file=/news/archive/2004/10/01/national1052EDT0544.DTL TED BRIDIS AP Technology Writer 10-01-2004 The government's cybersecurity chief has abruptly resigned after one year with the Department of Homeland Security, confiding to industry colleagues his frustration over what he considers a lack of attention paid to computer security issues within the agency. Amit Yoran, a former software executive from Symantec Corp., informed the White House about his plans to quit as director of the National Cyber Security Division and made his resignation effective at the end of Thursday, effectively giving a single day's notice of his intentions to leave. Yoran said Friday he "felt the timing was right to pursue other opportunities." It was unclear immediately who might succeed him even temporarily. Yoran's deputy is Donald "Andy" Purdy, a former senior adviser to the White House on cybersecurity issues. Yoran has privately described frustrations in recent months to colleagues in the technology industry, according to lobbyists who recounted these conversations on condition they not be identified because the talks were personal. As cybersecurity chief, Yoran and his division -- with an $80 million budget and 60 employees -- were responsible for carrying out dozens of recommendations in the Bush administration's "National Strategy to Secure Cyberspace," a set of proposals to better protect computer networks. Yoran's position as a director -- at least three steps beneath Homeland Security Secretary Tom Ridge -- has irritated the technology industry and even some lawmakers.
They have pressed unsuccessfully in recent months to elevate Yoran's role to that of an assistant secretary, which could mean broader authority and more money for cybersecurity issues. "Amit's decision to step down is unfortunate and certainly will set back efforts until more leadership is demonstrated by the Department of Homeland Security to solve this problem," said Paul Kurtz, a former cybersecurity official on the White House National Security Council and now head of the Washington-based Cyber Security Industry Alliance, a trade group. Under Yoran, Homeland Security established an ambitious new cyber alert system, which sends urgent e-mails to subscribers about major virus outbreaks and other Internet attacks as they occur, along with detailed instructions to help computer users protect themselves. It also mapped the government's universe of connected electronic devices, the first step toward scanning them systematically for weaknesses that could be exploited by hackers or foreign governments. And it began routinely identifying U.S. computers and networks that were victims of break-ins. Yoran effectively replaced a position once held by Richard Clarke, a special adviser to President Bush, and Howard Schmidt, who succeeded Clarke but left government during the formation of the Department of Homeland Security to work as chief security officer at eBay Inc. Yoran cofounded Riptech Inc. of Alexandria, Va., in March 1998, which monitored government and corporate computers around the world with an elaborate sensor network to protect against attacks. He sold the firm in July 2002 to Symantec for $145 million and stayed on as vice president for managed security services. 
From isn at c4i.org Wed Oct 6 04:44:30 2004 From: isn at c4i.org (InfoSec News) Date: Wed Oct 6 04:53:45 2004 Subject: [ISN] REVIEW: "Open Source Software Law", Rod Dixon Message-ID: Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" BKOSSWLW.RVW 20040527 "Open Source Software Law", Rod Dixon, 2004, 1-58053-719-7, C$139.50 %A Rod Dixon %C 685 Canton St., Norwood, MA 02062 %D 2004 %G 1-58053-719-7 %I Artech House/Horizon %O C$139.50 800-225-9977 fax: 617-769-6334 artech@artech-house.com %O http://www.amazon.com/exec/obidos/ASIN/1580537197/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/1580537197/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/1580537197/robsladesin03-20 %P 287 p. + CD-ROM %T "Open Source Software Law" Chapter one discusses the concept of open source software (and related terms such as free software, freeware, and so forth), as well as introducing some (though not all) of the major groups and players. The text points out the difficulties of finding specific definitions when dealing with a community and philosophy of this nature, and the material is indicative and possibly useful, but even so the explanations could be much clearer and less demanding of the reader. The philosophies (and factions) of the open source community are outlined in chapter two, as well as basic ideas such as copyleft. There is further delineation of the reasons behind open source, which does rather beg the question of why the topic wasn't dealt with better in the first place. An interesting section is the analysis of the purported "viral" effect of the General Public License (GPL), which some fear will dilute developers' rights. The issue of licensing, and the different types of licence models, is reviewed in chapter three. The material is detailed and the subject evaluated in depth, but, oddly, the chapter does not seem to clarify the issue as much as, say, Brian Behlendorf's article in "Open Sources" (cf. BKOPNSRC.RVW). 
After an initially intriguing examination of the US "No Electronic Theft" act of 1997, and the implications for extending property considerations to information, chapter four turns into a meandering, and not altogether clear, editorial on the issue. Chapter five looks at electronic contracts, concentrating on E-Sign and UETA (Uniform Electronic Transaction Act) (governing the validity of digital agreements, with UETA having somewhat more consumer protection), and UCITA (Uniform Computer Information Transaction Act), which extends the rights of developers of software, including assumptions regarding contract formation. "Commercial Models," in chapter six, revisits the licensing debate: again, Behlendorf's article (noted above) seems to provide a superior appraisal. Due to ill-defining "open standards" as a confused amalgam of open source and open systems, Dixon's assessment of the impact on public policy is flawed, but chapter seven is mercifully brief. Chapter eight, as the third item on licensing, doesn't present many new ideas. While there are interesting and informative legal issues presented in this work, a great deal of it is a standard, and somewhat pedestrian, promotion of the open source movement. In addition, Dixon's writing is frequently verbose, turgid, and lacking in clarity. Given the able apologetics offered by "Open Sources" and "The Cathedral and the Bazaar" (cf. BKCATBAZ.RVW), the need for such a work is questionable. copyright Robert M. Slade, 2004 BKOSSWLW.RVW 20040527 ====================== (quote inserted randomly by Pegasus Mailer) rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu My spirit is broken, my days are cut short, the grave awaits me. Surely mockers surround me; my eyes must dwell on their hostility. 
- Job 17:1,2 http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade From isn at c4i.org Wed Oct 6 04:45:00 2004 From: isn at c4i.org (InfoSec News) Date: Wed Oct 6 04:53:50 2004 Subject: [ISN] When is secure FTP not secure? When it reaches your network Message-ID: http://www.computerworld.com/securitytopics/security/story/0,,96265,00.html Advice by James King ID Analytics Inc. OCTOBER 01, 2004 COMPUTERWORLD It's widely accepted that file transfer protocol (FTP) is the simplest way for organizations to send data across the Internet. To enhance security, many companies now use sFTP or FTP/S, the "secure" forms of FTP, believing that data traveling across this protocol is safe. But is it? It's true that secure forms of FTP have additional encryption while commands and data are in transit across the Web. But it's commonly overlooked that while files are indeed secure during transit, they are nonetheless extremely vulnerable for the period of time they reside at the Internet-facing, final point of handoff at the edge of the receiving network. Due to limited Internet bandwidth and large file sizes, it will always take some amount of time for this final transfer because a software program or script at the receiving end must wait for the download to be complete before securing the entire file inside the interior firewall. Imagine a pipe carrying water to a bucket. Though the pipe holds the water securely, the bucket can't be secured until it's filled with the water it's waiting for. The larger the file, the longer the transfer takes. The longer the transfer takes, the greater the vulnerability. The exposure is due to new vulnerabilities discovered, seemingly daily, within operating systems. If a hacker can gain access to the operating system, any files on the computer's disk are available to him. If the files on the disk aren't encrypted, you have made the hacker's day. 
In an environment where security breaches have become so commonplace that legislation such as California's Senate Bill 1386 makes companies even more liable for data security violations, greater measures of protection are needed. Hackers only need one part of the file to do their dirty work. All it takes is one stolen Social Security number from a customer for your company to be at risk.

Here are some measures that IT managers and network architects can take to better ensure data security:

1.) Install a dedicated transfer server in a true DMZ with equipment from different manufacturers.

Perhaps the most common method for supporting automatic data transfer is to add this duty to an existing internal server and present the server to partners through the external firewall via network address translation. Unfortunately, this is also the most insecure method. If the single firewall is compromised through a known vulnerability or if the server is compromised through the protocol used for data transfer, the entire network segment where the servers are located is exposed. Isolating the data-transfer duty to a server that isn't multipurposed, being sure to disable any unnecessary services, reduces the number of potential vulnerabilities, but the internal network is still vulnerable. The best method to minimize risk is to create a true DMZ by using two firewalls, each with two interfaces, to keep the Internet-facing firewall completely separate from the firewall facing the private network. Also, most organizations source their firewall equipment from a single manufacturer. However, newly discovered vulnerabilities often affect entire ranges of a manufacturer's products. Ideally, the two firewalls in this scenario will be sourced from different manufacturers because it's rare for new vulnerabilities to be effective across platforms.

2.) Establish strict rules at the firewall.

A good beginning rule set for the exterior firewall would be explicit denial of access to all, but with implicit access to well-known clients and partners. The interior firewall rule set should explicitly deny all access, including access from the FTP server in the DMZ. Any processes waiting for files from the outside must reach out through the interior firewall and pull files in from the sFTP server.

3.) Require a key exchange for connectivity.

Secure FTP provides functionality allowing access only to outside contacts with a valid cryptographic key. This eliminates the need for a user ID and password log-on. The key may also be capable of differentiating individual computers accessing the sFTP server from within a client organization, where there otherwise may be only a single log-in ID or IP presented. If key exchange isn't possible, require the use of strong passwords, meaning those with an eight-character minimum length, required mixing of upper and lower case, and inclusion of punctuation marks. Don't reuse passwords, and change them frequently.

4.) Encrypt, encrypt, encrypt.

One of the most important measures is to require exchange of public encryption keys and encrypt the data files that will be transferred. Many programs are available for this level of data encryption in both the commercial and public domains, including Pretty Good Privacy and the GNU version, GPG. An additional bonus of encryption is that almost all of today's encryption programs also include file compression.

5.) Exercise additional caution when using FTP/S.

FTP/S uses a Secure Sockets Layer (SSL) wrapper around an FTP server or client to encrypt the log-in and data exchanged between them. But differences in the various SSL implementations and versions used can result in incompatibilities and failures between server and client software. If the initial SSL authentication between two SSL implementations fails, they will often fall back to sending the user log-in and password as clear text rather than fail the log-in. This allows the FTP user log-in data to be clearly read by anyone monitoring the traffic. Oddly enough, once the clear-text log-in is authenticated, the data transfer itself will be encrypted. So the rule is: Check the log files, since this is the only place where this particular failure will show up, especially because your outside contacts can change implementations of FTP/S without your knowledge. If possible, configure the chosen FTP/S server or client to deny or fail the log-in if the initial SSL authentication fails.

6.) Stay current with the latest operating system patches.

FTP programs are implemented on a number of platforms, including Windows, Linux, Solaris and many flavors of Unix, so attentive daily updates are essential.

7.) Look for security holes, especially by frequently checking logs.

Even with all the latest technology in place to protect data, vulnerabilities can exist. It takes smart people vigilantly applying investigative skills to keep a network truly secure.

In a world where new vulnerabilities appear daily and where the rate of litigation increases as rapidly as computing power, it's imperative to secure your data transfers with clients and business partners. Fortunately, a straightforward architectural approach to systems and process design can mitigate most of the risks. Employing the strategies outlined here will make it much easier for IT and security professionals (and their executive management) to sleep at night, knowing that their data is as secure as possible.

James King is vice president, engineering and operations, at ID Analytics Inc., a San Diego-based vendor of identity management products and services.
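The log check that point 5 calls for, as an added example that is not part of the article: it replays FTP/S control-channel log lines per session and flags every successful log-in whose credentials were not protected by a completed TLS handshake, separating the "handshake failed, client fell back to clear text" case from plain FTP with no AUTH TLS at all. The log format and the sample lines are constructed for this example; real servers each log differently, so the regex is the part to adapt.

```python
"""Detect FTP/S sessions that fell back to a clear-text log-in.

Added example, not from the article. Scans FTP server control-channel
log lines and reports sessions where LOGIN OK was reached without a
successful TLS handshake on the control channel.

Assumption: the "<date> <time> [<session-id>] <client-ip> <event>" log
format below is constructed for this example, not any real server's.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log (RFC 5737 documentation addresses, made-up users).
# s1: TLS OK, protected log-in.  s2: handshake failed, clear-text fallback.
# s3: never requested TLS.       s4: server correctly rejected the log-in.
SAMPLE_LOG = """\
2004-10-01 09:12:01 [s1] 203.0.113.7 CONNECT
2004-10-01 09:12:01 [s1] 203.0.113.7 AUTH TLS
2004-10-01 09:12:02 [s1] 203.0.113.7 TLS handshake OK TLSv1
2004-10-01 09:12:02 [s1] 203.0.113.7 USER partner_a
2004-10-01 09:12:02 [s1] 203.0.113.7 PASS ****
2004-10-01 09:12:03 [s1] 203.0.113.7 LOGIN OK
2004-10-01 09:15:40 [s2] 198.51.100.9 CONNECT
2004-10-01 09:15:40 [s2] 198.51.100.9 AUTH TLS
2004-10-01 09:15:41 [s2] 198.51.100.9 TLS handshake FAILED version mismatch
2004-10-01 09:15:41 [s2] 198.51.100.9 USER partner_b
2004-10-01 09:15:41 [s2] 198.51.100.9 PASS ****
2004-10-01 09:15:42 [s2] 198.51.100.9 LOGIN OK
2004-10-01 09:20:05 [s3] 192.0.2.44 CONNECT
2004-10-01 09:20:05 [s3] 192.0.2.44 USER partner_c
2004-10-01 09:20:06 [s3] 192.0.2.44 PASS ****
2004-10-01 09:20:06 [s3] 192.0.2.44 LOGIN OK
2004-10-01 09:21:00 [s4] 192.0.2.45 CONNECT
2004-10-01 09:21:00 [s4] 192.0.2.45 AUTH TLS
2004-10-01 09:21:01 [s4] 192.0.2.45 TLS handshake FAILED version mismatch
2004-10-01 09:21:01 [s4] 192.0.2.45 USER partner_d
2004-10-01 09:21:01 [s4] 192.0.2.45 LOGIN REJECTED tls required
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<sid>[^\]]+)\] (?P<ip>\S+) (?P<event>.+)$"
)


@dataclass
class Session:
    sid: str
    ip: str
    tls_requested: bool = False
    tls_ok: bool = False
    tls_failed: bool = False
    user: Optional[str] = None
    login_ok: bool = False


@dataclass
class Finding:
    sid: str
    ip: str
    user: Optional[str]
    reason: str


def parse_sessions(log_text: str) -> Dict[str, Session]:
    """Replay control-channel events into one state record per session."""
    sessions: Dict[str, Session] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that do not match the constructed format
        sid, ip, event = m["sid"], m["ip"], m["event"]
        s = sessions.setdefault(sid, Session(sid=sid, ip=ip))
        if event == "AUTH TLS":
            s.tls_requested = True
        elif event.startswith("TLS handshake OK"):
            s.tls_ok = True
        elif event.startswith("TLS handshake FAILED"):
            s.tls_failed = True
        elif event.startswith("USER "):
            s.user = event.split(" ", 1)[1]
        elif event == "LOGIN OK":
            s.login_ok = True
    return sessions


def find_cleartext_logins(log_text: str) -> List[Finding]:
    """Return each successful log-in whose USER/PASS crossed the wire unprotected."""
    findings: List[Finding] = []
    for s in parse_sessions(log_text).values():
        if not s.login_ok or s.tls_ok:
            continue  # no log-in happened, or the control channel was protected
        if s.tls_failed:
            reason = "TLS handshake failed, client fell back to clear-text log-in"
        elif s.tls_requested:
            reason = "AUTH TLS seen but no handshake result before log-in"
        else:
            reason = "no AUTH TLS at all, plain FTP log-in"
        findings.append(Finding(s.sid, s.ip, s.user, reason))
    return findings


if __name__ == "__main__":
    for f in find_cleartext_logins(SAMPLE_LOG):
        print(f"{f.sid} {f.ip} user={f.user}: {f.reason}")
```

Session s4 produces no finding because the server refused the log-in after the failed handshake, which is the configuration the article recommends.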
From isn at c4i.org Wed Oct 6 04:45:15 2004 From: isn at c4i.org (InfoSec News) Date: Wed Oct 6 04:53:53 2004 Subject: [ISN] Official's departure revives push for promoting DHS cyber chief Message-ID: http://www.govexec.com/dailyfed/1004/100504tdpm1.htm By William New National Journal's Technology Daily October 5, 2004 The abrupt departure last week of Amit Yoran as a top cybersecurity official appears to have breathed new life into congressional efforts to elevate the position within the Homeland Security Department. Within hours after news Friday that Yoran, director of the department's national cybersecurity division, had quit with one day's notice, staff from various congressional committees met to discuss the issue, government sources said. Earlier in the week, the issue had appeared finished for the year over seemingly insurmountable committee jurisdictional differences. A new, trimmed provision to raise cybersecurity's status in Homeland Security appeared in Monday's Rules Committee version of an intelligence reform bill, H.R. 10. The new provision would elevate cyber security two levels, from director to assistant secretary, and give the new assistant secretary primary authority over the National Communications System. Harris Miller, president of the Information Technology Association of America, said on Tuesday that the inclusion of the amendment "means the issue will not be an afterthought" in government. "Unfortunately, it had to take a fairly high-level departure" for it to get included, Miller said. "Certainly [Yoran's] departure served to re-energize the issue." One attendee insisted that the congressional meeting was not a reaction to Yoran's departure but rather an attempt to meet the Friday deadline set by House leadership for amendments to the intelligence bill. Yoran's departure caused a stir at senior levels of the Bush administration, an administration source said Monday. 
Yoran met with Homeland Security Secretary Tom Ridge the day before his departure. After the announcement, Robert Liscouski, assistant secretary for critical infrastructure and Yoran's boss, was harshly criticized by the White House Homeland Security Council, the source said. Yoran sent a farewell e-mail to colleagues Sunday night cataloguing dozens of accomplishments of his office during his year there. The original language to elevate cyber security in the department contained several pages of specific authority for the department. A competing bill from the House Government Reform Committee emerged last week and was viewed by some as an attempt to wrest back primary jurisdiction over cybersecurity. Friday's meeting included staff from the Government Reform, Homeland Security, Judiciary and Science committees. "We're pleased that the negotiations were productive," Science Committee Chief of Staff David Goldston said. "We were able to limit the provision to a notion on which there was broad agreement." Still in the House intelligence bill is a provision that would add a specific mention of information security to agencies' systems-planning requirements. The Rules Committee may vote on the bill Wednesday, with floor action expected Thursday. If passed by the House, the issue will be addressed in House-Senate negotiations. The original House language was offered as an amendment to the Senate intelligence reform bill Monday but was ruled non-germane to the bill by the parliamentarian, sources said. That amendment was more extensive in the responsibilities it would have given the next cyber-security chief. 
From isn at c4i.org Wed Oct 6 04:45:40 2004 From: isn at c4i.org (InfoSec News) Date: Wed Oct 6 04:53:55 2004 Subject: [ISN] Dutch government sites attacked Message-ID: http://australianit.news.com.au/articles/0,7204,10987848%5E15331%5E%5Enbv%5E15306%2D15318,00.html Correspondents in Amsterdam OCTOBER 06, 2004 SEVERAL Dutch government web sites remained offline on Tuesday after an attack by hackers protesting against unpopular policies of the right-wing cabinet, the government said. In a denial-of-service attack, the hackers continually made fake requests for information from the web sites, effectively shutting out legitimate users, a government statement said. No security sites had been breached, and only public information sites were disabled, said Henk Brons, a spokesman for the government information agency known by its Dutch acronym RVD. Two sites carrying information about government institutions and their activities were affected. A group calling itself the "Hacking Crew 10pht" claimed responsibility for the attacks on a Dutch web forum. Mr Brons said he had no further details on the hackers, adding that police were investigating. The sites crashed when they became overloaded Monday afternoon. Technicians were still working on the problem more than 24 hours later. Mr Brons could not say when the sites would be back online. The Dutch government has come under public criticism over planned spending cuts in 2005 on health care and early retirement benefits. On Saturday, 200,000 staged a protest in Amsterdam, the largest in the Netherlands in 20 years. 
From isn at c4i.org Wed Oct 6 04:45:29 2004 From: isn at c4i.org (InfoSec News) Date: Wed Oct 6 04:54:01 2004 Subject: [ISN] Know your enemy Message-ID: http://www.computerweekly.com/articles/article.asp?liArticleID=133966 6 October 2004 A young Asian hacker who easily penetrated the databases of several large US corporations, and whose exploits made him a top target for the FBI, offers advice for dealing with foreign cybercriminals. "Knowing what makes your antagonist tick is the key to getting the result you want," he says. Do you think it is more difficult to hack into US corporate networks today than it was four years ago? If we are talking about the network that existed four years ago and exists now, then it would probably be more difficult, especially if during those years a given target had experienced trespasses by hackers. If it is a recently developed network, then chances to get access are probably better. In general it is easier for hackers to get access to networks in countries with growing and well-developed economies, because such companies have resources to expand their networks. In third-world countries the companies do not have the ability or resources to expand the networks, so they have to fine-tune them and work with what they have. Should US companies worry about hackers in Russia and other countries? Hackers from countries where the economy is less developed than the US are more motivated by money than by pride when they start trespassing on US companies - as opposed to US hackers, who are motivated more by pride than money. (There are many other ways that you can make money in the US.) Also, money is a stronger motivator than pride. That's why people motivated by money are more dangerous. Hackers are businesspeople [if they are motivated by money]. In most cases, they are probably just having difficulties in their countries finding and exploring opportunities to work. 
If a company that is hacked into can explore with a hacker his or her talents in a more peaceful way, the victim can only benefit. If these hackers are businesspeople, they can be redirected by being offered a better deal than the one they might get by creating pressure through hacking. I deeply believe in this point. It is hard, however, to generalise too much because every case involves different kinds of people and different circumstances. What security measures offer the best protection against hackers? Keep the hackers occupied if you recognise them as a threat. This might be similar to what some countries have done with their nuclear scientists - Russia, for example, keeps them under close supervision and treats them well, but above all keeps them busy professionally. Is there a certain type of network that is particularly easy to hack? There are two types. First, those that develop custom software. They usually invest money in developing the features that software provides, but often forget about securing parts of this software. The second type is where there is a breach in the company's infrastructure. It is not the hacking per se that is dangerous; what should concern the company is being taken advantage of by the use of that information. For example, if one got account numbers of users of PayPal, the hacker could then contact the users in huge numbers and attempt various kinds of fraud. Will security technologies ever be able to keep hackers out, or will hackers always find a way into corporate networks? Software and hardware can be improved to protect against trespasses. But then hackers will concentrate on security breaches in the infrastructure of a company, or do "social engineering". The ultimate goal is to obtain information for subsequent use, and hacking is just one of the many ways to obtain it. 
Written by CSO staff

From isn at c4i.org Thu Oct 7 05:47:33 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 7 06:08:36 2004
Subject: [ISN] CodeCon 2005 Call for Papers
Message-ID:

Forwarded from: Len Sassaman

CodeCon 4.0
February 11-13, 2005
San Francisco CA, USA
www.codecon.org

Call For Papers

CodeCon is the premier showcase of cutting edge software development. It is an excellent opportunity for programmers to demonstrate their work and keep abreast of what's going on in their community.

All presentations must include working demonstrations, ideally accompanied by source code. Presentations must be done by one of the active developers of the code in question. We emphasize that demonstrations be of *working* code.

We hereby solicit papers and demonstrations.

* Papers and proposals due: December 15, 2005
* Authors notified: January 1, 2005

Possible topics include, but are by no means restricted to:

* community-based web sites - forums, weblogs, personals
* development tools - languages, debuggers, version control
* file sharing systems - swarming distribution, distributed search
* security products - mail encryption, intrusion detection, firewalls

Presentations will be 45 minutes long, with 15 minutes allocated for Q&A. Overruns will be truncated.

Submission details:

Submissions are being accepted immediately. Acceptance dates are November 15, and December 15. After the first acceptance date, submissions will be either accepted, rejected, or deferred to the second acceptance date.

The conference language is English.

Ideally, demonstrations should be usable by attendees with 802.11b connected devices either via a web interface, or locally on Windows, UNIX-like, or MacOS platforms. Cross-platform applications are most desirable.

Our venue will be 21+.

To submit, send mail to submissions-2005@codecon.org including the following information:

* Project name
* url of project home page
* tagline - one sentence or less summing up what the project does
* names of presenter(s) and urls of their home pages, if they have any
* one-paragraph bios of presenters, optional, under 100 words each
* project history, under 150 words
* what will be done in the project demo, under 200 words
* slides to be shown during the presentation, if applicable
* future plans

General Chairs: Jonathan Moore, Len Sassaman
Program Chair: Bram Cohen

Program Committee:

* Jeremy Bornstein, AtomShockwave Corp., USA
* Bram Cohen, BitTorrent, USA
* Jered Floyd, Permabit, USA
* Ian Goldberg, Zero-Knowledge Systems, CA
* Dan Kaminsky, Avaya, USA
* Klaus Kursawe, Katholieke Universiteit Leuven, BE
* Ben Laurie, A.L. Digital Ltd., UK
* David Molnar, University of California, Berkeley, USA
* Jonathan Moore, Mosuki, USA
* Len Sassaman, Nomen Abditum Services, USA

Sponsorship:

If your organization is interested in sponsoring CodeCon, we would love to hear from you. In particular, we are looking for sponsors for social meals and parties on any of the three days of the conference, as well as sponsors of the conference as a whole and donors of door prizes. If you might be interested in sponsoring any of these aspects, please contact the conference organizers at codecon-admin@codecon.org.

Press policy:

CodeCon provides a limited number of passes to bona fide press. Complimentary press passes will be evaluated on request. Everyone is welcome to pay the low registration fee to attend without an official press credential.

Questions:

If you have questions about CodeCon, or would like to contact the organizers, please mail codecon-admin@codecon.org. Please note this address is only for questions and administrative requests, and not for workshop presentation submissions.
From isn at c4i.org Thu Oct 7 05:49:21 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 7 06:08:38 2004
Subject: [ISN] Security UPDATE -- Strengthen Browser Security with Third-Party Solutions--October 6, 2004
Message-ID:

==== This Issue Sponsored By ====

Download *Free eBook* on Active Directory Security
http://list.windowsitpro.com/cgi-bin3/DM/y/ehkw0MfYqv0Kma0BL3O0AT

Get thawte's New Step-by-Step SSL Guide for MSIIS
http://list.windowsitpro.com/cgi-bin3/DM/y/ehkw0MfYqv0Kma0BL3P0AU

====================

1. In Focus: Strengthen Browser Security with Third-Party Solutions

2. Security News and Features
   - Recent Security Vulnerabilities
   - JPEG GDI+ Trojan Unleashed
   - More JPEG GDI+ Exploits
   - Welcome to the "You've Been Hacked" Blog

3. Security Matters Blog
   - Trojans with a Twist

4. Instant Poll

5. Security Toolkit
   - FAQ
   - Security Forum Featured Thread

6. New and Improved
   - Spam Solution Adds User Quarantine Features

====================

==== Sponsor: ScriptLogic ====

Download the FREE eBook on Active Directory Security today and gain valuable guidance and real-world examples for creating the most secure Active Directory solutions. Published by ScriptLogic Corporation, all 4 chapters are now available individually or as one complete PDF. Download "The Administrator Shortcut Guide to Active Directory Security" today.
http://list.windowsitpro.com/cgi-bin3/DM/y/ehkw0MfYqv0Kma0BL3O0AT

====================

==== 1. In Focus: Strengthen Browser Security with Third-Party Solutions ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

If you subscribe to our WinInfo email newsletter, then you've probably read stories by Paul Thurrott that discuss how Microsoft will handle improvements to Internet Explorer (IE) in the future. If you don't subscribe to the newsletter and want to, then visit the home page below, where you'll find a link to the subscription form.
http://list.windowsitpro.com/cgi-bin3/DM/y/ehkw0MfYqv0Kma0BL3Q0AV

As you know, it's been quite some time since Microsoft released a new version of the browser. Meanwhile, other browsers, such as Opera Software's Opera and Mozilla Firefox, have added considerable new features and functionality. But Microsoft has decided that it will introduce future IE improvements via service packs--it won't offer newer versions of the Web browser as standalone software because the company considers IE an integral part of the OS.

The recent Windows XP Service Pack 2 (SP2) offers improvements to the underlying security of the OS and various components, including IE. Microsoft isn't planning to offer similar improvements to Windows 2000 and earlier OSs.

Many of you can't upgrade to XP yet for a variety of reasons, but in the meantime, you still want to improve overall system security. You can gain some of XP SP2's improvements by using third-party products. In at least one case--Windows Firewall--third-party products are typically superior. Because Windows Firewall allows all outbound connections without any means to control them, it's probably a wise idea to use a third-party firewall on systems on which you require precise control over network traffic.

To improve the IE security on Windows 2000 and previous OSs, three options immediately come to mind, although there are probably others. One option lets you keep using IE as your primary browser; the other two options recommend that you use another browser as your primary browser and use IE only when you have to for whatever reason. I describe the options below in no particular order.

One option is to add PivX's Qwik-Fix Pro to your systems to help you modify IE zones to lock down the browser and prevent malware from exploiting the system. Another option is to purchase a browser such as Winferno Software's Secure IE 2004, which is an IE replacement that offers better security than IE versions prior to XP SP2's. The third option is to use a free third-party browser such as Mozilla Firefox or Opera Software's Opera, both of which offer functionality similar to that found in IE under XP SP2.
http://list.windowsitpro.com/cgi-bin3/DM/y/ehkw0MfYqv0Kma0BL3R0AW
http://list.windowsitpro.com/cgi-bin3/DM/y/ehkw0MfYqv0Kma0BL3S0AX
http://list.windowsitpro.com/cgi-bin3/DM/y/ehkw0MfYqv0Kma0BDPj0AH
http://list.windowsitpro.com/cgi-bin3/DM/y/ehkw0MfYqv0Kma0BL3T0AY

Qwik-Fix Pro and Secure IE 2004 cost money, which of course is reasonable to expect. Opera is available for free if you're willing to view banner advertising while you use it; if you buy it, you can use it ad-free. Firefox is open source and as such is available for free and without banner advertising.

====================

==== Sponsor: thawte ====

In need of a SSL Certificate for your Microsoft Internet Information Services (MS IIS) web server? This guide will provide a solution for your need by demonstrating how to test, purchase, install and use a digital certificate on your MSIIS web server. Best practices are highlighted throughout this guide to help you ensure efficient ongoing management of your encryption keys and digital certificates. You will also discover how a particular digital certificate can benefit your business by addressing unique online security issues to build customer confidence.
http://list.windowsitpro.com/cgi-bin3/DM/y/ehkw0MfYqv0Kma0BL3P0AU

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/cgi-bin3/DM/y/ehkw0MfYqv0Kma0BL3U0AZ

JPEG GDI+ Trojan Unleashed

It was only a matter of time before someone unleashed malware that exploits the JPEG GDI+ vulnerability. Over the last two weeks, various people have released proof-of-concept code. Now someone has unleashed a JPEG file that causes a buffer overrun and runs shell code on the affected system.
http://list.windowsitpro.com/cgi-bin3/DM/y/ehkw0MfYqv0Kma0BL3V0Aa

More JPEG GDI+ Exploits

As could probably be expected, intruders have begun using AOL Instant Messenger (AIM) and other methods to exploit unsuspecting users who have the JPEG GDI+ vulnerability. At least two new Trojan Horse programs have been unleashed.
http://list.windowsitpro.com/cgi-bin3/DM/y/ehkw0MfYqv0Kma0BL3W0Ab

Welcome to the "You've Been Hacked" Blog

We've added a second security blog, "You've Been Hacked," hosted by Brett Hill. Over the next few months, Hill will host a frank discussion of security issues related to Microsoft OSs, services, and products. As the blog title suggests, the blog will focus on what to do if you think you've been hacked. We want to hear from you about your experiences, questions, and concerns.
http://list.windowsitpro.com/cgi-bin3/DM/y/ehkw0MfYqv0Kma0BL3X0Ac

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Want the "69 Top SQL Server Tips?"

Order SQL Server Magazine today and get 30% off the cover price and receive free, subscriber-only access to the entire SQL Server article archive--filled with thousands of exclusive articles, insider notes, and savvy instructions. Bonus--subscribe now and get the "69 Top SQL Server Tips" guide free! This is a limited-time offer, so order now.
http://list.windowsitpro.com/cgi-bin3/DM/y/ehkw0MfYqv0Kma0BL3Y0Ad

Get the Charter Issue of Windows IT Pro!

Windows & .NET Magazine is now Windows IT Pro! Act now to get our special charter issue rate of just $39.95--that's 52% off the cover price! The September issue shows you how to plug DNS holes and select the best scripting editor, plus learn more about the business side of IT. And discover the top 10 PC trends we think you need to keep an eye on. This is a limited-time offer, so order today!
http://list.windowsitpro.com/cgi-bin3/DM/y/ehkw0MfYqv0Kma0BKrg0At

====================

==== 3. Security Matters Blog ====
by Mark Joseph Edwards, http://list.windowsitpro.com/cgi-bin3/DM/y/ehkw0MfYqv0Kma0BL3Z0Ae

Check out this recent entry in the Security Matters blog:

Trojans with a Twist

Trojan horse programs are a bad enough problem because they can allow remote access to a user's computer. One would think that having a firewall in place would prevent a Trojan from opening back doors in case of infection. But Windows Firewall won't prevent the Win32.Surila.K Trojan from opening a back door on your system.

==== 4. Instant Poll ====

Results of Previous Poll:

Have you experienced difficulty determining which of your systems need the latest Microsoft security patches (MS04-027 and MS04-028)? The voting has closed in this Windows IT Pro Security Hot Topic nonscientific Instant Poll. Here are the results from the 20 votes.

- 65% Yes
- 20% No
- 15% I'm not sure

(Deviations from 100 percent are due to rounding.)

New Instant Poll:

Have you been affected by a recent JPEG GDI+ exploit? Go to the Security Hot Topic and submit your vote for

- Yes
- No, we've patched our systems
- No, we've patched our systems and removed vulnerable JPEG images
- No
- I'm not certain

http://list.windowsitpro.com/cgi-bin3/DM/y/ehkw0MfYqv0Kma0BLi70Ax

==== 5. Security Toolkit ====

FAQ
by John Savill, http://list.windowsitpro.com/cgi-bin3/DM/y/ehkw0MfYqv0Kma0BL3a0Al

Q: Has Microsoft updated any of the Windows Support Tools in Windows XP Service Pack 2 (SP2)?

Find the answer at
http://list.windowsitpro.com/cgi-bin3/DM/y/ehkw0MfYqv0Kma0BL3b0Am

Security Forum Featured Thread: Disabling .vbs Files in an OU

A forum participant is looking for a way to use a policy to disable the use of some .vbs files in an Active Directory (AD) organizational unit (OU) while allowing the use of some .vbs files that he approves of. His understanding is that he can implement only an "all or nothing" policy and wonders whether anyone knows a way around this limitation. Join the discussion at
http://list.windowsitpro.com/cgi-bin3/DM/y/ehkw0MfYqv0Kma0BL3c0An

====================

==== Events Central ====
(A complete Web and live events directory brought to you by Windows IT Pro at http://list.windowsitpro.com/cgi-bin3/DM/y/ehkw0MfYqv0Kma0BK3L0AP )

Get Your Fax Servers Up and Running Smarter, Faster, and More Cost-Effectively

In this free Web seminar, you'll learn the latest trends and developments in the fax market, as well as learn best practices for seamless integration with Microsoft Exchange Server and Outlook with real-time fax technologies. Find out integration faxing architecture and multifunction device tactics, deployment techniques, and more. Register today!
http://list.windowsitpro.com/cgi-bin3/DM/y/ehkw0MfYqv0Kma0BLyx0AK

====================

==== 6. New and Improved ====
by Renee Munshi, mailto:products@windowsitpro.com

Spam Solution Adds User Quarantine Features

Trend Micro announced new End User Quarantine (EUQ) features for Trend Micro Spam Prevention Solution (SPS) to reduce Help-desk burdens, to help corporate users manage their own "approved senders" lists, and to improve accuracy and effectiveness. EUQ, a free add-on, quarantines suspicious "graymail" messages (i.e., messages not clearly identifiable as spam) into Microsoft Exchange Server folders for each user. Thus, SPS users have instant access to potentially important messages and can individually approve any problematic senders. EUQ improves SPS's reporting and management capabilities and decreases the number of false positives while increasing the spam detection rate.
http://list.windowsitpro.com/cgi-bin3/DM/y/ehkw0MfYqv0Kma0BL3e0Ap

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to mailto:whatshot@windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to mailto:r2rsecadmin@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Contact Us ====

About the newsletter -- mailto:letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/cgi-bin3/DM/y/ehkw0MfYqv0Kma0BKxi0A2
About product news -- mailto:products@windowsitpro.com
About your subscription -- mailto:securityupdate@windowsitpro.com
About sponsoring Security UPDATE -- mailto:emedia_opps@windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Pro, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.
http://list.windowsitpro.com/cgi-bin3/DM/y/ehkw0MfYqv0Kma0BKxj0A3

View the Windows IT Pro privacy policy at
http://list.windowsitpro.com/cgi-bin3/DM/y/ehkw0MfYqv0Kma0BLPu0Aa

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2004, Penton Media, Inc. All rights reserved.
From isn at c4i.org Thu Oct 7 05:49:43 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 7 06:08:39 2004
Subject: [ISN] Wanted: Simple home security
Message-ID:

http://news.com.com/Wanted+Simple+home+security/2010-7349_3-5397746.html

[I agree with the author, but I believe the real incentive needs to be with the end user, no black box security device, and your rates for DSL and internet cable modem become more expensive. - WK]

By Jon Oltsik
October 6, 2004

How much data can fit through broadband pipes? The next big broadband battle is going to turn on that very question.

With data speeds increasing and monthly charges now within range of most family budgets, you should expect a sharp increase in Internet usage across a range of devices from PCs and telephones to stereos and refrigerators. But that will inevitably invite more attacks from worms, viruses, Trojan horses and malicious hackers.

You'd think the broadband suppliers would tackle the security void (or even view it as a revenue opportunity). Hardly. Instead, cable and DSL (digital subscriber line) providers are taking baby steps. They prefer to address the security issue by providing a combination of bundles, evaluation software and Web-based advice. Qwest Communications International and Verizon Communications include a free license for MSN Premium, which includes antivirus and firewall protection, along with pop-up blocking. AT&T and several others provide little more than 30-day trials for security software.

That puts the burden of responsibility on customers. Savvy home users will go to the store and pick up a copy of McAfee or Symantec's Internet security suite that has antivirus, antispam, firewall and content filtering.

Here's the problem. As more bandwidth and devices connect to the Internet, the home network starts to get complex. Suddenly, you need security software on every device in the house. You have to manage configuration changes, patch vulnerabilities, filter content and download the latest antivirus signatures all over the house. Soon, dad has taken on a new role as the family security administrator. If the old man lacks these skills or ignores routine tasks, every system is at risk.

I don't know about you, but I barely have enough time to hang out with my kids, keep up with the bills, walk the dog and mow the lawn. I don't want to fill my precious few moments of personal time with maintaining residential firewall rules or deleting spyware.

What's needed is a simple home security service with two dominant features:

* The security service must not require any security knowledge. Upon installation, the security service asks me a few simple questions (in English, mind you), and then configures itself to my needs. It is dynamic in that it continues to maintain my security, even as threats change.

* All I have to do to preserve my security protection is pay a monthly bill. My estimate is that this service would cost between $5 and $15 per month.

It's as simple as that. What Internet user wouldn't sign up?

This isn't a pie-in-the-sky concept. Several companies from different industry sectors could take a leadership role. The right firm would need skills in security, services, customer service and distribution, backed up by a billing system that could handle monthly cycles.

The most plausible candidates come from the traditional security industry crowd, with Symantec and McAfee in the pole position. Both of these companies could use existing products to build a residential security "black box" and sell it through their traditional retail channels. They also have established services capabilities. A number of other security vendors, including Computer Associates International, Fortinet, Juniper Networks' NetScreen and WatchGuard have security products and services but lack a consumer distribution channel.

PC networking companies like Belkin, D-Link, Cisco Systems' Linksys and Netgear could also make a play, as they have some security, distribution and services expertise. Not a perfect match but certainly the foundation for what is needed.

Of course, a single broadband provider could pioneer home security services and effectively change the rules of the game. For example, Verizon could establish a relationship with a security technology vendor, develop a model for cooperative development and support, then use existing pieces of its business to market, sell and bill its broadband subscribers. Security could be used in promotions to differentiate Verizon from cable providers to attract new customers. This would require some risk taking and strategic vision--not exactly qualities associated with cable or telecommunications companies.

Broadband subscribers don't care who offers this service or which technologies they use. They care about getting rid of the security burden forever, and they'll gladly fork over $10 a month in perpetuity to make this happen. Undoubtedly, the company that comes up with the right home security services business model first will be an instant security leader and make a ton of money in the process.

Jon Oltsik is a senior analyst at the Enterprise Strategy Group.

From isn at c4i.org Thu Oct 7 05:50:01 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 7 06:08:41 2004
Subject: [ISN] Global firms 'lax on information security'
Message-ID:

http://www.theage.com.au/articles/2004/10/07/1097089457543.html

Bangalore, India
October 7, 2004

Global corporations are failing to safeguard their information networks against potent threats from viruses, worms and especially their own employees, according to a report unveiled here on Wednesday by consultancy firm Ernst and Young.
The Global Information Security Survey said while corporate leaders were increasingly aware of the risks to their information security from people within their organisations, they are not acting on that knowledge.

"More than 70 percent of the companies surveyed failed to list training and raising employee awareness about information security issues as a top initiative," the report said.

Ernst and Young polled more than 1233 organisations from across 70 countries. There were 69 respondents from India, making it the second largest country sample.

"While organisations remain focused on external threats such as viruses the internal threats are constantly being under-emphasised," said Terry Thomas, partner, Ernst and Young's Risk and Business Solution Practice.

"People and organisational issues are equally important. Because many insider incidents are based on concealment, organisations are often unaware that they are being victimised," Thomas told reporters.

The report said as corporations are increasingly outsourcing business to third party vendors outside their region, it was becoming more difficult to retain control over the security of their information.

"The more likely and most lethal threats are those originating from within an organisation's growing extended enterprise," it said.

The report said 80 percent of the organisations surveyed failed to conduct regular assessment of their IT outsourcer's compliance with the host organisation's security regulatory requirements.

Most organisations, it said, felt that information security had no value when "there is no visible attack."

"This perception has remained unchanged over the decade that Ernst and Young has been conducting the survey. The topmost obstacle to effective information security today is the lack of security awareness by users," said Thomas.

Although 67 percent of the organisations claimed information security was "very important ... persistent gaps continue to exist in the amount of diligence and resources that are deployed to improve the degree of protection.

"Information security threats are more lethal today. We expect that incidents, particularly internal ones, will proliferate unless senior management makes information security a core management function," Thomas said.

In India, 91 percent of respondents said they had anti-virus systems installed and 56 percent had specific anti-spam protection for their network. However, less than half of respondents from India and globally provided employees with ongoing training in security and control, the report said.

Indian organisations, it said, had cited "availability of skilled staff" to implement security as their top problem with "user awareness" in second position.

"India is emerging as a favourite destination for outsourcing but organisations are not really understanding the security implications," Thomas said.

"They rely mostly on faith and trust rather than addressing hard facts. Employee misconduct is ranked as the number two worry in the world but it is third on the list in India," he said.

From isn at c4i.org Thu Oct 7 05:50:15 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 7 06:08:42 2004
Subject: [ISN] Purdy Tapped as Cyber-Security Director
Message-ID:

http://www.washingtonpost.com/wp-dyn/articles/A12240-2004Oct6.html

By Robert MacMillan
washingtonpost.com Staff Writer
October 6, 2004

The Department of Homeland Security has filled the nation's top cyber-security post after the previous chief abruptly resigned last week in a move that raised questions about the Bush administration's commitment to protecting U.S. computer networks from electronic threats.

Andy Purdy, who served as deputy cyber-security director under former National Cyber Security Division head and security industry entrepreneur Amit Yoran, will act as interim director, according to an e-mail written by Robert P. Liscouski, the department's head of infrastructure protection.

Purdy has been a member of the cyber-security division since it was set up in 2003, and was the vice chairman and senior adviser on information technology issues for the President's Critical Infrastructure Protection Board. Before that, he was a member of the U.S. Sentencing Commission. He graduated from the College of William and Mary and the University of Virginia Law School, and also worked as a producer for NBC and CBS news programs.

Purdy declined an interview request, referring calls to the department's press office. A department spokeswoman did not return a telephone call seeking comment.

Purdy moves into his new role at a time when many cyber-security authorities say the Bush administration has come up short in its commitment to protecting the nation from computer viruses and other electronic attacks.

Industry officials and security experts said he is a good fit for the job.

"We've worked with Andy for a number of years. ... He's a very smart guy and very talented," said Harris Miller, president of the Information Technology Association of America, an Arlington, Va.-based lobbying firm.

However, Miller added, the structure of the department should be altered to give cyber-security a higher profile in the administration.

"I don't believe [the cyber-security post is] a good long-term position," Miller said. "It needs to be elevated. We've said that repeatedly."

Paul Kurtz, executive director of the Cyber Security Industry Alliance and a former White House computer-security official, said, "It's hard to find somebody in this town who doesn't get along with Andy," but "it's the position, not the person, that counts."

"Andy is a terribly nice guy and will obviously try to do the best thing, but without authority and without the ability to reach up into [the department] and to reach out among other federal agencies as a more senior person, it's going to be difficult for him to do the job," Kurtz said.

This is a problem that industry executives and former government officials said contributed to Yoran's decision to resign last week.

Yoran became director of the cyber-security division in September 2003 after the previous White House adviser, Howard A. Schmidt, resigned in April to become the head of security at online auction company eBay Inc. Schmidt succeeded Richard A. Clarke, who had stepped down three months earlier, warning that the administration needed to take online security more seriously.

Yoran, who declined to comment for this story, was in charge of implementing the recommendations in the administration's national cyber-security plan, a document that received criticism from a variety of sources for failing to require the business community to strengthen its online security. He also oversaw the creation of the U.S. Computer Emergency Readiness Team, which coordinates efforts to fight online network attacks.

Nevertheless, the problem with the position is that it is too far down the chain of command from Homeland Security Secretary Tom Ridge, said Rep. Mac Thornberry (R-Texas), who along with Rep. Zoe Lofgren (D-Calif.) sponsored a House bill to revamp the nation's intelligence structure and elevate the cyber-security position.

The position answers to Liscouski, who in turn reports to department Undersecretary Frank Libutti. There are two bills in Congress that would elevate the director's position to an "assistant secretary" position, on par with Liscouski, but Congress has not approved either. The House is scheduled to vote on Thornberry's and Lofgren's bill tomorrow, but the measure faces tough opposition, including from some members of the 9/11 commission that issued the original recommendations.

"This is one of those steps that a conservative Republican and a liberal Democrat who've worked on this issue for the past couple of years think needs to be taken, in part to elevate the position [and] in part to elevate the issue so it just doesn't get buried," Thornberry said.

Although there has been little evidence to support their assertions, many experts say the Internet remains vulnerable to incidents of "cyber-terrorism," including the possibility that terrorists could take advantage of network connections to manipulate or damage the electronic systems that run the nation's water and power grids.

From isn at c4i.org Sat Oct 9 05:02:14 2004
From: isn at c4i.org (InfoSec News)
Date: Sat Oct 9 05:38:38 2004
Subject: [ISN] Expert: Online extortion growing more common
Message-ID:

http://news.com.com/Expert+Online+extortion+growing+more+common/2100-7349_3-5403162.html

By Dan Ilett
Special to CNET News.com
October 8, 2004

"Six or seven thousand organizations are paying online extortion demands," Alan Paller said at the SANS Institute's Top 20 Vulnerabilities conference in London. "The epidemic of cybercrime is growing. You don't hear much about it because it's extortion, and people feel embarrassed to talk about it."

The SANS Institute, based in Bethesda, Md., offers training and resources related to information security.

"Every online gambling site is paying extortion," Paller asserted. "Hackers use DDoS (distributed denial-of-service) attacks, using botnets to do it. Then they say, 'Pay us $40,000, or we'll do it again.'"

Paller added he was concerned that the same techniques used for extortion--that is, DDoS attacks--could easily be used to target organizations in the critical national infrastructure.

Roger Cumming, the director of the U.K.-based National Infrastructure Security Co-ordination Centre, shares Paller's concern.

"There's an enormous amount of extortion," Cumming said.
"We are concerned...(that) the technologies of extracting money could be used to endanger the (critical national infrastructure). One of the things we are talking about is how to mitigate that threat." Paller called for tech companies to do better. He said that security vulnerabilities are vendors' responsibility to fix and that their products should reflect the suggestions associated with the SANS top 20 vulnerabilities list. "Applications breaking after patching is the operating system vendor's fault," he said. "They tell developers to build applications on unprotected systems. But the other half of the game is that application vendors should have to test their products on safer systems. You do that with procurement." A representative for at least one prominent British gambling site said that he would rather not comment on the whole issue. Dan Ilett of ZDNet UK reported from London. From isn at c4i.org Sat Oct 9 05:02:42 2004 From: isn at c4i.org (InfoSec News) Date: Sat Oct 9 05:38:40 2004 Subject: [ISN] Linux Advisory Watch - October 8th 2004 Message-ID: +---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | October 8th, 2004 Volume 5, Number 40a | +---------------------------------------------------------------------+ Editors: Dave Wreski Benjamin D. Thomas dave@linuxsecurity.com ben@linuxsecurity.com Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability. This week, advisories were released for syscons, shareutils, netpbm, kdelibs, PHP, samba, kernel, XFree86, samba, getmail, zlib, mozilla, and squid. The distributors include Debian, Slackware, SuSE, Trustix, and Turbolinux. 
----- >> The Perfect Productivity Tools << WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set up comprehensive address books to consistently keep employees organized and connected. http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05 ----- Password Cracking If for some reason your passwd program is not enforcing passwords that are hard to guess, you might want to run a password cracking program and make sure your users' passwords are secure. Password cracking programs work on a simple idea: they try every word in the dictionary, then variations on those words, run each candidate through the same one-way crypt(3) transformation and compare the result against your users' stored password hashes. If they get a match, they are in. The "dictionary" may also include usernames, Star Trek ships, foreign words, keyboard patterns, etc. There are a number of programs out there; the two most notable are ``Crack'' and ``John the Ripper'' http://www.false.com/security/john/index.html They will take up a lot of your CPU time, but by running them first yourself you can tell whether an attacker could get in using them, and notify users with weak passwords. Note that an attacker would first have to use some other hole to get your password file (/etc/passwd on a classic Unix system, or /etc/shadow where shadow passwords are in use), but such holes are more common than you might think. Excerpt from the LinuxSecurity Administrator's Guide: http://www.linuxsecurity.com/docs/SecurityAdminGuide/SecurityAdminGuide.html Written by: Dave Wreski (dave@guardiandigital.com) ----- AIDE and CHKROOTKIT Network security continues to be a big problem for companies and home users. The problem can be addressed with an accurate security analysis. In this article I show how to approach security using aide and chkrootkit. 
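The password-cracking excerpt above describes the dictionary-plus-variations idea in prose. The following is an added example that implements that idea end to end; it is not code from the LinuxSecurity guide, nor from Crack or John the Ripper. Everything in it is constructed for the demonstration: the three shadow-style entries, the "$demo$salt$digest" hash format (salted SHA-256 standing in for crypt(3), which on real systems is deliberately slower), the wordlist, and the mangling rules.

```python
"""Dictionary-plus-mangling password audit, as described in the excerpt.

Added example (not from the LinuxSecurity guide or from Crack/John). The
shadow entries and the hash format are constructed for the demo; real
crypt(3) hashes such as $6$ (sha512crypt) are deliberately slow and have
their own salt and encoding, which John the Ripper and Crack implement.
"""
import hashlib

LEET = str.maketrans("aeios", "43105")

# Base wordlist: ordinary words plus the kinds of entries the text mentions
# (Star Trek ships, keyboard patterns). Usernames are appended at run time.
DEFAULT_WORDLIST = [
    "password", "enterprise", "voyager", "defiant", "qwerty",
    "letmein", "123456", "welcome", "dragon",
]


def hash_password(password, salt):
    """Salted SHA-256, standing in for crypt(3) (assumption for the demo)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_entry(user, password, salt):
    """Build a constructed shadow-style line: user:$demo$salt$digest."""
    return f"{user}:$demo${salt}${hash_password(password, salt)}"


# Constructed sample file. The auditor only sees these hashes; the
# plaintexts appear here solely to generate the sample.
SAMPLE_SHADOW = "\n".join([
    make_entry("alice", "3nt3rpr153", "Qx"),    # leetspeak of a ship name
    make_entry("bob", "Bob1", "7f"),            # own username, capitalised, plus a digit
    make_entry("carol", "v9#Lq2!pTz8w", "Rm"),  # random: should survive the audit
])


def parse_entry(line):
    """Split 'user:$demo$salt$digest' into its parts."""
    user, field = line.split(":", 1)
    _, scheme, salt, digest = field.split("$")
    if scheme != "demo":
        raise ValueError(f"unsupported hash scheme for {user}: {scheme}")
    return user, salt, digest


def mangle(word):
    """Yield the word and common variations: case changes, reversal,
    appended digits or punctuation, leetspeak. Deduplicated."""
    seen = set()
    bases = [word, word.lower(), word.capitalize(), word.upper(), word[::-1]]
    for w in bases:
        variants = [w, w + "!", w + "123", w.translate(LEET)]
        variants += [w + str(d) for d in range(10)]
        for cand in variants:
            if cand not in seen:
                seen.add(cand)
                yield cand


def crack(shadow_text, wordlist=None):
    """Return {user: recovered_password_or_None} for every entry."""
    entries = [parse_entry(l) for l in shadow_text.splitlines() if l.strip()]
    words = list(wordlist if wordlist is not None else DEFAULT_WORDLIST)
    words += [user for user, _, _ in entries]  # usernames belong in the dictionary
    results = {}
    for user, salt, digest in entries:
        results[user] = None
        for word in words:
            for cand in mangle(word):
                if hash_password(cand, salt) == digest:
                    results[user] = cand
                    break
            if results[user] is not None:
                break
    return results


def weak_users(results):
    """Users whose password was recovered, i.e. who should be notified."""
    return sorted(u for u, pw in results.items() if pw is not None)


if __name__ == "__main__":
    found = crack(SAMPLE_SHADOW)
    for user, pw in found.items():
        print(f"{user}: {'WEAK (' + pw + ')' if pw else 'not cracked'}")
```

Run against the constructed file, alice and bob are recovered (a leetspeak ship name and a capitalised username with a digit) while carol's random password is not; weak_users() is the list you would notify. Because every candidate is hashed with each user's own salt, the cost grows with users times candidates, which is exactly why real crypt(3) schemes are made slow and why a site-wide audit of this kind eats CPU, as the excerpt warns.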
http://www.linuxsecurity.com/feature_stories/feature_story-173.html --------------------------------------------------------------------- An Interview with Gary McGraw, Co-author of Exploiting Software: How to Break Code Gary McGraw is perhaps best known for his groundbreaking work on securing software, having co-authored the classic Building Secure Software (Addison-Wesley, 2002). More recently, he has co-written with Greg Hoglund a companion volume, Exploiting Software, which details software security from the vantage point of the other side, the attacker. He has graciously agreed to share some of his insights with all of us at LinuxSecurity.com http://www.linuxsecurity.com/feature_stories/feature_story-171.html ------ --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------------------+ | Distribution: Debian | ----------------------------// +---------------------------------+ 10/2/2004 - netkit-telnet invalid free(3) Michal Zalewski discovered a bug in the netkit-telnet server (telnetd) whereby a remote attacker could cause the telnetd process to free an invalid pointer. http://www.linuxsecurity.com/advisories/debian_advisory-4886.html 10/4/2004 - rp-pppoe, pppoe missing privilege dropping Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet driver from Roaring Penguin. When the program is running setuid root (which is not the case in a default Debian installation), an attacker could overwrite any file on the file system. http://www.linuxsecurity.com/advisories/debian_advisory-4887.html 10/6/2004 - libapache-mod-dav potential denial of service Julian Reschke reported a problem in mod_dav of Apache 2 in connection with a NULL pointer dereference. When running in a threaded model, especially with Apache 2, a segmentation fault can take out a whole process and hence create a denial of service for the whole server. 
http://www.linuxsecurity.com/advisories/debian_advisory-4910.html 10/6/2004 - net-acct insecure temporary file creation Stefan Nordhausen has identified a local security hole in net-acct, a user-mode IP accounting daemon. Old, redundant code created a temporary file in an insecure fashion. http://www.linuxsecurity.com/advisories/debian_advisory-4913.html +---------------------------------+ | Distribution: Fedora | ----------------------------// +---------------------------------+ 10/5/2004 - cups-1.1.20-11.4 Update This update fixes an information leakage problem when printing to SMB shares requiring authentication. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0923 to this issue. http://www.linuxsecurity.com/advisories/fedora_advisory-4908.html +---------------------------------+ | Distribution: FreeBSD | ----------------------------// +---------------------------------+ 10/4/2004 - syscons Boundary checking errors in syscons The syscons CONS_SCRSHOT ioctl(2) does insufficient validation of its input arguments. In particular, negative coordinates or large coordinates may cause unexpected behavior. http://www.linuxsecurity.com/advisories/freebsd_advisory-4904.html +---------------------------------+ | Distribution: Gentoo | ----------------------------// +---------------------------------+ 10/1/2004 - sharutils Buffer overflows sharutils contains two buffer overflow vulnerabilities that could lead to arbitrary code execution. http://www.linuxsecurity.com/advisories/gentoo_advisory-4883.html 10/4/2004 - netpbm Multiple temporary file issues Utilities included in old Netpbm versions are vulnerable to multiple temporary file issues, potentially allowing a local attacker to overwrite files with the rights of the user running the utility. 
http://www.linuxsecurity.com/advisories/gentoo_advisory-4898.html +---------------------------------+ | Distribution: RedHat | ----------------------------// +---------------------------------+ 10/4/2004 - kdelibs and kdebase security issues Updated kdelibs and kdebase packages that resolve multiple security issues are now available. http://www.linuxsecurity.com/advisories/gentoo_advisory-4899.html +---------------------------------+ | Distribution: Gentoo | ----------------------------// +---------------------------------+ 10/5/2004 - NetKit-telnetd buffer overflows in telnet and telnetd Buffer overflows exist in the telnet client and daemon provided by netkit-telnetd, which could possibly allow a remote attacker to gain root privileges and compromise the system. http://www.linuxsecurity.com/advisories/gentoo_advisory-4909.html 10/5/2004 - PHP Memory disclosure and arbitrary location file upload Two bugs in PHP may allow the disclosure of portions of memory and allow remote attackers to upload files to arbitrary locations. http://www.linuxsecurity.com/advisories/gentoo_advisory-4911.html +---------------------------------+ | Distribution: Mandrake | ----------------------------// +---------------------------------+ 10/1/2004 - samba fix vulnerability Karol Wiesek discovered a bug in the input validation routines used to convert DOS path names to path names on the Samba host's file system. This bug can be exploited to gain access to files outside of the share's path as defined in the smb.conf configuration file. http://www.linuxsecurity.com/advisories/mandrake_advisory-4888.html 10/5/2004 - kernel various enhancements New kernels are available for Mandrakelinux 10.0 that fix a few bugs and/or add enhancements. 
http://www.linuxsecurity.com/advisories/mandrake_advisory-4906.html +---------------------------------+ | Distribution: Red Hat | ----------------------------// +---------------------------------+ 10/4/2004 - XFree86 security issues and bugs Updated XFree86 packages that fix several security flaws in libXpm, as well as other bugs, are now available for Red Hat Enterprise Linux 3. http://www.linuxsecurity.com/advisories/redhat_advisory-4900.html 10/4/2004 - samba security issue Updated samba packages that fix an input validation vulnerability are now available. http://www.linuxsecurity.com/advisories/redhat_advisory-4901.html 10/6/2004 - XFree86 security issues and bugs Updated XFree86 packages that fix several security issues in libXpm, as well as other bug fixes, are now available for Red Hat Enterprise Linux 2.1. http://www.linuxsecurity.com/advisories/redhat_advisory-4914.html +---------------------------------+ | Distribution: Slackware | ----------------------------// +---------------------------------+ 10/4/2004 - getmail security issue New getmail packages are available for Slackware 9.1, 10.0 and -current to fix a security issue. If getmail is run as root to deliver to user-owned files or directories, it can be made to overwrite system files. http://www.linuxsecurity.com/advisories/slackware_advisory-4902.html 10/4/2004 - zlib DoS New zlib packages are available for Slackware 10.0 and -current to fix a possible denial of service security issue. http://www.linuxsecurity.com/advisories/slackware_advisory-4903.html +---------------------------------+ | Distribution: SuSE | ----------------------------// +---------------------------------+ 10/5/2004 - samba remote file disclosure The Samba server, which allows files and resources to be shared via the SMB/CIFS protocol, contains a bug in the sanitization code for path names which allows remote attackers to access files outside of the defined share. 
http://www.linuxsecurity.com/advisories/suse_advisory-4907.html 10/6/2004 - mozilla various vulnerabilities During the last months a number of security problems have been fixed in Mozilla and Mozilla-based browsers. http://www.linuxsecurity.com/advisories/suse_advisory-4912.html +---------------------------------+ | Distribution: Trustix | ----------------------------// +---------------------------------+ 10/1/2004 - samba access files outside of defined path A security vulnerability has been located in Samba 2.2.x <= 2.2.11 and Samba 3.0.x <= 3.0.5. A remote attacker may be able to gain access to files which exist outside of the share's defined path. http://www.linuxsecurity.com/advisories/trustix_advisory-4884.html 10/1/2004 - mod_php4, hwdata bugfix update This update contains bug fixes and additional features for mod_php4 and hwdata. http://www.linuxsecurity.com/advisories/trustix_advisory-4885.html +---------------------------------+ | Distribution: Turbolinux | ----------------------------// +---------------------------------+ 10/5/2004 - squid DoS vulnerability A vulnerability in the NTLM helpers in squid allows remote attackers to cause a denial of service of squid server services. http://www.linuxsecurity.com/advisories/turbolinux_advisory-4905.html ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ From isn at c4i.org Sat Oct 9 05:02:58 2004 From: isn at c4i.org (InfoSec News) Date: Sat Oct 9 05:38:42 2004 Subject: [ISN] Security concerns put MSN Messenger beta on hold Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,96475,00.html By Joris Evers OCTOBER 07, 2004 IDG NEWS SERVICE Microsoft Corp. 
has suspended the beta testing of the next version of its MSN Messenger client because of a potential security problem, a company spokeswoman said yesterday. Testers discovered a potential security issue in the early version of MSN Messenger 7 shortly after Microsoft made the instant messaging client available to a select group of testers over the weekend, according to postings on MSN Messenger enthusiast Web site Mess.be. The problem lies in a new MSN Messenger feature dubbed "winks" that allows users to send each other sound animations. The feature can be abused to overwhelm a user's system, according to Mess.be. The company has decided to put the test on hold and pull the software while it looks into the issue. It will make available a new version of the client, one without the winks feature, probably some time next week, the spokeswoman said. The test version of MSN Messenger 7 was designed to only allow approved animations to be sent. However, Microsoft is investigating the possibility that the feature may be exploited to send "rogue winks that could cause security issues," the spokeswoman said. Although winks will no longer be in this test version of MSN Messenger, Microsoft still plans to include the feature in the final version of the product, she said. It is unclear how many people downloaded the potentially vulnerable version of MSN Messenger. The software had not officially been released to testers and only a small group of people was given access to the download, according to Microsoft. However, the potentially vulnerable instant messaging client has popped up elsewhere on the Web. Microsoft announced the limited beta of MSN Messenger 7 last week. The test is a significant step in the release process for MSN Messenger, which has 135 million active users per month. Microsoft hopes to release a final version of the software in the first quarter of 2005, after a public beta test scheduled for later this year. 
While Microsoft's MSN group has pulled one trial version of its products, another is back. The company on Monday quietly launched a second "technology preview" of its upcoming Internet search engine, MSN Search. The first preview went online in early July with an index of 1 billion Web pages and was taken offline in August. The second preview is similar, but Microsoft has now indexed 5 billion Web pages, the spokeswoman said. In addition to the larger index, MSN Search has been improved to provide more relevant search results, the spokeswoman said. The service also offers results from more Internet domains, as well as spelling correction and cached pages, she said. The launch of the final version of the MSN Search product, Microsoft's answer to Google Inc.'s search success, is expected later this year or early next year. The MSN Search preview page is available at http://techpreview.search.msn.com/. From isn at c4i.org Sat Oct 9 05:03:11 2004 From: isn at c4i.org (InfoSec News) Date: Sat Oct 9 05:38:44 2004 Subject: [ISN] Microsoft Probes Flaw in ASP.NET Message-ID: http://www.eweek.com/article2/0,1759,1668443,00.asp By Simone Kaplan October 7, 2004 Microsoft Corp. is investigating a reported security flaw in its ASP.NET technology that could allow intruders to access password-protected sections of a Web site simply by altering a URL. The hole involves a glitch in ASP.NET's processing of URLs, a process known as canonicalization. According to an advisory posted Tuesday on Microsoft's Web site, "an attacker can send specially crafted requests to the server and view secured content without providing the proper credentials." ASP.NET, the latest iteration of Microsoft's ASP (Active Server Pages) technology, is a Web development platform for building Web-centric applications. 
Microsoft has yet to post a fix for the problem, but in its advisory, the company offered guidelines to help users temporarily secure their sites against intrusion attempts until a permanent patch is delivered. "It has been reported that a malicious user could provide a specially formed URL that could result in the unsecured serving of unintended content," a Microsoft spokeswoman said. "It's under investigation, and we're working on finding an appropriate solution." The company has yet to determine what the permanent fix will be or when it will be posted, she said. According to Microsoft, the problem exists in ASP.NET running on Microsoft Windows 2000, Windows 2000 Server, Windows XP Professional and Windows Server 2003, but it does not affect classic ASP. That means the problem affects a lot of users: a story on Netcraft.com reports that ASP.NET is now running on more than 2.9 million active sites. The reported security hole allows visitors to a password-protected ASP.NET site to put a backslash, or its URL-encoded form "%5c", in place of a forward slash in the site's URL and bypass the password login screen, as well as bypass protections on administrative areas of the site. Microsoft is asking ASP.NET users to add an event handler to force real path validation for all Web server requests, an approach that will keep intruders from gaining access to sensitive data but could carry a performance or security tradeoff of its own, said Arian Evans, senior security engineer at Kansas City, Mo.-based FishNet Security. "[The fix] will impact performance because every single request that's made to the Web server will have to be validated before it's either authenticated or rejected," Evans said. "That's a lot of requests to be processed." Evans pointed out that Microsoft is no stranger to security problems related to password or directory traversal. In December, the company discovered a bug in Internet Explorer that let crackers rip off Web pages more easily. 
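The root cause the article describes is a canonicalization mismatch: the authorization check compares the request path as typed, while the code that serves the file normalizes it first, so a backslash or "%5c" satisfies one and not the other. The following is an added example, not Microsoft's code or ASP.NET's pipeline: a toy request handler in Python that reproduces the mismatch beside a hardened version in the shape of the Global.asax event-handler workaround the article mentions (reject any request whose path is not already canonical, then authorize on the canonical path). The site layout, protected prefix and file map are constructed for the demonstration.

```python
"""Model of the ASP.NET canonicalization bypass described in the article.

Added example, not Microsoft's code: a toy request pipeline in which the
authorization check looks at the raw request path while the file lookup
uses a canonicalized one. The file map and protected prefix are
constructed for the demo.
"""
from urllib.parse import unquote

# Constructed site layout: everything under /secure/ needs a logged-in user.
PROTECTED_PREFIX = "/secure/"
FILES = {
    "/public/index.aspx": "public home page",
    "/secure/admin.aspx": "admin page",
}


def canonicalize(raw_path):
    """What the file-serving layer effectively does on Windows: decode
    percent-escapes, treat backslash as a separator, resolve dot segments."""
    path = unquote(raw_path).replace("\\", "/")
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def serve_vulnerable(raw_path, authenticated):
    """Authorization on the raw path, file lookup on the canonical path.
    '/secure\\admin.aspx' or '/secure%5cadmin.aspx' slips past the prefix
    check yet resolves to the protected file."""
    if raw_path.startswith(PROTECTED_PREFIX) and not authenticated:
        return 401, None
    canonical = canonicalize(raw_path)
    if canonical not in FILES:
        return 404, None
    return 200, FILES[canonical]


def serve_hardened(raw_path, authenticated):
    """Refuse any request whose path is not already in canonical form
    (the shape of the Global.asax workaround the article mentions), then
    authorize on the canonical path so both checks see the same string."""
    canonical = canonicalize(raw_path)
    if "\\" in raw_path or canonical != raw_path:
        return 404, None
    if canonical.startswith(PROTECTED_PREFIX) and not authenticated:
        return 401, None
    if canonical not in FILES:
        return 404, None
    return 200, FILES[canonical]


if __name__ == "__main__":
    for probe in ("/secure/admin.aspx", "/secure\\admin.aspx", "/secure%5cadmin.aspx"):
        print(probe, "vulnerable:", serve_vulnerable(probe, False),
              "hardened:", serve_hardened(probe, False))
```

The hardened handler answers 404 rather than 401 for non-canonical paths, matching the spirit of the workaround; the general lesson is that the string the authorization rule inspects must be the same canonical string the resource lookup uses, otherwise every alternative spelling of a separator becomes a bypass. The per-request normalization is the performance cost Evans refers to.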
The vulnerability has generated lively discussion on Slashdot. While many are lamenting that it's yet another Microsoft security breach, one poster noted that the vulnerability is fairly easy to remedy: "While I think the flaw itself is a concern, the 'rewrite their applications' quote is pure drivel. All that's required is a couple of lines in Global.asax. That's hardly a rewrite," said a poster identified as Timesprout. From isn at c4i.org Sat Oct 9 05:04:05 2004 From: isn at c4i.org (InfoSec News) Date: Sat Oct 9 05:38:45 2004 Subject: [ISN] Secunia Weekly Summary - Issue: 2004-41 Message-ID: ======================================================================== The Secunia Weekly Advisory Summary 2004-09-30 - 2004-10-07 This week : 60 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3...............................This Weeks Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: Secunia has implemented new features at Secunia.com SECUNIA ADVISORIES NOW INCLUDE "Solution Status": In addition to the extensive information Secunia advisories already include, Secunia has added a new parameter: "Solution Status". This simply means that all Secunia advisories, including older advisories, now include the current "Solution Status" of an advisory, i.e. whether the vendor has released a patch or not. IMPROVED PRODUCT PAGES: The improved product pages now include a detailed listing of all Secunia advisories affecting each product. 
The listings include a clear indication of the "Solution Status" each advisory has ("Unpatched", "Vendor patch", "Vendor workaround", or "Partial fix"). View the following for examples: Opera 7: http://secunia.com/product/761/ Internet Explorer 6: http://secunia.com/product/11/ Mozilla Firefox: http://secunia.com/product/3256/ EXTRA STATISTICS: Each product page also includes a new pie graph, displaying the "Solution Status" for all Secunia advisories affecting each product in a given period. View the following for an example: Internet Explorer 6: http://secunia.com/product/11/#statistics_solution FEEDBACK SYSTEM: To make it easier to provide feedback to the Secunia staff, we have made an online feedback form. Enter your inquiry and it will immediately be sent to the appropriate Secunia department. Ideas, suggestions, and other feedback are most welcome. Secunia Feedback Form: http://secunia.com/contact_form/ ======================================================================== 2) This Week in Brief: ADVISORIES: Apple has issued a security update for Mac OS X, which fixes several vulnerabilities in various software included in Mac OS X. Additional details about the affected software and patch instructions can be found in the Secunia advisory below. Reference: http://secunia.com/SA12690 -- Mozilla Foundation has fixed a moderately critical vulnerability in Mozilla Firefox, which can be exploited by malicious people to delete files on a vulnerable system. Successful exploitation will result in recursive deletion of all files in the user's download directory. Reference: http://secunia.com/SA12708 VIRUS ALERTS: Secunia has not issued any virus alerts during the last week. ======================================================================== 3) This Weeks Top Ten Most Read Advisories: 1. [SA12304] Internet Explorer Address Bar Spoofing Vulnerability 2. [SA12321] Microsoft Internet Explorer Drag and Drop Vulnerability 3. 
[SA12708] Mozilla Firefox Download Directory File Deletion Vulnerability 4. [SA12526] Mozilla Multiple Vulnerabilities 5. [SA12580] Mozilla / Mozilla Firefox Cross-Domain Cookie Injection Vulnerability 6. [SA12635] Symantec Firewall/VPN Products Multiple Vulnerabilities 7. [SA12672] RealOne Player / RealPlayer / Helix Player Multiple Vulnerabilities 8. [SA11978] Multiple Browsers Frame Injection Vulnerability 9. [SA12680] Microsoft SQL Server Denial of Service Vulnerability 10. [SA12403] Mozilla / Mozilla Firefox Apple Java Plugin Tab Spoofing Vulnerability ======================================================================== 4) Vulnerabilities Summary Listing Windows: [SA12755] TriDComm FTP Server Directory Traversal Vulnerability [SA12753] AtHoc Toolbar Unspecified Vulnerabilities [SA12710] Judge Dredd Client Message Handling Format String Vulnerability [SA12702] Kerio MailServer Unspecified Security Issue [SA12689] MyWebServer Multiple Connection Denial of Service Vulnerability [SA12719] NetworkActiv Web Server Denial of Service Vulnerability [SA12734] Symantec Norton AntiVirus MS-DOS Device Name Handling Weakness UNIX/Linux: [SA12750] Mandrake update for xine-lib [SA12747] SuSE update for mozilla [SA12745] HP VirtualVault / Webproxy mod_ssl Format String Vulnerability [SA12742] Mozilla Application Suite for Tru64 UNIX Multiple Vulnerabilities [SA12741] Gentoo update for netkit-telnetd [SA12727] Red Hat update for XFree86 [SA12698] Red Hat update for mozilla [SA12694] AIX Network Authentication Service Multiple Vulnerabilities [SA12690] Mac OS X Security Update Fixes Multiple Vulnerabilities [SA12739] Gentoo update for PHP [SA12725] Red Hat update for kdelibs/kdebase [SA12699] Red Hat update for squid [SA12743] Debian update for libapache-mod-dav [SA12700] Red Hat update for spamassassin [SA12688] Gentoo update for subversion [SA12754] Fedora update for squid [SA12748] Debian update for samba [SA12735] SuSE update for samba [SA12726] Red Hat update for samba 
[SA12718] Mandrake update for samba [SA12711] distcc IP-based Access Control Rules Security Bypass [SA12707] Trustix update for samba [SA12696] Samba Arbitrary File Access Vulnerability [SA12746] Debian update for net-acct [SA12744] Sun Solaris update for gzip [SA12737] Fedora update for cups [SA12736] CUPS Logfile User Credentials Disclosure [SA12724] Slackware update for getmail [SA12723] Gentoo update for netpbm [SA12722] FreeBSD syscons Kernel Memory Disclosure Vulnerability [SA12705] Debian freenet6 Insecure Configuration File Permissions [SA12701] Red Hat update for ruby [SA12697] Trustix Linux Multiple Packages Insecure Temporary File Handling [SA12716] spider "read_file()" Potential Privilege Escalation Vulnerability Other: Cross Platform: [SA12738] PHPLinks SQL Injection and Arbitrary Local File Inclusion Vulnerabilities [SA12732] AWS MySQLguest Script Insertion Vulnerability [SA12730] BugPort Unspecified Attachment Handling Vulnerability [SA12721] Real Estate Management Software Unspecified Vulnerabilities [SA12720] Online Recruitment Agency Unspecified Vulnerabilities [SA12709] yappa-ng Unspecified "Show Random Image" Vulnerability [SA12708] Mozilla Firefox Download Directory File Deletion Vulnerability [SA12704] Silent Storm Portal Cross-Site Scripting and Security Bypass Vulnerabilities [SA12703] IBM Trading Partner Interchange Arbitrary File Access Vulnerability [SA12695] w-Agora Multiple Vulnerabilities [SA12691] bBlog "p" SQL Injection Vulnerability [SA12733] DB2 Universal Database Multiple Vulnerabilities [SA12740] Invision Power Board Referer Header Cross-Site Scripting Vulnerability [SA12729] My Blog Unspecified Cross-Site Scripting Vulnerabilities [SA12728] Online-Bookmarks Security Bypass Vulnerability [SA12715] Xerces-C++ XML Parser Denial of Service Vulnerability [SA12693] Macromedia ColdFusion MX Security Bypass Vulnerability [SA12692] MediaWiki "raw" Page Output Mode Cross-Site Scripting Vulnerability [SA12756] MaxDB Web Agent "Server" 
Field Denial of Service Vulnerability ======================================================================== 5) Vulnerabilities Content Listing Windows:-- [SA12755] TriDComm FTP Server Directory Traversal Vulnerability Critical: Highly critical Where: From remote Impact: Security Bypass, System access Released: 2004-10-07 Luigi Auriemma has reported a vulnerability in TriDComm, which can be exploited by malicious users to access arbitrary files on a vulnerable system. Full Advisory: http://secunia.com/advisories/12755/ -- [SA12753] AtHoc Toolbar Unspecified Vulnerabilities Critical: Highly critical Where: From remote Impact: System access Released: 2004-10-07 NGSSoftware has reported two vulnerabilities in AtHoc Toolbar, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/12753/ -- [SA12710] Judge Dredd Client Message Handling Format String Vulnerability Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2004-10-04 Luigi Auriemma has reported a vulnerability in Judge Dredd: Dredd vs. Death, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/12710/ -- [SA12702] Kerio MailServer Unspecified Security Issue Critical: Moderately critical Where: From remote Impact: Unknown Released: 2004-10-01 An unspecified security issue with an unknown impact has been reported in Kerio MailServer. Full Advisory: http://secunia.com/advisories/12702/ -- [SA12689] MyWebServer Multiple Connection Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2004-09-30 The unl0ck team has discovered a vulnerability in MyWebServer, which can be exploited by malicious people to cause a DoS (Denial of Service). 
Full Advisory:
http://secunia.com/advisories/12689/

--

[SA12719] NetworkActiv Web Server Denial of Service Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-10-05

Ziv Kamir has reported a vulnerability in NetworkActiv Web Server, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12719/

--

[SA12734] Symantec Norton AntiVirus MS-DOS Device Name Handling Weakness

Critical:    Not critical
Where:       Local system
Impact:      Security Bypass
Released:    2004-10-06

Kurt Seifried has reported a weakness in Symantec Norton AntiVirus, which can be exploited by malware to bypass certain scanning functionality.

Full Advisory:
http://secunia.com/advisories/12734/


UNIX/Linux:
--

[SA12750] Mandrake update for xine-lib

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-10-07

MandrakeSoft has issued an update for xine-lib. This fixes multiple vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12750/

--

[SA12747] SuSE update for mozilla

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, Spoofing, Manipulation of data, Exposure of sensitive information, DoS, System access
Released:    2004-10-07

SuSE has issued an update for mozilla. This fixes multiple vulnerabilities, which can be exploited to cause a DoS (Denial of Service), spoof content of websites, conduct cross-site scripting attacks, access and modify sensitive information, or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12747/

--

[SA12745] HP VirtualVault / Webproxy mod_ssl Format String Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-10-06

HP has confirmed a vulnerability in Apache affecting HP VirtualVault and HP Webproxy, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12745/

--

[SA12742] Mozilla Application Suite for Tru64 UNIX Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, Exposure of sensitive information, System access
Released:    2004-10-06

HP has confirmed some vulnerabilities in the Mozilla Application Suite for Tru64 UNIX, which can be exploited to conduct cross-site scripting attacks, access and modify sensitive information, and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12742/

--

[SA12741] Gentoo update for netkit-telnetd

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-10-06

Gentoo has issued an update for netkit-telnetd. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12741/

--

[SA12727] Red Hat update for XFree86

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, System access
Released:    2004-10-05

Red Hat has issued an update for XFree86. This fixes multiple vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12727/

--

[SA12698] Red Hat update for mozilla

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, Exposure of sensitive information, System access
Released:    2004-10-01

Red Hat has issued an update for mozilla. This fixes multiple vulnerabilities, which can be exploited to conduct cross-site scripting attacks, access and modify sensitive information, and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12698/

--

[SA12694] AIX Network Authentication Service Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2004-10-01

IBM has acknowledged some vulnerabilities in IBM Network Authentication Service for AIX, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12694/

--

[SA12690] Mac OS X Security Update Fixes Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Exposure of system information, Exposure of sensitive information, DoS, System access
Released:    2004-10-05

Apple has issued a security update for Mac OS X, which fixes various vulnerabilities.

Full Advisory:
http://secunia.com/advisories/12690/

--

[SA12739] Gentoo update for PHP

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information, System access
Released:    2004-10-06

Gentoo has issued an update for PHP. This fixes two vulnerabilities, which can be exploited by malicious people to disclose sensitive information or potentially upload files to arbitrary locations.

Full Advisory:
http://secunia.com/advisories/12739/

--

[SA12725] Red Hat update for kdelibs/kdebase

Critical:    Moderately critical
Where:       From remote
Impact:      Hijacking, Spoofing, Privilege escalation
Released:    2004-10-05

Red Hat has issued updates for kdelibs and kdebase. These fix multiple vulnerabilities, which can be exploited to perform certain actions on a vulnerable system with escalated privileges, spoof the content of websites, or hijack sessions.

Full Advisory:
http://secunia.com/advisories/12725/

--

[SA12699] Red Hat update for squid

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2004-10-01

Red Hat has issued an update for squid. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12699/

--

[SA12743] Debian update for libapache-mod-dav

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-10-06

Debian has issued an update for libapache-mod-dav. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12743/

--

[SA12700] Red Hat update for spamassassin

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-10-01

Red Hat has issued an update for spamassassin. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12700/

--

[SA12688] Gentoo update for subversion

Critical:    Less critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2004-09-30

Gentoo has issued an update for subversion. This fixes a security issue, which can be exploited by malicious people to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/12688/

--

[SA12754] Fedora update for squid

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2004-10-07

Fedora has issued an update for squid. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12754/

--

[SA12748] Debian update for samba

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass
Released:    2004-10-07

Debian has issued an update for samba. This fixes a vulnerability, which can be exploited by malicious users to access arbitrary files and directories.

Full Advisory:
http://secunia.com/advisories/12748/

--

[SA12735] SuSE update for samba

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass
Released:    2004-10-05

SuSE has issued an update for samba. This fixes a vulnerability, which can be exploited by malicious users to access arbitrary files and directories.

Full Advisory:
http://secunia.com/advisories/12735/

--

[SA12726] Red Hat update for samba

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass
Released:    2004-10-05

Red Hat has issued an update for samba. This fixes a vulnerability, which can be exploited by malicious users to access arbitrary files and directories.

Full Advisory:
http://secunia.com/advisories/12726/

--

[SA12718] Mandrake update for samba

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass
Released:    2004-10-04

MandrakeSoft has issued an update for samba. This fixes a vulnerability, which can be exploited by malicious users to access arbitrary files and directories.

Full Advisory:
http://secunia.com/advisories/12718/

--

[SA12711] distcc IP-based Access Control Rules Security Bypass

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass
Released:    2004-10-04

A vulnerability has been reported in distcc, which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/12711/

--

[SA12707] Trustix update for samba

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass
Released:    2004-10-01

Trustix has issued an update for samba. This fixes a vulnerability, which can be exploited by malicious users to access arbitrary files and directories.

Full Advisory:
http://secunia.com/advisories/12707/

--

[SA12696] Samba Arbitrary File Access Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass
Released:    2004-10-01

Karol Wiesek has reported a vulnerability in Samba, which can be exploited by malicious users to access arbitrary files and directories.
Full Advisory:
http://secunia.com/advisories/12696/

--

[SA12746] Debian update for net-acct

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-10-06

Debian has issued an update for net-acct. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/12746/

--

[SA12744] Sun Solaris update for gzip

Critical:    Less critical
Where:       Local system
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2004-10-06

Sun has issued an update for gzip. This fixes a vulnerability, which can be exploited by malicious, local users to access sensitive information.

Full Advisory:
http://secunia.com/advisories/12744/

--

[SA12737] Fedora update for cups

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2004-10-06

Fedora has issued an update for cups. This fixes a vulnerability, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/12737/

--

[SA12736] CUPS Logfile User Credentials Disclosure

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2004-10-06

Gary Smith has reported a vulnerability in CUPS, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/12736/

--

[SA12724] Slackware update for getmail

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-10-05

Slackware has issued an update for getmail. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/12724/

--

[SA12723] Gentoo update for netpbm

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-10-05

Gentoo has issued an update for netpbm. This fixes a vulnerability, which can be exploited by malicious, local users to escalate their privileges on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12723/

--

[SA12722] FreeBSD syscons Kernel Memory Disclosure Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2004-10-05

Christer Oberg has reported a vulnerability in FreeBSD, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/12722/

--

[SA12705] Debian freenet6 Insecure Configuration File Permissions

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2004-10-01

Debian has issued an update for freenet6. This fixes a security issue, which can be exploited by malicious, local users to access sensitive information.

Full Advisory:
http://secunia.com/advisories/12705/

--

[SA12701] Red Hat update for ruby

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2004-10-01

Red Hat has issued an update for ruby. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/12701/

--

[SA12697] Trustix Linux Multiple Packages Insecure Temporary File Handling

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-10-01

Trustix has issued updates for multiple packages. These fix some vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory:
http://secunia.com/advisories/12697/

--

[SA12716] spider "read_file()" Potential Privilege Escalation Vulnerability

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-10-04

Emuadmin Security Team has reported a vulnerability in spider, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/12716/


Other:
Cross Platform:
--

[SA12738] PHPLinks SQL Injection and Arbitrary Local File Inclusion Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of system information, Exposure of sensitive information
Released:    2004-10-06

LSS Security Team has discovered two vulnerabilities in PHPLinks, which can be exploited by malicious people to conduct SQL injection attacks and execute arbitrary local PHP scripts.

Full Advisory:
http://secunia.com/advisories/12738/

--

[SA12732] AWS MySQLguest Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-10-05

BliZZard has reported a vulnerability in AWS MySQLguest, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/12732/

--

[SA12730] BugPort Unspecified Attachment Handling Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2004-10-05

Eduardo Correia has reported a vulnerability with an unknown impact in BugPort.

Full Advisory:
http://secunia.com/advisories/12730/

--

[SA12721] Real Estate Management Software Unspecified Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2004-10-05

Some unspecified vulnerabilities with unknown impacts have been reported in Real Estate Management Software.

Full Advisory:
http://secunia.com/advisories/12721/

--

[SA12720] Online Recruitment Agency Unspecified Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2004-10-05

Some vulnerabilities with an unknown impact have been reported in Online Recruitment Agency.

Full Advisory:
http://secunia.com/advisories/12720/

--

[SA12709] yappa-ng Unspecified "Show Random Image" Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2004-10-04

Georg Ragaz has reported a vulnerability with an unknown impact in yappa-ng.

Full Advisory:
http://secunia.com/advisories/12709/

--

[SA12708] Mozilla Firefox Download Directory File Deletion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2004-10-04

Alex Vincent has reported a vulnerability in Mozilla Firefox, which can be exploited by malicious people to delete files on a user's system.

Full Advisory:
http://secunia.com/advisories/12708/

--

[SA12704] Silent Storm Portal Cross-Site Scripting and Security Bypass Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2004-10-01

R00tCr4ck has reported two vulnerabilities in Silent Storm Portal, which can be exploited by malicious people to conduct cross-site scripting attacks and bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/12704/

--

[SA12703] IBM Trading Partner Interchange Arbitrary File Access Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2004-10-05

A vulnerability has been reported in Trading Partner Interchange, which can be exploited by malicious people to access arbitrary files.

Full Advisory:
http://secunia.com/advisories/12703/

--

[SA12695] w-Agora Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2004-10-01

Positive Technologies has reported some vulnerabilities in w-Agora, which can be exploited by malicious people to conduct SQL injection and cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/12695/

--

[SA12691] bBlog "p" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2004-10-01

James McGlinn has reported a vulnerability in bBlog, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/12691/

--

[SA12733] DB2 Universal Database Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From local network
Impact:      Unknown, Security Bypass, DoS, System access
Released:    2004-10-06

Multiple vulnerabilities have been reported in DB2 Universal Database, where some of the vulnerabilities can be exploited to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12733/

--

[SA12740] Invision Power Board Referer Header Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-10-06

Alexander Antipov has reported a vulnerability in Invision Power Board, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/12740/

--

[SA12729] My Blog Unspecified Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Unknown, Cross Site Scripting
Released:    2004-10-05

Some vulnerabilities have been reported in My Blog, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/12729/

--

[SA12728] Online-Bookmarks Security Bypass Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2004-10-05

A vulnerability has been reported in Online-Bookmarks, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/12728/

--

[SA12715] Xerces-C++ XML Parser Denial of Service Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2004-10-04

Amit Klein has reported a vulnerability in Xerces-C++, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12715/

--

[SA12693] Macromedia ColdFusion MX Security Bypass Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2004-10-04

Eric Lackey has reported a vulnerability in ColdFusion MX, which can be exploited by malicious, authenticated users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/12693/

--

[SA12692] MediaWiki "raw" Page Output Mode Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-10-01

A vulnerability has been reported in MediaWiki, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/12692/

--

[SA12756] MaxDB Web Agent "Server" Field Denial of Service Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2004-10-07

Patrik Karlsson has reported a vulnerability in MaxDB, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12756/


========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

========================================================================


From isn at c4i.org Sat Oct 9 05:09:25 2004
From: isn at c4i.org (InfoSec News)
Date: Sat Oct 9 05:38:47 2004
Subject: [ISN] Wanted: Simple home security
Message-ID:

Forwarded from: Dave Close

InfoSec News wrote:

>By Jon Oltsik

>What's needed is a simple home security service with two dominant
>features:

If such security can be provided by a black box at the consumer end, then why can't it also be provided by a black box at the ISP end? The cost should be even lower due to scale, and the reliability should be higher due to active management.

I think the real problem is that this author hasn't bothered to define "security". Implicitly, he seems to mean that bandwidth won't be choked by viruses and spam. Of course, in itself that does nothing to protect a home network. And so long as bandwidth is not metered, the home user has no incentive to help.
--
Dave Close, Compata, Costa Mesa CA          +1 714 434 7359
dave@compata.com                            dhclose@alumni.caltech.edu
"It will take more than an Act of Congress to persuade me that women
and men are the same." - Oliver Wendell Holmes


From isn at c4i.org Sat Oct 9 05:10:47 2004
From: isn at c4i.org (InfoSec News)
Date: Sat Oct 9 05:38:48 2004
Subject: [ISN] Howard Schmidt returns to DHS as USCERT head
Message-ID:

Forwarded from: Richard Forno

http://www.securityfocus.com/news/9660

By Ted Bridis
The Associated Press
Oct 6 2004

Howard Schmidt, a highly regarded technology executive who was former special adviser to President Bush for cybersecurity, is returning to work with the Homeland Security Department on efforts to protect the nation's computer networks.

Schmidt, the chief security officer for eBay Inc., will be named chairman of the U.S. Computer Emergency Response Team, an organization jointly run by the Homeland Security Department and private technology groups, including Carnegie Mellon University. He will work with the technology industry on U.S. cybersecurity policies.

The announcement was expected Monday in San Francisco, according to officials who met Wednesday for a briefing about the announcement with Schmidt and Robert Liscouski, an assistant secretary at the Homeland Security Department. The officials spoke only on condition of anonymity, noting the DHS announcement was next week.

Schmidt, who will be paid through Carnegie Mellon as a government contractor, was expected to remain at eBay.

As Bush's former special adviser, Schmidt helped create the administration's "National Strategy to Secure Cyberspace," a set of dozens of recommendations to better protect computer networks.

"It's great he's willing to come back to public service," said Harris Miller, head of the Information Technology Association of America, a leading trade group.

Last week, the Bush administration's top U.S. cybersecurity official, Amit Yoran, resigned abruptly as director of the National Cyber Security Division within DHS. The office to be headed by Schmidt is the operational arm of that division, which has an $80 million budget and 60 employees.

Liscouski has appointed Donald A. "Andy" Purdy, Yoran's former deputy, as acting director of the division. In an e-mail from Liscouski to DHS employees obtained by The Associated Press, Liscouski said Purdy was "highly regarded for his technical expertise and is well-known to the cyber community both in the private and government sectors."

Schmidt declined to comment when contacted by the AP, referring inquiries to DHS.

Schmidt formerly was chief security officer at Microsoft Corp. before coming to work for the White House. He succeeded Richard Clarke, a former senior counterterrorism adviser to President Bush who quit and wrote a book containing scathing criticisms of the administration's response to terrorism.


From isn at c4i.org Tue Oct 12 02:18:55 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 12 02:32:55 2004
Subject: [ISN] Linux Security Week - October 11th 2004
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  October 11th, 2004                           Volume 5, Number 40n  |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin D. Thomas      ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Secure E-Mail and Public Key Cryptography: Together At Last," "Nessus Network Auditing," and "The Twenty Most Critical Internet Security Vulnerabilities."
----

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

----

LINUX ADVISORY WATCH:

This week, advisories were released for syscons, shareutils, netpbm, kdelibs, PHP, samba, kernel, XFree86, samba, getmail, zlib, mozilla, and squid. The distributors include Debian, Slackware, SuSE, Trustix, and Turbolinux.

http://www.linuxsecurity.com/articles/forums_article-10045.html


AIDE and CHKROOTKIT

Network security is continuing to be a big problem for companies and home users. The problem can be resolved with an accurate security analysis. In this article I show how to approach security using aide and chkrootkit.

http://www.linuxsecurity.com/feature_stories/feature_story-173.html

----

An Interview with Gary McGraw, Co-author of Exploiting Software: How to Break Code

Gary McGraw is perhaps best known for his groundbreaking work on securing software, having co-authored the classic Building Secure Software (Addison-Wesley, 2002). More recently, he has co-written with Greg Hoglund a companion volume, Exploiting Software, which details software security from the vantage point of the other side, the attacker. He has graciously agreed to share some of his insights with all of us at LinuxSecurity.com.

http://www.linuxsecurity.com/feature_stories/feature_story-171.html

----

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf


+---------------------+
| Host Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* Secure E-Mail and Public Key Cryptography: Together At Last?
  October 6th, 2004

  With its ability to authenticate, digitally sign, and encrypt messages, public key cryptography seems like a natural fit for protecting e-mail: With one solution, you can ensure the integrity of the content and prove the identity of the sender. But public key cryptography is akin to peace in the Middle East--everyone agrees it's a good idea, but the associated complexities can derail implementation.

  http://www.linuxsecurity.com/articles/cryptography_article-10021.html


* Anti-virus program detects GNU Public Licence
  October 6th, 2004

  POPULAR OPEN SOURCE virus scanner Clamav has been hastily updated this morning to remove a 'false positive': the scanner was detecting the GNU Public Licence as a virus. Thousands of Open Source programs, including Clamav itself, include a copy of this licence, and since it is a plain text file it is incapable of containing a virus.

  http://www.linuxsecurity.com/articles/vendors_products_article-10035.html


* Role-based Windows subsets will compete more directly with Linux
  October 5th, 2004

  Microsoft is developing versions of its Windows operating system with only a subset of the Windows code base, designed for specific server tasks, in a move that could reduce maintenance costs for customers and create products that are less vulnerable to attack.

  http://www.linuxsecurity.com/articles/vendors_products_article-10013.html


+------------------------+
| Network Security News: |
+------------------------+

* Nessus Network Auditing
  October 8th, 2004

  Syngress Publishing, Inc., today announced the publication of "Nessus Network Auditing" (ISBN: 1-931836-08-6), co-authored by Nessus Project Founder Renaud Deraison and a team of leading Nessus developers.

  http://www.linuxsecurity.com/articles/documentation_article-10046.html


+------------------------+
| General Security News: |
+------------------------+

* The Twenty Most Critical Internet Security Vulnerabilities
  October 8th, 2004

  The vast majority of worms and other successful cyber attacks are made possible by vulnerabilities in a small number of common operating system services. Attackers are opportunistic.

  http://www.linuxsecurity.com/articles/projects_article-10047.html


* Indian government outsources Linux security to New Jersey firm
  October 8th, 2004

  Indian Space Research Organization (ISRO) headquarters. And, according to Guardian Digital spokesperson Nicole Pearson, ISRO made the first contact. were originally looking for a secure mail server," says Pearson, who noted that ISRO found Guardian Digital through its online presence, not because of a sales call or other direct marketing efforts.

  http://www.linuxsecurity.com/articles/vendors_products_article-10048.html


* Vendors sharpen vulnerability-assessment tools
  October 7th, 2004

  A pair of vulnerability-assessment and remediation tool vendors are separately upgrading their products so that customers more easily can prioritize which networked systems need to be fixed.

  http://www.linuxsecurity.com/articles/network_security_article-10037.html


* A Seven-Step Plan For Protecting Corporate Data
  October 7th, 2004

  A pharmaceutical researcher develops a new product formula, recording his work in an electronic notebook.
  The company e-mails the new formula to its contract manufacturers and must assure that they don't mistakenly revert to older, out-of-date formulas.

  http://www.linuxsecurity.com/articles/security_sources_article-10044.html


------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


From isn at c4i.org Tue Oct 12 02:19:40 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 12 02:32:57 2004
Subject: [ISN] The IT security vuln league table of fear
Message-ID:

http://www.theregister.co.uk/2004/10/11/sans_top_20/

By John Leyden
11th October 2004

A list of the worst 20 security vulnerabilities bedevilling Windows and *Nix systems was unveiled last Friday by the SANS (SysAdmin, Audit, Network, Security) Institute. The list, now in its fifth year, is designed to help admins to prioritise their efforts so that they can close the most dangerous security holes first. It highlights the top 10 Windows and top 10 Unix issues in their relative order of importance. The roll of infamy is decided by a panel of IT security industry reps, academics, user organisations and the SANS Institute.

Top Vulnerabilities to Windows Systems

1. Web servers & services
2. Workstation service
3. Windows remote access services
4. Microsoft SQL Server
5. Windows authentication
6. Web browsers
7. File-sharing applications
8. Windows Local Security Authority Subsystem Service risks
9. Mail client
10. Instant messaging

Top Vulnerabilities in Unix and Linux Systems

1. BIND Domain Name System
2. Web server
3. Authentication
4. Version control systems
5. Mail transport service
6. Simple Network Management Protocol (SNMP)
7. Open Secure Sockets Layer (SSL)
8. Misconfiguration of Enterprise Services NIS/NFS
9. Databases
10. Kernel

As with previous years, the list is fairly general and will generate few surprises among security pros. Despite this, the vulnerabilities it recounts are frequently ignored. These omissions are a key factor in the spread of destructive worms. SANS' line is that simple precautions, prompted by raised awareness, can save far greater problems further down the line.

In a statement SANS said: "The vast majority of worms and other successful cyber attacks are made possible by vulnerabilities in a small number of common operating system services. Attackers are opportunistic. They take the easiest and most convenient route and exploit the best-known flaws with the most effective and widely available attack tools. They count on organizations not fixing the problems, and they often attack indiscriminately, scanning the Internet for any vulnerable systems. The easy and destructive spread of worms, such as Blaster, Slammer, and Code Red, can be traced directly to exploitation of unpatched vulnerabilities."

"Although there are thousands of security incidents each year affecting these operating systems, the overwhelming majority of successful attacks target one or more of these twenty vulnerable services," it added.


From isn at c4i.org Tue Oct 12 02:19:53 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 12 02:32:59 2004
Subject: [ISN] Top Korean Hacker Arrested
Message-ID:

http://english.chosun.com/w21data/html/news/200410/200410110016.html

Han Jae-hyun
Oct 11, 2004

A man thought to be one of the most flagrant hackers in Korea has been apprehended.

The Cyber Terror Response Center (CTRC) of the National Police Agency on Monday arrested a 30-year-old man identified as Lee, a former employee of an information security company, on suspicion of hacking into 1,152 public and private computer systems since March, 2003. The number represents the most successful hacking attempts by an individual in this country.
According to the CTRC, Lee left the security company in late 2002 and lost himself in computer hacking and collecting pornography. Later, he sent a hacking program embedded in a photograph to a woman he had met online -- the hacking program was activated once the picture was opened on her computer.

Lee is also charged with hacking 260,000 screen output data and keyboard input data at universities, public organizations and businesses. Police say that Lee was skilled enough to break into his university computer network and forge school records in 2001. Police add that he may have sold information and that they are currently investigating that possibility.

Universities that were targets of his hacking include well-known institutions like Seoul National University, Pohang University of Science and Technology and Korea Advanced Institute of Science and Technology.


From isn at c4i.org Tue Oct 12 02:20:04 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 12 02:33:00 2004
Subject: [ISN] NIST details minimum security controls
Message-ID:

http://www.fcw.com/fcw/articles/2004/1011/web-nist-10-11-04.asp

By Florence Olsen
Oct. 11, 2004

Guidelines for setting computer security controls to protect federal information systems are described in a new publication from the National Institute of Standards and Technology. NIST officials said the document forms the basis for security controls that will become mandatory in December 2005.

The 88-page publication, known as Special Publication 800-53 [1], spells out the minimum security controls that federal agency officials must use to comply with the statutory requirements of the Federal Information Security Management Act of 2002, which applies to all federal information systems that are not national security systems.

The document, which NIST officials released late last month, is the second version of a draft that NIST officials revised after receiving public comments. The latest document, still not considered final, will be available until Nov. 30 for the public to review and submit additional suggestions for revision. NIST officials said they are especially interested in receiving comments about the cost and potential impact that the recommended computer security controls could have on federal agencies.

The document describes not only technical controls, such as intrusion-detection tools, but also a multitude of recommended management and operational controls for safeguarding the confidentiality, integrity and availability of federal information and the systems that provide that information.

Recommended controls vary, depending on the importance of a particular information system to an agency's mission. But the list is extensive and includes 17 categories of security controls. Among them are access and audit controls, configuration management, user identification and authentication, and media protection.

The guidelines suggest that minimum security controls required for broad classes of information systems, whether they are classified as high, moderate or low-risk, can be centrally managed and the costs amortized across multiple systems.

[1] http://csrc.nist.gov/publications/drafts/SP800-53-Draft2nd.pdf


From isn at c4i.org Tue Oct 12 02:20:16 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 12 02:33:02 2004
Subject: [ISN] Push Microsoft for W2K security, Gartner says
Message-ID:

http://www.theinquirer.net/?article=19021

By Mike Magee in Dublin
11 October 2004

HERE IN DUBLIN, not too many miles away from the forbidden zone - Intel's Leixlip fab - Annette Jump, a senior analyst at Gartner has delivered a presentation on what corporations and system builders should do given the current confusion over Windows clients.

Jump didn't say this but the Gartner graph of Microsoft support certainly suggests that if you're confused as a corporation or an end user, it's not really your fault at all.
Jump said that corporations and other Windows users should push Microsoft to introduce similar features in XP SP2 to reassure corporations deploying Windows 2000 and wondering which step to take. She said that with an increased focus on security, Microsoft was forced to release Windows XP SP2, which is not a typical service pack. Sixty per cent of it is security, 20 per cent are fixes, and 20 per cent are functional additions, said Jump. But there are some problems with SP2 - it crashes some of the applications. She said that Gartner believed only three per cent of shrink wrapped applications will be broken by SP2, and five per cent of custom written apps. Given the large number of apps, that might not matter too much, she said. But we suppose this is a little like someone breaking a leg. Most people's legs take eight weeks to heal, but some people's legs take years to heal. That might be a minor percentage of the whole, but for the minority it's 100 per cent. Corporations need to thoroughly test all applications before installing SP2. Microsoft hasn't delivered anything like this level of security for Windows 2000. She said that users, whether corporate or system integrator users, should persuade Microsoft to offer similar functionality in Windows 2000 - which, after all, many companies moved to to escape software compatibility problems with Windows 98, et al. Companies should introduce new machines with XP, rather than wait for Longhorn, by introducing operating systems into the enterprise which have current and future Windows supported clients. From isn at c4i.org Tue Oct 12 02:20:31 2004 From: isn at c4i.org (InfoSec News) Date: Tue Oct 12 02:33:03 2004 Subject: [ISN] Schmidt to take greater role in U.S. 
cybersecurity Message-ID: http://news.com.com/Schmidt+to+take+greater+role+in+U.S.+cybersecurity/2100-7348_3-5406220.html By Robert Lemos Staff Writer, CNET News.com October 11, 2004 The United States' former cybersecurity czar, Howard Schmidt, has agreed to take a greater role in the U.S. Computer Emergency Readiness Team (US-CERT) as an adviser, he said Monday. Schmidt, the chief security officer of online auctioneer eBay, currently cooperates with Carnegie Mellon University's Software Engineering Institute and that group's Computer Emergency Response Team (CERT) Coordination Center to advise the nation's incident response team. The Department of Homeland Security has asked him to play a greater part, he said. He has agreed but is currently discussing the details with the Department of Homeland Security and eBay. "I will take a more active role," he said. Schmidt will probably help manage the communication between the government group and the private companies that own more than 80 percent of the nation's Internet and communications infrastructure, expanding the role he has taken as a working group co-chairman in the National Cyber Security Partnership and as the founder of the Global CSO Council. "The pieces that are in place are going to require more activity and a more in-depth role that you can't do by meeting only once a quarter," he said. The details are still being discussed, he said, adding that no title has yet been decided upon. He will not be working as part of the U.S. Department of Homeland Security, but rather with Carnegie Mellon's CERT Coordination Center. DHS officials did not immediately reply to requests for comment on Schmidt's role. Amit Yoran, who succeeded Schmidt as top cybersecurity official in the United States, resigned this month, a little more than a year after joining the Department of Homeland Security. 
He was tasked with carrying out a major part of the initiatives outlined in President Bush's cybersecurity plan, which some argue he couldn't accomplish because he lacked direct access to Homeland Security Secretary Tom Ridge. Schmidt worked as Microsoft's chief security officer and then, from January 2002 to April 2003, as the vice chairman of the White House's National Critical Infrastructure Protection Board. Schmidt stressed that with this latest move, he is not "going back to government," but rather working with government and private industry. From isn at c4i.org Tue Oct 12 02:21:51 2004 From: isn at c4i.org (InfoSec News) Date: Tue Oct 12 02:33:06 2004 Subject: [ISN] REVIEW: "A Practical Guide to Managing Information Security", Steve Purser Message-ID: Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" BKPGTMIS.RVW 20040514 "A Practical Guide to Managing Information Security", Steve Purser, 2004, 1-58053-702-2, C$120.50 %A Steve Purser %C 685 Canton St., Norwood, MA 02062 %D 2004 %G 1-58053-702-2 %I Artech House/Horizon %O C$120.50 800-225-9977 fax: 617-769-6334 artech@artech-house.com %O http://www.amazon.com/exec/obidos/ASIN/1580537022/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/1580537022/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/1580537022/robsladesin03-20 %P 259 p. %T "A Practical Guide to Managing Information Security" After years of reviewing security books there were a number of red warning flags in the preface: the perception that a book was needed to address the "entire" subject of security, an insistence on a "pragmatic" and management oriented approach, and the use of a "fictitious but realistic case study" to support the arguments in the work. The final omen came in the author's bio on the back cover: he's a banker. 
Chapter one is a vague statement that the information technology world is getting riskier, but states outright the irresponsible notion that it is better to provide a less secure product to customers as long as that reduces your "time to market." This is backed up by a great deal of waffling managementspeak that boils down to the idea that we have to learn to work faster *and* cheaper *and* better *and* smarter. The footnotes and references intended to demonstrate that this is a scholarly and researched effort are, instead, a grab bag of varying origin and quality, indicating that the author isn't really familiar with security literature, and used whatever he happened to read. A few security information sources and generic advice on planning is in chapter two. The taxonomy of technical tools, in chapter three, contains no entries for accounting, application development, operations, physical security, assurance, or business continuity, thus indicating the enormous gaps in this work. The artificial structure imposed on the list works against an integrated view of the tools: Purser obviously doesn't understand intrusion detection divisions, or that host-based and net-based systems both provide details--but of differing views. In chapter four, Purser obviously thinks that he is giving us new insight into security assessment, when all that is really being delivered is a generic project planning cycle. Similarly, chapter five deals with business and threat analysis. A vague review of policy documents is in chapter six. Chapter seven takes on that wonderful buzzphrase, "process re-engineering," having almost nothing to do with security at all. A planning cycle comes up again when chapter eight supposedly looks at security architecture. Chapter nine covers security training, in an overly formal way. This book adds almost nothing to the existing security literature, except for a lot of management directed verbiage. copyright Robert M. 
Slade, 2004 BKPGTMIS.RVW 20040514 ====================== (quote inserted randomly by Pegasus Mailer) rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu It's a kind of spiritual snobbery that makes people think they can be happy without money. - Albert Camus (1913-60) http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade From isn at c4i.org Wed Oct 13 04:52:37 2004 From: isn at c4i.org (InfoSec News) Date: Wed Oct 13 05:03:11 2004 Subject: [ISN] Foreign Police Vying to Learn Cyber Crime Investigation Skills Message-ID: http://times.hankooki.com/lpage/nation/200410/kt2004101216411011960.htm By Lee Jin-woo Staff Reporter 10-12-2004 As Korea is one of the strongest Internet powerhouses in the world, foreign cyber crime investigators are rushing to the country to learn about the advanced investigation skills and systems in place here. According to the National Police Agency, a French team comprising police officers, prosecutors and computer experts arrived in Seoul Monday for a five-day visit. They are scheduled to learn about cyber crime cases, investigation skills and systems from the Cyber Terror Response Center. Earlier this month, some 40 Thai police officers, Justice Ministry officials and computer experts visited the center in order to discuss how to set up a similar system in Thailand. In addition, British police officers have visited Korea three times since 2002 and a key official of the U.S. Federal Bureau of Investigation (FBI) in charge of cyber terrorism came here early this year. Next month, police officers from Southeast Asian countries are scheduled to take two-week-long training courses here to learn about Korea's advanced system against cyber crimes. ``As Korea has set up one of the fastest developed online systems in the world and related crimes on the Internet have also greatly increased, our anti-cyber crime center has also developed one of the most advanced investigation methods and is a well-organized system,'' 
a police officer said. The center was established as the Hacker Investigation Squad in 1995 and later changed its name and system a few times until it was transformed into the current center in 2000. The number of people arrested for committing crimes on the Internet has increased seven times in the last three years in Korea. South Korea boasts of 29.22 million Internet users, accounting for 64.5 percent of its total population. From isn at c4i.org Wed Oct 13 04:52:59 2004 From: isn at c4i.org (InfoSec News) Date: Wed Oct 13 05:03:14 2004 Subject: [ISN] Cyber-Security to Get Higher-Profile Leader Message-ID: Forwarded from: William Knowles http://www.washingtonpost.com/wp-dyn/articles/A28019-2004Oct12.html By Jonathan Krim Washington Post Staff Writer October 13, 2004 Homeland Security Secretary Tom Ridge said yesterday that the role of overseeing computer security and the Internet should have a higher profile at the agency, in the face of increasing concern from technology executives and experts that cyber-security is getting inadequate attention. Ridge told an industry council that advises the White House that the agency was creating a new position of assistant secretary to be responsible for both cyber- and telecommunications security, according to two executives who heard the remarks. But hours later, Homeland Security spokesman Brian Roehrkasse said that despite Ridge's comments, final details on the title and responsibilities of the elevated position had not been decided. An administration source who spoke on the condition of anonymity later said Ridge misspoke; the job will instead be deputy assistant secretary. Cyber-security has been a flashpoint ever since the Department of Homeland Security was created in the wake of the Sept. 11, 2001, terrorist attacks. Before then, a cyber-security office was an integral part of the White House. 
The decision to move it was regarded by many in the technology security industry as a downgrade of the issue's importance by the Bush administration. Although no full-scale cyber-attacks have occurred, terrorists make extensive use of the Internet for everything from passing messages to transferring money. And because so many networks interconnect, cyber-security experts warn that a weak link in one place could be exploited and threaten major avenues of commerce. Moreover, attacks by apolitical but malicious hackers against governments, businesses and consumers have continued unabated, costing companies and individuals tens of millions of dollars a year. The controversy over how best to handle cyber-security reached a boiling point on Oct. 1, when Amit Yoran, head of Homeland Security's National Cyber Security Division, quit in frustration over his inability to get the department to be more aggressive on the issue. Yoran had reported to Robert P. Liscouski, assistant secretary for infrastructure protection, and was not responsible for telecommunication networks, which are the backbone of the Internet. Liscouski has staunchly resisted calls for giving cyber-security separate attention, arguing that it should be integrated with all other security considerations. If the department were to create an assistant secretary position for cyber-security, Liscouski would be responsible only for other physical infrastructure. Before Homeland Security issued its statement, Ridge's remarks met with wide acclaim. Yoran called the change "a fantastic move" and evidence that the department is able to change its operations to meet the mounting cyber-threat. Paul Kurtz, head of the Cyber Security Industry Alliance, said it was "a solid development." Rep. Zoe Lofgren (D-Calif.), who along with Rep. William M. "Mac" Thornberry (R-Tex.) sponsored House legislation to elevate the cyber-security job, said it would be "good news for a more secure America." 
From isn at c4i.org Wed Oct 13 04:53:10 2004 From: isn at c4i.org (InfoSec News) Date: Wed Oct 13 05:03:15 2004 Subject: [ISN] Companies risk security by not introducing wireless Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,96597,00.html By Laura Berrill OCTOBER 12, 2004 TECHWORLD.COM Enterprise IT managers are interested, but reluctant, to introduce wireless technology to their business for no good reason -- and as a result could be risking security breaches. At least according to a survey by researchers at IDC. IDC's research director, Lars Vestergaard, said the research found that interest by businesses in wireless LAN usage was widespread. However, "Unfortunately IT managers are being uncertain about using this technology, but they use a lot of bad excuses," he said. "This is because they often fear a lack of security as well as an increase in transaction costs, for example, having to spend a lot of time and money on introducing the technology to new users. "They are worried about the time they would have to spend educating and training users," he explained, and this could cause all sorts of security problems for an enterprise. "Wireless technology can be fully taken care of and encrypted, although it does not come as standard. What is happening is that IT managers are rejecting it on behalf of the company, but employees are still using the technology and that is not secure," he said. 
In particular, "employees are using connect cards and posing a security risk by doing so because they don't know how their security works, so someone could hack into the enterprise LAN. In this way, enterprises are exposing themselves to risks by ignoring interest by others in WLANs." The solution, according to IDC, is for IT departments to make strategies on how to deal with incorporating wireless technology, adding that the technology was hugely successful already and was inevitably going to be used as standard by the enterprise in the near future. Vestergaard admitted there was a need for more education in the workplace, but this was increasing with more IT managers being educated and passing their knowledge on to all departments of a possibly wavering enterprise. He concluded, "It's inevitable people will start using wireless technology on a big scale and on the business side it is visibly needed. What's needed now is flexibility of pricing, an increase in hot spots and an increased understanding of how the technology can be used." From isn at c4i.org Wed Oct 13 04:53:20 2004 From: isn at c4i.org (InfoSec News) Date: Wed Oct 13 05:03:16 2004 Subject: [ISN] Microsoft Patch Rollout Addresses A Dozen Flaws, Nine of Them 'Critical' Message-ID: http://www.informationweek.com/story/showArticle.jhtml;jsessionid=JS3VPVI4GV45WQSNDBCSKHSCJUMEKJVN?articleID=49901123 By Gregg Keizer TechWeb News Oct. 12, 2004 In the biggest monthly patch roll-out of the year, Microsoft on Tuesday posted information about a dozen flaws in Windows, Exchange, and Office, and said that users needed to "install the update immediately" for the nine tagged as "Critical." In the 12 security bulletins posted on its Web site, Microsoft outlined critical bugs in almost every supported edition of Windows, in Excel, and in Exchange. Only three of the dozen are not rated as "Critical," Microsoft's highest alert level in its four-step ranking. 
That trio was labeled as "Important," the second-highest warning used when Microsoft urges users to "install the update at the earliest opportunity." The previous 2004 record for the largest number of security bulletins released in a month was July, when the Redmond, Wash.-based developer posted eight. Patches for the bugs can be downloaded via the Windows Update service or through Automatic Update, Windows' in-the-background patching system. From isn at c4i.org Thu Oct 14 04:52:15 2004 From: isn at c4i.org (InfoSec News) Date: Thu Oct 14 05:07:31 2004 Subject: [ISN] Security UPDATE-- Group Policy and Corporate Policy--October 13, 2004 Message-ID: ==================== This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE. The Unofficial Guide to IM for Executives http://list.windowsitpro.com/cgi-bin3/DM/y/ehpk0MfYqv0Kma0BMDN0Ad Security Administrator http://list.windowsitpro.com/cgi-bin3/DM/y/ehpk0MfYqv0Kma0BFMs0AI ==================== 1. In Focus: Group Policy and Corporate Policy 2. Security News and Features - Recent Security Vulnerabilities - Modify Your ASP.NET Applications for Added Security - Microsoft Working on Spyware Solution 3. Security Matters Blog - Security Fixes Available for Mac OS X - Security Update for Firefox Preview Release 4. Security Toolkit - FAQ - Security Forum Featured Thread 5. New and Improved - Use Certificates to Secure Your Files - Monitor Keystrokes, Passwords, Emails, and Web Site Visits ==================== Dear READER, In September, we converted our email newsletters to HTML. This change was based on audience feedback that led us to believe the scale had tipped in the favor of HTML email newsletters. Wow, did you ever chime in with feedback on this one! You resoundingly told us, "Don't take away my text newsletters!" 
More than 1000 (and counting) of you have taken time out of your busy day to tell how you want your email newsletters delivered. Now we're moving email newsletters back to text format. At the top of this newsletter, we've included a link for any reader who wants to sign up for the HTML format, which we will offer again when demand for this format has built up. It's wonderful to see how responsive our audience is and how much you care about the content. We want to continue providing high-value content in these free email newsletters. Our sponsors and your clicks are what allow us to produce this high-quality content for free in the email newsletters. We have been overwhelmed by your response and appreciate this incredible testament to the deep community relationship we have with you. In a meeting the other day, we were discussing how cool it is that thousands of you felt strongly enough to take the time to write us an email and tell us your thoughts! We work really hard to listen to you, our loyal (and opinionated!) audience, and we feel privileged to have been the hub of this incredibly active Windows IT community over the past 10 years. Keep the feedback coming, because you know we're listening! Best regards, Karen Forster ==================== ==== Sponsor: Akonix ==== The Unofficial Guide to IM for Executives This free white paper will help managers, directors and executives in all types of businesses understand Instant Messaging and the powerful benefits it brings to the workplace when properly managed and controlled. According to Giga Information Group, a large majority of mid- to large-sized organizations have no formal IT support for IM. This means employees are often logging onto public IM networks without permission and without protection from viruses and worms, corporate policy control or the ability to monitor and log conversations. Start protecting your organization and get the white paper now! 
http://list.windowsitpro.com/cgi-bin3/DM/y/ehpk0MfYqv0Kma0BMDN0Ad ==================== ==== 1. In Focus: Group Policy and Corporate Policy ==== by Mark Joseph Edwards, News Editor, mark at ntsecurity / net Recently on a popular mailing list devoted to security on Microsoft platforms, a member explained that he had configured Group Policy to prevent people from installing unapproved software on their systems. He wrote that he wasn't content with Group Policy Objects (GPOs), because they only block the installation of software packaged in Windows Installer (.msi) files, which means that executables could still run and install programs. In response, another list member suggested that administrators could adjust ACLs on areas of the registry (such as the HKEY_LOCAL_MACHINE\SOFTWARE subkey or HKEY_CURRENT_USER\Software subkey) and on directories (such as the Program Files directory) to restrict regular user accounts from having write access, which would prevent the installation of software. These actions could work but might break some applications that need to write to those areas of the registry and file system. Another list member suggested that administrators could configure restrictions that prevent programs such as setup.exe and install.exe from running. This might work too, but some users will realize they can simply rename typical installation programs and the programs will run just fine. Obviously, a combination of tactics is required. Completely restricting people from installing software on their systems, whether you use controls built into the OS or add-on controls from third parties, is challenging. The further you programmatically restrict activity on a system, the greater chance you have of breaking some application that users need. As I read the message thread, it became clearer how much administrators struggle to outmaneuver the people who use the computers on their networks. 
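An audit script for the ACL approach the list members describe, added here as an example and not taken from the newsletter or the thread it summarises: it assumes an elevated PowerShell session on Windows and checks the exact locations named (HKLM\SOFTWARE, HKCU\Software, the Program Files directories and their direct children) for ACEs that give broad principals write access, which is what would let a regular user drop a program onto the system outside Windows Installer.

```powershell
# Added audit script (assumed environment: elevated PowerShell on Windows).
# It does not change any ACL; it only reports where broad principals can write
# under the registry hives and directories the list thread names.

# Principals whose write access means "any regular user can write here"
$BroadPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Bits that allow creating or changing content. Modify and FullControl both
# contain the Write bits, so testing against Write catches all three.
$FileWriteMask = [int][System.Security.AccessControl.FileSystemRights]::Write
$RegWriteMask  = [int]([System.Security.AccessControl.RegistryRights]::SetValue -bor
                       [System.Security.AccessControl.RegistryRights]::CreateSubKey)

function Get-BroadWriteAce {
    # Returns one object per Allow ACE on $Path that grants write-type rights
    # to one of the broad principals above. Works for registry and file paths.
    param([Parameter(Mandatory)][string]$Path)

    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL of $Path : $($_.Exception.Message)"
        return
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }

        # Registry and file-system ACEs keep their rights in different properties
        if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
            $rights = $ace.RegistryRights
            $mask   = $RegWriteMask
        } else {
            $rights = $ace.FileSystemRights
            $mask   = $FileWriteMask
        }
        if (([int]$rights -band $mask) -eq 0) { continue }

        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $rights
            Inherited = $ace.IsInherited
        }
    }
}

# The locations named in the thread. HKCU:\Software is included because the
# thread names it, even though a profile's own user is expected to own it.
$Roots = @('HKLM:\SOFTWARE', 'HKCU:\Software', $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$Findings = foreach ($root in $Roots) {
    Get-BroadWriteAce -Path $root
    # Per-application subkeys and folders are where vendors most often loosen
    # the inherited ACL, so check the direct children as well.
    Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object { Get-BroadWriteAce -Path (Convert-Path $_.PSPath) }
}

if ($Findings) {
    $Findings | Sort-Object Path, Principal | Format-Table -AutoSize
} else {
    'No broad write ACEs found under the audited locations.'
}
```

Each reported entry is a place the thread's "remove write access" step has not reached; whether tightening it breaks an application, as the column warns, is what the inherited flag and per-application rows help you judge before changing anything.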
It seems to me that there is an additional, less stressful way to address this particular problem. Companies can establish written guidelines that explain exactly what employees are allowed and not allowed to do with company computers and make employees liable for any misuse of company computers to deter employees from acting outside the guidelines. If someone installs software on a computer without permission, somewhere along the line, an administrator will probably have to uninstall that software or rebuild the system to ensure some desired level of system integrity. This work costs the company money and is basically a waste of company time. So why not consider a corporate policy that lets you charge the negligent employee for the time and labor needed to restore a system to its original configuration? Of course, you could also add even stronger deterrents to your policies if your situation warrants them. ==================== ==== Sponsor: Security Administrator ==== Try a Sample Issue of Security Administrator! Security Administrator is the monthly newsletter from Windows IT Pro that shows you how to protect your network from external intruders and control access for internal users. Sign up now to get a 1-month trial issue--you'll feel more secure just knowing you did. Click here! http://list.windowsitpro.com/cgi-bin3/DM/y/ehpk0MfYqv0Kma0BFMs0AI ==================== ==== 2. Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://www.windowsitpro.com/departments/departmentid/752/752.html Modify Your ASP.NET Applications for Added Security The new Microsoft article "Programmatically check for canonicalization issues with ASP.NET" ( http://support.microsoft.com/?kbid=887459 ) recommends program code adjustments for applications that use ASP.NET. 
The changes will help strengthen overall security because they prevent intruders from gaining access to files they shouldn't be able to access. http://www.winnetmag.com/Article/ArticleID/44182/44182.html Microsoft Working on Spyware Solution During a recent trip to the Computer History Museum in Mountain View, California, Microsoft Chairman and Chief Software Architect Bill Gates revealed that his company is working on an antispyware software solution. Gates didn't say when the company would ship the technology or whether it would be bundled with Windows or shipped as a standalone product. http://www.winnetmag.com/Article/ArticleID/44141/44141.html ==================== ==== Announcements ==== (from Windows IT Pro and its partners) Get the Charter Issue of Windows IT Pro! Windows & .NET Magazine is now Windows IT Pro! Act now to get our special charter issue rate of just $39.95--that's 52% off the cover price! The September issue shows you how to plug DNS holes and select the best scripting editor, plus learn more about the business side of IT. And discover the top 10 PC trends we think you need to keep an eye on. This is a limited-time offer, so order today! http://list.windowsitpro.com/cgi-bin3/DM/y/ehpk0MfYqv0Kma0BKrg0Am Microsoft Exchange Connections October 24-27 in Orlando, FL Microsoft and Windows IT Pro team up to produce the essential conference for network administrators and IT managers on Exchange Server and Outlook technology. Register early, and attend sessions at concurrently run Windows Connections for free. See the complete conference brochure online or call 800-505-1201 for more information. http://list.windowsitpro.com/cgi-bin3/DM/y/ehpk0MfYqv0Kma0KXQ0As Join Itzik Ben-Gan, William Vaughn, and Gert Drapers in Brussels! Learn from SQL Server Magazine experts at Europe's premiere SQL Server event--Brussels SQL Server Day on October 26. 
Join Microsoft and SQL Server Magazine for a free, full-day event that gives SQL Server users the tools they need to unleash the power of SQL Server 2000, deploy SQL Server Express, and get ready for SQL Server 2005. Register now! http://list.windowsitpro.com/cgi-bin3/DM/y/ehpk0MfYqv0Kma0BL8D0AG ==================== ==== 3. Security Matters Blog ==== by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters Check out these recent entries in the Security Matters blog: Security Fixes Available for Mac OS X For those of you who support Apple systems on your network, be aware that a new set of security patches for Apple Mac OS X is available now. http://www.winnetmag.com/Article/ArticleID/44181/44181.html Security Update for Firefox Preview Release If you're using the Mozilla Firefox Web browser, you might need to install an update to protect your systems against possible attacks. On September 29, Alex Vincent reported a vulnerability that might let intruders delete files on a user's system. Mozilla issued an update for the browser on October 1. http://www.winnetmag.com/Article/ArticleID/44139/44139.html ==== 4. Security Toolkit ==== FAQ by John Savill, http://www.windowsitpro.com/windowsnt20002003faq Q: Why can't clients view a Web site that I'm hosting on a system that has Windows XP Service Pack 2 (SP2) installed? Find the answer at http://www.winnetmag.com/Article/ArticleID/44146/44146.html Security Forum Featured Thread A reader writes that he wants to move some data into a shared read-only area in his file system. The data should ideally retain its current permissions to the extent that only those with access now can still access the data after the migration. To achieve this goal, he proposes to use the Everyone group with a "deny" attribute to ensure that, despite existing permissions, the highest level of access available to the user community will be read-only. He would also like to prevent anyone from mass-copying data out of this area. 
He wants to know whether what he's trying to achieve is possible and, if so, how he can do it. Join the discussion at http://www.winnetmag.com/Forums/messageview.cfm?catid=42&threadid=125757 ==================== ==== Events Central ==== (A complete Web and live events directory brought to you by Windows IT Pro at http://www.windowsitpro.com/events ) Are You "Getting By" Using Fax Machines or Relying on a Less Savvy Solution That Doesn't Offer Truly Integrated Faxing from Within User Applications? Attend this free Web seminar and learn what questions to ask when selecting an integrated fax solution, discover how an integrated fax solution is more efficient than traditional faxing methods, and discover how to select the fax technology that's right for your organization. Register now! http://list.windowsitpro.com/cgi-bin3/DM/y/ehpk0MfYqv0Kma0BL8a0Aj ==================== ==== 5. New and Improved ==== by Renee Munshi, products@windowsitpro.com Use Certificates to Secure Your Files EldoS offers EldoS PKI Tools, which encrypts and signs files using X.509 certificates and manages the certificates. EldoS PKI Tools lets you perform simple file operations such as packing files into a .zip archive, sending files as email attachments, and securely deleting files. You can also perform advanced security operations such as signing and encrypting files and folders. All operations are performed with just a few clicks. EldoS PKI Tools uses digital certificates instead of passwords to provide better information security and integrity. EldoS PKI Tools supports smart cards and USB tokens for storing certificates. EldoS PKI Tools runs on Windows 2003/XP/2000/Me/98. For more information, or to purchase and download EldoS PKI Tools, go to http://www.eldos.org Monitor Keystrokes, Passwords, Emails, and Web Site Visits iOpus Software's ActMon replaces STARR PC & Internet Monitor. 
ActMon monitoring software claims several unique features: "kernel-level" file protection that makes files completely inaccessible and invisible to unauthorized users, "kernel-level" keyboard recording that even logs the keystrokes entered during Windows XP/2000 logon, and an activity data log that's protected with 256-bit encryption and that can run in an endless loop. In addition to its unique features, ActMon performs the usual monitoring tasks, tracking keyboard strokes, passwords, incoming and outgoing chat conversations, email messages, and visited Web sites. The ActMon PRO Edition adds advanced features such as flexible network functions to send and receive reports via the Internet or a local network. ActMon PRO costs $69.95, with discounts available for multiple users, sites, and nonprofit organizations. ActMon runs under Windows 2003/XP/2000/Me/98. You can purchase ActMon or download a free 30-day trial version at
http://www.iopus.com

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rsecadmin@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.
====================

==== Contact Us ====
About the newsletter -- letters@windowsitpro.com
About technical questions -- http://www.windowsitpro.com/forums
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Pro, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.
http://www.windowsitpro.com/sub.cfm?code=wswi201x1z

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2004, Penton Media, Inc. All rights reserved.

From isn at c4i.org Thu Oct 14 04:52:30 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 14 05:07:33 2004
Subject: [ISN] Enterprise security is worst ever, experts say
Message-ID:

http://www.nwfusion.com/news/2004/1012etreent.html

By Scarlet Pruitt
IDG News Service
10/13/04

Despite the number of IT security products and services cramming the market, businesses are more exposed than ever to emerging threats, according to industry experts speaking at the Etre technology conference in Cannes.

"Enterprises are more exposed than a year ago. The hackers have won!" said Eli Barkat, managing director of venture capital firm BRM Capital, who has been involved in investing in security firms.

Barkat cited a lack of innovation in the security industry as why the situation has not improved.

Mike Dalton, president of McAfee in Europe, the Middle East, and Africa, agreed that the security situation is dire, but said that innovation was not necessarily the roadblock. A major problem is a lack of integration in security products, he said.
And while all the experts predicted further consolidations among security companies, that will not necessarily lead to more comprehensive, integrated products, they said.

"Today the security business is very diverse and very complex," said Phillip Dunkelberger, president and CEO of encryption company PGP. "You have four or five different point solutions and they don't all work together."

Yanki Margalit, president and CEO of digital rights management provider Aladdin Knowledge Systems, agreed that enterprises are more exposed than ever, but did not put the blame squarely on security companies' shoulders.

"This is a long-term fight. There are so many threats," Margalit said.

Part of the remedy would be widely available tools that help developers check the security of the applications they are building, commented Barkat, adding that he hopes Microsoft takes a leading role.

On the subject of the software giant, the experts were divided on the work the company is presently doing on the security front.

"Microsoft is clearly not doing a good job at security. Most people in this room who work in security have their jobs because of Microsoft," Dalton said.

Margalit disagreed. "Microsoft is getting its act together. They did a horrible, terrible job (in the past) but now they are serious. I believe that they will be a very strong security player and force the rest of the industry to be niche players," Margalit said.

While the speakers gave no clear direction on the path the industry needs to take to truly alleviate companies' security woes, they did have some words of advice.

Invest in integrated security products and avoid security appliances whose architecture changes after a few years, Barkat said.

Forget about white lists, which normally refer to lists of e-mail addresses from which you agree to get mail, thinking they are safe. You will fail if you try to define everything you can do, Margalit said.
"We need to get out of the defense mode and allow companies to go on the offensive," Dunkelberger said.

From isn at c4i.org Thu Oct 14 04:52:42 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 14 05:07:34 2004
Subject: [ISN] Bad Protocol - Freedom to Tinker
Message-ID:

http://www.freedom-to-tinker.com/archives/000699.html

Edward W. Felten
October 13, 2004

Dan Wallach from Rice University was here on Monday and gave a talk on e-voting. One of the examples in his talk was interesting enough that I thought I would share it with you, both as an introductory example of how security analysts think, and as an illustration of how badly Diebold botched the design of their voting system.

One of the problems in voting system design is making sure that each voter who signs in is allowed to vote only once. In the Diebold AccuVote-TS system, this is done using smartcards. (Smartcards are the size and shape of credit cards, but they have tiny computers inside.) After signing in, a voter would be given a smartcard -- the "voter card" -- that had been activated by a poll worker. The voter would slide the voter card into a voting machine. The voting machine would let the voter cast one vote, and would then cause the voter card to deactivate itself so that the voter couldn't vote again. The voter would return the deactivated voter card after leaving the voting booth.

This sounds like a decent plan, but Diebold botched the design of the protocol that the voting terminal used to talk to the voter card. The protocol involved a series of six messages, as follows:

  terminal to card: "My password is [8 byte value]"
  card to terminal: "Okay"
  terminal to card: "Are you a valid card?"
  card to terminal: "Yes."
  terminal to card: "Please deactivate yourself."
  card to terminal: "Okay."

Can you spot the problem here? (Hint: anybody can make their own smartcard that sends whatever messages they like.)
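To see the six-message exchange concretely before reading Felten's answer, here is a small simulation added by the editor (not Felten's or Diebold's code). It models the terminal and the card as described above, and beside the original terminal logic it adds a challenge-response variant in which the card must prove possession of a key; the shared key, the "Prove it" message and the HMAC-SHA256 construction are the editor's assumptions, not part of the Diebold protocol.

```python
import hashlib
import hmac
import secrets

# Constructed key for the simulation only. In a real design it would live in
# the terminal and in legitimately issued voter cards, never in a card built
# by someone else.
SHARED_KEY = b"constructed-demo-key-not-from-the-article"


class VoterCard:
    """A legitimately issued card: holds the key and a one-shot 'active' flag."""

    def __init__(self, key=SHARED_KEY):
        self._key = key
        self.active = True

    def handle(self, msg):
        # The three card replies of the original six-message protocol. Note
        # that the only secret in that exchange (the terminal's password)
        # flows from terminal to card, so nothing here authenticates the card.
        if msg.startswith("My password is "):
            return "Okay"
        if msg == "Are you a valid card?":
            return "Yes." if self.active else "No."
        if msg == "Please deactivate yourself.":
            self.active = False
            return "Okay."
        # Added challenge-response step (editor's assumption): answer a
        # terminal-chosen nonce with an HMAC over the shared key.
        if msg.startswith("Prove it: "):
            if not self.active:
                return "No."
            nonce = bytes.fromhex(msg[len("Prove it: "):])
            return hmac.new(self._key, nonce, hashlib.sha256).hexdigest()
        return "?"


class CannedCard:
    """A card with no key that simply returns the replies a valid card would.
    This models the post's point that the card 'doesn't actually do anything
    surprising' in the original protocol."""

    def handle(self, msg):
        if msg.startswith("My password is "):
            return "Okay"
        if msg == "Are you a valid card?":
            return "Yes."
        if msg == "Please deactivate yourself.":
            return "Okay."
        return "Yes."


def naive_terminal(card, password=b"\x00" * 8):
    """The protocol as described: ask the card whether it is valid and believe
    the answer. Returns True if the terminal would allow a vote."""
    transcript = [card.handle(f"My password is {password.hex()}")]
    transcript.append(card.handle("Are you a valid card?"))
    if transcript[-1] != "Yes.":
        return False
    transcript.append(card.handle("Please deactivate yourself."))
    return transcript == ["Okay", "Yes.", "Okay."]


def challenge_terminal(card, key=SHARED_KEY):
    """Hardened variant: a fresh random nonce per session, so a card cannot
    pass by replaying a canned answer; only a card holding the key is asked
    to deactivate and allowed to vote."""
    nonce = secrets.token_bytes(16)
    expected = hmac.new(key, nonce, hashlib.sha256).hexdigest()
    answer = card.handle(f"Prove it: {nonce.hex()}")
    if not hmac.compare_digest(answer, expected):
        return False
    return card.handle("Please deactivate yourself.") == "Okay."


def run_demo():
    """Exercise both terminals against both cards and return the outcomes."""
    results = {
        "naive_accepts_real_card": naive_terminal(VoterCard()),
        "naive_accepts_canned_card": naive_terminal(CannedCard()),
        "challenge_accepts_real_card": challenge_terminal(VoterCard()),
        "challenge_rejects_canned_card": not challenge_terminal(CannedCard()),
    }
    used = VoterCard()
    challenge_terminal(used)  # first session deactivates the card
    results["challenge_rejects_used_card"] = not challenge_terminal(used)
    canned = CannedCard()  # never deactivates, so the naive check keeps passing
    results["naive_repeat_votes"] = sum(naive_terminal(canned) for _ in range(3))
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```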
As most of you probably noticed -- and Diebold's engineers apparently did not -- the smartcard doesn't actually do anything surprising in this protocol. Anybody can make a smartcard that sends the three messages "Okay; Yes; Okay" and use it to cast an extra vote. (Do-it-yourself smartcard kits cost less than $50.) Indeed, anybody can make a smartcard that sends the three-message sequence "Okay; Yes; Okay" over and over, and can thereby vote as many times as desired, at least until a poll worker asks why the voter is spending so long in the booth.

One problem with the Diebold protocol is that rather than asking the card to prove that it is valid, the terminal simply asks the card whether it is valid, and accepts whatever answer the card gives. If a man calls you on the phone and says he is me, you can't just ask him "Are you really Ed Felten?" and accept the answer at face value. But that's the equivalent of what Diebold is doing here.

This system was apparently used in a real election in Georgia in 2002. Yikes.

From isn at c4i.org Thu Oct 14 04:53:00 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 14 05:07:37 2004
Subject: [ISN] NSA: Global grid will have data assurance baked in
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/27627-1.html

By Susan M. Menke
GCN Staff
10/13/04

The National Security Agency is revising its 2-month-old, 2,200-page information assurance roadmap for the Defense Department's Global Information Grid, NSA's Daniel G. Wolf said today at the Microsoft Security Summit East in Washington.

After incorporating feedback from government and industry, NSA will release a three-phase architectural plan for secure worldwide data sharing among and across military and intelligence agencies over the next two decades.

Wolf, the agency's IA director, said producing the architectural plan has taken 40 staff-years so far. It spells out no specific solutions at this point, but it will ensure that IA is "baked in"
by authenticating credentials, security clearances, roles and situational awareness throughout the GIG, he said. Some form of user token will be part of the security architecture.

"It's not only architecture, it will be products and services," he said. For example, NSA will design the initial 1-Gbps backbone encryptors for major GIG communications links. As envisioned, later phases of the grid eventually could scale up to backbone rates of 40 Gbps and then 100 Gbps.

Although data traveling on the grid will be encrypted by two separate suites of high-grade and top-secret algorithms including the Advanced Encryption Standard, there still are potential risks from IPv6 packet headers and traffic disruption.

More than 160 military systems are supposed to interact via the GIG, Wolf said. As more and more IP-addressable devices -- even some weapons -- join the grid, cell phone voice calls could use its transport capacity, he said.

The revised plan will identify the things to do, the timeframe, and the products and services. We want to monitor and manage devices over the network, with automatic updates and hardware and software problem alerts.

Because NSA lacks the resources to evaluate increasingly complex commercial software, Wolf has formed industry partnerships to make safer software a top priority. He said NSA has taken advantage of Microsoft Corp's offer to let governments examine its source code, which grew from 6 million lines of code in Windows 3.1 to more than 30 million lines in XP.

Buffer overflows are a major source of failures and vulnerabilities in software, said Wolf, who has recruited 59 colleges and universities to set up an IA curriculum and teach safe programming practices. We have a cadre of IA students, he said. We hired about 30 graduates this year. They understand IA and hit the ground running.

The Homeland Security Department has joined DOD as a joint sponsor of the IA curriculum program, he said.

Another initiative for which he currently has no funding would be a high-assurance software office that could drive standards and develop automated tools and metrics. We need people interested in policy and business and international relations, as well as programmers, he said. More than 50 percent of custom development will go offshore by 2007. There are foreign nationals developing software in the United States, and there are many third-party utilities and drivers.

Wolf added, "It's almost like the Manhattan Project. I see this as the modern equivalent to the national labs set up under the threat of thermonuclear war in the 1940s."

From isn at c4i.org Thu Oct 14 04:53:24 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 14 05:07:39 2004
Subject: [ISN] Microsoft security chief quits UK role
Message-ID:

http://management.silicon.com/itpro/0,39024675,39124956,00.htm

By Graeme Wearden and Dan Ilett
October 13 2004

Stuart Okin, the public face of Microsoft UK's security work, has resigned from the software giant.

In an email sent by Okin on Wednesday afternoon, and seen by silicon.com sister site ZDNet UK, he revealed he was "moving on to pastures new" after eight years at Microsoft. Okin confirmed those "pastures" will be within Accenture.

Okin was appointed as Microsoft UK's first chief security officer in February 2002, and is well respected by security professionals.

Simon Perry, vice-president of security strategy at Computer Associates, said: "This should definitely be seen as a positive move for Stuart's ability and ambition."

"It should also be seen as a show of initiative for Accenture and not interpreted as Microsoft backing off from their security initiatives in any way."

During Okin's time at the helm Microsoft has been under growing pressure and criticism for the state of some of its software, especially Internet Explorer.
Okin's shoes will be partially filled by Nick McGrath, Microsoft's head of platform strategy, who will now become the "security orchestration lead", according to Okin's email.

McGrath told ZDNet UK that Okin was moving to become an associate partner at Accenture, the management consultancy firm.

"This is an incredibly good move for Stuart, and I'm incredibly pleased for him," said McGrath, adding that Okin will be continuing his security work at Accenture.

Yesterday Microsoft admitted that a further 22 flaws had been found in its Office software. Despite this, McGrath believes the security battle can be won.

"The security challenge facing the industry is the same for all software products," insisted McGrath.

From isn at c4i.org Thu Oct 14 04:54:01 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 14 05:07:41 2004
Subject: [ISN] Prosecutor resigns over hacked PC
Message-ID:

http://www.theregister.co.uk/2004/10/13/dutch_prosecutor_hacked/

By Jan Libbenga
13th October 2004

A leading Dutch prosecutor resigned yesterday after hackers entered his mail box and revealed yet another classified letter addressed to the public prosecutor's office. This was the second security lapse in recent days for Joost Tonino, a specialist prosecutor in white collar crime.

Just last week Tonino was left red faced after it emerged he had put his old PC out with the trash. The hard disk, which should have been destroyed, contained hundreds of pages of confidential information about high profile cases, as well as his credit card number, social security number and personal tax files.

A taxi driver who discovered the PC decided to sell the information to a Dutch TV crime reporter, who last week revealed on Dutch television what was on the hard disk. The reporter also managed to open his email box.

Although Tonino changed his password immediately after this painful incident, Dutch hackers were able to get access to his mail box and published yet another letter by Tonino on a Dutch weblog.
In this letter Tonino downplayed the importance of the information found on his PC, claiming "it was material of little importance".

Although Dutch Justice Minister Piet Hein Donner did not intend to prosecute Tonino, the top justice official decided to resign as public prosecutor yesterday, because he believed his dignity had been compromised. Tonino says he will accept another job at the public prosecutor's office.

From isn at c4i.org Thu Oct 14 04:55:13 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 14 05:07:42 2004
Subject: [ISN] India, U.S. discuss anti-hacker alerts
Message-ID:

http://newsobserver.com/24hour/technology/story/1732744p-9556193c.html

By LAURINDA KEYS
ASSOCIATED PRESS WRITER
Oct 13, 2004

NEW DELHI (AP) - India and the United States agreed Wednesday to develop new ways of securing data and to expand cooperation to protect networks from destructive viruses and computer hackers.

The two countries reached the agreement at the end of a two-day conference Wednesday of the main information technology industry organizations of India and the United States.

"The United States is willing to begin cooperation with appropriate government entities, including in India," said Michele Markoff, the senior coordinator for international critical infrastructure protection in the U.S. State Department.

"Protection of networks and information structures is as essential to the safety of our citizens and economy as our buildings ... and airports," Markoff told the closing session of the conference.

Markoff said that only a few months ago, the United States set up a 24-hour, seven-day-a-week monitoring system to watch for hacking or destructive computer and software viruses. But she said monitoring is more effective if done across the globe, with every nation setting up a system to protect its own data and networks and quickly sharing information on attacks.
Markoff said most nations already have someone in government or the military on 24-hour alert who could also watch for a cyber attack.

Just how it would work will be discussed in November when the Information Technology Association of America hosts its Indian counterpart, the National Association of Software and Service Companies, or NASSCOM, the two groups that met in New Delhi this week.

While governments are concerned about protecting networks against attacks by terrorist hackers, industry leaders also want to tackle data theft by employees or commercial hackers, computer viruses and unwanted e-mail - or "spam" - that hurts productivity.

"We all talk about (the potential threat of) al-Qaeda, but nine out of 10 problems are employees, ex-employees, ex-partners, ex-partners of employees, buddies they gave a password to," said Jerry Rao, the NASSCOM chairman and founder of India's Infosys software giant.

He said NASSCOM will have "the kernel" of a voluntary employee registry in place by March - to be handled by an outside agency - that would confirm the background and identity of employees in India's information technology industry, while safeguarding their privacy.
From isn at c4i.org Fri Oct 15 06:28:09 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Oct 15 06:38:35 2004
Subject: [ISN] Secunia Weekly Summary - Issue: 2004-42
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2004-10-07 - 2004-10-14

This week : 57 advisories

========================================================================

Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================

1) Word From Secunia:

Microsoft's latest patch release may leave the impression that the new Service Pack 2 (SP2) for Windows XP is a uniform patch that removes many security issues that affect previous versions of Windows.

While security has improved in many ways with SP2, there is no reason to believe that most of the future vulnerabilities discovered in other versions of Windows won't affect Windows XP SP2 as well.

According to eEye and others, Microsoft has known about the vulnerabilities fixed by the latest patches since Q1 and Q2 2004. Some, if not all, of the patches were already included in Service Pack 2 when it was released in August.

In other words, all of the issues weren't "eliminated" by SP2 through change of security models and general review of code, but through traditional patching bundled in a Service Pack.

========================================================================

2) This Week in Brief:

ADVISORIES:

Microsoft has released their monthly security updates, which correct vulnerabilities in almost all core components of the Microsoft product line.
In other words, if you are a Microsoft user, then it is required that you check Windows-Update for the latest patches.

Additional details about all security updates can be found in the referenced Secunia advisories below.

References:
http://secunia.com/SA12808
http://secunia.com/SA12807
http://secunia.com/SA12806
http://secunia.com/SA12804
http://secunia.com/SA12803
http://secunia.com/SA12805
http://secunia.com/SA12802
http://secunia.com/SA12801
http://secunia.com/SA12800
http://secunia.com/SA12799

--

Jelmer has discovered a vulnerability in Adobe Acrobat and Adobe Reader, which can be exploited by malicious people to read content of local files.

Currently, the vendor has not issued a fix for this vulnerability; for an alternate solution please read the Secunia advisory below.

Reference:
http://secunia.com/SA12809

--

Georgi Guninski has found a Microsoft patch for a 2 year old vulnerability in Internet Explorer to be insufficient. The vulnerability, which was first discovered by GreyMagic Software, can be exploited by a malicious web site to read contents of XML files located on arbitrary web sites in the context of a user's session.

Reference:
http://secunia.com/SA12765

--

Microsoft Word is vulnerable to a buffer overflow, which potentially can be exploited to compromise a vulnerable system. Microsoft has not released a patch for this issue, and users are therefore advised to only open trusted documents.

In addition, for Internet Explorer users another attack vector is enabled, which increases the severity of this issue slightly. Please read the Secunia advisory below for details.

Reference:
http://secunia.com/SA12758

VIRUS ALERTS:

Secunia has not issued any virus alerts during the last week.

========================================================================

3) This Weeks Top Ten Most Read Advisories:

1. [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerability
2. [SA12304] Internet Explorer Address Bar Spoofing Vulnerability
3. [SA12321] Microsoft Internet Explorer Drag and Drop Vulnerability
4. [SA12806] Internet Explorer Multiple Vulnerabilities
5. [SA11978] Multiple Browsers Frame Injection Vulnerability
6. [SA12765] Microsoft Internet Explorer Disclosure of Sensitive XML Information
7. [SA12804] Microsoft Windows Multiple Vulnerabilities
8. [SA12048] Microsoft Internet Explorer Multiple Vulnerabilities
9. [SA12749] ASP.NET Canonicalization Vulnerability
10. [SA12027] Mozilla Fails to Restrict Access to "shell:"

========================================================================

4) Vulnerabilities Summary Listing

Windows:
[SA12806] Internet Explorer Multiple Vulnerabilities
[SA12808] Microsoft Windows Shell and Program Group Converter Vulnerabilities
[SA12807] Microsoft Windows SMTP Component Buffer Overflow Vulnerability
[SA12805] Microsoft Windows Compressed Folders Buffer Overflow Vulnerability
[SA12804] Microsoft Windows Multiple Vulnerabilities
[SA12802] Microsoft Windows NNTP Component Buffer Overflow Vulnerability
[SA12772] Crystal Reports JPEG Processing Buffer Overflow Vulnerability
[SA12801] Microsoft Windows WebDAV XML Message Handler Denial of Service
[SA12790] GoSmart Message Board SQL Injection and Cross-Site Scripting
[SA12789] IceWarp Web Mail Cross-Site Scripting Vulnerabilities
[SA12776] Monolith Multiple Games Buffer Overflow Vulnerability
[SA12803] Microsoft Windows NetDDE Buffer Overflow Vulnerability
[SA12816] Cabinet Tool "Cabarc.exe" Directory Traversal Vulnerability
[SA12765] Microsoft Internet Explorer Disclosure of Sensitive XML Information
[SA12799] Microsoft Windows NT RPC Runtime Library Vulnerability
[SA12759] Flash Messaging Server Denial of Service Vulnerability

UNIX/Linux:
[SA12820] Debian update for mpg123
[SA12811] ocPortal "index.php" Arbitrary File Inclusion Vulnerability
[SA12810] UnixWare update for libpng
[SA12782] Sun Solaris libXpm Vulnerabilities
[SA12781] Debian update for xfree86
[SA12777] Gentoo update for lesstif
[SA12763] Debian update for lesstif
[SA12762] Gentoo update for cyrus-sasl
[SA12819] Debian update for sox
[SA12779] Gentoo update for ncompress
[SA12770] BNC IRC Proxy Backspace User Identity Spoofing Vulnerability
[SA12797] Slackware update for rsync
[SA12795] Yeemp Spoofed Sender File Transfer Vulnerability
[SA12788] Unarj Directory Traversal Vulnerability
[SA12821] Fedora update for squid
[SA12812] UnixWare update for CUPS
[SA12791] Squid "asn_parse_header()" Function Denial of Service Vulnerability
[SA12784] Debian update for mysql
[SA12798] Debian update for cyrus-sasl
[SA12780] Gentoo update for ed
[SA12775] Gentoo update for gettext
[SA12774] GNU gettext Insecure Temporary File Creation Vulnerability
[SA12771] Fedora update for cyrus-sasl
[SA12768] Gentoo update for cups
[SA12767] Red Hat update for cyrus-sasl
[SA12761] Mandrake update for cyrus-sasl
[SA12778] renattach "pipe" Potential Shell Command Injection Security Issue

Other:

Cross Platform:
[SA12813] phpMyAdmin Unspecified Arbitrary Command Execution Vulnerability
[SA12800] Microsoft Excel Unspecified Code Execution Vulnerability
[SA12792] ZanfiCmsLite "index.php" Arbitrary File Inclusion Vulnerability
[SA12760] Cyrus SASL Library Buffer Overflow and "SASL_PATH" Privilege Escalation
[SA12809] Adobe Acrobat / Adobe Reader Disclosure of Sensitive Information
[SA12794] The ASN.1 Compiler Unspecified Security Issues
[SA12785] Turbo Traffic Trader Nitro Cross-Site Scripting and SQL Injection
[SA12773] Wordpress "wp-login.php" HTTP Response Splitting Vulnerability
[SA12769] Rippy the Aggregator Unspecified Filter Dependence Security Issue
[SA12766] RealNetworks Helix Universal Server Denial of Service Vulnerability
[SA12764] CubeCart "cat_id" SQL Injection Vulnerability
[SA12787] Apache2 mod_ssl SSLCipherSuite Security Bypass
[SA12786] CJOverkill "trade.php" Cross-Site Scripting Vulnerabilities
[SA12783] MySQL Two Vulnerabilities

========================================================================

5) Vulnerabilities Content Listing

Windows:

--

[SA12806] Internet Explorer Multiple Vulnerabilities
Critical: Extremely critical
Where: From remote
Impact: Spoofing, Exposure of sensitive information, System access
Released: 2004-10-12

Multiple vulnerabilities have been reported in Internet Explorer, where the most critical can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12806/

--

[SA12808] Microsoft Windows Shell and Program Group Converter Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-10-13

Two vulnerabilities have been reported in Microsoft Windows, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12808/

--

[SA12807] Microsoft Windows SMTP Component Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-10-12

A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12807/

--

[SA12805] Microsoft Windows Compressed Folders Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-10-12

eEye Digital Security has reported a vulnerability in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12805/

--

[SA12804] Microsoft Windows Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Privilege escalation, DoS, System access
Released: 2004-10-12

Multiple vulnerabilities have been reported in Microsoft Windows, which can be exploited to cause a DoS (Denial of Service), gain escalated privileges, or compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/12804/

--

[SA12802] Microsoft Windows NNTP Component Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-10-12

Core Security Technologies has reported a vulnerability in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12802/

--

[SA12772] Crystal Reports JPEG Processing Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-10-09

BusinessObjects has acknowledged a vulnerability in Crystal Reports, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12772/

--

[SA12801] Microsoft Windows WebDAV XML Message Handler Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-10-12

Amit Klein has reported a vulnerability in Microsoft Windows, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12801/

--

[SA12790] GoSmart Message Board SQL Injection and Cross-Site Scripting
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2004-10-11

Positive Technologies has reported some vulnerabilities in GoSmart Message Board, which can be exploited by malicious people to conduct SQL injection and cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/12790/

--

[SA12789] IceWarp Web Mail Cross-Site Scripting Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Unknown, Cross Site Scripting
Released: 2004-10-12

Some vulnerabilities have been reported in IceWarp Web Mail, where some can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/12789/

--

[SA12776] Monolith Multiple Games Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2004-10-11

Luigi Auriemma has reported a vulnerability in multiple games, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12776/

--

[SA12803] Microsoft Windows NetDDE Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2004-10-12

John Heasman has reported a vulnerability in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12803/

--

[SA12816] Cabinet Tool "Cabarc.exe" Directory Traversal Vulnerability
Critical: Less critical
Where: From remote
Impact: System access
Released: 2004-10-13

Jelmer has discovered a vulnerability in Cabinet Tool, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12816/

--

[SA12765] Microsoft Internet Explorer Disclosure of Sensitive XML Information
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2004-10-09

Georgi Guninski has reported that a two year old vulnerability has been reintroduced in Microsoft Internet Explorer and can be exploited by malicious people to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/12765/

--

[SA12799] Microsoft Windows NT RPC Runtime Library Vulnerability
Critical: Less critical
Where: From local network
Impact: Exposure of sensitive information, DoS
Released: 2004-10-12

BindView has reported a vulnerability in Microsoft Windows, which can be exploited by malicious people to cause a DoS (Denial of Service) or expose sensitive information.
Full Advisory:
http://secunia.com/advisories/12799/

--

[SA12759] Flash Messaging Server Denial of Service Vulnerability
Critical: Less critical
Where: From local network
Impact: Security Bypass, DoS
Released: 2004-10-08

Luigi Auriemma has reported a vulnerability in Flash Messaging server, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12759/

UNIX/Linux:

--

[SA12820] Debian update for mpg123
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-10-13

Debian has issued an update for mpg123. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12820/

--

[SA12811] ocPortal "index.php" Arbitrary File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-10-13

Exoduks has reported a vulnerability in ocPortal, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12811/

--

[SA12810] UnixWare update for libpng
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2004-10-13

SCO has issued an update for libpng. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12810/

--

[SA12782] Sun Solaris libXpm Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-10-11

Sun has acknowledged some vulnerabilities in Solaris, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12782/

--

[SA12781] Debian update for xfree86
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-10-11

Debian has issued an update for XFree86.
This fixes multiple vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12781/

--
[SA12777] Gentoo update for lesstif

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-10-11

Gentoo has issued an update for lesstif. This fixes multiple vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12777/

--
[SA12763] Debian update for lesstif

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-10-08

Debian has issued an update for lesstif. This fixes multiple vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12763/

--
[SA12762] Gentoo update for cyrus-sasl

Critical:    Highly critical
Where:       From remote
Impact:      Privilege escalation, System access
Released:    2004-10-08

Gentoo has issued an update for cyrus-sasl. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system and by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/12762/

--
[SA12819] Debian update for sox

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-10-13

Debian has issued an update for SoX. This fixes two vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12819/

--
[SA12779] Gentoo update for ncompress

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2004-10-11

Gentoo has issued an update for ncompress. This fixes an old vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/12779/

--
[SA12770] BNC IRC Proxy Backspace User Identity Spoofing Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Spoofing
Released:    2004-10-09

Yak has reported a vulnerability in BNC IRC proxy, which can be exploited by malicious users to spoof their identity.

Full Advisory:
http://secunia.com/advisories/12770/

--
[SA12797] Slackware update for rsync

Critical:    Less critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2004-10-12

Slackware has issued an update for rsync. This fixes a vulnerability, which potentially can be exploited by malicious users to read or write arbitrary files on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12797/

--
[SA12795] Yeemp Spoofed Sender File Transfer Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Spoofing
Released:    2004-10-12

A vulnerability has been reported in Yeemp, which can be exploited by malicious people to spoof their identity.

Full Advisory:
http://secunia.com/advisories/12795/

--
[SA12788] Unarj Directory Traversal Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2004-10-12

Doubles has reported a vulnerability in Unarj, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12788/

--
[SA12821] Fedora update for squid

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2004-10-13

Fedora has issued an update for squid. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12821/

--
[SA12812] UnixWare update for CUPS

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2004-10-13

SCO has issued an update for CUPS.
This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12812/

--
[SA12791] Squid "asn_parse_header()" Function Denial of Service Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2004-10-12

A vulnerability has been reported in Squid, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12791/

--
[SA12784] Debian update for mysql

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass, DoS, System access
Released:    2004-10-11

Debian has issued an update for mysql. This fixes multiple vulnerabilities, which can be exploited by malicious users to bypass certain security restrictions, cause a DoS (Denial of Service), and potentially compromise the system.

Full Advisory:
http://secunia.com/advisories/12784/

--
[SA12798] Debian update for cyrus-sasl

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-10-12

Debian has issued an update for cyrus-sasl. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/12798/

--
[SA12780] Gentoo update for ed

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-10-11

Gentoo has issued an update for ed. This fixes an old vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/12780/

--
[SA12775] Gentoo update for gettext

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-10-11

Gentoo has issued an update for gettext. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory:
http://secunia.com/advisories/12775/

--
[SA12774] GNU gettext Insecure Temporary File Creation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-10-11

A vulnerability has been reported in gettext, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/12774/

--
[SA12771] Fedora update for cyrus-sasl

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-10-09

Fedora has issued an update for cyrus-sasl. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/12771/

--
[SA12768] Gentoo update for cups

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2004-10-09

Gentoo has issued an update for cups. This fixes a vulnerability, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/12768/

--
[SA12767] Red Hat update for cyrus-sasl

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-10-08

Red Hat has issued an update for cyrus-sasl. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/12767/

--
[SA12761] Mandrake update for cyrus-sasl

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2004-10-08

MandrakeSoft has issued an update for cyrus-sasl. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/12761/

--
[SA12778] renattach "pipe" Potential Shell Command Injection Security Issue

Critical:    Not critical
Where:       From remote
Impact:      Unknown
Released:    2004-10-11

A security issue has been reported in renattach, which has an unknown impact, but potentially could allow execution of arbitrary commands.

Full Advisory:
http://secunia.com/advisories/12778/


Other:


Cross Platform:

--
[SA12813] phpMyAdmin Unspecified Arbitrary Command Execution Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-10-13

A vulnerability has been reported in phpMyAdmin, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12813/

--
[SA12800] Microsoft Excel Unspecified Code Execution Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-10-12

Brett Moore has reported a vulnerability in Microsoft Excel, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12800/

--
[SA12792] ZanfiCmsLite "index.php" Arbitrary File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-10-12

Cracklove has reported a vulnerability in ZanfiCmsLite, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12792/

--
[SA12760] Cyrus SASL Library Buffer Overflow and "SASL_PATH" Privilege Escalation

Critical:    Highly critical
Where:       From remote
Impact:      Privilege escalation, System access
Released:    2004-10-08

Two vulnerabilities have been reported in Cyrus SASL library, which can be exploited by malicious people to compromise a vulnerable system and by malicious, local users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/12760/

--
[SA12809] Adobe Acrobat / Adobe Reader Disclosure of Sensitive Information

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2004-10-13

Jelmer has discovered a vulnerability in Adobe Acrobat and Adobe Reader, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/12809/

--
[SA12794] The ASN.1 Compiler Unspecified Security Issues

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2004-10-12

Two security issues with unknown impacts have been reported in The ASN.1 Compiler.

Full Advisory:
http://secunia.com/advisories/12794/

--
[SA12785] Turbo Traffic Trader Nitro Cross-Site Scripting and SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2004-10-11

aCiDBiTS has reported some vulnerabilities in Turbo Traffic Trader Nitro, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/12785/

--
[SA12773] Wordpress "wp-login.php" HTTP Response Splitting Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-10-11

Chaotic Evil has reported a vulnerability in Wordpress, which can be exploited by malicious people to conduct script insertion and cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/12773/

--
[SA12769] Rippy the Aggregator Unspecified Filter Dependence Security Issue

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2004-10-09

A security issue with an unknown impact has been reported in Rippy the Aggregator.
Full Advisory:
http://secunia.com/advisories/12769/

--
[SA12766] RealNetworks Helix Universal Server Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2004-10-08

A vulnerability has been reported in Helix Universal Server, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12766/

--
[SA12764] CubeCart "cat_id" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2004-10-08

Pedro Sanches has reported a vulnerability in CubeCart, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/12764/

--
[SA12787] Apache2 mod_ssl SSLCipherSuite Security Bypass

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2004-10-11

A security issue has been reported in Apache2, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/12787/

--
[SA12786] CJOverkill "trade.php" Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2004-10-11

aCiDBiTS has reported some vulnerabilities in CJOverkill, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/12786/

--
[SA12783] MySQL Two Vulnerabilities

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass, DoS
Released:    2004-10-11

Two vulnerabilities have been reported in MySQL, which can be exploited by malicious users to bypass certain security restrictions or cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12783/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

========================================================================

From isn at c4i.org Fri Oct 15 06:28:45 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Oct 15 06:38:37 2004
Subject: [ISN] Prosecutor resigns over hacked PC
Message-ID:

Forwarded from: Jan Meijer

Hi,

Couple of small clarifications:

On Thu, 14 Oct 2004, InfoSec News wrote:

> http://www.theregister.co.uk/2004/10/13/dutch_prosecutor_hacked/
>
> By Jan Libbenga
> 13th October 2004
>
> A leading Dutch prosecutor resigned yesterday after hackers entered
> his mail box and revealed yet another classified letter addressed to
> the public prosecutor's office.
>
> This was the second security lapse in recent days for Joost Tonino,
> a specialist prosecutor in white collar crime. Just last week Tonino
> was left red faced after it emerged he had put his old PC out with
> the trash. The hard disk, which should have been destroyed,
> contained hundreds of pages of confidential information about high
> profile cases, as well as his credit card number, social security
> number and personal tax files.

A social security number in .nl doesn't get you as much profit as I believe it does in .us.

> A taxi driver who discovered the PC decided to sell the information
> to a Dutch TV crime reporter, who last week revealed on Dutch
> television what was on the hard disk. The reporter also managed to
> open his email

It's nicer than that. The taxi driver tried to sell it to the local Amsterdam TV station AT5. The chief editor of the local news program refused it.
Rumour goes this was because his wife holds a position (what I forgot :( at the same court Tonino worked. After he saw there was no money in it the taxi driver went to the crime reporter. The other editors at the local TV station now want their chief to leave.....

> box. Although Tonino changed his password immediately after this
> painful incident, Dutch hackers were able to get access to his mail
> box and published yet another letter by Tonino on a Dutch weblog. In
> this letter Tonino downplayed the importance of the information
> found on his PC, claiming "it was material of little importance".

His email account was hacked. Which is illegal. And will be prosecuted. One still wonders why a prosecutor has a private email account that is easy to hack according to the kiddies, why proper security measures were not used on his home PC and why he uses his private email account for work related matters (one can guess, this is probably due to prohibitive security measures at his work account preventing him from being productive....).

Jan

--
http://www.surfnet.nl/organisatie/jame

From isn at c4i.org Fri Oct 15 06:29:04 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Oct 15 06:38:38 2004
Subject: [ISN] 'Trustworthiness' still a goal for Microsoft
Message-ID:

http://www.nwfusion.com/news/2004/1013trusstill.html

By Paul Roberts
IDG News Service
10/14/04

January 15, 2005 - a Saturday - will almost certainly pass quietly on the bucolic Redmond, Wash., campus of Microsoft. But for those in the field of information technology security, who often make a sport of following the company's struggles to secure its products, the date is certain to attract some notice: it's the third anniversary of a now-famous internal Microsoft e-mail dubbed the "Trustworthy Computing" memo.
Three years after the release of the 1,500 word memo from the company's founder and Chief Software Architect, Bill Gates, those inside and outside Microsoft credit Trustworthy Computing with setting in motion vast changes that have improved the security of many of Microsoft's products. At the same time, customers and industry experts wonder aloud whether Microsoft will ever fully realize Gates' vision, taming the company's massive stores of legacy software code and reconciling its desire to please consumers with its duty to protect them from threats.

Addressed to all full-time employees at Microsoft and its subsidiaries, Gates' Trustworthy Computing memo announced an ambitious program to make Microsoft's technology more secure and reliable, and signalled a profound change in the culture of the world's leading software maker.

In it, Gates re-oriented the priorities of the company he founded in 1978, and which made him into the world's richest man in the 1990s by turning out easy-to-use software applications that were tightly integrated with the company's dominant Windows operating system.

Written just months after the Sept. 11, 2001 terrorist attacks in the U.S., the Trustworthy Computing memo likened the need to secure his company's software to the new imperatives of securing the nation's critical infrastructure such as airlines, electrical, telephony and water services.

Compared to the reliability of such critical services, "computing falls well short," Gates said, noting that the insecurity and instability of computing systems had a subtle but pernicious effect on technology adoption.

As explained by Gates in the memo, four important aspects comprised the new initiative: availability, security, privacy and trustworthiness.
On the issues of availability and security, Gates proposed an end to two of the most frequently heard complaints about his company's software: that it crashed far too frequently, and that it was riddled with vexing security holes that exposed customer information to harm.

Microsoft should also protect the privacy of its customers' data and allow them to control how their data is used, Gates said.

Finally, Microsoft needed to look beyond bugs and availability, creating an industry-wide computing ecosystem that was "trustworthy" from "smart" software and services down to the processor chip, Gates said.

Within Microsoft, the memo "absolutely changed the mindset of the company," said Gytis Barzdukas, director of product management in Microsoft's Security Business and Technology Unit.

Barzdukas worked in Microsoft's Office product group when the memo was sent. As an example, he recalls halting development on Version 11 of Microsoft Office, the company's most profitable product, for an entire month in 2003 to conduct a security review of all Office components.

That kind of decision would have been unheard of in the go-go days of the 1990s, when Microsoft's focus was on shipping its products fast and on crushing the competition, such as rival Web browser Netscape, with key features, said John Pescatore, vice president at Gartner.

"Microsoft was of the opinion that nobody cared about security - what they wanted was integration ... something so easy that (their grandmother) can use it," he said.

At the organizational level, Microsoft shook up its product-focused development groups, creating the cross-product Trustworthy Computing group to develop policies for the entire company. Security experts in that group consult with Microsoft's key customers in the private and public sectors, and provide guidance on developing security strategy and architecture for Microsoft products, he said.

Internally, the company also devoted resources and people to security.
For example, in addition to stopping development on both its Windows and Office products for a review of code security, Microsoft began investing more energy and resources into automated code scanning tools that can spot the mistakes that create security vulnerabilities in the company's products, Barzdukas said.

The result has been a 69% reduction in the number of critical security vulnerabilities in bulletins since Trustworthy Computing began, he said.

In three years, Microsoft has also trained legions of security experts within the company's ranks. To date, the company has more than 400 employees on staff with Certified Information Systems Security Professional (CISSP) certification, compared with just a dozen before the Trustworthy Computing memo was released, Barzdukas said.

For its consumer and enterprise customers, Microsoft also streamlined its processes for distributing software updates and emergency security patches. The company began aggressively pushing its automatic software update, available with the Windows 2000 and subsequent operating system releases. To date, the company has increased the number of people using the Autoupdate feature by between 300% and 400%, Barzdukas said.

Microsoft also improved its policies for releasing security patches, moving from a scattershot system of "as needed" software updates to a predictable, monthly schedule of software security updates and a clearly articulated rating system for security updates.

On the subject of "trustworthiness," Microsoft has taken pains to share information and best practices with other companies in industries such as antivirus software, Barzdukas said.

Today, the company takes an active role in a number of industry groups, from the Virus Information Alliance, a group of leading antivirus and e-mail security companies that share information on new virus outbreaks, to the Global Infrastructure Alliance for Internet Safety, a security-focused working group of global ISPs.
The company also took the lead on important industry standards, including WS Security, a Web services security standard Microsoft co-authored with IBM, and Sender ID, an e-mail sender authentication standard that the company has aggressively promoted to ISPs and e-mail technology companies as a partial fix for phishing scams and spam.

Perhaps the biggest accomplishment of Trustworthy Computing, though, has been making security matter - not just to the company's founder, but to its executives and product managers, Gartner's Pescatore said.

Citing a recent visit to the Redmond campus to discuss the upcoming release of the company's SQL Server product, code named "Yukon," Pescatore said that security is still one of the top three features of the product.

That continued focus on security will, over time, foster a more security-conscious culture at Microsoft, Pescatore said.

Jeff Payne, CEO of Cigital in Dulles, Va., which provides software security consulting, agrees with that assessment.

"Trustworthy computing has started to get (Microsoft) to realize that you have to balance speed to market with the security people expect," he said.

Microsoft's investments in technology and processes since the Trustworthy Computing memo came out have made life easier for John Halamka, CIO at CareGroup Healthcare System in Boston.

Halamka said that CareGroup hospitals, such as the Beth Israel Deaconess Hospital in Boston have had fewer issues with security breaks and viruses in recent years, due in part to Microsoft's improved patch delivery program and what appears to be tighter software development practices.

"You don't get the egregious (software holes) that you used to get in beta releases. It seems like they've put a significant amount of research and development dollars into better security and to ensure the integrity of their core products," Halamka said.

Payne voiced a similar opinion.
"The severity of (Microsoft) bugs and issues in patches has been going down significantly - and that's what you want to see happen," he said. Despite unquestioned improvements in both the security of its products and its internal processes for addressing security issues, however, Microsoft is still far from realizing the vision set out by Gates in the Trustworthy Computing memo, experts agree. Chief among the challenges facing the software giant is shoring up the millions of lines of existing, or "legacy" computer code, some of it dating back to the early or mid-1990s. "The big problem (Microsoft) has is just that Windows has been so bad for so long. There's a huge mass of (insecure) code," Pescatore said, noting that the company's decades-old obsession with features and integration is to blame. "Lots of Microsoft's strategy entailed jamming applications into the operating system - a Web browser, a media player - and that violates the principle that keeping something small makes it more secure than something big," he said. "They're trying very hard," said CareGroup's Halamka, "but they're also fighting the legacy of highly complex code that's going to make ongoing maintenance of their products hard." At a deeper level, Microsoft also has to find a way to reconcile the diverging needs of its two main customer groups: consumers and businesses, Pescatore and others said. "If you think about how Microsoft became great, it was by putting control in the hands of users - helping users overcome the IT organization that wanted everything to run on a mainframe in the basement," Pescatore said. However, in enterprise computing, putting power in the hands of users is the last thing IT administrators want, and Microsoft essentially sells the same products to both groups, he said. The August release of a massive software update for the Windows XP operating system was a good example of Microsoft's often awkward attempts to meet the needs of both communities. 
Almost two years in the making and months overdue, Windows XP Service Pack 2 (SP2) featured a new security interface, a much-enhanced version of the Windows firewall and a number of configuration changes that make it harder for Windows systems to be compromised.

The update was good news for most home users of Windows, whose machines make up the bulk of compromised hosts on the Internet.

However, security experts and even Microsoft itself began warning well in advance of SP2's release that some changes could affect other installed software.

Almost as soon as the update was available to Microsoft's enterprise customers, companies - including IBM - warned their employees not to download it, for fear that installing SP2 would break or destabilize critical enterprise applications.

Microsoft also found itself in hot water over its decision to push out the 75M-byte to 100M-byte update to user desktops through its automatic update feature, potentially circumventing the IT policies of many of its enterprise customers, and causing a huge bandwidth crunch.

Seemingly unaware that many enterprises used the automatic update feature to distribute software patches to their users, Microsoft was forced to delay distribution of SP2 over automatic update for nine days, while customers used a Redmond-developed tool to deactivate the delivery of SP2 using the automatic update feature.

Microsoft also faces challenges on the issue of "trustworthiness," experts agree.

While ostensibly agnostic in its efforts to promote better security across the computing world, Microsoft has also engaged in a war of words with the open source software community over the question of whether its proprietary software is less secure than Linux.

In recent years, Microsoft funded a study by Forrester Research Inc. that found Linux more expensive to develop applications for than Windows.
The company also raised eyebrows when it purchased $21 million in licenses from Unix provider The SCO Group in May 2003, shortly before that company renewed threats to sue IBM over portions of the Linux code SCO claims to own.

On the question of standards, Microsoft is still widely perceived as a company that wants to go its own way and use its dominance of the desktop operating system market to force adoption of its own standards, Pescatore said.

An example of this can be found in its strong backing of the Sender ID e-mail sender authentication, a nascent standard that Microsoft is aggressively promoting.

The company won praise from the standards community after it agreed to combine a Redmond-developed technology standard called Caller ID with a very similar technology called Sender Policy Framework, developed by Meng Weng Wong at e-mail forwarding company Pobox.com.

However, the merged Sender ID standard soon ran into trouble after talks between Microsoft and leading open-source software groups to resolve concerns about patent and licensing issues with the proposed standard broke down, prompting the Internet Engineering Task Force and major corporate backers, such as AOL, to withdraw support.

From isn at c4i.org Fri Oct 15 06:29:15 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Oct 15 06:38:40 2004
Subject: [ISN] Oracle Warns of Critical Exploits
Message-ID:

http://www.eweek.com/article2/0,1759,1676500,00.asp

By Lisa Vaas
October 14, 2004

Critical Oracle Corp. technology vulnerabilities have been publicly exploited, the company advised in a recent security update that urged users to apply the patches contained in its Security Alert 68. [1]

"Oracle is aware of public exploits (as indicated in the latest version of the alert) for several of the vulnerabilities, and more exploits may be created," the company said in the e-mail alert. "Security Alert 68 is a critical security update and should be applied as soon as possible."
The vulnerabilities were addressed in the Redwood Shores, Calif., company's first monthly patch rollup, which was released on Aug. 31.

At the time this story was posted, Oracle had not returned phone calls seeking details of the exploits.

The vulnerabilities in question, however, included the potential for buffer overflow attacks, SQL injection techniques for gaining access to Oracle databases, and the ability for a remote attacker to take advantage of a known, default user account and password.

Other flaws allow databases to be exploited by regular users, who can crash the database or escalate privileges to administrator level.

Multiple versions of Oracle's Database Server, Application Server and Enterprise Manager software are at risk.

Security experts and Oracle watchers are pricking up their ears as they spot message board posts such as this one that request further information on the bugs.

"If this increases or the information becomes more readily available, then some companies are going to have problems," said a Weblog [2] entry posted by the Oracle security company PeteFinnigan.com Ltd. "Exploits are not just used by Internet-based hackers; they can also be used internally by employees."

[1] http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf
[2] http://petefinnigan.com/weblog/entries/index.html

From isn at c4i.org Fri Oct 15 06:29:37 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Oct 15 06:38:42 2004
Subject: [ISN] Thoughts About "Protection Against BIND"
Message-ID:

http://www.circleid.com/article/774_0_1_0_C/

By Paul Vixie
Oct 11, 2004

Imagine my surprise upon reading a BBC article which identified ISC BIND as the top security vulnerability to UNIX systems. At ISC, we have striven for a decade to repair BIND's reputation, and by all accounts we have made great progress.

"What could this be about," I wondered, as I scanned the BBC article for more details. It turns out that BBC was merely parroting what it had been told by SANS.
OK, let's see what SANS has to say:

Top Vulnerabilities to UNIX Systems (U)
U1. BIND Domain Name System

Ouch! So at this point I'm asking, "OK, what have we done wrong this time?"

U1.1 Description

The Berkeley Internet Name Domain (BIND) package has become the world's most widely used implementation of the Domain Name Service (DNS). DNS is a critical system that facilitates the conversion of hostnames (e.g. www.sans.org) into the corresponding registered IP address.

Yeah, yeah, so far, so good. What's the problem, though?

Due to the ubiquity and critical nature of BIND, it has been made the target of frequent attack.

Ubiquity isn't a vulnerability, though... So, I kept reading:

Denial of Service (DoS) attacks, which generally result in a complete loss of naming services to Internet sites, have long plagued BIND.

Um. Actually, DDoS attacks do not plague BIND. In fact, DDoS attacks have nothing to do with BIND per se -- a DDoS is an attack on a network, and will affect all services offered by that network, including web services like those offered by Amazon and eBay. So, what can they mean? Are they among the many people who are confused about the difference between BIND (which is software) and DNS (which is a protocol and a service)? In other words, do they really mean that DDoS attacks have long plagued DNS? If so, then the mystery actually just deepens. UltraDNS and Akamai both offer DNS services and both of them wrote their own software (so, they are not running BIND), yet both of them have been the victim of high profile DDoS attacks which affected very visible customers including Google. Why would SANS single out BIND as a DDoS target, when DDoS attacks are not against software, and recent DDoS attacks against DNS have not involved BIND? So, still mystified, I kept reading:

Various other attacks such as buffer overflows and cache poisoning have been discovered within BIND.

Well, OK, they've got that part right at least.
The BIND software that was part of BSD was terrible. And after wrestling with it for a decade, ISC decided to rewrite it from scratch. The result, BIND9, is pretty solid.

Although the BIND development team has historically been quick to respond to and/or repair vulnerabilities, an excessive number of outdated, mis-configured and/or vulnerable servers still remain in production.

By the above-quoted text, this whole article is due to older versions of BIND and mis-configured servers running BIND, yet the title of the article was simply "BIND Domain Name System". This seems somewhat disingenuous. But I kept reading.

A number of factors contribute to this condition. Chief among them are administrators who are not aware of security upgrades, systems which are running the BIND daemon (called "named") unnecessarily, and bad configuration files. Any of these can effect a denial of service, a buffer overflow or DNS cache poisoning.

Yes, that's all true. I heard someone from Microsoft say that if they could just get people to upgrade from Win/95 and apply published patches, the whole Internet would be safer. And that's also true. I don't quite understand SANS's reason for mentioning it, though. "Unpatched Or Misconfigured Software Is Unsafe" is not exactly headline news. But if they like that one, how does "Either A Democrat Or A Republican Will Be Next U.S. President" sound? It's disturbing, it's true, and everybody already knows it, so, "so what?" But you've got to understand something -- I know some people who work at SANS and those people -- the ones I know -- are not idiots. So, I kept reading:

Among the most recently discovered BIND weaknesses was a denial of service discussed in CERT Advisory CA-2002-15. In this case, an attacker could send specific DNS packets to force an internal consistency check which itself is vulnerable, causing the BIND daemon to shut down.
Another was a buffer overflow attack, discussed in CERT Advisory CA-2002-19, in which an attacker could utilize vulnerable implementations of the DNS resolver libraries. By sending malicious DNS responses, the attacker could exploit this vulnerability and execute arbitrary code or even cause a denial of service.

I love this! Thank you, SANS, for helping to get the word out. We've been telling our vendors and our user community to stop running or shipping BIND versions containing these vulnerabilities for years now. Several years, in fact. Ever since we cooperated in disclosing and repairing those problems. But it's 2004, and those two vulnerabilities were published in 2002, so why would it make any sense to announce them in 2004? Are they still newsworthy?

A further risk is posed by a vulnerable BIND server, which may be compromised and used as a repository for illicit material without the administrator's knowledge, or in stepping-stone attacks which use the server as a platform for further malicious activity.

I hate this! Damn you, SANS, for making me remember the fictional State Science Institute and its condemnation-without-facts of Rearden Metal. For the record, there has never been an exploit of the kind you're describing in any version of BIND9, and there is no known exploit of this kind in the latest version of BIND8, or even the latest BIND4.

OK, so by this point in reading SANS's article, I'm angry, and I'm starting to think of the article as a "hit piece". But I kept reading:

U1.2 Operating Systems Affected

Just about every UNIX and Linux system is distributed with some version of BIND. The installation of BIND can be intentional for server purposes or unintentional in a general installation. A binary version of BIND is also available for the Windows platform.

It is widely considered to be good practice to run a non-authoritative BIND server on every host, for the purpose of caching-for-reuse all data fetched from the global DNS.
And for the record, full buildable open source code is available for BIND on Windows -- not just binaries. "What can they be thinking?" is what I was thinking at this point. Onward:

U1.4 How to Determine if you are Vulnerable

Any DNS server running a version of BIND that was bundled with the operating system should be compared against the current patches released by the appropriate vendor. If a running version of BIND is compiled from source from the Internet Software Consortium (ISC), it should be checked to ensure it is the latest version. Outdated and/or un-patched versions of BIND are most likely vulnerable.

All true, every word of it.

On most system implementations, the command "named -v" will show the installed BIND version enumerated as X.Y.Z where X is the major version, Y is the minor version, and Z is a patch level. Currently the three major versions for BIND are 4, 8 and 9. If one is running a BIND server built from source, one should avoid using version 4, opting instead for version 9. You can retrieve the latest source, version 9.3.0rc2, from the ISC.

Actually, the latest version is 9.3.0 (it's not just a release candidate any more). But it's sure nice to hear them calling us ISC. Just "ISC", though, please, and never "the ISC". (A lawyer told me to say that.)

A proactive approach to maintaining the security of BIND is to subscribe to customized alerting and vulnerability reports, such as those available from SANS or by keeping up with advisories posted at OSVDB. In addition to security alerts, an updated vulnerability scanner can be highly effective in diagnosing any potential vulnerabilities within DNS systems.

Or, interested parties could join ISC's BIND Forum, with or without the Advanced Security Notification option. You'll not only get the straight scoop on upcoming releases, you can help set our priorities, and help pay the production cost of BIND.
We (ISC) are a nonprofit corporation, and BIND is completely free software -- more free even than FSF/GNU/Linux, since it can be bundled or repackaged or otherwise redistributed with or without source code, and with no license or royalty payments of any kind.

Or, interested parties could engage ISC in a support contract for BIND, which would include several of the above-described benefits of our BIND Forum, but would also get you high-quality phone/e-mail support. (I'm not just setting the record straight -- a lot of folks just don't know about ISC's BIND Forum and BIND Support offerings.) Onward:

U1.5 How to Protect Against It

OK, wait just a minute. They've got a section entitled "How to Determine if you are Vulnerable" and now one entitled "How to Protect Against It" and the "it" in question is (from the title of this article) "BIND Domain Name System". Do folks really need to determine if they are vulnerable to BIND? And, for that matter, do folks really need to be protected against BIND? But I digress. Fortunately we're almost at the end of this thing. Onward:

To generally protect against BIND vulnerabilities:

Disable the BIND daemon (called "named") on any system which is not specifically designated and authorized to be a DNS server.

This would be a mistake. If your local DNS policy makes every workstation and every server into its own "caching recursive forwarding name server" then you are helping yourself and helping the Internet and you shouldn't stop just because SANS tells you to. But one of the other things they recommend is a great idea:

Apply all vendor patches or upgrade DNS servers to the latest version. For more information about hardening a BIND installation, see the articles about securing name services as referenced in CERT's UNIX Security Checklist.

For patches and checklists, you can also just visit ISC's BIND Home Page at . ISC publishes links to useful things about BIND configuration, even if they originate elsewhere.
To complicate automated attacks or scans of a system, hide the "Version String" banner in BIND by replacing the actual version of BIND with a bogus version number in the "named.conf" file options statement.

This is just foolishness. Any attacker whose age requires more than one digit to describe will just "fingerprint" your system, including your kernel and all of your services including DNS. They don't need to know what version string you report, and they wouldn't believe it, and they've stopped asking. And SANS ought to *know* that; moreover, they ought to be telling *you* that.

Permit zone transfers only to secondary DNS servers in trusted domains.

I'm not sure what this means but I think I don't like the sound of it. You should not do anything special about parent or child domains -- just create them, properly delegate them, and let DNS figure out where they are and how to reach them.

Jail: To prevent a compromised BIND service from exposing one's entire system, restrict BIND so that it runs as a non-privileged user in a chroot()ed directory. For BIND 9, see: http://www.losurs.org/docs/howto/Chroot-BIND.html

This is a great idea, which is why we have it as a standard BIND9 feature, and why we describe it in the standard BIND documentation.

Disable recursion and glue fetching to defend against DNS cache poisoning

I think that what they mean is "don't run authority service and recursive service in the same name server", and this is good advice. It's so good in fact that we wrote about it in , specifically ISC-TN-2002-2. Yup, two years ago. I guess it isn't news?

To protect against recently discovered BIND vulnerabilities:

For the Denial of Service Vulnerability on ISC BIND 9: http://www.cert.org/advisories/CA-2002-15.html

I'm sorry, I know this sounds catty, but... 2002 is "recent"?

Multiple Denial of Service vulnerabilities on ISC BIND 8: http://www.isc.org/products/BIND/bind-security.html

Better still, just don't run BIND8 now that BIND9 is solid.
But the URL they give makes good reading, even if I do say so myself.

Cache poisoning via negative responses: http://www.kb.cert.org/vuls/id/734644

OK, to give SANS credit, they found something that's less than two years old. However, it's in BIND8. Oops. You should all upgrade to BIND9 now. Even FreeBSD now ships BIND9 as their default name server. BIND8 is dead! Long live the king!

There exist many excellent guides to hardening BIND. One excellent guide on hardening BIND on Solaris systems, as well as additional references for BIND documentation, can be viewed at Running the BIND9 DNS Server Securely and the archives of BIND security papers available from Afentis. You can also view documentation covering general BIND security practices.

Those are good articles. But Jacco's site at is also very good, and includes all kinds of useful links. Education is good.

Administrators can also look at alternatives to BIND such as DJBDNS located at http://cr.yp.to/djbdns.html.

OK, so some of you were wondering why I bothered to respond to this obvious "hit piece" written by someone without much background in the field -- maybe the same yet-to-be-fired marketing wizard who came up with the name "Internet Storm Center" when the term ISC had another, much stronger, much older, meaning. I was going to Just Hit Delete -- something you should never do with spam, by the way! Until I saw the DJBDNS reference.

Mr. Bernstein has what could politely be called a grudge against... well, almost everybody. His software seems to work, and it has a loyal and committed user base. But if you're going to look at alternatives to BIND, you need more options, and you need a better reason. For more options, check out Nominum's ANS and CNS products, and NLNetLabs' "NSD", and Cisco's DNS/DHCP Manager, and Microsoft's Advanced Server product. (I'm sorry if I'm leaving somebody out, that's off the top of my head.)
For a better reason, discard "I don't want to have to learn about patches and apply them every year or two" since no vendor will ever be able to guarantee this. If you want help staying patched, talk to ISC about BIND support, or talk to your operating system vendor, or talk to your ISP. Help is out there.

My faith in and charity toward SANS has taken a sharp step downward today.

Paul Vixie
Maintainer/author, BIND4.9 - BIND8.1
Co-founder and President, ISC

From isn at c4i.org Mon Oct 18 02:23:04 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 18 02:49:08 2004
Subject: [ISN] Infowarrior-L Subscriber Refresh
Message-ID:

[Due to a catastrophic event with Rick's hardware, he is forced to rebuild the INFOWARRIOR list. So if you were on his list, follow the instructions below, and if you were never aware of his list before, now might be a good time to sign-up! - WK]

-=-

Richard Forno's INFOWARRIOR-L List FAQ 4.1 (15 Oct 04)

The list is relatively low-volume (a few messages per day) and subscribers include journalists, geeks, political folks, and other interested people. Items covered include distributing new commentary, articles and other items of interest in the technology, security, policy, and current events areas. Currently, this is an announce-only list - if you want an item posted, send to me for consideration. - Richard Forno

SUBSCRIBE by sending email to lists@infowarrior.org with SUBSCRIBE INFOWARRIOR in the Subject field.

UNSUBSCRIBE by sending email to lists@infowarrior.org with UNSUBSCRIBE INFOWARRIOR in the Subject field.

From isn at c4i.org Mon Oct 18 02:23:25 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 18 02:49:10 2004
Subject: [ISN] On Trial - Prosecuting cybercrime puts your organization--and your security--on the hot seat.
Message-ID:

http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss486_art1001,00.html

By Carole Fennelly
October 2004

Attorney: Is it fair to say that, prior to March 24, 2000, you were not aware of [a] bug that allowed someone to enter the system?

Bloomberg: That's correct. It's not just someone. You would have to work pretty hard to do it and have to be reasonably competent to do it.

Attorney: Would it be fair to say that that bug was a dangerous threat to the security of your system?

Bloomberg: Absolutely.

-Testimony of Michael Bloomberg, U.S. v. Zezev

New York City Mayor Michael Bloomberg endured more than an hour of cross-examination during the 2003 criminal trial of Oleg Zezev, a Russian citizen later convicted of hacking Bloomberg LLP's network and making extortion demands. Bloomberg didn't make excuses for weaknesses in the company's digital infrastructure. He met the issue head-on. Is your CEO prepared to do that?

Your company will undergo intense scrutiny if a case against a cybercrime suspect goes to trial. Your employees, from the IT staff to the corner office, will be cross-examined by defense attorneys, who will attack their competence, challenge their statements and attempt to discredit corporate policies and processes. Internal, often sensitive, documents and information may become part of the public record, and, if the case generates enough buzz, it's fair game for CNN and The New York Times.

When your company takes the stand, you're asking for an open--and very public--security audit. Although you can't control everything that goes on in the courtroom, you can prepare your employees for the concentrated defense questioning. If your IT security policies are strong, and if you have solid incident response plans, you'll be ready for the onslaught. If not, your secrets and flaws may be exposed in the worst possible light.
Fair Game

Prosecutors rely on corporate cooperation to convict cybercriminals, and most will try to limit the admissible evidence to avoid unnecessarily embarrassing the company or revealing sensitive information. Through the discovery process, the defense counsel has access to all seized evidence and can subpoena anything that may show negligence or weaken the case--possibly revealing holes in IT security policies, processes and infrastructure. If your security is weak, it's much more difficult to prove that a particular individual was responsible for the crime.

Much of what happens in court is dependent on pretrial maneuverings--when admissibility is argued and judges rule on motions to suppress evidence. This is the stage at which you can try to avoid exposing sensitive corporate security data.

"The company can communicate the big stuff that it doesn't want to come out--company trade secrets, information about response policies or vulnerabilities--to the [law enforcement] agent," says Richard Salgado, former senior counsel with the Computer Crime and Intellectual Property Section of the U.S. Department of Justice. "A motion may be made to exclude that kind of questioning."

[...]

From isn at c4i.org Mon Oct 18 02:23:40 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 18 02:49:11 2004
Subject: [ISN] Expert: Online extortion growing more common
Message-ID:

Forwarded from: "security curmudgeon"

: http://news.com.com/Expert+Online+extortion+growing+more+common/2100-7349_3-5403162.html
:
: By Dan Ilett
: Special to CNET News.com
: October 8, 2004
:
: "Six or seven thousand organizations are paying online extortion
: demands," Alan Paller said at the SANS Institute's Top 20
: Vulnerabilities conference in London. "The epidemic of cybercrime is
: growing. You don't hear much about it because it's extortion, and
: people feel embarrassed to talk about it."

If they don't like to talk about it, where does the figure of 6,000 to 7,000 come from?
Is there any real basis for this number or is this a complete ballpark guess based on a few news articles mentioning it?

: "Every online gambling site is paying extortion," Paller asserted.
: "Hackers use DDoS (distributed denial-of-service) attacks, using
: botnets to do it. Then they say, 'Pay us $40,000, or we'll do it again.'"

Seems like that kind of money could buy you a pretty fat pipe to sit on and would potentially mitigate all but the hardcore attacks? Or let you hire someone that is familiar with such attacks to help you better prepare for them? Or encourage your ISP to buy more bandwidth or hire someone that can help address the problems? And if these sites aren't doing that, and they aren't reporting the crime then they deserve what they get.

Paying off the DDoS crews is only encouraging them. If it is that foolproof of a money making scheme for them, why are they going to stop? If law enforcement is involved in the case it seems like they will have a significant chance of determining who is involved the first time they monitor a company paying off the attackers.

: Paller called for tech companies to do better. He said that security
: vulnerabilities are vendors' responsibility to fix and that their
: products should reflect the suggestions associated with the SANS top 20
: vulnerabilities list.

Uh.. how do the SANS Top 20 vulnerabilities affect or mitigate DDoS attacks? The 10 Windows and 10 Unix are fairly specific, and none of them cover protecting against a DDoS attack. This 'news' piece quickly becomes a glorified product pitch.

: "Applications breaking after patching is the operating system vendor's
: fault," he said. "They tell developers to build applications on
: unprotected systems. But the other half of the game is that application
: vendors should have to test their products on safer systems. You do
: that with procurement."

Yes, get more money and then spend it on an organization such as SANS I'm guessing.
*yawn*

From isn at c4i.org Mon Oct 18 02:23:56 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 18 02:49:13 2004
Subject: [ISN] NSA plots software center
Message-ID:

http://www.fcw.com/fcw/articles/2004/1011/web-manh-10-15-04.asp

By Florence Olsen
Oct. 15, 2004

The National Security Agency's top information security official disclosed plans this week for a government-funded research center devoted to improving the security of commercial software, calling the initiative a modern-day Manhattan Project.

Comparing the proposed high-assurance software initiative to the famous atomic bomb research project of the 1940s, NSA's director for information assurance, Daniel Wolf, said the research would focus on tools and techniques for writing secure software and detecting malicious code hidden in software.

Before NSA officials can create the center, the Defense secretary must approve the concept and find money for the project, Wolf said. He gave the keynote address at the Microsoft Corp. Security Summit East in Washington, D.C., earlier this week.

The quality and trustworthiness of commercial software has become a matter of increasing concern to NSA officials, who are responsible for the security of Defense Department and intelligence software. NSA officials anticipate that many companies on whose software DOD and intelligence users rely will be moving significant portions of their commercial software development overseas within a few years.

NSA officials cannot force companies to develop software a certain way, Wolf said, "but we would like to get them to a point where they are producing commercial products that meet the needs of our users." About 95 percent of the agency's desktop PCs run Microsoft's Windows operating system, Wolf said.
The high-assurance software center would have a small staff of researchers who would work with other researchers at NSA, the Defense Advanced Research Projects Agency, the Homeland Security Department, the National Institute of Standards and Technology, federally funded research centers, academic institutions, and corporations.

"We talk about something like a Manhattan Project because of the magnitude of what we're trying to do," Wolf said. Creating commercial software of high quality and trustworthiness is immensely difficult using existing tools and techniques, he said. "You want software that does all the things that it is supposed to do and nothing more," he said.

It is especially difficult to know whether commercial software contains hidden malicious code. Current detection tools produce too many false positives, he said.

As an agency, NSA has 50 years' experience with writing cryptographic code, Wolf said. "What we bring to the table is the ability to analyze software and find vulnerabilities," he said.

From isn at c4i.org Mon Oct 18 02:24:12 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 18 02:49:15 2004
Subject: [ISN] Feds create new force to fight cyber-terrorism
Message-ID:

http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/1097878208404_93287408/?hub=SciTech

Canadian Press
Oct. 15, 2004

OTTAWA - A high-level national task force is being assembled to help Canada steel its defences against potential cyber-attacks by terrorists.

The head of Canada's electronic spy agency said the panel of private- and public-sector officials will help the country catch up to the United States in securing cyberspace.

Communications Security Establishment chief Keith Coulter noted Washington has already begun moving to protect their own key grids and networks.

"From my perspective, it is essential that we take this step as well," Coulter said Friday in a speech to members of the Canadian Association for Security and Intelligence Studies.
Elements of Canada's critical infrastructure -- including power grids, hospitals, banks and other businesses -- rely on digital networks to conduct their affairs, he said. Shoring up those systems cannot be accomplished by the federal government alone, he added.

The national task force, now being planned by the Public Safety Department, will be established in the coming months.

CSE, perhaps Canada's most secretive agency, has the dual role of helping protect crucial information-technology systems and eavesdropping on foreign communications.

Coulter noted Canada's recently released national security policy commits it to strengthening its approach to cyber-protection. "As the policy points out, the threat of cyber-attacks is real, and the consequences can be severe."

As part of its mission, CSE collects and processes telephone, fax and computer communications of foreign states, corporations and individuals. The federal government uses intelligence sifted from the data to support troops abroad, catch terrorists and further Canada's economic goals.

Coulter lifted the veil of secrecy shrouding the spy agency, at least part way, in describing a low point following the Sept. 11, 2001, attacks on the United States. Various trends had caused "a serious erosion" of CSE's ability to intercept valuable intelligence, he said.

"By late 2001, as we faced the implications of 9/11, the resources needed to keep up -- human as well as technical -- were in too short supply at CSE.

"Our workforce was thinly spread, and we were hurting in terms of keeping pace with changing technologies. We needed financial investment to move ahead."

The federal government provided cash infusions and lifted a restriction on the spy service's ability to tap into any communication involving Canadians. Previously, for example, if a known member of the al-Qaida terrorist group communicated with someone in Canada, even if the person was a foreign operative, CSE could not listen in.
CSE must still focus on foreign people and organizations, but may now intercept a conversation that happens to include a person in Canada.

Coulter rejected the popular suggestion spy agencies like CSE are giant vacuum cleaners. "We're reported to suck up all communications. But that is not how the business works today," he insisted.

"What we really do is to use our brain power and the latest in technology to selectively hunt for what we are looking for within virtually endless communications haystacks and electronic highways, all of which are in virtually constant flux."

CSE and agencies in the United States, Britain, Australia and New Zealand share intercepted communications of interest with one another. Of particular importance is CSE's relationship with its American counterpart, the National Security Agency, Coulter said.

"At all levels, this co-operation is close and productive. CSE and NSA share intelligence, tackle common problems posed by changing technology and track threats to our collective security.

"This partnership provides Canada with invaluable access to American intelligence and technology. While CSE is by far the smaller partner in this relationship, both sides derive significant benefit from it," he added.

"Indeed, at this juncture, the sharing of some of CSE's unique capabilities represents a significant element of Canada's contribution to the global war on terrorism."

From isn at c4i.org Mon Oct 18 02:24:38 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 18 02:49:16 2004
Subject: [ISN] Linux Advisory Watch - October 15th 2004
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  October 15th, 2004                           Volume 5, Number 41a  |
+---------------------------------------------------------------------+

Editors:      Dave Wreski                      Benjamin D. Thomas
              dave@linuxsecurity.com           ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for cups, samba, mysql, mpg123, sox, Ed, ncompress, LessTif, gettext, xfree86, tiff, wordpress, BNC, libpng, and rsync. The distributors include Conectiva, Debian, Fedora, Gentoo, Slackware, and Trustix.

-----

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

-----

Storing Log Data Securely

It is also a good idea to store log data at a secure location, such as a dedicated log server within your well-protected network. Once a machine has been compromised, log data becomes of little use as it most likely has also been modified by the intruder. It is most likely of little value in a criminal investigation. It helps if the log data, which has been stored remotely, indicates when root access was gained so that logs before that point are okay.

The syslogd daemon can be configured to automatically send log data to a central syslogd server, but this is typically sent in cleartext data, allowing an intruder to view data as it is being transferred. This may reveal information about your network that is not intended to be public. There are syslog daemons available that encrypt the data as it is being sent.

Also be aware that faking syslog messages has been reported, with an exploit program having been published. Syslog even accepts net log entries claiming to come from the local host without indicating their true origin.
A more secure implementation has been written by CORE-SDI, and is available at: http://oss.coresecurity.com/projects/msyslog.html

If possible, configure syslogd to send a copy of the most important data to a secure system. This will prevent an intruder from covering his tracks by deleting his login, su, ftp, etc. attempts. See the syslog.conf(5) man page, and refer to the "@" option.

If you've already decided to use a central syslog server, the additional security this provides is well worth it. However, you should consider the additional overhead involved with sending this data real-time across your network.

Excerpt from the LinuxSecurity Administrator's Guide:
http://www.linuxsecurity.com/docs/SecurityAdminGuide/SecurityAdminGuide.html

Written by: Dave Wreski (dave@guardiandigital.com)

-----

AIDE and CHKROOTKIT

Network security is continuing to be a big problem for companies and home users. The problem can be resolved with an accurate security analysis. In this article I show how to approach security using aide and chkrootkit.

http://www.linuxsecurity.com/feature_stories/feature_story-173.html

---------------------------------------------------------------------

An Interview with Gary McGraw, Co-author of Exploiting Software: How to Break Code

Gary McGraw is perhaps best known for his groundbreaking work on securing software, having co-authored the classic Building Secure Software (Addison-Wesley, 2002). More recently, he has co-written with Greg Hoglund a companion volume, Exploiting Software, which details software security from the vantage point of the other side, the attacker. He has graciously agreed to share some of his insights with all of us at LinuxSecurity.com

http://www.linuxsecurity.com/feature_stories/feature_story-171.html

------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
| Distribution: Conectiva         | ----------------------------//
+---------------------------------+

10/14/2004 - cups denial of service vulnerability fix
Alvaro Martinez Echevarria found a vulnerability[2] in the CUPS Internet Printing Protocol (IPP) implementation that allows remote attackers to make CUPS stop listening on the IPP port by sending an empty UDP datagram packet to the IPP port, causing a denial of service situation.
http://www.linuxsecurity.com/advisories/conectiva_advisory-4948.html

10/14/2004 - samba vulnerabilities fix
This announcement fixes two denial of service vulnerabilities via certain malformed requests[2] and via a SAM_UAS_CHANGE request with a big length value[3] when domain logons are enabled.
http://www.linuxsecurity.com/advisories/conectiva_advisory-4949.html

+---------------------------------+
| Distribution: Debian            | ----------------------------//
+---------------------------------+

10/10/2004 - python2.2 buffer overflow and restore functionality fix vulnerabilities fix
This security advisory corrects DSA 458-2 which caused a problem in the gethostbyaddr routine.
http://www.linuxsecurity.com/advisories/debian_advisory-4917.html

10/11/2004 - mysql several vulnerabilities fix
Several problems have been discovered in MySQL, a commonly used SQL database on Unix servers.
http://www.linuxsecurity.com/advisories/debian_advisory-4931.html

10/12/2004 - cyrus-sasl arbitrary code execution fix several vulnerabilities fix
A vulnerability has been discovered in the Cyrus implementation of the SASL library, the Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols.
http://www.linuxsecurity.com/advisories/debian_advisory-4936.html

10/12/2004 - cyrus-sasl arbitrary code execution real fix several vulnerabilities fix
This advisory corrects DSA 563-1 which contained a library that caused other programs to fail unintentionally.
http://www.linuxsecurity.com/advisories/debian_advisory-4937.html

10/13/2004 - mpg123 arbitrary code execution fix
Davide Del Vecchio discovered a vulnerability in mpg123, a popular (but non-free) MPEG layer 1/2/3 audio player. A malicious MPEG layer 2/3 file could cause the header checks in mpg123 to fail, which could in turn allow arbitrary code to be executed with the privileges of the user running mpg123.
http://www.linuxsecurity.com/advisories/debian_advisory-4941.html

10/13/2004 - sox buffer overflow fix
Ulf Harnhammar has reported two vulnerabilities in SoX, a universal sound sample translator, which may be exploited by malicious people to compromise a user's system with a specially crafted .wav file.
http://www.linuxsecurity.com/advisories/debian_advisory-4942.html

10/14/2004 - cyrus-sasl arbitrary code execution fix buffer overflow fix
This advisory is an addition to DSA 563-1 and 563-2 which weren't able to supersede the library on sparc and arm due to a different version number for them in the stable archive.
http://www.linuxsecurity.com/advisories/debian_advisory-4950.html

10/14/2004 - CUPS information leak fix
An information leak has been detected in CUPS, the Common UNIX Printing System, which may lead to the disclosure of sensitive information, such as user names and passwords which are written into log files.
http://www.linuxsecurity.com/advisories/debian_advisory-4952.html

+---------------------------------+
| Distribution: Fedora            | ----------------------------//
+---------------------------------+

10/11/2004 - squid-2.5.STABLE5-4.fc2.1 update information leak fix
This update fixes a potential DoS against squid that was reported by Secunia.
http://www.linuxsecurity.com/advisories/fedora_advisory-4920.html

10/8/2004 - cyrus-sasl-2.1.18-2.2 update information leak fix
In situations where an untrusted local user can affect the environment of a privileged process, this behavior could be exploited to run arbitrary code with the privileges of a setuid or setgid application.
http://www.linuxsecurity.com/advisories/fedora_advisory-4922.html

10/11/2004 - pcmcia-cs-3.2.7-1.8.2.1 update information leak fix
This update fixes a few problems in the PCMCIA init script.
http://www.linuxsecurity.com/advisories/fedora_advisory-4933.html

10/11/2004 - gimp-2.0.5-0.fc2.1 update information leak fix
The GIMP (GNU Image Manipulation Program) is a powerful image composition and editing program, which can be extremely useful for creating logos and other graphics for webpages.
http://www.linuxsecurity.com/advisories/fedora_advisory-4934.html

10/12/2004 - tzdata-2004e-1.fc2 update information leak fix
This package contains data files with rules for various timezones around the world.
http://www.linuxsecurity.com/advisories/fedora_advisory-4940.html

10/13/2004 - libuser-0.52.5-0.FC2.1 update information leak fix
This update fixes many bugs, mostly in the LDAP backend and the Python bindings.
http://www.linuxsecurity.com/advisories/fedora_advisory-4944.html

10/13/2004 - squid-2.5.STABLE5-4.fc2.2 update information leak fix
Backport fix for CAN-2004-0918 (Remote Denial of Service attack)
http://www.linuxsecurity.com/advisories/fedora_advisory-4945.html

10/13/2004 - system-config-users-1.2.25-0.fc2.1 update information leak fix
when renaming users, ensure that groups forget about the old user name (#135280)
http://www.linuxsecurity.com/advisories/fedora_advisory-4946.html

10/14/2004 - k3b-0.11.14-0.FC2.2 version string parsing fix information leak fix
K3b provides a comfortable user interface to perform most CD/DVD burning tasks.
While the experienced user can take influence in all steps of the burning process the beginner may find comfort in the automatic settings and the reasonable k3b defaults which allow a quick start.
http://www.linuxsecurity.com/advisories/fedora_advisory-4951.html

10/14/2004 - gimp-2.0.5-0.fc2.2 update information leak fix
This update fixes the bug that catches the wrong values of bpp in the BMP plugin.
http://www.linuxsecurity.com/advisories/fedora_advisory-4953.html

10/14/2004 - libtiff-3.5.7-20.2 update information leak fix
Chris Evans discovered a number of integer overflow bugs that affect libtiff. An attacker who has the ability to trick a user into opening a malicious TIFF file could cause the application linked to libtiff to crash or possibly execute arbitrary code.
http://www.linuxsecurity.com/advisories/fedora_advisory-4954.html

10/14/2004 - w3m-0.5.1-3.1 update information leak fix
The w3m program is a pager (or text file viewer) that can also be used as a text-mode Web browser.
http://www.linuxsecurity.com/advisories/fedora_advisory-4955.html

10/14/2004 - ruby-1.8.1-6 update information leak fix
A security fix [CAN-2004-0755]. ruby-1.8.1-cgi_session_perms.patch: sets the permission of the session data file to 0600. (#130063)
http://www.linuxsecurity.com/advisories/fedora_advisory-4956.html

+---------------------------------+
| Distribution: Gentoo            | ----------------------------//
+---------------------------------+

10/9/2004 - CUPS Leakage of sensitive information
CUPS leaks information about user names and passwords when using remote printing to SMB-shared printers which require authentication.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4926.html

10/9/2004 - Ed Insecure temporary file handling
The ed utility is vulnerable to symlink attacks, potentially allowing a local user to overwrite or change rights on arbitrary files with the rights of the user running ed, which could be the root user.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4927.html

10/9/2004 - ncompress Buffer overflow
compress and uncompress, which could be used by daemon programs, contain a buffer overflow that could lead to remote execution of arbitrary code with the rights of the daemon process.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4928.html

10/9/2004 - LessTif Integer and stack overflows in libXpm
Multiple vulnerabilities have been discovered in libXpm, which is included in LessTif, that can potentially lead to remote code execution.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4929.html

10/10/2004 - gettext Insecure temporary file handling
The gettext utility is vulnerable to symlink attacks, potentially allowing a local user to overwrite or change permissions on arbitrary files with the rights of the user running gettext, which could be the root user.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4930.html

10/11/2004 - xfree86 integer and stack overflows
Chris Evans discovered several stack and integer overflows in the libXpm library which is provided by X.Org, XFree86 and LessTif.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4932.html

10/13/2004 - tiff Buffer overflows in image decoding
Multiple heap-based overflows have been found in the tiff library image decoding routines, potentially allowing execution of arbitrary code with the rights of the user viewing a malicious image.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4943.html

10/14/2004 - wordpress HTTP response splitting and XSS vulnerabilities
WordPress contains HTTP response splitting and cross-site scripting vulnerabilities.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4947.html

10/15/2004 - BNC Input validation flaw
BNC contains an input validation flaw which might allow a remote attacker to issue arbitrary IRC related commands.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4957.html

+---------------------------------+
| Distribution: Other             | ----------------------------//
+---------------------------------+

10/12/2004 - CUPS before 1.1.21 allows remote attackers to cause a denial of service
The Internet Printing Protocol (IPP) implementation in CUPS before 1.1.21 allows remote attackers to cause a denial of service via a certain UDP packet to the IPP port.
http://www.linuxsecurity.com/advisories/other_advisory-4938.html

10/12/2004 - libpng Multiple Vulnerabilities
Several vulnerabilities exist in the libpng library, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system.
http://www.linuxsecurity.com/advisories/other_advisory-4939.html

+---------------------------------+
| Distribution: Slackware         | ----------------------------//
+---------------------------------+

10/12/2004 - rsync security update
New rsync 2.6.3 packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and -current to fix a security issue when rsync is run as a non-chrooted server.
http://www.linuxsecurity.com/advisories/slackware_advisory-4935.html

+---------------------------------+
| Distribution: Trustix           | ----------------------------//
+---------------------------------+

10/8/2004 - cyrus-sasl Insecure handling of environment variable security update
Kurt Lieber reported that libsasl honors the environment variable SASL_PATH blindly, allowing a local user to compile a "library" locally that is executed with the EID of SASL.
http://www.linuxsecurity.com/advisories/trustix_advisory-4919.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Oct 18 02:25:02 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 18 02:49:18 2004
Subject: [ISN] REVIEW: "Network Security Assessment", Chris McNab
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKNTSCAS.RVW 20040511

"Network Security Assessment", Chris McNab, 2004, 0-596-00611-X, U$39.95/C$57.95
%A Chris McNab chris.mcnab@trustmatta.com
%C 103 Morris Street, Suite A, Sebastopol, CA 95472
%D 2004
%G 0-596-00611-X
%I O'Reilly & Associates, Inc.
%O U$39.95/C$57.95 707-829-0515 fax: 707-829-0104 nuts@ora.com
%O http://www.amazon.com/exec/obidos/ASIN/059600611X/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/059600611X/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/059600611X/robsladesin03-20
%P 507 p.
%T "Network Security Assessment"

In general, "learn to hack in order to secure" books provide very little useful material for helping security administrators to protect their systems. McNab's work is somewhat different: his descriptions (though not perfect) have a conceptual component, and the details often use accessible system tools, rather than relying on blackhat tools (of unknown reliability) or an extensive range of commercial utilities.

Chapter one defines network security assessment somewhere between vulnerability scanning and penetration testing, and outlines the general campaign. A list of scanning tools, with very terse descriptions, is in chapter two. The querying of public information, using search engines and network information centres, is in chapter three. Chapter four provides details on IP network scanning, although the explanations are not always clear, seemingly missing particulars or skipping steps.
This lack of description is even more evident in the material on remote information services (DNS - Domain Name Services, SNMP - Simple Network Management Protocol, LDAP - Lightweight Directory Access Protocol, and the like) in chapter five. Chapter six provides content on obtaining information about a number of Web utilities, products, and services, and lists a number of specific exploits. Chapter seven gives advice on identifying and exploiting specific terminal and terminal-like remote services. ftp and database exploits are listed in chapter eight. Chapter nine describes some tools for assessing and exploiting network (and particularly SMB (Server Message Block)) services in Windows NT and 2000. Gathering information from SMTP (Simple Mail Transfer Protocol) is described in chapter ten, as well as a way to code MIME (Multipurpose Internet Mail Extensions) fields in order to defeat virus scanning on email. The exploits for VPN (Virtual Private Network) products, in chapter eleven, are product specific and unstructured. Chapter twelve lists certain UNIX RPC (Remote Procedure Call) bugs. The explanation of general overflow and overwriting attacks in chapter thirteen provides thorough descriptions, but relies unnecessarily on coded C language references rather than broader explanations, reducing the conceptual clarity. Chapter fourteen reviews a combination of some of the techniques listed earlier in the book as an integrated attack example.

The material could be helpful to security instructors, and fascinating for those interested in the topic, but may not be presented in a manner useful to network security administrators as direction for protection of their resources. The book is demanding of the reader, but it does do a better job than most of demonstrating the value of knowing how to find weaknesses in order to build defence.

copyright Robert M.
Slade, 2004 BKNTSCAS.RVW 20040511

======================
(quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu
The Internet may promise to improve the way we educate and learn, but so did early television. TV technology has instead reduced our attention spans, reduced intellectual conversations to sound bits, and left us with the impression that in order to be informed, we must first be entertained. - Lew Platt, of HP
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

From isn at c4i.org Tue Oct 19 22:39:25 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Oct 20 02:56:48 2004
Subject: [ISN] On Trial - Prosecuting cybercrime puts your organization--and your security--on the hot seat.
Message-ID:

Forwarded from: "smoshlak@interserv.com"
To: abriney@infosecuritymag.com

TAC-

Although defense counsel can subpoena records and perform depositions (within reason), there has to be something known as relevance to the matter. Any competent counsel can have this type of scenario blown out of the water, using the following analogy.

A person has entered upon another's property and is charged with trespass. Did he crawl over the fence, drive through the fence or parachute onto the property? Shall we call in the gate builder, the architect or the manufacturer to testify about the security of gate and fence? Whether it was made of wood, chain link or of the "concertina-wire" type? It doesn't matter, since he has trespassed.

In this case, they were able to identify the who, where and the what. Whether or not an institution has a security plan (for purposes of the Court), is irrelevant. A computer network is not a swimming pool, which is defined by law as an "attractive nuisance." This individual allegedly tried to extort money from an entity, whether the threat is real or perceived.
Specifically speaking, if one walks into a bank and states to the teller, "I have a pistol in my pocket and to fill the bag up with money..," and doesn't have a pistol, but takes the bank's money, begs the question: Is it still robbery?

Having Michael Bloomberg take the stand to testify about his information systems security plan or to outline, in detail, his digital infrastructure was irrelevant and immaterial, considering the circumstances. The same holds true for other employees in his office.

Just my thoughts,

Steven Moshlak
Expert Witness, Information Security and Technology

Original Message:
-----------------
From: InfoSec News isn@c4i.org
Date: Mon, 18 Oct 2004 01:23:25 -0500 (CDT)
To: isn@attrition.org
Subject: [ISN] On Trial - Prosecuting cybercrime puts your organization--and your security--on the hot seat.

http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss486_art1001,00.html

By Carole Fennelly
October 2004

Attorney: Is it fair to say that, prior to March 24, 2000, you were not aware of [a] bug that allowed someone to enter the system?
Bloomberg: That's correct. It's not just someone. You would have to work pretty hard to do it and have to be reasonably competent to do it.
Attorney: Would it be fair to say that that bug was a dangerous threat to the security of your system?
Bloomberg: Absolutely.
-Testimony of Michael Bloomberg, U.S. v. Zezev

New York City Mayor Michael Bloomberg endured more than an hour of cross-examination during the 2003 criminal trial of Oleg Zezev, a Russian citizen later convicted of hacking Bloomberg LLP's network and making extortion demands. Bloomberg didn't make excuses for weaknesses in the company's digital infrastructure. He met the issue head-on. Is your CEO prepared to do that?

Your company will undergo intense scrutiny if a case against a cybercrime suspect goes to trial.
Your employees, from the IT staff to the corner office, will be cross-examined by defense attorneys, who will attack their competence, challenge their statements and attempt to discredit corporate policies and processes. Internal, often sensitive, documents and information may become part of the public record, and, if the case generates enough buzz, it's fair game for CNN and The New York Times. When your company takes the stand, you're asking for an open--and very public--security audit. Although you can't control everything that goes on in the courtroom, you can prepare your employees for the concentrated defense questioning.

[...]

From isn at c4i.org Tue Oct 19 22:39:48 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Oct 20 02:56:50 2004
Subject: [ISN] FEEDBACK: Expert: Online extortion growing more common
Message-ID:

Forwarded from: Harlan Carvey
To: mailroomuk@zdnet.com

> : "Six or seven thousand organizations are paying online extortion
> : demands," Alan Paller said at the SANS Institute's Top 20
> : Vulnerabilities conference in London. "The epidemic of cybercrime
> : is growing. You don't hear much about it because it's extortion,
> : and people feel embarrassed to talk about it."
>
> If they don't like to talk about it, where does the figure of 6 to
> 7000 come from?

Agreed. And I have to wonder, as well...why isn't the media asking this question? It's not a biased question at all, to ask where the numbers come from. In fact, by not asking the question *and* by referring to Mr. Paller as an expert, isn't that demonstrating bias?

> : "Every online gambling site is paying extortion," Paller asserted.

Note: "asserted". This makes you wonder...how accurate is this assertion? Does Mr. Paller have inside information? Look at it this way...if Mr. Paller has some sort of relationship w/ online gambling sites, might they then feel somewhat betrayed (and exposed) by his making this statement? Wouldn't his professional reputation with them suffer?
Therefore, one should expect that his assertion is just that...an assertion.

> And if these sites aren't doing that, and they aren't reporting the
> crime then they deserve what they get. Paying off the DDoS crews is
> only encouraging them.

Exactly. One would expect that since $40K greatly exceeds the Attorney General-mandated threshold of $5K, such things would be reported.

> If it is that fullproof[sic] of a money making scheme for them, why
> are they going to stop?

True. Excellent question. I have to wonder why the author doesn't seem to have asked that question.

> : Paller called for tech companies to do better.

Do better at what?? I think it's a fairly pretty belief that most companies need to do a better job of securing their (information) assets, but when an "expert" calls for companies to do better, wouldn't it be a good idea to be a little bit more explicit?

> : He said that security vulnerabilities are vendors'
> : responsibility to fix and that their products should reflect the
> : suggestions associated with the SANS top 20 vulnerabilities
> : list.

I'm not sure that I agree with Mr. Paller...I think that his comment feeds off of the atmosphere of transferring responsibility, rather than accepting it. Security vulnerabilities in products may be the responsibility of the vendor to fix, but shouldn't those who use the products understand their strengths and weaknesses, and design their infrastructure to mitigate the weaknesses as much as possible?

> Uh.. how do the SANS Top 20 vulnerabilities affect or mitigate DDoS
> attacks? The 10 windows and 10 unix are fairly specific, and none of
> them cover protecting against a DDoS attack. This 'news' piece
> quickly becomes a glorified product pitch.

No kidding!
=====
------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://groups.yahoo.com/group/windowsir/

"Meddle not in the affairs of dragons, for you are crunchy, and good with ketchup."
"The simplicity of this game amuses me. Bring me your finest meats and cheeses."
------------------------------------------

From isn at c4i.org Tue Oct 19 22:40:06 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Oct 20 02:56:51 2004
Subject: [ISN] NZ jails Aussie bank hacker
Message-ID:

http://australianit.news.com.au/articles/0,7204,11087415%5E15331%5E%5Enbv%5E15306%2D15318,00.html

Amanda Hodge
OCTOBER 16, 2004

AN Australian IT whiz who stole $2.15 million after hacking into the New Zealand Health Ministry's bank account and then offered to brief the department on the weaknesses in its computer security system was yesterday jailed for three years.

With university degrees in science and mathematics, an MBA and years of international computer experience, John Denison, 49, cruised into a senior job with the NZ Health Ministry in March.

But in six months of service, in which he headed a national meningococcal B vaccination program, Denison tried unsuccessfully five times to crack the ministry's computer banking system.

On his final attempt, in late September, he found fleeting success, hacking into the system and redirecting $2.15 million bound for doctors and medical laboratories to his own bank account, which he set up with a false passport and driver's licence in the name of Alan Bennett.

Denison tried to use almost $800,000 as a down payment on a luxury apartment overlooking Sydney's Hyde Park before he was caught.

He had been planning to return to Sydney to be near his critically ill sister but confessed to the thefts and passport fraud shortly after several laboratories rang the ministry to complain about the missing money. All the money has since been recovered.
Wellington District Court judge Robert Kerr permanently suppressed details of how Denison hacked into the system.

The crime was a gross abuse of trust that was partly motivated by a desire to maintain a certain quality of life, Judge Kerr said.

Denison's lawyer, Greg King, argued the offence had arisen out of "something of a mid-life crisis" because his client's annual income had plunged from $200,000 to $103,000 when he took the new job.

But Denison had also been under extreme financial pressure, supporting an acutely deaf and depressed brother, a sister who was still in hospital after suffering a brain aneurism in July, and also paying child maintenance.

Yesterday, Denison's NSW-based former wife said she and her three children were devastated by the outcome but were trying to keep the news from Denison's brother and sister, who were too ill to withstand the trauma.

Mr King said the Health Ministry had acted arrogantly by refusing an offer by a penitent Denison to talk them through the security gaps in its system.

Crown prosecutor Cherie Clarke said the ministry did not want or need Denison's help.

From isn at c4i.org Tue Oct 19 22:40:22 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Oct 20 02:56:53 2004
Subject: [ISN] 2-Fingerprint Border ID System Called Inadequate
Message-ID:

http://www.washingtonpost.com/wp-dyn/articles/A43276-2004Oct18.html

By Robert O'Harrow Jr. and Scott Higham
Washington Post Staff Writers
October 19, 2004

Terrorists who alter their fingerprints have about an even chance of slipping past U.S. border watch-list checks because the government is using a two-fingerprint system instead of one that relies on all 10 prints, a lawmaker said in a letter he made public yesterday to Homeland Security Secretary Tom Ridge.

Rep. Jim Turner (D-Tex.)
wrote that a study by researchers at Stanford University concluded the two-finger system "is no more than 53 percent effective in matching fingerprints with poor image quality against the government's biometric terrorist watch-list."

Turner said the system falls far short of keeping the country secure. "It's going to be a coin toss as to whether we can identify terrorists," Turner, the ranking member of the House Select Committee on Homeland Security, said in an interview yesterday. "It's a 50-50 chance, and that's not good enough."

Turner's Oct. 15 letter comes as government officials supervising the burgeoning border security system, known as US-VISIT, have been touting their use of fingerprints for identifying people crossing the border and checking them against watch lists of suspected terrorists.

The US-VISIT program aims to create a "virtual border" using computer networks, databases, fingerprints and other biometric identifiers. The program requires foreign visitors to register their names before traveling to the United States and have their fingerprints checked when they arrive and depart. Officials estimate the system could cost up to $10 billion and take a decade to build.

The border security program is relying on technology first developed for a program at the former Immigration and Naturalization Service called IDENT. Government officials have known for years that IDENT did not work well with the identification system used by the Justice Department, a 10-fingerprint system called the Integrated Automated Fingerprint Identification System. That system is known for producing good results, even with poor-quality fingerprint images, Turner's letter said.

But homeland security officials have told Congress they decided to use the IDENT system for the first phase of US-VISIT as a way to quickly improve security at the borders, and move to a 10-fingerprint system later.

"It was a logistical issue we had to deal with," said Robert A.
Mocny, deputy director of US-VISIT. "It will get better. . . . It's a matter of what we can do right now."

Turner's letter said the Department of Homeland Security ignored numerous warnings from the "government's top biometric scientists" that the "two-fingerprint system could not accurately perform watch list searches and the ten-fingerprint system was far preferable."

The letter quotes Stanford researcher Lawrence M. Wein, who said his study found that at best, with a software fix, the two-finger system would properly identify only about three of four people. Two weeks ago, Wein told the Homeland Security Committee that the "implications of our findings are disturbing."

Turner accused homeland security officials of failing to be "more forthcoming" about the limitations of their approach. Turner asked Ridge to direct homeland security officials to "preserve all documents and electronic communications" relating to their decision on fingerprints.

"I understand your desire to deploy biometric screening at our borders as quickly as possible," Turner said in his letter. "But more than three years after the 9/11 attacks, we have invested more than $700 million in an entry-exit system that cannot reliably do what the Department so often said it would: Use a biometric watch-list to keep known terrorists out of the country."

A spokesman for the Republican-controlled Homeland Security Committee, Ken Johnson, said the release of Turner's letter was driven by election-year politics. Johnson acknowledged that there are "some concerns" with the current system, but he said US-VISIT continues to evolve.

"In a perfect world, where money is not an issue, and people wouldn't mind spending countless hours or days at the border, the 10-fingerprint system would be preferable. But that's not reality," Johnson said. "They're playing politics with some very sensitive issues."
From isn at c4i.org Wed Oct 20 02:41:32 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Oct 20 02:56:55 2004
Subject: [ISN] Worldwide Phishing Attacks May Stem from Few Sources
Message-ID:

http://www.eweek.com/article2/0,1759,1679953,00.asp

By Dennis Fisher
October 19, 2004

Research from an e-mail security provider suggests that a handful of people are responsible for the vast majority of the phishing attacks on the Internet and the perpetrators are using a rotating series of zombie networks to launch them.

Researchers at CipherTrust Inc. analyzed more than four million e-mails collected from the company's customers during the first two weeks of October and found that nearly a third of all of the zombie machines sending the phishing messages are based in the United States. That's twice as many as the 16 percent that are found in South Korea.

However, these findings do not mean that these attacks are originating from inside these countries. The global nature of the Internet allows attackers anywhere in the world to compromise machines in any location. In fact, many experts believe that the majority of phishers are in some way connected to organized crime groups in Russia or Eastern Europe and that most such attacks begin there.

The most surprising conclusion of the research is that the attackers sending out the phishing messages are using zombie networks of only about 1,000 PCs.

"That's a pretty small bot network for the volume of stuff that these guys are doing," said Dmitri Alperovitch, the research engineer at Atlanta-based CipherTrust Inc. who conducted the study. "But the trick is that they rotate to a different set of compromised machines each day. They don't keep going to the same ones each time."

Crackers for years have been accumulating large networks of machines compromised with small programs that give them the ability to control the PCs remotely.
They routinely sell or trade access to the networks to others in the cracker underground, and the PCs typically are used for launching DDoS (distributed denial of service) attacks. But as authorities began cracking down on spammers in recent years, the spammers have begun relying on these networks to send out their messages, too. Now, phishers have gotten into the game.

Alperovitch said that there are fewer than five operators in control of the zombie networks that he identified in his research. And, even though they're generating thousands of fraudulent e-mails every day, their output was still a tiny fraction, less than one percent, of the four million messages CipherTrust examined.

Phishers seem to be concentrating their efforts on a few high-profile targets, as well. In the sample CipherTrust looked at, 54 percent of the phishing messages used Citigroup's Citibank name to entice recipients. Another 13 percent use Citigroup Global Markets Inc.'s Smith Barney brand and eBay Inc. is the victim in about four percent of the scams.

From isn at c4i.org Wed Oct 20 02:41:43 2004
From: isn at c4i.org (InfoSec News)
Date: Wed Oct 20 02:56:56 2004
Subject: [ISN] UK preps major security awareness campaign
Message-ID:

http://www.theregister.co.uk/2004/10/19/it_sec_education/

By John Leyden
19th October 2004

A major UK government campaign to help small businesses and consumers protect themselves from Internet security threats will launch in the UK next year.

The National High-Tech Crime Unit (NHTCU) is co-ordinating the £2m three-year security awareness campaign, codenamed Project Endurance, and it is seeking business sponsorship. So it is off to rattle the tin at a Confederation of British Industry conference on 8 November. Public launch is scheduled for the second quarter of 2005.

John Lyons, crime co-ordinator at the NHTCU, said the campaign will aim to arrest the growth in computer security risks that threatens to slow down the rise of ecommerce.
"The aim is to reduce fraud losses and to consolidate information, which is currently fragmented," he said. Project Endurance will focus on the basics of Internet security. Subjects covered will include advising users to maintain up-to-date anti-virus signatures, patch operating systems and use firewalls. Protecting personal information, password usage and protection and counter-fraud measures will also be covered. The campaign will aim to educate users about spyware and adware risks. Another planned element will emphasise the importance of backing up systems. Lyons compares Project Endurance to government campaigns against drink driving, or the "clunk, click" campaign advising users to use safety belts in cars. Early ideas for the scheme were outlined last week at the Information Assurance Advisory Council's fifth annual symposium in London. Andrew Miller MP, Joint vice-chairman of the Parliamentary Information Technology Committee, backed Project Endurance's wide-ranging approach. "Spam, virus and extortion are intellectually separate but are all tied together. You can't pick out one part of the [cybercrime] spectrum because they are all interlinked," he said. Paul King, principal security consultant at Cisco Systems UK, said the UK scheme is similar in aims to the US National Cyber Security Alliance's StaySafeOnline scheme. Peter Sommer, a security expert from the London School of Economics, asked how the scheme would avoid to risk of overlap with the "proliferation of initiatives" around computer security already underway. Lyons said the programme would concentrate on basic IT security and focus on the UK. The scheme will not look at child protection issues, which are well-covered by other programmes, he added. 
From isn at c4i.org Wed Oct 20 02:41:53 2004 From: isn at c4i.org (InfoSec News) Date: Wed Oct 20 02:56:58 2004 Subject: [ISN] Hacker Hits California University Computer Message-ID: http://www.reuters.com/newsArticle.jhtml?type=technologyNews&storyID=6548348 Oct 19, 2004 SAN FRANCISCO (Reuters) - A computer hacker accessed names and Social Security numbers of about 1.4 million Californians after breaking into a University of California, Berkeley, computer system in perhaps the worst attack of its kind ever suffered by the school, officials said on Tuesday. "The investigation is continuing but we have no idea if the (personal) information has been compromised," said Carlos Ramos, assistant secretary at the California Health and Human Services Agency. He said state agencies and the Federal Bureau of Investigation were investigating but the hacker had not been found. The names accessed by the hacker were being used by a UC Berkeley researcher who had collected data on elderly people and individuals who provide in-home care to seniors to study the impact of wages on in-home care, Ramos said. The data, which included home addresses, telephone numbers and dates of birth, was being used at the state's authorization but without the consent of the individuals whose information was being used in the study. Ramos said the state is authorized to share with researchers the personal information of individuals who participate in state programs administered by the state social services department. George Strait, a university spokesman, confirmed the school's computer system had been penetrated in what he believed was the most significant hacking job the university had experienced. The university detected its computer system had been broken into at the end of August, but did not notify the state until Sept. 27 after the school had done its own investigation with the FBI, Strait said. 
From isn at c4i.org Wed Oct 20 02:42:15 2004 From: isn at c4i.org (InfoSec News) Date: Wed Oct 20 02:57:00 2004 Subject: [ISN] Hackers' product recall message 'sabotage' - Aria Farm Message-ID: http://www.stuff.co.nz/stuff/0,2106,3070607a13,00.html 20 October 2004

A Waikato food company, Aria Farm, faces potential ruin following industrial sabotage, says director Erik Arndt. Computer hackers have emailed 3000 of the company's customers, saying a company product, lamb chips, is being recalled due to an infectious agent, and the warning has since been posted on internet message boards. Mr Arndt said the full product recall was emailed to his customers at the weekend as coming from his own company's computers, and had the potential to destroy a business. The hacker also announced free chips were available at a Takapuna coffee bar, but they tasted awful. The first Mr Arndt and wife Anna knew about the fake recall notice was on Monday morning through replies to the email message. "We got in touch with supermarkets straight away and let them know it was all a hoax," he said. Mr Arndt also reported the incident to police, who have said they are investigating.

Aria Farm employs 14 people at its Hamilton factory and has an annual turnover of $3 million. The company was formed in 1997 by Mr and Mrs Arndt, who had become frustrated by low returns from their 526ha dry stock farm at Aria in the King Country. They now produce beef, lamb and chicken chips; lamb strips with basil and mint; and easy-flow mince. Last year they launched some of the products in Britain through supermarket chain Sainsburys. Their UK company was reported to have invested $NZ3 million in a processing plant in Blaenavon, near Pontypool in Wales, where it also received a grant of over $NZ1 million from the Welsh Development Agency towards establishment costs and for marketing.
In New Zealand, the company has also received a Government "enterprise award" to help it develop export markets in Australia and South America. Mr Arndt said computer hacking was not something a small family business in Hamilton would expect. "We're busy going for export licences. We were busy focusing on food safety. . . We weren't focused at all on anything like a computer hacker. "Here's someone using their creative energy to do nasty things like this." Mr Arndt said the company spent $7000 upgrading its computer firewall security four months ago. "I'm just trying to get to the bottom of this to see how it happened." He said only two people, he and his wife, knew the password to the database.

From isn at c4i.org Wed Oct 20 02:47:19 2004 From: isn at c4i.org (InfoSec News) Date: Wed Oct 20 02:57:01 2004 Subject: [ISN] Computer hacker gets prison term Message-ID: http://www.cincypost.com/2004/10/19/baas101904.html By Kimball Perry Post staff reporter 10-19-2004

Daniel Baas' computer skills were expert enough that he was able to make a living using them. But, he admitted Monday, he used those same skills to penetrate the computers and networks of lawyers and companies. For that, Hamilton County Common Pleas Court Judge Dennis Helmick sentenced him to 2½ years in prison. "In essence, he was hacking into their systems," assistant prosecutor Andrew Berghausen told Helmick after Baas accepted a deal to plead guilty to unauthorized use of property. Baas, 25, hacked into personal computers and networks to view legal documents, financial data -- even pictures, including honeymoon photos from one couple. "He was then copying (that information) for his own use," Berghausen said. Hamilton County sheriff's deputies, led by Detective Rick Sweeney, found that information when they raided Baas' Milford home in connection with an investigation of a charge that he hacked into one of the world's largest consumer database companies.
He's been convicted in federal court of that crime and will be sentenced Nov. 3. Baas pleaded guilty Monday to hacking into computers or networks of attorneys Gary Lewis and John Brinker, and two companies -- Court Street Title Agency and JSR American. In exchange for Baas' guilty plea, Berghausen agreed to drop two similar charges against him. Helmick told Baas he would reject any attempt to get out of prison early, and didn't credit him for the year he's already spent in jail. "I intended to cause no harm," Baas told the judge. But Helmick noted that Baas -- known as "Epitaph" when he was on-line -- had committed serious crimes. "This is not just a lark on your behalf thinking that you're a little more intelligent than those who created the software," Helmick told him. "If you had personal information on your computer and I hacked into it, you'd be pretty (upset), wouldn't you?" Among the evidence that police seized from Baas were chat logs -- or computer conversations -- he had with Jesse Tuttle, who is accused of illegally hacking into the Web sites of Hamilton County Sheriff Simon Leis Jr. and the main Hamilton County government site. Police said they also found 10 images of kiddie porn on Tuttle's computer. Tuttle has insisted that he is working for the FBI looking for on-line perverts and possible terrorists. Baas faces up to a five-year sentence Nov. 3 when he's sentenced in federal court for hacking into and stealing data from Acxiom, one of the world's largest credit card data base users. That company provides services to 14 of the 15 top credit cards companies, five of the six biggest retail banks and seven of the top 10 car makers. All share the credit card and other information of their customers with Acxiom. In that case, Baas admitted his actions cost Acxiom, of Little Rock, Ark., about $6 million, including $1.3 million for security audits and encryptions upgrades for Acxiom's computer system. 
Baas was able to access Acxiom's network because he was an employee of Market Intelligence Group, a downtown Cincinnati company that was a customer of Acxiom.

From isn at c4i.org Thu Oct 21 04:10:02 2004 From: isn at c4i.org (InfoSec News) Date: Thu Oct 21 04:27:10 2004 Subject: [ISN] On Trial - Prosecuting cybercrime puts your organization--and your security--on the hot seat. Message-ID: Forwarded from: Carole Fennelly Cc: abriney@infosecuritymag.com

Relevance is definitely important, and I thought that was the point I made here (though it could have been clearer):

"Through the discovery process, the defense counsel has access to all
seized evidence and can subpoena anything that may show negligence or
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
weaken the case--possibly revealing holes in IT security policies, processes and infrastructure. If your security is weak, it's much more difficult to prove that a particular individual was responsible for the crime."

As to the issue of trespass, we don't know that the defendant *has* trespassed, which is why we're in trial (innocent till proven guilty?). The trespass is a matter of fact to be determined by the jury. And it is perfectly relevant to get the architect of the gate in to determine if someone else could have been the guilty party because of a weakness in the gate. 18 USC 1030 states that you have to deliberately trespass or attempt to trespass in order to be found guilty. If through a buggy interface, you inadvertently trespass, there is no guilt under 18 USC 1030. As to the Bloomberg case, the point the defense was making was that the defendant performed a service to demonstrate his skills by reviewing the security of the system and documenting its failings. The Bloomberg people were not aware of the failings before the defendant informed them and were able to redesign the system to be more secure.
The defense contention was that the defendant very naively thought they would be pleased by his unsolicited "service" and pay him for his time (and hire him to do more work). The argument was also on the extortion charge, not just the trespass (there was also argument that he was a valid trial user of the Bloomberg software and was checking the security). Defense contended that extortion was not intended, but there were communication problems (defendant's English wasn't good) and the defendant was being an aggressive "risk taker", much like Michael Bloomberg was himself when he started his company. The US vs. Zezev case is a matter of public record and makes interesting reading, if you are a computer crime geek. The judge, Kimba Wood, did rule that Bloomberg's testimony was relevant, especially regarding his perception on extortion. Bloomberg stated in a previous deposition, unrelated to this case, that he felt a sexual harassment suit filed against his company by a former female executive was a form of extortion. The defense tried to show that Bloomberg saw an extortion attempt where there was none. The point I was making is that you really don't know how the judge will rule on relevance until it comes up. That's why attorneys get to say "Objection: Relevance" and the judge can say "Sustained" or "Overruled".

-cf

>---------- Forwarded message ----------
>Date: Mon, 18 Oct 2004 06:56:25 -0400
>From: "smoshlak@interserv.com"
>To: abriney@infosecuritymag.com
>Cc: isn@c4i.org, isn@attrition.org
>Subject: RE: [ISN] On Trial - Prosecuting cybercrime puts your
> organization--and your security--on the hot seat.
>
>TAC-
>
>Although defense counsel can subpoena records and perform depositions
>(within reason), there has to be something known as relevance to the
>matter. Any competent counsel can have this type of scenario blown out of
>the water, using the following analogy.
>
>A person has entered upon another's property and is charged with trespass.
>Did he crawl over the fence, drive through the fence or parachute onto the
>property? Shall we call in the gate builder, the architect or the
>manufacturer to testify about the security of gate and fence? Whether it
>was made of wood, chain link or of the "concertina-wire" type? It doesn't
>matter, since he has trespassed.
>
>In this case, they were able to identify the who, where and the what.
>Whether or not an institution has a security plan (for purposes of the
>Court), is irrelevant. A computer network is not a swimming pool, which is
>defined by law as an "attractive nuisance." This individual allegedly
>tried to extort money from an entity, whether the threat is real or
>perceived. Specifically speaking, if one walks into a bank and states to
>the teller, "I have a pistol in my pocket and to fill the bag up with
>money..," and doesn't have a pistol, but takes the bank's money, begs the
>question: Is it still robbery?
>
>Having Michael Bloomberg take the stand to testify about his information
>systems security plan or outlining, in detail, his digital infrastructure
>was irrelevant and immaterial, considering the circumstances. The same
>holds true for other employees in his office.
>
>Just my thoughts,
>
>Steven Moshlak
>Expert Witness, Information Security and Technology
>
>Original Message:
>-----------------
>From: InfoSec News isn@c4i.org
>Date: Mon, 18 Oct 2004 01:23:25 -0500 (CDT)
>To: isn@attrition.org
>Subject: [ISN] On Trial - Prosecuting cybercrime puts your
>organization--and your security--on the hot seat.
>
>
>http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss486_art1001,00.html
>
>By Carole Fennelly
>October 2004
>
>Attorney: Is it fair to say that, prior to March 24, 2000, you were
>not aware of [a] bug that allowed someone to enter the system?
>
>Bloomberg: That's correct. It's not just someone. You would have to
>work pretty hard to do it and have to be reasonably competent to do
>it.
> >Attorney: Would it be fair to say that that bug was a dangerous threat >to the security of your system? > >Bloomberg: Absolutely. > >-Testimony of Michael Bloomberg, U.S. v. Zezev From isn at c4i.org Thu Oct 21 04:11:13 2004 From: isn at c4i.org (InfoSec News) Date: Thu Oct 21 04:27:13 2004 Subject: [ISN] Security UPDATE--New Patches, Old Patches, and Loading Patches--October 20, 2004 Message-ID: ==================== This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE. BindView Corporation http://list.windowsitpro.com/cgi-bin3/DM/y/ehuC0MfYqv0Kma0BML50Al IT Security Solutions Roadshow - Coming to your city soon! http://list.windowsitpro.com/cgi-bin3/DM/y/ehuC0MfYqv0Kma0BML60Am ==================== 1. In Focus: New Patches, Old Patches, and Loading Patches 2. Security News and Features - Recent Security Vulnerabilities - Bleeding Edge of Snort - The Blended Threat - A Forgotten Caveat of Patches 3. Security Matters Blog - New JPEG GDI+ Scanning Tool - SANS Top 20 Vulnerabilities 4. Instant Poll 5. Security Toolkit - FAQ - Security Forum Featured Thread 6. New and Improved - Encrypt Sensitive Files ==================== ==== Sponsor: BindView Corporation ==== Hear Simple Nomad speak on assessing and overcoming internal IT threats at a free BindView Corporation web seminar on November 11. He'll cover the things you need to evaluate and do to protect your company's data. He'll cover asset assessment and attack vectors such as direct network assaults, common services attacks and attacks against non-controlled assets. But he won't leave you in the dark. Once he explains the threats, he'll also cover effective ways to mitigate against them. Known throughout the security community, Simple Nomad always provides candid insight into the threats that matter most. 
http://list.windowsitpro.com/cgi-bin3/DM/y/ehuC0MfYqv0Kma0BML50Al ==================== ==== 1. In Focus: New Patches, Old Patches, and Loading Patches ==== by Mark Joseph Edwards, News Editor, mark at ntsecurity / net You probably know that last week, Microsoft released 10 security bulletins that include a barrage of new security patches, many of which the company considers to be of a critical nature. The patches pertain to a wide variety of system components including RPC, Network Dynamic Data Exchange (NetDDE), Web Distributed Authoring and Versioning (WebDAV), the Windows shell, Excel, and much more. When new security vulnerabilities are brought to light, somebody soon releases an exploit to take advantage of unprotected systems. So if you haven't checked into the new bulletins, consider doing so soon if you expect to keep your systems protected. http://www.microsoft.com/technet/security/default.mspx Some of you might still be working to determine which of your systems are affected by the JPEG GDI+ vulnerability that was announced in last month's security bulletins from Microsoft. The company recently released new articles and a new scanning tool to help you identify and replace vulnerable DLLs. If you use the original JPEG GDI+ scanning tool from Microsoft, you've probably figured out that the tool has some significant shortcomings. It might have left you wondering whether you'd really replaced all the vulnerable DLLs on your system. The new tool is an improvement over the original tool, and it can work in conjunction with Microsoft Systems Management Server (SMS). You can link to more information about the new tool in the "New JPEG GDI+ Scanning Tool" blog entry below. If you're still working to install Windows XP Service Pack 2 (SP2), you might come across instances in which certain applications cease to function the way they did before you installed the new service pack. Some applications stop working correctly because of the new Windows Firewall. 
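An added example, not part of the newsletter and not Microsoft's scanning tool, of the inventory step the JPEG GDI+ paragraph above describes: walk a drive, list every copy of gdiplus.dll (application-local and side-by-side copies included, which is where a system32-only check goes wrong) and flag the ones below a patched build. The search root and the threshold 5.1.3102.1360 are assumptions for illustration; the bulletin lists the fixed build per product and bundled copies carry their own version series, so substitute the bulletin's numbers for each platform you check:

```powershell
# Added example (not the newsletter's or Microsoft's code): inventory gdiplus.dll
# copies on a drive and flag those older than an assumed patched build.
$PatchedVersion = New-Object System.Version '5.1.3102.1360'   # assumed threshold; confirm against MS04-028
$Roots          = @("$env:SystemDrive\")                     # add other drives that host applications

function Get-GdiPlusInventory {
    param([string[]]$SearchRoots, [System.Version]$Fixed)
    foreach ($root in $SearchRoots) {
        # -Force includes hidden/system directories; access errors are skipped, not fatal
        Get-ChildItem -Path $root -Filter 'gdiplus.dll' -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            # Build a comparable Version from the numeric parts rather than parsing the
            # FileVersion string, which some builds pad with branch text.
            $v  = New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
            [pscustomobject]@{
                Path       = $_.FullName
                Version    = $v
                Vulnerable = ($v -lt $Fixed)
                Modified   = $_.LastWriteTime
            }
        }
    }
}

$inventory = Get-GdiPlusInventory -SearchRoots $Roots -Fixed $PatchedVersion
$inventory | Sort-Object Vulnerable -Descending | Format-Table -AutoSize

# Keep the flagged copies for the patch run; a copy under an application's own
# directory is replaced by that application's update, not by the OS patch.
$inventory | Where-Object { $_.Vulnerable } |
    Export-Csv -NoTypeInformation -Path .\gdiplus-vulnerable.csv
```

Run it elevated so protected directories are readable, and treat a non-empty CSV as a work list rather than a verdict: an old copy inside an application directory still needs that vendor's update even after the operating-system patch is installed.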
The Microsoft article "Some programs seem to stop working after you install Windows XP Service Pack 2" ( http://support.microsoft.com/?kbid=842242 ) offers a list of some of the more popular applications that might be affected. The article describes which ports need to be open for a listed application and why they need to be open. The article also provides advice about how to determine which ports need to be open for applications that aren't listed. And since I mentioned XP SP2, did you know that the service pack adds a new option to the system shutdown dialog box? The new option lets any newly downloaded updates be installed before the system is shut down and the computer is powered off. This way, the updates can be installed when you're finished using the system instead of when you're trying to get some work done in the middle of the day. You can adjust registry settings to control whether the new option is displayed to users and whether the option is the default setting. You can read about this feature and other changes introduced by XP SP2 in "Changes to Functionality in Microsoft Windows XP Service Pack 2" ( http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2chngs.mspx ). ==================== ==== Sponsor: IT Security Solutions Roadshow - Coming to your city soon! ==== Viruses and security intrusions are always a threat. Take action before they reach your network. Join McAfee and Microsoft for a free half-day event that will give you the practical hands-on experience you need to help secure your organization. If you've joined us for our past security events, you won't want to miss this Roadshow. Take your security to the next level. We'll help you implement a step-by-step action plan to secure your network with antivirus and intrusion prevention strategies. Register today! http://list.windowsitpro.com/cgi-bin3/DM/y/ehuC0MfYqv0Kma0BML60Am ==================== ==== 2. 
Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://www.windowsitpro.com/departments/departmentid/752/752.html News: Bleeding Edge of Snort A new Web site, The Bleeding Edge of Snort, is available for those who use the Snort open source Intrusion Detection System (IDS). Among other things, the site offers new Snort rules that aren't necessarily part of the regular Snort rules distribution. http://www.winnetmag.com/Article/ArticleID/44208/44208.html Feature: The Blended Threat One of Alan Sugano's clients recently had a laptop that was infected with a virus and lots of spyware. The company cleaned the laptop and gave it back to the user. A few days later, the client called to tell Sugano that Internet access was down at one of its remote locations. He went to the remote site to troubleshoot the Internet connection. The firewall was getting bombarded with so many packets that it was crashing. Read this article to learn what Sugano discovered and how he remedied the situation. http://www.winnetmag.com/Article/ArticleID/44206/44206.html Feature: A Forgotten Caveat of Patches David Chernicoff tends to be somewhat obsessive about keeping all the computers he's directly responsible for updated with patches and hotfixes. This attention to detail has paid off: he has yet to have a virus or security exploit on one of his personal computers, nor has he had to deal with malware outbreaks or anything of that nature. Unfortunately, he's not always able to convey his sense of urgency to his friends and clients. Read what Chernicoff discovered about one of his clients' mission-critical computer systems. 
http://www.winnetmag.com/Article/ArticleID/44211/44211.html

==================== ==== Announcements ==== (from Windows IT Pro and its partners) Free Exchange Server 2003 eBook--Chapter 7 Now Available Download the latest chapter, "Administration Best Practices." Learn easy steps to prevent disasters and maintain a healthy system. You'll learn how to understand message stores, backup and restore procedures, performance, and the recovery process. Get the latest chapter now! http://list.windowsitpro.com/cgi-bin3/DM/y/ehuC0MfYqv0Kma0BMKN0AB Do You Have What It Takes to Compete in the IT Prolympics? Compete in the first-ever IT Prolympics to test your Active Directory knowledge against your peers. You could win recognition and great prizes. The IT Prolympian grand prize is an expense-paid trip to TechEd 2005. Enter the competition at http://list.windowsitpro.com/cgi-bin3/DM/y/ehuC0MfYqv0Kma0BMKO0AC New half-day seminar! The Enterprise Alliance Roadshow Come and join us for this free event and find out how a more strategic and holistic approach to IT planning helps organizations increase operational efficiency and facilitate the implementation of new technology. Sign up today. Space is limited. http://list.windowsitpro.com/cgi-bin3/DM/y/ehuC0MfYqv0Kma0BMH40Ag ====================

==== 3. Security Matters Blog ==== by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters Check out these recent entries in the Security Matters blog:

New JPEG GDI+ Scanning Tool Microsoft released a new tool, the MS04-028 Enterprise Update Scanning Tool, that can help you scan your systems for DLLs that are vulnerable to JPEG GDI+ exploits. The tool also updates the outdated DLLs discovered in the scanning process. Microsoft also released a new article, "GDI+ 1.0 Security Update Overview," that offers an overview of the recent GDI+ fixes and other relevant information.
http://www.winnetmag.com/Article/ArticleID/44253/4425.html

SANS Top 20 Vulnerabilities SANS released its annual Top 20 list of Internet security vulnerabilities. According to SANS, the list is compiled by consensus of contributors from "government agencies in the UK, US, and Singapore; the leading security software vendors and consulting firms; the top university-based security programs; many other user organizations; and the SANS Institute." http://www.winnetmag.com/Article/ArticleID/44214/44214.html

==== 4. Instant Poll ==== Results of Previous Poll: Have you been affected by a recent JPEG GDI+ exploit? The voting has closed in this Windows IT Pro Security Hot Topic nonscientific Instant Poll. Here are the results from the 72 votes.
- 1% Yes
- 50% No, we've patched our systems
- 3% No, we've patched our systems and removed vulnerable JPEG images
- 29% No
- 17% I'm not certain

New Instant Poll: Do you use Mac OS X on your network? Go to the Security Hot Topic and submit your vote for
- Yes
- No, but we intend to
- No
- I'm not sure
http://www.windowsitpro.com/windowssecurity#poll

==== 5. Security Toolkit ==== FAQ by John Savill, http://www.windowsitpro.com/windowsnt20002003faq Q: When I run Norton AntiVirus 2005, why do I receive an error stating that the program can't be repaired and must be reinstalled? Find the answer at http://www.winnetmag.com/Article/ArticleID/44191/44191.html

Security Forum Featured Thread A reader needs to create 84 new folders and assign certain NTFS permissions to each of those folders. He's written a simple batch script that creates all the folders, but he doesn't know how to make the script assign appropriate permissions.
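One way to script the permission step the forum thread describes, as an added example rather than the reader's batch script or anything posted in the thread: create each folder, break inheritance so the parent share's broader access control entries do not leak into it, and grant an explicit, least-privilege ACL. The base path D:\Shares\Projects, the ProjectNNN naming pattern and the group CONTOSO\Project-Users are assumptions for illustration:

```powershell
# Added example (not the reader's script): create N folders and give each an explicit NTFS ACL.
$Base   = 'D:\Shares\Projects'        # assumed base path
$Count  = 84
$Group  = 'CONTOSO\Project-Users'     # assumed group that gets Modify
$Admins = 'BUILTIN\Administrators'    # gets Full Control

function New-SecuredFolder {
    param([string]$Path, [string]$ModifyIdentity, [string]$FullControlIdentity)

    $dir = New-Item -ItemType Directory -Path $Path -Force
    $acl = Get-Acl -Path $dir.FullName

    # Stop inheriting from the parent and drop the inherited copies, so the
    # folder ends up with exactly the rules below and nothing the parent grants.
    $acl.SetAccessRuleProtection($true, $false)

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $rules   = @(
        New-Object System.Security.AccessControl.FileSystemAccessRule($FullControlIdentity,  'FullControl', $inherit, $prop, 'Allow'),
        New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM', 'FullControl', $inherit, $prop, 'Allow'),
        New-Object System.Security.AccessControl.FileSystemAccessRule($ModifyIdentity,       'Modify',      $inherit, $prop, 'Allow')
    )
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }

    Set-Acl -Path $dir.FullName -AclObject $acl
    return $dir.FullName
}

# Create Project001 .. Project084 under the base path.
1..$Count | ForEach-Object {
    $name = 'Project{0:D3}' -f $_
    New-SecuredFolder -Path (Join-Path $Base $name) -ModifyIdentity $Group -FullControlIdentity $Admins
}

# Verification pass: report any folder that still carries an ACE for a broad
# principal, which would mean inheritance was not broken or a rule was added by hand.
Get-ChildItem -Path $Base -Directory | ForEach-Object {
    $acl = Get-Acl -Path $_.FullName
    $broad = $acl.Access | Where-Object { $_.IdentityReference -match 'Everyone|BUILTIN\\Users' }
    if ($broad) {
        '{0}: unexpected ACE for {1}' -f $_.FullName, (($broad | ForEach-Object { $_.IdentityReference }) -join ', ')
    }
}
```

Breaking inheritance is the part worth getting right: if the parent directory grants BUILTIN\Users read access, every new folder silently inherits it, and adding the project group's Modify rule on top does nothing to remove that. The verification loop at the end is there to catch exactly that case after the script has run.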
Join the discussion at http://www.winnetmag.com/Forums/messageview.cfm?catid=42&threadid=126434 ==================== ==== Events Central ==== (A complete Web and live events directory brought to you by Windows IT Pro at http://www.windowsitpro.com/events ) Get the Inside Secrets to Assuring Policy Compliance In this free Web Seminar, you'll learn the secrets to keeping up with the latest knowledge on security regulations, vulnerabilities, exploits, and best practices to create an effective policy management lifecycle in your organization. Discover how to reduce risks and secure assets in your IT environment to improve policy compliance. Register now! http://list.windowsitpro.com/cgi-bin3/DM/y/ehuC0MfYqv0Kma0BMH50Ah ==================== ==== 6. New and Improved ==== by Renee Munshi, products@windowsitpro.com Encrypt Sensitive Files CadabraSoftware offers P-Encryption Suite 2.2.4, a Windows encryption program that stores all private and sensitive documents in one encrypted file. Emphasizing usability, P-Encryption Suite lets you view or edit a file that's been encrypted by using a plug-in from the program's library or by using the file's default application. You can choose from four encryption algorithms, including 256-bit Advanced Encryption Standard (AES--Rijndael) and 448-bit BlowFish encryption. P-Encryption Suite provides additional privacy solutions, including encrypted email, an encrypted address book, and anti-keystroke-logging protection. P-Encryption Suite runs under Windows 2003/XP/2000/NT 4.0/Me/98 and costs $34.95 for a single-user license (multi-user discounts are available). You can download a free, fully-functional 30-day trial version. For more information, go to http://www.cadabrasoftware.com Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? 
Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com. Editor's note: Share Your Security Discoveries and Get $100 Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rsecadmin@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length. ==================== ==== Contact Us ==== About the newsletter -- letters@windowsitpro.com About technical questions -- http://www.windowsitpro.com/forums About product news -- products@windowsitpro.com About your subscription -- windowsitproupdate@windowsitpro.com About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com ==================== This email newsletter is brought to you by Security Administrator, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today. http://www.secadministrator.com/rd.cfm?code=00ep254xeb View the Windows IT Pro privacy policy at http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy Windows IT Pro, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2004, Penton Media, Inc. All rights reserved. From isn at c4i.org Thu Oct 21 04:11:29 2004 From: isn at c4i.org (InfoSec News) Date: Thu Oct 21 04:27:14 2004 Subject: [ISN] What your CEO thinks about security (and how to change it) Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,96803,00.html Advice by Larry Ponemon OCTOBER 20, 2004 COMPUTERWORLD Up to now, enterprises' security budgets have been so lean they could almost be considered anorexic. 
That's because CEOs have considered security as necessary but haven't bought the argument that there is an economic advantage to going above a minimal level of security. Unfortunately, CEOs have persisted in focusing on four basic questions that too often stump the most savvy IT professionals:
* What is the security return on investment?
* What is the probability of a catastrophic security failure?
* What is the cost of self-insuring against security risks?
* What are the tangible benefits of being an industry leader for security?

To help IT professionals talk to CEOs about security issues, a newly formed think tank called the Security Leadership Institute, sponsored by Unisys Corp., has conducted in-depth interviews with CEOs and board members. Board members of the institute (including myself) -- recognized security experts from business and government -- interviewed more than 25 CEOs and public-sector agency chiefs, focusing on what they think the value proposition of security is to their enterprise. We believe that the results from our work will help IT professionals make the case for the many benefits that can be realized from a more robust investment in security.

What We Learned Most CEOs interviewed in our study viewed both physical and information security as purely tactical, rather than as a strategic imperative. In their minds, security means either protection of assets or prevention of IT-related risks, such as hacking attacks and other cybercrime. Some CEOs viewed security as an element of a larger business risk-management process. In almost all cases, though, CEOs in the private and public sectors did not embrace security as something directly related to corporate mission or strategy. In short, the CEO perspective was consistent with what we already knew. That is, they view security as an operating necessity, not as a business opportunity or marketplace advantage.
The following are a few of the comments these leaders made when asked to explain, in their own words, the value proposition of security: * Security is all about preventing bad behavior from affecting our organization. * The only value of security is the prevention or fast detection of a breach or violation. * There is no real value in becoming the industry leader or exemplar for security. * Too much security and a control orientation will prevent our organization from taking justifiable risks. * Most security technologies don't work and are a waste of time and resources for our company. * Security spending is a pure cost of compliance. * Security is best handled as a middle management responsibility. * Most security problems occur because of sloppy internal procedures rather than poor IT controls and safeguards. Despite the consistently nonstrategic tone of the responses, we decided to probe further based on our gut instinct that there was something more to learn. We believed that CEOs understood the consequences of bad security practices but couldn't quite articulate the value proposition of good security. So we asked questions that focused on outcomes or consequences of maintaining a secure environment. The Trust Factor The answers to those additional questions revealed that CEOs fully acknowledge the value of having a secure environment as a way to protect brand and reputation. In their minds, superior IT and physical security practices are necessary to achieve organizational trustworthiness in the eyes of key stakeholders. According to our interviewees, organizations that do it "right" in reaching a high trust status achieve real advantages, such as employee productivity, customer loyalty, product or service innovation, reduced failure and decreased compliance risks. We asked them to define what they would consider to be a trusted enterprise. The definition below is based on common themes that emerged from our discussions. 
"The trusted enterprise is an organization embracing a set of corporate values and behaviors that guide all business practices. It is a highly ethical organization that treats its customers, employees, partners and shareholders with respect and stewardship. The CEO and board are deeply engaged in managing the organization's operating risk in a way that delivers maximum value in a safe and secure environment." We collected several interesting case histories from CEOs that help explain their view of the benefits of becoming a trusted enterprise. Here are just two examples: * A regional hospital is investing heavily in technology to increase facility security and protect its patients, particularly infants. It recently implemented a wireless solution to track employee movement within the hospital. Although there were initial concerns from nurses that tracking would be used as a tool to measure productivity surreptitiously, they soon discovered the real benefits. Not only did patients and newborns' parents gain greater security and peace of mind; the messaging capabilities also allowed more mature patients to communicate their care needs directly to their nurses rather than through room-to-room paging systems. Nurses found that the tool helped them deliver superior patient care. * A Canadian technology company working to comply with U.S. Department of Justice security requirements discovered the unintended benefits of speed and operational excellence. As they sought to meet security and network availability requirements, they developed new processes and applications that reduced their computer restore and repair time from a day to minutes. They are now exploring packaging these applications to create a new set of products and services to offer their customers. Becoming a Trusted Enterprise So, what does it take to become a trusted enterprise? 
First, according to the CEOs, a trusted enterprise manages its security responsibilities in a more holistic way than less trusted ones. For example, trusted organizations are more likely to integrate security into core business processes and to establish oversight and governance through cross-functional teams that span the entire enterprise. Second, they know it is important to have a highly secure environment to protect brand and image in the marketplace. For example, trusted organizations are more likely to have implemented IT resilience to endure attacks by malicious employees or hackers. According to CEOs, the trusted enterprise achieves harmony between security and business goals by pursuing four basic operating principles. * Proactive management of operational risks, such as security and internal controls, by paying close attention to early indicators of problems that might diminish the entity's brand or reputation in the marketplace. * Transparency in core operating practices, especially those concerning the ethical use and sharing of sensitive or confidential business information. * CEO and board understanding of the organization's risk profile, providing executive-level support and necessary resources to achieve security goals. * Compliance-savvy culture, with clear accountabilities for security and control promoted and vigorously monitored throughout the enterprise. Take Action If you find it hard to talk security with your CEO, here are five issues with potential business impact that resonate with top executives and could be excellent points to include at your next meeting: 1. We need to stay ahead of the curve on new and emerging regulatory requirements. 2. We will aim to have fewer network security breaches and downtime from network failure. 3. Our programs will provide better control over assets and our intellectual properties. 4. We will empower employees to understand their responsibility in creating a secure workplace. 5. 
We will create a culture that respects the importance of protecting information entrusted to the company's care. While security may not be a top-of-mind consideration for senior executives, the Security Leadership Institute's research indicates that trust will get their attention. We now believe that CEOs really can see the need to incorporate security as a foundation for their trusted enterprise. Dr. Larry Ponemon is chairman of Ponemon Institute, a think tank in Tucson, Ariz., dedicated to ethical information management practices and research. Ponemon is an adjunct professor of ethics and privacy at Carnegie Mellon University's CIO Institute and is a CyLab faculty member. He can be reached at larry@ponemon.org. From isn at c4i.org Thu Oct 21 04:11:39 2004 From: isn at c4i.org (InfoSec News) Date: Thu Oct 21 04:27:15 2004 Subject: [ISN] Google fixes security hole Message-ID: http://news.com.com/Google+fixes+security+hole/2100-1038_3-5420211.html By Stefanie Olsen Staff Writer, CNET News.com October 20, 2004 Google on Thursday fixed a security flaw in its Web search service that could have allowed malicious hackers to modify its pages. According to a report posted to the Bugtraq Security Focus list on Wednesday, Google's new Desktop Search tool did not prevent a hacker from inserting JavaScript, a programming language, into the Web address of its page image, or logo. That vulnerability could have allowed any rogue third party to change the appearance of Google's Web page to ask for personal data such as credit card numbers from its visitors, what's known as a phishing scam, according to the warning. Mountain View, Calif.-based Google said it has fixed the problem. "Google was recently alerted to a potential security vulnerability affecting users of our Web site," a company representative said. "We have since fixed this vulnerability, and all current and future Google.com users are protected." 
The warning came only a week after Google released its newest Web search product--a tool to search the files on a PC alongside Web pages. Security experts have scrutinized the technology, with some interesting finds. Last week, security consultant Richard Smith found clues that could point to a coming instant chat client from the search giant.

Jim Ley, who runs a Web log, posted the warning about Google's script-insertion flaw, which he said has affected Google's main site for as long as two years. But with the addition of Google Desktop, the flaw became more serious, he said, because "it places the results of a desktop search into the output of a regular Google search." He said that the flaw could have allowed third parties to make a record of all the searches people make.

The flaw primarily had affected people using Microsoft's Internet Explorer Web browser, Ley said.

From isn at c4i.org Thu Oct 21 04:11:48 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 21 04:27:17 2004
Subject: [ISN] New IE Bugs Open Up XP SP2 To Attack
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml;jsessionid=OLRHTRVYFRIOGQSNDBGCKH0CJUMEKJVN?articleID=50900322

By TechWeb.com
Oct. 20, 2004

Two new vulnerabilities in Internet Explorer 6.0 were unveiled by a security firm Wednesday that hackers could exploit to bypass security features even in Microsoft's most secure OS, Windows XP SP2.

According to Danish security company Secunia, the "highly critical" vulnerabilities stem from a flaw in IE's drag-and-drop feature and in the browser's security zone. Hackers could exploit these bugs by enticing users to malicious Web sites, where specially crafted files--including image and help files--could compromise the PC, leaving it open to attack or hijack.

Both bugs can be exploited to circumvent Windows XP SP2's Local Computer zone lockdown security feature, said Secunia.

"This has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2," wrote Secunia in its online alert.

As is its usual practice when it touts critical problems in IE, Secunia recommended that users either disable Active Scripting in the browser, or switch to an alternate, such as Mozilla's Firefox.

From isn at c4i.org Thu Oct 21 04:12:06 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 21 04:27:19 2004
Subject: [ISN] ATMs in peril from computer worms?
Message-ID:

http://www.theregister.co.uk/2004/10/20/atm_viral_peril/

By John Leyden
20th October 2004

Some anti-virus firms are trying to carve out a new market for their technology by trying to persuade banks that Automatic Teller Machines (ATMs) running Windows need protecting from computer worms. Trend Micro and Computer Associates have both identified this niche, but some rivals question the immediate need for content filtering on cash points.

The new generation of Automatic Teller Machines (ATMs) are migrating from the IBM OS/2 operating system to Microsoft Windows and IP networks. This saves costs and enhances customer services. But it also means that ATMs are now at risk from computer worms, according to Trend Micro.

"Previously isolated cash machines can now be infected by self-launching network viruses via the banks' IP networks. Infections have the potential to bring down ATM machines, incurring downtime, customer dissatisfaction and increased costs fixing infected machines," it warns.

Last August, the Nachi (Welchia) worm contaminated the cash machines at two financial institutions. When the Slammer virus hit the back end systems of the Bank of America in January 2003, 13,000 US ATMs became unavailable.

Scary stuff. But never fear, Trend Micro is on hand to offer assistance. The Japanese-based firm is launching hardware-based network worm filtering technology specially designed for ATMs at a conference later this month.

As well as launching its Network VirusWall 300 hardware, Trend will also be exhibiting at the annual ATM security conference (ATM Sec 4) in London on 25 and 26 October.

Raimund Genes, European president of Trend Micro, said that 70 per cent of ATMs are based on either XP or embedded XP. "That's the way manufacturers are taking the ATM and ticketing machine market," he said. "There really isn't much choice."

Computer Associates offers a software development kit that can be applied to systems based on embedded XP. Genes argued that producing AV systems for embedded XP terminals is far from straightforward: using existing enterprise content filtering gateways to protect ATMs would be "overkill". Hardware-based network worm filtering, such as Trend intends to launch, offers a better approach, he argued.

But other security vendors question the need for the technology. Nigel Hawthorn, of security appliance firm Blue Coat Systems, said that ATMs commonly operate on a separate physical network, which is closed. "Sasser hit the back-end systems of banks, not ATM machines," he said.

David Emm, senior technology consultant at anti-virus supplier Kaspersky, agrees. "The threat to ATMs is related to how closely they are integrated with the outside world. Normally ATMs are kept on separate systems. Online financial (ebanking) systems are far more at risk," he said.

Trend's Genes said the barriers between the network used by ATMs and the wider Internet are being lowered as banks switch from older telecoms technologies to IP-based networks. He acknowledged that widely deployed AV technology alone is failing to protect enterprises from fast-spreading worms. But Trend's worm filtering tech would prove far more successful in keeping cashpoints up and running in the face of viral onslaught, he says.
From isn at c4i.org Thu Oct 21 04:17:25 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 21 04:27:20 2004
Subject: [ISN] 50 hackers 'stole' $28m
Message-ID:

http://www.news24.com/News24/World/News/0,,2-10-1462_1608465,00.html

Edited by Andiswa Mesatywa
21/10/2004

Rio De Janeiro - Brazil's federal police on Wednesday arrested 50 hackers who were accused of using the internet to syphon off $28m from bank accounts of private citizens.

Authorities said that hackers attacked some of the leading technology users in Brazil's financial sector: Caixa Economica Federal, Banco do Brasil, HSBC, Bradesco, Unibanco and Itau.

Most of the suspects are under 25 years old, a police spokesperson said.

Investigators found that the online thieves sent their victims email messages. Once the unsuspecting depositors opened the messages, their banking information and personal access codes became available to the hackers, who were able to transfer money out of the accounts to other bank accounts.

From isn at c4i.org Fri Oct 22 02:07:03 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Oct 22 02:19:03 2004
Subject: [ISN] Presidential candidates differ in IT questionnaire
Message-ID:

http://www.nwfusion.com/news/2004/1021presicandi.html

By Grant Gross
IDG News Service
10/21/04

President George W. Bush and Democratic challenger John Kerry both advocate universal access to broadband and stronger cybersecurity but the two candidates disagree in their approaches in answers given in a tech policy questionnaire released by the Computing Technology Industry Association.

The Bush campaign, answering a question about broadband adoption, talked about pushing for an Internet tax moratorium and deregulating broadband infrastructure. Bush also noted broadband deployment has grown from 7 million U.S. homes in December 2000 to 28 million homes in December 2003.

"By applying 21st century policy to 21st century technology, we will encourage new investment that will bring broadband to more homes in more areas of America," the Bush campaign said in its answer.

Kerry, a Massachusetts senator, advocated a 10% tax credit for investments in broadband technology in rural areas and inner cities. Investments in broadband technologies that are 20 times faster than current broadband technologies would receive a 20% tax credit under the Kerry plan.

"I support a telecommunications policy that will promote investment, encourage competition, deliver new services, unleash innovation, and accelerate the development of universal, affordable broadband networks and applications," the Kerry campaign wrote in its response. "By bringing more opportunity to rural America, the telecommunications revolution can strengthen the social fabric of many communities."

CompTIA's questionnaire [1] asked both campaigns to answer 12 technology-related questions, and both campaigns returned responses within about 10 days. The questionnaire is designed to help the trade group's 20,000 business members quickly get information about the candidates' views on tech-related issues, said Roger Cochetti, CompTIA's group director of public policy.

Asked about cybersecurity, Kerry called for a "real partnership" between government and private industry. He also said he plans to push global standards and practices, although he didn't give details.

"We need a president who will devote the energy of the White House to making our networks -- our 21st century infrastructure -- stronger and more secure," the Kerry campaign wrote. "That means supporting a cyber security intelligence system ready to detect these threats. I will implement global standards and best practices so that weak links are strengthened."

Bush's response about cybersecurity focused on his National Strategy to Secure Cyberspace, released in February 2003. The Bush campaign answer noted the strategy includes priorities such as a national security response system, and a government cyberspace security program. Some pieces of the strategy have been implemented or are being developed.

"Given the enormous importance of e-commerce, Internet-based communications, and the use of cyberspace to control portions of our physical infrastructure, cyber security is critical," the Bush campaign wrote. "The investments being made today in securing our Nation's cyber infrastructure and in cyber security R&D are working to ensure that future generations of network software and hardware are less vulnerable to an attack and can maintain critical operations even when compromised."

The questionnaire also asked the candidates what the federal policy should be toward protecting intellectual property. Bush answered that violations of intellectual property law need to be enforced without outlawing technologies.

"Technology is a critical conduit of information and sometimes can be misused for illegal copyright infringement," the Bush campaign wrote. "Blaming the technology does not address the issue. We must vigorously enforce intellectual property protections and prosecute the violations, not the technology."

Kerry also advocated laws that protect intellectual property, but he said he's open to new legislation that would protect consumers by allowing them to back up digital works or transfer digital works to other devices.

"We must ensure that our laws protect the creations of individuals and companies while not unreasonably stifling technological innovation," the Kerry campaign wrote.

Many of the answers the candidates provided CompTIA are available in various places elsewhere, but most technology issues have not been among the top concerns during the campaign. Bush has pushed for the healthcare industry to adopt electronic medical records and other technology advances in his stump speech recently, while Kerry has hammered the Bush administration on offshore outsourcing, saying Bush has done nothing to discourage U.S. companies from moving jobs overseas.

The relative lack of attention to IT issues has caused some grumbling in the tech community. On Tuesday, Intel CEO Craig Barrett complained of a lack of attention from the two presidential candidates. He reportedly complained of "the lack of attention by the presidential nominees to how the United States is losing its competitive edge over other nations on education, technological infrastructure and research and development."

But CompTIA's Cochetti argued that both campaigns' quick response to the questionnaire means the candidates are interested in technology issues.

"Both of them recognize that the technology sector is a very important segment of the economy," he said. "Technology-oriented workers and voters are really part of a very key target for both campaigns, because they are widely perceived to be one of the undecided segments."

[1] http://www.comptia.org/pressroom/election_2004.aspx

From isn at c4i.org Fri Oct 22 02:07:14 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Oct 22 02:19:06 2004
Subject: [ISN] Purdue computer system hacked
Message-ID:

http://www.indystar.com/articles/7/188156-5277-102.html

Associated Press
October 21, 2004

WEST LAFAYETTE, Ind. -- Someone gained unauthorized access to Purdue's computers, prompting school officials today to urge all students, staff and faculty to change their passwords.

"We have confirmed that some computer passwords have been obtained by unauthorized users accessing a number of computer systems," said Scott Ksander of Purdue's information technology office. "The full extent of the problem is still being analyzed, but we think it is important to exercise caution, and the best action to take is for all users to change their passwords at this time."

Purdue officials said that after the initial breach was detected, an investigation found that computers in several locations on the 38,000-student West Lafayette campus had been accessed. The Purdue police department was notified of the hacking Wednesday.

The school has not been able to determine whether personal information was copied by the hacker. Ksander said computer users should watch for signs that their personal information might have been obtained by others.

"Purdue's information technology professionals identified the situation quickly and now are working hard to determine the extent of the problem," said Joseph Bennett, vice president for university relations.

From isn at c4i.org Fri Oct 22 02:07:31 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Oct 22 02:19:07 2004
Subject: [ISN] Five mistakes of log analysis
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,96587,00.html

Opinion by Anton Chuvakin
netForensics Inc.
OCTOBER 21, 2004
COMPUTERWORLD

As the IT market grows, organizations are deploying more security solutions to guard against the ever-widening threat landscape. All those devices are known to generate copious amounts of audit records and alerts, and many organizations are setting up repeatable log collection and analysis processes.

However, when planning and implementing log collection and analysis infrastructure, the organizations often discover that they aren't realizing the full promise of such a system. This happens due to some common log-analysis mistakes.

This article covers the typical mistakes organizations make when analyzing audit logs and other security-related records produced by security infrastructure components.

No. 1: Not looking at the logs

Let's start with an obvious but critical one.
While collecting and storing logs is important, it's only a means to an end -- knowing what's going on in your environment and responding to it. Thus, once technology is in place and logs are collected, there needs to be a process of ongoing monitoring and review that hooks into actions and possible escalation.

It's worthwhile to note that some organizations take a half-step in the right direction: They review logs only after a major incident. This gives them the reactive benefit of log analysis but fails to realize the proactive one -- knowing when bad stuff is about to happen.

Looking at logs proactively helps organizations better realize the value of their security infrastructures. For example, many complain that their network intrusion-detection systems (NIDS) don't give them their money's worth. A big reason for that is that such systems often produce false alarms, which leads to decreased reliability of their output and an inability to act on it. Comprehensive correlation of NIDS logs with other records such as firewall logs and server audit trails, as well as vulnerability and network service information about the target, allows companies to "make NIDS perform" and gain new detection capabilities.

Some organizations also have to look at log files and audit trails due to regulatory pressure.

No. 2: Storing logs for too short a time

This makes the security team think they have all the logs needed for monitoring and investigation (while saving money on storage hardware), and then leads to the horrible realization after an incident that all the logs are gone because of the retention policy. The incident is often discovered a long time after the crime or abuse has been committed.

If cost is critical, the solution is to split the retention into two parts: short-term online storage and long-term off-line storage. For example, archiving old logs on tape allows for cost-effective off-line storage, while still enabling future analysis.

No. 3: Not normalizing logs

What do we mean by "normalization"? It means we can convert the logs into a universal format, containing all the details of the original message but also allowing us to compare and correlate different log data sources such as Unix and Windows logs.

Across different application and security solutions, log format confusion reigns: some prefer Simple Network Management Protocol, others favor classic Unix syslog. Proprietary methods are also common. Lack of a standard logging format leads to companies needing different expertise to analyze the logs. Not all skilled Unix administrators who understand syslog format will be able to make sense out of an obscure Windows event log record, and vice versa. The situation is even worse with security systems, because people commonly have experience with a limited number of systems and thus will be lost in the log pile spewed out by a different device.

As a result, a common format that can encompass all the possible messages from security-related devices is essential for analysis, correlation and, ultimately, for decision-making.

No. 4: Failing to prioritize log records

Assuming that logs are collected, stored for a sufficiently long time and normalized, what else lurks in the muddy sea of log analysis? The logs are there, but where do we start? Should we go for a high-level summary, look at most recent events or something else?

The fourth error is not prioritizing log records. Some system analysts may get overwhelmed and give up after trying to chew a king-size chunk of log data without getting any real sense of priority. Thus, effective prioritization starts from defining a strategy. Answering questions such as "What do we care about most?" "Has this attack succeeded?" and "Has this ever happened before?" helps to formulate it.

Consider these questions to help you get started on a prioritization strategy that will ease the burden of gigabytes of log data, collected every day.

No. 5: Looking for only the bad stuff

Even the most advanced and security-conscious organizations can sometimes get tripped up by this pitfall. It's sneaky and insidious and can severely reduce the value of a log-analysis project. It occurs when an organization is only looking at what it knows is bad.

Indeed, a vast majority of open-source tools and some commercial ones are set up to filter and look for bad log lines, attack signatures and critical events, among other things. For example, Swatch is a classic free log-analysis tool that's powerful, but only at one thing -- looking for defined bad things in log files.

However, to fully realize the value of log data, it needs to be taken to the next level -- to log mining. In this step, you can discover things of interest in log files without having any preconceived notion of what you need to find. Some examples include compromised or infected systems, novel attacks, insider abuse and intellectual property theft. It sounds obvious: How can we be sure we know of all the possible malicious behavior in advance?

One option is to list all the known good things and then look for the rest. It sounds like a solution, but such a task is not only onerous, but also thankless. It's usually even harder to list all the good things than it is to list all the bad things that might happen on a system or network. So many different events occur that weeding out attack traces just by listing all the possibilities is ineffective. A more intelligent approach is needed.

Some of the data mining (also called "knowledge discovery in databases") and visualization methods actually work on log data with great success. They allow organizations to look for real anomalies in log data, beyond "known bad" and "not known good."

Avoiding these mistakes will take your log-analysis program to the next level and enhance the value of your company's security and logging infrastructures.
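The normalization, prioritization and "beyond known bad" steps of mistakes 3 to 5, as an added example that is not from the article or from netForensics: constructed syslog and Windows-style records are parsed into one schema, scored (a successful logon from an address that already failed is escalated, answering "has this attack succeeded?"), and compared against a constructed baseline so that unfamiliar events surface without a signature. The universal field set, the severity table, the key=value export format and the baseline are assumptions made for illustration.

```python
"""Log normalization, prioritization and baseline comparison (added example).

Constructed sample records only; the universal schema, severity table and
baseline are assumptions for illustration, not netForensics' format.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed Unix syslog lines (sshd and cron on one host).
SYSLOG_LINES = [
    "Oct 21 02:14:07 web01 sshd[1123]: Failed password for root from 10.0.0.9 port 51122 ssh2",
    "Oct 21 02:14:09 web01 sshd[1123]: Failed password for root from 10.0.0.9 port 51124 ssh2",
    "Oct 21 02:14:12 web01 sshd[1125]: Accepted password for root from 10.0.0.9 port 51130 ssh2",
    "Oct 21 02:20:00 web01 CRON[1200]: (root) CMD (run-parts /etc/cron.hourly)",
]
# Constructed Windows Security log records as a key=value text export
# (the event IDs are the real ones: 4625 failed logon, 4624 logon, 1102 log cleared).
WINDOWS_LINES = [
    "EventID=4625 Computer=DC01 TargetUserName=admin IpAddress=10.0.0.9 Status=0xC000006D",
    "EventID=4624 Computer=DC01 TargetUserName=admin IpAddress=10.0.0.9 LogonType=10",
    "EventID=1102 Computer=DC01 SubjectUserName=admin",
]


@dataclass(frozen=True)
class Event:
    """One record in the universal format; 'raw' keeps the original message."""
    source: str   # "syslog" or "windows"
    host: str
    kind: str     # auth_fail, auth_ok, log_cleared, scheduled_job, other, unparsed
    user: str
    src_ip: str
    raw: str


SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_AUTH_RE = re.compile(r"^(Failed|Accepted) \S+ for (?:invalid user )?(\S+) from (\S+)")
WIN_KINDS = {"4625": "auth_fail", "4624": "auth_ok", "1102": "log_cleared"}


def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return Event("syslog", "?", "unparsed", "", "", line)
    auth = SSH_AUTH_RE.match(m["msg"])
    if m["prog"] == "sshd" and auth:
        kind = "auth_fail" if auth[1] == "Failed" else "auth_ok"
        return Event("syslog", m["host"], kind, auth[2], auth[3], line)
    if m["prog"] == "CRON":
        return Event("syslog", m["host"], "scheduled_job", "", "", line)
    return Event("syslog", m["host"], "other", "", "", line)


def parse_windows(line):
    fields = dict(kv.split("=", 1) for kv in line.split())
    user = fields.get("TargetUserName") or fields.get("SubjectUserName", "")
    kind = WIN_KINDS.get(fields.get("EventID"), "other")
    return Event("windows", fields.get("Computer", "?"), kind, user,
                 fields.get("IpAddress", ""), line)


def normalize_all(syslog=SYSLOG_LINES, windows=WINDOWS_LINES):
    """Mistake 3: both sources end up as comparable Event records."""
    return [parse_syslog(ln) for ln in syslog] + [parse_windows(ln) for ln in windows]


# Mistake 4: a base severity per event class, then correlation-driven escalation.
SEVERITY = {"log_cleared": 90, "auth_fail": 30, "unparsed": 20, "auth_ok": 10,
            "scheduled_job": 5, "other": 5}


def prioritize(events):
    """Return (score, event) pairs, highest first. A successful logon from an
    address that already failed ("has this attack succeeded?") is escalated."""
    fails_by_ip = Counter(e.src_ip for e in events if e.kind == "auth_fail" and e.src_ip)
    scored = []
    for e in events:
        score = SEVERITY[e.kind]
        if e.kind == "auth_ok" and fails_by_ip[e.src_ip]:
            score += 50 + 5 * fails_by_ip[e.src_ip]
        scored.append((score, e))
    scored.sort(key=lambda pair: pair[0], reverse=True)  # stable: ties keep log order
    return scored


# Mistake 5: a constructed baseline of (source, host, kind, user) tuples seen
# during a quiet period; anything outside it is reported without a signature.
BASELINE = {
    ("syslog", "web01", "scheduled_job", ""),
    ("syslog", "web01", "auth_fail", "root"),
    ("windows", "DC01", "auth_ok", "admin"),
}


def novel_events(events, baseline=BASELINE):
    return [e for e in events if (e.source, e.host, e.kind, e.user) not in baseline]


if __name__ == "__main__":
    evs = normalize_all()
    for score, e in prioritize(evs)[:3]:
        print(score, e.source, e.host, e.kind, e.user, e.src_ip)
    for e in novel_events(evs):
        print("novel:", e.raw)
```

On the sample data the cleared Windows log ranks first, the two successful logons from the address that had already failed rank next, and the baseline comparison reports the root logon on web01 and the failed logon and log clearing on DC01 as never seen before.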
Anton Chuvakin is a security strategist at netForensics Inc., a security information management company in Edison, N.J. His areas of expertise include intrusion detection, Unix security, forensics and honeypots. Chuvakin is the co-author of Security Warrior (O'Reilly, 2004) and a contributor to Know Your Enemy: Learning About Security Threats, Second Edition by the Honeynet Project (Addison-Wesley Professional, 2004) and Information Security Management Handbook (Auerbach Publishing, 2004). In his spare time, he maintains his security portal www.info-secure.org.

From isn at c4i.org Fri Oct 22 02:08:27 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Oct 22 02:19:09 2004
Subject: [ISN] Secunia Weekly Summary - Issue: 2004-43
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2004-10-14 - 2004-10-21

This week : 71 advisories

========================================================================

Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================

1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.
As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet. Secunia Online Vulnerability Database: http://secunia.com/ ======================================================================== 2) This Week in Brief: ADVISORIES: Secunia Research has discovered two spoofing vulnerabilities, affecting most browsers supporting tabbed browsing. The first vunerability allows inactive tabs to spawn dialog boxes, which appear to be from a web site in another tab e.g. a trusted bank site. The second vulnerability allows inactive tabs to "steal" focus from input fields from other tabs, which can lead the user into sending sensitive information to a malicious web site. Secunia has developed tests for both vulnerabilities, which can be found below. Dialog Box Spoofing Vulnerability Test: http://secunia.com/multiple_browsers_dialog_box_spoofing_test/ Form Field Focus Vulnerability Test: http://secunia.com/multiple_browsers_form_field_focus_test/ References: http://secunia.com/SA12706 http://secunia.com/SA12712 http://secunia.com/SA12713 http://secunia.com/SA12714 http://secunia.com/SA12717 http://secunia.com/SA12731 http://secunia.com/SA12892 -- Microsoft's patch for the Drag'n'Drop vulnerability in Internet Explorer has been proven insufficient by security researchers http-equiv and Andreas Sandblad, Secunia Research. Prior variants of the Drag'n'Drop vulnerability have been used on the Internet to compromise vulnerable systems. It is therefore very likely that this new unpatched variant of this issue, also will be used by malicious people to compromise systems. Currently, Microsoft has no solution to this issue, and users are therefore advised to disable Active Scripting or to use another browser. Reference: http://secunia.com/SA12889 VIRUS ALERTS: Secunia has not issued any virus alerts during the last week. 
========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA12712] Mozilla / Mozilla Firefox / Camino Tabbed Browsing Vulnerabilities
2.  [SA12806] Internet Explorer Multiple Vulnerabilities
3.  [SA12809] Adobe Acrobat / Adobe Reader Disclosure of Sensitive Information
4.  [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerability
5.  [SA12889] Microsoft Internet Explorer Two Vulnerabilities
6.  [SA12804] Microsoft Windows Multiple Vulnerabilities
7.  [SA12863] Symantec Norton AntiVirus Unprivileged Auto-Protection Deactivation
8.  [SA12793] Windows XP Internet Connection Firewall Bypass Weakness
9.  [SA12892] Safari Dialog Box Spoofing Vulnerability
10. [SA12304] Internet Explorer Address Bar Spoofing Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA12889] Microsoft Internet Explorer Two Vulnerabilities
[SA12900] Abyss Web Server MS-DOS Device Names Denial of Service Vulnerability
[SA12844] AliveSites Forum Unspecified Cross-Site Scripting and SQL Injection
[SA12841] Dmxready Site Chassis Manager Unspecified Cross-Site Scripting and SQL Injection
[SA12835] Ideal BB Multiple Unspecified Vulnerabilities
[SA12834] NatterChat Unspecified SQL Injection Vulnerability
[SA12883] Saleslogix Multiple Vulnerabilities
[SA12849] Yak! File Upload Directory Traversal Vulnerability
[SA12881] Nortel Contivity VPN Client Open Tunnel Certificate Verification Issue
[SA12842] CyberStrong eShop ASP Shopping Card Unspecified Cross-Site Scripting
[SA12839] Express-Web Content Management System Unspecified Cross-Site Scripting
[SA12890] Vypress Tonecast Client Denial of Service Vulnerability
[SA12894] Protector Plus 2000 Antivirus MS-DOS Device Name Handling Weakness
[SA12893] AntiVir Antivirus MS-DOS Device Name Handling Weakness
[SA12870] Twister Anti-TrojanVirus MS-DOS Device Name Handling Weakness
[SA12863] Symantec Norton AntiVirus Unprivileged Auto-Protection Deactivation

UNIX/Linux:
[SA12910] Red Hat update for gaim
[SA12887] Gaim MSN SLP Message Handling Buffer Overflow Vulnerability
[SA12886] Mandrake update for mozilla
[SA12885] Mandrake update for libtiff
[SA12872] Conectiva update for gtk+
[SA12864] Debian update for netkit-telnet-ssl
[SA12859] Gentoo update for phpMyAdmin
[SA12851] Debian update for tiff
[SA12833] VERITAS Cluster Server Unspecified System Compromise Vulnerability
[SA12832] Fedora update for libtiff
[SA12831] WeHelpBUS Arbitrary Command Execution Vulnerability
[SA12892] Safari Dialog Box Spoofing Vulnerability
[SA12871] UnixWare update for zlib
[SA12855] Gnofract 4D ".fct" Arbitrary Code Execution Vulnerability
[SA12845] Gentoo update for bnc
[SA12827] Gentoo update for wordpress
[SA12825] MediaWiki Multiple Vulnerabilities
[SA12896] HP-UX Java XSLT Processor Privilege Escalation Vulnerability
[SA12882] cabextract Directory Traversal Vulnerability
[SA12865] cPanel Manipulation and Disclosure of Sensitive information Vulnerabilities
[SA12857] Unzoo Directory Traversal Vulnerability
[SA12847] mod_ssl SSLCipherSuite Security Bypass
[SA12895] HP CIFS Server Arbitrary File Access Vulnerability
[SA12866] Gentoo update for squid
[SA12848] Trustix update for mysql
[SA12830] Conectiva update for cups
[SA12829] Conectiva update for samba
[SA12914] Gentoo update for openoffice
[SA12873] Sun Solaris LDAP and RBAC Privilege Escalation Vulnerability
[SA12867] Gentoo update for postgresql
[SA12860] PostgreSQL "make_oidjoins_check" Insecure Temporary File Handling
[SA12852] Debian update for cyrus-sasl-mit
[SA12838] Debian update for cupsys
[SA12837] Fedora update for ruby
[SA12828] KDocker "kdocker.cpp" Privilege Escalation Vulnerability
[SA12884] Mandrake update for cvs
[SA12836] ProFTPD User Enumeration Weakness

Other:
[SA12846] 3Com OfficeConnect ADSL Wireless 11g Firewall Router Information Disclosure

Cross Platform:
[SA12880] PBLang Unspecified Vulnerabilities
[SA12879] RAV Antivirus Zip Archive Virus Detection Bypass Vulnerability
[SA12878] NOD32 Antivirus Zip Archive Virus Detection Bypass Vulnerability
[SA12877] eTrust Antivirus Zip Archive Virus Detection Bypass Vulnerability
[SA12876] McAfee Anti-Virus Zip Archive Virus Detection Bypass Vulnerability
[SA12874] Kaspersky Anti-Virus Zip Archive Virus Detection Bypass Vulnerability
[SA12868] PSCRIPT Forum SQL Injection Vulnerabilities
[SA12861] Anaconda Foundation Directory "template" Disclosure of Sensitive Information
[SA12850] CoolPHP Cross-Site Scripting and Arbitrary Local File Inclusion Vulnerabilities
[SA12843] WowBB Forum Unspecified SQL Injection and Cross-Site Scripting
[SA12840] DevoyBB Unspecified Cross-Site Scripting and SQL Injection Vulnerabilities
[SA12891] IBM Lotus Notes/Domino Cross-Site Scripting Vulnerability
[SA12858] YaPiG comments Cross-Site Scripting Vulnerability
[SA12854] MediaWiki Unspecified Security Issue
[SA12826] SCT Campus Pipeline Cross-Site Scripting Vulnerability
[SA12875] Sophos Anti-Virus Zip Archive Virus Detection Bypass
[SA12862] ClientExec Exposure of Sensitive Information

========================================================================
5) Vulnerabilities Content Listing

Windows:
--

[SA12889] Microsoft Internet Explorer Two Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: Security Bypass, System access
Released: 2004-10-20
http-equiv has discovered two vulnerabilities in Internet Explorer, which can be exploited by malicious people to compromise a user's system, link to local resources, and bypass a security feature in Microsoft Windows XP SP2.

Full Advisory:
http://secunia.com/advisories/12889/

--

[SA12900] Abyss Web Server MS-DOS Device Names Denial of Service Vulnerability

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-10-21

R00tCr4ck has reported a vulnerability in Abyss Web Server for Windows, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12900/

--

[SA12844] AliveSites Forum Unspecified Cross-Site Scripting and SQL Injection

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2004-10-15

Positive Technologies has reported some vulnerabilities in AliveSites Forum, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/12844/

--

[SA12841] Dmxready Site Chassis Manager Unspecified Cross-Site Scripting and SQL Injection

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2004-10-15

Positive Technologies has reported some vulnerabilities in Dmxready Site Chassis Manager, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/12841/

--

[SA12835] Ideal BB Multiple Unspecified Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2004-10-15

Positive Technologies has reported some vulnerabilities in Ideal BB, which can be exploited by malicious people to conduct SQL injection, cross-site scripting and HTTP response splitting attacks.
Full Advisory:
http://secunia.com/advisories/12835/

--

[SA12834] NatterChat Unspecified SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2004-10-15

Positive Technologies has reported a vulnerability in NatterChat, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/12834/

--

[SA12883] Saleslogix Multiple Vulnerabilities

Critical: Moderately critical
Where: From local network
Impact: Security Bypass, Spoofing, Manipulation of data, Exposure of system information, Exposure of sensitive information, DoS, System access
Released: 2004-10-19

Carl Livitt has reported some vulnerabilities in SalesLogix, which can be exploited by malicious people to spoof users, cause a DoS (Denial of Service), disclose system and sensitive information, conduct SQL injection, bypass certain security restrictions, and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12883/

--

[SA12849] Yak! File Upload Directory Traversal Vulnerability

Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2004-10-15

Luigi Auriemma has reported a vulnerability in Yak!, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12849/

--

[SA12881] Nortel Contivity VPN Client Open Tunnel Certificate Verification Issue

Critical: Less critical
Where: From remote
Impact: Spoofing
Released: 2004-10-20

Roger Sylvain has reported a vulnerability in Nortel Contivity VPN Client, potentially allowing malicious people to open a VPN tunnel to the client.
Full Advisory:
http://secunia.com/advisories/12881/

--

[SA12842] CyberStrong eShop ASP Shopping Card Unspecified Cross-Site Scripting

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-10-15

Positive Technologies has reported a vulnerability in CyberStrong eShop ASP Shopping Card, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/12842/

--

[SA12839] Express-Web Content Management System Unspecified Cross-Site Scripting

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-10-15

Positive Technologies has reported a vulnerability in Express-Web Content Management System, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/12839/

--

[SA12890] Vypress Tonecast Client Denial of Service Vulnerability

Critical: Less critical
Where: From local network
Impact: DoS
Released: 2004-10-20

Luigi Auriemma has reported a vulnerability in Vypress Tonecast, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12890/

--

[SA12894] Protector Plus 2000 Antivirus MS-DOS Device Name Handling Weakness

Critical: Not critical
Where: Local system
Impact: Security Bypass
Released: 2004-10-20

Sowhat has reported a weakness in Protector Plus 2000 Antivirus Software, which can be exploited by malware to bypass certain scanning functionality.

Full Advisory:
http://secunia.com/advisories/12894/

--

[SA12893] AntiVir Antivirus MS-DOS Device Name Handling Weakness

Critical: Not critical
Where: Local system
Impact: Security Bypass
Released: 2004-10-20

Sowhat has reported a weakness in Antivir Antivirus, which can be exploited by malware to bypass certain scanning functionality.
Full Advisory:
http://secunia.com/advisories/12893/

--

[SA12870] Twister Anti-TrojanVirus MS-DOS Device Name Handling Weakness

Critical: Not critical
Where: Local system
Impact: Security Bypass
Released: 2004-10-20

Sowhat has reported a weakness in Twister Anti-TrojanVirus, which can be exploited by malware to bypass certain scanning functionality.

Full Advisory:
http://secunia.com/advisories/12870/

--

[SA12863] Symantec Norton AntiVirus Unprivileged Auto-Protection Deactivation

Critical: Not critical
Where: Local system
Impact: Unknown
Released: 2004-10-18

Daniel Milisic has reported an issue in Symantec Norton AntiVirus / Norton Internet Security.

Full Advisory:
http://secunia.com/advisories/12863/

UNIX/Linux:
--

[SA12910] Red Hat update for gaim

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-10-21

Red Hat has issued an update for gaim. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12910/

--

[SA12887] Gaim MSN SLP Message Handling Buffer Overflow Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-10-20

A vulnerability has been reported in Gaim, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12887/

--

[SA12886] Mandrake update for mozilla

Critical: Highly critical
Where: From remote
Impact: System access, Exposure of system information, Manipulation of data, Cross Site Scripting
Released: 2004-10-20

MandrakeSoft has issued an update for mozilla. This fixes several vulnerabilities, which potentially can be exploited by malicious people to conduct cross-site scripting attacks, access and modify sensitive information, and compromise a user's system.
Full Advisory:
http://secunia.com/advisories/12886/

--

[SA12885] Mandrake update for libtiff

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2004-10-20

MandrakeSoft has issued an update for libtiff. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system or cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12885/

--

[SA12872] Conectiva update for gtk+

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2004-10-19

Conectiva has issued an update for gtk+. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12872/

--

[SA12864] Debian update for netkit-telnet-ssl

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2004-10-18

Debian has issued an update for netkit-telnet-ssl. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12864/

--

[SA12859] Gentoo update for phpMyAdmin

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-10-19

Gentoo has issued an update for phpMyAdmin. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12859/

--

[SA12851] Debian update for tiff

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2004-10-18

Debian has issued an update for tiff. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system or cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/12851/

--

[SA12833] VERITAS Cluster Server Unspecified System Compromise Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-10-15

A vulnerability has been reported in VERITAS Cluster Server, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12833/

--

[SA12832] Fedora update for libtiff

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-10-15

Fedora has issued an update for libtiff. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12832/

--

[SA12831] WeHelpBUS Arbitrary Command Execution Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-10-15

A vulnerability has been reported in WeHelpBUS, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12831/

--

[SA12892] Safari Dialog Box Spoofing Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Spoofing
Released: 2004-10-20

Secunia Research has discovered a vulnerability in Safari, which can be exploited by malicious web sites to spoof dialog boxes.

Full Advisory:
http://secunia.com/advisories/12892/

--

[SA12871] UnixWare update for zlib

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2004-10-19

SCO has issued an update for zlib. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/12871/

--

[SA12855] Gnofract 4D ".fct" Arbitrary Code Execution Vulnerability

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-10-18

A vulnerability has been reported in Gnofract 4D, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12855/

--

[SA12845] Gentoo update for bnc

Critical: Moderately critical
Where: From remote
Impact: Spoofing
Released: 2004-10-15

Gentoo has issued an update for bnc. This fixes a vulnerability, which can be exploited by malicious users to spoof their identity.

Full Advisory:
http://secunia.com/advisories/12845/

--

[SA12827] Gentoo update for wordpress

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-10-14

Gentoo has issued an update for wordpress. This fixes multiple vulnerabilities, which can be exploited by malicious people to conduct script insertion and cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/12827/

--

[SA12825] MediaWiki Multiple Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2004-10-14

Multiple vulnerabilities have been reported in MediaWiki, which can be exploited by malicious people to conduct script insertion, cross-site scripting, and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/12825/

--

[SA12896] HP-UX Java XSLT Processor Privilege Escalation Vulnerability

Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information, Privilege escalation
Released: 2004-10-20

HP has acknowledged a vulnerability in the Java Runtime Environment software for HP-UX, which can be exploited by untrusted applets to gain escalated privileges on a vulnerable system.
Full Advisory:
http://secunia.com/advisories/12896/

--

[SA12882] cabextract Directory Traversal Vulnerability

Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2004-10-19

A vulnerability has been reported in cabextract, which potentially can be exploited to overwrite arbitrary files on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12882/

--

[SA12865] cPanel Manipulation and Disclosure of Sensitive information Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information
Released: 2004-10-19

Karol Wiesek has reported two vulnerabilities in cPanel, which can be exploited by malicious, authenticated users to manipulate and disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/12865/

--

[SA12857] Unzoo Directory Traversal Vulnerability

Critical: Less critical
Where: From remote
Impact: System access
Released: 2004-10-18

Doubles has discovered a vulnerability in Unzoo, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12857/

--

[SA12847] mod_ssl SSLCipherSuite Security Bypass

Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2004-10-15

Hartmut Keil has reported a security issue in mod_ssl, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/12847/

--

[SA12895] HP CIFS Server Arbitrary File Access Vulnerability

Critical: Less critical
Where: From local network
Impact: Security Bypass
Released: 2004-10-20

HP has acknowledged a vulnerability in HP CIFS Server, which can be exploited by malicious users to access arbitrary files and directories.

Full Advisory:
http://secunia.com/advisories/12895/

--

[SA12866] Gentoo update for squid

Critical: Less critical
Where: From local network
Impact: DoS
Released: 2004-10-19

Gentoo has issued an update for squid.
This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12866/

--

[SA12848] Trustix update for mysql

Critical: Less critical
Where: From local network
Impact: Security Bypass, Privilege escalation, DoS, System access
Released: 2004-10-15

Trustix has issued an update for mysql. This fixes multiple vulnerabilities, which can be exploited by malicious users to bypass certain security restrictions, cause a DoS (Denial of Service), and potentially compromise the system.

Full Advisory:
http://secunia.com/advisories/12848/

--

[SA12830] Conectiva update for cups

Critical: Less critical
Where: From local network
Impact: DoS
Released: 2004-10-14

Conectiva has issued an update for cups. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12830/

--

[SA12829] Conectiva update for samba

Critical: Less critical
Where: From local network
Impact: Security Bypass, DoS
Released: 2004-10-14

Conectiva has issued an update for samba. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and access arbitrary files and directories.

Full Advisory:
http://secunia.com/advisories/12829/

--

[SA12914] Gentoo update for openoffice

Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2004-10-21

Gentoo has issued an update for openoffice. This fixes a vulnerability, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/12914/

--

[SA12873] Sun Solaris LDAP and RBAC Privilege Escalation Vulnerability

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-10-19

A vulnerability has been reported in Sun Solaris, which can be exploited by malicious, local users to escalate their privileges.
Full Advisory:
http://secunia.com/advisories/12873/

--

[SA12867] Gentoo update for postgresql

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-10-19

Gentoo has issued an update for PostgreSQL. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/12867/

--

[SA12860] PostgreSQL "make_oidjoins_check" Insecure Temporary File Handling

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-10-19

A vulnerability has been reported in PostgreSQL, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/12860/

--

[SA12852] Debian update for cyrus-sasl-mit

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-10-18

Debian has issued an update for cyrus-sasl-mit. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/12852/

--

[SA12838] Debian update for cupsys

Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2004-10-15

Debian has issued an update for cupsys. This fixes a vulnerability, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/12838/

--

[SA12837] Fedora update for ruby

Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2004-10-15

Fedora has issued an update for ruby. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain knowledge of sensitive information.
Full Advisory:
http://secunia.com/advisories/12837/

--

[SA12828] KDocker "kdocker.cpp" Privilege Escalation Vulnerability

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-10-14

A vulnerability has been reported in KDocker, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/12828/

--

[SA12884] Mandrake update for cvs

Critical: Not critical
Where: From remote
Impact: Exposure of system information
Released: 2004-10-20

MandrakeSoft has issued an update for cvs. This fixes a weakness, which potentially can be exploited by malicious users to gain knowledge of certain system information.

Full Advisory:
http://secunia.com/advisories/12884/

--

[SA12836] ProFTPD User Enumeration Weakness

Critical: Not critical
Where: From remote
Impact: Exposure of system information
Released: 2004-10-15

LSS Security Team has reported a weakness in ProFTPD, which potentially can be exploited by malicious people to determine valid usernames.

Full Advisory:
http://secunia.com/advisories/12836/

Other:
--

[SA12846] 3Com OfficeConnect ADSL Wireless 11g Firewall Router Information Disclosure

Critical: Moderately critical
Where: From local network
Impact: Exposure of system information, Exposure of sensitive information
Released: 2004-10-15

Karb0nOxyde has reported a security issue in 3Com OfficeConnect ADSL Wireless 11g Firewall Router, which can be exploited by malicious people to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/12846/

Cross Platform:
--

[SA12880] PBLang Unspecified Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2004-10-19

Some vulnerabilities with an unknown impact have been reported in PBLang.
Full Advisory:
http://secunia.com/advisories/12880/

--

[SA12879] RAV Antivirus Zip Archive Virus Detection Bypass Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2004-10-20

A vulnerability has been reported in RAV Antivirus, which can be exploited by malware to bypass certain scanning functionality.

Full Advisory:
http://secunia.com/advisories/12879/

--

[SA12878] NOD32 Antivirus Zip Archive Virus Detection Bypass Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2004-10-20

A vulnerability has been reported in NOD32 Antivirus, which can be exploited by malware to bypass certain scanning functionality.

Full Advisory:
http://secunia.com/advisories/12878/

--

[SA12877] eTrust Antivirus Zip Archive Virus Detection Bypass Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2004-10-20

A vulnerability has been reported in eTrust Antivirus, which can be exploited by malware to bypass certain scanning functionality.

Full Advisory:
http://secunia.com/advisories/12877/

--

[SA12876] McAfee Anti-Virus Zip Archive Virus Detection Bypass Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2004-10-20

A vulnerability has been reported in McAfee Anti-Virus Engine, which can be exploited by malware to bypass certain scanning functionality.

Full Advisory:
http://secunia.com/advisories/12876/

--

[SA12874] Kaspersky Anti-Virus Zip Archive Virus Detection Bypass Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2004-10-20

A vulnerability has been reported in Kaspersky Anti-Virus, which can be exploited by malware to bypass certain scanning functionality.
Full Advisory:
http://secunia.com/advisories/12874/

--

[SA12868] PSCRIPT Forum SQL Injection Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2004-10-19

Christoph Jeschke has reported some vulnerabilities in PSCRIPT Forum, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/12868/

--

[SA12861] Anaconda Foundation Directory "template" Disclosure of Sensitive Information

Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2004-10-19

Zero X has discovered a vulnerability in Anaconda Foundation Directory, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/12861/

--

[SA12850] CoolPHP Cross-Site Scripting and Arbitrary Local File Inclusion Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information, Exposure of sensitive information
Released: 2004-10-18

R00tCr4ck has reported some vulnerabilities in CoolPHP, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/12850/

--

[SA12843] WowBB Forum Unspecified SQL Injection and Cross-Site Scripting

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2004-10-15

Positive Technologies has reported some vulnerabilities in WowBB Forum, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/12843/

--

[SA12840] DevoyBB Unspecified Cross-Site Scripting and SQL Injection Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2004-10-15

Positive Technologies has reported some vulnerabilities in DevoyBB, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/12840/

--

[SA12891] IBM Lotus Notes/Domino Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-10-20

Juan C Calderon has reported a vulnerability in IBM Lotus Notes/Domino, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/12891/

--

[SA12858] YaPiG comments Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-10-18

A vulnerability has been reported in YaPiG, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/12858/

--

[SA12854] MediaWiki Unspecified Security Issue

Critical: Less critical
Where: From remote
Impact: Unknown
Released: 2004-10-18

The vendor has reported a security issue in MediaWiki, with an unknown impact.

Full Advisory:
http://secunia.com/advisories/12854/

--

[SA12826] SCT Campus Pipeline Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-10-14

Spiffomatic64 has reported a vulnerability in SCT Campus Pipeline, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/12826/

--

[SA12875] Sophos Anti-Virus Zip Archive Virus Detection Bypass

Critical: Not critical
Where: From remote
Impact: Security Bypass
Released: 2004-10-20

A weakness has been reported in Sophos Anti-Virus, which can be exploited by malware to bypass certain scanning functionality.

Full Advisory:
http://secunia.com/advisories/12875/

--

[SA12862] ClientExec Exposure of Sensitive Information

Critical: Not critical
Where: From remote
Impact: Exposure of system information
Released: 2004-10-18

A security issue has been reported in ClientExec, which can be exploited by malicious people to gain knowledge of various system information.

Full Advisory:
http://secunia.com/advisories/12862/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

========================================================================

From isn at c4i.org Fri Oct 22 02:08:38 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Oct 22 02:19:11 2004
Subject: [ISN] Source code thefts, hacking on the rise
Message-ID:

http://www.financialexpress.com/fe_full_story.php?content_id=72054

SRINIVAS R
October 22, 2004

Bangalore - Cyber crimes in India are slowly evolving from a simple e-mail crime (sending obscene materials over e-mail) to more serious crimes like hacking and source code theft. The Bangalore cyber crime police station has registered around 22 hacking cases and around five source code theft cases in the last three years.
"Usually it is employees of the company who steal source code and try to sell it for easy money," said Susant Mahapatra, IGP-Economic Offences, Corps of Detectives (CoD).

For instance, last year an employee of Zygox in Bangalore allegedly stole the source code of the product called "DigiBeat", which was being developed by the company, started his own company as Techmach Engineers and developed a product called "E-beat" with the source code. In another instance, an engineer from IT Must Consultancy Services Pvt Ltd allegedly stole the source code of one of the company's sports betting software products.

"Theft of intellectual property is increasing," said a police official.

Intellectual property rights (IPR) of computer software are covered under the Copyright Law in 1994 in India. The Act clearly explains the rights of the copyright holder, the position on rentals of software, the rights of the user to make backup copies, and the heavy punishment and fines for infringement of copyright of software. If a person is convicted of hacking or IP theft, he can be convicted under either Section 66 (imprisonment for three years and a fine of Rs 1 lakh) or Section 67 (five years' imprisonment with a Rs 2 lakh fine).

Threats from employees to an organisation don't stop here. The CoD has also registered cases involving obscene e-mails sent to women colleagues by their male counterparts. Interestingly, it discovered that most cyber crime involving obscene messages arises from "triangular love stories" within the organisations.

"It is just like a Hindi movie story. When romantic attempts fail, some people start sending obscene photos by e-mail to lady colleagues as a 'revenge'," said police officials. Usually such messages are sent out from cyber cafes.

"With the help of internet service providers, we can trace where mails have been sent from," said Mr Mahapatra.
While technology can even help pinpoint which computer it has been sent from, it is still not possible to identify the individual who has sent it.

The Karnataka government is planning to bring a law where persons wanting to browse at Internet cafes will be asked for some identification (a driving licence or identity card). The cyber centre operator would also have to maintain a list, for a year, of persons who have used the computers.

From isn at c4i.org Fri Oct 22 02:08:50 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Oct 22 02:19:13 2004
Subject: [ISN] Hospital's computer security given poor grade in April report
Message-ID:

http://www.thetimesonline.com/articles/2004/10/20/news/top_news/87e009eb749c7fd186256f3200836776.txt

BY MATTHEW VAN DUSEN
Times Staff Writer
October 20, 2004

VALPARAISO -- A damning assessment of Porter hospital's computer security never publicly released became a test that Porter County Commissioner Robert Harper posed Tuesday to candidates for the hospital board.

Harper read from an April 2004 Deloitte & Touche assessment that identified 30 problems with the hospital's information systems, nine of them classified as "high risk."

The assessment concludes, "Porter does not know whether someone could be accessing critical medical, financial and management systems without being detected."

Harper asked the candidates, "Do you think the public has the right to know something like that?" He made it clear the right answer was "yes."

Hospital Chief Executive Officer Ron Winger did not return a call requesting comment and spokesman Andrew Snyder also did not comment.

Harper also read a separate statement from Deloitte, which audits the hospital's finances, that said if the problems weren't fixed the hospital would not meet "appropriate accounting controls," and that Deloitte might not be able to certify the hospital's books.
David Schroeder, an associate professor at the Valparaiso University business school, reviewed the PowerPoint presentation at The Times' request.

Schroeder said if the hospital made the changes Deloitte suggested, its computer systems are in good shape. If officials had not made the changes, the systems are in poor shape, he said.

The assessment, for example, found that some systems were protected by program default passwords, such as "QUSER." A person could access a system with the default password and make changes or learn information, and the hospital would not know who they are. This problem would be easy to fix.

Other problems with the system were more complicated, such as not knowing what an employee can access and not being able to eliminate those access rights if the employee is fired.

The assessment notes that it would not be clear if someone had accessed the systems illegally unless there was a noticeable effect from it.

From isn at c4i.org Mon Oct 25 05:58:10 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 25 06:11:46 2004
Subject: [ISN] High-Tech Crimes Revealed: An Interview with Stephen Branigan
Message-ID:

http://www.informit.com/articles/article.asp?p=342259

By Steven Branigan, Seth Fogie.
Date: Oct 22, 2004

Stephen Branigan, one of the founders of the New York City task force on cybercrime and author of High-Tech Crimes Revealed: Cyberwar Stories from the Digital Front [1], talks to Seth Fogie about hacker motivations and how to solve cyber crimes.

Seth: Who are your real-life influencers? Fictional influencers? (With regard to this book's subject, that is.)

Steven: Real life influencers:

* Police: Sergeants J. Cheney and Richard "Fox" Foster taught me all the real-life lessons of patrolling the streets that the academy hadn't.

* Network security: My friends Bill Cheswick, Matt Blaze, Steve Bellovin, Avi Rubin, and Hal Burch have helped shape my views on how to conduct secure networking and secure computing.
* Legal: Scott Charney and Martha Stansel-Gamm have each led the Computer Crime and Intellectual Property Section of the Department of Justice, and they always seem to know how to balance the competing forces of protecting the innocent and convicting the guilty.

Seth: If you can give us a name and brief summary, who was the most talented hacker you ever caught and what did he/she/they do?

Steven: I'm generally uncomfortable with giving the names of the hackers caught, as I would be hesitant to provide the names of anyone I arrested. It's better for the subjects, should they wish, to provide that information. With that said, I believe that one of the best was the "hot-ice" character detailed in Chapter 2 of my book. Technically very competent, and able to maneuver across country boundaries very well. The character "Bob" from Chapter 6 was possibly the brightest hacker I ever met.

Seth: Do you attend any hacker conferences? What's your opinion about their focus and content? Have you ever been tagged in "Spot the Fed"?

Steven: Actually, I haven't been to a single hacker conference. I guess it's because I would expect to be handed a "Fed" T-shirt at the door as I walked in!

Seth: There's a lot of discussion in this book about the motivators of a hacker, and most of it is right on! I myself would fall into the curious category. :) However, IMHO, these are the same motivators that drive almost everything and everyone.... What motivated you to write this book?

Steven: Motivations for me? Here goes:

* I think that computer crimes are very misunderstood. This book explains who does them, why they do them, and what the impacts can be.

* Further, I know that as people become more aware of what computer crimes are, they will be able to make better decisions about how to protect their networks.

Seth: Throughout the book, chance seems to play a paramount role in finding and catching talented hackers. What's your experience with the reality of this unnerving concept?
What chance do we have if we never see them coming?

Steven: An over-used cliché applies here: It's better to be lucky than good. I believe that there's an element of luck in catching criminals. And that really is a frightening concept. The good news is that criminals always take a chance when they commit a crime. We can use that in our favor. That's why I'm a big fan of improved logging and surveillance. Audit trails are an incredible resource for trying to catch a hacker after you discover the problem.

Seth: The book discusses how to handle a break-in and the significant damage that can be done by not following proper protocol. However, in many of your cases, you have prior evidence of hacker activity. What's the proper protocol for addressing a computer that may or may not be a hacker tool-for example, troubleshooting a malfunctioning computer and finding 3GB of warez and four rootkits causing the problem?

Steven: I would suggest that in a couple of the cases, it wasn't that there was initial evidence of hacker activity. For example, in Chapter 3, our friend Wesley's hacking was discovered because he hadn't paid his rent. Let me say that it was the methodical investigations that ultimately led to us uncovering the hacker activities in Chapters 1 and 3. My best advice is to walk that fine line between trust and suspicion when investigating computer malfunctions. Maybe it's nothing, or maybe it's the work of a hacker...

Seth: While it would be nice for everyone to get fair play with the FBI when a hack occurs, they're limited on time and resources, and not everything requires FBI-level attention. Based on your experience, what kind of support/interest can a SOHO user expect from the authorities (local police, FBI, state police, and so on)?

Steven: I agree that not everything needs FBI-level attention! That's a very important point. Law enforcement really, really wants to do the right thing.
I have been very fortunate to have worked with many cops around the world who work hard to protect their citizens. Many state and local police agencies are getting much better at handling computer crime issues. They're very interested in dealing with these issues, and the issues they deal with directly translate into the training they'll receive in the future! My best advice, should you find yourself in a position where you need [law enforcement assistance], is to be sure to take the time to explain how the crime has affected you personally.

Seth: I grew up in a cop's family, and I know a little of how being a cop changes your perspective on life. I can see some of this perspective in your book, and it's a refreshing reading experience, especially since most other books are written by "hackers." What's your take on these other books?

Steven: I spent a lot of time reading publications such as 2600, phrack, and the like. To be honest, I have never really been sure what the justification is for hacking into telephone systems, cellular systems, banks, and so on. Whether it's invasion of privacy, theft of services, or even fraud, computer crimes usually result in real victims. I think that is often missed with the anonymity that computers and the Internet provide.

Seth: This book addresses the options available to a company after a system compromise. What's your personal recommendation to companies facing that catch-22 situation where they learn their server is host to hacker activity, but they can't shut it down until the end of the day or even week?

Steven: Hmm... No matter which option you choose, at some point the other option will have seemed better! It's a tough call that needs to be made by the business leaders with expert consultation from their technical people, because either option is a business-impacting operation. Usually it depends on the severity of the suspected attack and the ability to investigate while continuing operations.
Those are the most relevant factors.

Seth: One of the first pages in the book outlines your work experience based on your attire. I noticed that you served time as a cop (pun intended). How has this helped and hindered your computer security experience?

Steven: Served time indeed!

* Helpful: Law enforcement encourages you to document your activities, and that's very helpful for computer security. It taught me to follow up on even the smallest of suspicious items. I remember very well the story from my academy days of a police officer who broke a large cocaine ring just by stopping a car with an expired inspection sticker. That one stop led to the discovery that the driver's license was revoked. That led to finding there was a warrant for his arrest. And that led to the subject giving up information... It taught me that even when you may think someone has done something wrong, always treat all people equally until you have proof.

* Harmful: I get suspicious very easily, perhaps too easily.

Seth: On the subject of careers, what advice can you give to people who find computer security an attractive field? Is there a fast path to getting a job as a forensics specialist with a police department?

Steven: Free advice (and remember, money back if you are not delighted!): I will limit this to legitimate jobs with the police, and exclude the attractive career of confidential informants. Law enforcement is looking for reliable, trustworthy people with excellent technical skills. Look into a computer security or forensic problem and help solve it. Present your results at a conference. That will help to get you noticed.

Seth: On the same subject, you [wondered] why anyone would write a program like NetStumbler. Why do you think NetStumbler was written?

Steven: I have no idea why it was written and given away for free!
While I imagine that curiosity and conquering the technical challenge inspired the initial writing, I'm not sure why the authors didn't release it as a commercial product.

Seth: What are your interests outside your industry?

Steven: Sports. In particular, soccer (which I play often), baseball, and football. I find that I'm always learning from playing or watching team sports.

Seth: Have you ever downloaded an "illegal" MP3?

Steven: I have tried napster/aimster and gnutella. I discovered that it was incredibly easy to find and download MP3s. They certainly proved a serious threat to the music industry. I downloaded "The Cars-Door to Door" (from a CD that I had already purchased). The quality of the download was not very good. The version I ripped from my CD was better. Ultimately, it's important that artists have the chance to be rewarded for their work. That's why downloading copyrighted MP3s is wrong, and is a problem for the industry. And that's why I'm pleased to see that iTunes, Musicmatch, Wal-mart, Amazon.com, and others are now selling MP3 singles over the Internet. I think that most people want to do the right thing and pay for a song, and now they have the opportunity to do so. I think that this will be the most effective strategy to get the majority of the people to stop illegal copying of music.

Seth: The book discusses some of the difficulties authorities face as a result of boundaries. How is globalization changing this situation? Are things getting easier for the good guys when trying to track down and stop the bad guys? Or is globalization not affecting this arena?

Steven: Globalization and the Internet are inseparable. I am cautiously optimistic about the progress that has been made over the past few years with multinational organizations such as the G-8, North Atlantic Treaty Organization (N.A.T.O.), and the Organization of American States (OAS).
They're working very hard at making transnational computer crime investigations easier for law enforcement.

Seth: Government and big business are repeated targets for the hackers in the book. Are they easier targets, and are they aware of the threats of a hacker attack? How are they dealing with it?

Steven: I don't think it's that they're easier targets. I think that both government and big business are attractive targets because they're perceived to have interesting information. They're also better able to detect attacks than home users are. Not many home users track the number of times hackers are attacking them. But I do! Just a quick look at my August 2004 stats [2] reveals that this one system was attacked 154 times in one month!

The best I've seen are dealing with the threats by:

* Improving awareness among their people

* Improving the technology that they use to secure their networks

* Re-architecting their infrastructure to limit the damage from a single hacker attack

Seth: What's your normal workday like? Do you spend a lot of time traveling?

Steven: There's no such thing as a normal workday for me! I'm devoting my efforts to growing CyanLine [3], my new company which is focused on "untethered" security.

Seth: What are some of your favorite security books?

Steven:

* Firewalls and Internet Security: Repelling the Wily Hacker by William Cheswick, Steven M. Bellovin, and Aviel D. Rubin (Addison-Wesley, 2003, ISBN 020163466X)
  http://www.amazon.com/exec/obidos/ASIN/020163466X/c4iorg

* Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage by Cliff Stoll (Pocket, 2000, ISBN 0743411463)
  http://www.amazon.com/exec/obidos/ASIN/0743411463/c4iorg

* Masters of Deception: The Gang That Ruled Cyberspace by Michelle Slatalla and Joshua Quittner (Perennial, 1996)
  http://www.amazon.com/exec/obidos/ASIN/0060926945/c4iorg

Seth: Do you ever work with "Whitehat" hackers?
What do you think of this practice (hacking with the intention of bringing security holes to light, without the intention to cause harm)?

Steven: I am a little uncomfortable with the term Whitehat hacker. I love the computer security research community that has proven their ability to discover weaknesses and bring them to light in a way that doesn't cause harm. They're successful because they're self-policing and they use peer review. Without these controls in place, it's hard to ensure that you're truly not causing harm.

[1] http://www.amazon.com/exec/obidos/ASIN/0321218736/c4iorg
[2] http://www.sbranigan.com/stats/Aug-2004.html
[3] http://www.cyanline.com/

From isn at c4i.org Mon Oct 25 05:58:26 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 25 06:11:48 2004
Subject: [ISN] Security for Internet Users Deemed Weak
Message-ID:

http://www.washingtonpost.com/wp-dyn/articles/A60199-2004Oct25.html

By TED BRIDIS
The Associated Press
October 25, 2004

WASHINGTON - Internet users at home are not nearly as safe online as they believe, according to a nationwide inspection by researchers. They found most consumers have no firewall protection, outdated antivirus software and dozens of spyware programs secretly running on their computers.

One beleaguered home user in the government-backed study had more than 1,000 spyware programs running on his sluggish computer when researchers examined it.

Bill Mines, a personal trainer in South Riding, Va., did not fare much better. His family's 3-year-old Dell computer was found infected with viruses and more than 600 pieces of spyware surreptitiously monitoring his online activities.

"I was blown away," Mines said. "I had a lot of viruses and other things I didn't know about. I had no idea things like this could happen."

The Internet always has had its share of risky neighborhoods and dark alleys.
But with increasingly sophisticated threats from hackers, viruses, spam e-mails and spyware, trouble is finding computer users no matter how cautiously they roam online.

The technology industry is feeling the pain, too. Spurred by the high costs of support calls from irritated customers - and fearful that frustrated consumers will stop buying new products - Internet providers, software companies and computer-makers are making efforts to increase awareness of threats and provide customers with new tools to protect themselves.

Still, many computer users appear remarkably unprepared for the dangers they face.

The study being released Monday by America Online and the National Cyber Security Alliance found that 77 percent of 326 adults in 12 states assured researchers in a telephone poll they were safe from online threats. Nearly as many people felt confident they were already protected specifically from viruses and hackers.

When experts visited those same homes to examine computers, they found two-thirds of adults using antivirus software that was not updated in at least seven days. Two-thirds of the computer users also were not using any type of protective firewall program, and spyware was found on the computers of 80 percent of those in the study.

The survey participants all were AOL subscribers selected in 22 cities and towns by an independent market analysis organization.

The alliance, a nonprofit group, is backed by the Homeland Security Department and the Federal Trade Commission, plus leading technology companies, including Cisco Systems, Microsoft, eBay and Dell. The group's chief, Ken Watson, said consumers suffer from complacency and a lack of expert advice on keeping their computers secure.

"Just like you don't expect to get hit by a car, you don't believe a computer attack can happen to you," Watson said.

"There really is quite a perception gap," agreed Daniel W. Caprio, the Commerce Department's deputy assistant secretary for technology policy.
"Clearly there is confusion. We need to do a better job making information and practical tips for home users and small businesses available."

Wendy Avino, an interior decorator in Lansdowne, Va., said researchers found 14 spyware programs on her borrowed laptop and noticed that her $50 antivirus software was not properly configured to scan her computer at least monthly for possible infections.

"We don't go in funny chat rooms, I don't open funny mail," Avino said. "If it says 'hot girls,' I delete it. We do everything in the right way, so how does stuff get in there?"

She complained she was misled believing her commercial antivirus and firewall programs would protect her from all varieties of online threats; most do not detect common types of spyware.

"It is very complicated for the average home user," said Ari Schwartz, an expert on Internet threats for the Center for Democracy and Technology, a Washington civil liberties group.

"There's a lack of accountability all around, from consumers who don't believe they should have to do this to companies who blame the consumer. It's finger-pointing back and forth," Schwartz said.

Microsoft's chairman, Bill Gates, said the company spent nearly $1 billion on its recent upgrade to improve security for customers using the latest version of its Windows software. AOL purchased full-page advertisements in major newspapers this month pledging better security for its subscribers. Dell has begun a campaign to educate customers how to detect and remove spyware themselves.

The government is increasingly involved, too. The FTC this month filed its first federal court case over spyware. The House overwhelmingly approved two bills to increase criminal penalties and fines over spyware. The Homeland Security Department offers free e-mail tips for home Internet users to keep themselves secure.
-=-

On the Net:

Cyber Security Alliance: www.staysafeonline.info

Homeland Security tips: www.uscert.gov

From isn at c4i.org Mon Oct 25 05:58:55 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 25 06:11:50 2004
Subject: [ISN] Linux Advisory Watch - October 22nd 2004
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|  October 22nd, 2004                        Volume 5, Number 42a     |
+---------------------------------------------------------------------+

  Editors:     Dave Wreski                   Benjamin D. Thomas
               dave@linuxsecurity.com        ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for libtiff, libpng, ecartis, cupsys, BNC, phpMyAdmin, Squid, PostgreSQL, Ghostscript, glibc, mod_ssl, mozilla, cvs, gaim, wxGTK2, squid, wxGTK2, xpdf, gpdf, kdegraphics, ImageMagick, and mysql. The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat, SuSE, and Trustix.

-----

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

-----

xlock and vlock

If you wander away from your machine from time to time, it is nice to be able to "lock" your console so that no one tampers with or looks at your work. Two programs that do this are: xlock and vlock.

Xlock is a X display locker. It should be included in any Linux distributions that support X.
Check out the man page for it for more options, but in general you can run xlock from any xterm on your console and it will lock the display and require your password to unlock.

vlock is a simple little program that allows you to lock some or all of the virtual consoles on your Linux box. You can lock just the one you are working in or all of them. If you just lock one, others can come in and use the console; they will just not be able to use your virtual TTY until you unlock it. vlock ships with Red Hat Linux, but your mileage may vary.

Of course locking your console will prevent someone from tampering with your work, but does not prevent them from rebooting your machine or otherwise disrupting your work. It also does not prevent them from accessing your machine from another machine on the network and causing problems.

More importantly, it does not prevent someone from switching out of the X Window System entirely, and going to a normal virtual console login prompt, or to the VC that X11 was started from, and suspending it, thus obtaining your privileges. For this reason, you might consider only using it while under control of xdm. At the very least, start X in the background, and log out of the console.

Excerpt from the LinuxSecurity Administrator's Guide:
http://www.linuxsecurity.com/docs/SecurityAdminGuide/SecurityAdminGuide.html
Written by: Dave Wreski (dave@guardiandigital.com)

-----

Mass deploying Osiris

Osiris is a centralized file-integrity program that uses a client/server architecture to check for changes on a system. A central server maintains the file-integrity database and configuration for a client and, at a specified time, sends the configuration file over to the client, runs a scan and sends the results back to the server to compare any changes. Those changes are then sent via email, if configured, to a system admin or group of people. The communication is all done over an encrypted communication channel.
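The scan-and-compare step that the Osiris description above outlines (a baseline of per-file hashes and metadata, a later rescan, and a report of what changed) is shown below as an added example. This is not Osiris code and does not use its database format or network protocol; it is a stand-alone Python illustration of the same idea with a constructed directory tree, and the file names in the demo are made up.

```python
"""Host-side file-integrity scan in the style described above: take a
baseline manifest, rescan later, report added / removed / modified files.
Added example; not code from Osiris or from LinuxSecurity.com."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, Tuple

# One record per file: (sha256 hex digest, size in bytes, permission bits)
Record = Tuple[str, int, int]
Manifest = Dict[str, Record]


def _hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: str, excludes: Tuple[str, ...] = ()) -> Manifest:
    """Walk `root` and record every regular file.  Symlinks are recorded by
    their link target text and never followed, so a planted link cannot pull
    a file from outside the tree into the scan.  Paths are stored relative to
    `root` so a server can compare manifests from hosts with the same layout."""
    manifest: Manifest = {}
    rootp = Path(root)
    for dirpath, dirnames, filenames in os.walk(rootp, followlinks=False):
        dirnames[:] = [d for d in dirnames if d not in excludes]
        for name in filenames:
            p = Path(dirpath) / name
            st = os.lstat(p)
            if stat.S_ISLNK(st.st_mode):
                digest = hashlib.sha256(os.readlink(p).encode()).hexdigest()
            elif stat.S_ISREG(st.st_mode):
                digest = _hash_file(p)
            else:
                continue  # sockets, fifos, devices: not part of this scan
            manifest[str(p.relative_to(rootp))] = (
                digest, st.st_size, stat.S_IMODE(st.st_mode))
    return manifest


def compare(baseline: Manifest, current: Manifest) -> Dict[str, list]:
    """Three-way diff of two manifests.  A permission-only change counts as
    'modified' even when the content hash is unchanged."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def format_report(host: str, diff: Dict[str, list]) -> str:
    """Plain-text summary of the kind a central server would mail out."""
    lines = [f"Integrity report for {host}"]
    for kind in ("added", "removed", "modified"):
        lines.extend(f"  {kind:<8} {p}" for p in diff[kind])
    if len(lines) == 1:
        lines.append("  no changes")
    return "\n".join(lines)


def demo(workdir: str = None) -> Dict[str, list]:
    """Constructed scenario: baseline a small tree, then change one file's
    content, change another's permissions, delete one and add one."""
    if workdir is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(d)
    tree = Path(workdir) / "etc"
    tree.mkdir(parents=True, exist_ok=True)
    (tree / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
    os.chmod(tree / "passwd", 0o644)
    (tree / "hosts").write_text("127.0.0.1 localhost\n")
    (tree / "motd").write_text("welcome\n")
    baseline = scan(str(tree))
    (tree / "hosts").write_text("127.0.0.1 localhost\n192.0.2.10 extra\n")
    os.chmod(tree / "passwd", 0o666)     # permission-only change
    (tree / "motd").unlink()
    (tree / "nsswitch.conf").write_text("passwd: files\n")
    return compare(baseline, scan(str(tree)))


if __name__ == "__main__":
    print(format_report("localhost", demo()))
```

The content hash alone would miss the `passwd` permission change, which is why the record carries mode bits as well; a real deployment would also keep the baseline off the scanned host, as the server-side database in the Osiris design does, so that whoever alters a file cannot also alter the record of it.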
http://www.linuxsecurity.com/feature_stories/feature_story-175.html

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Conectiva        | ----------------------------//
+---------------------------------+

10/18/2004 - gtk+ image loading vulnerabilities fix
A vulnerability found in the gdk-pixbuf bmp loader could allow a specially crafted BMP image to hang applications in an infinite loop (CAN-2004-0753[2]).
http://www.linuxsecurity.com/advisories/conectiva_advisory-4965.html

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

10/15/2004 - libtiff remote code execution fix
Several problems have been discovered in libtiff, the Tag Image File Format library for processing TIFF graphics files. An attacker could prepare a specially crafted TIFF graphic that would cause the client to execute arbitrary code or crash.
http://www.linuxsecurity.com/advisories/debian_advisory-4960.html

10/16/2004 - cyrus-sasl-mit arbitrary code execution fix remote code execution fix
A vulnerability has been discovered in the Cyrus implementation of the SASL library, the Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols.
http://www.linuxsecurity.com/advisories/debian_advisory-4961.html

10/18/2004 - netkit-telnet-ssl denial of service fix remote code execution fix
Michal Zalewski discovered a bug in the netkit-telnet server (telnetd) whereby a remote attacker could cause the telnetd process to free an invalid pointer.
http://www.linuxsecurity.com/advisories/debian_advisory-4963.html

10/18/2004 - netkit-telnet denial of service real fix remote code execution fix
Michal Zalewski discovered a bug in the netkit-telnet server (telnetd) whereby a remote attacker could cause the telnetd process to free an invalid pointer.
http://www.linuxsecurity.com/advisories/debian_advisory-4964.html

10/20/2004 - libpng several vulnerabilities fix
Several integer overflows have been discovered by its upstream developers in libpng, a commonly used library to display PNG graphics. They could be exploited to cause arbitrary code to be executed when a specially crafted PNG image is processed.
http://www.linuxsecurity.com/advisories/debian_advisory-4974.html

10/20/2004 - libpng3 several vulnerabilities fix
Several integer overflows have been discovered by its upstream developers in libpng, a commonly used library to display PNG graphics. They could be exploited to cause arbitrary code to be executed when a specially crafted PNG image is processed.
http://www.linuxsecurity.com/advisories/debian_advisory-4975.html

10/21/2004 - ecartis unauthorised access to admin interface fix
A problem has been discovered in ecartis, a mailing-list manager, which allows an attacker in the same domain as the list admin to gain administrator privileges and alter list settings.
http://www.linuxsecurity.com/advisories/debian_advisory-4986.html

10/21/2004 - cupsys arbitrary code execution fix
Chris Evans discovered several integer overflows in xpdf, that are also present in CUPS, the Common UNIX Printing System, which can be exploited remotely by a specially crafted PDF document.
http://www.linuxsecurity.com/advisories/debian_advisory-4988.html

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

10/15/2004 - gimp-2.0.5-0.fc2.3 update arbitrary code execution fix
A brown paper bag release -- I missed that 1bpp and 24bpp are also valid for BMP.
http://www.linuxsecurity.com/advisories/fedora_advisory-4958.html

10/18/2004 - glib2-2.4.7-1.1 update arbitrary code execution fix
Glib 2.4.7 contains many bug fixes, notably a fix for bug 126666.
http://www.linuxsecurity.com/advisories/fedora_advisory-4966.html

10/18/2004 - gtk2-2.4.13-2.1 update arbitrary code execution fix
GTK+ 2.4.13 contains many bug fixes, with an emphasis on making the new file chooser work better.
http://www.linuxsecurity.com/advisories/fedora_advisory-4967.html

10/21/2004 - tzdata-2004e-1.fc2 update arbitrary code execution fix
Previous tzdata-2004e-1.fc2 announcement from 2004-10-12 had wrong md5sums (before signing).
http://www.linuxsecurity.com/advisories/fedora_advisory-4991.html

10/21/2004 - xpdf-3.00-3.4 update arbitrary code execution fix
Chris Evans and others discovered a number of integer overflow bugs that affected all versions of xpdf. An attacker could construct a carefully crafted PDF file that could cause xpdf to crash or possibly execute arbitrary code when opened.
http://www.linuxsecurity.com/advisories/fedora_advisory-4992.html

10/21/2004 - openoffice.org-1.1.2-10.fc2 update arbitrary code execution fix
This update is equivalent to the Fedora Core 3 version of OpenOffice.org. The changes since the previous version of OpenOffice.org in Fedora Core 2 are too numerous to list here, but there are quite a few notable improvements.
http://www.linuxsecurity.com/advisories/fedora_advisory-4996.html

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

10/15/2004 - BNC Input validation flaw
BNC contains an input validation flaw which might allow a remote attacker to issue arbitrary IRC related commands.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4957.html

10/18/2004 - phpMyAdmin Vulnerability in MIME-based transformation system
A vulnerability has been found in the MIME-based transformation system of phpMyAdmin, which may allow remote execution of arbitrary commands if PHP's "safe mode" is disabled.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4962.html 10/18/2004 - Squid Remote DoS vulnerability Squid contains a vulnerability in the SNMP module which may lead to a denial of service. http://www.linuxsecurity.com/advisories/gentoo_advisory-4968.html 10/18/2004 - PostgreSQL Insecure temporary file use in make_oidjoins_check The make_oidjoins_check script, part of the PostgreSQL package, is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files with the rights of the user running the utility. http://www.linuxsecurity.com/advisories/gentoo_advisory-4969.html 10/20/2004 - OpenOffice.org Temporary files disclosure Insecure temporary file use in make_oidjoins_check OpenOffice.org uses insecure temporary files which could allow a malicious local user to gain knowledge of sensitive information from other users' documents. http://www.linuxsecurity.com/advisories/gentoo_advisory-4982.html 10/20/2004 - Ghostscript Insecure temporary file use in multiple scripts Multiple scripts in the Ghostscript package are vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files with the rights of the user running the script. http://www.linuxsecurity.com/advisories/gentoo_advisory-4983.html 10/21/2004 - glibc Insecure tempfile handling in catchsegv script The catchsegv script in the glibc package is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files with the rights of the user running the script. http://www.linuxsecurity.com/advisories/gentoo_advisory-4989.html 10/21/2004 - CUPS Multiple integer overflows Multiple integer overflows were discovered in Xpdf, potentially resulting in execution of arbitrary code upon viewing a malicious PDF file. CUPS includes Xpdf code and therefore is vulnerable to the same issues. 
http://www.linuxsecurity.com/advisories/gentoo_advisory-4990.html 10/21/2004 - mod_ssl Bypass of SSLCipherSuite directive In certain configurations, it can be possible to bypass restrictions set by the "SSLCipherSuite" directive of mod_ssl. http://www.linuxsecurity.com/advisories/gentoo_advisory-4995.html +---------------------------------+ | Distribution: Mandrake | ----------------------------// +---------------------------------+ 10/20/2004 - mozilla update fix A number of vulnerabilities were fixed in mozilla 1.7.3. http://www.linuxsecurity.com/advisories/mandrake_advisory-4971.html 10/20/2004 - libtiff update fix Several vulnerabilities have been discovered in the libtiff package. http://www.linuxsecurity.com/advisories/mandrake_advisory-4972.html 10/20/2004 - cvs update fix iDEFENSE discovered a flaw in CVS versions prior to 1.1.17 in an undocumented switch implemented in CVS' history command. The -X switch specifies the name of the history file which allows an attacker to determine whether arbitrary system files and directories exist and whether or not the CVS process has access to them. http://www.linuxsecurity.com/advisories/mandrake_advisory-4973.html 10/20/2004 - libtiff multiple vulnerabilities fix Several vulnerabilities have been discovered in the libtiff package. http://www.linuxsecurity.com/advisories/mandrake_advisory-4976.html 10/21/2004 - cvs vulnerability fix iDEFENSE discovered a flaw in CVS versions prior to 1.1.17 in an undocumented switch implemented in CVS' history command. The -X switch specifies the name of the history file which allows an attacker to determine whether arbitrary system files and directories exist and whether or not the CVS process has access to them. http://www.linuxsecurity.com/advisories/mandrake_advisory-4984.html 10/21/2004 - mozilla vulnerabilities fix A number of vulnerabilities were fixed in mozilla 1.7.3. 
http://www.linuxsecurity.com/advisories/mandrake_advisory-4985.html 10/21/2004 - gaim vulnerabilities fix More vulnerabilities in gaim include nstalling smiley themes could allow remote attackers to execute arbitrary commands via shell metacharacters in the filename of the tar file that is dragged to the smiley selector. There is also a buffer overflow in the way gaim handles receiving very long URLs. http://www.linuxsecurity.com/advisories/mandrake_advisory-4993.html 10/21/2004 - wxGTK2 vulnerabilities fix Several vulnerabilities have been discovered in the libtiff package; wxGTK2 uses a libtiff code tree, so it may have the same vulnerabilities. http://www.linuxsecurity.com/advisories/mandrake_advisory-4994.html 10/21/2004 - squid SNMP processing vulnerability fix iDEFENSE discovered a Denial of Service vulnerability in squid version 2.5.STABLE6 and previous. The problem is due to an ASN1 parsing error where certain header length combinations can slip through the validations performed by the ASN1 parser, leading to the server assuming there is heap corruption or some other exceptional condition, and closing all current connections then restarting. http://www.linuxsecurity.com/advisories/mandrake_advisory-4997.html 10/21/2004 - wxGTK2 vulnerabilities fix Several vulnerabilities have been discovered in the libtiff package; wxGTK2 uses a libtiff code tree, so it may have the same vulnerabilities. http://www.linuxsecurity.com/advisories/mandrake_advisory-4998.html 10/21/2004 - gaim vulnerabilities fix More vulnerabilities have been discovered in the gaim instant messenger client. http://www.linuxsecurity.com/advisories/mandrake_advisory-4999.html 10/22/2004 - xpdf vulnerabilities fix Chris Evans discovered numerous vulnerabilities in the xpdf package which can result in DOS or possibly arbitrary code execution. 
http://www.linuxsecurity.com/advisories/mandrake_advisory-5000.html 10/22/2004 - gpdf DoS vulnerability fix Chris Evans discovered numerous vulnerabilities in the xpdf package, which also effect software using embedded xpdf code, such as gpdf. http://www.linuxsecurity.com/advisories/mandrake_advisory-5001.html 10/22/2004 - cups DoS vulnerabilities fix Chris Evans discovered numerous vulnerabilities in the xpdf package, which also effect software using embedded xpdf code. http://www.linuxsecurity.com/advisories/mandrake_advisory-5002.html 10/22/2004 - kdegraphics DoS vulnerability fix Chris Evans discovered numerous vulnerabilities in the xpdf package, which also effect software using embedded xpdf code, such as kpdf. http://www.linuxsecurity.com/advisories/mandrake_advisory-5003.html +---------------------------------+ | Distribution: Red Hat | ----------------------------// +---------------------------------+ 10/20/2004 - ImageMagick security vulnerabilities fix Updated ImageMagick packages that fix various security vulnerabilities are now available. http://www.linuxsecurity.com/advisories/redhat_advisory-4977.html 10/20/2004 - mysql minor security issues and bugs fix Updated mysql packages that fix various temporary file security issues, as well as a number of bugs, are now available. http://www.linuxsecurity.com/advisories/redhat_advisory-4978.html 10/20/2004 - squid vulnerability fix An updated squid package that fixes a remote denial of service vulnerability is now avaliable. http://www.linuxsecurity.com/advisories/redhat_advisory-4979.html 10/20/2004 - mysql security issues and bugs fixes Updated mysql packages that fix various security issues, as well as a number of bugs, are now available for Red Hat Enterprise Linux 2.1. 
http://www.linuxsecurity.com/advisories/redhat_advisory-4980.html 10/20/2004 - gaim security issues and bugs fixes An updated gaim package that fixes security issues, fixes various bugs, and includes various enhancements for Red Hat Enterprise Linux 3 is now avaliable. http://www.linuxsecurity.com/advisories/redhat_advisory-4981.html +---------------------------------+ | Distribution: Suse | ----------------------------// +---------------------------------+ 10/21/2004 - kernel remote denial of service An integer underflow problem in the iptables firewall logging rules can allow a remote attacker to crash the machine by using a handcrafted IP packet. This attack is only possible with firewalling enabled. http://www.linuxsecurity.com/advisories/suse_advisory-4987.html +---------------------------------+ | Distribution: Trustix | ----------------------------// +---------------------------------+ 10/15/2004 - libtiff, mysql, squid, cyrus-sasl Multiple security vulnerabilities remote denial of service Multiple security vulnerabilities in mysql, squid, cyrus-sasl and libtiff. http://www.linuxsecurity.com/advisories/trustix_advisory-4959.html ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ From isn at c4i.org Mon Oct 25 05:59:07 2004 From: isn at c4i.org (InfoSec News) Date: Mon Oct 25 06:11:52 2004 Subject: [ISN] Hacker's method found Message-ID: http://www.stuff.co.nz/stuff/0,2106,3074329a28,00.html By MARY ANNE GILL 23 October 2004 The hacker who got into Hamilton food company Aria Farm's website knew the password. 
Web host Ultimate Design of Hamilton says logs they produced a day after hackers got in to send out 3000 hoax emails saying Aria Farm's product was contaminated clearly show an IP address and the time the hacking took place.

Systems engineer Chris Cunningham would not say when it was done other than it was last Saturday and it took the hacker very little time. The password was a default one, he said.

An IP address is a 32-bit numeric address written as four sets of numbers separated by periods. When you connect to the internet, you are assigned an IP address. This identifies your computer from others on the internet.

The Waikato Times understands police now have a copy of that log and can identify where and who logged onto the site.

Routers are needed to run computer systems on broadband. Most came from the factory with default passwords which are often never changed. Earlier this year Dennis Jones from Computer Troubleshooters in Te Rapa estimated that 95 per cent of Hamilton routers were still sitting on their default passwords.

From isn at c4i.org Mon Oct 25 05:59:24 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 25 06:11:54 2004
Subject: [ISN] Second sight
Message-ID:

http://www.guardian.co.uk/online/comment/story/0,,1331820,00.html

Dave Birch
October 21, 2004
The Guardian

I was involved in a discussion about internet policing and child pornography the other day. There were a number of suggestions: ID cards, expanding police IT training and so on. None, in my opinion, were likely to have much impact.

A cursory search on any of the file-sharing networks reveals the IP addresses of servers distributing child pornography. These "sick servers" change frequently, but they are discoverable. That is obvious, otherwise the judges, teachers, policemen et al, convicted of downloading such material wouldn't be able to find it. But what to do about them?
Knowing that a sick server in some far-flung former Soviet province is distributing child pornography is one thing, stopping it is another. The scale and distributed nature of this problem makes conventional policing impossible. There are simply not enough resources to track down every sick server, find the people behind them (even if you could), and then prosecute. A more realistic goal may be to disrupt the servers. In many cases, the owners of the servers have no idea they are being used in this way. But if their servers go down, then the distribution of the material will be halted and the owners alerted to the problem. If a web-hosting company sees a server go down, I am sure they will do something about it. One approach might be to capitalise on the internet dynamic of decentralised cooperation. Instead of internet users calling for someone else to police their environment, perhaps they should band together to tackle it themselves. Internet users already cooperate in a distributed, coordinated way to tackle other big problems. The canonical example is the search for extra-terrestrial intelligence (Seti). Around the world, users have downloaded screensavers that crunch through the signals picked up from outer space, searching for patterns that could indicate unnatural sources. When they find one, as happened earlier this year, they report the signal to a central system for further investigation. Suppose they were, instead, searching for sick servers? Instead of merely reporting the problem, they could launch a distributed denial of service (DDoS) attack. A DDoS attack occurs when PCs connected to the internet (often because of a malicious virus, of which users are unaware) simultaneously try to connect to a website. The target site is swamped, and legitimate users cannot get through. Why not link the automated scouring of the internet for sick servers with the distributed power of screensavers and the DDoS? 
I am writing this on a plane: at home there are two G4s doing nothing. If I could download a screensaver that either searched for sick servers or obtained a list (from the Internet Watch Foundation) of servers to attack and then cooperated with thousands of other machines to launch DDoS attacks against those servers, I would be doing something to help. The police could spend their time chasing the paedophile sources of the sick content rather than trying to put their fingers in the dyke. My screensaver might become a life saver.

From isn at c4i.org Mon Oct 25 05:59:48 2004
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 25 06:11:55 2004
Subject: [ISN] Report: Corporate security undermined by lack of cooperation
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,96876,00.html

By Jaikumar Vijayan
OCTOBER 22, 2004
COMPUTERWORLD

A lack of information sharing and cooperation between IT security, physical security and risk management functions is hindering efforts to upgrade corporate security, according to a report released this week by The Conference Board Inc.

The separate silos in which many businesses put those functions can create a corporate culture that encourages the hoarding of vital security information, said the report, which was based on interviews with more than 200 senior executives at major companies.

Businesses need to bridge the gap and develop a "common frame of reference," said Tom Cavanagh, a security expert at The Conference Board, a New York-based research organization. "What you need to have is a way for everybody to be on the same page and speaking the same language" when it comes to implementing companywide security policies, he said.

Cavanagh's advice echoed comments made at last month's ASIS International 2004 conference in Dallas, where corporate managers and analysts cited a growing need to unify the management of IT and physical security.
That viewpoint is "absolutely right," said Dennis Treece, director of corporate security at the Massachusetts Port Authority (Massport) in Boston. "Until the various factions stop bickering over turf, we're going to find any holistic security improvements terribly difficult" to achieve, he said. Treece, who oversees both physical and IT security at Massport, said that the separate security-related functions within companies "all have different points of view, different cultures, different career paths, different educations and even different vocabularies." Physical security practitioners who typically deal with human intelligence issues and technologies such as intruder alarm systems often have little in common with IT security professionals, said Eddie Schwartz, chief technology officer at Securevision LLC, a consultancy in Fairfax, Va. Similarly, risk management executives tend to come from financial backgrounds and often have little technology savvy, said Schwartz, a former chief information security officer at Nationwide Insurance Co. in Columbus, Ohio. The resulting communications breakdowns often lead to gaps in security, said Lew Wagner, CISO at Clarian Health Partners Inc. in Indianapolis. "The secret to any long-lasting and effective security practice is to have IT security dovetail with physical security, risk management and human resources" functions, he said. Wagner added that long-established corporate hierarchies and territorial boundaries make this integration hard to achieve. "Each of these groups have already carved out their niches and protected areas and are resistant to change and have to be shown that this [integration] is a way to enhance what they are doing," Wagner said. Demonstrating the value of information integration to all stakeholders in corporate security can be a challenge, Schwartz said. 
"But one of the mistakes that people often make is to assume that everybody needs to be in the same room with the same color shirt to make this work," he said. Instead of necessarily breaking down silos and establishing chains of command, companies should emphasize building a comprehensive "situational awareness" capability, where executives from different groups can compare high-level information and look for trends, Schwartz said. "Most firms don't understand how and why holistic security is a profit multiplier and a market differentiator," said Thomas Varney, vice president of forensic services at TrustWave Corp. in Annapolis, Md. Varney served most recently in the U.S. Office of the Secretary of Defense and the Coalition Provisional Authority in Iraq, "where we understood the necessity of the holistic security perspective," he said. From isn at c4i.org Mon Oct 25 05:59:59 2004 From: isn at c4i.org (InfoSec News) Date: Mon Oct 25 06:11:57 2004 Subject: [ISN] Hackers stop Guardian campaign Message-ID: http://www.theinquirer.net/?article=19252 By Nick Farrell 25 October 2004 US CRACKERS have managed to do what governments, business people, and individuals have tried for years - get a British newspaper to stop printing things that they don't like. The Grauniad miffed voters in Ohio by suggesting which way they should use their power as a swing state to influence the course of the presidential election. The newspaper's website said letter writers were free to support either the Republican incumbent, US President George W. Bush, or Democratic challenger Senator John Kerry. But it noted a Guardian poll showed overwhelming support for Kerry. The Guardian had invited its readers to contact voters in Clark County, Ohio, a swing state, about the importance of the November 2 election. Within the first day, more than 3,000 readers logged on to the newspaper's Web site to obtain the name and address of an unaffiliated voter taken from electoral rolls. 
By the time the news got over to the Americans, the campaign was interpreted as a bid by the evil left wing English press telling US people to vote for Kerry. Not only did they get thousands of angry phlegms and snottograms from Americans who apparently read the august organ across the pond. They also received the attentions of crackers who believed it was their patriotic duty to silence a free press, who they thought was talking ill of their candidate. The site was hacked and shut down. However, with true British stiff upper lip and in the traditions of sticking to your point of view no matter what the cost, the Guardian has decided against ploughing ahead regardless. The editors have decided that enough is enough and they are calling it quits. So just remember if a paper says something you don't like, don't bother with defamation courts. A simple denial of service attack is all that is required to stop a media campaign. From isn at c4i.org Tue Oct 26 02:41:33 2004 From: isn at c4i.org (InfoSec News) Date: Tue Oct 26 03:08:47 2004 Subject: [ISN] Hackers post achievements online Message-ID: http://star-techcentral.com/tech/story.asp?file=/2004/10/26/itfeature/9173356&sec=itfeature BY M. MADHAVAN October 26, 2004 Malaysia was the centre of 'hacker activities' on Oct 6 and 7 when hackers from around the world attended the Hack-In-The-Box Security Conference (HITBSecConf 2004) in Kuala Lumpur. This year's lineup of speakers included John Draper, infamous for his early phone phreaking exploits; Theo de Raadt, creator and project leader of OpenBSD; and Adam Gowdiak, formerly of The Last Stage of Delirium - the group that 'broke' Windows. About 300 people attended the security conference organised by Hack In The Box (M) Sdn Bhd. -=- ZONE-H (www.zone-h.org) is doing its part to keep the Internet safe but in a very unusual fashion - it encourages hackers who deface websites to log on to its site to post the details of their attacks. 
A lot of people might think that this would encourage hackers to deface more websites, and it does, according to zone-h founder Roberto Rangoni Preatoni. But it also does more good than harm because it encourages hackers to find security holes in websites, which the owners would not be aware of otherwise, he said. These hackers are mainly interested in defacing websites, not causing serious harm, said Preatoni. Zone-h, which calls itself "the Internet thermometer," monitors Internet attacks and keeps an archive of defaced websites, including a snapshot of tampered websites. Once the site owner is aware of the security flaw, he has a chance to patch the flaw before it is exploited by someone who means to cause real damage, said Preatoni. "Website owners have to ask themselves which is better - being attacked by a hacker who does some serious damage or just some script kiddie defacing their website," he said. "Imagine if a hacker manages to get access to a corporate website and uses it to distribute porn. Chances are the company won't know about it for some time and by the time someone finds out, severe damage would have been done to the image of the company," said Preatoni. He feels having your website defaced is a small price to pay to enjoy better security in the long term. A defaced website is a wakeup call to the systems administrator. It has the effect of motivating him or her to be more diligent in monitoring the website and applying security patches on time, he said. In some cases, Preatoni said he managed to get in touch with the hackers and convinced them to change their ways. He even employs several to run his zone-h website. Reasons behind the attack By giving hackers an avenue to post their "victories," zone-h is also able to collect useful information, such as the hacker's motive, which top domain levels are popular targets, and which methods were used. 
According to the statistics posted on zone-h, the most popular reason given for defacing a website is "for fun" - which accounts for 32.1%. Another 17.6% did not want to reveal their reasons, while 14.7% said they did it because they wanted to be the best "defacer," and 12.1% were motivated by political reasons. Surprisingly, most of the defaced websites were hosted on Linux. The popular open source operating system, which has been touted for its security features, took the top spot at 60.7%. On the other hand, the Windows operating system which has been criticised for having too many security holes came in a distant second at 19.3%, according to the zone-h site. In 29.9% of the attacks, hackers took advantage of configuration errors or administration mistakes to "break" into websites. While 25.3% took advantage of a known system vulnerability that was left unpatched by the systems administrator, 23.1% took advantage of new vulnerabilities and 14.6% used brute force. Brute force attacks rely on sheer computing power to break in, usually by trying all the possible combinations for a password. Most of the defaced websites - or 38.3% - were hosted on .com domains, while the next highest number - or 8.9% - were hosted on .de domains and the third highest - or 6.5% - were hosted on .net domains. The Malaysian top-level domain, .my, was not on the list. From isn at c4i.org Tue Oct 26 02:41:53 2004 From: isn at c4i.org (InfoSec News) Date: Tue Oct 26 03:08:49 2004 Subject: [ISN] Scan design called portal for hackers Message-ID: http://www.eedesign.com/story/showArticle.jhtml?articleID=51200154 Richard Goering EE Times Oct 25, 2004 Santa Cruz, Calif. -- Think your "smart" credit cards are safe from hackers, that your company firewall is secure and that no one can steal the intellectual property in your latest chip design? Think again. 
Any chip that uses scan design - and any system built around it - may be vulnerable to hackers or to other interested third parties, according to research that will be presented at this week's International Test Conference in Charlotte, N.C. (www.itctestweek.org). There's a growing recognition in the industry that the very scan chains that make ICs testable can potentially be used to break their encryption algorithms and steal their intellectual property. Opinions differ on how solvable the problem is and on what approach provides the best possible trade-off between test and security concerns. An ITC panel scheduled for tomorrow will air different views on a growing dilemma: that while design-for-test methodologies aim at making internal IC logic states visible to testers, those very same features make chips much more vulnerable to hackers. "Good test quality requires full access to all elements that determine the internal state of an IC," said Erik Jan Marinessen, principal scientist at Philips Research Labs in Eindhoven, Netherlands, and moderator of the Tuesday panel. "Full access means full controllability and full observability. These test requirements are in complete contradiction to security requirements, where neither full controllability nor observability should be given to the world external to the IC." Marinessen is optimistic about resolving the dilemma, however. "A proper control of the IC's life cycle prevents the use of such test features during application mode when secrets are in use," he said. But one of the panelists is far more pessimistic. Ramesh Karri, associate professor of electrical and computing engineering at the Polytechnic University in Brooklyn, N.Y., is co-author of an ITC paper titled "Scan-based side channel attack on dedicated hardware implementations of data encryption standard." The paper shows how scan chains can be used as a "side channel" to recover secret keys from a hardware implementation of any cryptographic algorithm. 
It details a two-phased attack that can nab a secret DES encryption key even when the architecture of the scan chain is unknown and the key is stored in secure memory. A similar paper on Karri's Web site describes a two-phased attack that can recover AES encryption keys (see http://cad.poly.edu/encryption). Karri is a man with a mission. "We want to get to the design and test communities and tell them that scan is a terrible thing to do," he said. "Scan is a very bad design-for-test methodology. It is a very good design-for-hacking methodology." "It's a real problem," concurred Rohit Kapur, scientist at EDA vendor Synopsys Inc. Kapur believes, however, that there's a solution, and at the ITC panel he will propose a scheme that uses decoding and encoding logic to protect the data in scan chains. "Scan chains provide a window into the chip," said Yervant Zorian, CTO of Virage Logic. "But that window can be used off- or online to extract information from the chip." Like Kapur, Zorian believes one possible solution is to add encryption and decryption logic to scan chains. "It's well known that scan chains are a major source of vulnerability in embedded systems," said Srinivas Ravi, research staff member at NEC Laboratories America and a security architect for NEC's mobile-terminal applications chips. Karri hasn't uncovered a new problem, Ravi said, but his work is important because it provides a detailed independent analysis of the issue. Most ASICs use scan design because it's a relatively easy way to give testers access to internal states. According to a recent Gartner Dataquest study, 82 percent of ASIC designers reported that their most recent designs used scan chain insertion. The primary alternative is built-in self-test (BIST), which is more secure because it doesn't require visible scan chains. But BIST is more complicated to implement and has yet to be widely adopted for logic. 
Opinions differ on whether BIST could be an effective alternative to scan for security-conscious designs. Trouble with scan Scan design is based on a relatively simple concept. One or more scan chains are constructed within a chip by tying together some internal registers and flip-flops and then connecting them to the serial JTAG boundary scan interface. During testing, test vectors are scanned in through the scan input pin, and the contents of internal registers are scanned out through the scan output pin. The good news is that automatic test equipment can thus find stuck-at-1 or stuck-at-0 faults that would otherwise lie hidden within the device, just waiting to make it fail in the field. The bad news is that hackers can see the internals of the device too, Karri says. "By providing a scan chain, you are providing access to the internal state of a chip," he said. "If you know the algorithm that's being implemented, any proprietary data that's part of that algorithm can be easily compromised and discovered." Thus, said Synopsys' Kapur, "if you have a chip that goes into a credit card and you are able to scan out information, you might be able to replicate that card." Although Karri's paper focuses on a methodology for breaking encryption algorithms, the problem is far broader, he said: Any kind of intellectual property can be compromised with scan design. "Think of a filter with a fancy coefficient that you worked hard to design," he said. "If you put it into an IC and use scan for testing, the coefficient can be scanned out. Somebody else can easily come up with an equally fancy filter based on your IP." Karri said he wasn't aware of any actual hacker attacks using scan chains, but he said the security community knows about the problem and that some of the high-end smart-card vendors are now avoiding scan chains. 
He also noted that the Federal Information Processing Standard (FIPS) for cryptographic modules states that access to the "contents" of the module must be restricted. Karri maintains that this essentially prohibits scan design, even though FIPS does not explicitly mention it. Kapur said that a few Synopsys customers who are concerned about security have said they didn't want to insert scan but that it's not a "mainstream" concern yet. Thus far the concern is mainly for financial applications, such as smart credit cards. NEC's Ravi observed that many smart-card providers disable JTAG circuitry once the chips are in production. This may not be acceptable for other kinds of systems, he noted, because debug circuitry is needed to examine failures in the field. Countermeasures Marinessen said providers of security-conscious applications, including Philips, take "countermeasures" to prevent hacking. But he declined to comment on the exact nature of those countermeasures. "I think that in his ITC '04 paper, Professor Karri assumes that it is relatively easy to find out which IC pins serve as scan chain inputs/outputs and how the scan operation of the scan chains should be controlled," Marinessen said. "This is not possible for state-of-the-art security devices, and hence provides no attack path." Karri's ITC paper outlines two phases to breaking a DES encryption algorithm. In the first phase, the paper describes a five-step plan for applying selected user inputs, or "plaintexts," to determine the scan chain structure. The paper assumes the hacker has access to high-level timing diagrams from an ASIC vendor but does not know the structure of the scan chain. The second phase shows how a hacker could break the DES algorithm by applying three known plaintexts. It's an iterative process that involves four basic steps. 
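The two-phase attack the article sketches, as an added illustration of the idea on a constructed toy core (this is not Karri's DES attack, not the ITC paper's code, and not any vendor's design): the "chip" below loads P XOR K into a 16-bit round register on its first clock, applies a PRESENT-like nibble S-box on later clocks, carries four round-counter flops on the same chain, and scans everything out in a secret order. All of those parameters are assumptions made for the example. Phase 1 learns the chain layout by flipping one plaintext bit at a time and XORing scan-outs, so the unknown key and the counter flops cancel; phase 2 then reads the register for one known plaintext and strips the plaintext off.

```python
"""Toy model of the scan-chain side channel described in the article.

Constructed illustration only: a 16-bit key-mixing round, a PRESENT-like
nibble S-box, four round-counter flops and a secret scan order are all
assumptions made for this example. Not the DES attack from the ITC paper.
"""
import random

WIDTH = 16          # round register width (assumed)
COUNTER_BITS = 4    # flops on the chain that are not in the key path (assumed)
MASK = (1 << WIDTH) - 1


class ToyCryptoChip:
    # Constructed nibble S-box (PRESENT's) so that later rounds are non-linear;
    # the attack never has to invert it.
    SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
            0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

    def __init__(self, key, seed=0):
        self._key = key & MASK      # "secure memory": never readable directly
        self._reg = 0
        self._round = 0
        # Secret scan order: a permutation of all flops. Ids 0..WIDTH-1 are
        # register bits, WIDTH.. are round-counter bits.
        self._chain = list(range(WIDTH + COUNTER_BITS))
        random.Random(seed).shuffle(self._chain)

    def run(self, plaintext, clocks=1):
        """Functional mode from reset: clock 1 mixes the key in,
        every further clock applies the S-box layer."""
        self._reg, self._round = 0, 0
        for _ in range(clocks):
            if self._round == 0:
                self._reg = (plaintext ^ self._key) & MASK
            else:
                self._reg = self._sbox_layer(self._reg)
            self._round += 1

    @classmethod
    def _sbox_layer(cls, x):
        return sum(cls.SBOX[(x >> (4 * n)) & 0xF] << (4 * n) for n in range(WIDTH // 4))

    def scan_out(self):
        """Test mode: shift the whole chain out. The attacker sees bits in
        chain order with nothing saying which flop each bit came from."""
        flops = [(self._reg >> i) & 1 for i in range(WIDTH)]
        flops += [(self._round >> i) & 1 for i in range(COUNTER_BITS)]
        return [flops[f] for f in self._chain]


def phase1_map_chain(chip):
    """Phase 1: learn which chain position carries each register bit.
    Scan-outs for P = 0 and P = 1 << i differ in exactly one flop: the key
    and the counter are identical in both runs and cancel in the XOR."""
    chip.run(0)
    base = chip.scan_out()
    mapping = {}
    for i in range(WIDTH):
        chip.run(1 << i)
        diff = [a ^ b for a, b in zip(base, chip.scan_out())]
        hits = [pos for pos, d in enumerate(diff) if d]
        if len(hits) != 1:
            raise RuntimeError(f"bit {i}: expected one differing flop, got {hits}")
        mapping[i] = hits[0]
    return mapping


def phase2_recover_key(chip, mapping, plaintext):
    """Phase 2: one known plaintext. Reassemble the register from the chain;
    it holds P XOR K, so K = register XOR P."""
    chip.run(plaintext)
    chain = chip.scan_out()
    register = sum(chain[mapping[i]] << i for i in range(WIDTH))
    return register ^ plaintext


def confirm_key(chip, key, plaintext, mapping):
    """Check a recovered key: predict the round-2 register from the key and
    compare with what the chain shows after two clocks."""
    chip.run(plaintext, clocks=2)
    chain = chip.scan_out()
    observed = sum(chain[mapping[i]] << i for i in range(WIDTH))
    return observed == ToyCryptoChip._sbox_layer((plaintext ^ key) & MASK)


def scan_attack(chip, known_plaintext=0xBEEF):
    """Full attack: WIDTH + 1 scan-outs for the layout, one more for the key."""
    mapping = phase1_map_chain(chip)
    return phase2_recover_key(chip, mapping, known_plaintext), mapping


if __name__ == "__main__":
    secret = 0x2B7D
    chip = ToyCryptoChip(secret, seed=7)
    key, mapping = scan_attack(chip)
    ok = confirm_key(chip, key, 0x1234, mapping)
    print(f"recovered 0x{key:04X} (real 0x{secret:04X}); round-2 check {'ok' if ok else 'FAILED'}")
```

The counter flops are there to show why phase 1 is needed at all: the chain is not the register, and nothing in the scan-out labels the bits. The toy's first round is linear in the key, which is why a single-bit plaintext difference is enough per register bit; on a real DES core the round-1 register holds L0 XOR f(R0, K1), so the chosen differences have to be threaded through the expansion and S-boxes, which is the work the paper's five-step structure discovery does. Note also that merely XOR-masking the scan output with a fixed pattern would not defeat this toy attack: the mask cancels in phase 1, and phase 2 simply returns K XOR mask.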
Using Mentor Graphics Corp.'s ModelSim simulator, Karri and his co-authors determined that close to 42,000 clock cycles are required to discover the secret user key. A hacker would obviously need some knowledge of encryption algorithms and chip design, but it would not take a lot of sophistication, Karri said. "It doesn't take a chip designer," he said. "It's quite straightforward."

Far from being concerned that his paper will encourage hackers, Karri said that what's important is getting word to the design and test community, which is largely unaware of the problem.

Karri said he's not optimistic that scan chains can be made more secure. His paper notes that even when scan chains are unbound after testing, they can still be accessed by breaking the IC package open.

Kapur of Synopsys, however, believes there is a solution. His idea involves putting some decoding logic at the scan chain input and encoding logic at the scan chain output. "As long as the encoding logic is different from the decoding logic," he said, "what you scan in, you can't scan out." This scheme, however, would require support from both scan insertion tools and from ATE providers, Kapur noted. "The requirement has to get mainstream for it to take off, but it's all doable," he said.

Karri is skeptical. He said that compression and decompression circuitry doesn't have security features and can be easily broken. And he expressed doubt that scan with added encryption and decryption circuitry would maintain its cost or area advantage over BIST.

Karri believes that BIST offers much more security than scan, but Kapur termed BIST "low quality" because it requires random patterns and more test application time. "If you want high quality, you need deterministic ATPG-based testing, which requires scan," he said.

The real issue, Karri believes, is that design-for-test needs some fresh thinking. "We need to think outside the box about what might be a good test methodology," he said. "We have all these great conferences on DFT and scan. I don't think any of this is correct."

From isn at c4i.org Tue Oct 26 02:42:30 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 26 03:08:50 2004
Subject: [ISN] CanSecWest/core05 Call for Papers - May 4-6 2005 - Deadline December 6 2004
Message-ID:

Forwarded from: Dragos Ruiu

CALL FOR PAPERS

CanSecWest/core05 Network Security Training Conference
http://cansecwest.com
May 4-6 2005
Vancouver, B.C. Canada

CanSecWest would like to announce the call for papers of the spring, sixth annual, CanSecWest/core05 network security training conference and the announcement of the final set of presentations for the PacSec.jp/core04 conference.

The CanSecWest/core05 conference will be held on May 4-6 at the Marriott Renaissance in downtown Vancouver, British Columbia, Canada. The conference focuses on emerging information security tutorials and technology. Please submit all proposals for presentations by December 6.

This year we will continue to also have two kinds of presentations, the normal one hour tutorials, and there will again be a session of the popular "lightning talks": 5 minutes max (BigHook/Gong enforced) and 1-3 slides. Selected "lightning talk" presenters will receive registration discounts (or rebates) - travel and accommodations are their responsibility. "Lightning talk" submissions should follow the same submission guidelines below. Deadline for "lightning talk" submissions is January 17th, 2005.

The conference is responsible for travel and accommodations for the tutorial speakers. If you have a proposal for a tutorial session then please email a synopsis of the material and your biography, papers, and speaking background to core05@cansecwest.com. Tutorials are one hour in length. Only slides will be needed for the April paper deadline, full text does not have to be submitted.

The CanSecWest/core05 conference consists of tutorials on technical details about current issues, innovative techniques and best practices in the information security realm. The audiences are a multi-national mix of professionals involved on a daily basis with security work: security product vendors, programmers, security officers, and network administrators. We give preference to technical details and education for a technical audience.

The conference itself is a single track series of presentations in a lecture theater environment. The presentations offer speakers the opportunity to showcase on-going research and collaborate with peers while educating and highlighting advancements in security products and techniques. The focus is on innovation, tutorials, and education instead of overt product pitches. Some commercial content is tolerated, but it needs to be backed up by a technical presenter - either giving a valuable tutorial and best practices instruction or detailing significant new technology in the products.

Paper proposals should consist of the following information:

1) Presenter, and geographical location (country of origin/passport) and contact info (e-mail, postal address, phone, fax).
2) Employer and/or affiliations.
3) Brief biography, list of publications and papers.
4) Any significant presentation and educational experience/background.
5) Topic synopsis, proposed paper title, and a one paragraph description.
6) Reason why this material is innovative or significant or an important tutorial.
7) Optionally, any samples of prepared material or outlines ready.

Please forward the above information to core05@cansecwest.com to be considered for placement on the speaker roster.

The selected papers for PacSec.jp/core04 are:

George Kurtz - Google Hacking: Searching for ways to stop hackers.
Shane "K2" Macaulay & Dino Dai Zovi - Wireless vulnerabilities from rogue access points.
Nico Fischbach - Voice Over IP Security
Maximillian Dornseif - 0wn3d by an iPod: Firewire/1394 Issues
Nico Fischbach & Toby Kohlenberg - Best methods for detecting anomalies in global networks
David Meltzer - Hybrid approaches for optimized network discovery
Nicolas Brulez - Windows virus executable file infections and heuristic detection.
Ivan Arce - Analyzing exploit code quality.
Hiroaki Etoh - Stack Protection Systems (ProPolice, XP SP2...).
Laurent Oudot - Countering Attack Deception Techniques.
Greg Smith - Security Tutorial for Administrators.
Ejovi Nuwere - Inside Jyukinet: The Audit.

More information on the PacSec.jp/core04 conference in Tokyo on November 11-12 can be found at http://pacsec.jp

Advance discount registration is now open for CanSecWest/core05 at http://cansecwest.com

thanks,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan Nov 11-12 2004 http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp

From isn at c4i.org Tue Oct 26 02:42:45 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 26 03:08:52 2004
Subject: [ISN] Mac users face rare threat
Message-ID:

http://news.zdnet.com/2100-1009_22-5424883.html

By Munir Kotadia
ZDNet Australia
October 25, 2004

A script-based threat that spies on Mac users caught the attention of some security watchers last week. The malware, which has been dubbed Opener by Mac user groups, can disable Mac OS X's built-in firewall, steals personal information and can destroy data. It is not yet a widespread danger, however.

Security experts say those traits are common among the thousands of online threats targeting Microsoft's ubiquitous Windows operating system but are virtually unheard of on Apple Computer's Mac OS.

Paul Ducklin, Sophos' head of technology in the Asia-Pacific region, said that the software, which Sophos calls Renepo, is designed to affect Mac OS X drives connected to an infected system and that it leaves affected computers vulnerable to further attack.

Ducklin said Opener disables Mac OS X's built-in firewall, creates a back door so the malware author can control the computer remotely, locates any passwords stored on the hard drive, and downloads a password cracker called JohnTheRipper.

Opener is a "rootkit," or a set of software tools that intruders can use to gain access to a computer; it's installed either through a known vulnerability or password-cracking. Rootkits don't spread on their own, as viruses do, and require administrator access to be installed.

According to Ducklin, Opener could try to spread by copying itself to any drive that is mounted to the infected computer. This could be a local drive, part of a local network or a remote computer. It could also be the start of a spate of attacks that use Mac OS X's scripting features against its users, he said.

"The existence of Unix shells--such as Bash, for which this virus is written--and the presence of powerful networking commands opens up the game a little bit for Mac users. It is no longer necessary to know about Mac file formats or executables. You can write your malware in script. And if you really wanted to, you could probably write a portable virus that would run on many flavors of Unix" and Mac, said Ducklin.

Chris Waldrip, president of the U.S.-based Atlanta Macintosh Users Group, posted a detailed description of Opener on the MacInTouch Web site. Waldrip, who acknowledges that the threat has him "a bit spooked," said Opener seems to have started out with a "legitimate purpose" but has now been developed into a replicating piece of malware.

Waldrip's site also cautions against overreacting to Opener and advises people to use proper security techniques: "As readers take pains to point out, the threat has not yet been incorporated into a widespread virus, worm or Trojan horse, but that's a fairly short step from what we've already seen, and it's important to implement good security procedures."

Mikko Hypponen, director of antivirus research at F-Secure, said that viruses targeting the Macintosh system virtually disappeared in the late 1980s. "Things have been really quiet on Macintosh front, virus-wise. Back in the late 1980s, viruses used to be a much bigger problem on Macs than on PCs. We here at F-Secure used to have an antivirus product for Mac but discontinued it after the macro viruses died out," said Hypponen.

Symantec said users of Norton AntiVirus for Mac OS X were protected as long as they had updated their signatures over the weekend. A representative for the company said the relevant signature files had been available since Friday evening.

Munir Kotadia of ZDNet Australia reported from Sydney.

From isn at c4i.org Tue Oct 26 02:42:57 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 26 03:08:54 2004
Subject: [ISN] IBM offers companies monthly security report
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,96925,00.html

By Scarlet Pruitt
OCTOBER 25, 2004
IDG NEWS SERVICE

IBM today introduced a security service that offers a concise, monthly global-network threat report designed to help organizations assess security needs and vulnerabilities from a business perspective.

The IBM Global Business Security Index will compile threat information from some 2,700 IBM security professionals and half a million monitored devices, the company said. The data will then be analyzed by IBM security intelligence and consulting experts to rate the potential severity of IT threats.

IBM is selling the report to businesses as an IBM Security Intelligence Services offering. The report can be customized by industry and starts at a base price of around $10,000 to $15,000 a year, according to a company spokeswoman. Additionally, a portion of the report will be available every month for free on the company's Web site, the spokeswoman said.

The Global Business Security Index was introduced on the same day that the company named Stuart McIrvine as the new director of its Global Security Strategy division. McIrvine said that the Global Business Security Index is the kind of new service customers can expect to see more of under his reign.

"We are getting a lot of feedback from customers that they need help with a companywide security strategy," McIrvine said.

The index is aimed at the "boardroom" rather than IT departments because it helps companies assess their security vulnerabilities from a business perspective, he said.

The monthly report is about a page and a half long, with a threat level score and a few lines about how to resolve critical issues. Its advantage over security warnings issued by various antivirus companies is that it is concise and avoids "information overload," McIrvine said.

IBM's introduction of a new security offering comes amid warnings from the company that network attacks have surged in recent months. Attacks against critical infrastructure providers such as telecommunications companies, utilities and government agencies increased 55% from July to August of this year, IBM said. Meanwhile, overall attacks against enterprises and businesses IBM monitors have increased 27% since July, the company said.

The most prevalent attacks came from worms such as Sasser and Korgo and attackers seeking to exploit vulnerabilities in Web server software, IBM said.

From isn at c4i.org Tue Oct 26 02:43:11 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 26 03:08:56 2004
Subject: [ISN] A chief who lacks clout
Message-ID:

http://www.nwfusion.com/news/2004/1023achief.html

By Paul Roberts
IDG News Service
10/23/04

Steven Cooper, the first CIO of the U.S. Department of Homeland Security, is responsible for the IT assets used by 190,000 federal employees, but he's in a position that doesn't wield a lot of power.

In fact, a July 2004 report from the DHS Office of the Inspector General found that the CIO lacks the authority to manage the department's technology assets and programs.

The report, titled "Improvements Needed to DHS's Information Technology Management Structure," says the CIO is responsible for the creation of the department's communications infrastructure - consolidating disparate networks, data centers and systems inherited from member agencies. He oversees eight of the top 25 IT projects being implemented by civilian federal agencies, including the controversial US-VISIT visa program and the Integrated Wireless Network project that involves the Departments of Justice, Treasury and Homeland Security. (Then there's the matter of IT security: A 2003 Inspector General report found that none of DHS's constituent parts had fully functioning IT security programs.)

Despite these challenges, Cooper's office has been allotted limited resources - fewer than 65 employees to support a 180,000-person department. CIOs for member organizations within DHS have larger staffs than that.

To make matters worse, the report noted that the CIO doesn't report to either the DHS secretary or deputy secretary, but to the undersecretary of management. That means the CIO has no authority over the CIOs for DHS member organizations, whom he is charged with overseeing. Furthermore, there is no written policy to formalize the DHS CIO's role toward CIOs of member organizations.

But there's always a positive side. The report noted the creation of an Enterprise Infrastructure Board, which meets periodically to discuss IT integration strategies. And Cooper published an enterprise architecture and implementation plan.

Still, changes are needed. OIG recommended that the CIO report to the Deputy Secretary. DHS also needs to make it clear that CIOs in DHS member agencies report to Cooper's office along with the head of their agencies. And the DHS CIO should be given a staff that can carry out its enormous responsibilities.

From isn at c4i.org Tue Oct 26 02:43:49 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 26 03:08:58 2004
Subject: [ISN] Hackers stop Guardian campaign
Message-ID:

Forwarded from: GertJan Hagenaars

Funny that. Right on the heels of this article (on ISN) "Second Sight", where someone from the Guardian argues that using a DDOS is a good way of dealing with a "sick" server.

http://www.guardian.co.uk/online/comment/story/0,,1331820,00.html

Shoe on other foot; foot in mouth. Perfect.

Apparently, InfoSec News wrote:
% http://www.theinquirer.net/?article=19252
%
% By Nick Farrell
% 25 October 2004
%
% US CRACKERS have managed to do what governments, business people, and
% individuals have tried for years - get a British newspaper to stop
% printing things that they don't like.
%
% The Grauniad miffed voters in Ohio by suggesting which way they should
% use their power as a swing state to influence the course of the
% presidential election.
%
% The newspaper's website said letter writers were free to support
% either the Republican incumbent, US President George W. Bush, or
% Democratic challenger Senator John Kerry. But it noted a Guardian poll
% showed overwhelming support for Kerry.
%
% The Guardian had invited its readers to contact voters in Clark
% County, Ohio, a swing state, about the importance of the November 2
% election.
%
% Within the first day, more than 3,000 readers logged on to the
% newspaper's Web site to obtain the name and address of an unaffiliated
% voter taken from electoral rolls.
%
% By the time the news got over to the Americans, the campaign was
% interpreted as a bid by the evil left wing English press telling US
% people to vote for Kerry.
%
% Not only did they get thousands of angry phlegms and snottograms from
% Americans who apparently read the august organ across the pond.
%
% They also received the attentions of crackers who believed it was
% their patriotic duty to silence a free press, who they thought was
% talking ill of their candidate.
%
% The site was hacked and shut down. However, with true British stiff
% upper lip and in the traditions of sticking to your point of view no
% matter what the cost, the Guardian has decided against ploughing ahead
% regardless.
%
% The editors have decided that enough is enough and they are calling it
% quits. So just remember if a paper says something you don't like,
% don't bother with defamation courts. A simple denial of service attack
% is all that is required to stop a media campaign.
%
%
%
% _________________________________________
% Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/

Cheers,
GertJan.

--
+++++++++++++ -------- +++++ --- ++ - +0+ + ++ +++ +++++ ++++++++ +++++++++++++
sed '/^[when][coders]/!d        G.J.W. Hagenaars -- gj at hagenaars dot com
     /^...[discover].$/d        Remembering Mike Carty 1968-1994
     /^..[real].[code]$/!d      UltrixIrixAIXHPUXSunOSLinuxBSD, nothing but nix
     ' /usr/dict/words          I'm Dutch, what's _your_ excuse?

From isn at c4i.org Tue Oct 26 02:58:01 2004
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 26 03:09:00 2004
Subject: [ISN] Calling for participants Capture The Flag Event NYC
Message-ID:

Forwarded from: jwoloz

We are having a capture the flag event at Polytechnic University in Brooklyn, NY. If you would like to participate please visit http://isis.poly.edu/csaw/ to register. It's going to be Nov 8-9 and the first prize is 500.00 bucks. Email me if you have any questions.

-Jason

From isn at c4i.org Thu Oct 28 04:31:23 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 28 04:53:57 2004
Subject: [ISN] Professor 'horrified' by poor security
Message-ID:

Forwarded from: William Knowles

http://www.theage.com.au/articles/2004/10/25/1098667678959.html

By Edmund Tadros
October 26, 2004

Western computer systems are becoming more vulnerable to cyber-attacks, according to an information technology expert.

Most commercial software makers have "abrogated" their responsibility to create truly secure software, says Professor William Caelli, head of the school of software engineering and data communications at the Queensland University of Technology.

Caelli told last week's Australian Institute of Professional Intelligence Officers conference that he was "horrified" at the thought that intelligence-related systems might be developed on unprotected off-the-shelf platforms.

"Under no conditions should anyone in their sane mind run intelligence analytical systems on a Microsoft platform," he says.

He recommends "Solaris version eight or better" as a secure platform for intelligence systems and says the only way to secure a Microsoft-based system would be by "air gapping", or disconnecting the computer system completely from the internet.

"I'm talking about the problem of putting highly security-relevant systems on a totally insecure base," Caelli says.

He believes there is no commercial motivation for the information technology industry to develop truly secure systems.

"The problem is, essentially, the (information technology) industry itself abrogated its responsibility relating to security some 20 years ago. Today's servers and client systems are less secure than (the) mainframes I used in the 1970s."

He says manufacturers are unlikely to improve their standards unless there is "some sort of legislation" to mandate security levels.

Outsourcing and moving systems offshore also increase the risk of cyber-attack because it is a "delegation of information security to a third party".

Caelli is also critical of the lack of deep technology skills being produced by universities, singling out the US, Japan and Australia as being too focused on producing "business ready" IT graduates.

"There are many cases now where (the universities) are training IT personnel and IT professionals who really have no idea how the underlying structure of their systems work."

Caelli contrasts this with the deep technology skills coming out of countries such as Russia, Estonia and Hungary.

"I've seen code coming out from these guys written in assembler language. We don't do that any more. They do. They have (the) advantage."

He says similar skills will emerge from countries such as India, China and Indonesia, and warns that automated spyware will become a "major threat over the next five years".

From isn at c4i.org Thu Oct 28 04:30:34 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 28 04:53:59 2004
Subject: [ISN] Security UPDATE--Passphrases vs. Passwords--October 27, 2004
Message-ID:

====================

1. In Focus: Passphrases vs. Passwords

2. Security News and Features
- Recent Security Vulnerabilities
- Using WMI Filters with GPOs
- Windows XP Pro x64 Data Protection Features

3. Security Matters Blog
- Malware for Macs
- MSDN Magazine: Coding Your Way to Better Security

4. Security Toolkit
- FAQ
- Security Forum Featured Thread

5. New and Improved
- Lock Out Unwanted USB and Other Devices
- Help Users Self-Manage Passwords

====================

==== 1. In Focus: Passphrases vs. Passwords ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

For a long time, people have argued the need for longer and more complex passwords. The idea behind the argument is that short, simple passwords are far easier to crack than long, complex passwords. Some people even prefer randomly generated passwords, which can be even more difficult to crack because they typically aren't based on some alteration of a known word in a given language.

You might already know that Windows 2000 and later allow for a maximum password length of 127 characters. The allowed characters include punctuation, special characters, and even Unicode characters. The reason for the 127-character limit is that the password character array is a set of 256 bytes. Because Unicode characters require two bytes to represent one character, the maximum number of characters that can be stored in the array is 127, or half the size of the array itself.

The ability to use 127 characters allows far more complex passwords or passphrases than many of us use. I suppose the only real difference between a password and a passphrase is that a passphrase is a series of words with a space between them, and passphrases might tend to be longer than passwords.

Some of you might know of Robert Hensing, who works as a member of Microsoft's Security Incident Response Team. Hensing has a blog (syndicated at the first URL below, unsyndicated at the second URL below), and back in July, he wrote an interesting blog article (at the third URL below) that argues for the use of passphrases instead of passwords.

http://weblogs.asp.net/robert_hensing/Rss.aspx
http://weblogs.asp.net/robert_hensing/
http://weblogs.asp.net/robert_hensing/archive/2004/07/28/199610.aspx

In his article, Hensing explains why he thinks longer passphrases are superior. Essentially, it's because they take longer to crack. One can precompute a huge set of possible password hashes, then use these to minimize the time necessary to crack a given password. So shorter, single-word passwords are less secure because people can crack them really fast with precomputed hashes and other password-cracking tools.
But the hashes of longer passphrases that include a series of words or random character combinations are far more difficult to crack because they require far more time.

One premise behind password security is that a password should probably have a life span that's shorter than the time necessary to crack it. That way, the password will have been changed to something else before someone can crack it. Granted, an entity that really wants to know your password can use certain methods, such as distributed computing and super-fast computers, to crack it much faster than the average intruder could, no matter the length. But most intruders probably aren't capable of attaining such resources, so passphrases and short passphrase life spans could keep a large percentage of intruders completely at bay. Thus, they're worth considering.

To enforce the use of passphrases, you can establish policies that require a certain minimum number of characters. For example, if you require at least two dozen characters in a password, your computer users might be inclined to think of a phrase, which is of course easier to remember than a long string of characters.

If you're interested in the concept, read Hensing's blog article and consider the comments from various readers.

====================
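The life-span-versus-crack-time premise above, as an added example that is not part of the newsletter or of Hensing's article: it sizes the search space of a short password and of a 24-character passphrase, checks each against a rotation policy, and also bounds the passphrase by the word-guessing attacker's view (dictionary size to the power of word count), which is the tighter limit for phrases built from common words. The guess rate, dictionary size, sample passwords and function names are constructed for this example; the 127-character limit is the one the article states.

```python
"""Password vs. passphrase search space against a rotation policy.

Added example, not from the newsletter. Guess rates, dictionary size and
sample secrets are constructed values; the 127-character limit is the
figure the article gives for Windows 2000 and later.
"""
import string

MAX_WINDOWS_CHARS = 127  # limit stated in the article
SECONDS_PER_DAY = 86_400


def char_search_space(password: str) -> int:
    """Brute-force space for a random string: alphabet ** length, with the
    alphabet inferred from the character classes actually present."""
    classes = [
        string.ascii_lowercase,
        string.ascii_uppercase,
        string.digits,
        string.punctuation,
    ]
    alphabet = sum(len(cls) for cls in classes if any(c in cls for c in password))
    if " " in password:  # passphrases carry spaces between words
        alphabet += 1
    return alphabet ** len(password)


def phrase_search_space(words: int, dictionary_size: int) -> int:
    """Space faced by an attacker who guesses whole words: dictionary ** words.
    For a phrase of common words this is the realistic bound, and it is far
    smaller than the character-level bound for the same length."""
    return dictionary_size ** words


def days_to_exhaust(search_space: int, guesses_per_second: float) -> float:
    """Upper bound on cracking time: full exhaustion of the space."""
    return search_space / guesses_per_second / SECONDS_PER_DAY


def policy_is_sound(search_space: int, guesses_per_second: float, max_age_days: int) -> bool:
    """Hensing's premise: the secret must be retired before the space can be
    exhausted, so the exhaustion time has to exceed the maximum age."""
    return days_to_exhaust(search_space, guesses_per_second) > max_age_days


def fits_windows_limit(password: str) -> bool:
    """Length check against the 127-character limit the article describes."""
    return 0 < len(password) <= MAX_WINDOWS_CHARS


def compare(password: str, passphrase: str, words: int, dictionary_size: int,
            guesses_per_second: float, max_age_days: int) -> dict:
    """Evaluate a short password and a passphrase under one rotation policy,
    scoring the passphrase both by characters and by dictionary words."""
    return {
        "password_ok": policy_is_sound(
            char_search_space(password), guesses_per_second, max_age_days),
        "passphrase_chars_ok": policy_is_sound(
            char_search_space(passphrase), guesses_per_second, max_age_days),
        "passphrase_words_ok": policy_is_sound(
            phrase_search_space(words, dictionary_size), guesses_per_second, max_age_days),
    }


if __name__ == "__main__":
    # Constructed sample: an 8-character password against a 4-word, 24-character
    # phrase, a 1e9 guesses/second attacker and a 90-day maximum age.
    result = compare("secret12", "blue coral ladder moonlit", 4, 20_000, 1e9, 90)
    for name, ok in result.items():
        print(f"{name}: {'holds' if ok else 'fails'}")
```

With a 2,000-word dictionary the word-level check fails even though the character-level check still passes, which is why a minimum length alone does not guarantee a strong phrase.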
==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://www.windowsitpro.com/departments/departmentid/752/752.html

Using WMI Filters with GPOs
Most IT pros are familiar with the two most common methods for applying Group Policy: directly on the container (e.g., site, domain, organizational unit--OU, local object) and indirectly through security permission restrictions. In Windows Server 2003, Microsoft added Windows Management Instrumentation (WMI)-filtering capabilities to let you further hone the scope of a Group Policy Object (GPO). WMI filters let you apply a GPO to only certain members of a container that satisfy the criteria that the filter specifies. Jeff Fellinge explains how WMI works in this article on our Web site.
http://www.winnetmag.com/Article/ArticleID/44066/44066.html

Windows XP Pro x64 Data Protection Features
Due in the first half of 2005, Windows XP Professional x64 Edition will include virtually all the features from the 32-bit Windows XP Professional except for the 16-bit subsystem that enables DOS application compatibility and various legacy protocols such as Apple Computer's AppleTalk and NetBEUI. In this article, Paul Thurrott takes a look at the data-protection features in XP Pro x64.
http://www.winnetmag.com/Article/ArticleID/44134/44134.html

====================

==== 3. Security Matters Blog ====
by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters

Check out these recent entries in the Security Matters blog:

Malware for Macs
If you use Macintosh systems on your Windows networks, be aware that a group of people have been developing a "rootkit" for Mac OS X. The kit performs a variety of actions you might want to try to prevent.
http://www.winnetmag.com/Article/ArticleID/44311/44311.html

MSDN Magazine: Coding Your Way to Better Security
The new issue of MSDN Magazine has been released. This month's content focuses almost entirely on security concerns as they pertain to developers.
http://www.winnetmag.com/Article/ArticleID/44274/44274.html

==== 4. Security Toolkit ====

FAQ
by John Savill, http://www.windowsitpro.com/windowsnt20002003faq

Q: How do I set a domain to interim mode?

Find the answer at
http://www.winnetmag.com/Article/ArticleID/44199/44199.html

Security Forum Featured Thread
A forum participant has a problem when moving files and folders from an area that has write access to an area on the same shared drive that has read-only access. The files and folders are maintaining their original write permissions even though they were moved to a read-only area. He wants to know how he can make sure that the moved files and folders have read-only access. Join the discussion at
http://www.windowsitpro.com/Forums/messageview.cfm?catid=42&threadid=126705

====================

==== 5. New and Improved ====
by Renee Munshi, products@windowsitpro.com

Lock Out Unwanted USB and Other Devices
SmartLine offers DeviceLock 5.62, which controls which users or groups can access USB and FireWire devices, Wi-Fi and Bluetooth devices, CD-ROMs, floppy disks, and other removable devices. You can control access to devices depending on the time of day and day of the week and create a white list of USB devices that won't be locked regardless of any other settings. New in DeviceLock 5.62, you can use Group Policy to install the DeviceLock Service on target computers in an Active Directory (AD) domain. DeviceLock runs on Windows 2003/XP/2000/NT 4.0 computers. A single license is $35, and discounts are available for multiple licenses. For more information, go to
http://www.protect-me.com

Help Users Self-Manage Passwords
ANIXIS has released ANIXIS Password Reset 1.1, which lets users reset their own passwords without having to contact the Help desk or a network administrator. Users who've forgotten their passwords can use a standard Web browser to access Password Reset, which asks them to answer questions about themselves. Password Reset doesn't store the users' passwords or the answers to their password-verification questions; it stores the hashes of these answers. Password Reset uses the RSA and AES (Rijndael) encryption algorithms and runs on Windows Server 2003/2000/NT 4.0. Multi-user and enterprise-level licenses are available, with prices beginning at $360 for a 50-user license. You can download a free, fully functional evaluation version from
http://www.anixis.com
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com. Editor's note: Share Your Security Discoveries and Get $100 Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rsecadmin@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length. ==================== ==== Contact Us ==== About the newsletter -- letters@windowsitpro.com About technical questions -- http://www.windowsitpro.com/forums About product news -- products@windowsitpro.com About your subscription -- windowsitproupdate@windowsitpro.com About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com ==================== This email newsletter is brought to you by Security Administrator, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today. http://www.secadministrator.com/rd.cfm?code=00ep254xeb View the Windows IT Pro privacy policy at http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy Windows IT Pro, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2004, Penton Media, Inc. All rights reserved. 
From isn at c4i.org Thu Oct 28 04:32:30 2004
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 28 04:54:01 2004
Subject: [ISN] Hacking: the must-have business tool
Message-ID:

http://www.theregister.co.uk/2004/10/26/competitive_hacking/

By Mark Rasch
SecurityFocus
26th October 2004

Your competitor has a wildly successful web-based tool which is being used by many of your customers. Do you (A) give up and get out of the business; (B) set up a team of product developers to make a competing product; or (C) hack into the competitor's website, steal the code, and for good measure hire their critical employees to develop an exact duplicate of their website? If you answered (C) then congratulations and welcome to the new world of competitive hacking.

On 15 October, the United States Court of Appeals for the Ninth Circuit in Seattle, Washington had to deal with the case of two competing websites geared at helping long-distance truckers take on additional revenue-producing load to avoid the unprofitable practice of "dead-heading" - driving a truck that was less than full. One company, Creative Computing, created a successful website called Truckstop.com to help match truckers with loads. In the words of the court, a second company, Getloaded.com, "decided to compete, but not honestly".

Getloaded.com used many mechanisms to acquire data from the Truckstop.com website. Initially, they just copied the most current lists of unmatched drivers and loads. When Truckstop started using user IDs and passwords, Getloaded did the same. Reasoning correctly that truckers using both sites would create the same userids and passwords, Getloaded officials logged into Truckstop's site using their customers' IDs. Then they registered a defunct company as a subscriber as another route to getting access to the data. But this wasn't enough. As the court of appeals noted: "Getloaded's officers also hacked into the code Creative used to operate its website.
Microsoft had distributed a patch to prevent a hack it had discovered, but Creative Computing had not yet installed the patch on truckstop.com. Getloaded's president and vice-president hacked into Creative Computing's website through the back door that this patch would have locked."

Sound familiar? We in the security business have long preached patch management and access control. This case demonstrates the consequences of failure.

Increasingly, companies are keeping confidential and competitive information either on web-accessible databases, or on databases that are vulnerable to unauthorized access via standard Internet protocols and their vulnerabilities. Some of this is unavoidable: for truckers to have access to the website, it must necessarily be open and accessible. Access control for the general public is almost always accomplished via a user-defined userid and password, and users almost always select the same userids and passwords on multiple sites. Accounts are compromised as a result. Software robots can then be used to scrape competitive data off the site.

Economic Espionage

The answer to these problems is partly technical and partly legal. From a technical standpoint, companies must do a better job in selecting access control methodologies and auditing potential unauthorized access to a website. If you suddenly see thousands of attempted Web accesses from a small range of IP addresses (especially those associated with your competitor), it's likely that something fishy is going on. Intrusion detection, log monitoring, and of course patch management all become part of the overall security of the website and the contents. It's not enough to simply patch; you also have to employ technologies that will alert you to new vulnerabilities, new ports opening, and verify and validate the fact that patches have been applied properly.

From a legal standpoint, blocking competitors is tricky.
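Before turning to the legal side, it is worth seeing what the log-monitoring advice above looks like in practice: "thousands of attempted Web accesses from a small range of IP addresses", and one party logging in as many different customers because passwords are reused across sites, are both visible in the access log you already keep. The following is an added example, not code from the article or from either company in the case. It parses access-log lines in the common "combined" format, groups requests by /24 and flags subnets above a request threshold, and flags a subnet that has logged in as several different accounts. The log lines are constructed; the /24 grouping and the thresholds are assumptions to tune for a real site; and it assumes the application writes the account name into the log's authuser field when a POST to /login succeeds with a 302.

```python
"""Flag scraping bursts and shared-credential logins in web access logs.

Added example for the log-monitoring advice in the article; it is not code
from the article or from either company in the case. The log lines are
constructed, the /24 grouping and the thresholds are assumptions to tune
for a real site, and the application is assumed to write the account name
into the log's authuser field when a POST to /login succeeds (302).
"""
import re
from collections import defaultdict
from ipaddress import ip_network

# Apache/nginx "combined" log format: ip ident authuser [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def subnet_of(ip, prefix=24):
    """Collapse an address to its enclosing /prefix, so a scraper rotating hosts still groups together."""
    return str(ip_network(f"{ip}/{prefix}", strict=False))


def find_scrapers(lines, min_hits=50, prefix=24):
    """Return {subnet: request_count} for subnets at or above min_hits requests."""
    hits = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec:
            hits[subnet_of(rec["ip"], prefix)] += 1
    return {s: n for s, n in hits.items() if n >= min_hits}


def find_account_sharing(lines, login_path="/login", min_accounts=3, prefix=24):
    """Return {subnet: sorted account names} for subnets that logged in as several accounts.

    One party logging in as many customers is the trace the reused-password
    attack described in the article would leave behind.
    """
    accounts = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST" and rec["path"] == login_path
                and rec["status"] == 302 and rec["user"] != "-"):
            accounts[subnet_of(rec["ip"], prefix)].add(rec["user"])
    return {s: sorted(a) for s, a in accounts.items() if len(a) >= min_accounts}


def _build_sample_log():
    """Constructed sample: a paginated scrape from one /24, three accounts used from
    one address in that range, and one ordinary customer session elsewhere."""
    lines = []
    for i in range(60):
        ip = f"203.0.113.{10 + i % 4}"
        lines.append(f'{ip} - - [28/Oct/2004:04:30:{i % 60:02d} +0000] '
                     f'"GET /loads?page={i} HTTP/1.1" 200 5120')
    for user in ("bigrig42", "roadking", "haulit"):
        lines.append(f'203.0.113.7 - {user} [28/Oct/2004:04:31:00 +0000] '
                     '"POST /login HTTP/1.1" 302 0')
    lines.append('198.51.100.5 - trucker1 [28/Oct/2004:04:32:00 +0000] '
                 '"POST /login HTTP/1.1" 302 0')
    for i in range(3):
        lines.append(f'198.51.100.5 - trucker1 [28/Oct/2004:04:32:{i + 1:02d} +0000] '
                     f'"GET /loads?page={i} HTTP/1.1" 200 5120')
    return lines


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    for subnet, n in find_scrapers(SAMPLE_LOG).items():
        print(f"scraping burst: {n} requests from {subnet}")
    for subnet, users in find_account_sharing(SAMPLE_LOG).items():
        print(f"shared credentials? {subnet} logged in as {', '.join(users)}")
```

In production you would run the same counts per time window rather than over a whole file, and compare the flagged subnets against the address ranges you know belong to competitors; the point is that the signal the article describes is cheap to extract from logs a web server already writes.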
You essentially have created a "public" space, but want to put terms and conditions on what can be done in that space. It's sort of like the porn sites that say, as a condition of access, that you certify that you are not a cop, that naked pictures don't offend you, that you are over 18, and that you are aware of the contemporary community standards of wherever you live. Presumably, if you lie to obtain such access, you are violating the law.

Thus, part of your overall website defense is to create terms and conditions that prevent data on your site from being used against you: by entering the site the visitor agrees not to commercially use the data on the site, not to reverse engineer the software, or for that matter, not to do anything else that you want to prohibit. Making "fair use" of copyrighted materials is not a copyright violation, but here you are setting terms and conditions of entry into your space. If these terms and conditions are not unreasonable or oppressive, or don't otherwise violate some compelling public policy, then a court is likely to find them enforceable.

This was exactly what the courts did in a series of cases going back several years. For example, a court in San Francisco in 2000 found that an eBay competitor could not use an autobot to scan the eBay site for auction materials, as this constituted an "unauthorized access" to the site, and therefore a "trespass to chattels" which resulted in injury to eBay. Similarly, when a travel agent's site was likewise scoured by a competitor, a federal court in Boston found that the competitor had exceeded the scope of its authorization, and had not only committed a tort, but also a criminal violation of the federal computer crime law. Automated spam programs have likewise resulted in "unauthorized access" or "exceeding authorized access" claims.

The problem with such website policies is demonstrating in court that visitors agreed to be bound by them. A standard "clickwrap" agreement is sufficient.
If you have a portion of your website that you want to protect with a userid and password, you should force subscribers to agree to a set of reasonable terms and conditions of use of the website and its content - one that could be enforceable in court. In the trucking case, hacking alone wasn't sufficient, and Getloaded also "hired away a Creative Computing employee who had given Getloaded an unauthorized tour of the truckstop.com website," the court noted. "This employee, while still working for Creative, accessed confidential information regarding several thousand of Creative's customers. He downloaded, and sent to his home e-mail account, the confidential address to truckstop.com's server so that he could access the server from home and retrieve customer lists." The Getloaded case reflects what I believe is a growing trend in hacking: intrusion for competitive advantage. But the case also reinforces that old-fashioned techniques of competitive espionage remain a threat. SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc. From isn at c4i.org Thu Oct 28 04:36:10 2004 From: isn at c4i.org (InfoSec News) Date: Thu Oct 28 04:54:02 2004 Subject: [ISN] NIAP chief touts Common Criteria Message-ID: http://www.fcw.com/fcw/articles/2004/1025/web-niap-10-27-04.asp By Rutrell Yasin Oct. 27, 2004 Officials at the National Information Assurance Partnership have effectively raised the level of security in many information technology products used by the government, the security group's director said today. The aim of NIAP, an initiative of the National Institute of Standards and Technology and the National Security Agency, is to increase the level of trust users have in their information systems through the use of security testing, evaluation and validation programs. 
To that end, NIAP officials are responsible for implementing the Common Criteria Evaluation and Validation Scheme, a rigorous set of security tests that adhere to international standards. NIAP officials provide technical guidelines to eight commercial laboratories which conduct the tests.

Statistics gleaned from the labs' Common Criteria work indicate that the testing is improving security, said Jean Schaffer, director of NIAP. Schaffer spoke during a session at a Federal Information Assurance Conference held this week at the University of Maryland.

So far, 100 percent of the products evaluated have been approved, she said. The testing directly improved 30 percent of the products tested by eliminating security flaws that could have been exploited by attackers. About 40 percent of the products evaluated were improved by the addition or extension of security features, Schaffer said.

Critics say Common Criteria testing costs too much and takes too long, but Schaffer argued that these claims are made by those who do not have firsthand knowledge about the testing. Feedback from the labs shows that testing for Evaluation Assurance Level (EAL) 2, the minimum level of security, which includes products such as firewalls, intrusion-detection systems, routers and switches, costs $100,000 to $170,000 and takes four to six months. The highest level of security, EAL 4, which includes operating systems that support peer-to-peer communications, costs $300,000 to $750,000 and takes one year to two years. The time and cost are driven not so much by the process, but by the commercial market, she said.

NIAP officials want to develop protection profiles for a range of environments, but they lack the resources. For now, they are focused on Defense Department and intelligence agencies, Schaffer said. NIAP officials also want to develop a curriculum that would help software developers better understand security design principles and apply them within the vendor community.
The Common Criteria evaluation program continues to grow with 126 products in evaluation as of September 2004 compared with about 60 products at this time last year. "We're taking in six new products or more per month," she said. NIAP has an important role to play but is not the only player. There are some things Common Criteria does not address, such as testing software code that might have been developed in foreign countries, she said. From isn at c4i.org Thu Oct 28 04:36:48 2004 From: isn at c4i.org (InfoSec News) Date: Thu Oct 28 04:54:04 2004 Subject: [ISN] Bush website conspiracy theories darken skies Message-ID: http://www.theregister.co.uk/2004/10/27/bushwhacked/ By John Leyden 27th October 2004 The official Bush re-election website - which blocked access to most of the world outside the US this week - is still visible to Canadians. We don't know if it's fears about future attacks by hackers, concerns about keeping bandwidth costs to a minimum or an aggressive response to pinko UK broadsheet The Guardian's recent shameful pro-Kerry political lobbying efforts in Ohio which are behind moves that have rendered GeorgeWBush.com inaccessible to world + dog. Or, to be strictly accurate, most of the world bar the US and Canada which is presumably considered bandwidth-friendly, hacker-free and mercifully bereft of pinko broadsheets. We called the Republican National Committee for comment but they couldn't get back to us because campaign volunteers are not allowed to phone outside the US. So, we can't see Bush's website because of reckless politicking by pinko broadsheet agitators, Republicans can't call outside the US lest they be corrupted by pinko broadsheet agitators, but Canadians are exempt because - well, readers will have to answer that for themselves but a massive black swarm of black helicopters is already hovering menacingly on the horizon. 
Meanwhile, the official website of the Kerry/Edwards campaign (JohnKerry.com) is still accessible to all and sundry - as is the satire site GeorgeWBush.org. How many would-be visitors to GeorgeWBush.com - including US service men and citizens living abroad and now denied their God-given right to freely surf the Land of the Free - will wind up at the satire site, we wonder? We weep for democracy. From isn at c4i.org Thu Oct 28 04:37:15 2004 From: isn at c4i.org (InfoSec News) Date: Thu Oct 28 04:54:06 2004 Subject: [ISN] Hospital computer failure could be hackers, board told Message-ID: http://www.nzherald.co.nz/storydisplay.cfm?storyID=3604834 28.10.2004 Hackers may have been responsible for a major computer failure at Waikato Hospital two weeks ago. It was the longest unplanned blackout of the Waikato Health Board's core computer systems and the worst reported to Hewlett Packard -- the company that sold the computers -- in the Asia-Pacific region. Technicians from Australia and Waikato Hospital have identified possible causes ranging from hackers through to a failure of the embedded software that instructs the electronic components how to process commands. Health board staff across the region were forced to handwrite patient information and staff had their wages delayed after the computer system failure took the payroll and patient management systems down for 34 hours. No patient records were lost and the handwritten records have been entered into the system. The systems were stored on new servers thought to have a 99 per cent resistance to technical faults. Board chief executive Jan White told a board meeting yesterday it was difficult to find the cause of the fault because it was such a rare occurrence. It was important the fault was found so future breakdowns could be avoided. "It's still a major issue for us and until we get a diagnosis, it still has a major impact on where we should be going with our systems," she said. 
Independent computer experts were to be hired to review the computer systems to make sure nothing had been overlooked. "We have to be aware that we may never find the fault, but we do need an independent view," Dr White said. From isn at c4i.org Thu Oct 28 04:39:06 2004 From: isn at c4i.org (InfoSec News) Date: Thu Oct 28 04:54:07 2004 Subject: [ISN] Deleting Online Extortion Message-ID: http://www.latimes.com/news/yahoo/la-fi-extort25oct25,1,6874439.story By Joseph Menn Times Staff Writer October 25, 2004 To an old-time bookie like Mickey Richardson, $500 in protection money was chump change. So when he got an e-mail from gangsters threatening to bring his online sports betting operation to its knees, he paid up. Before long, though, the thugs wanted $40,000. And that ticked him off. "I'm stubborn," said Richardson, who runs Costa Rica-based BetCRIS.com. "I wanted to be the guy that says, 'I didn't pay, and I beat them.' " Richardson couldn't figure the odds, but he was determined to fight what's fast becoming the scourge of Internet-based businesses: high-tech protection rackets in which gangs of computer hackers choke off traffic to websites whose operators refuse their demands. Rather than brass knuckles and baseball bats, the weapons of choice for these digital extortionists are thousands of computers. They use them to launch coordinated attacks that knock targeted websites off-line for days, or even weeks, at a time. The shakedowns generate millions of dollars. Many Internet operators would rather pay protection money than risk even greater losses if their websites go down. After more than a year perfecting their techniques on gambling and pornographic websites, the gangs are starting to turn their talents to mainstream e-commerce operations. 
"It's pretty much a daily occurrence that one of our customers is under attack, and the sophistication of the attacks is getting better," said Ken Silva, a vice president at VeriSign Inc., the company that maintains the ".com" and ".net" domain name servers and provides security to many firms.

* Last month, Authorize.net, one of the biggest credit-card-services processors for online merchants, was hit repeatedly over two weeks, leaving thousands of businesses without a means to charge their customers.

* In April, hackers silenced Card Solutions International, a Kentucky company that sells credit card software over the Web, for a week after its owner refused to pay $10,000 to a group of Latvians. Only after switching Internet service providers could the company come back online.

* In August, a Massachusetts businessman was indicted on charges of orchestrating attacks on three television-services companies - costing one more than $200,000. The case against Saad Echouafni is one of the rare instances in which alleged attackers have been identified and charged. Echouafni skipped bail.

Many more attacks go unreported. "You're just seeing the tip of the iceberg," said Peter Rendall, chief executive of the Internet filter maker Top Layer Networks.

Richardson was intent on keeping his ship afloat. BetCRIS, short for Bet Costa Rica International Sportsbook, takes about $2 billion in bets every year from gamblers around the world. Most are placed online.

After customers complained early last year that the website seemed sluggish, Richardson felt a little relieved when an anonymous hacker e-mailed an admission that he had launched a denial-of-service attack against BetCRIS. The hacker wanted $500, via the Internet payment service e-Gold. That seemed like a bargain to Richardson. He paid up and promptly spent thousands more on hardware designed to weed out unfriendly Web traffic. "I was thinking if this ever happens again," he said, "we won't have a problem."
The Saturday before Thanksgiving, Richardson found out how wrong he was. An e-mail demanded $40,000 by the following noon. It was the start of one of the biggest betting weeks of the year, with pro and college football as well as basketball. Richardson didn't respond. The next day, BetCRIS crashed hard. About the same time, other betting sites were getting hit too. The threats came in mangled English: "In a case if you refuse our offer, your site will be attacked still long time." Some sites were shut down for weeks. Costa Rican law enforcement was ill-equipped to deal with computer hackers thousands of miles away. Given the shaky legality of offshore betting, seeking help from U.S. authorities wasn't an attractive option. So the bookie in Costa Rica turned to Barrett Lyon, a spiky-haired philosophy major from Sacramento. Lyon had consulted for a major provider of odds to casinos, Don Best Sports, after the Las Vegas company had been hacked, and he had helped ward off a denial-of-service attack there in 2000. From his condominium in Sacramento, Lyon quickly realized how much the landscape had changed since then. Instead of using a few machines, the extortion gangs control hundreds of thousands, often the personal computers of people with high-speed DSL lines or cable modems. Most of the PCs were compromised with a series of worms and viruses that began appearing last summer. They spread most easily to machines without firewalls and automated patching from security companies. The infections force computers to listen for further instructions from a new program or direct them to check with master machines. The resulting armies of computer "bots" - short for robots - are used for sending spam and stealing financial information in addition to launching denial-of-service attacks. 
As the written code of instructions for the malicious programs has spread, hackers have tinkered with them to suit their own ends, even renting out their mechanical legions for as little as a few hundred dollars an hour, experts said. The attacks on BetCRIS and other offshore sports books began as modest efforts in which an unknown number of computers initiated contact with the targets over and over. Lyon and a small team installed new hardware and wrote programs to weed out such traffic. But every move they made was matched by what Lyon came to believe was a sophisticated group on the other side. The site would reappear for minutes or hours and then crash again, once going down just as Richardson had begun celebrating. Through Thanksgiving and beyond, the hackers taunted Richardson, boasting that they would make an example of him. Sleepless for nights on end, Richardson gave pep talks to the more than 200 employees at the firm. Meanwhile, Lyon and partner Glenn Lebumfacil designed a new infrastructure for BetCRIS, one that relied on massive computing power far away from Costa Rica. Based in Phoenix, the new computers absorbed mammoth assaults without crashing. And the system cloaked the target sites so the hackers could see almost nothing about where their traffic was going. That kept the bad guys from pinpointing weaknesses in specialized machines inside the network. The defenses held. But Lyon was already thinking about offense. So he turned spy. Although the individual machines used in the attacks were scattered around the world, Lyon used some common software flaws to track them further. They were all taking orders from computer servers hosting a form of anonymous online chat called IRC, for Internet Relay Chat. Lyon joined the IRC channels as "hardcore," laboring to adopt just the right persona as he gossiped with the regulars. 
He pretended to be a bot program author from Vancouver, Canada, who had 250 machines under his control but had been away from the scene for a while. He watched as chat participants monitored attacks on Microsoft.com and BetCRIS.com. During hours of online talks from January to March of this year, Lyon offered to improve the others' attack program and lend his own zombie computers to their efforts. "i could re write it," Lyon typed at one point. "i did it last semester in school for a test - just to see how fast I could scan large groups of machines." Some members of the chat channel accepted his overtures. One, nicknamed "eXe," began making mistakes. He logged on from his home Internet service provider. A private file transfer gave away his true Internet address. And as late-night conversations turned social, he let slip his real first name - Ivan - and that he was a 21-year-old college student in Russia. Lyon had been working with the FBI to shut down some of the U.S.-based computers used in the attacks on the bookmakers. But without a U.S. victim, the agency was unwilling to launch its own investigation. It was a different story with the British authorities. After testing the waters with the bookies in Latin America, the Russian gang had turned to similar companies based in England and Australia, where gambling firms are legal. Soon almost every significant British betting firm had been hit at least once, and the matter grew to be a top priority for the London-based National Hi-Tech Crime Unit. One of the first British firms to be targeted, CanBet Ltd., had turned to the Hi-Tech Crime Unit in the fall and agreed to send traceable money to a list of names in Latvia provided by the extortionists. The unit sent a team to watch the pickup spots, along with local police, and the crew was alarmed to see the Latvians pick up cash sent by other businesses around the world. "That was our first sign that this was big - where was all this money coming from?" said Det. Supt. 
Mick Deets, deputy head of the Hi-Tech Crime Unit. In a meeting in Los Angeles with the FBI and British agents, Lyon passed along what he and his team had learned. "They were of significant assistance," Deets said. The ultimate "gotcha" came shortly after the L.A. meeting, when the hacker eXe used that same handle on an IRC network that listed a private e-mail address for him. Other records showed that the domain name in that e-mail address - "security-system.cc" - was owned by an Ivan Maksakov. "eXe made a HUGE mistake!" Lyon crowed in a March 13 e-mail to the Hi-Tech Crime Unit and the FBI. Armed with the results from the money trail and Lyon's information, the British authorities went to the Russian Interior Ministry and suggested several arrests, including that of Maksakov, who lived in Saratov. In late July, police picked him up, along with a 23-year-old St. Petersburg man and a 24-year-old in Stavropol. Two other suspects are being sought. Most known members of the ring are students who communicated entirely online, Interior Ministry spokesman Anatoly Platonov said. The group had taken in hundreds of thousands of dollars in extortion money, Deets said. Including lost profits at the bookmakers, at least two major banks and other targets, the ring caused about $90 million in damage, Platonov said. Lyon has mixed feelings about the sting against Maksakov, who told Lyon he made only $2,000 a month for fairly sophisticated work. "It's not going to get better with one or two kids put in prison," Lyon said. But that's good for his new business, Prolexic Technologies Inc., which is based in Hollywood, Fla. His sting operation for BetCRIS produced a dozen clients. Prolexic is on track to bring in $2 million this year. Alexei V. Kuznetsov of The Times' Moscow Bureau contributed to this report. 
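The command structure the article describes, compromised machines that "check with master machines" and were "all taking orders from computer servers hosting" IRC, leaves a simple trace on the defender's own network: many internal hosts holding connections to the same external host on an IRC port, something no group of ordinary users does by accident. The following is an added example, not code from the article, from Prolexic or from the investigators, that looks for that rendezvous pattern in flow records of the kind a router or flow collector exports. The records are constructed, and the internal address range, the set of ports treated as IRC and the client threshold are assumptions.

```python
"""Spot internal hosts rendezvousing at one external IRC server (botnet C&C pattern).

Added example illustrating the IRC command-and-control structure described
in the article; it is not code from the article, Prolexic or the
investigators. The flow records are constructed, and the internal network,
the IRC port set and the client threshold are assumptions.
"""
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")                  # assumption: the network being monitored
IRC_PORTS = frozenset(range(6660, 6670)) | {7000}    # assumption: ports to treat as IRC

# Constructed flow records: five internal hosts (one twice) on one external IRC
# server, one host on a different IRC server, some web traffic, one internal-only flow.
SAMPLE_FLOWS = """\
src,dst,dport,bytes
10.1.2.3,192.0.2.10,6667,412
10.1.2.4,192.0.2.10,6667,398
10.1.7.9,192.0.2.10,6667,405
10.2.0.1,192.0.2.10,6667,411
10.3.3.3,192.0.2.10,6667,402
10.1.2.3,192.0.2.10,6667,120
10.4.4.4,198.51.100.20,6667,9800
10.1.2.3,203.0.113.5,80,15200
10.2.0.1,203.0.113.5,443,22100
10.5.5.5,10.9.9.9,6667,300
"""


def parse_flows(text):
    """Parse CSV flow records into (src, dst, dport, bytes) tuples."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        out.append((ip_address(row["src"]), ip_address(row["dst"]),
                    int(row["dport"]), int(row["bytes"])))
    return out


def find_cnc_candidates(flows, min_clients=3):
    """Map external IRC servers to the internal hosts talking to them, keeping only
    servers shared by at least min_clients distinct internal hosts."""
    clients = defaultdict(set)
    for src, dst, dport, _ in flows:
        if src in INTERNAL and dst not in INTERNAL and dport in IRC_PORTS:
            clients[str(dst)].add(str(src))
    return {srv: sorted(c, key=ip_address)
            for srv, c in clients.items() if len(c) >= min_clients}


def suspected_bots(flows, min_clients=3):
    """Internal hosts that share a flagged server: the machines to pull for cleanup."""
    hosts = set()
    for members in find_cnc_candidates(flows, min_clients).values():
        hosts.update(members)
    return sorted(hosts, key=ip_address)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for srv, members in find_cnc_candidates(flows).items():
        print(f"possible C&C {srv}: {len(members)} internal clients")
    print("suspected bots:", ", ".join(suspected_bots(flows)))
```

The single host on 198.51.100.20 is left alone at the default threshold, which is the right call: one person on IRC is normal, five machines that never talk to each other all parked on the same outside server is the thing worth pulling apart, and a host that shows up there is the one whose missing patches and firewall the article blames for the infection in the first place.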
From isn at c4i.org Fri Oct 29 04:30:57 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Oct 29 04:44:41 2004
Subject: [ISN] Secunia Weekly Summary - Issue: 2004-44
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2004-10-21 - 2004-10-28

This week : 84 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database: http://secunia.com/

========================================================================
2) This Week in Brief:

ADVISORIES:

Security Researcher Chris Evans has reported multiple vulnerabilities in XPDF, which potentially can be exploited to compromise vulnerable systems. Several Linux/Unix distributions have already issued updated packages for these vulnerabilities. Please view secunia.com for details.
References:
http://secunia.com/SA12917

--

eEye Digital Security has reported a vulnerability in the very popular media players from RealNetworks. The vulnerability, which exists in a third party compression library, can be exploited to compromise vulnerable systems.

This vulnerability is related to a Microsoft update of the "dunzip32.dll" library earlier this month. Currently, it is unknown whether other third party software using this library is also affected. Secunia will of course issue Secunia advisories if more products are found vulnerable.

References:
http://secunia.com/SA12869
http://secunia.com/SA12805

--

PuTTY has released a new version that addresses a vulnerability which can be exploited by malicious servers to compromise a user's system.

A link to the updated version can be found in the referenced Secunia advisory below, along with additional details about the vulnerability.

Reference:
http://secunia.com/SA12987

VIRUS ALERTS:

Secunia has not issued any virus alerts during the last week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA12712] Mozilla / Mozilla Firefox / Camino Tabbed Browsing Vulnerabilities
2. [SA12889] Microsoft Internet Explorer Two Vulnerabilities
3. [SA12892] Safari Dialog Box Spoofing Vulnerability
4. [SA12713] Opera Tabbed Browsing Vulnerability
5. [SA12806] Internet Explorer Multiple Vulnerabilities
6. [SA12731] Maxthon Tabbed Browsing Vulnerabilities
7. [SA12714] Netscape Tabbed Browsing Vulnerabilities
8. [SA12717] Avant Browser Tabbed Browsing Vulnerabilities
9. [SA12706] Konqueror Tabbed Browsing Vulnerability
10. [SA12920] Internet Explorer for Mac Dialog Spoofing Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA12999] MailCarrier HELO/EHLO Buffer Overflow Vulnerability
[SA12990] NetObjects Fusion JPEG Processing Buffer Overflow
[SA12983] Slim Browser Tabbed Browsing Vulnerabilities
[SA12966] Netcaptor Tabbed Browsing Vulnerabilities
[SA12941] Ability Server "STOR" FTP Command Buffer Overflow Vulnerability
[SA12944] Altiris Deployment Solution Missing Server Authentication Security Issue
[SA12969] Novell ZENworks for Desktops Privilege Escalation Vulnerability
[SA12962] Altiris Carbon Copy Solution Privilege Escalation Vulnerability

UNIX/Linux:
[SA13006] Red Hat update for xpdf
[SA13003] Gentoo update for mpg123
[SA12998] zgv Multiple Integer Overflow Vulnerabilities
[SA12988] KOffice Multiple Integer Overflow Vulnerabilities
[SA12985] SuSE update for xpdf
[SA12978] Gentoo update for socat
[SA12971] Slackware update for apache/mod_ssl/php
[SA12964] Slackware update for gaim
[SA12957] Gentoo update for gaim
[SA12952] Conectiva update for mozilla
[SA12949] SuSE update for libtiff
[SA12947] Red Hat update for libtiff
[SA12940] Mandrake update for gpdf
[SA12936] socat "_msg()" Logging Format String Vulnerability
[SA12935] Fedora update for xpdf
[SA12931] Gentoo update for xpdf/cups
[SA12929] Mandrake update for gaim
[SA12928] Mandrake update for wxGTK2
[SA12926] Mandrake update for xpdf
[SA12925] KDE kpdf Integer Overflow Vulnerabilities
[SA12923] Mandrake update for kdegraphics
[SA12917] Xpdf Multiple Integer Overflow Vulnerabilities
[SA13010] Gentoo update for PuTTY
[SA13002] OmniWeb Dialog Spoofing Vulnerability
[SA13001] Fedora update for cups
[SA13000] Libxml2 Multiple Buffer Overflows
[SA12997] inetutils TFTP Client Buffer Overflow Vulnerability
[SA12987] PuTTY "SSH2_MSG_DEBUG" Packet Handling Buffer Overflow Vulnerability
[SA12984] Hummingbird Connectivity Two Vulnerabilities
[SA12982] iCab Dialog Spoofing Vulnerability
[SA12963] LinuxStat "template" Directory Traversal Vulnerability
[SA12955] dadaIMC "Post An Article" Script Insertion Vulnerability
[SA12950] Red Hat update for CUPS
[SA12934] Debian update for cupsys
[SA12924] Mandrake update for cups
[SA12921] CUPS Multiple Integer Overflow Vulnerabilities
[SA12920] Internet Explorer for Mac Dialog Spoofing Vulnerability
[SA12919] Debian update for ecartis
[SA12918] ecartis Unspecified "Same Domain" Security Bypass Vulnerability
[SA12972] Sun Solaris Samba Buffer Overflow Vulnerability
[SA12946] HP Serviceguard Unspecified System Compromise Vulnerability
[SA13009] Debian update for cabextract
[SA12951] Linux Kernel Terminal Subsystem Race Condition Vulnerabilities
[SA12943] cPanel Truncated Password Brute Force Vulnerability
[SA12939] Bugzilla Multiple Security Issues
[SA12933] Gentoo update for apache/mod_ssl
[SA13007] Red Hat update for mysql-server
[SA12958] Gentoo update for mysql
[SA12927] Mandrake update for squid
[SA13004] Gentoo update for rssh
[SA12977] Gentoo update for netatalk
[SA12976] Netatalk "etc2ps.sh" Script Insecure Temporary File Creation
[SA12974] GNU Troff "groffer.sh" Script Insecure Temporary File Creation
[SA12973] OpenSSL "der_chop" Script Insecure Temporary File Creation
[SA12968] Gentoo update for mit-krb5
[SA12967] Kerberos V5 "send-pr.sh" Script Insecure Temporary File Creation
[SA12961] WindowMaker Unspecified "WMGLOBAL" Vulnerability
[SA12956] Mozilla / Firefox / Thunderbird Downloaded File Content Disclosure Vulnerability
[SA12954] rssh Logging Format String Vulnerability
[SA12942] HP-UX stmkfont Privilege Escalation Vulnerability
[SA12938] Gentoo update for glibc
[SA12932] Fedora update for openoffice.org
[SA12930] GNU C Library "catchsegv" Script Insecure Temporary File Creation Vulnerability
[SA12916] Speedtouch USB Driver Privilege Escalation Vulnerability
[SA12915] Gentoo update for ghostscript

Other:
[SA12945] Java 2 Micro Edition (J2ME) Bytecode Verifier Code Execution Vulnerabilities

Cross Platform:
[SA12995] ImageMagick EXIF Parser Buffer Overflow Vulnerability
[SA12994] PHPlist Unspecified Vulnerability
[SA12993] Mega Upload Unspecified "File List" Vulnerability
[SA12980] Phorum Unspecified Cross-Site Scripting and SQL Injection
[SA12965] SKForum Unspecified "my wiki" and "wiki" Vulnerability
[SA12960] IPplan Unspecified SQL Injection Vulnerabilities
[SA12992] Horde "Help Window" Cross-Site Scripting Vulnerability
[SA12975] MoniWiki "wiki.php" Cross-Site Scripting Vulnerability
[SA12970] OpenWFE "url" Cross-Site Scripting and Remote "Port Scanning" Vulnerabilities
[SA12922] IBM HTTP Server apr-util Library and Environment Variable Expansion Vulnerabilities

========================================================================
5) Vulnerabilities Content Listing

Windows:
--

[SA12999] MailCarrier HELO/EHLO Buffer Overflow Vulnerability

Critical: Extremely critical
Where: From remote
Impact: System access
Released: 2004-10-28

muts has discovered a vulnerability in MailCarrier, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12999/

--

[SA12990] NetObjects Fusion JPEG Processing Buffer Overflow

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-10-27

A vulnerability has been discovered in NetObjects Fusion, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12990/

--

[SA12983] Slim Browser Tabbed Browsing Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Spoofing
Released: 2004-10-26

Two vulnerabilities have been reported in Slim Browser, which can be exploited by malicious web sites to obtain sensitive information and spoof dialog boxes.
Full Advisory:
http://secunia.com/advisories/12983/

--

[SA12966] Netcaptor Tabbed Browsing Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Spoofing
Released: 2004-10-25

Two vulnerabilities have been discovered in Netcaptor, which can be exploited by malicious web sites to obtain sensitive information and spoof dialog boxes.

Full Advisory:
http://secunia.com/advisories/12966/

--

[SA12941] Ability Server "STOR" FTP Command Buffer Overflow Vulnerability

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-10-25

muts has discovered a vulnerability in Ability Server, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12941/

--

[SA12944] Altiris Deployment Solution Missing Server Authentication Security Issue

Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2004-10-25

Brian Gallagher has reported a security issue in Altiris Deployment Solution, which potentially can be exploited by malicious people to compromise certain systems.

Full Advisory:
http://secunia.com/advisories/12944/

--

[SA12969] Novell ZENworks for Desktops Privilege Escalation Vulnerability

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-10-26

A vulnerability has been reported in Novell ZENworks for Desktops, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/12969/

--

[SA12962] Altiris Carbon Copy Solution Privilege Escalation Vulnerability

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-10-25

KF has reported a vulnerability in Altiris Carbon Copy Solution, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/12962/

UNIX/Linux:
--

[SA13006] Red Hat update for xpdf

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-10-27

Red Hat has issued an update for xpdf. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13006/

--

[SA13003] Gentoo update for mpg123

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-10-27

Gentoo has issued an update for mpg123. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13003/

--

[SA12998] zgv Multiple Integer Overflow Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-10-28

infamous41md has reported multiple vulnerabilities in zgv, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12998/

--

[SA12988] KOffice Multiple Integer Overflow Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-10-27

Multiple vulnerabilities have been reported in KOffice, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12988/

--

[SA12985] SuSE update for xpdf

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-10-26

SuSE has issued updates for xpdf, gpdf, kdegraphics3-pdf, pdftohtml, and cups. These fix some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12985/

--

[SA12978] Gentoo update for socat

Critical: Highly critical
Where: From remote
Impact: Privilege escalation, System access
Released: 2004-10-26

Gentoo has issued an update for socat. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12978/

--

[SA12971] Slackware update for apache/mod_ssl/php

Critical: Highly critical
Where: From remote
Impact: Security Bypass, DoS, System access
Released: 2004-10-26

Slackware has issued updates for apache, mod_ssl, and php. These fix some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, cause a DoS (Denial of Service), and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12971/

--

[SA12964] Slackware update for gaim

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-10-25

Slackware has issued an update for gaim. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12964/

--

[SA12957] Gentoo update for gaim

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-10-25

Gentoo has issued an update for gaim. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12957/

--

[SA12952] Conectiva update for mozilla

Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, Spoofing, Manipulation of data, Exposure of sensitive information, DoS, System access
Released: 2004-10-25

Conectiva has issued an update for mozilla. This fixes multiple vulnerabilities, which can be exploited to cause a DoS (Denial of Service), conduct spoofing and cross-site scripting attacks, access and modify sensitive information, or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12952/

--

[SA12949] SuSE update for libtiff

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2004-10-22

SuSE has issued an update for libtiff. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system or cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12949/

--

[SA12947] Red Hat update for libtiff

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2004-10-22

Red Hat has issued an update for libtiff. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system or cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12947/

--

[SA12940] Mandrake update for gpdf

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-10-22

MandrakeSoft has issued an update for gpdf. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12940/

--

[SA12936] socat "_msg()" Logging Format String Vulnerability

Critical: Highly critical
Where: From remote
Impact: Privilege escalation, System access
Released: 2004-10-22

CoKi has reported a vulnerability in socat, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12936/

--

[SA12935] Fedora update for xpdf

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-10-22

Fedora has issued an update for xpdf. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12935/

--

[SA12931] Gentoo update for xpdf/cups

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-10-22

Gentoo has issued updates for xpdf and cups.
These fix some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12931/

--

[SA12929] Mandrake update for gaim

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-10-22

MandrakeSoft has issued an update for gaim. This fixes two vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12929/

--

[SA12928] Mandrake update for wxGTK2

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2004-10-22

MandrakeSoft has issued an update for wxGTK2. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system or cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12928/

--

[SA12926] Mandrake update for xpdf

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-10-22

MandrakeSoft has issued an update for xpdf. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12926/

--

[SA12925] KDE kpdf Integer Overflow Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-10-22

Chris Evans has reported multiple vulnerabilities in KDE kpdf, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12925/

--

[SA12923] Mandrake update for kdegraphics

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-10-22

MandrakeSoft has issued an update for kdegraphics. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12923/

--

[SA12917] Xpdf Multiple Integer Overflow Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-10-22

Chris Evans has reported multiple vulnerabilities in Xpdf, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12917/

--

[SA13010] Gentoo update for PuTTY

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-10-28

Gentoo has issued an update for PuTTY. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13010/

--

[SA13002] OmniWeb Dialog Spoofing Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Spoofing
Released: 2004-10-27

A vulnerability has been discovered in OmniWeb, which can be exploited by malicious web sites to spoof dialog boxes.

Full Advisory:
http://secunia.com/advisories/13002/

--

[SA13001] Fedora update for cups

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-10-27

Fedora has issued an update for cups. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13001/

--

[SA13000] Libxml2 Multiple Buffer Overflows

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-10-28

infamous41md has reported a vulnerability in Libxml2, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13000/

--

[SA12997] inetutils TFTP Client Buffer Overflow Vulnerability

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-10-28

infamous41md has reported a vulnerability in the inetutils TFTP client, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12997/

--

[SA12987] PuTTY "SSH2_MSG_DEBUG" Packet Handling Buffer Overflow Vulnerability

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-10-27

A vulnerability has been reported in PuTTY, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12987/

--

[SA12984] Hummingbird Connectivity Two Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Privilege escalation, DoS
Released: 2004-10-26

CESG Network Defence Team has reported two vulnerabilities in Hummingbird Connectivity, which can be exploited to gain escalated privileges or cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12984/

--

[SA12982] iCab Dialog Spoofing Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Spoofing
Released: 2004-10-26

A vulnerability has been discovered in iCab, which can be exploited by malicious web sites to spoof dialog boxes.

Full Advisory:
http://secunia.com/advisories/12982/

--

[SA12963] LinuxStat "template" Directory Traversal Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2004-10-25

A vulnerability has been reported in LinuxStat, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/12963/

--

[SA12955] dadaIMC "Post An Article" Script Insertion Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2004-10-25

Elac has discovered a vulnerability in dadaIMC, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/12955/

--

[SA12950] Red Hat update for CUPS

Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information, System access
Released: 2004-10-22

Red Hat has issued an update for cups. This fixes some vulnerabilities, which potentially can be exploited to compromise a vulnerable system or gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/12950/

--

[SA12934] Debian update for cupsys

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-10-22

Debian has issued an update for cupsys. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12934/

--

[SA12924] Mandrake update for cups

Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information, System access
Released: 2004-10-22

MandrakeSoft has issued an update for cups. This fixes some vulnerabilities, which potentially can be exploited to compromise a vulnerable system or gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/12924/

--

[SA12921] CUPS Multiple Integer Overflow Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2004-10-22

Chris Evans has reported some vulnerabilities in CUPS, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/12921/

--

[SA12920] Internet Explorer for Mac Dialog Spoofing Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Spoofing
Released: 2004-10-22

A vulnerability has been discovered in Internet Explorer for Mac, which can be exploited by malicious web sites to spoof dialog boxes.

Full Advisory:
http://secunia.com/advisories/12920/

--

[SA12919] Debian update for ecartis

Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2004-10-21

Debian has issued an update for ecartis. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/12919/

--

[SA12918] ecartis Unspecified "Same Domain" Security Bypass Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2004-10-21

A vulnerability has been reported in ecartis, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/12918/

--

[SA12972] Sun Solaris Samba Buffer Overflow Vulnerability

Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2004-10-26

Sun has acknowledged a vulnerability in Samba for Solaris, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12972/

--

[SA12946] HP Serviceguard Unspecified System Compromise Vulnerability

Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2004-10-22

A vulnerability has been reported in HP Serviceguard, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12946/

--

[SA13009] Debian update for cabextract

Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2004-10-28

Debian has issued an update for cabextract. This fixes a vulnerability, which potentially can be exploited to overwrite arbitrary files on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13009/

--

[SA12951] Linux Kernel Terminal Subsystem Race Condition Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information, DoS
Released: 2004-10-22

Two vulnerabilities have been reported in the Linux kernel, which can be exploited to potentially disclose kernel data or cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12951/

--

[SA12943] cPanel Truncated Password Brute Force Vulnerability

Critical: Less critical
Where: From remote
Impact: Brute force
Released: 2004-10-22

Andrey Bayora has reported a vulnerability in cPanel, which makes it easier for malicious people to brute force webmail account passwords.

Full Advisory:
http://secunia.com/advisories/12943/

--

[SA12939] Bugzilla Multiple Security Issues

Critical: Less critical
Where: From remote
Impact: Security Bypass, Exposure of sensitive information
Released: 2004-10-25

Three security issues have been reported in Bugzilla, which can be exploited by malicious users to bypass certain security restrictions and gain knowledge of potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/12939/

--

[SA12933] Gentoo update for apache/mod_ssl

Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2004-10-22

Gentoo has issued updates for apache and mod_ssl. These fix a security issue, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/12933/

--

[SA13007] Red Hat update for mysql-server

Critical: Less critical
Where: From local network
Impact: Security Bypass, Privilege escalation, DoS, System access
Released: 2004-10-27

Red Hat has issued an update for mysql-server. This fixes some vulnerabilities, which can be exploited by malicious users to bypass certain security restrictions, cause a DoS (Denial of Service), and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13007/

--

[SA12958] Gentoo update for mysql

Critical: Less critical
Where: From local network
Impact: Security Bypass, Privilege escalation, DoS, System access
Released: 2004-10-25

Gentoo has issued an update for mysql. This fixes multiple vulnerabilities, which can be exploited by malicious users to bypass certain security restrictions, cause a DoS (Denial of Service), and potentially compromise the system.

Full Advisory:
http://secunia.com/advisories/12958/

--

[SA12927] Mandrake update for squid

Critical: Less critical
Where: From local network
Impact: DoS
Released: 2004-10-22

MandrakeSoft has issued an update for squid. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/12927/

--

[SA13004] Gentoo update for rssh

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-10-27

Gentoo has issued an update for rssh. This fixes a vulnerability, which potentially can be exploited by malicious users to gain interactive access.

Full Advisory:
http://secunia.com/advisories/13004/

--

[SA12977] Gentoo update for netatalk

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-10-26

Gentoo has issued an update for netatalk. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/12977/

--

[SA12976] Netatalk "etc2ps.sh" Script Insecure Temporary File Creation

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-10-26

A vulnerability has been reported in Netatalk, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/12976/

--

[SA12974] GNU Troff "groffer.sh" Script Insecure Temporary File Creation

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-10-26

A vulnerability has been reported in GNU Troff, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/12974/

--

[SA12973] OpenSSL "der_chop" Script Insecure Temporary File Creation

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-10-26

A vulnerability has been reported in OpenSSL, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/12973/

--

[SA12968] Gentoo update for mit-krb5

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-10-25

Gentoo has issued an update for mit-krb5. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/12968/

--

[SA12967] Kerberos V5 "send-pr.sh" Script Insecure Temporary File Creation

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-10-25

A vulnerability has been reported in Kerberos V5, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory:
http://secunia.com/advisories/12967/

--

[SA12961] WindowMaker Unspecified "WMGLOBAL" Vulnerability

Critical: Less critical
Where: Local system
Impact: Unknown
Released: 2004-10-25

A vulnerability with an unknown impact has been reported in WindowMaker.

Full Advisory:
http://secunia.com/advisories/12961/

--

[SA12956] Mozilla / Firefox / Thunderbird Downloaded File Content Disclosure Vulnerability

Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2004-10-25

Martin has reported a vulnerability in Mozilla, Firefox, and Thunderbird, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/12956/

--

[SA12954] rssh Logging Format String Vulnerability

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-10-25

Florian Schilhabel has reported a vulnerability in rssh, which potentially can be exploited by malicious users to gain interactive access.

Full Advisory:
http://secunia.com/advisories/12954/

--

[SA12942] HP-UX stmkfont Privilege Escalation Vulnerability

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-10-22

NSFOCUS has reported a vulnerability in HP-UX, which can be exploited by malicious people to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/12942/

--

[SA12938] Gentoo update for glibc

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-10-22

Gentoo has issued an update for glibc. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/12938/

--

[SA12932] Fedora update for openoffice.org

Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2004-10-22

Fedora has issued an update for openoffice.org. This fixes a vulnerability, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/12932/

--

[SA12930] GNU C Library "catchsegv" Script Insecure Temporary File Creation Vulnerability

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-10-22

A vulnerability has been reported in GNU C Library (glibc), which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/12930/

--

[SA12916] Speedtouch USB Driver Privilege Escalation Vulnerability

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-10-21

A vulnerability has been reported in Speedtouch USB Driver, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/12916/

--

[SA12915] Gentoo update for ghostscript

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2004-10-21

Gentoo has issued an update for ghostscript. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/12915/

Other:
--

[SA12945] Java 2 Micro Edition (J2ME) Bytecode Verifier Code Execution Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-10-22

Adam Gowdiak has reported two vulnerabilities in Java 2 Micro Edition (J2ME), which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/12945/

Cross Platform:
--

[SA12995] ImageMagick EXIF Parser Buffer Overflow Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2004-10-27

A vulnerability has been reported in ImageMagick, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/12995/

--

[SA12994] PHPlist Unspecified Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2004-10-27

A vulnerability with an unknown impact has been reported in PHPlist.

Full Advisory:
http://secunia.com/advisories/12994/

--

[SA12993] Mega Upload Unspecified "File List" Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2004-10-27

A vulnerability with an unknown impact has been reported in Mega Upload.

Full Advisory:
http://secunia.com/advisories/12993/

--

[SA12980] Phorum Unspecified Cross-Site Scripting and SQL Injection

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2004-10-26

Positive Technologies has reported some vulnerabilities in Phorum, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/12980/

--

[SA12965] SKForum Unspecified "my wiki" and "wiki" Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2004-10-25

A vulnerability with an unknown impact has been reported in SKForum.

Full Advisory:
http://secunia.com/advisories/12965/

--

[SA12960] IPplan Unspecified SQL Injection Vulnerabilities

Critical: Moderately critical
Where: From local network
Impact: Manipulation of data
Released: 2004-10-25

Some vulnerabilities have been reported in IPplan, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/12960/

--

[SA12992] Horde "Help Window" Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-10-27

A vulnerability has been reported in Horde Application Framework, which potentially can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/12992/

--

[SA12975] MoniWiki "wiki.php" Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2004-10-26

Jeremy Bae has reported a vulnerability in MoniWiki, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/12975/

--

[SA12970] OpenWFE "url" Cross-Site Scripting and Remote "Port Scanning" Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Spoofing
Released: 2004-10-27

Joxean Koret has reported two vulnerabilities in OpenWFE, which can be exploited by malicious people to conduct cross-site scripting attacks and use a vulnerable system for port scanning other hosts.

Full Advisory:
http://secunia.com/advisories/12970/

--

[SA12922] IBM HTTP Server apr-util Library and Environment Variable Expansion Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Privilege escalation, DoS
Released: 2004-10-22

Two vulnerabilities have been reported in IBM HTTP Server, which can be exploited to cause a DoS (Denial of Service) or gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/12922/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/ Subscribe: http://secunia.com/secunia_weekly_summary/ Contact details: Web : http://secunia.com/ E-mail : support@secunia.com Tel : +45 70 20 51 44 Fax : +45 70 20 51 45 ======================================================================== From isn at c4i.org Fri Oct 29 04:29:41 2004 From: isn at c4i.org (InfoSec News) Date: Fri Oct 29 04:44:43 2004 Subject: [ISN] ITL Bulletin for October 2004 Message-ID: Forwarded from: Elizabeth Lennon ITL BULLETIN FOR OCTOBER 2004 SECURING VOICE OVER INTERNET PROTOCOL (IP) NETWORKS By Thomas J. Walsh and D. Richard Kuhn National Institute of Standards and Technology Technology Administration U.S. Department of Commerce Voice over IP (VOIP) - the transmission of voice over traditional packet-switched IP networks - is one of the hottest trends in telecommunications. As with any new technology, VOIP introduces both opportunities and security challenges. Lower cost and greater flexibility are among the promises of VOIP for the enterprise, but security administrators will face significant issues. Administrators may assume that since digitized voice travels in packets, they can simply plug VOIP components into their already-secured networks and expect a stable and secure voice network. Unfortunately, many of the tools used to safeguard today's computer networks, namely firewalls, Network Address Translation (NAT), and encryption, don't work "as is" in a VOIP network. VOIP systems take a wide variety of forms. Just about any computer is capable of providing VOIP, and most users don't realize that they already have basic VOIP applications. Microsoft's NetMeeting, or the newer Windows Messenger, which come with Windows platforms, provides voice and video services, and Linux platforms have a number of VOIP applications from which to choose. 
In general, though, the term Voice Over IP is associated with equipment that provides the ability to dial telephone numbers and communicate with parties on the other end who may have either another VOIP system or a traditional analog telephone. Demand for VOIP services has resulted in a broad array of products, including:

* Traditional telephone handset - Usually these products have extra features beyond a simple handset with dial pad. Some of these units may have a "base station" design that provides the same convenience as a conventional cordless phone.

* Conferencing units - These provide the same type of service as conventional conference calling phone systems, but since communication is handled over the Internet, they may allow users to coordinate traditional data communication services, such as a whiteboard that displays on computer monitors at both ends.

* Mobile units - Wireless VOIP units are becoming increasingly popular, especially since many organizations already have an installed base of 802.11 networking equipment. Wireless VOIP products present particularly acute security problems, given the well-known weaknesses of the 802.11 family of protocols.

* PC or "softphone" - With a headset, software, and inexpensive connection service, any PC or workstation can be used as a VOIP unit, often referred to as a "softphone."

In addition to end-user equipment, VOIP systems include specialized components beyond those found on an ordinary IP network: call managers and media/signaling gateways. Call managers are required to set up calls, monitor call state, handle number translation, and provide basic telephony services. Call managers also handle signaling functions that coordinate with media gateways, which are the interface between the VOIP network and the public switched telephone network (PSTN).
Depending on the system, gateway functions may be implemented as a board or dedicated appliance, or may be provided through a distributed system of servers and databases.

Current VOIP systems use one of two protocols, H.323 or the Session Initiation Protocol (SIP). SIP is the IETF specified protocol for initiating a two-way communication session. It was designed to be simpler than H.323, but has become increasingly complex as the standard has evolved. SIP is text based; its messages are similar to e-mail message formats. Also, SIP is an application level protocol, that is, it is decoupled from the protocol layer it is transported across. Unlike H.323, SIP uses only one port in the call setup process. The architecture of a SIP network also differs from the H.323 structure. A SIP network is made up of end points, a proxy and/or redirect server, location server, and registrar. In the SIP model, a user is not bound to a specific host. Instead, users initially report their location to a registrar, which may be integrated into a proxy or redirect server.

H.323 is the International Telecommunication Union (ITU) specification for audio and video communication across packetized networks. H.323 acts as a wrapper for a suite of media control recommendations by the ITU incorporating several other protocols, including H.225 and H.245. Each of these protocols has a specific role in the call setup process, and all but one make use of dynamic ports. An H.323 network is made up of several endpoints (terminals) that are normally bound to a specific address, a gateway, and possibly a gatekeeper, multipoint control unit, and back end service. The gateway serves as a bridge between the H.323 network and the outside world of (possibly) non-H.323 devices, including SIP networks and traditional PSTN networks.
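SIP's text, e-mail-like message format and the dynamic media ports a call negotiates, as an added example that is not part of the bulletin and not any product's code: a toy SIP-aware stateful filter in Python that parses INVITE and 200 OK messages with their SDP bodies and admits RTP only between the two endpoints of a properly set-up call, which is the kind of state the VOIP-aware firewalls and ALGs discussed later in the bulletin must keep. The voice subnet prefix, addresses and messages are constructed, and SIP is assumed to pass directly between endpoints with no proxy in the path.

```python
"""Toy SIP-aware stateful filter, the state a VOIP ALG keeps: parse SIP's text
messages and SDP bodies to learn the dynamic RTP port a call negotiates, and
admit UDP media only for calls that were properly set up. Added example with
constructed subnet, addresses and messages; SIP is assumed to pass directly
between endpoints (no proxy in the path)."""
import re

VOICE_NET = "10.10.0."  # constructed voice subnet prefix; only hosts here may start calls


def parse_sdp(text: str) -> tuple:
    """Return (connection IP, audio port) from the SDP c= and m=audio lines."""
    ip = port = None
    for line in text.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line[9:].strip()
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
    if ip is None or port is None:
        raise ValueError("SDP lacks a c= or m=audio line")
    return ip, port


def parse_sip(raw: bytes) -> dict:
    """Split a SIP message into start line, headers and body; the body must be
    exactly as long as Content-Length claims."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    if int(headers.get("content-length", ["0"])[0]) != len(body):
        raise ValueError("Content-Length does not match the body")
    status = re.match(r"SIP/2\.0 (\d{3}) ", lines[0])
    return {"method": None if status else lines[0].split(" ", 1)[0],
            "status": int(status.group(1)) if status else None, "headers": headers,
            "sdp": parse_sdp(body.decode("ascii")) if body else None}


class SipAlg:
    """Tracks calls by Call-ID and opens an RTP pinhole only after the 200 OK answer."""

    def __init__(self):
        self.calls = {}        # Call-ID -> {"caller": (ip, port), "callee": (ip, port) or None}
        self.pinholes = set()  # frozenset({(ip, port), (ip, port)}) allowed to exchange UDP

    def on_sip(self, src_ip: str, raw: bytes) -> bool:
        """Process one SIP message from src_ip; True if the filter lets it through."""
        msg = parse_sip(raw)
        call_id = msg["headers"].get("call-id", [None])[0]
        media = msg["sdp"]
        if call_id is None:
            return False
        if msg["method"] == "INVITE":
            # call setup may only originate on the voice segment, and the SDP address
            # must be the sender's own, so nobody can open a pinhole for a third host
            if not src_ip.startswith(VOICE_NET) or media is None or media[0] != src_ip:
                return False
            self.calls[call_id] = {"caller": media, "callee": None}
            return True
        if msg["status"] == 200 and call_id in self.calls and media is not None:
            if media[0] != src_ip:
                return False
            call = self.calls[call_id]
            call["callee"] = media
            self.pinholes.add(frozenset({call["caller"], media}))
            return True
        if msg["method"] == "BYE" and call_id in self.calls:
            call = self.calls.pop(call_id)
            if call["callee"] is not None:
                self.pinholes.discard(frozenset({call["caller"], call["callee"]}))
            return True
        return call_id in self.calls  # ACK and other in-dialog traffic of a known call

    def on_udp(self, src: tuple, dst: tuple) -> bool:
        """Admit an RTP datagram only between the two endpoints of an established call."""
        return frozenset({src, dst}) in self.pinholes


def build_sip(start: str, headers: list, sdp: str = "") -> bytes:
    """Serialise a SIP message with a correct Content-Length (demo helper)."""
    body = sdp.encode("ascii")
    lines = [start] + headers + (["Content-Type: application/sdp"] if body else [])
    lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body


def make_sdp(ip: str, port: int) -> str:
    return (f"v=0\r\no=- 1 1 IN IP4 {ip}\r\ns=-\r\nc=IN IP4 {ip}\r\nt=0 0\r\n"
            f"m=audio {port} RTP/AVP 0\r\n")


def demo() -> dict:
    """Walk one constructed call through the filter; return each admission decision."""
    alg = SipAlg()
    alice, bob = ("10.10.0.5", 16384), ("10.10.0.9", 20000)
    cid = "Call-ID: 7f3c@10.10.0.5"
    invite = build_sip("INVITE sip:bob@voice.example SIP/2.0", [cid, "CSeq: 1 INVITE"],
                       make_sdp(*alice))
    answer = build_sip("SIP/2.0 200 OK", [cid, "CSeq: 1 INVITE"], make_sdp(*bob))
    bye = build_sip("BYE sip:alice@voice.example SIP/2.0", [cid, "CSeq: 2 BYE"])
    return {"invite_from_data_segment": alg.on_sip("192.168.1.20", invite),  # refused
            "invite": alg.on_sip(alice[0], invite),
            "rtp_before_answer": alg.on_udp(bob, alice),                     # no pinhole yet
            "answer": alg.on_sip(bob[0], answer),
            "rtp_after_answer": alg.on_udp(bob, alice),
            "rtp_from_stranger": alg.on_udp(("192.168.1.20", 4000), alice),
            "bye": alg.on_sip(bob[0], bye),
            "rtp_after_bye": alg.on_udp(alice, bob)}
```

The RTCP stream on the next port and SIP proxies in the path would need the same treatment in a real ALG; the toy deliberately keeps only the media pinhole.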
Most VOIP components have counterparts used in data networks, but the performance demands of VOIP mean that ordinary network software and hardware must be supplemented with special VOIP components. One of the main sources of confusion for those new to VOIP is the assumption that because digitized voice travels in packets just like other data, existing network architectures and tools can be used with little or no change. Unfortunately, VOIP adds a number of complications to existing network technology, and these problems are compounded by security considerations.

What's Different About VOIP Security?

To understand why security for VOIP isn't the same as data network security, we need to look at both the unique constraints of transmitting voice over a packet network, and at characteristics shared by VOIP and data networks. Packet networks depend on a large number of configurable parameters: IP and media access control (MAC) (physical) addresses of voice terminals, addresses of routers and firewalls. VOIP networks add specialized software such as call managers and other programs used to place and route calls. Many of the network parameters are established dynamically every time a network component is restarted, or when a VOIP telephone is restarted or added to the network. Because there are so many places in a VOIP network with dynamically configurable parameters, intruders have as wide an array of potentially vulnerable points to attack as they have with data networks.

But VOIP systems have much stricter performance constraints than data networks, with significant implications for security. Quality of Service (QoS) is fundamental to the operation of a VOIP network. A VOIP application is much more sensitive to delays than its traditional data counterparts. If one downloads a file, a slowdown of a few seconds is negligible. In contrast, a delay of merely 150 milliseconds is enough to turn a crisp VOIP call into a garbled, unintelligible mess.
In the VOIP vernacular, this is termed the latency problem. Latency turns traditional security measures into double-edged swords for VOIP. Tools such as encryption and firewall protection can help secure the network, but they also introduce a significant amount of delay. Latency is not just a quality of service issue, but a security issue as well, because it increases the system's susceptibility to a Denial of Service (DoS) attack. For a DoS attack to succeed in a VOIP network, it need not completely shut down the system. It must only delay voice packets for a fraction of a second. The necessary impediment is even less when latency-producing security devices are slowing down traffic.

Another QoS issue, jitter, refers to non-uniform delays that can cause packets to arrive and be processed out of sequence. Real-time Transport Protocol (RTP), the protocol used to transport voice media, is based on the User Datagram Protocol (UDP), so packets received out of order cannot be reassembled at the transport level, and therefore must be reordered at the application level, introducing a significant overhead. Even when packets manage to arrive in order, high jitter causes them to arrive at their destination in spurts. This scenario is analogous to uniform road traffic coming to a stoplight. As soon as the stoplight turns green (bandwidth opens up), traffic races through in a clump.

Infrastructure issues become significant with a change to VOIP. With conventional telephones, eavesdropping requires either physical access to tap a line or penetration of a switch. Attempting physical access increases the intruder's risk of being discovered, and conventional private branch exchanges (PBXs) typically use proprietary protocols, specialized software, and have fewer points of access than VOIP systems. With VOIP, opportunities for eavesdroppers are multiplied.
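The application-level RTP reordering and jitter behaviour described above, as an added example that is not part of the bulletin: a small Python receiver that parses RTP headers, reorders out-of-order UDP datagrams by sequence number in a jitter buffer (dropping packets that arrive after playout has passed them) and estimates interarrival jitter with the RFC 3550 formula. The packets, their arrival times, the G.711 8 kHz clock and the buffer depth are constructed assumptions.

```python
"""Toy RTP receiver: parse RTP headers, reorder out-of-order UDP datagrams by
sequence number and estimate interarrival jitter (RFC 3550 section 6.4.1).
Added example; every packet and arrival time below is constructed."""
import struct

RTP_HEADER = struct.Struct("!BBHII")  # V/P/X/CC, M/PT, sequence, timestamp, SSRC
CLOCK_HZ = 8000                       # assumed G.711 clock: 160 samples = 20 ms per packet
SAMPLES_PER_PACKET = 160


def parse_rtp(datagram: bytes) -> dict:
    """Decode the fixed 12-byte RTP header; rejects anything that is not RTP version 2."""
    if len(datagram) < RTP_HEADER.size:
        raise ValueError("datagram shorter than an RTP header")
    b0, b1, seq, timestamp, ssrc = RTP_HEADER.unpack_from(datagram)
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    payload_start = RTP_HEADER.size + 4 * (b0 & 0x0F)  # skip the CSRC list if present
    return {"marker": bool(b1 & 0x80), "payload_type": b1 & 0x7F, "seq": seq,
            "timestamp": timestamp, "ssrc": ssrc, "payload": datagram[payload_start:]}


def build_rtp(seq: int, timestamp: int, payload: bytes = b"\xff" * 160,
              payload_type: int = 0, ssrc: int = 0x1234) -> bytes:
    """Construct a minimal RTP v2 packet (PT 0 = PCMU) for the demo stream."""
    return RTP_HEADER.pack(0x80, payload_type, seq & 0xFFFF,
                           timestamp & 0xFFFFFFFF, ssrc) + payload


def seq_after(a: int, b: int) -> bool:
    """True when 16-bit sequence number a is later than b, tolerating wraparound."""
    return 0 < ((a - b) & 0xFFFF) < 0x8000


class JitterBuffer:
    """Reorders packets by sequence number, waiting at most `depth` packets for a gap."""

    def __init__(self, depth: int = 3):
        self.depth = depth
        self.pending = {}      # seq -> parsed packet held back for an earlier one
        self.next_seq = None   # next sequence number due for playout
        self.late = 0          # packets that arrived after playout already passed them

    def push(self, pkt: dict) -> list:
        """Accept one packet; return the packets now playable, in sequence order."""
        if self.next_seq is None:
            self.next_seq = pkt["seq"]
        if pkt["seq"] != self.next_seq and not seq_after(pkt["seq"], self.next_seq):
            self.late += 1     # too late: application-level reordering cannot recover it
            return []
        self.pending[pkt["seq"]] = pkt
        ready = []
        while self.pending:
            if self.next_seq in self.pending:
                ready.append(self.pending.pop(self.next_seq))
            elif len(self.pending) > self.depth:
                pass           # gap has outlived the buffer: give up on the missing packet
            else:
                break          # hold the later packets and wait a little longer
            self.next_seq = (self.next_seq + 1) & 0xFFFF
        return ready


class JitterEstimator:
    """Interarrival jitter J per RFC 3550 6.4.1, in RTP clock ticks (one SSRC assumed)."""

    def __init__(self):
        self.prev_transit = None
        self.jitter = 0.0

    def update(self, arrival_ticks: int, rtp_timestamp: int) -> float:
        transit = arrival_ticks - rtp_timestamp
        if self.prev_transit is not None:
            self.jitter += (abs(transit - self.prev_transit) - self.jitter) / 16
        self.prev_transit = transit
        return self.jitter


def demo_stream() -> list:
    """Constructed arrival log of (arrival ms, datagram): packet 3 arrives after 4 but in
    time; packet 7 arrives far too late while 8-11 wait in the buffer for it."""
    def pkt(n, ms):
        return (ms, build_rtp(n, n * SAMPLES_PER_PACKET))
    return [pkt(1, 20), pkt(2, 40), pkt(4, 63), pkt(3, 81), pkt(5, 100), pkt(6, 120),
            pkt(8, 160), pkt(9, 180), pkt(10, 200), pkt(11, 220), pkt(7, 240)]


def receive(stream: list, depth: int = 3) -> tuple:
    """Run a stream through parsing, jitter estimation and the buffer.
    Returns (playout order of seqs, number of late packets dropped, jitter in ms)."""
    buf, est, played, jitter = JitterBuffer(depth), JitterEstimator(), [], 0.0
    for arrival_ms, datagram in stream:
        pkt = parse_rtp(datagram)
        jitter = est.update(arrival_ms * CLOCK_HZ // 1000, pkt["timestamp"])
        played.extend(p["seq"] for p in buf.push(pkt))
    return played, buf.late, jitter * 1000 / CLOCK_HZ


if __name__ == "__main__":
    print(receive(demo_stream()))
```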
VOIP units share physical network connections with the data network, and in many cases, VOIP and data are on the same logical portion of the network. Protocols are standardized, and tools to monitor and control packet networks are widely available. Attaching a packet sniffer, such as the freely available "voice over misconfigured internet telephony" (known by its unfortunate acronym "vomit"), to the VOIP network segment makes it easy to intercept voice traffic.

Like other types of software, VOIP systems have been found to have vulnerabilities due to buffer overflows and improper packet header handling. Exploitable software flaws typically result in two types of vulnerabilities: denial of service or disclosure of critical system parameters. In some cases, the system can be crashed, producing a memory dump in which an intruder can find IP addresses of critical system nodes, passwords, or other security-relevant information. Crashing a VOIP server may also result in a restart that restores default passwords or falls prey to a rogue server attack. In addition, buffer overflows that allow the introduction of malicious code have been found in VOIP software, as in other applications.

Tradeoffs between convenience and security are routine in software, and VOIP is no exception. Most, if not all, VOIP components use integrated web servers for configuration. Web interfaces can be attractive, easy to use, and inexpensive to produce because of the wide availability of good development tools. Unfortunately, most web development tools are built with features and ease of use in mind, with less attention to the security of the applications they help produce. VOIP device web applications have been discovered with weak or no access control, script vulnerabilities, and inadequate parameter validation, resulting in privacy and denial of service vulnerabilities.
As VOIP gains in popularity, with implementations on devices of all types, it is almost inevitable that more administrative web applications with exploitable errors will be found.

What do the Special Characteristics of VOIP Mean for Security?

Meeting the security challenges of VOIP can require changes to a number of familiar security components. Firewalls are a staple of security in today's IP networks. Whether protecting a local-area network (LAN), a wide-area network (WAN), encapsulating a demilitarized zone (DMZ), or just protecting a single computer, a firewall is usually the first line of defense. Firewalls work by blocking traffic deemed to be malicious or potentially risky. Acceptable traffic is determined by a set of rules programmed into the firewall by the network administrator. These may include such commands as "Block all FTP traffic (port 21)" or "Allow all http traffic (port 80)." Much more complex rule sets are available in almost all firewalls.

Firewalls also provide a central location for deploying security policies, the ultimate bottleneck for network traffic, because no traffic can enter or exit the LAN without passing through the firewall. This situation lends itself to the VOIP network, where firewalls simplify security management by consolidating security measures at the firewall gateway, instead of requiring all the endpoints to maintain up-to-date security policies. This takes an enormous burden off the VOIP network infrastructure.

Unfortunately, this abstraction and simplification of security measures comes at a price. The introduction of firewalls to the VOIP network complicates several aspects of VOIP, most notably dynamic port trafficking and call setup procedures. Several commercial solutions are available to alleviate this, including Application Level Gateways (ALGs), which make the firewall "VOIP-aware," and Midcom Controls, which allow the firewall to be traversed by letting it receive instruction from an application-aware agent.
That is, they can understand the VOIP protocol data carried as a payload within an ordinary packet, making it possible to do stateful filtering of call packets. Attempting to implement a VOIP system on a legacy network without such devices is generally not feasible.

Firewalls, gateways, and other such devices can help keep intruders from compromising a network. However, these devices are no defense against an internal hacker and don't protect voice data as it crosses the Internet. Another layer of defense is necessary at the protocol level to protect the data itself. In VOIP, as in data networks, this can be accomplished by encrypting the packets at the IP level using Internet Protocol Security (IPsec). This way, if anyone intercepts VOIP traffic and is not the intended recipient (for instance, via a packet sniffer), such packets would be unintelligible. The IPsec suite of security protocols and encryption algorithms is the standard for securing packets against unauthorized viewers over data networks and will be supported by the protocol stack in IPv6. So it seems logical to extend IPsec to VOIP, encrypting the signal and voice packets on one end and decrypting them only when needed by their intended recipient.

Unfortunately, the nature of the signaling protocols and the VOIP network itself make it necessary for routers, proxies, and other components to read the VOIP packets, so encryption is often done at the gateways to a network, rather than the endpoints. Such a scheme also allows the endpoints to be computationally simple and promotes scalability, as new encryption algorithms can be overlaid on the network without upgrading the endpoints. Several factors, including the expansion of packet size, ciphering latency, and a lack of QoS urgency in the cryptographic engine itself, can cause an excessive amount of latency in the VOIP packet delivery.
This leads to degraded voice quality, so once again there is a tradeoff between security and voice quality, and a need for speed. Virtual private network (VPN) tunneling of VOIP has also become popular recently, but the congestion and bottlenecks associated with encryption suggest that this solution may not always be scalable. Although great strides are being made in this area, the hardware and software necessary to ensure call quality for encrypted voice traffic may not be economically or architecturally viable for all enterprises considering the move to VOIP.

What are the Prospects for Securing a VOIP Network?

Thus far, we have painted a fairly bleak picture of VOIP security. The construction of a VOIP network is an intricate procedure that should be studied in great detail before being attempted. Integrating a VOIP system into an already congested or overburdened network could be disastrous for an organization's technology infrastructure. There is no easy "one size fits all" solution to the issues discussed in this bulletin. The use of VPNs versus ALG-like solutions, and the choice of SIP or H.323, are decisions that must be made based on the specific nature of the current network and the planned VOIP network. However, the technical problems are solvable, and the establishment of a secure implementation of VOIP is well worth the difficulty associated with these solutions.

To implement VOIP securely today, start with these general guidelines, recognizing that practical considerations may require adjustments for the organization:

* Put voice and data on logically separate networks. Different subnets with separate RFC 1918 address blocks should be used for voice and data traffic, with separate DHCP servers for each, to ease the incorporation of intrusion detection and VOIP firewall protection.

* At the voice gateway, which interfaces with the PSTN, disallow H.323, SIP, or Media Gateway Control Protocol (MGCP) connections from the data network. Use strong authentication and access control on the voice gateway system, as with any other critical network management component.

* A mechanism to allow VOIP traffic through firewalls is required. There are a variety of protocol-dependent and independent solutions, including ALGs for VOIP protocols, Session Border Controllers, or other standards-based solutions. Stateful packet filters can track the state of connections, denying packets that are not part of a properly originated call.

* Use IPsec or Secure Shell (SSH) for all remote management and auditing access. If practical, avoid using remote management at all and do IP PBX access from a physically secure system.

* Use IPsec tunneling when available instead of IPsec transport because tunneling masks the source and destination IP addresses. This secures communications against rudimentary traffic analysis (i.e., determining who is calling each other).

* If performance is a problem, use encryption at the router or other gateway, not the individual endpoints, to provide for IPsec tunneling. Since some VOIP endpoints are not computationally powerful enough to perform encryption, placing this burden at a central point ensures all VOIP traffic emanating from the enterprise network has been encrypted. Newer IP phones are able to provide Advanced Encryption Standard (AES) encryption at a reasonable cost.

* Look for IP Phones that can load digitally (cryptographically) signed images to guarantee the integrity of the software loaded onto the IP Phone.

* "Softphone" systems, which implement VOIP using an ordinary PC with a headset and special software, should be avoided, if possible, where security or privacy are a concern. In addition to violating the separation of voice and data, PC-based VOIP applications can be vulnerable to worms and viruses that are all too common on PCs, and may infect other parts of the network.

* Consider methods to "harden" any VOIP platform based on common operating systems such as Windows or Linux. This includes disabling unnecessary services and possibly using host-based intrusion detection methods.

* Be especially diligent about maintaining patches and current versions of VOIP software.

* Analyze the impact of VOIP adoption on the rest of the organization's infrastructure, including issues such as backup power, E-911 emergency location, and records retention policies or other legal issues.

VOIP can be done securely, but the path is not smooth. It will likely be several years before standards issues are settled and VOIP systems become a mainstream commodity. Until then, organizations should proceed cautiously and not assume that VOIP components are just more peripherals for the local network. Above all, it is important to keep in mind the unique requirements of VOIP, acquiring the right hardware and software to meet the challenges of VOIP security.

For more information on securing VOIP systems, see draft NIST Special Publication 800-58, Security Considerations for Voice Over IP Systems, at http://csrc.nist.gov/publications/nistpubs/index.html.

Disclaimer: Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by the National Institute of Standards and Technology nor does it imply that the products mentioned are necessarily the best available for the purpose.

Elizabeth B. Lennon
Writer/Editor
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 840-1357

From isn at c4i.org Fri Oct 29 04:31:16 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Oct 29 04:44:45 2004
Subject: [ISN] Report: DHS has 'significant deficiency' in info security
Message-ID:

http://www.fcw.com/fcw/articles/2004/1025/web-dhsig-10-28-04.asp

By Florence Olsen
Oct. 28, 2004

The Homeland Security Department's inspector general has completed an information security audit of the agency, which shows DHS officials are still struggling with internal cybersecurity issues.

The report [1], released Oct. 27, highlights areas in which DHS officials have improved the department's information security practices and policies. But the overall tone of the report is negative. "We recommend that DHS continue to consider its information systems security program a significant deficiency for" fiscal 2004, the IG auditors state in the report's summary.

The IG conducted the information security audit between April and September 2004 according to guidelines set by Office of Management and Budget officials. OMB developed the guidelines to help federal agencies comply with the Federal Information Security Management Act of 2002.

The report cited the chief information officer's lack of authority to manage DHS' departmentwide information technology programs and spending as a significant factor in the department's struggle to secure its information systems. It stated that the absence of a formal reporting relationship between the CIO and the program organizations within the department continues to undermine DHS' information security program.

Among the problems cited in the report, the inspector general found 12 systems had been accredited even though key documentation did not meet the requirements for accreditation.

On a positive note, the IG commended DHS officials for developing departmentwide security configurations policies and procedures for Microsoft Corp. Windows 2000 and Sun Microsystems Inc. Solaris systems. But the report also noted that no DHS organization had completed configuration requirements for all of its systems.

Steven Cooper, DHS' CIO, was more positive in his written response to the report.
After stating that he generally concurred with the IG's findings, Cooper wrote that DHS officials have begun a comprehensive inventory of general support systems and major applications and will review data captured in the agency's automated FISMA data collection and reporting system, Trusted Agent FISMA.

The IG's audit revealed problems with verifying the data in the automated system. For example, Trusted Agent FISMA does not identify applications and systems that are due for recertification and accreditation.

[1] http://www.dhs.gov/interweb/assetlibrary/OIG_04-41.pdf

From isn at c4i.org Fri Oct 29 04:31:38 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Oct 29 04:44:47 2004
Subject: [ISN] Secret Service busts online organized crime ring
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,97017,00.html

By Dan Verton
OCTOBER 28, 2004
COMPUTERWORLD

In what it called an "Information Age undercover investigation," the U.S. Secret Service today announced that it has arrested 28 people from eight U.S. states and six countries allegedly involved in a global organized cybercrime ring. Charges filed against the suspects include identity theft, computer fraud, credit card fraud and conspiracy.

The investigation, code-named Operation Firewall, resulted in what the Secret Service described as a significant disruption of organized criminal activity online that was targeting the financial infrastructure of the U.S. The suspects are alleged to have collectively trafficked in at least 1.7 million stolen credit card numbers. Financial institutions have estimated their losses associated with the suspects targeted by the investigation to be more than $4.3 million.

"Led by the Secret Service Newark Field Office, investigators from nearly 30 domestic and foreign Secret Service offices and their global law enforcement counterparts have prevented potentially hundreds of millions of dollars in loss to the financial and hi-tech communities," Secret Service Director W. Ralph Basham said in a statement. "These suspects targeted the personal and financial information of ordinary citizens, as well as the confidential and proprietary information of companies engaged in e-commerce."

Operation Firewall began in July 2003 and quickly evolved into a transnational investigation of global credit card fraud and online identity theft. The underground criminal groups have been identified as Shadowcrew, Carderplanet and Darkprofits. The organizations operated Web sites used to traffic counterfeit credit cards and false identification information and documents. The groups allegedly used the sites to share information on how to commit fraud and sold the stolen information and the tools needed to commit such crimes.

International law enforcement organizations that took part in the investigation and arrests included the U.K.'s National Hi-Tech Crimes Unit, the Vancouver Police Department's Financial Crimes Section, the Royal Canadian Mounted Police and Europol. Officials in Bulgaria, Belarus, Poland, Sweden, the Netherlands and Ukraine also were involved.

From isn at c4i.org Fri Oct 29 04:31:51 2004
From: isn at c4i.org (InfoSec News)
Date: Fri Oct 29 04:44:49 2004
Subject: [ISN] Net extortionists in child porn threat
Message-ID:

http://www.theregister.co.uk/2004/10/28/blue_sq_blackmail/

By John Leyden
28th October 2004

Extortionists have threatened to send out images of child abuse in emails in the name of Blue Square unless the online gambling site hands over 7,000 Euros ($8,900). The sick telephone threat followed a five-hour distributed denial of service attack against the popular site earlier this week, the BBC reports.
This DDoS attack was accompanied by an email from Serbia on Monday threatening that the assault would be intensified unless Blue Square paid 7,000 Euros into an account. This DDoS attack was successfully thwarted only to be followed by a phone call to the firm's IT director from a man with an "East European accent" threatening to damage Blue Square's brand by distributing child porn material in its name unless money was handed over within 48 hours.

"This is a new twist on the standard 'distributed denial of service' attack," Ed Pownall, communications officer at Blue Square, told BBC News. "Because we can now repel their online attacks so quickly this is obviously an attempt to ramp up the intimidation. It is just revolting."

The firm has decided to speak publicly about the issue so that recipients of any depraved emails will know it is not from Blue Square.

The attack against Blue Square, launched from compromised PCs in South America, is the latest in a long series of DDoS attacks against online gambling sites, which have intensified this year. In July three men suspected of masterminding a cyber-extortion racket targeting online bookies were arrested in a joint operation between the UK's National Hi-Tech Crime Unit and its counterparts in the Russian Federation. The trio, who investigators reckon netted hundreds of thousands of pounds from the shakedowns, were picked up in a series of raids both in St Petersburg, and in the Saratov and Stavropol regions in southwest Russia.

Extortion is not the only motive behind DDoS attacks. In August six men were charged by the Californian courts over the first-ever case involving the use of sophisticated denial of service attacks directed against business rivals. Jay Echouafni, chief exec of Orbit Communication Corporation in Massachusetts, along with a business partner allegedly hired computer hackers in Arizona, Louisiana, Ohio, and the UK to launch computer attacks against Orbit online competitors.

"These sustained attacks allegedly began in October 2003 and caused the victims to lose over $2m in revenue and costs associated with responding to the attacks," according to investigators. Echouafni, who faces a five-count federal indictment, is on the run.

The modus operandi of DDoS attacks, whatever their motives, remains broadly consistent. Worms such as MyDoom and Bagle (and Trojans such as Phatbot) surrender the control of infected PCs to hackers. These expanding networks of zombie PCs (dubbed 'botnets' by the computer underground) are most often used for spam distribution but they also serve as effective platforms for DDoS attacks. Attacks typically start with crude SYN Flood attacks. If that doesn't scare targets into paying then attackers resort to more sophisticated attacks (SYN Floods, UDP Floods, NB-Gets, ICMP Ping Floods and UDP Fragment Attacks). The effect on unprotected sites can be devastating.