From isn at c4i.org Mon Apr 4 01:05:04 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Apr 4 01:11:25 2005
Subject: [ISN] Moderators note...
Message-ID:

I've been out with the flu since Thursday night, so I'll be taking a few sick days...

- WK

Go Illini!

From isn at c4i.org Tue Apr 5 01:04:22 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Apr 5 01:13:04 2005
Subject: [ISN] How to hire an IT security consultant
Message-ID:

http://www.infoworld.com/article/05/03/28/13FEconsultant_1.html

By Robert G. Ferrell
March 28, 2005

Outsourcing IT security is all the rage these days. It's cheaper and more efficient, the prevailing theory goes, to farm out functions not directly related to your organization's core competencies. If you make nickel-plated widgets, for example, your staff must be expert in manufacturing, nickel-plating, and selling widgets, not in keeping 14-year-olds out of your network.

So, frazzled managers and executives often turn to consultants, hoping they'll swoop in, do their voodoo, and make the problem disappear. Sometimes it works out that way, but too often it doesn't.

Choosing the right consultant, especially in the realm of IT security, will be entirely hit or miss unless you match exact, proven skill sets to the job at hand. That objective may seem obvious: You seek out people with specific skills to come in and do stuff your permanent staff can't handle or doesn't have time for. Consultancy, however, is an arcane beast, and an ocean of uncertainties lies just beneath the surface.

Before beginning the selection process, evaluate whether you really need outside help. Managers can slip into a comfortable pattern of bringing in outside talent for any security initiative that seems out of the ordinary, a practice that sometimes proves highly problematic.
Unless you're entering uncharted territory where your staff has neither the time nor expertise (and they acknowledge this), you're likely to generate resentment or trepidation when broaching the subject of consultants. The ego is a fragile thing; staff members may view the move as an indictment of their competency or work ethic. Therefore, it's vital to the success of every consulting process that you get total, voluntary buy-in from the troops who will be directly affected. Friction wears down the machinery, so be open and seek consensus from all parties involved.

As a general rule, hiring the services of a security consultant is justified when:

1. The services you seek lie outside the expertise of your in-house staff. These might be strategic, operational, or administrative in nature.

2. You have a highly technical project and a deadline that renders the project beyond the abilities of your staff to complete it on time.

3. You need an objective perspective of someone not enmeshed in your corporate politics and infrastructure.

There are other scenarios, but these are the Big Three, which can be helpful to emphasize if you encounter resistance.

You call yourself an expert?

Information security is taking on new importance, as a flood of high-profile worms, viruses, Trojan horses, and Web defacements has companies and government agencies in a tailspin. The need for security services is at its peak, and this intense market pressure is creating a lot of instant "experts" with an impressive list of certifications but little practical experience in the down-and-dirty art of securing a network.

To make realistic assessments, you must demand concrete proof of competency. Thoroughness is crucial when dealing with people who claim to be experts at computer security because snake oil abounds.
As with any other field of human endeavor, there are good, reliable consultants who want to provide maximum return on your investment, and there are others who are far less conscientious.

[...]

From isn at c4i.org Tue Apr 5 01:04:37 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Apr 5 01:13:09 2005
Subject: [ISN] UK citizens confused by security terminology
Message-ID:

http://news.zdnet.co.uk/internet/security/0,39020375,39193691,00.htm

Dan Ilett
ZDNet UK
April 04, 2005

Many people in the UK don't understand terms commonly used for Internet scams and hacking attacks, a study suggests.

A survey conducted by Populus and entitled "Do you speak geek?" revealed that words such as phishing, rogue dialler, Trojan and spyware were often a mystery to the 1,000 people questioned, of whom over half were Internet users.

A spokesman from AOL, which commissioned the study, said that home PC users were more susceptible to scams if they were unfamiliar with the concepts and words behind them.

"Some of the terms being bandied around are more suitable for a computer programmers' convention than for people who want to go online at home," said Will Smith, a security professional at AOL. "If Internet users can't understand the language used to describe these risks, they are going to find it hard to not get ripped off."

Rogue diallers are software applications that are secretly installed on a computer and dial premium rate telephone numbers for Internet access. This can result in expensive phone bills. A Trojan is a seemingly innocuous application that secretly installs software or performs actions which are malicious in nature, such as giving hackers control of the machine the Trojan is run on. Spyware programs secretly copy information that is entered on a computer and report it back to a third party.

A high number of respondents, 83 percent, said they were worried about their personal information being stolen. Identity theft email scams - known as phishing scams -
have been widely reported in the press, but the survey found that 84 percent of those questioned failed to understand the term. Thirty-nine percent of people surveyed were unfamiliar with the word Trojan. And although 76 percent of respondents were concerned about the number of junk emails they received, 16 percent said they had never heard of the term 'spam'.

More than a fifth of respondents admitted not knowing how to tackle online security problems. AOL claimed that the majority of people surveyed understood Internet scams after they were given a simple definition of the word "phishing".

From isn at c4i.org Tue Apr 5 01:04:52 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Apr 5 01:13:12 2005
Subject: [ISN] Hacker jailed for three years
Message-ID:

http://www.theage.com.au/news/Breaking/Hacker-jailed-for-three-years/2005/04/05/1112489456181.html

Stockholm
April 5, 2005

A Hungarian who cracked the computer system of Swedish mobile telecommunications group Ericsson was sentenced to three years in prison on Monday for accessing top-secret documents, Swedish news agency TT reported.

The hacker was convicted on charges of industrial espionage and illegal use of secret information, according to the report. The 26-year-old defendant, whose name was not revealed by the court, could have faced a six-year jail sentence.

He admitted to gaining entry to Ericsson's intranet system illegally but said he did not think the information he had accessed there was classified. The man said he wanted to expose security failings at Ericsson "as a provocation" with the hope of being recruited for a job at the Swedish company, TT said.

"The court followed my recommendations and determined that the charges were founded," Tomas Lindstrand, chief international prosecutor in Stockholm, was quoted by TT as saying.

The case covered spying between the period of March 2002 and June 2004 from countries including Sweden and Hungary.
Fingered by Swedish intelligence in 2003 when he tried to sell some of the information he had acquired on the internet, he was arrested in October 2004 at the airport in Malmo, southern Sweden, where investigators had arranged a "business meeting".

From isn at c4i.org Tue Apr 5 01:04:00 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Apr 5 01:13:14 2005
Subject: [ISN] China to improve Internet safety
Message-ID:

http://www.chinadaily.com.cn/english/doc/2005-04/03/content_430516.htm

Xinhua
2005-04-03

China is expected to pass a new set of rules and regulations to gradually establish an Internet emergency control mechanism this year in a fresh effort to curb soaring Internet hacks and attacks that have seriously threatened the safety of public and private information, Friday's China Youth Daily reported.

"China should increase cooperation between different departments and arouse the entire society so as to form an Internet emergency control mechanism that is agile, sensitive and effective," said an official with the Ministry of Information Industry, for whom the paper gave no name.

He said the mechanism should serve to ensure all Internet-related safety incidents are detected in time, and analyzed and responded to promptly.

Soaring Internet incident reports have alarmed both the Chinese government and companies. In 2004, the National Computer Network Emergency Response Technical Team/Coordination Center (CNCERT), a key body responsible for collecting domestic Internet incidents, received a total of 64,686 incident reports, nearly five times that of the previous year.

Among all the reports, 45.91 percent were about web page modifications and the rest junk mail or viruses, including 'the worm' and the 'Trojan horses' that have troubled Chinese netizens for years. Statistics from the center also found government websites turn out to be the easiest targets for attackers.

"Today's Internet virus is far more contagious than those in nature," said the center.
"The government should add more helpful rules to its current legal system so as to form a more favorable legal environment."

The paper acknowledged that the use of visa accounts, user names, passwords and social welfare numbers has become a favorite measure of attackers to steal money. Many websites of domestic financial institutions, including the Bank of China, have been mimicked, according to early reports by local media.

In 2004, CNCERT received 223 reports of mimicking, in sharp contrast to only one case in 2002 and 2003. The victims were mainly financial and electronic websites. As e-commerce, online payment services and bank business become more popular, so do the impersonations, it said.

"It's simply a monster from science fiction. It can not only reproduce and spread itself but also produce offspring that are totally different in types," said Cai Jun, a Chinese anti-virus expert, describing a newly appeared "I-Worm.Jeans.a" worm which is believed to be one created by "29A", a notorious virus maker.

The virus' features change frequently and automatically after infecting a computer, he said, noting that that characteristic makes the virus hard to delete.

According to an Internet safety report by Symantec, a transnational that provides anti-virus solutions, of all the 50 top new computer threats it detected in 2004, 27 viruses are used to steal clients' personal information. In 2003, the number was 18.

"Theft of individuals' identification information such as bank account password and credit card number is quite likely to become more rampant in 2005," predicted Symantec.

Like those in Western countries, both Chinese authorities and companies, which have now fully realized the damage that can be caused by Internet crimes, are carrying out campaigns against them. According to statistics, Internet-related counterfeit and fraud led to global losses of about US$32.2 billion in 2003.
From isn at c4i.org Tue Apr 5 01:05:17 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Apr 5 01:13:16 2005
Subject: [ISN] Malaysia car thieves steal finger
Message-ID:

http://news.bbc.co.uk/2/hi/asia-pacific/4396831.stm

By Jonathan Kent
BBC News, Kuala Lumpur
31 March, 2005

Police in Malaysia are hunting for members of a violent gang who chopped off a car owner's finger to get round the vehicle's hi-tech security system.

The car, a Mercedes S-class, was protected by a fingerprint recognition system.

Accountant K Kumaran's ordeal began when he was run down by four men in a small car as he was about to get into his Mercedes in a Kuala Lumpur suburb.

The gang, armed with long machetes, demanded the keys to his car. It is worth around $75,000 second-hand on the local market, where prices are high because of import duties.

Stripped naked

The attackers forced Mr Kumaran to put his finger on the security panel to start the vehicle, bundled him into the back seat and drove off.

But having stripped the car, the thieves became frustrated when they wanted to restart it. They found they again could not bypass the immobiliser, which needs the owner's fingerprint to disarm it.

They stripped Mr Kumaran naked and left him by the side of the road - but not before cutting off the end of his index finger with a machete.

Police believe the gang is responsible for a series of thefts in the area.

From isn at c4i.org Tue Apr 5 01:05:31 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Apr 5 01:13:20 2005
Subject: [ISN] Red Hat patches critical hole
Message-ID:

http://www.computerworld.com/securitytopics/security/holes/story/0,10801,100860,00.html

by Matthew Broersma
APRIL 04, 2005
TECHWORLD.COM

Red Hat Inc. is warning enterprise Linux users to update their installations of XFree86 to fix a number of serious security bugs, some of which could allow attackers to take over a system.
The affected operating systems include Enterprise Linux AS 3, Enterprise Linux ES 3 and Enterprise Linux WS 3, Red Hat said in an advisory. Separately, vendors have patched critical flaws in ImageMagick, Sylpheed and several components of Silicon Graphics Inc.'s Advanced Linux Environment.

XFree86 is an implementation of the X Window System providing low-level graphics functionality for graphical user interface systems such as KDE and GNOME.

The most serious flaw is an integer overflow in the libXpm library, which is used by some applications to open XPM images, Red Hat said. An attacker could use a malicious XPM file to execute code on a user's system. Red Hat said the bug is moderately critical, but independent security firm Secunia said in an advisory that the vulnerability is serious because it could allow a remote attacker to gain system access.

The latest XFree86 release, issued on March 16, fixes the libXpm vulnerability and several others.

Red Hat and others are also patching a newly disclosed vulnerability in the Sylpheed e-mail client, which could allow the execution of malicious code when a message is displayed. Attackers could use a message containing an attachment with a MIME-encoded file name to trigger a boundary error, resulting in a buffer overflow, according to researchers.

Versions 0.8.0 to 1.0.3 and development versions 1.9.0 to 1.9.4 are affected, said Secunia, which gave the bug a "highly critical" rating. The fix is available from Sylpheed's Web site and from Linux vendors.

MandrakeSoft SA and Red Hat have patched flaws in ImageMagick, a widely used open-source image editing suite, that could allow the remote execution of malicious code. The bugs include a format string error within the handling of file names and a boundary error in the decoding of PSD images, and they could be exploited by specially crafted image files, according to security experts.
SGI issued an update for its Advanced Linux Environment to fix a number of bugs that could allow remote system takeover or denial-of-service attacks, or let malicious local users manipulate the contents of some files. The bugs affect the xpdf, squid and kdenetwork components, SGI said.

From isn at c4i.org Tue Apr 5 01:05:54 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Apr 5 01:13:23 2005
Subject: [ISN] Database rootkit menace looms
Message-ID:

http://www.theregister.co.uk/2005/04/04/database_rootkit/

By John Leyden
4th April 2005

Crackers are developing more sophisticated techniques for taking control of corporate databases using malicious code akin to malware already common on Unix platforms. The threat also applies to repository-based software such as CRM systems and web applications, creating a need for new security tools, according to Alexander Kornbrust of Red Database Security.

Kornbrust told a session at the Black Hat security conference in Amsterdam on Friday, 1 April that operating systems and databases are quite similar in their architecture. Each has users, processes, jobs and executables. This similarity means forms of malicious code - like rootkits - that have long been a problem for Unix admins are also an issue for database administrators.

Rootkits refer to a set of tools used by crackers after breaking into a computer system to hide logins and processes under the control of an attacker from detection. Kornbrust said a database rootkit for Oracle systems would hide the Oracle execution path, database users, processes and jobs, as well as modifying internal functions.

Database rootkits would be implemented by either modifying a database object or changing the execution path, for example by creating a local object with the identical name, establishing a synonym pointing to a different object or switching to a different schema. Thereafter Kornbrust showed how it would be possible for a hacker to hide database users or processes he controlled.
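The three execution-path tricks just described (a same-named local object in a user schema, a synonym repointed at a different object, and a modified data-dictionary view) all leave traces in the data dictionary, so a defender can compare a current snapshot against a trusted baseline. The following is an added example, not code from the article or from Red Database Security; the rows are constructed and simplified, and a real run would populate them from Oracle's DBA_OBJECTS, DBA_SYNONYMS and DBA_VIEWS (the view text here is a stand-in for the real DBA_USERS definition).

```python
"""Baseline comparison for Oracle execution-path tampering (constructed example)."""
import hashlib
import re
from typing import Dict, List, Set, Tuple

ObjKey = Tuple[str, str, str]   # (owner, object_name, object_type) as in DBA_OBJECTS
SynKey = Tuple[str, str]        # (owner, synonym_name) as in DBA_SYNONYMS
Target = Tuple[str, str]        # (table_owner, table_name): what a synonym resolves to
Finding = Tuple[str, str]       # (kind, human-readable detail)
Snapshot = Tuple[Set[ObjKey], Dict[SynKey, Target], Dict[Target, str]]


def view_fingerprint(text: str) -> str:
    """Hash a view definition after collapsing whitespace and case, so that a
    harmless re-formatting does not alert but an added predicate does."""
    canon = re.sub(r"\s+", " ", text).strip().lower()
    return hashlib.sha256(canon.encode()).hexdigest()


# ---- constructed "known good" baseline, taken when the database was trusted ----
BASELINE_OBJECTS: Set[ObjKey] = {
    ("SYS", "DBMS_OUTPUT", "PACKAGE"),
    ("SYS", "UTL_FILE", "PACKAGE"),
    ("SYS", "DBA_USERS", "VIEW"),
    ("SCOTT", "EMP", "TABLE"),
}
BASELINE_SYNONYMS: Dict[SynKey, Target] = {
    ("PUBLIC", "DBMS_OUTPUT"): ("SYS", "DBMS_OUTPUT"),
    ("PUBLIC", "UTL_FILE"): ("SYS", "UTL_FILE"),
    ("PUBLIC", "DBA_USERS"): ("SYS", "DBA_USERS"),
}
BASELINE_VIEWS: Dict[Target, str] = {   # simplified stand-in for the real view text
    ("SYS", "DBA_USERS"):
        "SELECT u.name AS username, u.user# AS user_id FROM sys.user$ u WHERE u.type# = 1",
}
BASELINE: Snapshot = (BASELINE_OBJECTS, BASELINE_SYNONYMS, BASELINE_VIEWS)

# ---- constructed current snapshot with the three modifications planted ----
CURRENT_OBJECTS: Set[ObjKey] = BASELINE_OBJECTS | {
    ("SCOTT", "DBMS_OUTPUT", "PACKAGE"),   # local object with a SYS package's name
    ("SCOTT", "UTL_FILE", "PACKAGE"),
}
CURRENT_SYNONYMS: Dict[SynKey, Target] = dict(BASELINE_SYNONYMS)
CURRENT_SYNONYMS[("PUBLIC", "UTL_FILE")] = ("SCOTT", "UTL_FILE")   # repointed synonym
CURRENT_VIEWS: Dict[Target, str] = {   # one user filtered out of the dictionary view
    ("SYS", "DBA_USERS"):
        "select u.name as username, u.user# as user_id\n  from sys.user$ u\n"
        " where u.type# = 1 and u.name <> 'BACKDOOR'",
}
CURRENT: Snapshot = (CURRENT_OBJECTS, CURRENT_SYNONYMS, CURRENT_VIEWS)


def find_shadowed_sys_objects(objects: Set[ObjKey]) -> List[Finding]:
    """Objects outside SYS whose name collides with a SYS object: a resolution
    path that prefers the local schema would run the attacker's copy."""
    sys_names = {name for owner, name, _ in objects if owner == "SYS"}
    return sorted(("shadow", f"{owner}.{name} ({otype}) has the same name as SYS.{name}")
                  for owner, name, otype in objects
                  if owner != "SYS" and name in sys_names)


def find_repointed_synonyms(baseline: Dict[SynKey, Target],
                            current: Dict[SynKey, Target]) -> List[Finding]:
    """Synonyms that are new or no longer resolve to their baseline target."""
    out: List[Finding] = []
    for (owner, name), target in sorted(current.items()):
        expected = baseline.get((owner, name))
        if expected is None:
            out.append(("synonym", f"new synonym {owner}.{name} -> {target[0]}.{target[1]}"))
        elif expected != target:
            out.append(("synonym", f"{owner}.{name} now -> {target[0]}.{target[1]} "
                                   f"(baseline {expected[0]}.{expected[1]})"))
    return out


def find_modified_views(baseline: Dict[Target, str],
                        current: Dict[Target, str]) -> List[Finding]:
    """Dictionary views whose definition no longer matches the baseline."""
    out: List[Finding] = []
    for (owner, name), text in sorted(current.items()):
        base = baseline.get((owner, name))
        if base is None:
            out.append(("view", f"new view {owner}.{name}"))
        elif view_fingerprint(base) != view_fingerprint(text):
            out.append(("view", f"{owner}.{name} definition differs from baseline"))
    return out


def scan(baseline: Snapshot, current: Snapshot) -> List[Finding]:
    """Run all three checks and return the combined findings."""
    b_obj, b_syn, b_view = baseline
    c_obj, c_syn, c_view = current
    return (find_shadowed_sys_objects(c_obj)
            + find_repointed_synonyms(b_syn, c_syn)
            + find_modified_views(b_view, c_view))


if __name__ == "__main__":
    for kind, detail in scan(BASELINE, CURRENT):
        print(f"[{kind}] {detail}")
```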
Most internal packages from Oracle are protected from modifications, but Kornbrust emphasised that the threat - although hard to quantify - was real.

"Knowledge is not widespread about how to hack databases but information is out there," said Kornbrust. "This is not for script kiddies, but an internal attack is possible - a professional attacker is very difficult to detect. There are no figures on incidents," he added.

Databases don't keep tabs yet, so buy our software instead

Kornbrust explained how rootkits and backdoors in a database could be identified using a special tool called repscan, developed by Red Database Security. The tool finds modifications in execution paths and checks for insecure database settings.

Ultimately databases or other applications should check the repository for modifications themselves, according to Kornbrust, who added that the rootkit threat ought to prompt more secure coding practices among developers.

From isn at c4i.org Wed Apr 6 04:14:11 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 6 04:26:42 2005
Subject: [ISN] Has Dan Farmer Sold His Soul?
Message-ID:

http://www.businessweek.com/smallbiz/content/apr2005/sb2005045_4318_sb013.htm

Edited by Rod Kurtz
APRIL 5, 2005

The security guru and fiercely independent creator of free software tool SATAN explains why he teamed up with VCs to launch Elemental Software

Most computer aficionados associate Dan Farmer with the word "free," both in terms of spirit and software. In the early 1990s he co-wrote and released for free a software program called SATAN (System Administrator's Tool for Analyzing Networks), which helps companies take a good look at their computer networks and identify any weak spots. When Farmer first released it, many in law enforcement worried the program would help the bad guys break into computer networks, while colleagues in the computer-security world figured he was giving them the tools to keep the bad guys out.
A former Marine who applied for and received conscientious-objector status during the first Persian Gulf War, Farmer has always done things his own way. He became one of the tech industry's leading experts on computer security, working as a consultant and occasional employee for companies ranging from Sun Microsystems (SUNW) to Geffen Records (V).

About two years ago, Farmer decided to start his own company, Elemental Security. He and engineers at the San Mateo (Calif.) software startup have built a package that allows corporate-tech managers to devise and implement security policies. They took the wraps off the technology at a security conference in Orlando (Fla.) on Apr. 4, but Farmer spoke with BusinessWeek Online Technology Editor Jim Kerstetter a few days earlier about his devilishly named free program, and why he's happy to be Elemental's chief technology officer rather than CEO. Edited excerpts of their conversation follow.

Q: The release of SATAN generated quite a buzz. How did your work on that eventually lead to Elemental?

A: We just released SATAN once, and that was in '95. I had this great idea of writing a book in '96, a compendium of security. Sort of like the project [French philosopher Jean-Jacques] Rousseau did on the Age of Enlightenment. One area we thought we knew a lot about was auditing. But we discovered after a year or two that auditing is really hard. I suggested, let's scale back and work on forensic security, because no one was working on that at the time. We put out a forensic-tool kit, back in '99, I guess. I was also doing some work for the recording industry at the time.

Q: Really, on what?

A: Back in I think it was '99 there was this young company just starting up called Napster. I had never heard of them before. But I was doing some work for a friend of mine at Geffen Records. And he asked me to do some technical due diligence on the thing. This turned into being an expert witness for the recording industry against Napster.
People would ask me: "Hey, you gave away software. Why can't they give away music?" But it was a choice I made. Napster was predicating its business model on violation of copyright. I happen to believe in copyright. Eventually, I won a gold album from the recording industry for this whole trial thing. And this eventually led into the whole Elemental story.

Q: Why did you finally start a company?

A: I had been offered a lot of money over the years for things like SATAN, especially during the boom years. I thought if I could start a company now [in 2002] and make it succeed, there could be some merit to it. Bessemer [Ventures] and Mayfield [Ventures] funded it, and later in a second round they were joined by Sequoia.

Q: What was your elevator pitch?

A: It was about policy management. What is a policy? It's an expression of your desire. If you are talking about computer security, you know what you want: You want your systems to behave in well-defined ways. You don't want surprises. You want a list of things you wish to see happen. The hard part is expressing those desires in a way that is meaningful to computers. Automation is the key here. Express your desire, and find a way to enforce that process. That sounded like a great idea to me.

Q: You've been pretty independent over the years. So there must have been a serious crossing-the-Rubicon moment for you.

A: Oh, absolutely. One of the big reasons I didn't start a company before is it's a lot of responsibility. We're up to 35 employees now. I can't say all 34 other people are depending on me for their livelihood, but they wouldn't be working here if they weren't. You really have to give your heart and soul to the company for a considerable length of time. I was pretty confident the idea was sound, and the technology would work. But the real reason I started the company was, if I could have done it myself and written it and given it away, I would have done it. I had no burning desire to start a company.
But the idea was so huge, there was no way I could have done it myself or with a couple of pals. The resources a company gives you allow you to take on bigger challenges.

Q: Do you get sentimental about your independent days?

A: Oh yeah, all the time. Elemental probably won't last forever. If it does, great. But at some point, I'll probably go back into research mode. If there's one thing I'll never run out of, it's ideas. I'll probably go back at some point to writing free software or something like that.

Q: So it sounds like you never thought you'd be the guy running the company. In fact, security industry vet Peter Watkins is running the show.

A: I'm not a business guy. I'm not a manager. I believe I understand the problems and strategic issues. But the tactical matters, how to raise the money, raise the company. I'm a really huge believer in marketing and messaging. Part of SATAN's reason for success was its name: System Administrator's Tool for Analyzing Networks. That acronym propelled it to a lot of places where it wouldn't have gotten much visibility. I think the power of names, the power of messages, the power of how people perceive things is really crucial. The technology by itself, if no one knows about it and no one uses it, is pretty useless.

Q: Do you see Elemental staying independent or getting acquired by a bigger security company?

A: That's a good question. I think, by and large, the investors feel if all things are equal, most people would prefer to see a company stay independent. On the other hand, acquisitions can generate a lot more cash, and people are vacuum-cleaning these companies up. But the basic model for the company was we weren't going to hit just one little niche. We started from a pretty broad base. We had to have a broad product from the start. Perhaps it makes us a little less desirable as a takeover target. I don't know.
From isn at c4i.org Wed Apr 6 04:14:24 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 6 04:26:44 2005
Subject: [ISN] Web bookies demand higher security standards
Message-ID:

http://news.zdnet.co.uk/internet/security/0,39020375,39193981,00.htm

Dan Ilett
ZDNet UK
April 05, 2005

Online gambling companies are urging ISPs to do more to prevent hackers disabling computers with distributed denial-of-service (DDoS) attacks.

An industry forum made up of the UK's biggest Web gambling firms has been lobbying Internet service providers for several months to provide all their customers with better security.

"A lot of [ISPs] have started to address the problem of DDoS [attacks]," said Peter Pedersen, chief technology officer at online betting site Blue Square, speaking at the e-Crime Congress in London. "One of the things we were trying to convince ISPs to do was distribute firewalls to their customers," he added.

Criminal hackers use distributed denial-of-service attacks to flood their target servers with so much data that they are unable to operate. A firewall that can conduct stateful inspection of outgoing data packets should be able to spot when a PC has been compromised by a hacker and is being used to take part in a DDoS attack.

Blue Square is one of many online gambling companies to face such an attack. Hackers typically tell e-commerce Web sites to pay up or face a series of attacks that can cripple their businesses through downtime. Pedersen's comments echo a call made by David Yu, chief technology officer of online gaming portal Betfair, in an interview with ZDNet UK last November.

Pedersen said that the attacks launched on the company's Web site, Bluesq.com, typically comprised between one and two gigabits of data per second, which clogged their bandwidth and slowed their ISP's network.

Pedersen highlighted the importance of sharing security resources with competitors. "As an industry we could appear with a united front," said Pedersen.
"I cannot emphasise enough how important that is. We are all competitors but I leave that to the marketing board."

The forum has also been lobbying MPs to outlaw denial-of-service attacks. The UK Parliament will have ten minutes on Tuesday to decide whether to update the Computer Misuse Act (1990). The proposals to change the law, which will be introduced by Derek Wyatt MP, would make DDoS attacks illegal, but this is highly unlikely to happen before next month's general election.

"Derek Wyatt's efforts to re-start a debate in Parliament regarding the Computer Misuse Act are to be applauded, but a paltry ten minute slot is not enough time or attention to give to such an important issue. This lack of interest is an insult to British businesses, which are most at risk from cyberattacks," said Simon Perry, European vice-president of security strategy for Computer Associates.

From isn at c4i.org Wed Apr 6 04:14:37 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 6 04:26:47 2005
Subject: [ISN] Cyber-Terrorism Analyst Warns Against Complacency
Message-ID:

http://www.eweek.com/article2/0,1759,1782286,00.asp

By Ryan Naraine
April 4, 2005

ORLANDO, Florida - Cyber-security and counterterrorism analyst Roger Cressey on Monday pleaded with IT executives not to underestimate the threat of a "national cyber-event" targeting critical infrastructure in the United States.

During a keynote address at the InfoSec World 2005 conference here, Cressey warned against discounting the danger of the Internet being used in a terrorist-related attack. "It may not be a terrorist attack, but a cyber-event is a very, very serious possibility. When it happens, it will have serious economic impact on our critical infrastructure."

Cressey, who served as chief of staff to the president's Critical Infrastructure Protection Board at the White House, said there was enough evidence that U.S. enemies were actively using the Web to recruit, organize and communicate terrorism activities.
"I don't see the Internet as a means to a mass attack [on human lives] but we have to be aware that cyber-crime is a key component of the terrorism setup. We would be foolish not to assume a targeted attack on some aspects of national infrastructure. I don't know if we can protect against this type of event today," Cressey said.

The on-air counterterrorism analyst for NBC News said the rapid rate at which Internet security vulnerabilities were being discovered only adds to the worry. "Software vulnerabilities are being discovered at amazingly fast rates. [The] time to exploit continues to shrink. We're getting closer and closer to zero-day exploits," Cressey warned, adding that computer operating systems had become a target-rich environment.

"Before 9/11, we thought we had it all covered, but we had no idea what we're missing. There were warnings, but we never took them seriously. That's the mind set we need to have today regarding a cyber-event. We need to assume that it will happen and get ready to deal with it."

He said the increase in identity theft, spam and phishing attacks has already caused a "crisis of confidence" in the e-commerce sector. "Consumers go on the Internet to read the news, but they get scared to shop online. E-commerce will never reach its full potential," he said.

Cressey said the U.S. government's DHS (Department of Homeland Security) made a fundamental mistake in the early days when it threw resources at physical security assets without similar investments in critical security IT infrastructure. "The result is they sent mixed signals to the industry. Silicon Valley and the private sector looked at what was happening and figured the government was only talking the talk without walking the walk."

He said the DHS must prioritize the risks before deciding on the level of spending on security and must show leadership in the area of information-sharing and advance warnings on Internet security vulnerabilities.
Cressey used part of his keynote to call on VOIP (voice over IP) developers to put security on the front burner. Describing VOIP security as the great challenge of this decade, he said it would be a "big mistake" for another nascent industry to emerge without built-in protections.

"VOIP is today where the Internet was 10 years ago. Everyone acknowledges that security is a big issue, but no one is making it a top priority. We know we need to worry about it, but we're not doing anything about it," he said.

The growth of VOIP in the enterprise has led to several vulnerabilities in the technology, including the ability to launch denial-of-service attacks, caller-ID spoofing or the hijacking of voice sessions.

"Nobody is baking security into the [VOIP] products just yet. If this truly becomes ubiquitous, it will be back to the future. We'll be scrambling to fix it just like we're scrambling today to deal with spam and viruses."

Cressey urged enterprise IT leaders to take a holistic approach to managing risks, arguing that executives must resist the urge to use return on investment to drive spending on security. "Instead of ROI, you should be adopting new acronyms like ROR [Reduction of Risk] or ROC [Return on Compliance]."

From isn at c4i.org Wed Apr 6 04:14:57 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 6 04:26:50 2005
Subject: [ISN] Security forum members to meet in May
Message-ID:

http://www.fcw.com/article88496-04-05-05-Web

By Florence Olsen
April 5, 2005

Members of a new public/private forum for government and industry security executives say they have wasted no time getting started on efforts to improve federal agencies' annual information security grades.
The forum, known as the Chief Information Security Officers (CISO) Exchange, will hold an advisory board meeting this month and its first membership meeting in May, Stephen O'Keeffe, the group's executive director, announced today at the FOSE government information technology conference in Washington, D.C. O'Keeffe said members have already begun talking with officials in the Government Accountability Office and with federal inspectors general about ways to raise the federal government's overall security grade above a D-plus, which it received this year. The CISO Exchange is a new model of a public/private partnership "designed to move the government forward in its information security posture," O'Keeffe said. The forum offers a venue for public- and private-sector CISOs to exchange ideas for strengthening their organizations' information security policies, procedures and practices. All funding for the forum will come from industry members, O'Keeffe said. He introduced co-chairman, Vance Hitch, the Justice Department's chief information officer who is chairman of the CIO Council's Cyber Security and Privacy Committee, and co-chairwoman Melissa Wojciak, staff director of the Government Reform Committee. The forum has six government advisory board members, who will serve one-year terms. They are Daniel Galik, chief security officer at the Internal Revenue Service, representing the Treasury Department; Dennis Heretick, Justice's CISO; Robert Lentz, the Defense Department's CISO; Jane Scott Norris, the State Department's CISO; Lisa Schlosser, the Department of Housing and Urban Development's CIO; and Robert West, the Homeland Security Department's CISO. The advisory board will also have six industry members, including Austin Yerks, president of federal sector business development at Computer Sciences Corp., and Kenneth Ammon, president and co-founder of NetSec Government Solutions. Four additional advisory members have not been named. 
O'Keeffe stressed that the forum will have a practical agenda. Its members plan to publish an annual report on federal information security priorities and operational issues and to host an awards dinner on the evening that Rep. Tom Davis (R-Va.) announces next year's federal computer security report card grades. From isn at c4i.org Wed Apr 6 04:15:08 2005 From: isn at c4i.org (InfoSec News) Date: Wed Apr 6 04:26:53 2005 Subject: [ISN] 20 Euros buys top Secret Police hard drive Message-ID: http://www.theinquirer.net/?article=22352 05 April 2005 GERMANY'S SPIEGEL magazine reported that a hard drive bought on Ebay contained info on what to do in hostage situations, how to handle kidnappings and security details on politicians. The magazine said that a high level investigation has been launched into how a student in Potsdam bought the drive containing confidential information on police measures and names of crisis management professionals in the Brandenburg police. The investigation will check whether the drive ended up on Ebay by accident or as the result of a crime. The information found is normally restricted to top spooks, the head of the police and the Minister of the Interior's team. From isn at c4i.org Thu Apr 7 02:13:58 2005 From: isn at c4i.org (InfoSec News) Date: Thu Apr 7 02:23:34 2005 Subject: [ISN] Hacker cracks bank's computer code Message-ID: http://www.jpost.com/servlet/Satellite?pagename=JPost/JPArticle/ShowFull&cid=1112754019642 By DAVID RUDGE April 6, 2005 A hacker who managed to break into the computer network of the Postal Bank and transfer large sums of money to the accounts of co-conspirators was sentenced to 16 months in prison by the Haifa magistrate's court on Wednesday. David Sternberg, 24, of Haifa, was caught in January last year shortly after setting up his sophisticated computer "sting" operation that involved six collaborators who were also arrested. 
Sternberg apparently lived in the US for a while and was allegedly responsible for causing the collapse at the time of the "E-Bay" web site and other offenses that, according to police here, brought him to the attention of the FBI. He returned to Israel, but it was not long before he was once again up to his tricks - this time concentrating on using the computer network of the Postal Bank to try and make some easy money. It started with a mysterious break-in at the Postal Bank branch office in the exclusive Dania housing district of Haifa. Bank officials reported the apparent burglary but found that nothing had been stolen and the case was closed. In fact, Sternberg, perhaps accompanied by an accomplice, had simply opened the communications box in the bank and connected a remote-controlled "access point" device to the computer network. "This gave him instant access to all of the bank's accounts and transactions nationwide," Supt. Herby Frimet of the Northern Region White Collar Fraud Squad told the Jerusalem Post on Wednesday. "The device itself could barely be seen and would not mean anything to anyone except an expert in the field, which is eventually what happened." Frimet said that in the interim Sternberg had made arrangements with six accomplices who either had accounts with the bank or opened new ones to which Sternberg transferred money from other accounts. "The deal was that they would get a percentage of the takings and he and his main partner would get the remainder," said Frimet. The range of the wireless connector was apparently restricted, but Sternberg overcame this problem by renting a small room in the offices of a real estate agent less than 30 meters away from the Postal Bank branch office in Dania. "He posed as a business representative and had a desk, a chair and his computer and that is where he worked with nobody being any the wiser as to his real activities," said Frimet.
The computer fraud came to light when officials at the Tel Aviv head office of the bank noticed that certain amounts of money were being transferred on a regular basis from the bank's main account to those of certain individuals. The instructions for the transfers originated from the Dania branch, and security experts, including those well versed in computers, were sent to the scene to investigate and eventually uncovered the wireless access point device attached to the computer network. Sternberg was convicted of having stolen some NIS 70,000 from the bank's accounts in this manner, although police said the actual figure was closer to NIS 400,000. Ambushes were set up and the accomplices were caught after making withdrawals from their accounts. Sternberg was arrested while "at work" at his "office" near the bank branch in Dania. "He and his gang were caught in the early stages and we were able to seize and return a large amount of the money," said Frimet. "Sternberg is a very clever man whom some might call a genius. He knows how to break codes and break through barriers. He could have earned a great deal of money doing a regular job but he chose a different path," Frimet added.

From isn at c4i.org Thu Apr 7 02:14:16 2005 From: isn at c4i.org (InfoSec News) Date: Thu Apr 7 02:23:36 2005 Subject: [ISN] Russian hackers 'the best in the world' Message-ID: http://www.zdnet.com.au/news/security/0,2000061744,39187427,00.htm By Dan Ilett Special to ZDNet 07 April 2005 The Russian police's cybercrime division, known as Department K, has warned that Russian hackers are the best in the world. "Everyone knows that Russians are good at maths," said lieutenant general Boris Miroshnikov of Department K. "Our software writers are the best in the world, that's why our hackers are the best in the world." Speaking at the e-Crime Congress in London on Tuesday, Miroshnikov said that the casual teenage hackers of the past developed their techniques as they grew older.
"It used to be naughty boys [doing this]," he said. "But now they've grown up. They realise if you are clever at something then you should use it to earn a living. They are hacking to get rich and uniting over networks." Miroshnikov called for unified international laws for Internet crime that would make it easier for the police to carry out arrests and charges around the world. On Tuesday the National Hi-Tech Crime Unit said that online crime cost UK firms AU$5.9bn last year. Miroshnikov said this was alarming, but that the international police effort was starting to take effect. "The statistics are really very worrying," he said. "If you look at 2001, 2002 and 2003, computer crime was doubling. It's only this year that we've started to hold back the growth. That's because we've worked so hard. "When governments get [ISPs], law enforcement, public and private sector cooperating, then and only then will we be able to succeed in holding back this type of crime." Russian hackers have been blamed for a series of distributed denial-of-service attacks against UK gambling Web sites, which are now urging ISPs to provide all their customers with better security.

From isn at c4i.org Thu Apr 7 02:15:13 2005 From: isn at c4i.org (InfoSec News) Date: Thu Apr 7 02:23:39 2005 Subject: [ISN] Security UPDATE -- In Focus: Keeping Private Information Private -- April 6, 2005 Message-ID:
====================
This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.
Diskeeper - The Number One Automatic Defragmenter http://list.windowsitpro.com/t?ctl=6DDE:4FB69
CrossTec http://list.windowsitpro.com/t?ctl=6DD7:4FB69
====================
1. In Focus: Keeping Private Information Private 2.
Security News and Features - Recent Security Vulnerabilities - New Alliance Automates Attack Mitigation - Bug Hunting for Mozilla Pays - Attack Shield Worm Suppression 3. Security Toolkit - Security Matters Blog - FAQ - Security Forum Featured Thread 4. New and Improved - Isolating Internet Activity
====================
==== Sponsor: Executive Software ====
Diskeeper - The Number One Automatic Defragmenter Keeping your systems up and running and available to the users is vital! Slow, crash-prone systems have a devastating effect on your organization's productivity. Disk fragmentation is a major cause of crashes, slowdowns and freeze-ups, and it must be kept in check. Fortunately, there is a solution: Diskeeper, the Number One Automatic Defragmenter. Automatic defragmentation boosts performance and reliability, reducing help desk traffic by heading off problems before they become emergencies. See for yourself: download a FREE 30-day fully functional evaluation version of Diskeeper. Install it then just "Set It and Forget It", and watch as the problems caused by fragmentation simply disappear! See why over 16 million Diskeeper licenses have been sold: get your free evaluation version of Diskeeper 9 now! http://list.windowsitpro.com/t?ctl=6DDE:4FB69
====================
==== 1. In Focus: Keeping Private Information Private ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
You might have read the somewhat recent news stories about people's private information being either stolen or leaked from four different entities. One incident involved consumer data collector ChoicePoint, which somehow managed to divulge the personal information of more than 140,000 people. It took the company quite some time to determine how many people's data was actually leaked. Another incident involved LexisNexis. Intruders managed to break in to the company's computer systems, where they gained access to roughly 32,000 people's private information.
Intruders also broke in to the computer systems of Chico State University (California) and gained access to the private information of nearly 60,000 people. And a laptop went missing from the University of California, Berkeley. As you might suspect, the laptop contained private information--of more than 96,000 people. These stories boggle the mind. In the first three incidents, the computers were accessed through the Internet. Crucial systems that, if breached, would affect thousands or even millions of people should under no circumstances be accessible via the Internet. There are other ways to provide necessary access to the information without adding the gigantic risk of a global open network. The Internet serves a fantastic and incredibly useful purpose. However, I don't think part of that purpose should include connecting every computing device on the planet. Intrusion incidents seem to make that notion very clear. The incident at Berkeley points out a different problem that has a simple solution. Don't keep sensitive information, such as the private information of more than 96,000 people, on a system that can be stolen by anybody capable of lifting a few pounds of weight. Even though the stolen laptop was supposedly in a "secure" area, it went missing. This incident points out the need for people to consider exactly what they keep on mobile computers, why they think they need to keep the data on such devices, and the worst-case scenarios of the computer and data being lost. People could argue that even a regular large server could be stolen. That's true. But someone is much more conspicuous walking out of a secure area with a big heavy computer box. By contrast, anybody can hide a laptop in a briefcase or backpack or under a jacket. In addition, regular computers and rack-mounted systems can be bolted into place such that they can't easily be taken or their covers removed to gain access to their internal devices, such as hard drives.
====================
==== Sponsor: CrossTec ====
FREE Download: The Next Generation of End-Point Security is Available Today. NEW NetOp Desktop Firewall's fast 100% driver-centric design offers a tiny footprint that protects machines even before Windows loads - without slowing them down. NetOp is also the only solution to provide process control as well as application control to give you the highest level of security. The NetOp Desktop Firewall utilizes real-time centralized management and control, intelligent network detection, stateful packet filtering, port blocking, protection from process hijacking, and much more. Try it FREE. http://list.windowsitpro.com/t?ctl=6DD7:4FB69
====================
==== 2. Security News and Features ====
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://list.windowsitpro.com/t?ctl=6DDF:4FB69
New Alliance Automates Attack Mitigation
A new alliance of network service providers, hosting companies, and educational institutions has joined together to automate attack mitigation. The Fingerprint Sharing Alliance, developed by Arbor Networks, is based on the company's Peakflow SP solution and lets alliance members share attack-fingerprint information to more quickly thwart attacks. http://list.windowsitpro.com/t?ctl=6DE8:4FB69
Bug Hunting for Mozilla Pays
Mozilla Foundation's Bug Bounty Program pays researchers to find security problems in Mozilla software. This week, the company awarded $2500 to German bug hunter Michael Krax. http://list.windowsitpro.com/t?ctl=6DE4:4FB69
Attack Shield Worm Suppression
Sana Security's Attack Shield Worm Suppression (WS) is a software-only solution to protect workstations from worms that spread via buffer-overflow attacks. The software operates only when an exploit makes a system call.
So although it prevents exploits from using a buffer overflow for actions such as privilege escalation and file-system access, it won't protect against buffer overflows that cause a crash by corrupting memory. Read the rest of Adam Carheden's mini-review on our Web site. http://list.windowsitpro.com/t?ctl=6DE7:4FB69
====================
==== Resources and Events ====
Meet the Risks of Instant Messaging Head On in This Free Web Seminar
Don't overlook IM in your compliance planning. Attend this free Web seminar and learn how to minimize IM's authentication and auditability risks and prevent security dangers. You'll also receive a list of the top requirements to consider when choosing a secure IM solution. Sign up now! http://list.windowsitpro.com/t?ctl=6DDB:4FB69
Get Ready for SQL Server 2005 Roadshow in a City Near You
Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now! http://list.windowsitpro.com/t?ctl=6DDC:4FB69
Windows Connections 2005 Conference
April 17-20, 2005, Hyatt Regency, San Francisco. Microsoft and Windows experts present over 40 in-depth sessions with real-world solutions you can take back and apply today. Don't miss Mark Minasi's entertaining and insightful keynote presentation on "The State of Windows" and your chance to win a 7-night Caribbean cruise! 800-505-1201. http://list.windowsitpro.com/t?ctl=6DED:4FB69
Overcoming "The Fiefdom Syndrome": How to Conquer the Turf Battles That Undermine Companies
Can your organization benefit by overcoming turf battles? Don't miss this opportunity to hear Robert J. Herbold, former COO of Microsoft and author of "The Fiefdom Syndrome," and Jim Davis, Senior VP, SAS.
Join Business Finance in welcoming these thought leaders on Tuesday, April 19th at 11:00 a.m. EST. Register here: http://list.windowsitpro.com/t?ctl=6DE2:4FB69
Keeping Critical Applications Running in a Distributed Environment
Get up to speed fast with solid tactics you can use to fix problems you're likely to encounter as your network grows in geographic distribution and complexity, learn how to keep your network's critical applications running, and discover the best approaches for planning for future needs. Don't miss this exclusive opportunity--register now! http://list.windowsitpro.com/t?ctl=6DDA:4FB69
====================
==== Hot Release ====
An Evaluation of the Total Cost of Ownership of Email Security Solutions
Quantifying the Total Cost of Ownership (TCO) of email security solutions is a notoriously difficult task. Discover how Total Cost of Ownership is much more than the initial acquisition cost of a solution, and how you can save thousands of dollars each year without sacrificing accuracy, control or effectiveness in protecting your email systems. Download this free whitepaper now! http://list.windowsitpro.com/t?ctl=6DD9:4FB69
====================
==== 3. Security Toolkit ====
Security Matters Blog by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=6DEB:4FB69
RootkitRevealer Is Now a Moving Target
RootkitRevealer is a new tool from Sysinternals that can help sniff out rootkits. Rootkit designers quickly started creating ways to hide their rootkits from RootkitRevealer, so last week, Sysinternals released a new version that uses random executable names to make the tool a moving target. http://list.windowsitpro.com/t?ctl=6DE5:4FB69
FAQ by John Savill, http://list.windowsitpro.com/t?ctl=6DE9:4FB69
Q: How can I move users between forests?
Find the answer at http://list.windowsitpro.com/t?ctl=6DE6:4FB69
Security Forum Featured Thread: File Permissions on an Archive Server
A forum participant has a Windows NT archive server on which files and folders are created, moved, and deleted regularly. He would like all the root folders on the server to automatically be created with read-only permission for regular users, but he'd like the files and folders below the root folders to have full permission for regular users. Join the discussion at http://list.windowsitpro.com/t?ctl=6DDD:4FB69
====================
==== Announcements ====
(from Windows IT Pro and its partners)
Check Out the New Windows IT Security Newsletter!
Security Administrator is now Windows IT Security. We've expanded our content to include even more fundamentals on building and maintaining a secure enterprise. Each issue also features product coverage of the best security tools available and expert advice on the best way to implement various security components. Plus, paid subscribers get online access to our entire security article database! Click here to try a sample issue today: http://list.windowsitpro.com/t?ctl=6DE1:4FB69
====================
==== 4. New and Improved ====
by Renee Munshi, products@windowsitpro.com
Isolating Internet Activity
GreenBorder Technologies announced the availability of GreenBorder, software that transparently isolates Internet activity performed through Microsoft Internet Explorer (IE) and Outlook from the desktop OS, user files, and the enterprise network. GreenBorder protects against damage, theft, and hijacking by Internet-delivered malicious code that uses HTTP or SMTP to break into the desktop. When users log off, GreenBorder automatically flushes the remnants of any Internet activity, including code, files, and cookies. GreenBorder Professional Edition has a desktop agent and a management server that provides centralized configuration, deployment, and reporting.
GreenBorder Personal Edition will be available free for download beginning this month. For more information, go to http://list.windowsitpro.com/t?ctl=6DEF:4FB69
Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.
Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.
====================
==== Sponsored Links ====
Quest Software Heading to Exchange from Notes or GroupWise? Get Expert Help! http://list.windowsitpro.com/t?ctl=6DF0:4FB69
NetOp - Control PCs from a USB Drive Securely access PCs from your desktop, web, CE, or thumb drive http://list.windowsitpro.com/t?ctl=6DF1:4FB69
====================
==== Contact Us ====
About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=6DEC:4FB69
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com
====================
This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=6DE3:4FB69 View the Windows IT Pro privacy policy at http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy Windows IT Pro, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2005, Penton Media, Inc. All rights reserved. From isn at c4i.org Thu Apr 7 02:15:30 2005 From: isn at c4i.org (InfoSec News) Date: Thu Apr 7 02:23:42 2005 Subject: [ISN] Warning on iPod threat Message-ID: http://www.vnunet.com/news/1162329 [I wonder if this CEO has been reading old copies of InfoSec News from about '02 - http://seclists.org/lists/isn/2002/Mar/0002.html - WK] Iain Thomson vnunet.com 06 April 2005 Portable media players like the iPod pose a significant security risk according to figures from software auditors Centennial Software. Nearly nine out of ten of the 220 IT managers questioned took no action to prevent such devices coming into the workplace even though over half of them recognised storage devices like the iPod as a threat. "External security risks are well documented, but firms must now consider internal threats, which are potentially even more damaging," said Andy Burton, chief executive of Centennial Software. "Deliberate or accidental, the damage caused by the misuse of removable media devices can be disastrous. Employees can seriously endanger the company by taking sensitive information off-site, introducing viruses, or simply creating a build up of unwanted files on the network." The survey found that many IT managers were ignoring the issue, with over a third saying they did not view the devices as a threat. Portable devices like the iPod can be used to store a whole variety of data, including documents and spreadsheets. The average word-processing file is between 25k and 30k, meaning that a 20GB player could hold more than 750,000 documents. 
From isn at c4i.org Thu Apr 7 02:15:51 2005 From: isn at c4i.org (InfoSec News) Date: Thu Apr 7 02:23:44 2005 Subject: [ISN] Arrest made in breach of military website Message-ID: Forwarded from: William Knowles http://www.denverpost.com/Stories/0,1413,36~53~2800528,00.html By Alicia Caldwell Denver Post Staff Writer April 06, 2005 A self-described male model and member of the notorious computer hacker group World of Hell was arrested last weekend and accused of breaking into U.S. Air Force computer servers in Denver, authorities said. Rafael Nuñez-Aponte, 25, of Venezuela bragged about bringing down a Web-based server network in 2001 that provided training for thousands of Air Force personnel, according to a federal arrest warrant unsealed Tuesday. Investigators said the telecom-security expert replaced the Air Force's Web page with his own and left the World of Hell website address. Authorities arrested Nuñez-Aponte on Saturday at an airport in Miami, said Jeff Dorschner, spokesman for the U.S. attorney's office in Denver. Dorschner declined to reveal how authorities knew that Nuñez-Aponte, who works for a Venezuelan telecommunications company, would be at the airport. The 24-page warrant details a litany of illicit activity that group members are said to have engaged in. They collected stolen credit-card numbers, bragged about defacing Web pages and hoarded pornographic images, including child pornography, authorities said. "It's a nefarious world," Dorschner said. The group, which took pride in proving that no site was too secure to be hacked, broke into more than 450 Web pages, according to arrest paperwork filed at U.S. District Court in Denver. Nuñez-Aponte, who used the computer name "RaFa," is said to have hacked websites belonging to drugmaker Pfizer and Rolex, the watch company, as well as other military sites.
Nuñez-Aponte said he had been majoring in computer science at a school in Caracas until moving to Paris to pursue a career in the fashion industry, according to the arrest warrant. Investigators have snared other members in Virginia and Tennessee. Last year, Thomas DeVoss, 21, was sentenced to 27 months in federal prison for breaking into hundreds of sites belonging to the military and other federal agencies, Dorschner said. And in 2002, a minor identified only as Cowhead2000 pleaded guilty in juvenile court to 133 counts of sexual exploitation of a minor and 176 counts of identity theft. He was sentenced to a youth detention center for an unspecified period.
*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Thu Apr 7 02:16:06 2005 From: isn at c4i.org (InfoSec News) Date: Thu Apr 7 02:23:47 2005 Subject: [ISN] New Domain Poisoning Attacks Microsoft Servers Message-ID: http://www.informationweek.com/story/showArticle.jhtml;jsessionid=DTNWKOIODZAFMQSNDBCSKH0CJUMEKJVN?articleID=160501495 By Gregg Keizer TechWeb News April 6, 2005 The DNS cache poisoning that first struck more than a month ago and led to users being redirected from popular Web sites to malicious sites that infected their machines with spyware is continuing, said the Internet Storm Center (ISC) Wednesday. The attacks are taking advantage of vulnerabilities and design flaws in Microsoft server software. DNS cache poisoning occurs when an attacker hacks into a domain name server, one of the machines that translate URLs such as www.techweb.com into the appropriate IP address.
The attacker then "poisons" the server by planting counterfeit data in the cache of the name server. When a user requests, say, techweb.com, and the IP address is resolved by the hacked domain server, the bogus data is fed back to the browser and the user is directed to another Web site, not the intended destination. To highlight the danger, the ISC raised its Homeland Security-esque alert color code from Green to Yellow. According to ISC, Yellow represents that "we are currently tracking a significant new threat. The impact is either unknown or expected to be minor to the infrastructure. However, local impact would be significant." To set the DNS cache poisoning threat in perspective, Yellow is the same alert color code that ISC used during the SQL Slammer, MSBlast, and Sasser worm outbreaks, three of the nastiest in the last two years. The newest attack, said Kyle Haugsness, one of the ISC analysts, is actually the third since March 4. Like the initial attack, the motivation is certainly money, since the result is again the installation of mass quantities of spyware on victims' PCs. "The motivation for these attacks is very simple: money," Haugsness said. "The end goal of the first attack was to install spyware/adware on as many Windows machines as possible." The second attack, he continued, "seems to have been launched by a known spammer." That second attack, which took place starting March 24, redirected users from legit sites to sites selling prescription drugs. Initially, Haugsness and the other ISC analysts thought that a DNS cache poisoning attack was beyond the skills of most spammers -- and so might be proof that the original attackers were contracting their services, but now he said "they might be completely unrelated. In fact, one of the things we discovered after looking into these attacks is just how easy they are to carry off."
The third, and still-ongoing, attack, which began March 25, has the same goal -- install spyware -- as the first, said Haugsness. One of the DNS servers involved in the early-March attack wasn't cleaned up properly, and the attacker returned and changed the poisoning tool. "Right now this is still going on," said Haugsness. "The attackers are changing IP addresses around and poisoning other DNS servers [to stay ahead of security authorities]." Among the domains included in one of the poisoned DNS servers during the first attack were major sites such as americanexpress.com, cnn.com, redhat.com, and msn.com. "These [665] domains/organizations did not have their DNS caches poisoned ... these organizations were not compromised, although it is possible that customers of these sites unknowingly gave out login information or personal information to the malicious servers," wrote Haugsness in a long report posted on the ISC site about the attacks. Although there's essentially nothing an end-user can do to protect him- or herself -- other than to regularly sweep the system for spyware and/or have real-time anti-spyware defenses up and running -- DNS server administrators, particularly those in enterprises, should scramble. Windows-based DNS servers are particularly vulnerable, since Windows NT Server 4.0 and Windows 2000 Server prior to SP3 are insecure against DNS cache poisoning attacks. Windows 2000 Server SP3 and later, as well as Windows Server 2003, are configured securely by default. (For more information, see this Microsoft Knowledgebase article. [1]) Other users that are vulnerable are those running various Symantec gateway security products who haven't patched bugs the Cupertino, Calif.-based vendor released in mid-March. But the entire Windows server software platform -- including properly configured NT/2000 and 2003 systems -- seems to have an architectural design flaw, said Haugsness, that makes them vulnerable to cache poisoning attacks.
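The cache-pollution mechanism the article describes depends on a resolver storing whatever records a response carries, including records for names the answering server has no authority over. Below is an added illustration (not code from the article, ISC or Microsoft) of the bailiwick rule a resolver applies to reject such records: a constructed response for www.example.com from the example.com server smuggles in an A record for www.techweb.com, and the filter discards it before it can reach the cache. All names, records and 192.0.2.x addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RR:
    """One resource record from a DNS response (constructed, simplified model)."""
    name: str      # owner name, e.g. "www.example.com."
    rtype: str     # "A", "NS", "CNAME", ...
    rdata: str     # address or target name
    section: str   # "answer", "authority" or "additional"


def normalize(name: str) -> str:
    """Lower-case a name and drop the trailing dot so comparisons are exact."""
    return name.lower().rstrip(".")


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone apex or a subdomain of it.

    The label boundary check ("." + zone) matters: a bare suffix test would
    let "notexample.com" pass as part of "example.com"."""
    n, z = normalize(name), normalize(zone)
    return n == z or n.endswith("." + z)


def filter_response(zone: str, records: List[RR]) -> Tuple[List[RR], List[RR]]:
    """Split a response from the server authoritative for `zone` into records
    the cache may keep and records it must discard.

    That server may legitimately describe names inside its zone (the answer,
    its own NS records, glue for its name servers). An A record for an
    unrelated name is outside its bailiwick; accepting it is the cache
    pollution the article describes."""
    accepted: List[RR] = []
    rejected: List[RR] = []
    for rr in records:
        (accepted if in_bailiwick(rr.name, zone) else rejected).append(rr)
    return accepted, rejected


class Cache:
    """Minimal resolver cache keyed by (name, type) that only stores
    in-bailiwick data and reports what it refused."""

    def __init__(self) -> None:
        self._store: Dict[Tuple[str, str], List[str]] = {}

    def update_from_response(self, zone: str, records: List[RR]) -> List[RR]:
        accepted, rejected = filter_response(zone, records)
        for rr in accepted:
            key = (normalize(rr.name), rr.rtype)
            self._store.setdefault(key, []).append(rr.rdata)
        # Rejected records are worth logging: a server that keeps sending
        # out-of-bailiwick data is either misconfigured or hostile.
        return rejected

    def lookup(self, name: str, rtype: str) -> List[str]:
        return self._store.get((normalize(name), rtype), [])


# Constructed response to "www.example.com. A" as if sent by the example.com
# name server. The last two records are the attacker's payload: data for a
# name the server has no authority over, in both additional and answer sections.
POISONED_RESPONSE = [
    RR("www.example.com.", "A", "192.0.2.1", "answer"),
    RR("example.com.", "NS", "ns1.example.com.", "authority"),
    RR("ns1.example.com.", "A", "192.0.2.53", "additional"),
    RR("www.techweb.com.", "A", "192.0.2.66", "additional"),  # out of bailiwick
    RR("www.techweb.com.", "A", "192.0.2.66", "answer"),       # out of bailiwick
]


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Feed the poisoned response to the cache and show the outcome:
    the legitimate answer is cached, the injected name is not."""
    cache = Cache()
    rejected = cache.update_from_response("example.com", POISONED_RESPONSE)
    return (
        cache.lookup("www.example.com", "A"),   # ['192.0.2.1']
        cache.lookup("www.techweb.com", "A"),   # [] -- nothing poisoned
        [rr.name for rr in rejected],           # the two injected records
    )


if __name__ == "__main__":
    print(demo())
```

The same filter applies to referrals: a response from a .com server carrying glue for ns1.example.com passes with zone "com", because that name is inside the .com bailiwick.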
He said ISC was working with Microsoft to pin down the exact cause.

"This is a lot easier to do than we thought," said Haugsness, who noted that cache poisoning isn't new. "That's the main reason we went out there with this, and bumped up to Yellow.

"What's scarier is that this could be used in a lot more subtle fashion, to make it difficult, or even impossible, to detect."

[1] http://support.microsoft.com/default.aspx?scid=kb;en-us;241352

From isn at c4i.org Thu Apr 7 02:16:23 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 7 02:23:48 2005
Subject: [ISN] Hacker law change gets elevator pitch in parliament
Message-ID:

http://www.theregister.co.uk/2005/04/06/hacker_law_pitch/

By John Leyden
6th April 2005

Measures to reform UK hacking law were aired in parliament yesterday. But a lack of mainstream political interest means that changes in the law are unlikely for some time.

Derek Wyatt MP, chairman of the All Party Parliamentary Internet Group (APIG), moved a 10 Minute Rule Motion calling for amendments to the Computer Misuse Act (1990) in parliament on Tuesday. His bill called for an increase in sentences for less serious hacking attacks (involving only unauthorised access to computer systems) from six months to two years. Wyatt also wants to introduce a specific offence for launching denial of service attacks, removing a potential grey area in existing laws. The proposals are the results of a public enquiry on the Computer Misuse Act carried out by APIG in March 2004.

Ten Minute Rule Motions, like all private members' bills, are very unlikely to become law. In this case the bill will not even get a second reading because parliament will be dissolved next week ahead of a general election on 5 May. The All Party Parliamentary Internet Group said it will continue to campaign on this issue in the next parliamentary term.
Simon Perry, VP of security strategy at Computer Associates EMEA, criticised the reluctance of political leaders on both sides of the House to treat cybercrime as a political priority.

"Derek Wyatt's efforts to re-start a debate in parliament regarding the Computer Misuse Act are to be applauded, but a paltry ten minute slot is not enough time or attention to give to such an important issue. This lack of interest is an insult to British businesses, which are most at risk from cyber attacks," he said.

From isn at c4i.org Fri Apr 8 01:55:28 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Apr 8 02:04:59 2005
Subject: [ISN] Computer security could be tied to agencies' funding
Message-ID:

http://www.govexec.com/dailyfed/0405/040705p1.htm

By Daniel Pulliam
April 7, 2005

House Government Reform Chairman Tom Davis, R-Va., said Thursday that agencies could have their budgets cut if their information technology security does not improve.

With several agencies struggling to meet requirements of the 2002 Federal Information Security Management Act, Davis said that compliance eventually has to be tied to funding. He also said that more time is needed for agencies to fall in line with the law.

"FISMA report cards are going to have to be tied to funding," Davis said. "That's often the only way to get [the agencies'] attention."

In an annual review by the committee, seven agencies received failing grades, which is one less than in 2003. The overall grade inched up 2.5 points to a D+ for cybersecurity, up from a D in 2003.

Davis said financial penalties only would be implemented if agencies do not continue to improve. He would not specify how much the penalties would be or at what point they would be implemented.

"Even the [agencies receiving failing grades] are trying hard to get there," Davis told Government Executive. "FISMA is just a few years old. You have to give them some time."
At a committee hearing Thursday, Davis questioned chief information officers from agencies that achieved the highest cybersecurity grades -- the Agency for International Development (which earned an A+) and the Transportation Department (with an A-) -- and the lowest achiever, the Homeland Security Department, which received an F.

"All you need is one... cyber attack and everyone will be all over this," Davis said. "They are going to ask who the fall guy is, and it's not going to be me."

Steve Cooper, DHS' chief information officer, who is leaving the agency later this month, told the panel that he is hoping the department achieves a D by fiscal 2006, but does not see its score improving in the next year because of the amount of time it takes to certify and accredit all of DHS' 3,600 systems. By comparison, Cooper said, AID must certify and accredit less than 10 systems, and Transportation must secure 480 systems.

Davis told panel participant Karen Evans, the Office of Budget and Management's administrator for electronic government, that he is pleased with the efforts to standardize cybersecurity.

"It's not how much money you spend, but how well you spend it," Davis said.

Evans said that agency security procedures remain deficient largely due to the complexity of securing the many systems. She said inconsistency in FISMA implementation and unnecessary duplication are areas of concern for OMB. The budget agency is working on new FISMA guidance regarding the privacy of information collected and performance requirements, according to Evans.

"While notable progress in resolving IT security weaknesses has been made, problems continue, and new threats and vulnerabilities continue to materialize," she said.

Evans added that creating an inspector general auditing framework similar to that used for financial audits would limit information sharing and keep agencies from being flexible in how they implement their cybersecurity resources.
"FISMA is an evaluation, not an audit," Evans said. "If it turns into an audit evaluation, it is less of an exchange of information."

From isn at c4i.org Fri Apr 8 01:55:43 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Apr 8 02:05:02 2005
Subject: [ISN] Indian call center workers charged with Citibank fraud
Message-ID:

http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,100900,00.html

By John Ribeiro
APRIL 07, 2005
IDG NEWS SERVICE

BANGALORE, India -- Former employees of a call center in Pune, India, were arrested this week on charges of defrauding four Citibank account holders in New York, to the tune of $300,000, a police official said.

The three former employees of Mphasis BPO, the business process outsourcing operation of Bangalore software and services company Mphasis BFL Group, are charged with collecting and misusing account information from customers they dealt with as part of their work at the call center, according to Sanjay Jadhav, chief of the cybercrime cell of the Pune police.

"Either in goodwill or on false pretenses, they also obtained the [personal identification numbers] from these account holders in the course of their work," Jadhav said.

The three former employees and their accomplices then used the services of SWIFT (Society for Worldwide Interbank Financial Telecommunication) to transfer funds from these accounts to their own accounts and fake accounts that were created for this purpose in Pune, he added.

Mphasis officials declined to comment on the matter. The Pune operation of the company runs a call center for New York-based Citibank N.A., a subsidiary of Citigroup Inc.

The police acted on a complaint from Citibank, which was alerted when account holders noticed suspicious transactions in their accounts, Jadhav said. Citibank officials weren't immediately available for comment.

Police arrested 12 people, three of whom were employees of Mphasis BPO in Pune until December last year.
When they quit their jobs, the three employees carried with them the details of the four accounts and used a number of subterfuges, including false e-mail accounts and account details, to transfer funds into accounts in Pune, Jadhav said.

"We caught one of them on Monday when he came to a bank in Pune to inquire about one of the accounts," Jadhav said. "After that, we were able to arrest the others."

The outsourcing of call center and other business processes from the U.S. and the U.K. to Indian companies has been criticized by many organizations, including U.S. and U.K. workers' unions, which complain that members are losing jobs as a result of offshore outsourcing. One of the key issues that has been raised is the danger of data theft and misuse.

The threat of data theft and misuse is no higher in India than in other countries, including the U.S., according to the National Association of Software and Service Companies in Delhi. The organization maintains that Indian outsourcing companies have adequate security systems in place.

From isn at c4i.org Fri Apr 8 01:56:02 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Apr 8 02:05:05 2005
Subject: [ISN] Fake bomb 'reaches castle area'
Message-ID:

http://news.bbc.co.uk/1/hi/uk/4418917.stm

7 April, 2005

Metropolitan Police chief Sir Ian Blair has ordered an inquiry into claims journalists drove a van carrying a fake bomb into Windsor Castle's grounds.

The Sun said the van passed St George's Chapel, where the marriage of Camilla Parker Bowles and Prince Charles will be blessed this Saturday.

The "apparent security breach" raised serious concern, Scotland Yard said.

The report comes after it emerged that on Sunday two tourists scaled a fence and entered a private castle area.

'Not searched'

Scotland Yard said Sir Ian wanted to establish the facts surrounding the latest report in Thursday's Sun.
The newspaper claimed it breached the castle's £5m security barrier with "breathtaking ease" and got to within a "stone's throw" of the Queen's apartments.

One of its reporters and a photographer say they drove up in a hire van with no security passes and no pre-arranged delivery time. On board was a brown box marked "bomb" and the reporter says he had a fake delivery note.

After an attempt to check up on them failed, they were allowed to drive into the grounds - past the chapel where the royal couple will be blessed - and they were not searched, the paper said.

Scotland Yard said in a statement: "It's only right the facts are established before any action is taken against any person who may be culpable."

A spokeswoman for Buckingham Palace said: "Security is a matter for the police who have been asked to investigate."

Windsor Castle staff are already investigating how two men were able to enter one of its private areas last weekend.

Scotland Yard said the tourists were detected immediately and taken back to the public area but not arrested.

"The secure area of the castle was not breached at any stage", a spokeswoman said.

[...]

From isn at c4i.org Fri Apr 8 01:56:15 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Apr 8 02:05:07 2005
Subject: [ISN] Dating site hack suspect arrested
Message-ID:

http://www.theregister.co.uk/2005/04/07/dating_site_hack_arrest/

By John Leyden
7th April 2005

Police last week arrested a 37-year-old man from Sheffield on suspicion of hacking into the website of London dating agency loveandfriends.com. The unnamed suspect allegedly hacked into the site, took control of members' profiles, and made demands for payment in exchange for securing the site.

Working with the victim company, officers from the Computer Crime Unit at Scotland Yard traced the suspect to his home in Sheffield, where they executed a search warrant on Friday, 1 April.
Met police officers seized the suspect's computers and recovered evidence that he was responsible for writing the Mirsa-A and Mirsa-B mass mailing worms, which posed as messages from campaign group Fathers 4 Justice.

The suspect was arrested for computer hacking offences (contrary to section three of the Computer Misuse Act 1990), interviewed and released on police bail pending further enquiries and analysis of his computer.

From isn at c4i.org Fri Apr 8 01:57:29 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Apr 8 02:05:10 2005
Subject: [ISN] Cool Cleveland Preview - Notacon
Message-ID:

http://www.coolcleveland.com/index.php/Main/CCPreviewNotacon

By Lee E. Batdorff

Interview with Paul "Froggy" Schneider, leader of Notacon

Paul "Froggy" Schneider and wife Jodie "Tyger" Schneider are the leaders of Notacon, one of a handful of "hacker conferences" in the U.S. The second annual Notacon will be held this Fri 4/8 thru 4/10 with over 300 geeks expected to attend this year at the Lakeside Holiday Inn in downtown Cleveland. This is over double the attendance of last year's Notacon. The Schneiders, both employees and graduates of Case Western Reserve University, lead a crew of 17 volunteers to produce the event.

Notacon started in Cleveland last year after Rubi-Con, held annually in Detroit Mich., went defunct. Notacon is among a select group of hackers' conferences nationwide including the large Defcon in Las Vegas, HOPE in New York City (sponsored by the hacker magazine 2600 of Middle Island N.Y.), LayerOne in Los Angeles, and ShmooCon in D.C.

While providing standard hacker fare of technological presentations and group discussions, Schneider says Notacon is also different from the other "cons" in that it attempts to explore the deeper issues of how technology affects society, arts and humanity.
More than just a "nuts and bolts" set of technical presentations, his goal is to challenge attendees to derive new insights, questions and interests from the material presented. At the same time, his ultimate desire is to build a larger culture of sharing and community among the region's technologists, musicians, artists and leaders.

This year's Notacon seminars include: Steering an Art Collective; Living on the Edge: The Sources of Creativity for Security Wizards and Hackers; The Evolution of a Tune: My Process of Arranging and Composing in a Home Studio; Software Testing: The BLEEDING Edge!; Open Source Entrepreneurialism; Amateur Radio Topics; Community Radio Broadcasting; and Notacon Big-Book-O'-Fun: U.S. Copyright history and the Creative Commons.

This year's DJs are Midnight Mixer, Computo, and Boston DJ team Sons of Liberty, plus during evenings there will be games and movies described as "a crowd-pleasing collage of video clips." Find more info on this three-day conference at http://www.Notacon.org

Cool Cleveland: What are hackers' conferences for?

Paul Schneider: Geeks oftentimes have a hard time really finding a "place" or community. Events such as this allow us to "let our hair down", to use a tired cliche, and simply have a really good time. The seriousness of the day's events is contrasted nicely at the end of the day with non-stop games, activities and maybe a trip or two to the bar.

How is Notacon different from the other hacker conferences?

Well, most hacker-type cons explore the mechanics of technology and how it works; the nuts and bolts. At Notacon, we cover some of this material, but we strive to find deeper issues involved: knowledge and insight implied by the technology being talked about, as opposed to a discussion of the technology itself. It's one thing to discuss how a Web site works that categorizes and publishes funny links, it's another to do the analysis to discover insight into what's been posted over the past years.
An example is Richard Thieme's talk which will address these issues. He is a former Anglican priest who after 16 years in priestly service started exploring technology and how it interacts with humanity, spirituality, etc. More information about Mr. Thieme can be found at: http://en.wikipedia.org/wiki/Richard_Thieme and on his website.

The point is, while on the surface Notacon shares attributes from other events like it, such as presentations, games and events, etc., we are subtly crafting it to promote the exploration of these other issues that lie just beneath the surface. The goal is to get people talking at a meaningful level about the material and to bring up new questions, insights and answers among themselves. It really is about community building without blaring out too loudly to everyone, "Hey, we want everyone to build a community and get along!" I believe when in the right environment, with the right material and the right "vibe," this is possible and that attendees, presenters and our staff pick up on it and see it through to its logical end.

Why have hackers' conferences in Cleveland?

Most hackers' conferences are either on the West or East coasts. There are a lot of really great people and things happening in the Midwest that can't be ignored. There's a huge market for this kind of information and entertainment that most people (with technical interests) want to have. A lot of them don't want to have to fly to New York City or Las Vegas to get it.

Also, for pragmatic reasons, I have lived in Cleveland all of my life and have become familiar and accustomed to the Midwest. I think Cleveland gets a bad rap most of the time. Hopefully, Notacon will showcase Cleveland and what it has to offer to out-of-town visitors with technical and amusement interests. This is challenging sometimes, as there often isn't as much to do, in downtown at least, as I had hoped for.
Visiting downtown Cleveland on a weekend reminds one of an Old West ghost town; it's honestly rather depressing for the average 20 to 35 year old. Events such as Notacon can at least bring back a little life and vibrancy to what really can be a cool city.

What is important with this year's theme: Exploring community through technology?

Each year we explore a different angle of how technology affects, complements and contrasts with society. Last year we focused on the arts and technology. This year we are building upon that but focusing on how community, both online and off, is influenced by the availability of cheap and effortless communication. Likewise, we also hope to show how sometimes technology can actually be a hindrance in fostering that sense of togetherness.

What good are hackers for our future?

If we define "hackers" to refer to people that really care about free information exchange and intellectual curiosity, then the answer is self-explanatory. We need more people who can look at problems and devise creative solutions to them. I believe we need people who are willing and able to question authority and to question the direction of society at large. Hackers are, in some ways, the best consumer advocates. While I do not condone any illegal activities or behaviors, I feel it is important that people are allowed the right to free thought personally, socially, and academically.

Can the business community of Cleveland find advantages through hackers?

Absolutely, if they are willing to listen. However, what hackers have to say isn't really specific to their stereotype. Business thrives upon innovation and stability, and events such as Notacon draw out people who are willing to attack both of these issues. Those with a hacker mentality, for example, are willing to challenge established practice and procedure in the interest of finding a better, more secure or more efficient way of doing things.
Developing these critical skills is important to the healthy future of any business. Of course, for obvious reasons it is difficult for employers to consider a "hacker mindset" a valuable asset simply due to the stigma of the word. Hence, I have trepidation in even using the word hacker at all.

Why is this conference called Notacon?

Notacon's name is a hacker's inside joke. It means it is "not another con." Con as in conference.

How did you come by the nickname "Froggy"?

I have always been a creative person (and hence the theme of "bridging the gap between art and technology" last year). In high school I did numerous theatrical productions. During my first production, "The Foreigner" by Larry Shue, I became associated with the character's namesake, Staff Sgt. Froggy LeSeur, a British army officer. "Froggy" became different and a way for me to stand out. It just kind of stuck and I kept on with it. It became a way to market myself in new and different ways. More importantly, it became my online "handle." There are lots of Pauls in the world, but there was, at least in my online microcosm of the old Cleveland Freenet and Northeast Ohio BBS scene, only one Froggy.

What are the interests of the people who attend?

Those interested in an event like this come from two camps and two separate mentalities: those who are solely interested in technology and what it can do, and those who are interested in the impact that technology has upon the world around us. Also, I believe there are two other camps that intersect: those who are interested in more of the "creative" and "artistic" aspects, and those who are more interested in the utilitarian ideas and applications.

How does an organizer mix different groups together?

I think the key to creating a good mix is to provide a broad range of topics along a technical continuum, if you will, such that everyone has at least a few talks in which they have a good comfort level.
From there, they are able to branch out into presentations that are perhaps a little more creative, or perhaps are focused on issues other than the mechanics of the system being discussed as a whole. I think Notacon does this well; our presentations are all over the map. However, by having every talk attempt to fulfill an aspect of our overall theme (this year's, of course, being "community and technology") we can further address the relevancy of each presentation such that attendees from these different mindsets can come to a greater appreciation of topics that may be out of their current knowledge base.

What is the age and education level of the attendees?

I have never formally surveyed either of these, as one of the hallmarks of events like these is privacy. However, from inspection, I'd say most attendees are in their twenties to early thirties. It is common to see everyone from high school students to those in their fifties or sixties attend. A great thing about this culture, if you will, is the degree to which age inclusively occurs. Education-wise, if I had to guess, I would say, again, we're all over the map. One constant, though, is those who attend want to learn. Whether they be self taught, college students or PhDs, everyone has a desire to learn about something they didn't know much about before.

How does age and education level of your attendees affect their outlook?

Events like these are designed to open eyes and, more importantly, open dialogue between attendees who previously had no basis for starting a discussion. Presentations and the questions they leave unanswered are perfect catalysts for further reflection and discussion. Hence, age and education level don't have as much of an impact, since most of the motivation behind attending and participating resides within attendees' personal desire to better themselves. Of course, everyone attending expects to have a good time as well, which is another important thing we try to provide.
Learning is a hell of a lot easier when you're having fun.

From isn at c4i.org Fri Apr 8 01:57:43 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Apr 8 02:05:12 2005
Subject: [ISN] Warning on iPod threat
Message-ID:

Forwarded from: Richard Forno

Same thing a (researcher but who had no security background) clown from Gartner in the UK said a few months ago. Perhaps Apple's new motto should be "ph34r the 1p0d" or something. Watch their sales rocket if they do. :)

To counter such "threats" means that either employees need to show up to work naked and sans ANY items (keys, keychains, lunchbags, purses, wallets, etc.) or companies will have to quit using computers. Neither scenario is feasible.

Of course, any company TRULY concerned about their data protection would want to eliminate the use of CDs, DVDs, printers, faxes, modems, and their internet connection, too. Yeah, I see that happening, too.

> The survey found that many IT managers were ignoring the issue, with
> over a third saying they did not view the devices as a threat.

Granted, the potential for such data leaks is a valid one, but perhaps the IT managers surveyed know more about what they view as a "threat" to their information than a third party like Centennial? I take such reports with a very large grain of salt.

-rick
Infowarrior.org

On 4/7/05 2:15 AM, "InfoSec News" wrote:

> http://www.vnunet.com/news/1162329
>
> [I wonder if this CEO has been reading old copies of InfoSec News
> from about '02 - http://seclists.org/lists/isn/2002/Mar/0002.html - WK]
>
> Iain Thomson
> vnunet.com
> 06 April 2005
>
> Portable media players like the iPod pose a significant security
> risk according to figures from software auditors Centennial
> Software.
>
> Nearly nine out of ten of the 220 IT managers questioned took no
> action to prevent such devices coming into the workplace even though
> over half of them recognised storage devices like the iPod as a
> threat.
>
> "External security risks are well documented, but firms must now
> consider internal threats, which are potentially even more
> damaging," said Andy Burton, chief executive of Centennial Software.
>
> "Deliberate or accidental, the damage caused by the misuse of
> removable media devices can be disastrous. Employees can seriously
> endanger the company by taking sensitive information off-site,
> introducing viruses, or simply creating a build up of unwanted files
> on the network."

[...]

From isn at c4i.org Fri Apr 8 01:57:57 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Apr 8 02:05:14 2005
Subject: [ISN] Chinese intelligence role in region is eyed
Message-ID:

http://www.miami.com/mld/miamiherald/11332057.htm

BY PABLO BACHELET
April 07, 2005

WASHINGTON - U.S. officials said Wednesday there is no evidence that China is seeking to boost its military presence in Latin America, but for the first time warned about Chinese intentions to establish an intelligence and cyberwarfare beachhead in the region.

Roger Noriega, assistant secretary of state for Latin America, and Rogelio Pardo-Maurer, the top Defense Department official for the Western Hemisphere, testified before a House panel as several legislators argued that China is trying to fill the void left by the lack of U.S. involvement in the region.

Noriega and Pardo-Maurer said China's interests in Latin America were mostly on the economic side, but warned that Beijing could also have an intelligence agenda as it increased trade with Latin America.

"There is no evidence of Chinese interest in establishing a continuous military presence in the region," Pardo-Maurer said.

Gen. Bantz Craddock, head of the Pentagon's Miami-based Southern Command, told Congress last month that Chinese defense officials made 20 visits to Latin America and the Caribbean last year, while defense delegations from nine Latin American nations visited China.
Pardo-Maurer added that Chinese military activity, including the sale of weapons, did not "pose a direct conventional threat to the United States or its friends and allies."

"However, we need to be alert to rapidly advancing Chinese capabilities, particularly in the fields of intelligence, communications and cyberwarfare, and their possible application in the region," he told the Western Hemisphere subcommittee of the House International Relations Committee.

The Bush administration wants other nations in the hemisphere to "take a close look at how such activities could possibly be used against them or the United States," he added.

DIRECT WARNING

This is the first time that a senior Pentagon official warned so directly about Chinese cyberwarfare capabilities in the region. Some U.S. officials have previously and privately expressed concern that Chinese personnel may be working at an electronic listening post in Bejucal, Cuba, believed to be also capable of carrying out cyberwarfare operations.

Pardo-Maurer would not elaborate during the House panel's public hearing, and offered to brief members in a classified session.

But a U.S. official who requested anonymity said the Bush administration was concerned that Latin American nations could wittingly or unwittingly end up hosting Chinese communications facilities that seek to harm the United States.

"We know that China . . . has made a top priority of this knowledge-based warfare," the official said, adding that as Latin American countries tighten links with China, some "may be tempted to think that, 'well, we can get away with letting China do these things here.'"

REACHING OUT?

Several members of Congress from both parties expressed concern that China is reaching out to Latin America's left-leaning leaders and in the process diminishing U.S. influence in the area.
"If we are not careful, Beijing's influence could easily unravel the region's hard-won, U.S.-backed reforms to fight against corruption, human rights abuses, increase government transparency and combat intellectual property violations," said Rep. Dan Burton, R-Ind., who chairs the Western Hemisphere subcommittee.

But Noriega also noted that despite recent inroads, China's weight in Latin America was still dwarfed by U.S. influence in the region, in both military and economic terms.

Besides the need for raw materials, China wants to lessen its isolation in the world, "pursue defense and intelligence opportunities" and isolate Taiwan, which is recognized by 12 Latin American nations, Noriega said.

From isn at c4i.org Fri Apr 8 01:58:16 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Apr 8 02:05:17 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-14
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2005-03-31 - 2005-04-07

This week : 58 advisories

========================================================================

Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================

1) Word From Secunia:

Want a new IT Security job?

Vacant positions at Secunia:
http://secunia.com/secunia_vacancies/

========================================================================

2) This Week in Brief:

A vulnerability has been discovered in various Mozilla based products, which can be exploited by malicious people to gain knowledge of potentially sensitive information.
Secunia has constructed a test, which can be used to check if your browser is affected by this issue:
http://secunia.com/mozilla_products_arbitrary_memory_exposure_test/

References:
http://secunia.com/SA14804
http://secunia.com/SA14820
http://secunia.com/SA14821

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================

3) This Week's Top Ten Most Read Advisories:

1. [SA14820] Mozilla Firefox JavaScript Engine Information Disclosure Vulnerability
2. [SA14821] Mozilla Suite JavaScript Engine Information Disclosure Vulnerability
3. [SA14792] PHP Multiple Vulnerabilities
4. [SA14654] Mozilla Firefox Three Vulnerabilities
5. [SA14804] Netscape JavaScript Engine Information Disclosure Vulnerability
6. [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerability
7. [SA12889] Microsoft Internet Explorer Multiple Vulnerabilities
8. [SA14784] Cisco VPN Concentrator 3000 Series HTTPS Packet Denial of Service
9. [SA14745] MIT Kerberos Telnet Client Buffer Overflow Vulnerabilities
10. [SA14808] Windows Server 2003 Local Denial of Service Vulnerabilities

========================================================================

4) Vulnerabilities Summary Listing

Windows:
[SA14812] MailEnable IMAP Buffer Overflow and SMTP Denial of Service
[SA14809] Star Wars Jedi Knight: Jedi Academy Message Handling Buffer Overflow
[SA14839] Active Auction House Cross-Site Scripting and SQL Injection
[SA14833] ProductCart Cross-Site Scripting and SQL Injection Vulnerabilities
[SA14825] Comersus Cart Username Script Insertion Vulnerability
[SA14811] Quake3 Engine Denial of Service Vulnerability
[SA14837] CA eTrust Intrusion Detection CPImportKey Denial of Service
[SA14829] DameWare NT Utilities / Mini Remote Control Privilege Escalation
[SA14790] BlueSoleil Object Push Service Directory Traversal Vulnerability
[SA14813] Adobe Reader / Adobe Acrobat Local Files Detection and Denial of Service
[SA14808] Windows Server 2003 Local Denial of Service Vulnerabilities

UNIX/Linux:
[SA14819] Red Hat update for tetex
[SA14816] Debian update for imagemagick
[SA14807] SGI Advanced Linux Environment Multiple Updates
[SA14806] Gentoo update for sylpheed / sylpheed-claws
[SA14800] Mandrake update for ImageMagick
[SA14791] teTeX Multiple Image Decoder Parsing Vulnerabilities
[SA14855] Ubuntu update for libapache2-mod-php4/php4-cgi
[SA14845] Red Hat update for curl
[SA14830] Gentoo update for dnsmasq
[SA14828] Slackware update for php
[SA14817] Debian update for krb5
[SA14805] Gentoo update for telnet-bsd
[SA14798] Ubuntu update for kernel
[SA14797] SUSE update for ipsec-tools
[SA14796] Mandrake update for libexif
[SA14794] Mandrake update for ipsec-tools
[SA14792] PHP Multiple Vulnerabilities
[SA14856] AIX Unspecified NIS Client System Compromise Vulnerability
[SA14826] Debian update for remstats
[SA14810] remstats Insecure Temporary File Creation and Arbitrary Command Execution
[SA14834] Debian update for wu-ftpd
[SA14803] Mandrake update for grip
[SA14799] phpMyAdmin "convcharset" Cross-Site Scripting Vulnerability
[SA14795] Mandrake update for htdig
[SA14847] Fedora update for mysql
[SA14846] Red Hat update for mysql-server
[SA14822] Conectiva update for mysql
[SA14842] FreeBSD sendfile Kernel Memory Disclosure Vulnerability
[SA14840] Trustix update for kernel
[SA14836] SCO OpenServer nwclient Privilege Escalation Vulnerability
[SA14835] SUSE update for kernel
[SA14827] FreeBSD amd64 Direct Hardware Access Security Issue
[SA14850] Fedora update for gaim
[SA14849] Ubuntu update for gaim
[SA14844] Red Hat update for gdk-pixbuf
[SA14838] Ubuntu update for libgdk-pixbuf2/libgtk2.0-0
[SA14818] Red Hat update for gtk2
[SA14815] Gaim Multiple Denial of Service Weaknesses
[SA14824] Ubuntu update for unshar

Other:
[SA14823] SonicWALL SOHO series Cross-Site Scripting and Script Injection

Cross Platform:
[SA14802] AlstraSoft EPay Pro Cross-Site Scripting and Arbitrary File Inclusion
[SA14814] BakBone NetVault Buffer Overflow Vulnerabilities
[SA14832] PayProCart Multiple Vulnerabilities
[SA14821] Mozilla Suite JavaScript Engine Information Disclosure Vulnerability
[SA14820] Mozilla Firefox JavaScript Engine Information Disclosure Vulnerability
[SA14804] Netscape JavaScript Engine Information Disclosure Vulnerability
[SA14793] MX Shop / MX Kart SQL Injection Vulnerabilities

========================================================================

5) Vulnerabilities Content Listing

Windows:

--

[SA14812] MailEnable IMAP Buffer Overflow and SMTP Denial of Service

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-04-04

Two vulnerabilities have been reported in MailEnable, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/14812/

--

[SA14809] Star Wars Jedi Knight: Jedi Academy Message Handling Buffer Overflow

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-04-04

Luigi Auriemma has reported a vulnerability in Star Wars Jedi Knight: Jedi Academy, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14809/

--

[SA14839] Active Auction House Cross-Site Scripting and SQL Injection

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-04-06

Diabolic Crab has reported some vulnerabilities in Active Auction House, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/14839/

--

[SA14833] ProductCart Cross-Site Scripting and SQL Injection Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-04-05

Diabolic Crab has reported some vulnerabilities in ProductCart, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/14833/

--

[SA14825] Comersus Cart Username Script Insertion Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-04-05

Zinho has discovered a vulnerability in Comersus Cart, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/14825/

--

[SA14811] Quake3 Engine Denial of Service Vulnerability

Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-04-05

Luigi Auriemma has reported a vulnerability in the Quake3 Engine, which can be exploited by malicious people to conduct a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/14811/

--

[SA14837] CA eTrust Intrusion Detection CPImportKey Denial of Service

Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-04-06

A vulnerability has been reported in CA eTrust Intrusion Detection, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14837/

--

[SA14829] DameWare NT Utilities / Mini Remote Control Privilege Escalation

Critical: Less critical
Where: From local network
Impact: Privilege escalation
Released: 2005-04-06

A vulnerability has been reported in DameWare NT Utilities and DameWare Mini Remote Control, which can be exploited by malicious users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/14829/

--

[SA14790] BlueSoleil Object Push Service Directory Traversal Vulnerability

Critical: Less critical
Where: From local network
Impact: Security Bypass
Released: 2005-04-01

Kevin Finisterre has reported a vulnerability in BlueSoleil, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/14790/

--

[SA14813] Adobe Reader / Adobe Acrobat Local Files Detection and Denial of Service

Critical: Not critical
Where: From remote
Impact: Exposure of system information, DoS
Released: 2005-04-04

Two weaknesses have been reported in Adobe Reader and Adobe Acrobat, which can be exploited by malicious people to enumerate files on a user's system or crash the application.

Full Advisory:
http://secunia.com/advisories/14813/

--

[SA14808] Windows Server 2003 Local Denial of Service Vulnerabilities

Critical: Not critical
Where: Local system
Impact: DoS
Released: 2005-04-05

Two vulnerabilities have been reported in Microsoft Windows Server 2003, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/14808/

UNIX/Linux:
--

[SA14819] Red Hat update for tetex

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-04-04

Red Hat has issued an update for tetex. This fixes multiple vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14819/

--

[SA14816] Debian update for imagemagick

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-04-04

Debian has issued an update for imagemagick. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14816/

--

[SA14807] SGI Advanced Linux Environment Multiple Updates

Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Spoofing, DoS, System access
Released: 2005-04-06

SGI has issued a patch for SGI Advanced Linux Environment. This fixes multiple vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting and spoofing attacks, cause a DoS (Denial of Service), and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14807/

--

[SA14806] Gentoo update for sylpheed / sylpheed-claws

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-04-04

Gentoo has issued updates for sylpheed and sylpheed-claws. These fix a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14806/

--

[SA14800] Mandrake update for ImageMagick

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-04-04

MandrakeSoft has issued an update for ImageMagick. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14800/

--

[SA14791] teTeX Multiple Image Decoder Parsing Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-04-04

Some vulnerabilities have been reported in tetex, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14791/

--

[SA14855] Ubuntu update for libapache2-mod-php4/php4-cgi

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-04-06

Ubuntu has issued updates for libapache2-mod-php4 and php4-cgi. These fix two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14855/

--

[SA14845] Red Hat update for curl

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-04-06

Red Hat has issued an update for curl. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14845/

--

[SA14830] Gentoo update for dnsmasq

Critical: Moderately critical
Where: From remote
Impact: Spoofing, Manipulation of data, DoS
Released: 2005-04-05

Gentoo has issued an update for dnsmasq. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or poison the DNS cache.

Full Advisory:
http://secunia.com/advisories/14830/

--

[SA14828] Slackware update for php

Critical: Moderately critical
Where: From remote
Impact: Unknown, DoS
Released: 2005-04-06

Slackware has issued an update for php. This fixes some vulnerabilities, where some have an unknown impact and others can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/14828/

--

[SA14817] Debian update for krb5

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-04-04

Debian has issued an update for krb5. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14817/

--

[SA14805] Gentoo update for telnet-bsd

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-04-04

Gentoo has issued an update for telnet-bsd. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14805/

--

[SA14798] Ubuntu update for kernel

Critical: Moderately critical
Where: From remote
Impact: Hijacking, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access
Released: 2005-04-04

Ubuntu has issued an update for the kernel. This fixes multiple vulnerabilities, which can be exploited to disclose information, cause a DoS (Denial of Service), gain escalated privileges, or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14798/

--

[SA14797] SUSE update for ipsec-tools

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-04-01

SUSE has issued an update for ipsec-tools. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14797/

--

[SA14796] Mandrake update for libexif

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-04-01

Mandrakesoft has issued an update for libexif. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/14796/

--

[SA14794] Mandrake update for ipsec-tools

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-04-01

MandrakeSoft has issued an update for ipsec-tools. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14794/

--

[SA14792] PHP Multiple Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Unknown, DoS
Released: 2005-04-01

Multiple vulnerabilities have been reported in PHP, where some have an unknown impact and others can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14792/

--

[SA14856] AIX Unspecified NIS Client System Compromise Vulnerability

Critical: Moderately critical
Where: From local network
Impact: Privilege escalation, System access
Released: 2005-04-06

A vulnerability has been reported in AIX, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14856/

--

[SA14826] Debian update for remstats

Critical: Moderately critical
Where: From local network
Impact: Privilege escalation, System access
Released: 2005-04-05

Debian has issued an update for remstats. This fixes two vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges and by malicious people to potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/14826/

--

[SA14810] remstats Insecure Temporary File Creation and Arbitrary Command Execution

Critical: Moderately critical
Where: From local network
Impact: Privilege escalation, System access
Released: 2005-04-05

Jens Steube has reported two vulnerabilities in remstats, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges, and by malicious people to potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14810/

--

[SA14834] Debian update for wu-ftpd

Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-04-05

Debian has issued an update for wu-ftpd. This fixes two vulnerabilities, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14834/

--

[SA14803] Mandrake update for grip

Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-04-04

MandrakeSoft has issued an update for grip. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14803/

--

[SA14799] phpMyAdmin "convcharset" Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-04-04

Oriol Torrent Santiago has reported a vulnerability in phpMyAdmin, allowing malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/14799/

--

[SA14795] Mandrake update for htdig

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-04-01

Mandrakesoft has issued an update for htdig. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/14795/

--

[SA14847] Fedora update for mysql

Critical: Less critical
Where: From local network
Impact: Privilege escalation, System access
Released: 2005-04-06

Fedora has issued an update for mysql. This fixes two vulnerabilities, which potentially can be exploited by malicious users to compromise a vulnerable system and by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/14847/

--

[SA14846] Red Hat update for mysql-server

Critical: Less critical
Where: From local network
Impact: Privilege escalation, System access
Released: 2005-04-06

Red Hat has issued an update for mysql-server. This fixes two vulnerabilities, which potentially can be exploited by malicious users to compromise a vulnerable system and by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/14846/

--

[SA14822] Conectiva update for mysql

Critical: Less critical
Where: From local network
Impact: Privilege escalation, System access
Released: 2005-04-05

Conectiva has issued an update for mysql. This fixes two vulnerabilities, which potentially can be exploited by malicious users to compromise a vulnerable system and by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/14822/

--

[SA14842] FreeBSD sendfile Kernel Memory Disclosure Vulnerability

Critical: Less critical
Where: Local system
Impact: Exposure of system information, Exposure of sensitive information
Released: 2005-04-06

Sven Berkvens and Marc Olzheim have reported a vulnerability in FreeBSD, which can be exploited by malicious, local users to gain knowledge of sensitive information.
Full Advisory:
http://secunia.com/advisories/14842/

--

[SA14840] Trustix update for kernel

Critical: Less critical
Where: Local system
Impact: Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS
Released: 2005-04-06

Trustix has issued an update for kernel. This fixes multiple vulnerabilities, which can be exploited by malicious, local users to disclose information, cause a DoS (Denial of Service), or gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/14840/

--

[SA14836] SCO OpenServer nwclient Privilege Escalation Vulnerability

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-04-06

Pasquale Minervini has reported a vulnerability in SCO OpenServer, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/14836/

--

[SA14835] SUSE update for kernel

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-04-05

SUSE has issued an update for the kernel. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/14835/

--

[SA14827] FreeBSD amd64 Direct Hardware Access Security Issue

Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2005-04-06

Jari Kirma has reported a security issue in FreeBSD, which can be exploited by malicious, local users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/14827/

--

[SA14850] Fedora update for gaim

Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-04-06

Fedora has issued an update for gaim. This fixes three weaknesses, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/14850/

--

[SA14849] Ubuntu update for gaim

Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-04-06

Ubuntu has issued an update for gaim. This fixes two weaknesses, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14849/

--

[SA14844] Red Hat update for gdk-pixbuf

Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-04-06

Red Hat has issued an update for gdk-pixbuf. This fixes a vulnerability, which can be exploited by malicious people to crash certain applications on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14844/

--

[SA14838] Ubuntu update for libgdk-pixbuf2/libgtk2.0-0

Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-04-06

Ubuntu has issued updates for libgdk-pixbuf2 and libgtk2.0-0. These fix a vulnerability, which can be exploited by malicious people to crash certain applications on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14838/

--

[SA14818] Red Hat update for gtk2

Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-04-04

Red Hat has issued an update for gtk2. This fixes a vulnerability, which can be exploited by malicious people to crash certain applications on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14818/

--

[SA14815] Gaim Multiple Denial of Service Weaknesses

Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-04-06

Three weaknesses have been reported in Gaim, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14815/

--

[SA14824] Ubuntu update for unshar

Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2005-04-05

Ubuntu has issued an update for unshar. This fixes a vulnerability, which potentially can be exploited by malicious, local users to conduct certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/14824/

Other:
--

[SA14823] SonicWALL SOHO series Cross-Site Scripting and Script Injection

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-04-05

Oliver Karow has reported two vulnerabilities in SonicWALL SOHO series, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks.

Full Advisory:
http://secunia.com/advisories/14823/

Cross Platform:
--

[SA14802] AlstraSoft EPay Pro Cross-Site Scripting and Arbitrary File Inclusion

Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2005-04-04

Diabolic Crab has reported some vulnerabilities in AlstraSoft EPay Pro, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14802/

--

[SA14814] BakBone NetVault Buffer Overflow Vulnerabilities

Critical: Highly critical
Where: From local network
Impact: System access
Released: 2005-04-05

class101 has reported some vulnerabilities in BakBone NetVault, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14814/

--

[SA14832] PayProCart Multiple Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Exposure of sensitive information
Released: 2005-04-05

Diabolic Crab has reported some vulnerabilities in PayProCart, which can be exploited by malicious people to conduct cross-site scripting attacks, disclose sensitive information, and bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/14832/

--

[SA14821] Mozilla Suite JavaScript Engine Information Disclosure Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2005-04-04

A vulnerability has been discovered in Mozilla Suite, which can be exploited by malicious people to gain knowledge of potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/14821/

--

[SA14820] Mozilla Firefox JavaScript Engine Information Disclosure Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2005-04-04

A vulnerability has been discovered in Mozilla Firefox, which can be exploited by malicious people to gain knowledge of potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/14820/

--

[SA14804] Netscape JavaScript Engine Information Disclosure Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2005-04-05

A vulnerability has been discovered in Netscape, which can be exploited by malicious people to gain knowledge of potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/14804/

--

[SA14793] MX Shop / MX Kart SQL Injection Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-04-01

Diabolic Crab has reported some vulnerabilities in MX Shop and MX Kart, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/14793/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Mon Apr 11 05:24:11 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Apr 11 05:39:34 2005
Subject: [ISN] Critical Windows patch on the way
Message-ID:

http://news.com.com/Critical+Windows+patch+on+the+way/2100-1002_3-5659348.html

By Ina Fried
Staff Writer, CNET News.com
April 7, 2005

Microsoft will provide a variety of patches, some of them critical, when it delivers its monthly batch of security updates next Tuesday.

In a notice posted to its Web site Thursday, Microsoft said to expect critical fixes for Windows, Office, MSN Messenger and Exchange. In all, the software maker said it is planning to release eight patches, five of them for Windows.

In addition, Microsoft will release a new version of its malicious software removal tool, which is a sort of basic antiviral software that removes specific known bugs from a machine. The company said it will have two high-priority Windows upgrades, not related to security issues, that will be made available via its automatic Windows Update service.

The software maker had no regularly scheduled security patches last month, after releasing a dozen updates in February. That month, the company also fixed a security hole in the digital rights technology within Windows Media Player.

In an effort to help businesses manage the company's security patches, Microsoft has gone to a once-a-month schedule for most fixes. More recently, the company has begun publicly outlining what patches to expect just prior to releasing the patches themselves.
From isn at c4i.org Mon Apr 11 05:24:33 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Apr 11 05:39:37 2005
Subject: [ISN] Brazil accuses U.S. firm of spying
Message-ID:

http://washingtontimes.com/world/20050407-105131-7115r.htm

By Martin Arostegui
THE WASHINGTON TIMES
April 08, 2005

RIO DE JANEIRO -- A leading American consulting company is under investigation in Brazil on suspicion that it intercepted e-mails and used wiretaps and other illegal methods to monitor people who now hold Cabinet positions in the government of President Luiz Inacio Lula da Silva.

Kroll Associates Inc. also bribed government and police officials to obtain confidential information, according to authorities investigating an industrial espionage scandal, which also involves U.S. and Italian multinational companies.

Kroll's offices in Sao Paulo and Rio de Janeiro were raided in October by Federal Police searching for evidence that the world's biggest private intelligence firm had used illegal monitoring methods.

The purported victims include Cassio Casseb, a former president of Banco do Brasil, and Luiz Gushiken, who serves as minister of government communications.

Kroll, founded in New York in 1972, describes itself on its Web site as 'the world's leading risk consulting company,' with offices in more than 60 cities in the United States and abroad.

It boasts that it can 'scrutinize accounting practices and financial documents; gather and filter electronic evidence for attorneys; recover lost or damaged data from computers and servers; conduct in-depth investigations; screen domestic and foreign-born job candidates; protect individuals and enhance security systems and procedures.'

It is standard practice in some large corporations to have Kroll conduct background checks on candidates for top positions.
The company also is reported to have been hired by governments to track down public funds stolen by the likes of Philippines President Ferdinand Marcos, Haitian dictator Jean-Claude 'Baby Doc' Duvalier and Iraqi dictator Saddam Hussein, all of whom have been ousted.

According to the Federal Police, confiscated Kroll documents contain records of payments to officers of state-run Brazilian savings and loan institutions and the Sao Paulo city police that are thought to represent bribes, usually $100 to $200.

Government prosecutors also cite witnesses who say they acted as intermediaries for Kroll's undercover efforts to obtain account numbers, banking codes and other secret information.

Spokesmen for Kroll complain that the government is violating judicial procedure by disclosing evidence prior to a trial and that much of the information the company is accused of stealing is publicly available on the Internet.

Kroll was hired by owners of Brazil's telecommunications firm, Brazil Telecom, to investigate suspected insider trading by business executives and government officials during a takeover bid by the Italian communications giant, Telecom Italia.

It was clearly a major operation involving top-level officers of Kroll's London and New York headquarters. The head of Kroll's Milan, Italy, office also came to Rio de Janeiro to supervise the investigation, according to journalists who say they met with him.
From isn at c4i.org Mon Apr 11 05:24:47 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Apr 11 05:39:39 2005
Subject: [ISN] Grand National extortion attacks 'unlikely'
Message-ID:

http://news.zdnet.co.uk/internet/security/0,39020375,39194300,00.htm

Dan Ilett
ZDNet UK
April 08, 2005

Police are confident that gambling Web sites will be safe from cybercriminals threatening to disrupt betting on the Grand National

The massive bandwidth extortion attacks that crippled online gambling sites last year are unlikely to be repeated ahead of this year's Grand National horse race, which takes place on Saturday, industry experts predicted on Friday.

According to police sources, complaints of attacks have eased off since the arrest of a gang believed to be behind a protection racket which forced Web-gambling firms to pay up or face long periods of downtime on their systems.

"An attack is unlikely," said a spokeswoman for the National Hi-Tech Crime Unit. "We arrested the people behind it in Russia last year."

Bandwidth attacks using networks of compromised computers, also known as distributed denial-of-service (DDoS) attacks, are used by hackers to cripple a Web site by sending its servers more data than they can process, ultimately forcing it offline. This type of attack was used last year against several betting Web sites to disrupt their operations.

"The number of [DDoS attacks] we get phone calls about is very low now," said Paul Lawrence, general manager at Top Layer, a vendor involved in protecting Web sites from DDoS attacks. "I can't say there's been an increase."

Last year, Russian police claimed that the gang behind the attacks had caused about £40m in damage. Yevgeny Yakimovich, the chief of the Russian Interior Ministry's Department K, which tackles cybercrime, said DDoS attacks were launched at nine UK bookmakers. Those responsible then demanded up to £28,000 before they would stop the attacks, which typically coincided with major sporting events.
From isn at c4i.org Mon Apr 11 05:25:25 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Apr 11 05:39:42 2005
Subject: [ISN] Patient IDs stolen in computer thefts
Message-ID:

http://sanjose.bizjournals.com/sanjose/stories/2005/04/04/daily47.html

Robert Mullins
April 8, 2005

San Jose Medical Group has changed computer security procedures in the wake of a burglary in which computers storing personal data about patients were stolen.

The medical group, an organization of more than 200 doctors who practice at Silicon Valley hospitals and clinics, was deluged with telephone calls Friday from patients who received a letter from the group the day before that the computer theft could make them a victim of identity theft.

It mailed notices to 185,000 patients informing them of the theft and encouraging them to contact any one of three credit bureaus in the U.S. in case someone tries to obtain a credit card in their name. The notice is required under California law.

Burglars broke into the medical group's offices at 400 Race St., San Jose, March 28 and stole two computers that were in a room whose locked doors were forced open. The computers stored names, addresses, Social Security numbers and confidential medical information about patients. They were the only computers in the organization that contained this personal data, which was being stored on them as part of an audit, said Dr. Dean Didech, chief medical officer.

"We have changed security issues with regard to what we do with computers that handle such information," Mr. Didech said.

The medical group has received hundreds of calls from patients with questions about the notice. Patients have been advised to contact one of the credit bureaus to have a "fraud alert" placed on their credit file, which would warn creditors that the named person may be a victim of identity theft. A fraud alert filed with one bureau is shared with the other two. Patients also can receive a copy of their credit report at no charge.
"When you receive your credit reports, look the papers over carefully," wrote Ernie Wallerstein, chief executive officer of San Jose Medical group, in the letter mailed to patients and also handed out to people visiting clinic sites Friday. "Look for accounts that you did not open. Look for inquiries from creditors that you did not initiate. Look for personal information such as a home address or Social Security number that is not accurate." Patients can contact the credit bureaus by phone or online: Experian: 888-397-3742 www.experian.com Equifax: 888-766-0008 www.equifax.com TransUnion Corp.: 800-680-7289 www.transunion.com From isn at c4i.org Mon Apr 11 05:25:37 2005 From: isn at c4i.org (InfoSec News) Date: Mon Apr 11 05:39:44 2005 Subject: [ISN] Industry group draws scrutiny Message-ID: http://www.fcw.com/article88532-04-08-05-Web By David Perera April. 8, 2005 Government officials last week scaled back their involvement in a newly formed public/private council of security officers amid controversy about the appearance that a select group of vendors could have undue influence on public policy. O'Keeffe and Co., an Alexandria, Va.-based public relations and marketing agency, spearheaded development of the Chief Information Security Officers (CISO) Exchange as a forum for discussions between government officials and industry executives. Full industry membership costs $75,000. Backers have used the participation of Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee, and the CIO Council's sponsorship as selling points in materials aimed at soliciting industry members. "It seems as if all you're doing is selling access to Congress," said Mark Amtower, a partner at Amtower and Co. Davis' association with the organization changed late last week when his spokesman, David Marin, announced that the congressman would withdraw from the exchange in any official capacity. 
A photograph of Davis, which had been in the advisory board section of the CISO Exchange Web site, was taken down April 7.

CIO Council officials are also "reviewing the proposed structure of that forum to ensure that it is accessible and is consistent with open access to federal resources," said Dan Matthews, the council's vice chairman.

While observers praise the concept of a CISO Exchange in the hopes of raising the visibility of cyber-security issues, the controversy swirling around the change has instead raised questions about similar organizations and the appropriateness of holding events for government officials that industry representatives pay to attend.

Scores of companies organize a wide variety of events, including 101Communications' FCW Media Group, which owns Federal Computer Week. Like its competitors, FCW Media Group hosts a series of events, such as the Government CIO Summit.

Much of the controversy around the CISO Exchange, however, stems from the perception of an inappropriate link between the group's paying members and government policy-makers.

Steve O'Keeffe, executive director of the CISO Exchange and the principal of O'Keeffe and Co., said the group's members would publish an annual report on federal information security priorities and operational issues and would host an annual awards dinner on the evening that Davis announces the latest federal computer security report card grades.

Industry observers say the issue is the annual report on federal priorities. Given the involvement of senior members of Davis' staff and the CIO Council, the group's report could be perceived as representing government policy.

CISO Exchange publicity had listed Melissa Wojciak, staff director for the House Government Reform Committee, and Vance Hitch, the Justice Department's CIO and the CIO Council's privacy and security liaison, as co-chairing the group's advisory board. The board will select the annual report's topics.
To "contribute in the development" of that report, industry participants were invited to pay $25,000 or $75,000, according to CISO Exchange materials. Some industry sources have worried that with Wojciak, Hitch and federal CISOs' names attached, the report would carry official weight. Marin said Wojciak will continue to informally participate in the exchange, but Davis "wants to make absolutely sure that no one infers that the committee's name or resources are being used to support a commercial endeavor or that the committee's role will imply that any work product produced will somehow have the committee's imprimatur on it. Nor does he want any would-be sponsor to believe that sponsoring the exchange means they will have an inside track to him or committee staff." "If in fact you cannot contribute [to the report] or participate without being a sponsor, then that would be a cause for concern," said Amit Yoran, formerly director of the Homeland Security Department's Cyber Security Division. "It sounds like it's unclear whether or not that's the case." The exchange "represents a new model in public/private interaction and collaboration, and we are very proud of the construct," O'Keeffe said. When asked about the necessity of paying to be able to contribute to the report, he said, "I have not made it an exclusive situation." The Exchange's structure consists of a two advisory board co-chairs, six federal executives - mostly CISOs - and six system integrator company representatives, who must each pay $75,000 apiece. The board selectes the topics of annual report on federal information security priorities. Industry officials can pay $25,000 to join at a lesser level and "contribute in [the] development" of the annual report, but not sit on the board. 
The third and least expensive level of industry participation is $5,000, for which industry officials can participate in a lottery to attend quarterly CISO Exchange events but cannot play a role in the report's development.

The money will be used to pay for expenses of the exchange's quarterly events and preparation of the annual report, O'Keeffe said. His company will charge by the hour for CISO Exchange support. Industry participants at the $5,000 level will also be able to contribute to the report, he said.

The group's publicity has also included a quote from Hitch stating that "agency CIOs will require their CISOs to attend the CISO Exchange full program meetings." That quote was wrongly phrased, O'Keeffe said. "This quote should have read 'ask' their CISOs to attend," he said. Hitch could not be reached for comment.

Controversy surrounding the program has been around since Davis announced its creation in February.

"I would have been happier if this had come about through a nonprofit that was open to everyone," said Thomas Hewitt, a member of the board of directors at Sigaba, an information security management company. "I absolutely applaud the founders for creating the CISO Exchange." However, "access to government employees should be available to all people, not just those with a large budget."

"If this was a group driven by industry and run by industry," there would be no problem with the arrangement, one industry source said. "But when the chairman is the staff director of the full Government Reform Committee, it gives it a different level of credibility and attention."

Paul Kurtz, executive director of the Cyber Security Industry Alliance, said he's in a wait-and-see mode. "I'd like to learn more from Congressman Davis' staff as to what their roles are going to be," he said. Efforts to raise the profile of information security should be welcomed, "but the devil's in the details," he added.
Don Upson, formerly Virginia's secretary of technology, who helped conceptualize the CISO Exchange, said industry officials who feel shut out by the steep prices of the CISO Exchange are always free to contact participating government officials directly. Money collected through the exchange is unlikely to yield a profit, he added.

Upson said he's involved in the exchange "because it's the right thing to do, because I'm passionate about what this technology and management can do, and because I have been for 27 years."

O'Keeffe defended the CISO Exchange as being no different than other private sector events featuring government speakers.

From isn at c4i.org Mon Apr 11 05:25:52 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Apr 11 05:39:47 2005
Subject: [ISN] OSVDB Recognized as 501(c)3 Non-Profit Organization
Message-ID:

Forwarded from: jkouns

OSVDB Recognized as 501(c)3 Non-Profit Organization

The Open Source Vulnerability Database, a project to catalog and describe the world's security vulnerabilities, has continued to focus on improving database content and increasing services offered to the security community. Since the official launch of OSVDB in March 2004, the vulnerability database has grown from 1000 to over 6700 complete entries. This rapid growth has far surpassed initial estimates, and the project's many successes show that the open source community can truly deliver world-class security information.

OSVDB's rapid success is directly attributed to the dedicated volunteers who help populate, maintain and enhance the database. Their hard work has already allowed OSVDB to exceed the amount of vulnerability information available in some databases. At the current rate of growth, the project is poised to surpass the other vulnerability databases by the end of 2005. "It will soon become mandatory for security professionals to use OSVDB if they want the most thorough information available," says Brian Martin, one of the project leaders.
The OSVDB leadership team has been aggressively working to ensure the long term viability of the project. After improving content to be recognized as an industry leader, the team determined that incorporating as a non-profit organization was imperative to OSVDB's future success. Founded to formally run the OSVDB project, the Open Security Foundation has been approved as a 501(c)3 non-profit organization under United States law. Jake Kouns, OSVDB project lead, says, "Achieving our non-profit status will allow us to seek funding and ensure free vulnerability information will be available for years to come."

Two of the OSVDB project leaders, Brian Martin and Jake Kouns, will be presenting a talk called "Vulnerability Databases: Everything is Vulnerable" at cansecwest/core05 (http://www.cansecwest.com/) in May 2005. The presentation aims to provide an unbiased review of vulnerability databases, and addresses the value they should provide to security practitioners.

###

More Information:

Jake Kouns
Open Source Vulnerability Database Project
+1.804.306.8412
jkouns@osvdb.org

From isn at c4i.org Mon Apr 11 05:26:05 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Apr 11 05:39:49 2005
Subject: [ISN] Who's Watching You Through Your Web Cam?
Message-ID:

http://wcco.com/localnews/local_story_099193700.html

Apr 9, 2005

Minneapolis (WCCO) - Web cams are now inside millions of homes, allowing friends and family to chat face to face. But, they could also be opening up private homes to prying eyes.

Web cams capture everyday images: a teen coming home from school, a family pet or college students working in a computer lab. Thousands of pictures like these are now easily accessible on the Internet, raising issues of personal privacy.

"The thing that's concerning about this is that anybody could be looking at people through these Web cams," said Annalee Newitz of the Electronic Frontier Foundation. "These people's pictures are being released everywhere all over the world."
Web cams have unique Internet addresses, much like web pages, and most cameras use similar patterns and codes, which are no secret to cyber snoopers.

"All they need to find these cameras is a few letters and numbers that are typical of the Web pages where these cameras are found," Newitz said.

With the help of almost any search engine, someone can find thousands of links to live camera feeds. Many are harmless scenes like a bird's nest, but we found private documents lying on someone's desk. Sometimes, you can even take control of a stranger's Web cam. We zoomed right into someone's window.

Jared Johnson said he uses a Web cam to keep tabs on his dog when he's not home. He said he's appalled by the idea that strangers could peer into his private life.

"You're exposing yourself, your life, your business and your house," Johnson said.

So, Johnson is doing everything he can to protect his camera. He uses a firewall and password, the same security features he uses with his computer.

Taking simple security measures is crucial, according to Frederick Nilsson of Axis Communications, a leading manufacturer of Web cams.

"The cameras have the built-in security features such as the password protection and the firewalls, etc., and it's up to the user to use them or choose not to use them," Nilsson said.

Legal experts said laws regarding these types of technologies are murky and that Web cam owners usually have few legal options if they feel violated.

"After all, the person who set up the Web cam put it on the Internet and left it in a position where you could access it with either the default password or no password at all," lawyer Jennifer Granick said.

But, Johnson isn't worried since his camera is secure. He said there's no reason to leave yourself open for all eyes to see.

"That's something that can be solved so simply," Johnson said. "Take the extra steps to learn how to secure it."
From isn at c4i.org Tue Apr 12 07:01:46 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Apr 12 07:15:35 2005
Subject: [ISN] How to protect your computer
Message-ID:

http://australianit.news.com.au/articles/0,7204,12819346%5E15841%5E%5Enbv%5E,00.html

Angus Kidman and Anthony Fordham
APRIL 12, 2005

THE release of Windows 95 10 years ago marked a key turning point in the evolution of the consumer internet. Built-in support for core internet protocols in Windows 95, combined with rapid growth in the number of consumer-focused internet service providers (ISPs), helped transform the net from a specialist geek pastime into something everyone wanted.

In 2005, it's much simpler to get connected to the internet, and even easier to fall victim to myriad security threats.

"There's all this malicious stuff out there, and 10 years ago there wasn't that much," says Sean Richmond, senior technology consultant for computer security software company Sophos. "The internet in 1995 was a reasonably safe place to wander around. Now it's got that feeling where you have to be on guard. You have to be on the ball a lot and pay a lot more attention to what you need to do to be safe."

The threat of viruses was alive and well in 1995. However, the evolution of malware (code designed to either damage your computer or steal resources and information) has put a wider range of threats on centre stage.

"There's a constant hum of malicious code roaming the internet," says John Donovan, managing director for Symantec for Australia and New Zealand.

According to Allan Bell, Asia-Pacific marketing director for McAfee, the history of malicious code can be divided into five broad stages. In the pre-network era, roughly from 1986 to 1995, viruses spread largely via floppy disks. Over the next four years, macro viruses in popular applications such as Word and Excel dominated. Between 1999 and 2001, mass-mailing viruses that distributed themselves via email took centre stage.
From 2001, blended threats that combine existing technologies became predominant. More recently, "content invasion" problems such as spyware (which invisibly tracks what you do on your PC) and phishing (which uses "social engineering" to try to access sensitive information such as credit card details) have become dominant.

Computer security group Trend Micro says the broad virus problem has not disappeared. It reckons more than 8 million systems were infected in the first three months of this year.

"Viruses and worms do still infect systems, but it's less obvious. Trojans are by far the most common things we're seeing now," Sophos' Richmond says.

However, it's the sheer range of potential attacks that now poses the biggest challenge for consumers and security companies. McAfee's Bell says: "Threats in the past have been very much mass-market threats. The trend you'll see in the future is more customised and personalised attacks."

New technologies create new risks, says Stuart Marburg, managing director of internet service provider Netspace. "Consumers are putting themselves at financial risk by not securing their wireless networks, leaving their broadband connection open for anyone to use their account to check emails and surf the internet," he says.

A core change in recent years has been in the profile of the typical malware writer, says Ben English, senior product manager for security at Microsoft Australia. "Organised crime has taken an interest in the internet as a route to market," he says. "Money is now the predominant driving factor, and the sophistication is increasing. We've moved away from a nuisance attack model into a more crime-based scenario."

There's no room for naivety on the net, Richmond says. "There's a definite interest in ripping people off, and that's making the internet less fun," he says. "The amount of adware and spyware is driving people away from the idea of browsing around for its own sake."
With that said, the biggest problem for most consumers is their failure to keep their systems up-to-date with software patches and updates. "One problem is the rate of change," Bell says. "We're seeing multiple vulnerabilities emerge every day, but multiple patches are just not realistic for the average consumer."

Lack of education and awareness among users is a big problem. "You can choose to use a different browser, but you have to know you're able to do that," Richmond says.

Such solutions are often short-term in any case. For instance, in its most recent Internet Security Threat report, Symantec noted that while Internet Explorer continued to display more serious vulnerabilities, "alternative" browsers such as Firefox were increasingly being targeted.

Many consumers also incorrectly assume that newly-purchased PCs will be up-to-date and secure out of the box. "One of the most unsafe things you can do is buy a brand-new PC and plug it into a broadband network and see what happens," Donovan says.

Richmond says: "You can be part of a botnet within 15 minutes of connecting an unprotected system to the internet."

With any new system, experts advise downloading patches for all key applications and ensuring security software is set up before performing any other tasks.

While future trends may be difficult to predict, one thing is certain: PC security problems aren't going to go away. "Anywhere there's software, there's going to be vulnerabilities," Bell says. But regular updating of security software combined with a healthy degree of cynicism will protect users from most problems.

Marburg says: "The key to internet security is common sense. As an ISP we can provide pre-emptive measures to safeguard our customers from viruses, but we cannot reach into their computer and stop our customers from handing over their personal information online or downloading files from the internet."
Richmond says: "You don't need to be terrified and paranoid, you just need to be informed. Don't make a target of yourself and act like an idiot." In other words, just exercise some good common sense.

KEEPING YOUR PC HEALTHY

THE maintenance involves a combination of proactive and reactive tasks designed to keep your machine in perfect running order. Here are the most important.

Windows security updates

Nearly as effective as antivirus software, staying on top of Windows security updates will keep your machine in good running order. Automatic updates will alert you whenever there is a new fix or patch, but you can also select Windows Update from the Start menu. Be sure to install new service packs as they are released, but take the time to read accounts online of how the service pack has affected users so you can be prepared for any potential teething problems.

Fresh install

Recommended for the experienced user only, the ultimate solution to instability is a complete fresh reinstall of all your software, including Windows. Make sure you have everything you need on disc, not forgetting applications such as word processors, games, and, of course, your personal files. Delete Windows at the hard drive partition level, by using the command line instruction FDISK. If you reinstall over an old copy of Windows, it may not fix the instability. You can benefit from a complete reinstall every 18 months or so, but the operation is incredibly risky and not recommended for inexperienced users.

Control installations

When installing a new program, don't let the installer choose the folder. Most applications put themselves under Program Files, which results in a huge list of folders that can be difficult to manage. Creating a logical folder structure will make it much easier to find programs as you need them. You can mirror this structure in the Start menu.
Use Windows Explorer to find your username in Documents and Settings, then select Start Menu and create program groups according to your own filing system. This prevents Start Menu bloat, which can occur if every application is allowed to create its own program group.

Dusting

Modern components are pretty tough, if not subjected to unusual conditions such as damp or cockroach infestation. However, dust has the potential to build up inside fans and on sensitive electronics, which runs the risk of short-circuiting your machine and killing the motherboard. Use a can of compressed air to blow dust away from components, but don't hold it too close since most use an aerosol that could cause condensation to form. Be aware that you run the risk of voiding the warranty if you open the back of your machine. Dust shouldn't be a problem for at least the first year, by which time most warranties expire.

Uninstall, don't delete

Because you can delete a file by dragging it to the Recycle Bin, it can be tempting to do this with applications such as games or internet-related programs. But deleting this way leaves parts of the application still on your PC in other folders, which will slow performance. Instead, go to Control Panel, choose Add or Remove Programs and select the application you want to uninstall from the list. The uninstall wizard will say if you have to delete anything manually.

Update virus software

Installing an antivirus suite will only keep you protected for as long as it takes hackers to come up with a new virus. You need to regularly update antivirus files, available from your antivirus suite's website. The files will configure the software to be able to detect and block new viruses as they are released. Most software can now do these updates automatically, but it's worth checking for new image files every two weeks.

A LITTLE KNOWLEDGE CAN BE DANGEROUS

A LITTLE knowledge can be a dangerous thing, according to network manager James Bannan.
He says the biggest threat to a large network is users who think they know how to configure their own computers. "You might know a little bit about networking and how to turn on a feature, but you probably don't realise what you're exposing the network to," he says.

Bannan is deputy systems manager at St Leonard's College in Melbourne. In a previous position at PricewaterhouseCoopers, Bannan had to deal with a network heavily infected by an Internet Information Systems (IIS) virus.

"We came in to work one day and the whole network was running slow. The first couple of requests to the helpdesk were along the lines of, my PC has crashed, my mail won't open," Bannan says. "It's hard to immediately diagnose a virus attack because the problems it causes can be so generic. We told the first five people to just reset their computers, but pretty soon we realised the problem was much more widespread."

He says the virus the team eventually identified was designed to spam a network with traffic to slow it down and inconvenience its users. "Basically, these viruses are written to exploit security holes in later versions of Windows, such as 2000 and XP," he says.

Bannan believes the virus coders are ideologically motivated. "A lot of these guys are proponents of the open source standard and are really anti-Microsoft."

He says the virus got into the network because employees were taking their laptops home and using IIS features to enable them to connect to the work network remotely. "These were DIY configuration jobs. These guys knew enough to turn the system on, but not enough to lock it down and protect it from attacks. It took us more than a week to eradicate the problem."

Viruses aren't the only thing that can hang a network. Bannan says many types of naive configuration can be dangerous.
"Here at St Leonard's College, we had a problem with a user who had taken his laptop home and used Windows bridging functionality to configure an Ethernet-based network card with a wireless card. "When he came to school and plugged his laptop back in, he forgot to turn off his wireless and the network got itself into an infinite loop and hung. It took us quite a bit of time to identify the problem and track down the offending user," Bannan says. His message to anyone who uses a complex network is simple: "If you don't know what you're doing, 100 per cent, please don't turn on any features or change your settings. "It makes life very hard for network managers." However, Bannan admits his primary role is to protect users from themselves. He says most people can't be expected to understand the inner workings of a big network. "Networking can expose you to considerable risks. Even peer-to-peer file sharing can be very dangerous unless you know how to configure it properly," Bannan says. From isn at c4i.org Tue Apr 12 07:05:35 2005 From: isn at c4i.org (InfoSec News) Date: Tue Apr 12 07:15:38 2005 Subject: [ISN] Rules aimed at digital misdeeds lack bite Message-ID: http://www.usatoday.com/money/industries/technology/2005-04-11-net-law-cover_x.htm By Jon Swartz USA TODAY 4/11/2005 SAN FRANCISCO - Federal and state lawmakers, compelled by headlines of a computer-crime wave, are scrambling to introduce bills that would tighten cybersecurity and make it easier for prosecutors to file charges and impose stiffer penalties. Digital thieves have rarely been so audacious. Data breaches at ChoicePoint, LexisNexis, the University of California and elsewhere, in which the personal records of thousands of Americans were pinched, underscore the brazen tactics of criminals marauding like gunslingers on a lawless Internet, security experts say. 
At least a dozen federal and state bills covering privacy protection, phishing and spyware have been introduced on Capitol Hill and in state capitals this year. The bills are designed to staunch consumer losses.

Identification theft cost consumers, banks and credit card companies $11.7 billion through the 12 months ended in April 2004, says researcher Gartner. Phishing scams, fraudulent e-mails or Web sites that trick computer users into surrendering personal information, burned U.S. consumers for $500 million in the 12-month period ended September 2004, says researcher Ponemon Institute. Damages from spyware, software that quietly monitors the activities of Internet users: more than $200 million to U.S. consumers last year, Ponemon says.

"The large number of bills, unfortunately, reflects the dark side of the Internet," says Harris Miller, president of the Information Technology Association of America, a non-profit that represents 400 tech companies.

But computer-security experts doubt the legislative outbreak will change matters. They contend prospective bills often are watered down to appease lobbyists and can't always be enforced by overtaxed law enforcement. On top of that, corporations are reluctant to share sensitive data in investigations, and offshore criminals are outside the reach of the law. Several fear a repeat of the federal Can-Spam law, which outlaws unsolicited commercial e-mail but has done little to curb spam.

"When it gets down to the nitty-gritty, Congress rarely passes strong consumer-protection measures, primarily because of industry influence," says Beth Givens, director of Privacy Rights Clearinghouse. "To quote Shakespeare, this is 'Full of sound and fury, signifying nothing.' "

Computer-security experts already blame fuzzy national laws that do not specifically ban spyware, phishing and other digital misdeeds. "Legislation is reactive. There are harsher penalties, yes, but nothing that would help prevent identity theft," says Judith Collins, a criminal justice professor at Michigan State University.

Limited tools

Hacking laws exist, but as computer crimes become more sophisticated so, too, must the laws, lawmakers and prosecutors say.

"New laws are about making it easier for prosecutors to bring harsh, specific charges," says Deborah Thoren-Peden, an Internet lawyer in Los Angeles. "It raises awareness for the public and risk for criminals."

For now, authorities are limited in the laws they cite in computer-crime cases, Internet lawyers say. The Computer Fraud and Abuse Act, a 1986 law most recently amended in 2001, makes it a crime to access a computer without authorization. Common trespass law can apply to phishing scams and computer viruses.

Federal law doesn't impose security measures on companies outside of financial services and health care to protect private information, says Internet lawyer Edward Naughton. Most companies prefer it that way. They don't want to be regulated out of concern it will be costly to shore up computer defenses and give investigators access to sensitive data. Instead, they advocate self-regulation and tighter security.

With high-profile computer crimes on the rise, and consumers clamoring for protection, the tech and financial industries may have no choice, Naughton and privacy experts say.

The raft of legislation covers:

* Privacy protection. A bill from Sen. Dianne Feinstein, D-Calif., would require federal agencies and companies conducting interstate commerce to notify customers when their private data are compromised. The bill, based on a similar law in California, may include a requirement that all commercially stored data be encrypted. Even then, a federal-notification requirement may not be enough to appease lawmakers and privacy experts, who oppose the sale of Social Security numbers without an individual's consent.
FTC Chairman Deborah Platt Majoras says there are legitimate purposes for obtaining a Social Security number without the individual's knowledge, including fraud investigations and law enforcement.

Meanwhile, Sen. Bill Nelson, D-Fla., and Rep. Ed Markey, D-Mass., last month introduced legislation that would expand the powers of the FTC to oversee data brokers as it does companies that handle medical and financial records. Sen. Jon Corzine, D-N.J., also plans to file a bill that would help create federal data-protection standards and require CEOs or chief compliance officers to show that their companies comply with the rules.

Still, broad privacy legislation faces a tough battle on Capitol Hill, where data brokers have strong lobbyists such as Akin Gump Strauss Hauer & Feld. The law firm was paid $160,000 by ChoicePoint in the first six months of 2004 and $280,000 in 2002 and 2003 to influence lawmakers, public documents show.

Information brokers have "an enormous number of (lobbyists) canvassing the Hill with inside connections and massive campaign contributions," says Ed Mierzwinski, consumer program director for the U.S. Public Interest Research Group. "Privacy advocates do not have nearly the resources."

* Spyware. Lobbying efforts may also undercut anti-spyware legislation from Rep. Mary Bono, R-Calif. Her bill, currently in the House, would raise fines against spyware purveyors to up to $3 million per infraction. Yet privacy advocates complain it exempts software cookies, a coded piece of information stored on a computer that identifies the computer during visits to a Web site, and embedded ads on Web pages from an earlier version, rendering it less effective.

Another bill, introduced in late March by Sens. Conrad Burns, R-Mont., and Ron Wyden, D-Ore., prohibits the surreptitious installation of spyware programs. The FTC would be charged with enforcing the law, though state attorneys general would also be authorized to bring actions. It, too, exempts cookies.
To strengthen federal law, states routinely craft bills that come down hard on violators who victimize residents. Bills in Michigan, Nebraska and Georgia would make it illegal to install spyware on the computers of state residents without their permission, and would delegate who is responsible for enforcement - a common shortcoming of federal law. Utah signed a bill into law in March. * Phishing. The Anti-Phishing Act, sponsored by Sen. Patrick Leahy, D-Vt., would impose jail terms up to five years and fines up to $250,000 for phishing. The bill protects free speech related to parody and politics online. More important, it allows law-enforcement officials to stop phishing schemes before the bad guys use stolen data, says phishing expert Dave Jevans. The national bill comes on the heels of state bills in Texas, Virginia, Rhode Island and elsewhere. An overriding worry with phishing bills - as with any computer-security-related proposal - is that too many could lead to legislative inflation. "How many ways can you make phishing illegal? There are at least five laws already," says Ari Schwartz, associate director at the Center for Democracy & Technology. "And they're not enforced." Making it work Despite the wave of bills, no matter how well researched and written, they are only as effective as enforced by police. Foreign governments often ignore U.S. law or fail to help their American counterparts. "We could add a million new laws, but you need to follow through," says Internet lawyer Pete Wellborn, who wrote the anti-spyware legislation in Georgia. "Unfortunately, there are more bad guys than good guys." Law enforcement is the "perennial question," adds Robert Holleyman, CEO of Business Software Alliance, a trade group that represents two dozen of the largest tech companies. "At the end of the day, we need adequate resources to track down and convict criminals. That means additional resources for the FTC and Justice Department." 
The Department of Justice declined comment. The federal Can-Spam law offers a cautionary tale on what some new bills might face. Anti-spam activists contend the much-ballyhooed law actually increases spam because of the way it is worded. It requires recipients to opt out of unwanted commercial e-mail by contacting each sender instead of forcing senders to get opt-in permission. The law also pre-empts parts of tougher state laws, including a California opt-in requirement. Can-Spam bars citizens from suing spammers, allowing only state attorneys general or Internet service providers to file civil suits. Backers of Can-Spam counter that ISPs such as Microsoft, America Online and EarthLink have taken advantage of the law to file dozens of successful lawsuits against spammers. Ultimately, the fate of the computer-security bills depends on the conflicting interests of politicians, lobbyists, tech companies and law enforcement. "It's all about striking a balance between punishing the bad elements and minimally intruding on the good actors," Holleyman says. "And that isn't easy." From isn at c4i.org Tue Apr 12 07:05:53 2005 From: isn at c4i.org (InfoSec News) Date: Tue Apr 12 07:15:40 2005 Subject: [ISN] Cadets Face Challenge From Computer Hackers Message-ID: Forwarded from: William Knowles http://www.nbc30.com/education/4365694/detail.html April 11, 2005 NEW LONDON, Conn. -- Cadets at the Coast Guard Academy in New London will try to fend off computer hackers in a weeklong national drill. The cadets will join their peers from the Naval, Air Force, West Point and Merchant Marine academies in the National Security Agency's cyber defense exercise. The military students will try to protect a network of computers from highly skilled attackers during the drill, which begins Monday. The academies will be competing against each other, and the winner gets a trophy and bragging rights. 
The exercise also serves as the final project for senior-level computer science majors taking the U.S. Military Academy's information assurance course. *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* From isn at c4i.org Tue Apr 12 07:06:37 2005 From: isn at c4i.org (InfoSec News) Date: Tue Apr 12 07:15:43 2005 Subject: [ISN] Linux Security Week - April 11th 2005 Message-ID: +---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | April 11th, 2005 Volume 6, Number 15n | | | | Editorial Team: Dave Wreski dave@linuxsecurity.com | | Benjamin D. Thomas ben@linuxsecurity.com | +---------------------------------------------------------------------+ Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. This week, perhaps the most interesting articles include "7 Myths About Network Security," "SANS tracking active DNS cache poisonings," and "The Day After: Your First Response To A Security Breach." --- DEMYSTIFY THE SPAM BUZZ: Roaring Penguin Software Understanding the anti-spam solution market and its various choices and buzzwords can be a daunting task. This free whitepaper from Roaring Penguin Software helps you cut through the hype and focus on the basics: determining what anti-spam features you need, whether a solution you are considering includes them, and to what degree. Find out more! 
http://www.roaringpenguin.com/promo/spambuzzwhitepaper.php?id=linuxsecuritywnbuzz0305 --- LINUX ADVISORY WATCH This week, advisories were released for MySQL, samba, ImageMagick, krb5, remstats, wu-ftpd, sharutils, util-linux, words, gaim, e2fsprogs, subversion, ipsec-tools, libexif, htdig, grip, gtk2, tetex, curl, gdk-pixbuf, and XFree86. The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat, and SuSE. http://www.linuxsecurity.com/content/view/118835/150/ --- Getting to Know Linux Security: File Permissions Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, therefore very simple. http://www.linuxsecurity.com/content/view/118181/49/ --- The Tao of Network Security Monitoring: Beyond Intrusion Detection The Tao of Network Security Monitoring is one of the most comprehensive and up-to-date sources available on the subject. It gives an excellent introduction to information security and the importance of network security monitoring, offers hands-on examples of almost 30 open source network security tools, and includes information relevant to security managers through case studies, best practices, and recommendations on how to establish training programs for network security staff. http://www.linuxsecurity.com/content/view/118106/49/ --- Encrypting Shell Scripts Do you have scripts that contain sensitive information like passwords and you pretty much depend on file permissions to keep it secure? If so, then that type of security is good provided you keep your system secure and some user doesn't have a "ps -ef" loop running in an attempt to capture that sensitive info (though some applications mask passwords in "ps" output). 
http://www.linuxsecurity.com/content/view/117920/49/ -------- >> The Perfect Productivity Tools << WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected. http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05 --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------+ | Security News: | <<-----[ Articles This Week ]---------- +---------------------+ * The Hacker-Proof Network 5th, April, 2005 In Cambridge, Mass., not too far from the Charles River, which cuts near Harvard and M.I.T., David Pearson is attempting to build an un-hackable network. http://www.linuxsecurity.com/content/view/118799 * The security risk of hard disk password protection 4th, April, 2005 In most notebooks the hard disk can be protected against unauthorized access with the aid of a password. Without it the disk, even when inserted into another computer, cannot be made to divulge its data. This security function has meanwhile become a feature of almost all 3.5" ATA hard disks and presents a full-blown security loophole. http://www.linuxsecurity.com/content/view/118784 * A Couple Points on the "Open Source War" 8th, April, 2005 If you're interested in this matter at all, you should go straight to the primary source material: the Red Hat and Microsoft security advisories. Your mileage may vary, but my scans of the two lists show a lot of Red Hat fixes that are mostly irrelevant to my simple web server, unless I've given lots of untrustworthy and industriously malicious people shell access to log in to the server. On the other hand, I see lots more references to "remote code execution" on the Microsoft site, which is what I'm really afraid of when I'm exposing a server to the internet. 
http://www.linuxsecurity.com/content/view/118838 * Hack Job 4th, April, 2005 When a hacker broke into the network at George Mason University (VA) earlier this year, IT officials were absolutely powerless to stop him. Within minutes, the hacker compromised the school's main Windows 2000 server and gained access to information that included names, Social Security numbers, university identification numbers, and even photographs of almost everyone on campus. Next, he poked around for a back door into other GMU servers that store information such as student grades, financial aid, and payroll. http://www.linuxsecurity.com/content/view/118783 * 7 Myths About Network Security 4th, April, 2005 Hacker tools are growing more sophisticated and automated. Hackers can now quickly adapt to new security vulnerabilities as they are uncovered and distribute the fruits of their exploits more widely with the help of automated toolkits. And they're employing an ever-increasing range of methods to find individuals' and companies' private information and use it to their own advantage. http://www.linuxsecurity.com/content/view/118788 * SANS tracking active DNS cache poisonings 6th, April, 2005 Around 22:30 GMT on March 3, 2005 the SANS Internet Storm Center began receiving reports from multiple sites about DNS cache poisoning attacks that were redirecting users to websites hosting malware. As the "Handler on Duty" for March 4, I began investigating the incident over the course of the following hours and days. This report is intended to provide useful details about this incident to the community. http://www.linuxsecurity.com/content/view/118813 * DNSSEC: What Is It Good For? 7th, April, 2005 DNSSEC, which stands for DNS Security Extensions, is a method by which DNS servers can verify that DNS data is coming from the correct place, and that the response is unadulterated. 
In this article we will discuss what DNSSEC can and cannot do, and then show a simple ISC Bind 9.3.x configuration example. http://www.linuxsecurity.com/content/view/118822 * DNS cache poisoning update 8th, April, 2005 The InfoCon is currently set at yellow in response to the DNS cache poisoning issues that we have been reporting on for the last several days. We originally went to yellow because we were uncertain of the mechanisms that allowed seemingly "secure" systems to be vulnerable to this issue. Now that we have a better handle on the mechanisms, WE WANT TO GET THE ATTENTION OF ISPs AND ANY OTHERS WHO RUN DNS SERVERS THAT MAY ACT AS FORWARDS FOR DOWNSTREAM Microsoft DNS SYSTEMS. If you are running BIND, please consider updating to Version 9. http://www.linuxsecurity.com/content/view/118841 * Anatomy of an Attack: The Five Ps 4th, April, 2005 In a meeting with an engineer (Jonathan Hogue) from a security company called Okena (recently acquired by Cisco), I was introduced to the concept of the five Ps. Hogue graciously gave me the presentation slide and I use it all the time. There are a lot of models of how an attack progresses, but this is the best I've seen. These five steps follow an attack's progression whether the attack is sourced from a person or an automated worm or script. We will concentrate on the Probe and Penetrate phases here, since these are the stages that Snort monitors. Hopefully, the attacker won't get past these phases without being noticed. The five Ps are Probe, Penetrate, Persist, Propagate, and Paralyze. http://www.linuxsecurity.com/content/view/118790 * To catch a thief? 8th, April, 2005 When we turn our minds to matters of e-security, our first thoughts tend to be about defenses such as firewalls and intrusion detection. And rightly so. After all, there is much wisdom in the pursuit of prevention before cure. But, what happens when our defenses are breached? How should we respond to such an incident? 
http://www.linuxsecurity.com/content/view/118840 * Red Hat Patches Security Flaw 5th, April, 2005 Enterprise Linux users should update their installations of XFree86 to remedy several security holes, some of which could allow attackers to take over a system. http://www.linuxsecurity.com/content/view/118797 * Linux still seen as most secure 7th, April, 2005 Microsoft's efforts to improve the security of Windows have paid off, leading to significant improvements in patch management and other areas, according to executives from North American companies surveyed by Yankee Group. http://www.linuxsecurity.com/content/view/118820 * Red Hat patches critical hole 4th, April, 2005 Red Hat is warning enterprise Linux users to update their installations of XFree86 to fix a number of serious security bugs, some of which could allow attackers to take over a system. http://www.linuxsecurity.com/content/view/118792 * Flaw found in Firefox 7th, April, 2005 A flaw has been discovered in the popular open-source browser Firefox that could expose sensitive information stored in memory, Secunia has warned. http://www.linuxsecurity.com/content/view/118821 * Firefox Flaw Publicity Good for Open Source 6th, April, 2005 Publicity surrounding the JavaScript flaw shows "the open source system is working," said Greg Minchak, an analyst with the Open Source Industry Alliance. "The open source community swarms to a problem the moment it's made known." http://www.linuxsecurity.com/content/view/118809 * The Day After: Your First Response To A Security Breach 4th, April, 2005 The security incident is over. The techs have all gone home and are snug in their beds, dreaming of flawless code trees and buffer-overflow repellent. Upper management has done all the damage control they can. Everyone's shifting back into their normal activities and schedules. Everyone, that is, except you. What can you do to prevent this from ever happening again? 
http://www.linuxsecurity.com/content/view/118789 * Sued for finding security flaws? 5th, April, 2005 In late March we mentioned that Sybase were making threats against a security company about disclosure of security flaws they found in Sybase code and a French company that took a security researcher to court and had him fined 5000 Euro. Going from this Register story, it looks like Sybase and NGSSoftware are going to settle their dispute amicably, but it really does bring into view a point that many in the Open Source community have been trying to make known for ages. http://www.linuxsecurity.com/content/view/118796 * Security top reason IT pros consider Linux 5th, April, 2005 Security concerns are the main reason IT managers consider switching from Windows to Linux on the desktop - but the cost of migration and compatibility issues remain significant barriers, according to a new study. http://www.linuxsecurity.com/content/view/118798 * U.S. government agencies turn to Linux 7th, April, 2005 As government agencies are being forced to do more with a smaller budget more agencies are turning to the open source movement for a solution. In Mississippi three counties and 30 agencies formed a jail management system to pool all law enforcement and homeland security forces together using Linux. http://www.linuxsecurity.com/content/view/118819 * Phishers spread net for smaller prey 4th, April, 2005 Phishers are moving away from big banking institutions and heading for smaller targets, according to the Anti-Phishing Working Group (APWG). http://www.linuxsecurity.com/content/view/118760 * Mobile-proofing your network 4th, April, 2005 A stolen laptop made public last week by the University of California, Berkeley contained unencrypted personal data on nearly 100,000 graduate students and applicants and is just the latest case to underscore the need for increased protection of personal information. 
http://www.linuxsecurity.com/content/view/118785 * How 20% effort can get you 80% security 6th, April, 2005 To manage risk, maintain razor-sharp security architecture and still enjoy a peaceful night's sleep, security professionals at this week's InfoSec World conference offered this advice: Know your limits, speak the boss's language and embrace change. http://www.linuxsecurity.com/content/view/118810 * Using Intrusion Detection Systems To Keep Your WLAN Safe 6th, April, 2005 Wireless LANs utilize radio waves for transporting information, which results in security vulnerabilities that justifiably worry network managers. To assuage those worries, most companies implement authentication and encryption to harden security. http://www.linuxsecurity.com/content/view/118812 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message. 
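The "Encrypting Shell Scripts" and "File Permissions" items in the newsletter above describe one concrete failure mode: a password that a script hands to a program on its command line is visible to every local user through `ps -ef`, and applications that overwrite their own argv only narrow the window. The following is an added example, not code from the newsletter or from the articles it links, that demonstrates the leak and the usual fix: the secret is written to a file created under `umask 077` (mode 0600) and only the file's path goes on the command line. The stand-in "tool" script, the secret value and the process it spawns are constructed for the demonstration; the check reads `/proc/PID/cmdline` on Linux, which is the same source `ps` uses, and falls back to `ps -o args=` elsewhere.

```shell
#!/bin/sh
# Added example; not code from the LinuxSecurity.com newsletter or its linked articles.
# Shows why a secret on a command line is visible via `ps -ef`, and a pattern
# that keeps it off argv: a 0600 file whose path is passed instead.

# Returns 0 if SECRET appears in the command line of process PID.
cmdline_contains() {
    pid=$1
    secret=$2
    if [ -r "/proc/$pid/cmdline" ]; then
        # argv entries are NUL-separated in /proc; turn NULs into spaces first
        tr '\000' ' ' < "/proc/$pid/cmdline" | grep -qF -- "$secret"
    else
        ps -o args= -p "$pid" | grep -qF -- "$secret"
    fi
}

# Writes a hypothetical long-running tool (it only sleeps, so its command line
# can be inspected while it runs) and prints the script path.
make_tool() {
    tool=$(mktemp) || return 1
    cat > "$tool" <<'EOF'
sleep 5
exit 0
EOF
    printf '%s\n' "$tool"
}

# Runs CMD... in the background, checks whether SECRET shows up in its argv,
# then kills it. Returns 0 if the secret was visible.
secret_visible_while_running() {
    secret=$1
    shift
    "$@" &
    pid=$!
    sleep 1                      # give the child time to start
    if cmdline_contains "$pid" "$secret"; then
        visible=0
    else
        visible=1
    fi
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    return "$visible"
}

# Leaky pattern: the secret itself is argv[1] of the tool.
leaks_via_argv() {
    secret=$1
    tool=$(make_tool) || return 1
    if secret_visible_while_running "$secret" sh "$tool" "$secret"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tool"
    return "$rc"
}

# Safer pattern: the secret lives in a file created rw------- and only the
# path is on the command line; the file is removed once the tool is done.
leaks_via_file() {
    secret=$1
    tool=$(make_tool) || return 1
    old_umask=$(umask)
    umask 077                    # mktemp creates the file 0600 under this umask
    secret_file=$(mktemp) || return 1
    umask "$old_umask"
    printf '%s\n' "$secret" > "$secret_file"
    if secret_visible_while_running "$secret" sh "$tool" "$secret_file"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tool" "$secret_file"
    return "$rc"
}

# Demo run with a constructed secret; prints one line per pattern.
for pattern in leaks_via_argv leaks_via_file; do
    if "$pattern" hunter2; then
        echo "$pattern: secret VISIBLE in the process list"
    else
        echo "$pattern: secret not visible"
    fi
done
```

Two caveats a practitioner should keep in mind. On Linux, `/proc/PID/cmdline` is world-readable by default, while `/proc/PID/environ` is readable only by the process owner and root, so an environment variable is better than argv but still not a substitute for a 0600 file or a pipe on stdin. And a program that scrubs its own argv after start-up (the masking the newsletter item mentions) still exposes the secret between `exec` and the scrub, which is exactly the window a `ps -ef` loop is polling for.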
------------------------------------------------------------------------ From isn at c4i.org Tue Apr 12 07:06:50 2005 From: isn at c4i.org (InfoSec News) Date: Tue Apr 12 07:15:45 2005 Subject: [ISN] 2005 IALEIA & LEIU Annual Conference, Alexandria, VA Message-ID: Forwarded from: David Jimenez The must attend event of the year 23-27 May - Alexandria, VA - The 25th Anniversary of International Association of Law Enforcement Intelligence Analysts, and Fiftieth Anniversary of the Law Enforcement Intelligence Unit Annual Conference, to be held at the Hilton Alexandria Mark Center in Alexandria, 5000 Seminary Road, Alexandria, VA Among the scheduled topics: - Strategic Analysis - Understanding Terrorism in the Middle East - Hizballah - A Case Study - National and International Perspectives on Organized Crime - High Tech Crime - Analytic Standards - Criminal Intelligence Files/Legal Issues - Fusion Center Development - Illegal Gambling Issues - Basic Elements of Criminal Intelligence - Forecasting the Future: Architecture for a Strategic Early Warning System for Law Enforcement - Intelligence Led Policing - A Global Perspective - Law Enforcement Operations in Mexico - Analytical Thinking and Presentation - Warning Analysis for Law Enforcement Please see the IALEIA website for an updated agenda http://www.leiu-homepage.org/events/2005dcConference/displayAgenda.cgi A "Fundamentals in Criminal Intelligence" certificate will also be given to those attending specific seminars Registration fees are $275 for members, $375 for non-members, and $150 for associate members and spouses. There will be a program for the spouses. Please keep in mind that IALEIA membership costs only $50. 
Membership information can be found on the IALEIA web page at www.ialeia.org You can register on-line at: http://www.leiu-homepage.org/events/2005dcConference/registration.html Hilton room rates are $143.00 Single/Double Occupancy (plus 10.5% Tax and $1.00 Occupancy Tax), and $163.00 Triple Occupancy or $183.00 Quadruple Occupancy (plus taxes). For reservations, call (703) 845-1010 or 1-800-HILTONS, and mention the conference to get the special rate. Shuttle service is complimentary from Reagan International Airport, and parking is free. For more information, please contact Ritchie Martinez, IALEIA Executive Director at (520) 547-8760, or Email: ramartinez@dps.state.az.us We hope to see you there! David Jimenez, MSgt, USAF (Ret), CCA IALEIA Director of Training, Education, and Career Development From isn at c4i.org Tue Apr 12 07:07:03 2005 From: isn at c4i.org (InfoSec News) Date: Tue Apr 12 07:15:47 2005 Subject: [ISN] Book Review: Google Hacking for Penetration Testers Message-ID: http://books.slashdot.org/books/05/04/11/1750217.shtml [ http://www.amazon.com/exec/obidos/ASIN/1931836361/c4iorg - WK] Author: Johnny Long Pages: 448 Publisher: Syngress Rating: 8 Reviewer: Corey Nachreiner ISBN: 1931836361 Summary Google's dark and dork sides exposed; despite the title, useful for everyone who'd like to get the most out of Google. According to its cover, Johnny Long's book focuses primarily on revealing the "Dark Side" of Google -- a promise it delivers in spades. But I can also heartily recommend Google Hacking to newbies who simply want to learn how to harness Google's full potential. The first few chapters of the book walk you through Google's interfaces and features, then introduce you to Google's advanced operators and techniques you can use to refine your Google searches. 
Instead of submitting basic searches that leave you arduously parsing hundreds of results for your desired answer, you quickly learn to submit powerful queries that almost instantly yield the results you intend. Even as an experienced Google user, I learned a lot from Google Hacking's early chapters. For Google neophytes, this alone makes the book worth its price. However, we all know Slashdotters really want this book in order to learn how hackers misuse Google. Well, you won't be disappointed. As soon as Long has taught you to submit advanced queries, he wastes no time in showing you the techniques l33t Google hax0rs use to exploit the search engine's power. For example, did you know you can use Google as a free proxy server? By submitting a specially-crafted, English-to-English translation query, you can capitalize on Google's translation service to anonymously submit all your Web requests. This simple hack just scratches the surface of Google's malicious potential. Most Web surfers don't realize the sheer amount of extremely sensitive information available for the harvesting on the Internet. In that sense, Google Hacking is eye-popping. Do you want to find misconfigured Web servers that publicly list their directory contents? A quick Google search does the trick. Or, suppose you found some new exploit code that only works against a particular version of IIS 5.0. Submit a quick Google query for a helpful list of possible targets. Do you want to harvest user logins, passwords (for example, MySQL passwords in a connect.inc file), credit card numbers, social security numbers or any other potentially damaging tidbit that Web users and administrators accidentally leak onto the Internet? Google Hacking shows you how, with highly refined searches gleaned from the community contributing to the Google Hacking Database (GHDB) found on Long's Web site. 
While Long's book discloses these and many other potentially malicious Google searching techniques, it does so responsibly, with the goal of prevention in mind. Only the less damaging search strings are fully revealed. Long saves the juicier (read: more dangerous) hacks for your own discovery. Long even obfuscates the sensitive results of the more damaging search strings in order to protect the innocent incompetents he refers to as "googledorks." After showing you how hackers subvert Google to their malicious intent, Long dedicates a chapter to how Web administrators can configure their Web servers securely in order to prevent sensitive data from making it into a Google Hacker's clutches. Though I've gushed about the book so far, I will quibble with its inconsistent tone. Some of its chapters target readers having different levels of technical understanding. While the book starts out in a voice easy enough for even the most novice user to understand, some of the later chapters, on topics such as document grinding, database digging, and query automation, jump drastically and use language and techniques that only programmers or Unix power-users would understand. In addition, the humor that made Johnny's live presentation so memorable shows up in his book, but in scant supply; frankly, more jokes would be welcome. But these negatives are mere nits. Whether you're a penetration tester wanting to exploit Google, a Web administrator wanting to protect yourself from information leaks, or even a newbie wanting to harness Google's full potential, Google Hacking for Penetration Testers makes an excellent resource. If you, too, use Google as a second brain, pick up Johnny Long's book and learn how to exploit this powerful search engine to its full capacity. 
-=- Corey Nachreiner [1], Network Security Analyst for WatchGuard's LiveSecurity Service, writes about network security on the free RSS news feed, WatchGuard Wire [1] http://www.watchguard.com/archive/bios.asp From isn at c4i.org Tue Apr 12 07:08:31 2005 From: isn at c4i.org (InfoSec News) Date: Tue Apr 12 07:15:57 2005 Subject: [ISN] Linux report stirs hornets nest Message-ID: http://www.theinquirer.net/?article=22460 By Guy Matthews 11 April 2005 HELL HATH NO fury like a Linux devotee scorned. An analyst, just doing her job by writing about open source software, has been the victim of a furious barrage of criticism, much of it personal, from elements within the Linux community. Yankee Group software analyst Laura DiDio put out a report last week daring to suggest, based on extensive research, that Microsoft Windows Server 2003 may be as good as, if not in some respects better than, Linux in terms of quality, performance and reliability. A virtual techie "fatwa" seems to have been the result. Her views have been repeatedly savaged by Linux apologists, accusing her of bias in favour of Microsoft. DiDio has hit back denying any such leanings, but the self-appointed Ayatollahs of open source have paid no heed. Instead DiDio has had to put up with being branded DiDiot on open source forums, and has even been telephoned at home after 11pm by people she has described as 'nut jobs' and "an extremist fringe of Linux loonies". DiDio says the Yankee Group end user study her analysis was based on is strictly independent, and not something she has any personal influence over. This is not the first evidence suggesting a strong streak of unreasonable insanity in the Linux community. 
Last year security analyst firm Mi2g claimed Linux was getting hacked more frequently than Windows, the resulting brouhaha leading it to declare on its web site that "any empirical evidence pointing to a high level of online Linux breaches is immediately shot down by religious zealots as if a church had been desecrated". Let's hope the BBC doesn't televise an opera about it, or we're all in trouble. From isn at c4i.org Wed Apr 13 06:12:52 2005 From: isn at c4i.org (InfoSec News) Date: Wed Apr 13 06:32:14 2005 Subject: [ISN] LexisNexis: Files May Have Been Breached Message-ID: http://apnews.myway.com/article/20050412/D89E4KI80.html By JANE WARDELL April 12, 2005 LONDON (AP) - Criminals may have breached computer files containing the personal information of 310,000 people, a tenfold increase over a previous estimate of how much data was stolen from information broker LexisNexis, the company's parent said Tuesday. Last month, London-based publisher and data broker Reed Elsevier Group PLC said criminals may have accessed personal details of 32,000 people via a breach of its recently acquired Seisint unit, part of Dayton, Ohio-based LexisNexis. LexisNexis is a Reed subsidiary. Reed said it identified 59 instances since January 2003 in which identifying information such as Social Security numbers or driver's license numbers may have been fraudulently acquired on thousands of people. Information accessed included names, addresses, Social Security and driver license numbers, but not credit history, medical records or financial information, the company said. Reed spokesman Patrick Kerr said that the first batch of breaches was uncovered by Reed during a review and integration of Seisint's systems shortly after it purchased the Boca Raton, Fla.-based unit for $775 million in August. Seisint provides data for Matrix, a crime and terrorism database funded by the U.S. government, which has raised concerns among civil liberties groups. 
The Matrix database was not involved in the breach, the company has said. Seisint's databases store millions of personal records including individuals' addresses and Social Security numbers. Customers include police and legal professionals and public and private sector organizations. The company said the 59 identified instances of fraudulently obtained information - 57 at Seisint and two in other LexisNexis units - are largely related to the improper use of IDs and passwords belonging to legitimate customers. It stressed that neither LexisNexis nor the Seisint technology infrastructure was breached by hackers. Kerr said the company has since ensured that the system is watertight by improving login systems and security checks. He said only 2 percent of the 32,000 people it notified about the possible theft of their personal information in March have contacted LexisNexis to accept its offer of free credit reports and credit monitoring, and none has so far advised LexisNexis that they have experienced any form of identity theft. However, LexisNexis Chief Executive Kurt Sanford said Tuesday that of the 32,000 who were notified, law enforcement officials have identified 10 who investigators believe may have been victims of identity theft. He said it is unclear whether those possible thefts are related to the breach at LexisNexis. Investigators said only three of those people appeared to have been the victims of financial fraud, Sanford said. The breach is being investigated by the FBI's cyber-crime squad in Cincinnati. FBI spokesman Mike Brooks would say only that the agency is pursuing leads. Rep. Edward Markey, D-Mass., who has introduced legislation designed to increase protections of consumer data, said LexisNexis turned a blind eye to customer protection. But Sanford said LexisNexis had initiated the review and notified potential victims. "We're going to fix this," he said. "The congressman's statement overreaches and mischaracterizes the situation." 
Reed Elsevier played down the effect of the breach on its profits, reaffirming its target of higher earnings and at least 5 percent growth in revenues excluding acquisitions. The breach at Seisint is the second of its kind at a major information provider in recent months. Rival data broker ChoicePoint Inc. (CPS) announced last month that the personal information of 145,000 Americans may have been compromised in a breach in which thieves posing as small business customers gained access to its database. In the ChoicePoint scam, at least 750 people were defrauded, authorities say. The case fueled consumer advocates' calls for federal oversight of the loosely regulated data-brokering business, and Capitol Hill hearings on the topic were held last month and are continuing this week. Reed Elsevier specializes in the education, legal and science sectors, publishing more than 10,000 journals, books and compact discs, as well as almost 3,000 Web sites and portals. It also organizes 430 trade exhibitions. The LexisNexis division specializes in legal and business information. From isn at c4i.org Wed Apr 13 06:14:36 2005 From: isn at c4i.org (InfoSec News) Date: Wed Apr 13 06:32:17 2005 Subject: [ISN] Industry group draws scrutiny Message-ID: Forwarded from: Mark Bernard Dear Associates, In light of these events I would recommend that serious professionals interested in information security including investigations and forensics take a look at the High Tech Crime Investigation Association. It doesn't cost $60k to join and has been around providing value to government agencies, law enforcement and private businesses longer than most of these organizations. http://www.htcia.org [...] 
The High Technology Crime Investigation Association (HTCIA) is designed to encourage, promote, aid and effect the voluntary interchange of data, information, experience, ideas and knowledge about methods, processes, and techniques relating to investigations and security in advanced technologies among its membership.

[...]

Best regards, Mark.

Mark E. S. Bernard, CISM, CISSP, PM,
Principal, Risk Management Services,
e-mail: Mark.Bernard@TechSecure.ca
Web: http://www.TechSecure.ca
Phone: (506) 325-0444

Leadership Quotes by John Quincy Adams: "If your actions inspire others to dream more, learn more, do more and become more, you are a leader."

----- Original Message -----
From: "InfoSec News"
To:
Sent: Monday, April 11, 2005 6:25 AM
Subject: [ISN] Industry group draws scrutiny

> http://www.fcw.com/article88532-04-08-05-Web
>
> By David Perera
> April 8, 2005
>
> Government officials last week scaled back their involvement in a
> newly formed public/private council of security officers amid
> controversy about the appearance that a select group of vendors
> could have undue influence on public policy.
>
> O'Keeffe and Co., an Alexandria, Va.-based public relations and
> marketing agency, spearheaded development of the Chief Information
> Security Officers (CISO) Exchange as a forum for discussions between
> government officials and industry executives. Full industry
> membership costs $75,000.
>
> Backers have used the participation of Rep. Tom Davis (R-Va.),
> chairman of the House Government Reform Committee, and the CIO
> Council's sponsorship as selling points in materials aimed at
> soliciting industry members.
>
> "It seems as if all you're doing is selling access to Congress,"
> said Mark Amtower, a partner at Amtower and Co.
From isn at c4i.org Wed Apr 13 06:15:15 2005 From: isn at c4i.org (InfoSec News) Date: Wed Apr 13 06:32:20 2005 Subject: [ISN] Security websites taken down by unhappy hackers Message-ID: http://www.techworld.com/security/news/index.cfm?NewsID=3465 By Paul Roberts IDG News Service 12 April 2005 Two prominent websites that specialise in remote access software have been taken offline by a DDoS attack orchestrated by a group of hackers who have taken offence at comments posted about them. Rootkit.com, an established website run by security expert Greg Hoglund, has been offline for almost a week. Two other sites, operated by a prominent rootkit author known as "Holy Father" have also been taken down in the attacks, which are believed to be the work of a group of Bulgarian and Turkish hackers known as the SIS-Team. The attack against rootkit.com began on Tuesday 5 April, after someone using the name "ATmaCA" posted an inflammatory message to one of the discussion groups on the site that advertised a number of malicious remote access software programs sold by SIS Team, including SIS-Downloader, ProAgent and SIS-IExploiter, Hoglund said. The programs are powerful spyware tools that, when combined, enable remote attackers to secretly compromise other machines using attack Web pages. They are sold online at websites like www.spyinstructors.com and are popular with those behind spam campaigns, who use the tools to plant remote control programs that are then used to send out spam, Hoglund said. The post by ATmaCA prompted curt responses from rootkit.com members, who objected to authors using the discussion forum as a venue to advertise their commercial software. Other rootkits discussed on rootkit.com are open source, and authors typically post links to their source code on the site, Hoglund said. In the flame war that erupted between the SIS-Team members and the rootkit.com contributors, questions were also raised about the quality of the SIS-Team products. 
Some rootkit.com regulars alleged that the tools were poorly written and frequently crashed machines they ran on, Hoglund said. Within hours of the first post from ATmaCA, the rootkit.com website was under attack by a network of more than 500 compromised computers, or bots, that flooded the site with about 170,000 requests a second, making it unreachable for most Internet users, he said. Two rootkit-focused websites operated by Holy Father were also downed by DDoS attack after that person posted remarks critical of ATmaCA and SIS-Team. In both cases, extortion e-mail was sent to the website owner following the DDoS attacks saying that the owners could end the attacks by posting public apologies to ATmaCA and SIS-Team on their websites. Hoglund is angry and unrepentant: "I find it very offensive that a public website that does nothing but share information is attacked by a bunch of immature children. These are hackers who can't stand on their own merits. They make claims for their software, and then can't argue about it, but just DDoS their critics off the Internet." Rootkit.com has more than 25,000 registered users and about 30 regular contributors. Despite the reputation of rootkits as hacker tools, many of those who frequent the site are professional security experts and students who study computer security and use the rootkit source code available on the site to figure out ways to defend against rootkit programs, Hoglund said. 
From isn at c4i.org Wed Apr 13 06:16:27 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 13 06:32:23 2005
Subject: [ISN] Linux report stirs hornets nest
Message-ID:

Forwarded from: security curmudgeon
Cc: guymatthews@transom-media.co.uk, mike.magee@theinquirer.net, consultingservices@yankeegroup.com

: http://www.theinquirer.net/?article=22460
:
: By Guy Matthews
:
: Yankee Group software analyst Laura DiDio put out a report last week
: daring to suggest, based on extensive research, that Microsoft Windows
: Server 2003 may be as good as, if not in some respects better than,
: Linux in terms of quality, performance and reliability.

Based on extensive research? Or based on extensive questionnaires? Big difference. Read on for a bit more truth than this crappy opinion piece gives us...

: A virtual techie "fatwa" seems to have been the result. Her views have
: been repeatedly savaged by Linux apologists, accusing her of bias in
: favour of Microsoft. DiDio has hit back denying any such leanings, but
: the self-appointed Ayatollahs of open source have paid no heed.

Amusing that you call these linux apologists fun names like "self-appointed Ayatollahs of open source" while she calls them "nut jobs" and "extremist fringe of linux loonies". Is there a chance.. just a remote, outside *chance*, that there could be some bias in this survey? That these linux "nuts" have a reason to be angry? Does the fact that Microsoft has funded such studies over the last half decade give them reason to question her motives? Of course there is.

: DiDio says the Yankee Group end user study her analysis was based on is
: strictly independent, and not something she has any personal influence
: over.

Unfortunately, if you go to the Yankee Group site [1] you see her picture on the left (but not on the list of analysts), you find a PDF mentioning the upcoming study on TCO [2], but no clear links to the survey results that I can see. Are they hiding it? No.. read on.
: This is not the first evidence suggesting a strong streak of
: unreasonable insanity in the Linux community. Last year security analyst
: firm Mi2g claimed Linux was getting hacked more frequently than Windows,
: the resulting brouhaha leading it to declare on its web site that "any
: empirical evidence pointing to a high level of online Linux breaches is
: immediately shot down by religious zealots as if a church had been
: desecrated".

mi2g has a history of releasing material that has little factual basis, no clear methodology, and a tendency to cater to news that gets them attention, regardless of what it is. Very bad example to cite backing your claims here. Please don't forget that only 6 years ago, they ran 'portal' web sites dedicated to used cars as their only business, then overnight became "security experts". You did know that.. right Mr. Matthews?

--

Anyway, back to Didio's survey. A quick search finds all kinds of wonderful commentary on it, but not the actual survey (wonder why..). Turns out they are issuing press releases for this survey but not releasing the results until June 2005 [8]. So it's basically "believe what we say, even though we won't disclose our testing methodology", then let time pass, then quietly release the actual survey after the hype has died down and people begin questioning it? Oh wait, search Microsoft and you find it.. now why would they have a copy so far in advance and make it available on their site [9]?

Moving on, check a GrokLaw article [3] that comments on it. Now we see that this survey [4] is a bunch of questions that was sent to W2Knews readers [5] including "C-level" executives, who are likely not the most unbiased people to ask about Windows vs Linux. Next, the article mentions that DiDio did her "independent" research with Sunbelt Software [6] who is also known for their spamming [7].
Reading their 'about' page finds they are Windows consultants:

    The company was founded in 1994 and offers product solutions that enable companies to protect and secure their infrastructure from costly inefficiencies including spam, Windows system downtime and network security vulnerabilities.

Again, this is not the most unbiased group to 'research' Windows vs Linux TCO issues.

Next, search Microsoft's site and you will find that not only has the Yankee Group been good pals with Microsoft [10], DiDio herself has done other studies that favored Microsoft (in their eyes) [11]. In fact, Microsoft has previously funded Yankee Group to carry out surveys [12] which undermines any claims from DiDio that she or Yankee Group are unbiased and "independent".

[1] http://www.yankeegroup.com/
[2] http://www.yankeegroup.com/public/research/surveys.jsp
[3] http://www.groklaw.net/article.php?story=20040324085956154
[4] http://www.sunbelt-software.com/surveys/040213_Linux.htm
[5] http://www.w2knews.com/index.cfm?id=463
[6] http://www.sunbelt-software.com/index.cfm
[7] http://www.spamhaus.org/sbl/sbl.lasso?query=SBL3704
[8] http://www.yankeegroup.com/public/products/survey/brochures/2005NorthAmericanLinuxTCOSurvey.pdf
[9] http://download.microsoft.com/download/e/e/e/eee3b9eb-0dbe-4729-95e2-829d5127760d/YankeeGroup-CustomercasestudiesonSoftwareAssurance.pdf
[10] http://www.microsoft.com/presspass/press/2000/Jun00/OSSpr.asp
     http://www.microsoft.com/windowsserversystem/facts/indemnification/indembrown.mspx
     http://www.microsoft.com/Education/GetTheFacts.aspx
     http://www.microsoft.com/presspass/press/2004/Jan04/01-06TVFoundationEditionPR.asp
[11] http://www.microsoft.com/windowsserversystem/facts/indemnification/indemwp.mspx
[12] http://www.microsoft.com/presspass/features/2004/oct04/10-05SBServer.asp

From isn at c4i.org Wed Apr 13 06:16:42 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 13 06:32:26 2005
Subject: [ISN] Microsoft releases patches for 18 separate flaws
Message-ID:
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,101033,00.html

By Jaikumar Vijayan
APRIL 12, 2005
COMPUTERWORLD

After a rare lull in March, Microsoft Corp. today released eight security bulletins detailing fixes for 18 separate vulnerabilities affecting a wide range of its software products.

Five of the patches released today under Microsoft's monthly patch release program were for critical flaws, while the rest addressed less serious issues in Microsoft's Windows, Internet Explorer, Exchange, Messenger and Office products.

Among the more serious holes are those affecting Microsoft's IE Web browser software, said Michael Sutton, director of vulnerability research at iDefense Inc. a Reston, Va.-based security intelligence firm that discovered two of the critical vulnerabilities disclosed today.

One of the Internet Explorer flaws, described in Microsoft Security Bulletin MS05-020 [1], results from the way in which IE handles certain dynamic HTML objects, Sutton said. The flaw allows attackers to construct a malicious Web page that could then be used to infect the systems of those who visit the site.

"It is a condition that could result in the execution of arbitrary code on a compromised system," Sutton said.

The other critical IE vulnerability, also detailed in Security Bulletin MS05-020, results from the way Internet Explorer handles certain URLs with very long host names. Host names over 250 characters long can be used to trigger "input validation" errors that could allow malicious hackers to take control of compromised systems.

To exploit this vulnerability, an attacker would need to either host a Web site that contains a malicious Web page or compromise someone else's Web site and have it display malicious content, according to Microsoft's description of the flaw.

Though neither flaw is especially easy to exploit, iDefense has developed proof-of-concept code in both instances, Sutton said.
Another of the critical vulnerabilities announced today affects Microsoft's Exchange Server software, according to Security Bulletin MS05-021 [2]. According to Microsoft, the flaw allows an attacker to connect to the SMTP port on an Exchange server and issue a specially-crafted command that could result in a denial-of-service attack or allow an attacker to run malicious programs on the compromised system.

"The Exchange Server flaw is reasonably trivial to exploit," said Neel Mehta, team lead for advanced research at Internet Security Systems Inc.'s X-Force vulnerability research group in Atlanta. "We are fairly concerned that an [exploit] could become available soon" that takes advantage of the flaw, Mehta said.

Another vulnerability in MSN Messenger that could lead to remote code execution was also rated as critical by Microsoft in Security Bulletin MS05-022 [3].

[1] http://www.microsoft.com/technet/security/bulletin/MS05-020.mspx
[2] http://www.microsoft.com/technet/security/bulletin/MS05-021.mspx
[3] http://www.microsoft.com/technet/security/bulletin/MS05-022.mspx

From isn at c4i.org Wed Apr 13 06:17:07 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 13 06:32:28 2005
Subject: [ISN] Clique and Dagger
Message-ID:

Forwarded from: William Knowles

http://www.washingtonpost.com/wp-dyn/articles/A45059-2005Apr11.html

By Hanna Rosin
Washington Post Staff Writer
April 12, 2005

If he is confirmed this month as the first-ever director of national intelligence, John Negroponte will face many daunting challenges: courting foreign intelligence sources, for instance, and streamlining intelligence gathering to help prevent another massive terrorist attack.

But in the spy world these days another question dominates the discussions: Where will Negroponte's office be?

If the president places him in CIA headquarters, says one former CIA official, that will send the message that he's the boss now.
If instead he's detailed to an alternative site in Tysons Corner, that would send the message either that he's irrelevant, or that the CIA's irrelevant, depending on whom you talk to. No one actually knows what the plan is, but the answer is beside the point. The real purpose of the Office Rumor is to keep alive the gossip and jockeying for power and endless squabbling that the new position was intended to end. In its final report, the Sept. 11 commission called the system for sharing intelligence between agencies unacceptable, outmoded and excessively secretive. The DNI is intended to get the agencies to stop hoarding and start sharing. But the early reports do not look too hopeful. So far all the buzz has been about power struggles -- DNI up, CIA down, Pentagon nervous -- anything to give the 15 agencies Negroponte oversees an excuse to give each other the silent treatment. The intelligence world is a "community" only in the same sense as any high school. From the outside they are united by a common rival. But from the inside they are fractured into finely subdivided cliques that wouldn't be caught in the same room together unless the principal (in this case, Negroponte) called them into his office. Broadly speaking, Spy High is ruled by two warring factions: the Techno-Geeks and the 007s. Each side thinks the future of intelligence rests with them and the other side is for losers. "It's cubicle city. Computer guys, cryptographers. A bunch of people listening to inane telephone chatter for 45 minutes at a time. My God, it really puts you to sleep. Believe me, they don't have very exciting lives." This is the voice of the Football Jock of the 007s: Robert Baer, a retired CIA case officer in the Middle East for 21 years who writes books with breathless titles such as "See No Evil" and "Sleeping With the Devil." That's his take on the National Security Agency, that big top-secret fortress at Fort Meade that is the headquarters of the Techno-Geeks. 
Here, now, is the Techno-Geeks' swift and haughty response: "A CIA agent is someone who gets a lot of glory for intelligence collection, but 85 percent of intelligence comes from the NSA," says James Bamford, who wrote the two definitive books on the NSA. "Human intelligence never produced much useful information. And whatever they did produce was all compromised by Aldrich Ames and Bob Hanssen. They never penetrated al Qaeda, and their intelligence on Iraq was marginal at best." When they are not rumbling with each other, the two sides are tamping down power struggles within their own ranks. Within the 007s the legendary spitting match between the CIA and the FBI continues to rage, ever more so now that the FBI is encroaching on foreign intelligence gathering. To the moviegoing public they are both guys with trench coats who rough up the bad guys. But to each other they are different species, night and day, Jekyll and Hyde. As the old joke goes, the FBI guys catch the bank robbers and the CIA guys rob the banks. Both sides can laugh at that one, but beyond it they part. A CIA case officer looks at the FBI agent and sees: a guy in Hush Puppies and a fake Burberry, clean-cut as a Mormon, never been to Paris or Morocco, never been far outside Fairfax. Every morning he gets in his Crown Vic and promptly clocks in. He's got some skills in hunting down bad guys, but he's also got a lawyer sitting on him all the time. Asking him to catch terrorists is like asking your kid's teacher to break up the local gangs. The FBI guy looks at the CIA guy and thinks: With a slight tick and shift in his history he'd be stealing cars in the Bronx. Gosh, he looks like he's been up a lot of nights in a row. Doesn't he own a razor? And how does he afford that place in Georgetown, not to mention those shoes? "Sometimes you read these old FBI files and wonder who the enemy was, the KGB or the CIA," says Athan Theoharis, an FBI expert at Marquette University. 
Then there is the third wheel, the pesky hanger-on, the one they won't even bother to fight with. That's the various branches of military intelligence, meaning Army, Navy, Air Force and Marine Corps. What CIA and FBI guys say about them is almost too insulting to print. To them, the "buzzheads" are the Chihuahuas of the intelligence pack, the weenies who yap at you in their own little lingo. On the other hand, "they are disciplined, they went through boot camp, and they don't just attract the same old white guys," Baer grudgingly admits, so maybe they do have a place in the club. The Techno-Geeks have their own internal problems. Tensions run high in the corner of the computer lab where the National Geospatial-Intelligence Agency guys hang out. NGA originated nine years ago, as a way to combine the imagery people, who read and interpret satellite photos, with the mapmakers. Many of you may have missed this marriage announcement but in spyland this was the equivalent of the prom king taking a math nerd as his date. "The satellite imagery people were considered the big dogs, the holy of holies, the inner sanctum," says John Pike, director of GlobalSecurity.org. They were visual, even artistic; in college they might have been scenery designers for the theater, he says. The mapmakers, meanwhile, "were never really regarded as being intelligence. That was not dignified, it was just about as unsexy as it gets," Pike says. In 2003, the agency adopted its current name, in an effort to better unify the two cultures. "They're trying to bring them together," Pike says. "But they all hate each other." Then, off on the other side of campus, hidden behind the trees, sits a building called the National Security Agency. Nobody really goes there and the residents don't wander out. They have their own cafeteria, their own clubs, their own parties. 
Everyone else suspects the NSA guys are the smartest, but they don't really know; even if you happened to meet one he wouldn't show you the fraternity ring. If somehow you were to manage to sneak over there and get through the million layers of security and then through one of the big bank vault doors, here's what you would see: "Huge rooms full of nothing but cubicles," says Bamford. "Behind each one sits someone looking at a computer screen, or listening to a tape recorder. Then there's this one big room full of huge antennas where they test new data collection systems -- like something out of a sci-fi movie."

As the NSA guys see it, they do all of the work with none of the glamour. Thus, the deep resentment of the CIA, as articulated by Bamford above. When Bush picked Lt. Gen. Michael V. Hayden, the current NSA director, as Negroponte's deputy, this was seen as confirmation of their superiority, says Bamford, and much gloating ensued.

Presidents back to Gerald Ford have tried to gather the various intelligence branches into one big happy family. The Web site Intelligence.gov hails the power of cooperation and shows seemingly happy colleagues working shoulder-to-shoulder. But those who know better sigh, like the principal facing the same old boys in his office.

"It's not a problem that can be solved," says Pike. "It's just a process that has to be managed."

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen. Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Wed Apr 13 06:24:51 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 13 06:32:31 2005
Subject: [ISN] Spy technology a threat to conclave's secrecy
Message-ID:

http://www.freep.com/news/religion/pope-bar112e_20050412.htm

[Just goes to show you, EVERYONE has to worry about high-tech security headaches, even the Vatican has IT, electronic, and physical security threats to be concerned about. - WK]

BY AIDAN LEWIS and JIM KRANE
ASSOCIATED PRESS
April 12, 2005

VATICAN CITY -- Spying has gotten a lot more sophisticated since John Paul II was elected in 1978, but the Vatican seems confident it can protect the tradition of secrecy that will surround next week's meeting of cardinals to name a new pope.

Computer hackers, electronic bugs and supersensitive microphones are among the possibilities.

Vatican security members wouldn't discuss the details of any anti-bugging measures to be used during the conclave. But Giuseppe Mazzullo, a private detective and retired Rome police officer whose former unit worked with the Vatican in the past, has said the Holy See is expected to reinforce its own experts with Italian police and private security contractors.

"The security is very strict," Mazzullo said. "For people to steal information, it's very, very difficult if not impossible."

Thousands of reporters will be watching as the 115 cardinals gather Monday. Hackers and government informants may also be monitoring the conclave.

Revelations of the proceedings could prove embarrassing to the Vatican. For instance, sensitive discussions on a papal candidate's stand on relations with Muslims or Jews, recognizing China rather than Taiwan, or views on contraception would be sought-after by governments and the news media.
In 1996, John Paul set rules to protect cardinals from "threats to their independence of judgment." Cell phones, electronic organizers, radios, newspapers, televisions and recorders were banned from conclaves. Cell phones and personal data organizers can be hacked and used to broadcast the proceedings to a listener, security experts say. "An eavesdropper can reach into those devices and turn on the microphone and turn it into an eavesdropping device," said James Atkinson, who heads a Gloucester, Mass., company that specializes in bug detection. Also, rooftop snoops with sensitive laser microphones can pick up conversations from a quarter-mile away by recording vibrations on window glass or other hard surfaces. The Sistine Chapel, where the conclave will be held, has windows set near the roof. Laser microphones can be thwarted with heavy drapes and by masking conversations with ambient noise. Tougher to root out are tiny transmitters or recorders as small as a coin. To handle those, teams acting on the pope's 1996 orders would need to mount complex sweeps of sensitive meeting areas, taking out carpets, poking through chair cushions, opening heating ducts and testing electrical wiring, light bulbs and water pipes, Atkinson said. The late pope deemed the threat to the conclave serious enough to decree that those who break their oaths of secrecy can be cast out of the church. In a sign of nervousness about maintaining secrecy, the College of Cardinals decided Saturday to halt interviews with the news media. "They've assured us there are ways to block all communications and conversations," Chicago Cardinal Francis George said last week. But even with precautions, halting a spy inside the Vatican -- perhaps an unwitting one -- is probably the toughest threat to block, experts said. "Are they going to search all the cardinals to see whether someone bugged their spectacles or crucifixes?" asked Giles Ebbut, a surveillance expert for the London consultancy Jane's. 
"The imagination can run riot." From isn at c4i.org Thu Apr 14 08:54:41 2005 From: isn at c4i.org (InfoSec News) Date: Thu Apr 14 09:09:56 2005 Subject: [ISN] Hacker invades Anchorage airport Web site Message-ID: http://www.usatoday.com/travel/news/2005-04-13-ala-airport-hacking_x.htm 4/13/2005 ANCHORAGE (AP) - A hacker broke into the Web site of the Ted Stevens Anchorage International Airport and replaced arrival and departure times with a waving Turkish flag. Screens also displayed a steely eyed man's face in the lower right corner. Beneath it was a message crediting a Turkish hacker who goes by the handle "iSKORPiTX" for the cybervandalism. The flight information page on the Web site of the state-owned was defaced at about 1:40 p.m. Sunday, airport officials said. It remained that way until about 9 p.m., when technicians disabled that part of the site until about 6 a.m. Monday, they said. The hacker gained access only to the airport's Web server, not its internal network on which financial documents, e-mails and other data are stored, airport director Mort Plumb said. The break-in occurred as federal law-enforcement officials are completing an investigation of a broader rash of cyberattacks on state computers this winter. Stan Herrera, the state's director of enterprise technology services, said Tuesday that a defacement of another agency's Web site during winter spurred the investigations. The breadth of the attacks is still being analyzed, and federal officials have not released details of their investigation, he said. Lawmakers recently set aside $5 million to pay for equipment and software to make the state's computer network more secure, Herrera said. Two years ago, officials had expected to shift all of the state's computer systems onto a new, more secure platform to be built by Anchorage-based Alaska Communications Systems, which had been hired to overhaul the state's telecommunications system, including computer networks. 
That deal fell apart in September 2003 and the state's networks reverted back to equipment and software that were to have been phased out, Herrera said.

Money earmarked this year for computer security upgrades will buy new routers and switches and the software that makes them work. Some also will be used to pay for new security software that will be installed on network servers as well as employee workstations, Herrera said.

The airport Web site hacker is fairly well known in Internet circles and does not try to hide his tracks. Earlier this winter, an image and message similar to the ones that appeared on the airport's site showed up on the Information Security Association's Web site in the United Kingdom. The group is a nonprofit international organization of information security professionals.

A hacker Web site that chronicles such exploits gives iSKORPiTX credit for defacing hundreds of other Web sites, including state government sites in Iowa, Georgia and Tennessee.

From isn at c4i.org Thu Apr 14 08:54:55 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 14 09:09:59 2005
Subject: [ISN] Day Two: CGA Cadets Foiling Would-be Cyber Infiltrators So Far
Message-ID:

http://www.theday.com/eng/web/news/re.aspx?re=9400778c-9d6b-4ffa-86a6-01edf6d4280c

By ROBERT A. HAMILTON
Day Staff Writer
Navy/Defense/Electric Boat
Published on 4/13/2005

New London - The computer screen was displaying such dire warnings as "ICMP Destination Unreachable Fragmentation needed and DF bit was set." Well, it's a dire warning if you speak computer.

"You can tell we're under attack now because the network is so slow," Lt. Cmdr. Joseph Staier, assistant dean of the Coast Guard Academy, said Tuesday, his gleeful demeanor belying what seemed an evil intent. "They're probing us, trying to find our weaknesses."
It was Day Two of a four-day Cyber Defense Exercise, in which a "Red Team" from the National Security Agency, with assistance from some of the top computer experts from the Army, the Air Force and other agencies, is trying to hack networks set up by students at the nation's five military academies. On the second floor of Coast Guard Academy's McAllister Hall, 21 cadets, including three international students, were rushing from screen to screen, monitoring what will be increasingly sophisticated hacking attempts through Thursday night. Web cameras keep the students in touch with their counterparts at the Air Force, Naval and Merchant Marine academies and the U.S. Military Academy at West Point, each waiting to see who will fall first. Each team gets the same hardware, and they can only use free software such as Linux, an operating system that does the job of Windows. The academy team is running intrusion detection software that includes Snort, which records tiny packets of information coming onto the network, and Base, which looks through those packets for the "fingerprints" of a hacker. "I can make a perfectly safe system," Staier said. "You turn the computer off and lock it in a safe. That's secure. But it's not very usable." Conversely, you can just plug the computer into the Internet with no safeguards, and you can access your data from anywhere in the world - but so can everyone else. "The idea is to teach them the balancing act between security and usability," Staier said. And it's an important question for the Coast Guard, as it is for all military services, he said. If you're sending operational orders via e-mail, you don't want the bad guys reading them. For the last three years, the Coast Guard cadets have beaten their counterparts at the Naval Academy, though they have one-third the number of players and no computer science major. "You'd like to win, of course, but as long as you beat Navy ..." Staier observed with a grin. 
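The article describes the academy team's setup only in outline: Snort records the packets arriving on the network and BASE is used to look through the resulting alerts for a hacker's "fingerprints". As an added example (not code from the article, the Coast Guard Academy exercise, Snort or BASE), the following script shows the defender's side of that workflow in miniature: it parses one-line alerts in the shape of Snort's alert_fast output, aggregates them per source address, and flags sources that touched several destination ports or tripped several signatures, which is what a slow network full of "ICMP Destination Unreachable" messages looks like once it is summarised. Every alert line is constructed for this example, and the rule SIDs (9000001 and up) and the addresses (RFC 5737 documentation ranges) are placeholders, not real signatures or hosts.

```python
"""Per-source summary of Snort-style alerts, to spot hosts that are probing.

Added example; not code from the article, the academy exercise, Snort or BASE.
It assumes Snort's one-line "alert_fast" output format. The alert lines,
rule SIDs (9000001...) and IP addresses below are constructed placeholders.
"""
import re
from collections import defaultdict

# Constructed sample alerts in the shape of Snort's alert_fast output.
# The last line is deliberately malformed to show that the parser skips it.
SAMPLE_ALERTS = """\
04/12-14:03:22.101  [**] [1:9000001:1] ICMP Destination Unreachable Fragmentation Needed and DF bit was set [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 198.51.100.5
04/12-14:03:25.442  [**] [1:9000002:1] SCAN TCP port probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:44821 -> 198.51.100.5:22
04/12-14:03:25.447  [**] [1:9000002:1] SCAN TCP port probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:44822 -> 198.51.100.5:80
04/12-14:03:25.451  [**] [1:9000002:1] SCAN TCP port probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:44823 -> 198.51.100.5:443
04/12-14:03:25.458  [**] [1:9000002:1] SCAN TCP port probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:44824 -> 198.51.100.5:25
04/12-14:09:01.003  [**] [1:9000003:1] WEB-MISC suspicious request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51000 -> 198.51.100.5:80
this line is not an alert and must be skipped
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, then "src[:port] -> dst[:port]".
ALERT_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?'
    r'\[Priority:\s*(?P<prio>\d+)\]\s+'
    r'\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$'
)


def parse_alert(line):
    """Parse one fast-alert line into a dict; return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["priority"] = int(d.pop("prio"))          # Snort: 1 is the most severe
    d["sid"] = int(d["sid"])
    d["sport"] = int(d["sport"]) if d["sport"] else None  # ICMP has no ports
    d["dport"] = int(d["dport"]) if d["dport"] else None
    return d


def summarize_by_source(lines):
    """Aggregate alerts per source address; also count unparseable lines."""
    stats = defaultdict(lambda: {"alerts": 0, "sids": set(),
                                 "dst_ports": set(), "top_priority": None})
    skipped = 0
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            skipped += 1
            continue
        s = stats[alert["src"]]
        s["alerts"] += 1
        s["sids"].add(alert["sid"])
        if alert["dport"] is not None:
            s["dst_ports"].add(alert["dport"])
        if s["top_priority"] is None or alert["priority"] < s["top_priority"]:
            s["top_priority"] = alert["priority"]
    return dict(stats), skipped


def flag_probers(stats, min_ports=3, min_sids=2):
    """Sources that hit several ports or tripped several signatures look like reconnaissance."""
    return sorted(src for src, s in stats.items()
                  if len(s["dst_ports"]) >= min_ports or len(s["sids"]) >= min_sids)


def main():
    stats, skipped = summarize_by_source(SAMPLE_ALERTS.splitlines())
    for src, s in sorted(stats.items()):
        print(f"{src:15} alerts={s['alerts']} sids={sorted(s['sids'])} "
              f"ports={sorted(s['dst_ports'])} top_priority={s['top_priority']}")
    print("skipped unparseable lines:", skipped)
    print("likely probers:", flag_probers(stats))


if __name__ == "__main__":
    main()
```

Run stand-alone, the script reports 192.0.2.10 with five alerts across ports 22, 25, 80 and 443 and flags it as a prober, while 203.0.113.7 (one high-priority alert on a single port) is not flagged by these thresholds. The thresholds are deliberately simple; in practice the per-source counts would be computed over a sliding time window and fed to whatever console the team uses, which is the role BASE plays in the article.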
The computers are stacked on desks along the wall. In the center of the room, a large table holds bottles of iced tea, cans of Mug root beer, a largely untouched bin of salad and empty containers of French fries and chicken nuggets. The box of Nature Valley granola bars is still full, but the Pringles and Goldfish are disappearing.

Most of the cadets have been working almost nonstop since Monday morning.

"This is a real trial by fire," said Cadet 1st Class Roger Nurse of Guyana, who had no experience in network administration before this week. He said it's a struggle to pull himself away for classes, because he doesn't want one of his systems to be the first one to fall to the cyber-intruders.

Cadet 1st Class Matt Kempe of Tustin, Calif., said he has already learned a lot from the exercise.

"I learned starting a network from scratch is a lot of work, and sleep is a luxury network administrators can't afford," Kempe said with a chuckle. "I have a new appreciation for IS (information services) staff."

But Cadet 1st Class Roland "Tim" Orr of Fayetteville, N.C., said all the work is worth it when you feel the rush of foiling an attack.

"When it works, it's like, 'Wow, everything came together,'" Orr said.

From isn at c4i.org Thu Apr 14 08:55:40 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 14 09:10:01 2005
Subject: [ISN] Security UPDATE -- Hacking IIS 6.0 -- April 13, 2005
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Centralized Desktop Configuration from ScriptLogic
http://list.windowsitpro.com/t?ctl=7624:4FB69

Converting a Microsoft Access Application to Oracle HTML DB
http://list.windowsitpro.com/t?ctl=7611:4FB69

====================

1. In Focus: Hacking IIS 6.0

2.
Security News and Features - Recent Security Vulnerabilities - Eight Security Patches from Microsoft - Help with HIPAA, SOX, and GLBA Compliance - Auditing Permission Changes on a Folder 3. Security Toolkit - Security Matters Blog - FAQ - Security Forum Featured Thread 4. New and Improved - Keep Track of Your Registry ==================== ==== Sponsor: ScriptLogic ==== Centralized Desktop Configuration from ScriptLogic Get a free T-shirt after you evaluate ScriptLogic's Desktop Authority. Desktop Authority is the award-winning desktop management solution that combines the functionality of logon scripting, group policies, and user profiles, plus Remote Management. What's unique to Desktop Authority is that you can use its patented Validation Logic technology to centrally determine how, when, and where desktops are configured! Centrally configure drive mappings, printer deployments, security policies and more from an easy to use point and click management console. Eliminate Roaming Profiles and the hassle and complexity of maintaining logon scripts! Download a free 30-day evaluation of Desktop Authority and receive a free ScriptLogic T-shirt. Evaluate now at http://list.windowsitpro.com/t?ctl=762A:4FB69 ==================== ==== 1. In Focus: Hacking IIS 6.0 ==== by Mark Joseph Edwards, News Editor, mark at ntsecurity / net Have you heard about Windows IT Pro's "Hack IIS 6.0 Challenge"? Roger Grimes will secure a Microsoft IIS 6.0 system and make it available on the Internet April 17 through June 8 so that people can try to break into it. In the July issue, Roger will write about how he secured the system and what happened during the contest. For more information about the contest, go to http://list.windowsitpro.com/t?ctl=7629:4FB69 I've already read messages on one security mailing list from people complaining about the challenge or poking fun at it. One person wrote that it's a ploy to gather zero-day (previously unpublished) exploits. 
I don't know whether anybody will collect packets during the contest or whether such packets will be examined to learn more about how people approach hacking an IIS 6.0 box. But such forensic analysis might occur. Would that be a bad thing?

There were also comments that the contest is an attempt to identify hackers and arrest them. That notion is laughable (and probably based in paranoia) given the fact that people have been invited to hack the box.

Some people also felt that such challenges don't work because of eventual Denial of Service (DoS) attacks. One person mentioned that the hackiis6.com site is located on the same subnet as the magazine's Web farm. So if somebody decides to launch a Distributed DoS (DDoS) attack against the site, it could overwhelm the gateway and thereby render all sites behind the gateway unavailable. That's true. But the hackiis6.com site is only an information site. It's not the actual system that will be made available for hacking. Sometime in the next week, further information will become available at the hackiis6.com site, so check back to learn more details, including the address of the system to hack.

People also pointed out that the challenge can't really prove that the site is secure. If no one manages to break into the site, it might just be because somebody who might know how to break in doesn't take part in the challenge. That's rational; we should probably assume that somebody somewhere knows how to break any particular piece of software. It's a widely held opinion that no system is completely secure.

We could enjoy the challenge for exactly what it is--a challenge--without trying to read all sorts of motives into it. Many people attend various hacker conferences at which such challenges are relatively common. The main difference here is that this challenge is open to the public. It's a way to test your skills and have some fun trying to find a way to breach security. That's it.
Speaking of contests, the Windows IT Pro annual Readers' Choice contest is underway. Vote for your favorite IT products and reward companies that provide excellent products and services. The September 2005 issue of Windows IT Pro will feature the winners. To vote, go to
http://list.windowsitpro.com/t?ctl=7623:4FB69

And, finally, if you use the Windows IT Pro Web site, you might be happy to have a chance to tell us how to improve it. Give us your opinion in the usability survey at
http://list.windowsitpro.com/t?ctl=761A:4FB69

====================

==== Sponsor: Oracle ====
Converting a Microsoft Access Application to Oracle HTML DB
Get the most efficient, scaleable and secure approach to managing information using an Oracle Database with a Web application as the user interface. In this free white paper learn how you can use an Oracle HTML Database to convert a Microsoft Access application into a Web application that can be used by multiple users concurrently. You'll learn how to improve the original application by adding hit highlighting and an authorization scheme to provide access control to different types of users. Download this free white paper now!
http://list.windowsitpro.com/t?ctl=7611:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=7616:4FB69

Eight Security Patches from Microsoft
Yesterday, April 12, was Patch Tuesday for Windows users, and Microsoft released eight security patches. The company also announced that beginning this month, it will change its Security Bulletin Advance Notification information provisioning to include other useful information.
http://list.windowsitpro.com/t?ctl=761D:4FB69

Help with HIPAA, SOX, and GLBA Compliance
Vigilar announced a new service aimed at helping companies comply with the Sarbanes-Oxley (SOX) Act, the Gramm-Leach-Bliley (GLB) Act, and the Health Insurance Portability and Accountability Act (HIPAA). A compelling feature of Vigilar's new AuditPass program is that it guarantees that your company will pass compliance and audit checks.
http://list.windowsitpro.com/t?ctl=761F:4FB69

Auditing Permission Changes on a Folder
Randy Franklin Smith points out that you'll need to enable auditing for successful object-access events on the servers on which the folders reside and you'll need to enable auditing on the folders you want to monitor. You'll also need to look for specific events in the Security log. Learn the details in this article on our Web site.
http://list.windowsitpro.com/t?ctl=761E:4FB69

====================

==== Resources and Events ====

Does Windows Server 2003 Service Pack 1 Live Up to Expectations?
What can you expect when you deploy SP1 in real life? Join industry guru Michael Otey as he reviews the service pack and answers your questions about Windows Firewall, data execution prevention (DEP), boot-time protection, the anxiously awaited Security Configuration Wizard (SCW), and more.
http://list.windowsitpro.com/t?ctl=762B:4FB69

Get Ready for SQL Server 2005 Roadshow in a City Near You
Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Attend and receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now!
http://list.windowsitpro.com/t?ctl=7612:4FB69

Attend the Black Hat Briefings
Attend the Black Hat Briefings & Training USA, July 23-28, 2005 in Las Vegas. World renowned security experts reveal tomorrow's threats today. Free of vendor pitches, the briefings are designed to be pragmatic regardless of your security environment. Featuring 25 hands-on training courses and 10 conference tracks. Lots of Windows stuff profiled.
http://list.windowsitpro.com/t?ctl=7628:4FB69

Ensure SQL Server High Availability
In this free Web seminar, discover how to maintain business continuity of your IT systems during routine maintenance and unplanned disasters. Learn critical factors for establishing a secure and highly available environment for SQL Server including overcoming the technology barriers that affect SQL Server high availability. Find out about Microsoft's out-of-the-box high-availability technologies, including clustering, log shipping, and replication. Register Now!
http://list.windowsitpro.com/t?ctl=7610:4FB69

Protect the Rest of Your Exchange Infrastructure
There is more to data protection for Exchange than protecting mail and mail servers. In this free Web seminar, you'll learn some methods for anticipating, avoiding, and overcoming technical problems that can affect your Exchange environment, including corruption or errors in Active Directory, DNS problems, configuration errors, service pack installation problems, and more. Register now!
http://list.windowsitpro.com/t?ctl=760E:4FB69

====================

==== Featured White Paper ====

Quantify the Business Benefits of ITSM
This free white paper explores how to meet IT infrastructure's needs and manage crucial support and service processes by implementing Help desk, problem, change, configuration, and service-level agreement (SLA) management into a single workflow. Improve productivity and service delivery quality while reducing costs, resources, and downtime in your organization. Download it now!
http://list.windowsitpro.com/t?ctl=760F:4FB69

====================

==== Hot Release ====

High Availability for Windows Services
It is no stretch to say that Windows high availability must be a fundamental element in your short- and long-term strategic IT planning. This free white paper discusses the core issues surrounding Windows high availability, with a focus on business drivers and benefits. You'll learn about the current market solutions, technologies and real-world challenges including cost-benefit analyses. Plus, find out how to assess technical elements required in choosing a high availability solution, including the robustness of the technology, time-to-failover, and implementation difficulties. Download this white paper now!
http://list.windowsitpro.com/t?ctl=760D:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=7622:4FB69

Need a Security Scorecard?
Looking for a simple way to assess desktop security? PivX Solutions just released a new tool, PreView, that can tell you whether your firewall offers enough protection, whether you're missing necessary patches, and more.
http://list.windowsitpro.com/t?ctl=761C:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=7620:4FB69

Q: Do I need to take any special steps when restoring a backup of my Relative Identifier (RID) master?

Find the answer at
http://list.windowsitpro.com/t?ctl=761B:4FB69

Security Forum Featured Thread: AD Permissions
A forum participant is having trouble restricting permissions in Windows Server 2003. He's running Active Directory (AD) in Mixed Mode and has a few global groups that need access to resources on a member server. However, anyone--not just the intended groups--can access the folders and subfolders that he's trying to secure.
Join the discussion at
http://list.windowsitpro.com/t?ctl=7613:4FB69

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Check Out the New Windows IT Security Newsletter!
Security Administrator is now Windows IT Security. We've expanded our content to include even more fundamentals on building and maintaining a secure enterprise. Each issue also features product coverage of the best security tools available and expert advice on the best way to implement various security components. Plus, paid subscribers get online access to our entire security article database! Click here to try a sample issue today:
http://list.windowsitpro.com/t?ctl=7618:4FB69

Nominate Yourself or a Friend for the MCP Hall of Fame
Are you a top-notch MCP who deserves to be a part of the first-ever MCP Hall of Fame? Get the fame you deserve by nominating yourself or a peer to become a part of this influential community of certified professionals. You could win a VIP trip to Microsoft and other valuable prizes. Enter now--it's easy:
http://list.windowsitpro.com/t?ctl=7614:4FB69

====================

==== 4. New and Improved ====
by Renee Munshi, products@windowsitpro.com

Keep Track of Your Registry
ElcomSoft has released Advanced Registry Tracer 2.0, a utility that lets you analyze changes made to your registry (whether by Trojan horse programs, viruses, or software installations or removals) and store snapshots of the registry in a database so that you can easily restore the registry when you encounter problems. New features in version 2.0 include the ability to define scanning and comparison filters, an object-tweaking feature that lets you safely experiment with registry values, a new database format that reduces the size of the database, the ability to compare keys in command-line mode, faster registry file exports, and an improved interface. Advanced Registry Tracer 2.0 runs under Windows 95/98/Me/NT4/2000/XP and costs $40 for a single-user license.
For more information, go to
http://list.windowsitpro.com/t?ctl=7626:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Sponsored Links ====

Quest Software
Heading to Exchange from Notes or GroupWise? Get Expert Help!
http://list.windowsitpro.com/t?ctl=762C:4FB69

====================

==== Contact Us ====

About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=7625:4FB69
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=7619:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.
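The three steps in the newsletter's "Auditing Permission Changes on a Folder" item (enable success auditing for object access on the server, enable auditing on the folder itself, then look for the specific events in the Security log), worked as an added PowerShell example that is not from the newsletter or from Randy Franklin Smith's article. It assumes an elevated session on Windows Server 2008 or later, whose auditpol subcategory and 46xx event IDs are the successors of the 2003-era settings the article describes; the folder path is a placeholder.

```powershell
# Added example (not the newsletter's or the article's own code).
# Assumes Windows Server 2008+ and an elevated PowerShell session; the
# subcategory name and event IDs are the Vista+ equivalents of the 2003-era
# settings the article covers. $Folder is an assumed placeholder path.
param(
    [string]$Folder = 'D:\Shares\Finance',   # placeholder, change to the folder to monitor
    [int]$Hours = 24                          # how far back to search the Security log
)

# Step 1: enable success auditing for object access on this server.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# Step 2: put a SACL on the folder so permission changes and writes are logged.
# Everyone + ChangePermissions/TakeOwnership/Write covers ACL edits and content changes;
# inheritance flags make the entry apply to subfolders and files as well.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership, Write',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl = Get-Acl -Path $Folder -Audit          # -Audit is required to read/write the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl        # needs SeSecurityPrivilege (elevated)

# Step 3: look for the specific Security-log events.
# 4670 = permissions on an object were changed; 4663 = an attempt was made to access an object.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4670, 4663
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # EventData fields (SubjectUserName, ObjectName, NewSd, AccessMask) live in the event XML
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    # keep only events for objects under the monitored folder
    if (-not $d['ObjectName']) { continue }
    if (-not $d['ObjectName'].StartsWith($Folder, [System.StringComparison]::OrdinalIgnoreCase)) { continue }

    # 4670 carries the old and new security descriptor (SDDL); 4663 carries the access mask
    $detail = if ($e.Id -eq 4670) { "new SDDL: $($d['NewSd'])" } else { "access mask: $($d['AccessMask'])" }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        Object  = $d['ObjectName']
        Detail  = $detail
    }
}
```

Run it once to set the audit policy and SACL, then re-run (or schedule it) to list who changed permissions on, or wrote to, anything under the folder.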
From isn at c4i.org Thu Apr 14 08:55:57 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 14 09:10:04 2005
Subject: [ISN] Patch now to reduce denial-of-service threat
Message-ID: 

http://www.computerweekly.com/articles/article.asp?liArticleID=137910

By Antony Savvas
14 April 2005

The UK's National Infrastructure Security Co-ordination Centre (NISCC) has advised users to update their internet communications infrastructure to plug a denial of service vulnerability in major suppliers' equipment.

Cisco, Juniper Networks and IBM have already admitted to the problem and have issued patches to prevent the threat, which can lead to organisations' networks crashing from a remote denial-of-service attack.

The threat involves network routers not being able to handle internet traffic supported by the Internet Control Message Protocol (ICMP) and the Transmission Control Protocol (TCP). Hackers could use the protocols to launch a remote attack and crash networks, said the NISCC.

The NISCC has rated the threat "medium to high".

Cisco equipment affected includes all router products running its Internetworking Operating System (IOS) and its PIX firewall products. IBM's AIX operating system is also vulnerable, as are some versions of Juniper's JUNOS operating software running on its M-series and T-series routers.

Other companies' products are believed to be affected by the vulnerability.

The NISCC advisory is available from:
http://www.niscc.gov.uk/niscc/docs/al-20050412-00308.html?lang=en

From isn at c4i.org Thu Apr 14 08:56:15 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 14 09:10:06 2005
Subject: [ISN] HSBC acts on card snafu
Message-ID: 

http://money.cnn.com/2005/04/13/news/fortune500/gm_creditcard/index.htm

By: Caleb Silver
CNN Business News
April 13, 2005

NEW YORK (CNN) - As many as 187,000 GM MasterCard customers may have potentially had their personal information exposed, officials with card issuer HSBC Holdings said Wednesday.
About 6 million HSBC (Research) customers hold GM-branded MasterCards, according to the automaker, and letters have been sent so far to 1,200 telling them their information may have been open to compromise when they shopped with an undisclosed retailer.

There is no evidence any card accounts have actually been compromised, said a spokesman for HSBC. In the interest of "better safe than sorry," HSBC is proactively warning its customers, he said.

The remaining 185,800 cardholders affected will be notified between now and mid-May, according to HSBC.

HSBC insisted the bank is not to blame for the security breach.

"This is not an issue with our card," said Tom Nicholson, a spokesman for HSBC. "It's an issue with the retailer."

HSBC said it was notified by MasterCard's Fraud Management Department in March about the breach, but was not provided with details on the unnamed retailer.

GM MasterCard, in a letter to customers, said it did not know the merchant involved and urged customers to replace their credit cards as soon as possible "due to the serious nature of this situation," the Boston Globe reported.

The security breach is the latest example of private financial information being improperly accessed in recent weeks by companies that compile and sell personal information about millions of Americans.

Lexis-Nexis said Tuesday that data on 310,000 people nationwide may have been stolen -- 10 times its estimate of just a month earlier.

Household Bank, acquired by HSBC in 2002, began issuing the GM MasterCard Rewards card in 1992. Customers earn points towards the purchase or lease of GM vehicles, and GM says more than 4 million GM cars have been bought or leased by Rewards customers since the card was launched.

For more on what you can do to protect yourself from the problems of identity theft, click here [1].
[1] http://money.cnn.com/news/specials/security/

From isn at c4i.org Thu Apr 14 08:57:50 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 14 09:10:09 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-15
Message-ID: 

========================================================================

The Secunia Weekly Advisory Summary
2005-04-07 - 2005-04-14

This week : 87 advisories

========================================================================

Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================

1) Word From Secunia:

Want a new IT Security job?

Vacant positions at Secunia:
http://secunia.com/secunia_vacancies/

========================================================================

2) This Week in Brief:

Microsoft has released their monthly security updates for April, which correct vulnerabilities in many different Microsoft products.

Users of Microsoft products are advised to check Windows Update for available updates or view referenced Secunia advisories below.

References:
http://secunia.com/SA12758
http://secunia.com/SA14909
http://secunia.com/SA14915
http://secunia.com/SA14920
http://secunia.com/SA14921
http://secunia.com/SA14922
http://secunia.com/SA14927

--

Security firm HexView has released details about a vulnerability in the Microsoft Jet Database Engine, which can be exploited by malicious people to compromise a vulnerable system.

Although Microsoft just released their monthly security updates for April, a patch was not included for this vulnerability. Users are therefore recommended not to open untrusted ".mdb" database files.
NOTE: Exploit code has been posted to a public mailing list.

Additional details are available in the Secunia advisory below.
http://secunia.com/SA14896

--

A vulnerability has been reported in OpenOffice, which potentially can be exploited to compromise a vulnerable system.

The vendor has confirmed the vulnerability and has released a fix, which is available in the CVS repository. An official updated version is expected within a short period of time.

References:
http://secunia.com/SA14912

--

A vulnerability has been reported in Maxthon, a popular skin for Internet Explorer, which can be exploited to compromise a vulnerable system.

The vendor has released an updated version. Please view Secunia advisory below for more information about non-vulnerable versions.

References:
http://secunia.com/SA14918

--

Some vulnerabilities have been reported in Lotus Notes/Domino, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Updated versions are available from the vendor.

References:
http://secunia.com/SA14879

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================

3) This Week's Top Ten Most Read Advisories:

1.  [SA14820] Mozilla Firefox JavaScript Engine Information Disclosure Vulnerability
2.  [SA14821] Mozilla Suite JavaScript Engine Information Disclosure Vulnerability
3.  [SA14896] Microsoft Jet Database Engine Database File Parsing Vulnerability
4.  [SA14879] Lotus Notes/Domino Multiple Vulnerabilities
5.  [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerabilities
6.  [SA14654] Mozilla Firefox Three Vulnerabilities
7.  [SA14922] Microsoft Internet Explorer Multiple Vulnerabilities
8.  [SA14902] Sun Java JDK/SDK Jar Directory Traversal Vulnerability
9.  [SA14927] Microsoft Windows Kernel Multiple Vulnerabilities
10. [SA14804] Netscape JavaScript Engine Information Disclosure Vulnerability

========================================================================

4) Vulnerabilities Summary Listing

Windows:
[SA14920] Microsoft Exchange SMTP Service Extended Verb Request Buffer Overflow
[SA14918] Maxthon Security ID Disclosure Vulnerability
[SA14915] Microsoft MSN Messenger GIF Image Processing Vulnerability
[SA14896] Microsoft Jet Database Engine Database File Parsing Vulnerability
[SA14879] Lotus Notes/Domino Multiple Vulnerabilities
[SA14870] MailEnable IMAP "LOGIN" Command Buffer Overflow Vulnerability
[SA14861] AN HTTPD cmdIS.DLL Buffer Overflow and Log File Injection
[SA14909] Microsoft Windows Shell MSHTA Script Execution Vulnerability
[SA14880] DC++ Unspecified Manipulation of Arbitrary Files
[SA14864] Ocean12 Membership Manager Pro Cross-Site Scripting and SQL Injection
[SA14921] Microsoft Windows Message Queuing Buffer Overflow Vulnerability
[SA14910] CA BrightStor ARCserve Backup Universal Agent Buffer Overflow
[SA14930] Centra Profile Script Insertion Vulnerability
[SA14944] WIDCOMM Bluetooth Connectivity Software Directory Traversal
[SA14927] Microsoft Windows Kernel Multiple Vulnerabilities
[SA14923] DeluxeFTP Disclosure of User Credentials
[SA14889] FTP Now Disclosure of User Credentials

UNIX/Linux:
[SA14949] Red Hat update for kdegraphics
[SA14922] Microsoft Internet Explorer Multiple Vulnerabilities
[SA14914] SUSE update for kdelibs3
[SA14908] KDE kdelibs PCX Image Buffer Overflow Vulnerability
[SA14900] SUSE Updates for Multiple Packages
[SA14893] UnixWare update for libtiff
[SA14963] Fedora update for openoffice
[SA14939] Debian update for axel
[SA14933] Gentoo update for axel
[SA14907] UnixWare update for telnet
[SA14897] Access_user Class Undocumented Default Password
[SA14873] Camino JavaScript Engine Information Disclosure Vulnerability
[SA14951] Gentoo update for gld
[SA14948] Red Hat update for dhcp
[SA14941] Gld Multiple Vulnerabilities
[SA14891] UnixWare CDE dtlogin XDMCP Parsing Vulnerability
[SA14946] AIX Various Communication Protocol Security Issues
[SA14945] Sun Solaris ICMP Message Handling Denial of Service
[SA14925] KDE KMail User Interface Spoofing Vulnerability
[SA14911] Gentoo update for phpmyadmin
[SA14898] FirstClass Client Bookmark Files Can Launch Local Programs
[SA14895] Fedora update for gftp
[SA14877] Gentoo update for gnome-vfs/libcdaudio
[SA14936] Debian update for mysql
[SA14872] Mandrake update for mysql
[SA14863] Ubuntu update for mysql-server
[SA14956] Gentoo update for rsnapshot
[SA14926] Ubuntu update for kernel
[SA14903] portupgrade Insecure Temporary File Creation Vulnerability
[SA14894] UnixWare update for cdrecord
[SA14892] OpenServer auditsh/atcronsh/termsh Buffer Overflow Vulnerabilities
[SA14878] rsnapshot "copy_symlink()" Privilege Escalation Vulnerability
[SA14876] OpenServer update for cscope
[SA14875] SGI IRIX gr_osview Privilege Escalation and Information Disclosure
[SA14952] Mandrake update for gaim
[SA14947] Red Hat update for gaim
[SA14886] Mandrake update for gtk+2.0
[SA14885] Mandrake update for gdk-pixbuf
[SA14899] Pine rpdump File Creation Race Condition Vulnerability
[SA14887] Mandrake update for sharutils
[SA14883] Red Hat vixie-cron Exposure of Arbitrary Cron Files
[SA14862] Fedora Core vixie-cron Exposure of Arbitrary Cron Files

Other:
[SA14874] Novell NetWare Unspecified TCP Packet Handling Denial of Service
[SA14871] Linksys WET11 Password Change Security Bypass Vulnerability
[SA14950] Juniper Networks JUNOS ICMP Message Handling Denial of Service
[SA14937] Network Appliance Data ONTAP ICMP Message Handling Denial of Service
[SA14928] WatchGuard Products ICMP Message Handling Denial of Service
[SA14904] Cisco Various Products ICMP Message Handling Denial of Service
[SA14860] SonicWALL Pro Series Script Insertion Vulnerability

Cross Platform:
[SA14916] DokuWiki File Upload Vulnerability
[SA14890] ModernBill Cross-Site Scripting and File Inclusion Vulnerabilities
[SA14935] Oracle Products Multiple Unspecified Vulnerabilities
[SA14929] Mambo zOOm Media Gallery Module "catid" SQL Injection
[SA14919] jPortal Banner Module SQL Injection Vulnerability
[SA14913] aeDating Multiple Vulnerabilities
[SA14912] OpenOffice ".doc" Document Handling Buffer Overflow
[SA14906] RadBids Gold Multiple Vulnerabilities
[SA14888] SurgeFTP "LEAK" Command Denial of Service Vulnerability
[SA14882] PunBB SQL Injection and Cross-Site Scripting Vulnerabilities
[SA14881] Macromedia ColdFusion MX Exposure of Class Files
[SA14869] Runcms / exoops Arbitrary File Upload Vulnerability
[SA14866] PHP-Nuke Multiple SQL Injection Vulnerabilities
[SA14934] Veritas i3 FocalPoint Server Unspecified Vulnerability
[SA14940] eGroupWare Exposure of Mail Attachments
[SA14924] Pinnacle Cart "pg" Cross-Site Scripting Vulnerability
[SA14902] Sun Java JDK/SDK Jar Directory Traversal Vulnerability
[SA14884] TowerBlog Exposure of Sensitive Information
[SA14868] PostNuke Cross-Site Scripting and SQL Injection Vulnerabilities
[SA14867] CubeCart "language" PHP Script Inclusion Vulnerability
[SA14865] HP OpenView Network Node Manager Unspecified Denial of Service

========================================================================

5) Vulnerabilities Content Listing

Windows:--

[SA14920] Microsoft Exchange SMTP Service Extended Verb Request Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-04-12

ISS X-Force has reported a vulnerability in Microsoft Exchange Server, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14920/

--

[SA14918] Maxthon Security ID Disclosure Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-04-11

Aviv Raff has reported a vulnerability in Maxthon, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/14918/

--

[SA14915] Microsoft MSN Messenger GIF Image Processing Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-04-12

Hongzhen Zhou has reported a vulnerability in MSN Messenger, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14915/

--

[SA14896] Microsoft Jet Database Engine Database File Parsing Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-04-12

HexView has discovered a vulnerability in Microsoft Jet Database Engine, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14896/

--

[SA14879] Lotus Notes/Domino Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, DoS, System access
Released:    2005-04-08

Some vulnerabilities have been reported in Lotus Notes/Domino, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14879/

--

[SA14870] MailEnable IMAP "LOGIN" Command Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-04-07

H D Moore has discovered a vulnerability in MailEnable, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14870/

--

[SA14861] AN HTTPD cmdIS.DLL Buffer Overflow and Log File Injection

Critical:    Highly critical
Where:       From remote
Impact:      Manipulation of data, System access
Released:    2005-04-08

Tan Chew Keong has reported two vulnerabilities in AN HTTPD, which can be exploited by malicious people to inject arbitrary data into log files or compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/14861/

--

[SA14909] Microsoft Windows Shell MSHTA Script Execution Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-04-12

A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14909/

--

[SA14880] DC++ Unspecified Manipulation of Arbitrary Files

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-04-11

cologic has reported a vulnerability in DC++, which can be exploited by malicious people to manipulate sensitive information.

Full Advisory:
http://secunia.com/advisories/14880/

--

[SA14864] Ocean12 Membership Manager Pro Cross-Site Scripting and SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2005-04-07

Zinho has reported two vulnerabilities in Ocean12 Membership Manager Pro, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/14864/

--

[SA14921] Microsoft Windows Message Queuing Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2005-04-12

Kostya Kortchinsky has reported a vulnerability in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14921/

--

[SA14910] CA BrightStor ARCserve Backup Universal Agent Buffer Overflow

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2005-04-12

A vulnerability has been reported in BrightStor ARCserve/Enterprise Backup, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14910/

--
[SA14930] Centra Profile Script Insertion Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-04-13
Clorox has reported a vulnerability in Centra, which can be exploited by malicious users to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/14930/

--
[SA14944] WIDCOMM Bluetooth Connectivity Software Directory Traversal
Critical: Less critical
Where: From local network
Impact: Security Bypass
Released: 2005-04-13
Kevin Finisterre has reported a vulnerability in WIDCOMM Bluetooth Connectivity Software, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/14944/

--
[SA14927] Microsoft Windows Kernel Multiple Vulnerabilities
Critical: Less critical
Where: Local system
Impact: Privilege escalation, DoS
Released: 2005-04-12
Some vulnerabilities have been reported in Microsoft Windows, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges.
Full Advisory: http://secunia.com/advisories/14927/

--
[SA14923] DeluxeFTP Disclosure of User Credentials
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2005-04-11
Lostmon has discovered a security issue in DeluxeFTP, which can be exploited by malicious, local users to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/14923/

--
[SA14889] FTP Now Disclosure of User Credentials
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2005-04-08
Kozan has discovered a security issue in FTP Now, which can be exploited by malicious, local users to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/14889/

UNIX/Linux:

--
[SA14949] Red Hat update for kdegraphics
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-04-13
Red Hat has issued an update for kdegraphics. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system or cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14949/

--
[SA14922] Microsoft Internet Explorer Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-04-12
Some vulnerabilities have been reported in Microsoft Internet Explorer, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14922/

--
[SA14914] SUSE update for kdelibs3
Critical: Highly critical
Where: From remote
Impact: Spoofing, DoS, System access
Released: 2005-04-12
SUSE has issued an update for kdelibs3. This fixes some vulnerabilities, which can be exploited to cause a DoS (Denial of Service), spoof the URL displayed in an address bar and status bar, or potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14914/

--
[SA14908] KDE kdelibs PCX Image Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-04-12
Bruno Rohee has reported a vulnerability in KDE kdelibs, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14908/

--
[SA14900] SUSE Updates for Multiple Packages
Critical: Highly critical
Where: From remote
Impact: Exposure of system information, Privilege escalation, System access
Released: 2005-04-11
SUSE has issued updates for multiple packages. These fix various vulnerabilities, which can be exploited by malicious, local users to escalate their privileges and by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14900/

--
[SA14893] UnixWare update for libtiff
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-04-08
SCO has issued an update for libtiff. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14893/

--
[SA14963] Fedora update for openoffice
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-04-14
Fedora has issued an update for openoffice. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14963/

--
[SA14939] Debian update for axel
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-04-13
Debian has issued an update for axel. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14939/

--
[SA14933] Gentoo update for axel
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-04-13
Gentoo has issued an update for axel. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14933/

--
[SA14907] UnixWare update for telnet
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-04-11
UnixWare has issued an update for telnet. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14907/

--
[SA14897] Access_user Class Undocumented Default Password
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-04-08
The vendor has reported a security issue in Access_user Class, which can be exploited by malicious people to get access to arbitrary accounts.
Full Advisory: http://secunia.com/advisories/14897/

--
[SA14873] Camino JavaScript Engine Information Disclosure Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2005-04-08
A vulnerability has been discovered in Camino, which can be exploited by malicious people to gain knowledge of potentially sensitive information.
Full Advisory: http://secunia.com/advisories/14873/

--
[SA14951] Gentoo update for gld
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2005-04-13
Gentoo has issued an update for gld. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14951/

--
[SA14948] Red Hat update for dhcp
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2005-04-13
Red Hat has issued an update for dhcp. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14948/

--
[SA14941] Gld Multiple Vulnerabilities
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2005-04-13
dong-hun you has reported some vulnerabilities in Gld, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14941/

--
[SA14891] UnixWare CDE dtlogin XDMCP Parsing Vulnerability
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2005-04-08
SCO has acknowledged a vulnerability in UnixWare, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14891/

--
[SA14946] AIX Various Communication Protocol Security Issues
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-04-13
IBM has acknowledged some security issues in AIX, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14946/

--
[SA14945] Sun Solaris ICMP Message Handling Denial of Service
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-04-13
Sun has acknowledged some security issues in Solaris, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14945/

--
[SA14925] KDE KMail User Interface Spoofing Vulnerability
Critical: Less critical
Where: From remote
Impact: Spoofing
Released: 2005-04-11
Noam Rathaus has discovered a vulnerability in KMail, which can be exploited by malicious people to conduct spoofing attacks.
Full Advisory: http://secunia.com/advisories/14925/

--
[SA14911] Gentoo update for phpmyadmin
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-04-12
Gentoo has issued an update for phpmyadmin. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/14911/

--
[SA14898] FirstClass Client Bookmark Files Can Launch Local Programs
Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-04-08
dila has reported a vulnerability in FirstClass, which can be exploited by malicious people to execute arbitrary commands on a vulnerable system.
Full Advisory: http://secunia.com/advisories/14898/

--
[SA14895] Fedora update for gftp
Critical: Less critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2005-04-08
Fedora has issued an update for gftp. This fixes a vulnerability, which can be exploited by malicious people to conduct directory traversal attacks.
Full Advisory: http://secunia.com/advisories/14895/

--
[SA14877] Gentoo update for gnome-vfs/libcdaudio
Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-04-08
Gentoo has issued updates for gnome-vfs and libcdaudio. These fix a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14877/

--
[SA14936] Debian update for mysql
Critical: Less critical
Where: From local network
Impact: Security Bypass, Privilege escalation, System access
Released: 2005-04-14
Debian has issued an update for mysql. This fixes some vulnerabilities, which can be exploited by malicious users to bypass certain security restrictions and potentially compromise a vulnerable system and by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/14936/

--
[SA14872] Mandrake update for mysql
Critical: Less critical
Where: From local network
Impact: Security Bypass
Released: 2005-04-13
MandrakeSoft has issued an update for mysql. This fixes a vulnerability, which can be exploited by malicious users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/14872/

--
[SA14863] Ubuntu update for mysql-server
Critical: Less critical
Where: From local network
Impact: Security Bypass
Released: 2005-04-07
Ubuntu has issued an update for mysql-server. This fixes a vulnerability, which can be exploited by malicious users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/14863/

--
[SA14956] Gentoo update for rsnapshot
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-04-14
Gentoo has issued an update for rsnapshot. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/14956/

--
[SA14926] Ubuntu update for kernel
Critical: Less critical
Where: Local system
Impact: Privilege escalation, DoS
Released: 2005-04-11
Ubuntu has issued updates for the kernel. These fix two vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges.
Full Advisory: http://secunia.com/advisories/14926/

--
[SA14903] portupgrade Insecure Temporary File Creation Vulnerability
Critical: Less critical
Where: Local system
Impact: Manipulation of data
Released: 2005-04-12
Simon L. Nielsen has reported a vulnerability in portupgrade, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/14903/

--
[SA14894] UnixWare update for cdrecord
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-04-08
SCO has issued an update for cdrecord. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/14894/

--
[SA14892] OpenServer auditsh/atcronsh/termsh Buffer Overflow Vulnerabilities
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-04-08
Joel Soderberg and Christer Oberg have reported some vulnerabilities in SCO OpenServer, which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/14892/

--
[SA14878] rsnapshot "copy_symlink()" Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-04-11
A vulnerability has been reported in rsnapshot, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/14878/

--
[SA14876] OpenServer update for cscope
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-04-08
SCO has issued an update for cscope. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/14876/

--
[SA14875] SGI IRIX gr_osview Privilege Escalation and Information Disclosure
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information, Privilege escalation
Released: 2005-04-08
Two vulnerabilities have been reported in SGI IRIX, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges and disclose some sensitive information.
Full Advisory: http://secunia.com/advisories/14875/

--
[SA14952] Mandrake update for gaim
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-04-14
MandrakeSoft has issued an update for gaim. This fixes three weaknesses, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14952/

--
[SA14947] Red Hat update for gaim
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-04-13
Red Hat has issued an update for gaim. This fixes three weaknesses, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14947/

--
[SA14886] Mandrake update for gtk+2.0
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-04-08
MandrakeSoft has issued an update for gtk+2.0. This fixes a vulnerability, which can be exploited by malicious people to crash certain applications on a vulnerable system.
Full Advisory: http://secunia.com/advisories/14886/

--
[SA14885] Mandrake update for gdk-pixbuf
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-04-08
MandrakeSoft has issued an update for gdk-pixbuf. This fixes a vulnerability, which can be exploited by malicious people to crash certain applications on a vulnerable system.
Full Advisory: http://secunia.com/advisories/14885/

--
[SA14899] Pine rpdump File Creation Race Condition Vulnerability
Critical: Not critical
Where: Local system
Impact: Manipulation of data
Released: 2005-04-12
Imran Ghory has reported a vulnerability in Pine, which potentially can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/14899/

--
[SA14887] Mandrake update for sharutils
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2005-04-08
MandrakeSoft has issued an update for sharutils. This fixes a vulnerability, which potentially can be exploited by malicious, local users to conduct certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/14887/

--
[SA14883] Red Hat vixie-cron Exposure of Arbitrary Cron Files
Critical: Not critical
Where: Local system
Impact: Exposure of system information
Released: 2005-04-08
Karol Więsek has discovered a vulnerability in vixie-cron on Red Hat Enterprise Linux, which can be exploited by malicious, local users to read arbitrary cron files.
Full Advisory: http://secunia.com/advisories/14883/

--
[SA14862] Fedora Core vixie-cron Exposure of Arbitrary Cron Files
Critical: Not critical
Where: Local system
Impact: Exposure of system information
Released: 2005-04-08
Karol Więsek has discovered a vulnerability in vixie-cron on Fedora Core, which can be exploited by malicious, local users to read arbitrary cron files.
Full Advisory: http://secunia.com/advisories/14862/

Other:

--
[SA14874] Novell NetWare Unspecified TCP Packet Handling Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-04-08
A vulnerability has been reported in Novell NetWare, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14874/

--
[SA14871] Linksys WET11 Password Change Security Bypass Vulnerability
Critical: Moderately critical
Where: From local network
Impact: Security Bypass
Released: 2005-04-07
Kristian Hermansen has reported a vulnerability in Linksys WET11, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/14871/

--
[SA14950] Juniper Networks JUNOS ICMP Message Handling Denial of Service
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-04-13
Juniper Networks has acknowledged some security issues in the M-series and T-series routers running certain unspecified releases of JUNOS, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14950/

--
[SA14937] Network Appliance Data ONTAP ICMP Message Handling Denial of Service
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-04-13
Network Appliance has acknowledged some security issues in Data ONTAP, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14937/

--
[SA14928] WatchGuard Products ICMP Message Handling Denial of Service
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-04-13
WatchGuard has acknowledged some security issues in the WatchGuard firewall products, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14928/

--
[SA14904] Cisco Various Products ICMP Message Handling Denial of Service
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-04-12
Fernando Gont has published an Internet-Draft describing how ICMP (Internet Control Message Protocol) can be exploited by malicious people to cause a DoS (Denial of Service). Cisco has acknowledged that various Cisco products are affected.
Full Advisory: http://secunia.com/advisories/14904/

--
[SA14860] SonicWALL Pro Series Script Insertion Vulnerability
Critical: Less critical
Where: From local network
Impact: Cross Site Scripting
Released: 2005-04-08
Dev Appan has reported a vulnerability in SonicWALL Pro series, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/14860/

Cross Platform:

--
[SA14916] DokuWiki File Upload Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-04-13
Håvar Henriksen has reported a vulnerability in DokuWiki, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14916/

--
[SA14890] ModernBill Cross-Site Scripting and File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2005-04-11
James Bercegay has reported some vulnerabilities in ModernBill, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14890/

--
[SA14935] Oracle Products Multiple Unspecified Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Unknown, Manipulation of data, Exposure of system information, Exposure of sensitive information, DoS
Released: 2005-04-13
Multiple vulnerabilities have been reported in various Oracle products. Some have an unknown impact, and others can be exploited to gain knowledge of sensitive information, manipulate data, or cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14935/

--
[SA14929] Mambo zOOm Media Gallery Module "catid" SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-04-12
Andreas Constantinides has reported a vulnerability in the zOOm Media Gallery module for Mambo, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/14929/

--
[SA14919] jPortal Banner Module SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of system information, Exposure of sensitive information
Released: 2005-04-12
Marcin "CiNU5" Krupowicz has reported a vulnerability in jPortal, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/14919/

--
[SA14913] aeDating Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of sensitive information
Released: 2005-04-12
dionisio has reported some vulnerabilities in aeDating, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks and disclose sensitive information.
Full Advisory: http://secunia.com/advisories/14913/

--
[SA14912] OpenOffice ".doc" Document Handling Buffer Overflow
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-04-13
AD-LAB has reported a vulnerability in OpenOffice, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14912/

--
[SA14906] RadBids Gold Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of sensitive information
Released: 2005-04-11
Diabolic Crab has reported some vulnerabilities in RadBids Gold, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, and potentially disclose sensitive information.
Full Advisory: http://secunia.com/advisories/14906/

--
[SA14888] SurgeFTP "LEAK" Command Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-04-08
Tan Chew Keong has reported a vulnerability in SurgeFTP, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14888/

--
[SA14882] PunBB SQL Injection and Cross-Site Scripting Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-04-08
Some vulnerabilities have been reported in PunBB, which can be exploited by malicious people to conduct cross-site scripting attacks and by malicious users to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/14882/

--
[SA14881] Macromedia ColdFusion MX Exposure of Class Files
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-04-08
Sean Waddell has reported a security issue in Macromedia ColdFusion MX, which can be exploited by malicious people to disclose some potentially sensitive information.
Full Advisory: http://secunia.com/advisories/14881/

--
[SA14869] Runcms / exoops Arbitrary File Upload Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-04-07
pokleyzz has reported a vulnerability in Runcms and exoops, which potentially can be exploited by malicious users to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14869/

--
[SA14866] PHP-Nuke Multiple SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of system information
Released: 2005-04-07
Some vulnerabilities have been reported in PHP-Nuke, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/14866/

--
[SA14934] Veritas i3 FocalPoint Server Unspecified Vulnerability
Critical: Moderately critical
Where: From local network
Impact: Unknown
Released: 2005-04-13
NGSSoftware has reported a vulnerability with an unknown impact in Veritas i3 FocalPoint server.
Full Advisory: http://secunia.com/advisories/14934/

--
[SA14940] eGroupWare Exposure of Mail Attachments
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-04-13
Gerald Quakenbush has discovered a security issue in eGroupWare, which may expose sensitive information to malicious people.
Full Advisory: http://secunia.com/advisories/14940/

--
[SA14924] Pinnacle Cart "pg" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-04-13
SmOk3 has reported a vulnerability in Pinnacle Cart, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/14924/

--
[SA14902] Sun Java JDK/SDK Jar Directory Traversal Vulnerability
Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-04-11
Pluf has discovered a vulnerability in Sun Java JDK/SDK, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14902/

--
[SA14884] TowerBlog Exposure of Sensitive Information
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-04-11
CorryL has reported a vulnerability in TowerBlog, which can be exploited by malicious people to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/14884/

--
[SA14868] PostNuke Cross-Site Scripting and SQL Injection Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-04-08
Diabolic Crab has reported some vulnerabilities in PostNuke, which can be exploited by malicious people to conduct SQL injection and cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/14868/

--
[SA14867] CubeCart "language" PHP Script Inclusion Vulnerability
Critical: Less critical
Where: From remote
Impact: Security Bypass, Exposure of system information
Released: 2005-04-07
John Cobb has reported a vulnerability in CubeCart, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/14867/

--
[SA14865] HP OpenView Network Node Manager Unspecified Denial of Service
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-04-07
A vulnerability has been reported in OpenView Network Node Manager (OV NNM), which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14865/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Thu Apr 14 09:02:12 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 14 09:10:11 2005
Subject: [ISN] Another broadband outage strikes Comcast
Message-ID:

Forwarded from: Richard Forno

[Two weeks ago it was Rolex spam, last week, flu, this week, Comcast (who we use for Internet) has been flaking out. It can be really challenging sending out InfoSec News at times.
;) - WK]

By Jim Hu
Staff Writer, CNET News.com
April 13, 2005
http://news.com.com/Another+broadband+outage+strikes+Comcast/2100-1034_3-5669961.html

Comcast's high-speed Internet service suffered nationwide outages for the second time in six days Tuesday, which the cable giant blamed on issues related to its domain name servers.

The three-hour outage came after a similar issue crippled Comcast Thursday for six hours. Both involved issues with the cable giant's domain name servers, which translate and route Web page requests from users. Although Internet applications such as instant messaging could continue to operate, all Web site requests either did not respond or were sluggish.

A Comcast spokeswoman said Tuesday night's outage was first noticed about 6:30 p.m. PT and service was restored about three hours later.

"We were able to identify the situation right away," Comcast spokeswoman Jeanne Russo said. "We are working with the (hardware) vendor to make sure it doesn't happen again."

Russo declined to identify Comcast's hardware vendor.

Throughout online message boards, including Comcast's own forum, subscribers fumed at the company's second outage in four days.

Michael Spoonauer, a software engineer and Comcast customer from Quincy, Mass., noticed the issue Tuesday evening when Web site requests continued to time out. Spoonauer said Comcast's support representative told him that the network was experiencing an unscheduled outage due to server maintenance.

Spoonauer bristled at Comcast for not informing its users about the outage, and added that the company's Web site offered little information about why the service was down again.

"I would consider it to be corporately responsible to send a message to customers saying what happened, why it happened and what they're going to be doing to prevent it," Spoonauer said. "It's not too much to ask from a company."
Comcast's Russo said the company communicates issues through areas on its Web site and sometimes through recorded messages that greet callers.

Comcast is the nation's largest broadband Internet access provider. It reported 7 million subscribers at the end of 2004.

From isn at c4i.org Fri Apr 15 05:57:37 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Apr 15 06:10:44 2005
Subject: [ISN] Network Chem Gets $6 million
Message-ID:

http://www.redherring.com/Article.aspx?a=11794

April 14, 2005

Wi-Fi network security company Network Chemistry said Thursday it raised a $6-million Series A from VC investors including the CIA's In-Q-Tel investment firm.

The company, based in Menlo Park, California, makes radio frequency appliances to monitor Wi-Fi networks. The appliances send messages back to a server installed with Network Chemistry software designed to optimize network performance and keep hackers off the data-laden airwaves.

Geneva Venture Partners led the investment round with help from In-Q-Tel and Innovacom, the venture arm of France Telecom [1].

"This is an ideal group of investors," said CEO Rob Markovich.

The company impressed VCs last fall at the annual Silicon Valley Bank "best new startup" contest, winning first place in a field of 10. The firm was also profiled by Red Herring (see Wardriving Along Sand Hill Road) [2].

The market for security software to keep Wi-Fi hackers off the network is taking off. Frost & Sullivan predicts companies will sell $200 million in Wi-Fi protection appliances this year. That's double last year's figures.

But Network Chemistry isn't the only startup trying to take advantage of this new market. Competitors include AirTight, which got $10.25 million from VCs last year (see VC Action: AirTight Networks Gets $10.25-million Series A for Wi-Fi security [3]). AirDefense and AirMagnet, both Red Herring 100 companies, are also fighting for lucrative contracts (see Top 100 Innovative Companies) [4].
Traditionally, Wi-Fi security companies started with a radio-frequency monitoring device and overlaid security on top of that. On Tuesday, eEye Digital Security announced its entry into the wireless protection market. The company sells vulnerability assessment tools and intrusion-prevention software (see Top 100 Innovative Companies: eEye, Beyond Patches) [5]. eEye has made its Retina network scanning product Wi-Fi-compatible. Although its new software won't do everything Network Chemistry's will, it's clear that cutting-edge security companies are looking to develop a Wi-Fi strategy. [1] http://studio.financialcontent.com/Engine?Account=redherring&PageName=QUOTE&Ticker=FTE [2] http://www.redherring.com/Article.aspx?a=11790&hed=Wardriving+Along+Sand+Hill+Road [3] http://www.redherring.com/Article.aspx?a=11027&hed=VC+Action:+AirTight+Networks+gets+$10.25-million+Series+A+for+wi-fi+security [4] http://www.redherring.com/Article.aspx?a=11067&hed=Top+100+Innovative+Companies [5] http://www.redherring.com/Article.aspx?a=11057&hed=Top+100+Innovative+Companies:+eEye,+Beyond+patches From isn at c4i.org Fri Apr 15 05:58:33 2005 From: isn at c4i.org (InfoSec News) Date: Fri Apr 15 06:10:47 2005 Subject: [ISN] Perimeter Security: It's Not Just about Razor Wire and Guard Towers Anymore Message-ID: Forwarded with permission from www.homelandresponse.org. Copyright 2005 Penton Media Inc. http://homelandresponse.org/full_story.php?WID=13218 By Sandy Smith 04/13/2005 Terry Wood, PE, CPP, is the director of Engineering and Security Applications for Wackenhut Corp. He says effective perimeter security can range from high fences to guard patrols to motion sensors to a good lock.
Wood ought to know: his responsibilities at Wackenhut include preparation of physical security system analysis, vulnerability and risk assessments, design and construction document development (drawings and specifications) and the performance of construction administration and technical consultation services. The projects he has worked on include the design of security systems for the new international airport in Hong Kong, port security assessments for a West African government, petroleum refinery security analysis in Greece, security assessment of copper mining operations throughout South America, and security analysis and support for all areas of critical U.S. infrastructure, including nuclear power plants and water treatment plants. "Some facilities have no perimeter whatsoever. Take a high-rise building, for example. There, perimeter security consists of a lock on the door," says Wood. "Then, there are other facilities that have a large perimeter that includes double fencing with motion sensors in between the fences, closed-circuit television, security patrols, guard stations, limited access, etc." The Plan The first step to determining if your perimeter security plan fulfills your needs is to conduct a risk assessment and take a long, hard look at the mission of your facility and the security measures you already have in place. According to Wood, a risk assessment is a tool for measuring the compliance of a facility with security requirements. The assessment is used to analyze a system or facility to identify vulnerabilities that could potentially result in losses of life, products or technology. The methodology behind the risk assessment is based on the interrelationships of four key factors: * Assets. Any useful or valuable resource. * Vulnerability. Weakness or susceptibility of an asset or a collection of assets to losses of various kinds. * Threat. An event, process or act which, when realized, has an adverse effect on one or more assets. * Safeguard.
A countermeasure, control or action taken to decrease the existing level of vulnerability of an asset to one or more threats. According to Wood, "A risk equals a threat plus your vulnerability to that threat." "If you operate a corrections facility, then your plan is to keep individuals from crossing the perimeter. If your facility is an automotive manufacturing plant, then you want to protect the product and monitor who is entering and leaving the facility," says Wood. The threat at a chemical facility, petrochemical plant or nuclear power station might be sabotage or terrorism, which means limiting access to the facility and the surrounding area. An effective security plan will include: * The operational aspects of a security program, * Establishment of a proactive process to prevent security and safety issues, * An assessment of threat and vulnerability, * The utilization of and need to balance manpower and electronic solutions. Technology The first step in a perimeter security program, once you determine your risks and vulnerabilities and needs, is to assess what you've already got in place. Is it enough? Is it too much? Should you beef it up? Some facilities choose to utilize two or three different types of perimeter systems, depending on the location. Sensors placed between two lines of fencing might work in some locations, but in other locations, where you might find birds nesting between the two fences or trees or shrubbery moving with the wind, sensor technology is not a good choice. "You end up with a lot of nuisance alarms, and management loses confidence in the system. So, the sensitivity is turned way down or the system is turned off entirely," says Wood. "What good is that technology if it doesn't work for your situation?" Some sensors make use of buried cable, which doesn't work in climates where permafrost is an issue, while others utilize an infrared beam. 
That technology works well as long as there is nothing - including piles of snow in winter - blocking the beam. Facilities on the water - such as the airport that was recently opened in Hong Kong - present special challenges. "Boat traffic on the edge of the runway was a concern," Wood remembers. "There were limitations in the structures that could rise above the ground - such as fences - that might interfere with the landing and takeoff of aircraft." The solution was to install biostatic sensors that utilize microwaves to measure motion in volumetric space. Sonar, underwater video systems and boat patrols are other ways to protect harbors, says Wood. Lighting is another important aspect of perimeter security. Lighting is more than throwing up some light poles, says Wood. "A lighting assessment examines the facility. Is there a storage yard, truck parking, a loading dock? If you light just the façade of a building, are there other areas that can't be seen where people can run in and out?" Gatehouses pose a challenge when it comes to lighting. The interiors are usually well-lit while the exterior is sometimes dark. "Guards can't see outside. Half the time, they turn the lights out inside so they can see what's going on outside. That makes it difficult for them to work inside." The answer can be to increase the lighting outside the gatehouse or to install dimmer switches inside. Fencing, or the lack of it, can contribute to perimeter security problems. A company came to Wood and wanted a perimeter security system with all the high-tech bells and whistles: cameras, CCTV, sensors. When he went out to the facility to take a look at what the company was already doing in terms of perimeter security, Wood discovered that the fence surrounding the property had fallen down in several locations. "I don't know how often they walked around the perimeter of the fence, but that's probably a good first step before investing in technology like sensors and cameras.
If whole sections of fence are missing, your perimeter security will not be great," counsels Wood. Fencing has changed since the basic chain link was invented. Electric fences are sometimes used, and new fences have been developed that curve back out toward the outside, if you are trying to keep people out, or back in toward the inside, if you are trying to keep people in. "Intruders can't get a foothold," says Wood. "You see this type of fencing a lot on bridges and overpasses." Barbed wire or razor wire at the top or between layers of fencing can be useful, while some companies utilize plantings around the foundations of buildings, such as thorny bushes, to deter intruders. Wood says special paint is available for objects such as light poles, which might provide easy access over a fence. "Sometimes, you'll have a light pole or some other type of pole that has to be there, even if it's close enough to a fence to be a concern for the perimeter. The paint makes it slippery, so the pole can't be climbed," said Wood. Signage is an effective element of a perimeter security plan, says Wood. Use signs to direct visitors to their entrance, employees to their entrance and deliveries to that entrance. Place signs in strategic places that note the area is monitored and that security is on site. "You'd be surprised how effective a security tool a sign can be," Wood states. Separating employees from visitors is a key element of any perimeter security program. Wood strongly suggests receiving visitors to your facility away from your manufacturing or processing areas. "Visitors shouldn't be in those areas unless they have received proper security clearance and are escorted by employees," says Wood. "Don't allow visitors near sensitive areas without good reason." And try to keep visitor parking outside your secure perimeter. If your facility has multiple buildings, it can be relatively easy to separate employee entrances from visitor entrances. 
In the case of a software manufacturer with one building, or several floors in a building, that can be more difficult, but not impossible. "Have one place, near the door or perimeter of the offices, where visitors report. Try to have another entrance for employees, but if that's not possible, have a badge or ID system that does not allow entrance to interior offices without proper credentials," says Wood. Engage Employees Employees could be one of your greatest security advantages or disadvantages, says Wood. Employees will realize a stranger is on site almost immediately, but it's what they do about it that can make or break your perimeter security program. Do they report the visitor, or do they hold open the door and allow full access to your facility? "It's human nature to see someone struggling with packages and hold open the door for them. But it's bad security policy," says Wood. "You can have great perimeter security - high fences, barricades, stopping and searching incoming delivery trucks, ID checks for everyone - and still allow a former employee to enter because you never got his ID badge back," says Wood. It can be these types of lapses that can cost you everything. Wood says he'll go out to a client who has good policies in place and will ask him, "Who controls the keys to the building? If an employee is dismissed, do you re-key the building?" The client will say that the maintenance department handles that. The maintenance department says, "We don't have anything to do with that." "We'll ask, 'How many master keys are there to the building?'" says Wood, "and the client will say, 'I don't know.' It could be that there are dozens of master keys out there, and not all of them belong to current employees." The solution, says Wood, is to make employees active participants in the perimeter security program by offering security awareness training. 
Have guidelines for employees about what they should do if they see a stranger walking around unescorted or without proper credentials. Instill in employees the idea that all visitors must go through proper channels and should not be allowed to walk through an open door. The security systems are in place to not only protect your facility and technology, but employees as well. For their own safety, they need to follow security policies. "Some companies think that if they invest a lot of money in technology, they will solve their security problems," says Wood. "A camera, even a very good camera, never caught anyone doing anything. It's just a tool used by security personnel who can receive the message, assess the problem and direct a response." "Physical security is the first step in a perimeter security program, but your employees and security personnel can make or break your program," he adds. From isn at c4i.org Fri Apr 15 06:01:06 2005 From: isn at c4i.org (InfoSec News) Date: Fri Apr 15 06:10:50 2005 Subject: [ISN] Linux report stirs hornets nest Message-ID: Forwarded from: Jeff Berner Cc: jericho@attrition.org Wow, you certainly have a lot to say but it does seem from the perspective of someone that doesn't care one way or the other about MS Vs. Linux that you do indeed feel like a rock was thrown through the stained glass window of the Linux temple. I have completed reading your synopsis and would like to point out that while the Yankee Group does indeed show up in a search of Microsoft most of the articles you linked to were nothing more than quotes from them. As an 'analyst' their job is to take money and research something and give feedback. Do you ever read an article from a paid analyst that ever contradicts the purpose of the sponsor? With exception to the tobacco industry (lately), not very often. Reports that come back not favoring the view of the sponsor usually reach the circular file pretty quickly.
Was their methodology flawed, perhaps, but until the report was released and their methods of collecting data fully divulged the speculation from Groklaw is just that, speculation. Nothing in your rebuttal supports that MS and Yankee Group are 'good friends'. You sound as biased as you purport the article to be. I suppose that if this report was released from Gartner you would have reacted the same way. Again, a few quotes don't make them vested business partners. Anything that in any way hints of a flaw, perceived or real, in the Linux world seems to always result in a BS email response from a feverishly angry computer person that wants to continue to preach that Linux is god. MS releases lots of propaganda too but at least they refrain from directly bashing. You brought up some good points about how the actual report is missing but the link you sent was for software assurance, nothing to do with MS vs. Linux. Your reporting in this case is as bad as theirs. If you want to rebuke an analyst, become one and do your own independent research and get it published. I have listened to you for years via various mail lists and usually enjoy what you have to say and find it informative but your response to that article was hideous. Grow up and get over the Linux is superior to MS or MS is superior to Linux argument. We all live in a world where the media is bent or broken and all information we receive is suspect. Somehow I have a feeling if this were hotrod magazine you would be complaining about someone else telling you your engine is too small. Your response is as full of FUD as Yankee's.
-----Original Message----- From: isn-bounces@attrition.org [mailto:isn-bounces@attrition.org] On Behalf Of InfoSec News Sent: Wednesday, April 13, 2005 6:16 AM To: isn@attrition.org Subject: Re: [ISN] Linux report stirs hornets nest Forwarded from: security curmudgeon Cc: guymatthews@transom-media.co.uk, mike.magee@theinquirer.net, consultingservices@yankeegroup.com : http://www.theinquirer.net/?article=22460 : : By Guy Matthews : : Yankee Group software analyst Laura DiDio put out a report last week : daring to suggest, based on extensive research, that Microsoft Windows : Server 2003 may be as good as, if not in some respects better than, : Linux in terms of quality, performance and reliability. Based on extensive research? Or based on extensive questionnaires? Big difference. Read on for a bit more truth than this crappy opinion piece gives us... : A virtual techie "fatwa" seems to have been the result. Her views have : been repeatedly savaged by Linux apologists, accusing her of bias in : favour of Microsoft. DiDio has hit back denying any such leanings, but : the self-appointed Ayatollahs of open source have paid no heed. Amusing that you call these linux apologists fun names like "self-appointed Ayatollahs of open source" while she calls them "nut jobs" and "extremist fringe of linux loonies". Is there a chance.. just a remote, outside *chance*, that there could be some bias in this survey? That these linux "nuts" have a reason to be angry? Does the fact that Microsoft has funded such studies over the last half decade give them reason to question her motives? Of course there is. : DiDio says the Yankee Group end user study her analysis was based on is : strictly independent, and not something she has any personal influence : over. 
Unfortunately, if you go to the Yankee Group site [1] you see her picture on the left (but not on the list of analysts), you find a PDF mentioning the upcoming study on TCO [2], but no clear links to the survey results that I can see. Are they hiding it? No.. read on. : This is not the first evidence suggesting a strong streak of : unreasonable insanity in the Linux community. Last year security : analyst firm Mi2g claimed Linux was getting hacked more frequently than : Windows, the resulting brouhaha leading it to declare on its web site that : "any empirical evidence pointing to a high level of online Linux : breaches is immediately shot down by religious zealots as if a church : had been desecrated". mi2g has a history of releasing material that has little factual basis, no clear methodology, and a tendency to cater to news that gets them attention, regardless of what it is. Very bad example to cite backing your claims here. Please don't forget that only 6 years ago, they ran 'portal' web sites dedicated to used cars as their only business, then overnight became "security experts". You did know that.. right Mr. Matthews? -- Anyway, back to DiDio's survey. A quick search finds all kinds of wonderful commentary on it, but not the actual survey (wonder why..). Turns out they are issuing press releases for this survey but not releasing the results until June 2005 [8]. So it's basically "believe what we say, even though we won't disclose our testing methodology", then let time pass, then quietly release the actual survey after the hype has died down and people begin questioning it? Oh wait, search Microsoft and you find it.. now why would they have a copy so far in advance and make it available on their site [9]? Moving on, check a GrokLaw article [3] that comments on it.
Now we see that this survey [4] is a bunch of questions that was sent to W2Knews readers [5] including "C-level" executives, who are likely not the most unbiased people to ask about Windows vs Linux. Next, the article mentions that DiDio did her "independent" research with Sunbelt Software [6] who is also known for their spamming [7]. Reading their 'about' page finds they are Windows consultants: The company was founded in 1994 and offers product solutions that enable companies to protect and secure their infrastructure from costly inefficiencies including spam, Windows system downtime and network security vulnerabilities. Again, this is not the most unbiased group to 'research' Windows vs Linux TCO issues. Next, search Microsoft's site and you will find that not only has the Yankee Group been good pals with Microsoft [10], DiDio herself has done other studies that favored Microsoft (in their eyes) [11]. In fact, Microsoft has previously funded Yankee Group to carry out surveys [12] which undermines any claims from DiDio that she or Yankee Group are unbiased and "independent".
[1] http://www.yankeegroup.com/ [2] http://www.yankeegroup.com/public/research/surveys.jsp [3] http://www.groklaw.net/article.php?story=20040324085956154 [4] http://www.sunbelt-software.com/surveys/040213_Linux.htm [5] http://www.w2knews.com/index.cfm?id=463 [6] http://www.sunbelt-software.com/index.cfm [7] http://www.spamhaus.org/sbl/sbl.lasso?query=SBL3704 [8] http://www.yankeegroup.com/public/products/survey/brochures/2005NorthAmericanLinuxTCOSurvey.pdf [9] http://download.microsoft.com/download/e/e/e/eee3b9eb-0dbe-4729-95e2-829d5127760d/YankeeGroup-CustomercasestudiesonSoftwareAssurance.pdf [10] http://www.microsoft.com/presspass/press/2000/Jun00/OSSpr.asp http://www.microsoft.com/windowsserversystem/facts/indemnification/indembrown.mspx http://www.microsoft.com/Education/GetTheFacts.aspx http://www.microsoft.com/presspass/press/2004/Jan04/01-06TVFoundationEditionPR.asp [11] http://www.microsoft.com/windowsserversystem/facts/indemnification/indemwp.mspx [12] http://www.microsoft.com/presspass/features/2004/oct04/10-05SBServer.asp From isn at c4i.org Fri Apr 15 06:02:37 2005 From: isn at c4i.org (InfoSec News) Date: Fri Apr 15 06:10:54 2005 Subject: [ISN] Linux report stirs hornets nest Message-ID: Forwarded from: security curmudgeon Cc: Jeff Berner : Wow, you certainly have a lot to say but it does seem from the : perspective of someone that doesn't care one way or the other about MS : Vs. Linux that you do indeed feel like a rock was thrown through the : stained glass window of the Linux temple. Can you quote one place in my reply where I say that Linux is better than Microsoft, or vice versa? : I have completed reading your synopsis and would like to point out that : while the Yankee Group does indeed show up in a search of Microsoft most : of the articles you linked to were nothing more than quotes from them. Right, and how do these articles work? The person writing them goes to people they know will support their story/ideas.
They are glorified press releases from Microsoft, not articles from the AP. So the author pulls up a list of Microsoft friendly people, solicits them for quotes, includes them. That would show a relationship and everyone should question the YG when they turn around and do "independent" research that is pro-Microsoft. : give feedback. Do you ever read an article from a paid analyst that ever : contradicts the purpose of the sponsor? With exception to the tobacco : industry (lately), not very often. Reports that come back not favoring : the view of the sponsor usually reach the circular file pretty quickly. Two things here. First, Microsoft tries to distance themselves on these reports. So there may not be a direct "paid for" approach, but it's essentially the same thing. Second, that illusion of independence is why these articles get more attention, and Microsoft knows that. : Was their methodology flawed, perhaps, but until the report was released : and their methods of collecting data fully divulged the speculation from : Groklaw is just that, speculation. Actually, read the PDF on YG's site. It says they are sending out questionnaires as their research. Quoting from the PDF: Survey Methodology - SMBs and large North American enterprises (businesses with 250 + employees) - Respondents are IT decision makers (VPs, Directors, IT Managers) - Approximately 500 completed responses - 50 questions - Web-based survey No matter how you cut it, that is 500 opinion pieces being labeled as something other than opinion. If that survey is sent to a targeted group, it further biases the opinions. : Nothing in your rebuttal supports that MS and Yankee Group are 'good : friends'. You sound as biased as your purport the article to be. I : suppose that if this report was released from Gartner you would have : reacted the same way. Again a few quotes doesn't make them vested : business partners.
YG is quoted in Microsoft fluff pieces, has carried out research that seemingly ends up pro-MS every time, they partner with a 10 year old outfit that specializes in Windows and makes their money by installing, maintaining and converting people to Windows, and the YG sends out this survey primarily to Windows admins and CEO types that aren't always hip to what technology is deployed in their own office. Add it all up and there is plenty of doubt about YG independence and this being anything other than a MS fluff piece. : Anything that in anyway hints of a flaw, perceived or real, in the Linux : world seems to always result in a BS email response from a feverishly : angry computer person that wants to continue to preach that Linux is : god. MS releases lots of propaganda too but at least it they refrain : from directly bashing That is a joke, right? Ballmer saying that Linux is written by Chinese hackers sounds like bashing to me. : You brought up some good points about how the actual report is missing : but the link you sent was for software assurance, nothing to do with MS : vs. Linux. Your reporting in this case is as bad as theirs. If you http://download.microsoft.com/download/e/e/e/eee3b9eb-0dbe-4729-95e2-829d5127760d/YankeeGroup-CustomercasestudiesonSoftwareAssurance.pdf You didn't find this interesting? The Yankee Group .. pro-Microsoft article .. available on microsoft.com but not yankeegroup.com that I could see .. quotes the survey in question .. and you don't think there is grounds for someone to call them biased? The Yankee Group recently profiled several organizations, among them a media and entertainment conglomerate, an Ivy League university and a law firm, to discover how each has lowered its total cost of ownership (TCO) and derived immediate return on investment (ROI) from its purchase of Software Assurance. [..]
The joint October 2004 Yankee Group/Sunbelt Software survey indicated that 43% will increase their spending in the next 12 to 18 months to fund network upgrades. But nearly two-thirds of the increases will be minimal to modest, ranging from 3% to 20%. Therefore, corporations will continue to keep close tabs on spending and scour their licensing agreements for discounts and values. [..] Come on, you have to admit this looks shady =) Microsoft quoting the TCO survey that seemingly isn't available yet? : want to rebuke an analyst, become one and do you own independent : research and get it published. I have listened to you for years via : various mail lists and usually enjoy what you have to say and find it : informative but your response to that article was hideous. Why was it hideous exactly? No matter how you cut it, there is bias in this 'research'. The methodology the YG has published will not yield the same results each time (send that survey to 500 shops with a heavy unix presence, and make sure half of the surveys end up in a unix admins hands), and the results will come out that Linux is better blah blah. If anyone does that, I'll be the first to call them out and say it's unfair to Microsoft and question the bias or methodology. My reply may not have been that of an analyst, but it certainly wasn't hideous. : Grow up and get over the Linux is superior to MS or MS is superior to : Linux argument. Again, can you quote where I said one is superior to the other? The only thing in my reply calls out how these 'research' gigs are often not accurate, heavily biased, and sometimes funded (even if indirect) by one of the two sides. My problem isn't with Windows, Linux, TCO or anything of the sort, and I don't have anything more than an opinion which is just as unsuitable as this YG report. : We all live in a world where the media is bent or broken and al : information we receive is suspect.
Somehow I have a feeling if this : were hotrod magazine you would be complaining about someone else telling : you your engine is too small. Your response is as full of FUD as : Yankee's. Your reply was going so well until this last part. Something tells me this was nothing more than bait. If you really believe this, then you are exactly the kind of person MS/YG want reading that 'research'. Brian From isn at c4i.org Fri Apr 15 06:02:55 2005 From: isn at c4i.org (InfoSec News) Date: Fri Apr 15 06:10:58 2005 Subject: [ISN] British banks to provide extra Web security Message-ID: http://news.zdnet.com/2100-1009_22-5671175.html By Dan Ilett ZDNet (UK) April 14, 2005 Major British banks are set to agree on a physical security device for all U.K. online customers to use. This move to two-factor authentication could make customers more secure when banking online. Such systems use a physical security device that generates a password to be used only once. Identity theft e-mails, known as phishing attacks, cost U.K. banks $22.6 million last year, according to the Association of Payment and Clearing Systems, which represents the British banking industry. Precise details of the two-factor device should be agreed upon in May, with the banks expected to roll out devices within nine to 12 months. "We are looking to get a U.K. standard for next month," said an APACS representative. "We are hoping this will enable us to make rapid progress. It would also be good to get a global standard." APACS said that credit card issuer Barclaycard and the high-profile bank Coutts have already issued some customers identity devices. Last year, former White House cybersecurity adviser Howard Schmidt urged banks to issue customers with two-factor authentication. Schmidt is the chief security strategist of online auction eBay, which itself has yet to issue bidders two-factor authentication devices. Not everyone is so sure that two-factor authentication is the way forward, however.
"People are selling two-factor authentication as the solution to our current identity theft problems, but it was designed to solve the issues from 10 years ago," security expert Bruce Schneier said last month.

Dan Ilett of ZDNet UK reported from London.

From isn at c4i.org Fri Apr 15 06:03:13 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Apr 15 06:11:00 2005
Subject: [ISN] O'Keeffe ends CISO Exchange
Message-ID:

http://www.fcw.com/article88588-04-14-05-Web

By David Perera
April 14, 2005

Steve O'Keeffe is halting his efforts to promote a for-profit forum for government and private-sector chief information security officers (CISOs).

O'Keeffe, the principal of public relations firm O'Keeffe and Co., spearheaded the CISO Exchange. The effort has come under fire by government and industry officials for appearing to sell influence over government policy formulation.

O'Keeffe's statement comes hours after CIO Council officials announced they would end any relations with the Exchange and establish a new, open and accessible forum for the public and private sectors.

Whether the company will have any involvement in that new forum "is at the discretion of the CIO Council," O'Keeffe said.

"Any organizations that have made commitments to the CISO Exchange, whether contractual or financial, will be immediately released from those commitments and any monies received will be returned to the organizations," he said.

O'Keeffe officials planned to charge $75,000 to companies for full participation in the Exchange, which would be limited to six system integrator representatives. Other industry officials could have joined for $25,000 or $5,000, with varying levels of access and authority over exchange efforts.

Two companies, Computer Sciences Corp. and NetSec, committed to the Exchange at the $75,000 level, O'Keeffe said last week. CSC has since withdrawn from the initiative.

"Any time there is a question or a perception of buying client access, we're not going to be involved," said Austin Yerks, CSC's president of federal sector business development, in a statement.

The other company, NetSec, let the project's abrupt end speak for itself. "It's our understanding that it has dissolved, so there's nothing to withdraw from," a NetSec spokesman said, adding that the company is disappointed that the CISO Exchange did not come to fruition.

Controversy about federal official participation in for-profit efforts may cause some chief information officers to re-evaluate what private-sector initiatives they are involved in, O'Keeffe said.

"There needs to be a bright line in terms of what is appropriate and what is not appropriate in private-sector funding for activities in which public officials are involved," O'Keeffe said. That line is currently blurry, O'Keeffe said. "Somebody needs to clarify," he said. "As long as there's ambiguity or room for interpretation, then there's scope for confusion. Clearly, public/private partnership and interaction is critical to moving the ball forward on some of the most pressing issues."

The CISO Exchange was not an O'Keeffe and Co. effort, O'Keeffe said. Money collected for the Exchange would have gone to O'Keeffe's holding company, Bonaparte Holdings, "which is used to maintain a distinct identity to ensure there is no potential for mixing the funds," he said.

"From an integrity standpoint, it's very important to maintain separate bank accounts for the organization to handle the expenses and make sure there's absolute transparency on a matter where you have a public/private partnership," he said.

From isn at c4i.org Fri Apr 15 06:03:24 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Apr 15 06:11:02 2005
Subject: [ISN] Comcast sued for disclosing customer info
Message-ID:

http://news.com.com/Comcast+sued+for+disclosing+customer+info/2100-1030_3-5671438.html

By Reuters
April 14, 2005

Comcast, the top U.S. cable TV network operator, is being sued by a Seattle-area woman for disclosing her name and contact information, court records showed Thursday.

In a lawsuit filed in King County, Wash., Dawnell Leadbetter said that she was contacted by a debt collection agency in January and told to pay $4,500 for downloading copyright-protected music or face a lawsuit for hundreds of thousands of dollars.

Leadbetter, a mother of two teenage children, was a customer of Comcast's high-speed Internet access service.

The company, Settlement Support Center, based in Washington state, was using information that the Recording Industry Association of America had obtained in a Philadelphia lawsuit over the illegal sharing of digital music files, said Lory Lybeck, the lawyer representing Leadbetter.

But no court authorized Comcast to release names and addresses of its customers, or notified his client that her information had been given to an outside party, Lybeck said.

"Comcast should respect the rights of privacy who pay them monthly bills," Lybeck said.

Representatives from Comcast said they could not immediately comment on the lawsuit.

The RIAA has filed thousands of lawsuits since September and settled several hundred for about $3,000 each.

From isn at c4i.org Mon Apr 18 05:59:45 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Apr 18 06:15:55 2005
Subject: [ISN] Linux Security Week - April 18th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|  April 18th, 2005                          Volume 6, Number 16n     |
|                                                                     |
|  Editorial Team:  Dave Wreski              dave@linuxsecurity.com   |
|                   Benjamin D. Thomas       ben@linuxsecurity.com    |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.
This week, perhaps the most interesting articles include "Diffie: Infrastructure a disaster in the making," "From SATAN to OVAL: The Evolution of Vulnerability Assessment," and "Taking a swipe at two-factor authentication."

---

DEMYSTIFY THE SPAM BUZZ: Roaring Penguin Software

Understanding the anti-spam solution market and its various choices and buzzwords can be a daunting task. This free whitepaper from Roaring Penguin Software helps you cut through the hype and focus on the basics: determining what anti-spam features you need, whether a solution you are considering includes them, and to what degree.

Find out more!
http://www.roaringpenguin.com/promo/spambuzzwhitepaper.php?id=linuxsecuritywnbuzz0305

---

LINUX ADVISORY WATCH

This week packages were released for axel, gftp, wireless-tools, glibc, selinux-policy-targeted, kernel, autofs, GnomeVFS, phpMyAdmin, shorewall, gtk, shareutils, gdk-buf, kdegraphics, dhcp, and gaim. The distributors include Debian, Fedora, Gentoo, Mandrake, Red Hat, and SuSE.

http://www.linuxsecurity.com/content/view/118882/150/

---

Introduction: Buffer Overflow Vulnerabilities

Buffer overflows are a leading type of security vulnerability. This paper explains what a buffer overflow is, how it can be exploited, and what countermeasures can be taken to prevent the use of buffer overflow vulnerabilities.

http://www.linuxsecurity.com/content/view/118881/49/

---

Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, and is therefore very simple.

http://www.linuxsecurity.com/content/view/118181/49/

---

The Tao of Network Security Monitoring: Beyond Intrusion Detection

The Tao of Network Security Monitoring is one of the most comprehensive and up-to-date sources available on the subject. It gives an excellent introduction to information security and the importance of network security monitoring, offers hands-on examples of almost 30 open source network security tools, and includes information relevant to security managers through case studies, best practices, and recommendations on how to establish training programs for network security staff.

http://www.linuxsecurity.com/content/view/118106/49/

--------

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* A federated crypto guy
14th, April, 2005

WHEN budgets get tight, R&D is often one of the first departments to feel the squeeze. But at RSA Security, vice-president of research Burt Kaliski and his team are considered the heart and soul of the business. RSA puts about 18-20 per cent of its revenue into applied research and standards development at its research centre, RSA Laboratories.

http://www.linuxsecurity.com/content/view/118876

* TuxJournal is online!
11th, April, 2005

The first on-line Italian Magazine is on-line. All the Italian readers can find here a very good source of news and articles about the OpenSource and Technology World.

http://www.linuxsecurity.com/content/view/118848

* And here's a key to combat hacking
11th, April, 2005

As we rely more on computers, the potential for hackers to hurt us and destroy our personal records has grown. Corporates and public networks, instead of individuals, face the brunt of hackers' ingenuity. However, there are ways to build an unhackable network.

http://www.linuxsecurity.com/content/view/118845

* Using a Linux failover router
13th, April, 2005

Today, it's hard to imagine an organization operating without taking advantage of the vast resources and opportunities that the Internet provides. The Internet's role has become so significant that no organization can afford to have its Net connection going down for too long.

http://www.linuxsecurity.com/content/view/118867

* Diffie: Infrastructure a disaster in the making
13th, April, 2005

In the 1970s, Martin Hellman and Whitfield Diffie wrote the recipe for one of today's most widely used security algorithms in a paper called "New Directions in Cryptography." The paper mapped out the Diffie-Hellman key exchange, a major advancement in Public Key Infrastructure (PKI) technology that allows for secure online transactions and is used in such popular protocols as the Secure Sockets Layer (SSL) and Secure Shell (SSH). In 2000, they received the prestigious Marconi Foundation award for their contributions.

http://www.linuxsecurity.com/content/view/118868

* Network monitoring with Nagios
14th, April, 2005

How can a system administrator monitor a large number of machines and services to proactively address problems before anyone else suffers from them?

http://www.linuxsecurity.com/content/view/118877

* From SATAN to OVAL: The Evolution of Vulnerability Assessment
15th, April, 2005

With the growing reliance and dependence on our inter-connected world, security vulnerabilities are a real world issue requiring focus and attention. Security vulnerabilities are the path to security breaches and originate from many different areas - incorrectly configured systems, unchanged default passwords, product flaws, or missing security patches to name a few. The comprehensive and accurate identification and remediation of security vulnerabilities is a key requirement to mitigate security risk for enterprises.

http://www.linuxsecurity.com/content/view/118886

* Developers Rate Linux More Secure Than Windows In Survey
14th, April, 2005

A new study addressing security issues finds that software-development managers generally rate Linux as a more secure operating system than Windows. The study, which will be released by the end of the month, was conducted by BZ Research, the research subsidiary of publisher BZ Media LLC. It was not funded by any vendors.

http://www.linuxsecurity.com/content/view/118875

* Breaking software easier than you think
15th, April, 2005

One reason software security vulnerabilities are so tough to fix is because they are so hard to find. Unlike other bugs that become apparent when an application acts up, security holes tend to hide from normal view. And that's just how the hacker underground likes it.

http://www.linuxsecurity.com/content/view/118888

* Fortinet in court for hiding Linux in its code
15th, April, 2005

A German court has granted a preliminary injunction against security firm Fortinet for allegedly violating the general public licence (GPL) and hiding Linux in its code.

http://www.linuxsecurity.com/content/view/118885

* Cisco: Malicious ICMP messages could cause denial of service
15th, April, 2005

A publicly available document on how to use the Internet Control Message Protocol (ICMP) to launch denial-of-service attacks has prompted Cisco Systems to issue an...

http://www.linuxsecurity.com/content/view/118887

* Taking a swipe at two-factor authentication
11th, April, 2005

An essay in an April trade magazine maintains two-factor authentication can't counter emerging threats, and that the industry would be wise to come up with a better solution to the nation's biggest cyberproblem: identity theft.

http://www.linuxsecurity.com/content/view/118846

* HIPAA Compliance In 30 Days or Less
12th, April, 2005

HIPAA. We are all sick of the acronym by now, and the April 20 compliance deadline for the Health Insurance Portability and Accountability Act is looming.

http://www.linuxsecurity.com/content/view/118853

* Strategic Security
12th, April, 2005

Christofer Hoff is on a mission. As the director of information security at Western Corporate Federal Credit Union (WesCorp), Hoff has launched an initiative to quantify the benefits of information security spending for business executives at the San Dimas, Calif.-based company.

http://www.linuxsecurity.com/content/view/118854

* Linux servers praised for security
12th, April, 2005

Software development managers rate Linux significantly higher than Windows server products for security, according to the latest research.

http://www.linuxsecurity.com/content/view/118855

* The two-edged sword: Legal computer forensics and open source
12th, April, 2005

Ryan Purita of Totally Connected Security is one of the leading computer forensic experts in private practice in Canada. He is a Certified Information Systems Security Professional, holding one of the most advanced security qualifications in the world.

http://www.linuxsecurity.com/content/view/118860

* First Spam Felony Case Nets 9-Year Jail Term
11th, April, 2005

A Virginia judge sentenced a spammer to nine years in prison Friday in the nation's first felony prosecution for sending junk e-mail, though the sentence was postponed while the case is appealed.

http://www.linuxsecurity.com/content/view/118847

* Universities To Aid U.S. Cybersecurity Effort
12th, April, 2005

Experts from a consortium of colleges will lead a far-reaching effort to keep the nation's computer data safe from cyberattack, the National Science Foundation announced Monday.

http://www.linuxsecurity.com/content/view/118861

* Linux programmer wins legal victory
14th, April, 2005

A Linux programmer reported a new victory in a German court Thursday in enforcing the General Public License, which governs countless projects in the free and open-source software realms. A Munich district court on Tuesday issued a preliminary injunction barring Fortinet, a maker of multipurpose security devices, from distributing products that include a Linux component called "initrd" that Harald Welte helped write.

http://www.linuxsecurity.com/content/view/118879

* LexisNexis Data on 310,000 People Feared Stolen
12th, April, 2005

Data broker LexisNexis said Tuesday that personal information may have been stolen on 310,000 U.S. citizens, or nearly 10 times the number found in a data breach announced last month.

http://www.linuxsecurity.com/content/view/118859

* 180,000 warned credit-card data exposed
14th, April, 2005

Data apparently stolen from the popular clothing retailer Polo Ralph Lauren Inc. is forcing banks and credit card issuers to notify thousands of consumers that their credit-card information may have been exposed.

http://www.linuxsecurity.com/content/view/118880

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Apr 18 06:00:18 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Apr 18 06:15:58 2005
Subject: [ISN] U.S. Military's Elite Hacker Crew
Message-ID:

Forwarded from: William Knowles

http://wired-vig.wired.com/news/privacy/0,1848,67223,00.html

By John Lasker
April 18, 2005

The U.S. military has assembled the world's most formidable hacker posse: a super-secret, multimillion-dollar weapons program that may be ready to launch bloodless cyberwar against enemy networks -- from electric grids to telephone nets.

The group's existence was revealed during a U.S. Senate Armed Services Committee hearing last month. Military leaders from U.S. Strategic Command, or Stratcom, disclosed the existence of a unit called the Joint Functional Component Command for Network Warfare, or JFCCNW.

In simple terms and sans any military parlance, the unit could best be described as the world's most formidable hacker posse. Ever.

The JFCCNW is charged with defending all Department of Defense networks. The unit is also responsible for the highly classified, evolving mission of Computer Network Attack, or as some military personnel refer to it, CNA.

But aside from that, little else is known. One expert on cyber warfare said considering the unit is a "joint command," it is most likely made up of personnel from the CIA, National Security Agency, FBI, the four military branches, a smattering of civilians and even military representatives from allied nations.

"They are a difficult nut to crack," said Dan Verton, a former U.S. Marine intelligence officer. "They're very reluctant to talk about operations." Verton is author of the book Black Ice, which investigates the threats cyber terrorism and vandalism could have on military and financial networks.

Verton said the Defense Department talks often about the millions it spends on defending its networks, which were targeted last year nearly 75,000 times with intrusion attempts. But the department has never admitted to launching a cyber attack -- frying a network or sabotaging radar -- against an enemy, he said.
Verton said the unit's capabilities are highly classified, but he believes they can destroy networks and penetrate enemy computers to steal or manipulate data. He said they may also be able to set loose a worm to take down command-and-control systems so the enemy is unable to communicate and direct ground forces, or fire surface-to-air missiles, for example.

Some of the U.S. military's most significant unified commands, such as Stratcom, are undergoing a considerable reorganization. Stratcom, based at the massive Offutt Air Force base in eastern Nebraska and responsible for much of the nation's nuclear arsenal, has been ordered by the Defense Department to take over the JFCCNW.

To better understand the secret program, several questions about the unit were submitted to Stratcom. Capt. Damien Pickart, a Stratcom spokesman, issued a short statement in response:

"The DOD is capable of mounting offensive CNA. For security and classification reasons, we cannot discuss any specifics. However, given the increasing dependence on computer networks, any offensive or defensive computer capability is highly desirable."

Nevertheless, Verton says military personnel have told him numerous "black programs" involving CNA capabilities are ongoing, while new polices and rules of engagement are now on the books.

The ground was prepared in the summer of 2002, when President Bush signed National Security Presidential Directive 16, which ordered the government to prepare national-level guidance on U.S. policies for launching cyber attacks against enemies.

"I've got to tell you we spend more time on the computer network attack business than we do on computer network defense because so many people at very high levels are interested," said former CNA commander, Air Force Maj. Gen. John Bradley, during a speech at a 2002 Association of Old Crows conference. The group is the leading think tank on information and electronic warfare.

Last summer, the internet-posted execution of American civilian Nicholas Berg sparked a debate about the offensive capabilities of the CNA program, said retired U.S. Army Col. Lawrence Dietz.

The Berg execution, a gruesome example of Netpolitiking (.pdf), sparked a back-room debate at the highest levels, involving the State Department, the Department of Justice and the Defense Department, said Dietz. The debate focused on whether the United States should shut down a website as soon as it posts such brutality.

"There are some tremendous questions being raised about this," said Dietz. "On whether they (JFCCNW) have the legal mandate or the authority to shut these sites down with a defacement or a denial-of-service attack."

Dietz knows a thing or two about information warfare. He led NATO's "I-War" against Serbia in the mid-1990s -- a conflict that many believe was the occasion for the U.S. military to launch its first wave of cyber attacks against an enemy. One story widely reported, but never confirmed, described how a team of military ops was dropped into Serbia, and after cutting a wire leading to a major radar hub, planted a device that emitted phantom targets on Serb radar.

Rita Katz, an expert on Islamic terror sites and director of the Washington, D.C.-based Search for International Terrorist Entities, believes a website that posts an execution should be taken out immediately. No matter what the implications are for free speech or other nations' laws, she said.

"There is no good, no value in those sites to exist anymore," said Katz. However, Katz promotes the theory that some terror sites, especially those whose servers are in the United States, should remain up and running for intelligence purposes.

Dietz believes it could only be a matter of time before a U.S. soldier faces a similar fate as Berg. Yet along with raising questions about free speech, he realizes shutting down a website has its limitations.

After discovering that al-ansar.net's servers, which hosted video of Berg's execution, were within its borders, the Malaysian government shut the site down. But it took the Malaysian government more than a day to act. By then, the Berg video was well on its way to becoming a global recruiting tool for terror groups.

And even if a website were to be knocked offline, eventually such highly-charged political statements would find a way onto the internet, Dietz said.

Verton said the Berg debate is actually an extension of a cyber warfare debate started several years ago.

"The reality is, once you press that Enter button, you can't control it," he said. "If the government were to release a virus to take down an enemies' network, their radar, their electrical grid, you have no control what the virus might do after that."

*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Mon Apr 18 06:02:44 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Apr 18 06:16:01 2005
Subject: [ISN] Virus writers have girlfriends - official
Message-ID:

http://www.theregister.co.uk/2005/04/15/vxers_have_gfs/

By John Leyden
15th April 2005

The stereotype of virus writers as spotty nerds who can't pull is well wide of the mark, according to an expert on the psychology of virus writers.

Sarah Gordon, senior principal research engineer at Symantec Security Response, said that the more recent idea that virus writing activity is focused mainly around money-making scams is inaccurate.

Gordon - sometimes described as the Clarice Starling of anti-virus security - has interviewed over a hundred virus writers in the course of years of research.
She found the type of person who causes the disruption that accompanies the release of malicious code varied considerably by age, education, income, interests and social skills.

"Most of the adult males I've interviewed have had girlfriends. Female virus writers have had boyfriends. The stereotypes are wrong," Gordon told El Reg.

Gordon drew a distinction between viruses created out of technical curiosity - which still account for the majority of "in-the-wild" viruses - and malicious code created by criminal elements in the hacking community as a way of stealing personal information on computer resources.

Agobot, Bagle and the like get all the publicity but the vast majority of viruses are written by people as a technical challenge. These nuisance virus writers have no conception of the damage and inconvenience their creations can cause.

"Virus writing is irresponsible but not difficult," she said.

For years, Gordon has attended conferences and conventions attended by virus writers and corresponded with them online as a way of better understanding the motives behind virus creation and how it might be possible to make VXers stop their anti-social activities. She is over in Europe to complete final work on a thesis for her PhD in computer science.

From isn at c4i.org Mon Apr 18 06:03:17 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Apr 18 06:16:04 2005
Subject: [ISN] Reuters shuts down system to fight Kelvir IM worm
Message-ID:

http://www.nwfusion.com/news/2005/0415reuteshuts.html

By Laura Rohde
IDG News Service
04/15/05

Reuters Group was able to bring its instant messaging system back online early Friday morning, after an outbreak of the Kelvir worm led the company to shut down the system for most of Thursday.

The London news and information provider detected the external worm on its network coming through a customer Internet portal mid-morning on Thursday and took the system down as a precaution, according to Reuters spokesman Johnny Weir. After ensuring there were proper filters in place, the IM system was made operational again at 7 a.m. local time Friday, he said.

The Kelvir worm is designed to use Microsoft's IM software as a means for disseminating malicious code. The variant that hit Reuters, W32/Kelvir-Re, was not unique to their IM system, called Reuters Messaging, Weir said.

No incidents of users being infected by the attack have been reported and Reuters' other services continued operating as normal, Weir said.

Reuters has its own IM application for the financial services industry which it developed to be interoperable with Microsoft's MSN Messenger. Reuters' IM system also works with AIM software from AOL. According to Weir, the problem only affected users on the Reuters system.

The Kelvir worm spreads by sending messages through the IM system to all of an infected user's contacts, encouraging the recipients to visit a Web page to download a file. New versions of both the Kelvir and Bropia worms have been actively attacking systems this year, especially within corporations, according to anti-virus software company Sophos.

Reuters has increasingly been connecting customers to its IM system and there are currently more than 60,000 active users, according to Weir.

From isn at c4i.org Mon Apr 18 06:04:47 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Apr 18 06:16:08 2005
Subject: [ISN] O'Keeffe ends CISO Exchange
Message-ID:

Forwarded from: Larry Pingree

Can't they just do a non-profit CISO organization like ISSA and INFRAGARD to avoid the profit motives? I do think it's necessary for these folks to be communicating their strategies together with the industries that fight hackers, etc. It's too bad that the public does not understand the benefits.

Best Regards,

Larry Pingree
Information Security
Sr. Information Security Analyst
925-226-5574

When you know others, then you are able to attack them.
When you know yourself, you are able to protect yourself.
Attack is the time for defense, defense is a strategy of attack.
If you know this, you will not be in danger even if you fight a hundred battles.
Zhang Yu, disciple of Sun Tzu ~ 500 BC

-----Original Message-----
From: isn-bounces@attrition.org [mailto:isn-bounces@attrition.org] On Behalf Of InfoSec News
Sent: Friday, April 15, 2005 3:03 AM
To: isn@attrition.org
Subject: [ISN] O'Keeffe ends CISO Exchange

http://www.fcw.com/article88588-04-14-05-Web

By David Perera
April 14, 2005

Steve O'Keeffe is halting his efforts to promote a for-profit forum for government and private-sector chief information security officers (CISOs).

O'Keeffe, the principal of public relations firm O'Keeffe and Co., spearheaded the CISO Exchange. The effort has come under fire by government and industry officials for appearing to sell influence over government policy formulation.

O'Keeffe's statement comes hours after CIO Council officials announced they would end any relations with the Exchange and establish a new, open and accessible forum for the public and private sectors.

Whether the company will have any involvement in that new forum "is at the discretion of the CIO Council," O'Keeffe said.

"Any organizations that have made commitments to the CISO Exchange, whether contractual or financial, will be immediately released from those commitments and any monies received will be returned to the organizations," he said.

O'Keeffe officials planned to charge $75,000 to companies for full participation in the Exchange, which would be limited to six system integrator representatives. Other industry officials could have joined for $25,000 or $5,000, with varying levels of access and authority over exchange efforts.

Two companies, Computer Sciences Corp. and NetSec, committed to the Exchange at the $75,000 level, O'Keeffe said last week.

[...]
From isn at c4i.org Mon Apr 18 06:06:06 2005 From: isn at c4i.org (InfoSec News) Date: Mon Apr 18 06:16:19 2005 Subject: [ISN] Bellua Asia 2005 Slides and Pictures Message-ID: Forwarded from: Anthony Zboralski Just a brief note to tell you that the proceedings and pictures from the conference are online. http://www.bellua.com/bcs2005/asia05.archive.html http://www.bellua.com/bcs2005/asia05.pictures/ The event was opened by keynote speeches from the Minister of Communications and Information, Bpk. Dr. Sofyan Djalil and the Attorney General of Indonesia, Bpk Abdul Rahman Saleh. 44 speakers from Asia, Europe and the Americas joined Bellua Cyber Security Asia 2005 to discuss present and future information security issues through an intensive series of presentations, demonstrations and technical sessions. Bellua Cyber Security Asia 2005 was brought to you by Bellua Asia Pacific and supported by Excelcomindo Pratama (XL), Kabelvision, Mynet, Bispro, M-Sistems, Cisco, Multipolar, Microsoft, Unipro, Scan Nusantara, Network Security Solutions, KPMG, TSTF, Sun Microsystems, Sensepost, The Jakarta Post, SWA, Detik, KCM, ISACA, Infolinux, Phrack Magazine, HERT, InfoSecNews.org, Zone-H, Hack in The Box, The Hacker's Choice, Packet Storm, eBizzAsia, ... Cheers, Anthony C. Zboralski -- Anthony C. Zboralski PT Bellua Asia Pacific - http://www.bellua.com Bumi Daya Plaza 18th Floor, jl. Iman Bonjol No.61 Jakarta 10310 Indonesia. Phone: +62213918330 HP:+62 818 699 084 65b1d8c7 - 6c0b b76a 51ef bfa6 c03b 97c8 af75 420c 65b1 d8c7 From isn at c4i.org Mon Apr 18 06:05:40 2005 From: isn at c4i.org (InfoSec News) Date: Mon Apr 18 06:16:22 2005 Subject: [ISN] LayerOne 2005 only a week away Message-ID: Forwarded from: Layer One LayerOne 2005 April 23-24 Pasadena Hilton Pasadena, CA http://layerone.info For Immediate Release 4/15/05 Happy Tax Day. This is the final announcement for LayerOne 2005. Pre-registration will be ending Monday 4/18/05. 
At that point tickets will be 60 dollars and available only in person at the event. If you still want to get the 50 dollar price, pre-register before the weekend is out. Lots of great speakers and topics Major Malfunction will be joining us from the UK to talk about infrared hacking. In addition we have several members of the Shmoo Group speaking, as well as great talks on everthing from 'simulated reality' to BIOS hacking. APC (the UPS people) will be on hand to give a product demo of some of their rackmount equipment as well as to toss out some goodies. One of our organizers has also graciously donated a new PSP to be raffled off at the Saturday night reception. Reminder, if/when you book a room at the Pasadena Hilton, mention code 'LON' to get the 139 a night room rate. Also, mention LayerOne at the hotel to recieve 20% off your daily parking fee (8 dollars vs. 10 dollars) We look forward to seeing you in sunny California next weekend! -The LayerOne Staff From isn at c4i.org Mon Apr 18 06:06:35 2005 From: isn at c4i.org (InfoSec News) Date: Mon Apr 18 06:16:27 2005 Subject: [ISN] Commentary: Bulletin board for terrorists Message-ID: http://www.washtimes.com/upi-breaking/20050415-043722-5547r.htm By Arnaud de Borchgrave UPI Editor at Large April 18, 2005 Washington, DC, Apr. 15 (UPI) -- The 15 intelligence agencies that John Negroponte, President Bush's nominee for national intelligence director, will oversee employ just under 100,000 people. Most turn their noses up at anything that isn't stamped with a secret classification, preferably "TOP SECRET." Tongue-only-half-in-cheek, one veteran intelligence analyst conceded, "I'm not interested in anything unless I know it's been stolen." But there is now a recently discovered open source gold mine with rich nuggets the intelligence community still hasn't figured out how to exploit. At the beginning of the year, the exploding blogosphere was estimated to contain about 10 million weblogs, or online journals. 
Last week, according to National Security Agency and Defense Information Agency experts, there were more than 180 million blogs all over the world. The bloggers are frustrated would-be editors, journalists, private detectives and a multitude of others craving recognition for their special knowledge in a wide variety of subjects and specialties. A blog and an attitude are the only requirements to become an instant pundit with a worldwide audience. The Defense Advanced Research Projects Agency, prodded by the NSA, is now trying to figure out how to vacuum clean these electronic-bulletin boards for coded messages in seemingly innocuous phrases. Blogs would greatly facilitate the coordination of terrorist acts at the same time in different parts of the world. The cyber Hoover would be a super google.com that already processes information with giant databases and super computers capable of several trillion operations per second. (One trillion seconds ago was 29,000 years before Jesus Christ.) Dan Gillmore in his book, "We the media," argues bloggers are the direct descendants of revolutionary pamphleteers, such as Tom Paine, spreading dissent, holding those in authority accountable and encouraging citizens to participate in a newly emerging public sphere, or global village. Bloggers relentlessly hounded three media stars and eventually knocked them off their lofty perches while the mainstream media was panting for breath trying to catch up. The powerful executive editor of the influential New York Times was the first to bite the dust for ignoring a wayward black reporter who had been faking exclusive stories. Next "blogged" was Dan Rather over the veracity of documents on which CBS had based a story on Bush's service in the National Guard. Rather stepped down early from his evening anchor chair, but still managed to salvage his berth at "60 Minutes II." Three others took the fall instead. CNN's top news honcho Eason Jordan was next to crash. 
Liberal orthodoxy took it on the chin. But this was not a victory for conservatives. It simply telegraphed bloggers would hit whenever and wherever they spotted dishonesty and hypocrisy. Conventional wisdom is now the target. MSM -- shorthand for mainstream media -- was taken by surprise. Its agenda-setting power was going the way of the dodo. Bloggers build their own agendas, brick by brick, reinforcing one another with cyber pats on the back. Important tidbits exchanged by two Washington insiders on the shuttle between Washington and New York and overheard by a blogger will span the globe faster than conventional e-mail. Last summer, both the Republican and Democratic conventions accredited bloggers alongside MSM. The blogosphere had come of age. But no one foresaw where it would take us a few months later. When anyone who's anyone in Washington goes out to dinner, he/she must decide what part of his/her life is on or off the record. Blogger monitors say the lines between public events and ordinary social interactions are being erased, changing the way we do everything, from dating to working, and just plain living. Futurologists can see the emergence of global participatory democracy that will force national politicians to make the environment a priority for global governance. Think tanks are studying models of global governance for global health problems -- and the bloggers are forcing these issues out in the open. Reporters Without Borders, the journalistic watchdog group, argues this new form of blogging journalism is the ultimate in freedom of expression. The World Editors Forum is more circumspect. It advocates a barrier between MSM and blog publishers with a code of ethics for the bloggers. The Blogger Social Media Group fires back by arguing a blog is not a one-to-many relationship, but a many-to-many medium. Bloggers say they are a collective intelligence, which is preferable to a single reporter and his or her editor.
The MSM process is opaque and oblique, say the bloggers, whereas "ours is the ultimate in transparency." Bloggers also compare their cyber product to market research information. "The bloggers act as fact checkers and we always need fact checkers," says Bertrand Pecquerie of World Editors Forum. Some major corporations have started company blogs. Trouble there is disgruntled employees can add embarrassing bullets at the drop of an altercation with a supervisor. Whatever the arguments, the majority (52 percent) of a general public survey said bloggers should have the same rights as traditional journalists, while 27 percent had no opinion. Newspapers are losing circulation and advertising to the blogosphere. Instapundit.com ramped up to 100 million pages to become the second most-cited blogger on Technorati in a few weeks. Technorati alone logs about 40,000 new blogs a day. The number doubles every five months. South Korea, a country of 50 million, already has 12 million bloggers. The average Internet user is now spending three hours a day online -- and 1-1/2 hours watching television. That's 4-1/2 hours a day! Blogs are bound to increase the daily average. Sex is still the favorite topic for online journals. The very private has never been more public, said one wag. From isn at c4i.org Tue Apr 19 09:11:40 2005 From: isn at c4i.org (InfoSec News) Date: Tue Apr 19 09:29:25 2005 Subject: [ISN] Linux report stirs hornets nest (Two messages) Message-ID: Forwarded from: Jeff Berner Cc: security curmudgeon , isn@c4i.org Thanks for the response. I didn't actually think you would give me the time of day. I see articles like this Yankee Group report all the time that contain bad information, questionable research/reporting and such. Unfortunately I am not in the same position as you to have the luxury to be able to comment about them. Normally I am very happy to see what your opinions are.
This particular article cross referenced with other articles that I have seen from you in the past seemed to lean (indirectly) toward the pro Linux view while at the same time (directly) trying to discredit the Yankee Group's report. I agree with you on your views that, yes, the report does appear shady and suspicious but at the same time your references to GrokLaw (are they truly unbiased?) and simple Microsoft searches didn't inspire me to fully believe in your rebuttal while leaving me to feel that your rebuttal research was done over roughly a 1 hour time period. All I am asking is that you spend a little more time finding more concrete references other than Microsoft mentioning the Yankee Group in a few other articles. If you dig deep enough you will find me all over Microsoft's site, but that certainly doesn't mean that I am a huge Microsoft supporter. Most of my references are in KB articles where I was fixing Microsoft problems for them or winning some MS company competitions that do nothing but make fluffy articles about how my company helped other companies by installing a SBS server or something of that ilk. Like you I truly believe that Linux is a far superior product on many fronts and internally I run my single most important company applications on Linux boxes while maintaining my day to day office and communication functions across various MS servers. As a person on the outside of the MS/Linux debate I was reading between the lines of your article and pointing out that if you were not a Linux fan you probably would not have written that response and like most people in the MS world would have done nothing more than seen it for the fluff that it probably is and just ignored it. The last paragraph that you comment on was simply referencing that you are a feverishly supportive and active defender of your opinions.
The point that it was making is that I believe that if you had been around during the hot rod days you would have some stinging commentary if someone told you your big block was outperformed by a small bore engine or the other way around (think 1950's). The FUD comment comes from my opinion concerning what I felt was quoting weak sources and obscure articles to make a connection about a weak article with no apparent sources. That is FUD fighting FUD. That is bad reporting. -=- Forwarded from: security curmudgeon Cc: Jeff Berner , isn@c4i.org : Thanks for the response. I didn't actually think you would give me the : time of day. I see articles like this Yankee Group report all the time : that contain bad information, questionable research/reporting and such. : Unfortunately I am not in the same position as you to have the luxury to : be able to comment about them. Out of curiosity.. why not? You certainly had a very well written response to me. You could have spent the same amount of time questioning their report as my reply to the article. : Normally I am very happy to see what your opinions are. This particular : article cross referenced with other articles that I have seen from you : in the past seemed to lean (indirectly) toward the pro Linux view while : at the same time (directly) trying to discredit the Yankee Group's : report. In general I am pro-linux, if for no other reason than rooting for the underdog. Or if it makes you or others more comfortable, the enemy of my enemy.. =) But before that is taken out of context, I see flaws in both sides of the 'OS war'. I just feel that Microsoft is a lot more shady, and a lot less ethical so I spend more time pointing that out. : I agree with you on your views that, yes, the report does appear shady : and suspicious but at the same time your references to GrokLaw (are they : truly unbiased?)
and simple Microsoft searches didn't inspire me to : fully believe in your rebuttal while leaving me to feel that your : rebuttal research was done over roughly a 1 hour time period. My rebuttal was done over a one hour time period. The real question should be.. if I can dig up that much in one hour, imagine what else there is to find, or what else they are managing to keep out of the public eye. If Yankee Group can find a bunch of Windows users, and partner with a company that has a vested interest in keeping Microsoft happy, and the YG *has* been funded by MS to carry out other surveys.. so what if I quote GrokLaw? I don't make any claims as to their bias, only that others beside myself have seen flaws in the original 'research'. : All I am asking is that you spend a little more time finding more : concrete references other than Microsoft mentioning the Yankee Group in : a few other articles. Why? Microsoft and Yankee Group (specifically DiDio) have a history together as far as I can tell. Read the Microsoft summary of the Brown University Case Study for example [1]: This case study, by the Yankee Group, reports how Brown University, an Ivy League college in Rhode Island, thoroughly investigated the technological and business aspects of Linux and Windows to determine which server operating system would offer the university's Department of Psychiatry optimal total cost of ownership and return on investment with minimal risk of intellectual property lawsuits. Microsoft Windows Server 2003 scored highest. Yet read the report itself [2] and there is no "thorough investigation". It is a single case filled with opinion and perspective, not research and fact. And since when does a network admin for a university have the time and ability to "thoroughly research" something like Operating System Indemnification as it relates to deploying technology on their network? 
The last university network admin I heard about was deathly scared of my girlfriend for using SSH to connect to a "hacker" system to check her mail. Do you think indemnification came to mind in the terminal client she used? The crypto that program used? : As a person on the outside of the MS/Linux debate I was reading between : the lines of your article and pointing out that if you were not a Linux : fan you probably would not have written that response and like most : people in the MS world would have done nothing more than seen it for the : fluff that it probably is and just ignored it. If I saw a fluff piece that touted Linux as much as that report did, with as little evidence and justification as that one had, I would write a response challenging it just as much. I care more about fair reporting and honest research than Linux, Windows or who is winning the holy war. : The last paragraph that you comment on was simply referencing that you : are feverishly supportive and active defender of your opinions. The : point that it was making is that I believe that if you had been around : during the hot rod days you would have some stinging commentary if : someone told you your big block was outperformed by a small bore engine : or the other way around (think 1950's). Right.. to carry this analogy through.. what operating system do I run? If you are going to judge me and say that I would be just as rabid over an engine block as I would be over my operating system.. isn't it fair for you to *at least know what operating system I use*? What if my big block was a 50/50 hybrid of the two big brands of the era? What does that say about what I would or would not argue? : The FUD comment comes from my opinion concerning what I felt was quoting : weak sources and obscure articles to make a connection about a weak : article with no apparent sources. That is FUD fighting FUD. That is : bad reporting. Except, I cited my sources. Did Yankee Group?
Brian From isn at c4i.org Tue Apr 19 09:12:05 2005 From: isn at c4i.org (InfoSec News) Date: Tue Apr 19 09:29:29 2005 Subject: [ISN] Going to InfoSec: five things to remember Message-ID: http://www.techworld.com/infosec/features/index.cfm?featureid=1360 By David Cartwright Techworld 15 April 2005 Although there aren't so many IT shows going these days as there were, say, five years ago, it's fair to say that the average IT manager could still spend a reasonable slice of his or her life attending such events. The attraction of a trade show in particular is that you're given - potentially, at least - the opportunity to look at a wide range of competitor products in a single hit, to see them with your own eyes, and to ask questions about them. The downside is that it's very easy to lose your focus and get negligible value out of what ends up as a wasted day. Here, then, are the top five things you should be thinking about when you get ready for your trip to InfoSec - or any show for that matter. Why am I going? To some, a trade show is a day out of the office. Not a bad thing if it exposes you to the current state of the art in technology, but remember that by taking a day out, you're giving yourself a catching-up exercise to look forward to on your return. The first thing to consider, then, is the reason you're thinking of going. Because most shows tend to offer you free registration, and will post you your shiny plastic delegate badge in the week or two running up to the event, it's easy to sign up and then feel compelled to turn up. Before you do either, then, read the blurb (there's usually an exhibitor list on the website) and ask yourself whether (a) the stuff on show is relevant to your day-to-day job; and (b) if so, you're actually in the market for any of it. If the subject area isn't really your field, you're likely to have a boring day - why not see if one of your colleagues, to whom the show would be more relevant, would think of going instead? 
If the material is relevant to you but you don't have any looming purchasing plans, this isn't an automatic "don't go" decision but in order to make the trek you should be comfortable that you're at least going to learn something about what's new in the trade. Am I looking for anything in particular? If you have a specific requirement and there are going to be several companies in the relevant field(s) at the show, it's pretty much a no-brainer that you should go along. This is particularly the case with high-end and/or hardware products - although you can get eval copies of small and medium software products to play with in the office, the same isn't true for high-end expensive kit unless you're a massive company with the clout to demand that vendors come and show you stuff. So the more high-end your specific requirements, the more likely it is you should go along, because it's the only way you're really going to get an initial glimpse of it in action. Before you go Preparation is the key to a successful trade show visit. You need to look up the exhibitor list, dig out the floor plan, download PDFs of their product blurb, speak to distributors for pricing, and generally research the subject to death well before you physically go there to see who's worth visiting and who isn't. There are two types of exhibitor at a show: those you can figure out beforehand, and those you can't. They're differentiated by the quality of their marketing documentation - the good ones tell you in the blurb what the product does; the bad ones tell you they make "extensive security portfolio solutions for forward-thinking businesses" but you want to go see them just in case the product you want is somewhere behind the bullshit. When you've decided who you want to go and see, draw up a tentative timetable as a guide to how long you can spend with each company. 
There's no way you'll stick to it rigidly, so don't spend hours on it, but you need something to remind you that you can't see 20 companies in a day if you're wasting half an hour with each. A final note on this topic is that if you are bored, you might like to call the companies you're particularly interested in seeing at the show and trying to arrange specific appointments. It won't work nine times out of ten, but you sometimes get lucky. Do I care that it does that? When you're being rambled at by a sales droid on a stand, you'll find that he or she (but usually he) loves to tell you about all the nice, unique features of the gadget in question. If they're really on form, they'll also tell you about the special way that their product does the job, which is way better than the competition. Remember to engage your cynicism circuits before interacting with such individuals. Some good questions are: * "If your system is unique, doesn't that make it proprietary and thus unable to interface to the one I've already got from X?" * "That's an interesting range of connectors, but where's the RJ-45 I put my Ethernet into?" * "Okay, yours is the fastest in the industry, but it's only 1.2 percent faster than X's, so do I give a stuff?" Obviously you'll have to pick some key questions that fit the subject in question, but you get the idea - namely that what matters is what they don't tell you. And ask them things like "What new features are planned for the next versions?" - remember, the "fab new features" in the next release may well be the things they forgot to put in the current one. Shows are also for the vendors? The vendor's mission at a trade show is to get as many names as possible on to the mailing list. They're not there to show you their wares, because it's an incredibly inefficient place to do so. Let's face it, they have a handful of staff and several thousand potential customers, and thus the time they can spend per customer is next to nothing. 
So unless you're the CTO of a billion-pound company, you're not going to get any real value out of turning up at a stand and saying: "Tell me about X". (And if you are the CTO of a billion-pound company, you don't need to go to shows - you phone them and say: "Hi, come and bring me one to play with"). Do not expect, then, to be treated with anything but polite contempt, or to hear anything but a marketing line. Learn as much as you can prior to the show (as we said earlier) and ensure that you prioritise the companies you need to see because you have specific questions about their products. You'll only get to interact with a handful of them at the show itself, so make sure you start with the ones you care most about. Summary Tradeshows are hard work and you get at best modest value from them. To maximise the benefit from going, though: * Plan before you go, so you make the most of your time at the show asking questions that aren't covered by the marketing material. * Just as you would with any salesperson, take everything that's said with a healthy pinch of salt, and remember that what's not said is as important as what is. * Don't expect to spend hours on one stand, because neither you nor they have the time, but if you go armed with good questions (i.e. those whose answer isn't: "as you'll see from page two of the brochure") you'll get more value and the vendors will spot that you're not just a techno-muppet. * They want to get your details from your delegate badge so they can market to you. Make sure you get their salespeople's contact details too, so that you can follow up once you've had a chance to digest everything you've seen. 
From isn at c4i.org Tue Apr 19 09:13:22 2005 From: isn at c4i.org (InfoSec News) Date: Tue Apr 19 09:29:34 2005 Subject: [ISN] Iraqi insurgents turn to net publishing Message-ID: http://www.theinquirer.net/?article=22604 By Doug Mohney 18 April 2005 AS IRAQI insurgents continue to battle against the existing Iraqi government and allied forces, the Internet is playing a key role in their efforts to coordinate attacks and publicise them after the fact, according to multiple newspaper and media accounts. Who would have thought that we would see the "Jihadist Information Brigade" appear or Abu Musab al-Zarqawi start publishing his own Internet webzine? Zurwat Al Sanam (translated, it means "The Tip of the Camel Hump") allegedly started publishing in March, but trying to find a URL to the publication in English through Google is about as easy as trying to find Mr. Zarqawi himself. Ironically, this grass-roots, er, sandlot use of the Internet runs counter to the loud ideas espoused by cyberwarfare geeks and info-sec experts that evil doers would use their much superior knowledge of the Internet to bring down banking systems, power plants, and Civilisation As We Know It, inflicting billions of dollars of damage onto world economies. Turns out that the evil doers need the Internet now more than ever to communicate, organise and propagandise the masses. However, this isn't a one-sided battle, by any stretch of the imagination. While Al Qaeda and its international band of affiliates post their latest beheading videos and exchange the latest bomb tips via peer-to-peer networking, various governmental agencies are conducting their own operations. Exactly what is going on in this electronic version of Spy-vs-Spy isn't clear, but we can wager some very good guesses.
First, intelligence agencies, and of course, the public media, are actively "tuned in" to various terrorist "Network 21" websites and go through every freshly posted web page with a fine-tooth comb, examining everything from a newly posted JPEG graphic for hidden messages to downloading audio and video clips and running them against archival databases to identify speakers' voices and sifting for clues on locations from background noises and images. Each web page is catalogued and compared to previous ones, in an attempt to discern patterns and electronic "fingerprints" of compositional style and software. While government agencies may loathe the content of these missives, they love each and every posting opportunity that jihadist webmasters make. Every piece of data presents an opportunity to learn more about the individual(s) and build a profile. Efforts are also made to track down the physical location where postings are made from to web servers and chat rooms, but this is a little trickier given the proliferation of anonymous posting techniques and the explosive growth of cybercafés across Iraq. It's likely there's a combination of American technology and expertise working with Iraqi government security forces to put eyes on any potential "points of posting," with a quick raid to grab people and computers if a successful lead develops. It is also likely that US information warfare specialists are very carefully and selectively examining and, when possible, even manipulating posted data. Nothing better than to change a couple of key steps in the on-line bomb making manual or to suggest "improvements" in bomb-making techniques that result in devices that are more easily discovered or go off prematurely. A few successful "plants" of that nature and suddenly the practices of Information Assurance are more than abstract theory taught at West Point.
From isn at c4i.org Tue Apr 19 09:13:39 2005 From: isn at c4i.org (InfoSec News) Date: Tue Apr 19 09:29:37 2005 Subject: [ISN] Rotarians learn about FBI's fight against terrorism Message-ID: http://www.zwire.com/site/news.cfm?newsid=14362297&BRD=1574&PAG=461&dept_id=532238&rfi=6 By VALARIE TORRES Citizen Reporter 04/18/2005 Pasadena Rotary Club members were informed of the increasing worldwide security efforts of the Federal Bureau of Investigation at their afternoon meeting Friday. Since Sept. 11, 2001, the United States has become more precocious regarding the security of the state. Roderick L. Beverly, the special agent in charge of the FBI's Houston field office, spoke to Rotarians about the agency's efforts to provide better security for the nation and what the community can do to help. Beverly, whose career began in law enforcement as a deputy sheriff, worked as a special agent with the North Carolina State Bureau of Investigation, then entered the FBI in the early 1980s and has since traveled to San Diego, Miami, and many other states primarily working in the Organized Crime and Drug divisions of the FBI. His international experience with the agency includes his work as the Assistant Legal Attaché for the U.S. Embassy in Bogotá, Colombia. The agency's Houston division, where Beverly works, is the regional center for the Texas coastal bend, which extends from Texas's Gulf Coast to Louisiana. The region includes the cities of Houston, Beaumont, Bryan, Corpus Christi, Conroe, Texas City and Victoria. This division, one of the 10 largest in the FBI, covers 40 counties and roughly 16 million people. Beverly showed a film about a legal attaché's international investigations regarding terrorism or the threat of it. Beverly painted a realistic picture of an agent's duties in foreign countries. Not allowed to carry a handgun, agents normally travel with only their passport and FBI identification badge for protection abroad.
The film revealed the diplomacy involved in creating open forums of communication with countries suspected of supporting terrorism. "We want to give a face to the FBI," said Beverly, referring to his presentation at Rotary. Beverly talked about new developments within different departments to fight terrorism. The FBI has beefed up its Joint Terrorism Task Force and has created the Greater Houston Regional Computer Forensic Laboratory to combat cyber terrorism. Beverly ended his presentation by acknowledging the public's help in the FBI's efforts to secure the nation. He asked that the community continue to support the agency's actions and thanked Rotarians for inviting him. "We can't function without the credibility from the community," Beverly said, "It makes no difference how big our budgets are . . . unless we have the support of the community we can't work." From isn at c4i.org Tue Apr 19 09:14:04 2005 From: isn at c4i.org (InfoSec News) Date: Tue Apr 19 09:29:40 2005 Subject: [ISN] Security Concerns Boosted VeriSign's Dot-Net Bid Message-ID: http://www.washingtonpost.com/wp-dyn/articles/A62302-2005Apr18.html By David McGuire washingtonpost.com Staff Writer April 18, 2005 When the nonprofit organization that oversees the Internet's domain name system announced last month that the world's fourth largest domain would remain in the hands of VeriSign Inc., technology workers and Internet policy wonks around the world were incredulous, wondering aloud how the company had managed to navigate a process that was, in many ways, designed to reduce its hold on key pieces of Internet real estate. Online message boards lit up with rants and conspiracy theories about how VeriSign had managed to keep dot-net -- a vital piece of the Internet's infrastructure, particularly in the United States where major Internet service providers like Verizon and Comcast have assigned millions of dot-net e-mail accounts to their customers. 
"I would give the job to Microsoft before I'd willingly let VeriSign have another crack at it, and that's not something I'd say lightly. If they built cars, people would have died in the VeriSign Pinto," one angry poster wrote on Slashdot.org, a message board and news site that caters to the technology audience. Other message boards swelled with accusations that VeriSign had inappropriate connections with the technical team that evaluated the company's proposal to continue managing dot-net, or that VeriSign had somehow bullied Internet authorities into compliance. But experts who closely follow VeriSign and the Internet domain market say the Mountain View, Calif.-based company owes its latest coup to a savvy lobbying effort in which VeriSign worked through the press and with its industry allies to play up already heightened concerns about the stability and security of the Internet. "Competition isn't the only parameter of concern. Security and stability are also issues of concern," said Vinton Cerf, chairman of the Internet Corporation for Assigned Names and Numbers (ICANN), the Marina Del Rey, Calif.-based group that was commissioned by the U.S. government in 1998 to oversee the domain name system. "It's not clear to me anymore that competition comes from binding a top-level domain to a particular operator," Cerf told reporters at an ICANN meeting earlier this month, a few days after the dot-net decision was announced. Cerf's comments were surprising to some observers, as he heads a group that was created with the express mission of breaking up the near monopoly on domain name management maintained at that time by Network Solutions, a company VeriSign bought in 2000. "It's shocking because ICANN and VeriSign basically hate each other and have hated each other since [ICANN's] inception," said Milton Mueller, an information studies professor at Syracuse University and author of a book about Internet governance.
"VeriSign basically had to be bludgeoned into accepting ICANN as the administrator of the domain name system, and ICANN has always been run by people fundamentally hostile to VeriSign." ICANN and VeriSign have locked horns in courtrooms, at negotiating tables and even before Congress, as the company has sought to protect its valuable domain name business. The bad blood between the two sides boiled over last year when VeriSign sued ICANN after ICANN officials forced the company to jettison a controversial search service called Site Finder. That suit is still pending in California. But in the post-Sept. 11 world, VeriSign found itself in a strong position to play on ICANN's realigned focus on protecting the stability of the global Internet infrastructure. When ICANN put out its request for dot-net bids last December, the group made security and technical competence two of its top requirements for the next dot-net operator. Telcordia, the company chosen by ICANN to review the dot-net bids, ranked the criteria it used to judge bidders by importance -- high, medium or low. The ability to run a secure and stable registry was ranked "high," while promoting greater competition ranked "medium." Prior to the January deadline for submitting dot-net bids, VeriSign began pleading its case to reporters, touting the importance of the domain and warning of the disruptions that could occur if the domain were ever to go down for any substantial length of time -- something that hasn't occurred under VeriSign's stewardship. "During the period we've been operating dot-net, we've run it at the highest level," Mark McLaughlin, the general manager of naming and directory services for VeriSign said in January. "By definition, changing [the] operator would create the possibility for adding a great deal of instability to the system." "We believed this was a big decision on ICANN's part, and we certainly wanted people to focus on that decision. We wanted people to scrutinize our bid. 
We wanted people to scrutinize other bids, and we wanted people to scrutinize the process that ICANN used," said Tom Galvin, who was VeriSign's vice president of government relations when the bids were submitted and now works as an outside consultant for the firm. VeriSign also garnered support from some of the nation's largest high-tech companies, including Microsoft, Sun Microsystems and MCI, each of which sent letters to ICANN backing VeriSign's track record on security. Galvin said ICANN didn't do any formal briefings with those companies, but rather had informal conversations about the issue. In some cases, Galvin said the companies offered to write letters of support, and in others VeriSign asked for them. "For the .net registry operator to be less than dependable would harm business growth and could endanger the commerce that runs across the Internet Infrastructure," Microsoft Chief Technical Officer Craig Mundie wrote in a letter to ICANN last July. "We endorse VeriSign's performance to date and we hope they will continue to operate the .net registry." The four other groups that submitted bids for dot-net responded that VeriSign was fear mongering. "There's no question that dot-net helps underpin the Internet. The one [assertion] that strikes me as incongruous is that if you touch dot-net, everything will fall apart," Ram Mohan, chief technical officer of Afilias, said last October. Based in Dublin, Afilias finished third in the five-way dot-net race. A Valuable Line of Business The domain name market is lucrative for the largest Internet registries and registrars, the companies that sell and catalog Internet addresses. Starting in 1999 when ICANN began the process of breaking up Network Solutions's monopoly, it focused on the retail side of the business. At the time Network Solutions was the sole wholesaler (registry) and the sole retailer (registrar) for Internet addresses ending in dot-com, dot-net and dot-org.
In order to give consumers more choices and spur price competition for Internet addresses, ICANN created several new registrars, requiring Network Solutions to offer the new companies a fixed wholesale rate of $6 per domain per year. The move opened the domain name market to hundreds of companies (ICANN has now accredited more than 400 registrars), helping drive the annual price of an Internet address down from a fixed $35 to less than $10 in many cases. VeriSign left the retail business altogether in 2003 when it spun off its Network Solutions business.

VeriSign's share price climbed $1.40 to close at $27.40 the day after ICANN announced that dot-net would remain where it is, reflecting the importance some investors placed on the company maintaining a leading role in the domain name market.

"It's meaningful in terms of the bragging rights. It's not meaningful in terms of stand-alone revenue, but losing it would puncture a hole in VeriSign's story about how unique they are," Merrill Lynch analyst Ed Maguire said.

The dot-net operation generates about $30 million in revenue a year for VeriSign -- not a vast sum compared with the nearly $1.2 billion in revenues and $186 million in profits the company reported in 2004.

Scott Sutherland, an analyst at Wedbush Morgan, said losing the domain could have panicked some investors, who may have taken it as a sign that VeriSign would eventually lose dot-com as well. That's unlikely, since VeriSign's contract to run dot-com presumes that the company will retain control of the domain indefinitely unless it does something to warrant having it taken away, but Sutherland said winning the dot-net contract is likely to quell investors' concerns on that front. The dot-com registry generates more than $150 million a year for VeriSign.
Also, while dot-net may not contribute a large revenue stream, Maguire and Sutherland noted it is an extremely profitable line of business because the technology required to run the registry is already in place. The two analysts don't own stock in VeriSign and their firms don't provide investment-banking services for the company.

Unfair Advantage?

While it was stressing security in its dot-net bid, VeriSign also argued that competition at the consumer level wouldn't necessarily be served by moving the domain to another operator -- saying that from a consumer standpoint it's more important to bolster competition at the retail level.

"I don't think this was a choice between security and competition. Security and stability are important, but Telcordia gave VeriSign its highest score for competition," McLaughlin said.

But even the choice of Telcordia as the evaluator has raised some hackles among VeriSign and ICANN critics. Telcordia is owned by Science Applications International Corporation, a company that once owned a piece of Network Solutions. Although Telcordia fully disclosed its historic ties before the dot-net evaluation began, the company couldn't help but view VeriSign in a favorable light, said Paul Vixie, president of the Redwood City, Calif.-based Internet Systems Consortium, a company that publishes a key piece of Internet software.

"Telcordia shares a lot of corporate DNA with VeriSign. They're the same type of people, and they do things in the same general way, and these evaluations are really smell tests. ... [ICANN] picked someone who would recognize VeriSign as someone who was like themselves," Vixie said.

ICANN spokesman Kieran Baker said ICANN didn't go forward with the evaluation process until all the bidders were satisfied that Telcordia could render an unbiased evaluation.
But in the wake of the decision in VeriSign's favor, at least three of the four losing bidders have filed formal complaints about some portion of the evaluation process, and all five bidders told ICANN that they'd be submitting written comments on the evaluation process.

DeNic, the company that operates Germany's sovereign dot-de, the world's second-largest Internet domain behind dot-com, has been vocal about its unhappiness with the process.

"We will comment on these issues, but I'm not sure we'll do further complaints, because we don't think it will change the results. But we're disappointed that ICANN and Telcordia did not take the opportunity to run this process more properly," DeNic director Sabine Dolderer said.

DeNic complained that Telcordia misstated information about DeNic's in-house technology in the first draft of the report. Telcordia issued an amended report that did not change DeNic's ranking, which was fourth out of five.

Sentan, the joint venture between Sterling, Va.-based NeuStar and Japan Registry Services, which runs Japan's sovereign dot-jp domain, placed second in the dot-net bidding process. Sentan wrote a letter to ICANN voicing concerns about the selection process, but other than that has remained fairly silent.

VeriSign's current contract to run dot-net expires June 30, and ICANN expects to complete negotiations in the next couple of weeks. The ICANN board of directors must approve the final deal, and the U.S. Department of Commerce will then have the final say, but in recent years the department has gone along with every major decision by the ICANN board. The agency declined to comment on the dot-net issue.
From isn at c4i.org Tue Apr 19 09:14:22 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Apr 19 09:29:42 2005
Subject: [ISN] IRS security flaws expose taxpayer data to snooping, GAO finds
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,101166,00.html

By Andy Sullivan
APRIL 18, 2005
REUTERS

Security flaws in computer systems used by the Internal Revenue Service expose millions of taxpayers to potential identity theft or illegal police snooping, according to a congressional report released today.

The IRS also is unlikely to know if outsiders are browsing through citizens' tax returns because it doesn't effectively police its computer systems for unauthorized use, the Government Accountability Office found.

The report was released three days after the deadline for filing personal income tax returns, and at a time when concerns about identity theft and computer security are running high.

"This lack of systems security at the IRS is completely unacceptable and needs to be corrected immediately," said Rep. James Sensenbrenner (R-Wis.), chairman of the House Judiciary Committee.

The IRS promised to fix any problems and find out if tax returns had been exposed to outsiders.

Over the past several years, the agency has taken steps to protect the information it collects, the report found. The agency has fixed 32 of the 53 problems that turned up in a 2002 review. But the GAO found 39 new security problems on top of the 21 that remain unfixed.

Along with $2 trillion in tax receipts, the IRS also collects information on money laundering and other possible financial crimes for the government's financial-intelligence office. But barriers between tax returns and money-laundering reports don't exist, the GAO found. Thus, a police officer checking up on money-laundering reports can also read personal tax returns, in violation of federal law.
In all, 7,500 IRS employees, law enforcers and outside contractors can access and modify tax returns and financial-crime reports, the GAO found. A master list of passwords and usernames is also widely available, the report said.

"Increased risk exists that unauthorized users could ... claim a user identity and then use that identity to gain access to sensitive taxpayer or Bank Secrecy Act data," the report said.

Identity thieves have used stolen passwords to gain access to nearly half a million profiles of U.S. citizens maintained by data brokers ChoicePoint Inc. and LexisNexis, a division of Reed Elsevier.

In a letter dated April 14, a Treasury Department official said many of the security holes portrayed in the report have been fixed and other updates should be completed by October. The agency will figure out whether tax returns and financial-crime information have been inappropriately disclosed, Acting Deputy Treasury Secretary Arnold Havens said.

An IRS spokesman declined to comment further.

Rep. John Conyers (D-Mich.) said the Judiciary Committee will consider whether additional measures are needed to strengthen computer security.

From isn at c4i.org Tue Apr 19 09:14:39 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Apr 19 09:29:44 2005
Subject: [ISN] EU task force to study IT critical infrastructure
Message-ID:

http://www.nwfusion.com/news/2005/0418eutask.html

By John Blau
IDG News Service
04/18/05

The European Union has set up a task force to explore what its 25 member states are doing in the area of combating cyber threats against the region's critical infrastructure.

As part of the EU's Critical Information Infrastructure Research Coordination (CI2RCO) project, announced Friday, the task force aims to identify research groups and programs focused on IT security in critical infrastructures, such as telecommunications networks and power grids.
"We want to bring together experts across the EU, learn more about their programs and how we can cooperate in curbing what we view as a global problem," said Paul Friessem, a director at the Fraunhofer Institute for Secure Information Technology (SIT), which is one of the organizations in the European task force. "We also intend to collaborate with experts outside the EU, in particular in the U.S., Canada, Australia and even possibly Russia." One of the problems facing the task force is convincing parties to divulge information that some governments view as critical to their national security. "While most EU member states are aware of the threat of cyberattacks on their critical infrastructure and are thus willing to share information, some are less willing," Friessem said. "We hope to overcome these barriers." In addition to identifying research efforts within the enlarged EU, the task force will ask the critical infrastructure players - telecom operators, power companies and other utilities - about their requirements. "We want to bring together these players to see where we have overlapping efforts and gaps," Friessem said. The plan is to submit an overview of the situation to the European Commission over the next few months so that officials in Brussels can address, if necessary, the issue of critical infrastructure security research in the forthcoming Seventh Framework Program, according to Friessem. The 7th Framework Program is the next five-year research and development program funded by the EU. The CI2RCO project will run for two years. In addition to SIT, the task force includes the German Aerospace Center (DLR);Industrieanlagen-Betriebsgesellschaft mbH (IABG); the Italian National Agency for New Technologies, Energy and the Environment (ENEA); Netherlands Organization for Applied Scientific Research (TNO); ?cole Nationale Sup?rieure des T?l?communications; and Ernst Basler+Partner. 
The task force expects to launch a new Web site within the next few weeks, according to Friessem.

From isn at c4i.org Tue Apr 19 09:21:17 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Apr 19 09:29:47 2005
Subject: [ISN] U.S. Military's Elite Hacker Crew (Two messages)
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"
Cc: cissp-guns-and-butter@yahoogroups.com

(I should probably state, right off the top, that my intention is not to make fun of military studies of infowar/cyberwar capabilities, but the people who report on them.)

Date sent: Mon, 18 Apr 2005 05:00:18 -0500 (CDT)
From: InfoSec News
Subject: [ISN] U.S. Military's Elite Hacker Crew

> http://wired-vig.wired.com/news/privacy/0,1848,67223,00.html
>
> By John Lasker
> April 18, 2005
>
> The U.S. military has assembled the world's most formidable hacker posse: a super-secret, multimillion-dollar weapons program that may be ready to launch bloodless cyberwar against enemy networks -- from electric grids to telephone nets.

Ummm, haven't we heard this before? Many, many, many times?

> In simple terms and sans any military parlance, the unit could best be described as the world's most formidable hacker posse. Ever.

Oh, it could *easily* be described that way. When you're a reporter looking for a sensational story, you can describe all kinds of things that way!

> But aside from that, little else is known.

Surprise, surprise!

> "They are a difficult nut to crack," said Dan Verton, a former U.S. Marine intelligence officer. "They're very reluctant to talk about operations."

Yeah. I'll bet.

> Verton said the unit's capabilities are highly classified, but he believes they can destroy networks and penetrate enemy computers to steal or manipulate data.

Oh, golly! Intrusions into other people's computers! Just imagine!
> He said they may also be able to set loose a worm to take down command-and-control systems so the enemy is unable to communicate and direct ground forces, or fire surface-to-air missiles, for example.

Didn't they already do this? In 1991? April of 1991? April *First* of 1991?

> To better understand the secret program, several questions about the unit were submitted to Stratcom.
>
> Capt. Damien Pickart, a Stratcom spokesman, issued a short statement in response: "The DOD is capable of mounting offensive CNA. For security and classification reasons, we cannot discuss any specifics.

Again, surprise, surprise.

> However, given the increasing dependence on computer networks, any offensive or defensive computer capability is highly desirable."

Any capability. Regardless of what it does. Regardless of how it works, or how *well* it works ...

> Nevertheless, Verton says military personnel have told him numerous "black programs" involving CNA capabilities are ongoing, while new polices and rules of engagement are now on the books.

Ah, so we are at the point where we don't know what we are doing, but, by golly, we are going to do it!

> Last summer, the internet-posted execution of American civilian Nicholas Berg sparked a debate about the offensive capabilities of the CNA program, said retired U.S. Army Col. Lawrence Dietz.

[...]

> The debate focused on whether the United States should shut down a website as soon as it posts such brutality.

Nobody told them about Kazaa, BitTorrent, etc?

> Dietz knows a thing or two about information warfare. He led NATO's "I-War" against Serbia in the mid-1990s -- a conflict that many believe was the occasion for the U.S. military to launch its first wave of cyber attacks against an enemy.

Oh, no, not the first! The *first* one was the "Desert Storm" virus.

> One story widely reported, but never confirmed

Again, surprise, surprise.
> "The reality is, once you press that Enter button, you can't control it," he said. "If the government were to release a virus to take down an enemies' network, their radar, their electrical grid, you have no control what the virus might do after that."

One of the reasons that, eighteen years ago, we figured that "attack" viruses were not a really good idea.

======================  (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca  slade@victoria.tc.ca  rslade@sun.soci.niu.edu
This is the bitterest pain among men, to have much knowledge but no power.  - Herodotus
http://victoria.tc.ca/techrev  or  http://sun.soci.niu.edu/~rslade

-=-

Forwarded from: matthew patton
Subject: Re: [ISN] U.S. Military's Elite Hacker Crew

I'd be happy to be wrong but I really don't think such a shallow "scare" piece warrants much notice. I'm not suggesting there aren't a couple of 0-days the military has come up with that it can potentially use to DoS or otherwise compromise the odd website here and there. I got a chance to view and interface with some folk involved in a "green room" project and well, it's "really cool" to the youngsters that they've got a hacking tool and the authorization to use it, it's not what I'd consider earth shattering stuff. The established bug hunters nee NGS are IMO considerably more skilled at this than the military will be. Much as we've been seeing in the crypto world for some time, the "public" is pretty darn good at this stuff too.

The controversial website thing to me is a red herring. By the time the military/intelligence community is aware of its existence the cat is LONG out of the bag. The Malaysian case of taking an extra day to pull the plug makes no difference - the video was out there on plenty of hard drives already.

Going after financial transaction software and infrastructure control devices is way more interesting.
The barrier to entry has generally been getting one's hands on the software in question and figuring out how to mess with it. I'm sure having gov't contacts tremendously facilitates access to what would otherwise be better controlled. Then again, how hard is it to bribe a sysadmin here or there who has access to the CD's at a big or not so big bank? Technical hacking is almost always greased by personnel hacking. I frankly wouldn't be surprised a purple suiter isn't in the employ of a couple of banks, trading houses or the like. And if not, why not?

From isn at c4i.org Wed Apr 20 04:12:52 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 20 04:28:27 2005
Subject: [ISN] Report: Private Screeners Outperform Gov't Workers (Not Surprising!)
Message-ID:

Forwarded from: William Knowles

http://abcnews.go.com/Politics/wireStory?id=686213

By LESLIE MILLER
Associated Press Writer
April 20, 2005

A congressional investigation found airport screeners employed by private companies do a better job detecting dangerous objects than government screeners, according to a House member who has seen the classified report.

[...]

I don't find this surprising. My good friend, who graciously has been hosting C4I.org on his box since day 1, joined me for the flights to and from Cleveland to attend NOTACON [1]. He hasn't flown very often since 9-11 and usually it's for longer trips where he checks his luggage with anything that he knows might be questionable by TSA standards tucked inside.

So we flew out of Chicago O'Hare uneventfully. My friend, who was running late to begin with, had sailed through security without issue even though he'd packed a Leatherman multi-tool [2] and a Swiss Army CyberTool [3] in his dop kit inside a gym bag with his clothing. He made it to the gate just in time and left the bag on the ramp to be stored in the cargo hold of the jet-powered puddle jumper we were on.
Both items have blades on them; the Leatherman blade comes in just at or over the 3" rule the security screeners go by. You can imagine the hypothetical situations where this could really be a dangerous item onboard, but the item never made it into the passenger cabin of the tiny Embraer RJ135 that my friend compared unfavorably to a school bus in terms of space and cabin-height. The blade on the Swiss Army Knife could barely stab someone serving in the Swiss Army, let alone injure them.

So, coming back to Chicago from Cleveland on Sunday evening, they make you take off your shoes (if they look like they are thick enough to do a shoe bombing with). There are no posted signs that you may or may have to take off your shoes (the locals know this, but I rarely fly and rarely to Cleveland), nor does O'Hare make you take off your shoes; I didn't have to again at O'Hare (again, the world's busiest airport), and at Cleveland there are no signs, so if you didn't know better, I don't take off shoes, but everyone around me was. I had to take off the shoes (no problem, but I missed the area to take your shoes off; everyone else meekly took theirs off and I have my laptop and TravelPro bag to watch).

During the routine x-ray search of the carry-on bag, the TSA finds my friend's Leatherman stashed in his dop kit. The TSA agent asked if they could search his bag, looking for the item they saw in the x-ray; they dug in the bag and found the dop kit. Then the TSA opened the dop kit where both tools were packed and ONLY GRABBED THE ONE. How they missed the Cyber Tool is beyond me. This is especially troubling with 2-3 TSA agents hovering over my friend checking out all the other tools on the Leatherman like they are Kalahari bushmen and they have never seen a multi-tool before; they are opening all the tools, having no clue how to close them and trying to figure out if this is a prohibited item or not.
So the lead TSA Golden Retriever tells my friend, within earshot of me, that he won't face a fine if he does one of the following three things...

1.) That he could toss it in the garbage (a $50+ Leatherman)

2.) Mail it back for $7 and take your chances with their TSA authorized mailing provider not pinching it for themselves. OR...

3.) Check a bag with the TSA manager placing the item themselves into the bag under their watchful eyes.

My friend was willing to check his bag, but it being basically a duffel bag with no locks, I offered to check my TravelPro bag since it was lockable (not realizing that made ultimately no difference).

"So here's where it became the Keystone Kops of Cleveland time."

It was damn close to the time of departure; with this delay I had no idea that my luggage would make it through to the plane, but we never had a chance of boarding with it. BUT, the TSA didn't tell us we'd miss our flight. Also, this being a Sunday, with everyone getting out of Dodge, we were in the general queue for searches. I fly with Continental out of Chicago for the upgrades to first class (this might be considered odd when I have United as my hometown airline, but eternally in bankruptcy court); we tried for the VERY empty first class line and were told we weren't first class and couldn't use that lane. Who pays for a first class ticket on a plane with no first class cabin [4]? There was a workaround to that, but I wasn't thinking; I was thinking about sleeping in my own bed for once.

So we both missed our flight back to Chicago. Sitting around the gate (not more than 20 paces from the security checkpoint) wondering where the plane is, I called the airline and found out that we missed the flight. However, my bag DID fly ahead of me, and would be waiting for me (unlocked, since Cleveland's checked bags explosives detectors are under the airport and I had to unlock the bag). We had to leave the gate and go back to the front and get new tickets.
We explained to the nice lady at the check-in desk what happened, got tickets with no fees, thank God (and Continental), and went through security for the second time, and what happens this time around?!?!? TSA discovers the Swiss Army Knife... The one they conveniently had missed with their deft little gloved hands previously. My friend isn't stupid and noticed this the first time around. But he assumed, right or wrong, you don't volunteer anything in a situation like that - hell, more than likely they'd talk over you explaining that "they're just doing their job".

The TSA agents had no clue who we are; they forgot in the timeframe of half an hour that we went through before, and that we had to take off our shoes again. It was like the Cleveland TSA office was managed by pet-quality Golden Retrievers in snappy TSA uniforms, nice looking, but dumb as a bag of hammers.

Another condemnable fact is that both of us, having gone through the SAME exact screening line 3 times, never got so much as a visual acknowledgement from the 4 or so TSA agents on our subsequent trips. It so happens on my friend's last run through the gauntlet he was asked by the agent at the metal detector "How's your day going?". Incredulously my friend said "You should know! This is my third time through here!". Forget any notion that should a photograph ever be circulated amongst these 'agents' that that person might be caught in line. They pay zero attention to the people they herd through their maze.

You have to really wonder about these TSA agents that should really be flipping burgers at the airport Burger King if there was no TSA or private screeners, but they're high on the buzz of authority, knowing they can't do anything wrong, and if you get out of line with lip and talking back, secondary searches can and will happen. Mind you, all of this wasn't a punitive search, just procedural, lock-step, rule-following security drones there really for the Govt paycheck.
Airport/mall rent-a-cops can get fired for royally screwing up; TSA agents can't really get canned, unless it's something that they really screw the pooch over.

So my friend checked the Cyber Swiss Army knife in the bag he was originally going to check the Leatherman in.

What really irked me was there was not likely going to be some report about why they missed the items at O'Hare, and why they missed the Swiss Army knife after the first screening with the Leatherman and a gaggle of TSA agents and managers. Why wasn't there a secondary search for more items, more knives, box cutters, explosives, etc. when coming back to Chicago? Also the TSA will escort you out of the checkpoint, but wasn't able to escort him through the whole mess from the ticket counter back to the security checkpoint without any real justification, especially when the evening rush was over and the TSA agents were all hitting the Burger King and Ben & Jerry's for dinner and snacks, at 6PM; it was just that dead there.

As much as I have scary National Guard security stories (everyone does) from when they were placed at the airport in those trying weeks after 9/11, I think I miss them over the TSA since they had at least six weeks intensive basic training under their belts, over maybe one week of training for a bunch of slupoffs who left their jobs as Taco Bell line cooks to work for the TSA. Besides, the Army National Guard members were better cleared for doing security in the f&cking first place.

As an information security professional that regularly meets with my physical security counterparts, I can't believe there is a definite lack of standards and compliant rules on what happens when a prohibited item is found, and why there aren't any reports being taken as a lesson learned for next time.
It boggles the mind. Grandma that maybe flies once every three years (Grandma can fly with her knitting needles [5]) likely feels more secure; me personally, I don't. I feel less secure since 9/11/2001 and because of that, either take the train or drive. :(

[1] http://www.notacon.org/
[2] http://www.amazon.com/exec/obidos/ASIN/B0000WU85A/c4iorg
[3] http://www.amazon.com/exec/obidos/ASIN/B00005ML8H/c4iorg
[4] http://www.continental.com/Travel/inflight/aircraft/erj135.asp
[5] http://www.tsa.gov/public/interweb/assetlibrary/Prohibited_English_4-1-2005_v2.pdf

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Wed Apr 20 04:13:08 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 20 04:28:30 2005
Subject: [ISN] Security group wants ideas
Message-ID:

http://www.fcw.com/article88625-04-19-05-Web

By Florence Olsen
April 19, 2005

Federal agencies spent up to $2 billion last year reinventing the wheel to make federal information systems more secure, an Office of Management and Budget official said this week. That amount was nearly half of the $4.2 billion that federal agencies spent on information systems security in fiscal 2004.

Glenn Schlarman, chief of the information policy branch at OMB, said an interagency task force representing all federal agencies is appealing to industry officials for ideas to help reduce those costs and improve information security governmentwide.

"We already know we're going to save a bunch of money," said John Sindelar, deputy associate administrator of the Office of Governmentwide Policy at the General Services Administration.
He and Schlarman were among more than a half-dozen federal officials who spoke on Monday at an Enterprise Cybersecurity Practitioners Day in Washington, D.C. Sindelar is also project executive for the interagency effort to improve information systems security by consolidating certain security functions and adopting government and industry best practices, procedures and policies.

Systems integrators who attended the industry event were asked to submit information about approaches they have found to be successful in creating large-scale information security programs. Government officials also have issued an official request for information about information systems security.

Federal officials said they plan to take that information, which must be submitted by May 5, and incorporate it into business case documents that federal agencies will review and submit in final form with their budget requests for fiscal 2007. OMB requires federal agencies to submit business cases to justify their spending on information security. The deadline for submitting business cases for consideration during the fiscal 2007 budget planning process is September 2005.

Sindelar said governmentwide procurements of information security hardware, software and services could begin as early as fiscal 2006 and would extend to fiscal 2007 and beyond. "We're interested in ideas not only for what we procure but also how we procure it," he said.

From isn at c4i.org Wed Apr 20 04:13:42 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 20 04:28:33 2005
Subject: [ISN] Recon 2005 - Speakers list
Message-ID:

Forwarded from: hfortier

RECON 2005
Montreal, Quebec, Canada
17 - 19 June 2005

We are pleased to announce the final paper selection for the RECON conference. RECON is a computer security conference taking place in downtown Montreal from the 17th to the 19th of June 2005.

Please take note that we have extended the early registration period until April 30th.
We have also reduced the student registration rate to $200 CAN.

Here are the final results from the Call For Papers:

Aaron Newman - Techniques for Attacking an Oracle Database
Adam Shostack - Anonymous Blogging System
Andrew Griffiths - Binary protection schemes
Cedric Blancher - Attacking Wifi with Traffic Injection
Fravia - Wizard searching: reversing the commercial web for fun and knowledge
Haroon Meer - Web Application Hacking
Jack Whitsitt - Visual analysis: 2d does it better in color
Jonathan Levin - The Dark Side of Winsock
Jonathan Westhues - Practical attack on a prox card
Jose Nazario - Introduction to network programming with libevent, libned and libnids
Kathy Wang - Using honeyclients to discover new attacks
Matt Shelton - Passive asset detection system
Nish Bhalla - Auditing source code
Nicolas Brulez & Ryan Russell - Malware Analysis
Pedram Amini - Process stalking: runtime visual rce
Robert E. Lee & Jack Louis - Syllogic application testing
Ryan McBride - Network Randomness in OpenBSD
Thorsten Schneider - Hardening Registration Number Protection Schemes
Todd MacDermid & Jack Lloyd - Encrypted P2P and VoIP Spaces with CUTLASS

An intensive Reverse Engineering training course will be given by Nicolas Brulez. Two sessions will take place; there are currently a few spaces available in each training session.

Visit http://recon.cx for more information.
Please visit http://forum.recon.cx for discussions about REcon.

Recon Staff

From isn at c4i.org Wed Apr 20 04:13:57 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 20 04:28:36 2005
Subject: [ISN] Open-Source CVS Project Plugs Security Leaks
Message-ID:

http://www.eweek.com/article2/0,1759,1788016,00.asp

By Ryan Naraine
April 19, 2005

Security researchers on Tuesday issued a warning for multiple vulnerabilities in the open-source CVS, a popular program that allows developers to keep track of different development versions of source code.
The most serious of the flaws could allow a remote compromise of unpatched servers, the open-source Concurrent Versions System Project confirmed in an advisory. The flaws include buffer overflows and memory leaks that could lead to code execution and denial-of-service attacks.

Security alerts aggregator Secunia has slapped a "moderately critical" rating on the vulnerabilities and recommended that users upgrade to version 1.11.20 immediately.

CVS, also known as the Concurrent Versioning System, implements a version control system that keeps track of all work and changes in the implementation of a software project. The system is commonly used as a collaboration tool among open-source developers, and the discovery of security flaws could cause serious problems if an attacker embeds malicious code in software revisions and patches.

The CVS Project described the buffer overflow as "potentially serious" but said it may not be exploitable. It also confirmed that the new version plugs several memory leaks and fixes several potentially freed NULL pointers that may have been exploitable for a denial-of-service attack.

The group also warned that several potential vulnerabilities in the contributed Perl scripts have been fixed.

"The confirmed vulnerability could allow the execution of arbitrary code on the CVS server, but only if a user already had commit access and if one of the 'contrib.' scripts was installed improperly, a condition which should have been quickly visible to any administrator," the Project said. A complete description of the problem has been published.

"If you were making use of any of the contributed trigger scripts on a CVS server, you should probably still replace them with the new versions, to be on the safe side," the group said.

A fix for this bug, however, is incomplete.
"Taint-checking has been enabled in all the contributed Perl scripts intended to be run as trigger scripts, but no attempt has been made to ensure that they still run in taint mode," the advisory read.

The latest security hiccup comes at a crucial time for the CVS Project, which is still reeling from a major server attack last year. On the Project home page, the remnants of that attack are still visible.

"The cvshome site is currently being thoroughly cleaned as a direct result of an exploitative code set that attacks a cvs security violation," reads the note that greets visitors.

"The publication of this code makes all sites running cvs with any remote protocol vulnerable. Use the following information to determine if your site is at risk and to access either a patch for this problem or a full source distribution with the fix included," the notice reads.

From isn at c4i.org Wed Apr 20 04:14:12 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 20 04:28:39 2005
Subject: [ISN] PHP falls down security hole
Message-ID:

http://www.techworld.com/security/news/index.cfm?NewsID=3514

By Matthew Broersma
Techworld
19 April 2005

Servers running PHP are vulnerable to a number of serious security exploits, including some which could allow an attacker to execute malicious code, as well as denial-of-service exploits, according to the PHP Group.

The project has issued updates [1] fixing the bugs, available from the PHP website and directly from various operating system vendors. "All Users of PHP are strongly encouraged to upgrade to this release," the PHP Group said in its advisory.

PHP, an open-source programming language mainly for server-side applications, runs on server operating systems such as Linux, Unix, Mac OS X and Windows.

Several of the flaws were discovered in PHP's EXIF module, used to handle the Exchangeable Image file format (EXIF) specification used by digital cameras.
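The EXIF flaws the article goes on to describe (a crafted Image File Directory tag that overflows a buffer, recursion that never bottoms out, and image-segment loops that never terminate) are all failures of the same few checks in a format parser. The following is an added example written for this digest; it is not PHP's code and not the fix the PHP Group shipped. It is a small bounds-checked walker for TIFF/EXIF IFDs and JPEG marker segments, with every offset and length validated before it is dereferenced, a depth and cycle limit on sub-IFD pointers, and a forward-progress guard on segment lengths. The sample image bytes are constructed; tag numbers 0x8769 and 0xA005 are the standard Exif and Interoperability sub-IFD pointers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum exif_status { EXIF_OK = 0, EXIF_TRUNCATED, EXIF_BAD_HEADER, EXIF_BAD_COUNT,
                   EXIF_BAD_TYPE, EXIF_TOO_DEEP, EXIF_LOOP };

#define MAX_IFD_DEPTH   4    /* IFD0 -> Exif -> Interop is the deepest legitimate chain */
#define MAX_IFD_ENTRIES 256  /* sanity cap; cameras emit far fewer tags per IFD */

static uint16_t rd16(const uint8_t *p, int le) {
    return le ? (uint16_t)(p[0] | p[1] << 8) : (uint16_t)(p[0] << 8 | p[1]);
}
static uint32_t rd32(const uint8_t *p, int le) {
    return le ? (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24
              : (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
}

/* Element size of TIFF field types 1..12 (index 0 unused). */
static const uint32_t type_size[13] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};

/* Walk the IFD at `off`. `path` holds the IFD offsets on the current descent, so a
 * pointer back to an ancestor is reported as a loop instead of recursing forever. */
static enum exif_status walk_ifd(const uint8_t *buf, size_t len, uint32_t off, int le,
                                 unsigned depth, uint32_t *path, size_t *entries)
{
    if (depth >= MAX_IFD_DEPTH) return EXIF_TOO_DEEP;
    for (unsigned i = 0; i < depth; i++)
        if (path[i] == off) return EXIF_LOOP;
    path[depth] = off;

    if (off > len || len - off < 2) return EXIF_TRUNCATED;
    uint16_t count = rd16(buf + off, le);
    if (count > MAX_IFD_ENTRIES) return EXIF_BAD_COUNT;
    if ((size_t)count * 12 > len - off - 2) return EXIF_TRUNCATED; /* whole table must fit */

    for (uint16_t i = 0; i < count; i++) {
        const uint8_t *e = buf + off + 2 + (size_t)i * 12;
        uint16_t tag = rd16(e, le), type = rd16(e + 2, le);
        uint32_t n = rd32(e + 4, le), val = rd32(e + 8, le);
        if (type == 0 || type > 12) return EXIF_BAD_TYPE;
        uint64_t vlen = (uint64_t)n * type_size[type];   /* 64-bit product cannot wrap */
        /* A value wider than 4 bytes is stored out of line at offset `val`. */
        if (vlen > 4 && (val > len || vlen > len - val)) return EXIF_TRUNCATED;
        (*entries)++;
        if (tag == 0x8769 || tag == 0xA005) {            /* sub-IFD pointer: bounded recursion */
            if (type != 4 || n != 1) return EXIF_BAD_TYPE;
            enum exif_status s = walk_ifd(buf, len, val, le, depth + 1, path, entries);
            if (s != EXIF_OK) return s;
        }
    }
    return EXIF_OK;   /* the trailing next-IFD link is not followed in this example */
}

/* Validate a TIFF/EXIF blob; on success *entries is the number of tags seen. */
enum exif_status exif_check(const uint8_t *buf, size_t len, size_t *entries)
{
    uint32_t path[MAX_IFD_DEPTH];
    int le;
    *entries = 0;
    if (len < 8) return EXIF_TRUNCATED;
    if (!memcmp(buf, "II", 2)) le = 1;
    else if (!memcmp(buf, "MM", 2)) le = 0;
    else return EXIF_BAD_HEADER;
    if (rd16(buf + 2, le) != 42) return EXIF_BAD_HEADER;
    return walk_ifd(buf, len, rd32(buf + 4, le), le, 0, path, entries);
}

/* Find the APP1 (Exif) payload in a JPEG header; returns its offset or -1. A segment
 * length includes its own two bytes, so anything below 2 would leave the cursor where
 * it is: it is rejected rather than looped on. */
long jpeg_find_app1(const uint8_t *buf, size_t len)
{
    size_t pos = 2;
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8) return -1;   /* no SOI */
    while (pos + 4 <= len && buf[pos] == 0xFF) {
        uint8_t marker = buf[pos + 1];
        uint16_t seglen = (uint16_t)(buf[pos + 2] << 8 | buf[pos + 3]);
        if (marker == 0xD9 || marker == 0xDA) return -1;   /* EOI / SOS: headers are over */
        if (seglen < 2) return -1;                          /* forward-progress guard */
        if (marker == 0xE1) return (long)(pos + 4);
        pos += 2 + seglen;                                  /* advances by at least 4 */
    }
    return -1;
}

/* Constructed sample: little-endian TIFF, IFD0 = {Model "Cam", Exif sub-IFD at 38},
 * sub-IFD = {ExifVersion "0220"}; 56 bytes in total. */
static const uint8_t sample_tiff[56] = {
    'I','I',0x2A,0x00, 0x08,0x00,0x00,0x00,
    0x02,0x00,
    0x10,0x01, 0x02,0x00, 0x04,0x00,0x00,0x00, 'C','a','m',0x00,
    0x69,0x87, 0x04,0x00, 0x01,0x00,0x00,0x00, 0x26,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,
    0x01,0x00,
    0x00,0x90, 0x07,0x00, 0x04,0x00,0x00,0x00, '0','2','2','0',
    0x00,0x00,0x00,0x00 };

/* Runs the walker on the sample (variant 0) or a crafted mutation of it; returns the
 * tag count on success, or the negated exif_status on rejection. */
int exif_demo(int variant)
{
    uint8_t b[sizeof sample_tiff];
    size_t entries;
    memcpy(b, sample_tiff, sizeof b);
    if (variant == 1) b[30] = 0x08;                      /* sub-IFD pointer -> IFD0: a cycle */
    if (variant == 2) b[8] = 0x10;                       /* IFD0 claims 16 entries: table overruns */
    if (variant == 3) { b[14] = 0x40; memset(b + 18, 0, 4); b[19] = 0x10; } /* 64 bytes at 0x1000 */
    enum exif_status s = exif_check(b, sizeof b, &entries);
    return s == EXIF_OK ? (int)entries : -(int)s;
}

long jpeg_demo(int variant)
{
    uint8_t j[12] = {0xFF,0xD8, 0xFF,0xE1, 0x00,0x04, 'E','x', 0xFF,0xDA, 0x00,0x02};
    if (variant == 1) { j[3] = 0xE0; j[5] = 0x00; }      /* APP0 with length 0: would never advance */
    return jpeg_find_app1(j, sizeof j);
}
```

The three mutations in `exif_demo` are the shapes a crafted file takes: a count field larger than the bytes that follow it, a value offset past the end of the buffer, and a sub-IFD pointer aimed back at an IFD already being walked. Each is caught before any memory past `len` is touched, which is the property the article's overflow, recursion and infinite-loop reports all lacked.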
A bug in the module's exif_process_IFD_TAG() function could be exploited by a specially crafted "Image File Directory" (IFD) tag to cause a buffer overflow and execute malicious code with the privileges of the PHP server, according to Mandriva, which issued its update [2] on Monday. A second EXIF module bug could lead to an infinite recursion, causing the executed program to crash.

Another flaw, first disclosed [3] by iDefense, affects the "php_handle_iff()" and "php_handle_jpeg()" functions and could be exploited by a specially formed image to cause infinite loops and consume all available CPU resources, creating a denial of service.

The PHP update fixes a number of other security flaws, mostly less serious, as well as non-security-related bugs.

Independent security firm Secunia originally gave the flaws a non-critical ranking, but later changed its rating to "highly critical" [4] as more information came to light, the company said.

Updates are being distributed by Debian, Gentoo, Suse and others.

[1] http://www.php.net/release_4_3_11.php
[2] http://www.mandriva.com/security/advisories?name=MDKSA-2005:072
[3] http://www.idefense.com/application/poi/display?id=222
[4] http://secunia.com/advisories/14792/

From isn at c4i.org Wed Apr 20 04:14:27 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 20 04:28:42 2005
Subject: [ISN] Shoppers' data stolen from DSW shoe stores
Message-ID:

http://www.miami.com/mld/miamiherald/11437206.htm

BY ELAINE WALKER
April 20, 2005

If you shopped at the Dadeland DSW Shoe Warehouse during the past two years and paid with a credit card, debit card or check, your credit information is now in the hands of thieves.

It is the latest in a rash of security breaches involving personal data that can be used to steal an individual's identity.
The shoe retailer didn't offer details of how its computer system was hacked but said the theft included data from 1.4 million credit and debit card transactions and 96,000 check transactions at 108 stores, including those in Miami near Dadeland Mall, Aventura, Davie, Boca Raton and West Palm Beach.

The affected transactions occurred between mid-November 2004 and mid-February 2005, except at the Dadeland store, where the theft stretched back to early 2003.

"We don't know why that location was targeted," said Rob Whitehouse, a DSW spokesman.

For each credit or debit card, stolen information included card number, name and transaction amount. Address, PIN numbers and any other personal info were not stolen, the company said. With checks, checking account numbers and driver's licenses were obtained, but not customer names, addresses or Social Security numbers.

The DSW thefts are one in a string of recent high-profile incidents involving confidential consumer data. Thieves may have accessed as many as 310,000 Social Security numbers from LexisNexis databases. Earlier this year, the ChoicePoint data clearinghouse revealed thieves posing as legitimate clients bought information on 145,000 people. Bank of America also revealed it "lost" computer data tapes with account information on more than one million federal employees.

Sen. Bill Nelson, D-Fla., is one of several legislators taking steps to strengthen laws to offer consumers more protection for their personal and financial information. Nelson has introduced a bill that would require the Federal Trade Commission to establish safeguards that would apply to any company warehousing consumer financial data.

"There are millions of Americans right now whose entire life history is flying around in somebody's hands," said Dan McLaughlin, a Nelson spokesman.
STORES AFFECTED

At DSW, neither the Southland Mall location, which was not open in February when the company's computer system got hacked, nor the store at Kendall Ridge Center was hit.

Identity theft experts say this didn't have to happen.

"This is sloppy handling of information or poor security procedures," said Jay Foley, co-founder of the Identity Theft Resource Center in San Diego, a nonprofit organization that assists victims of identity theft. "Somewhere there's a flaw in the system if they're allowed to lose this much information."

Customers who made purchases at DSW stores during the affected time periods are urged to pay close attention to their credit card or bank statements for unusual activity. They should also contact their bank or credit card company for additional guidance. Customers can also check the company's website www.dswshoe.com for more information.

"We understand that our customers feel violated by this criminal act, and we feel the same," said a statement from Debbie Ferree, DSW's president. "Our sincere apologies go out to our customers for the inconvenience this may have caused. We will continue to work with authorities to identify and prosecute those responsible for this crime to the full extent of the law."

With its rows of discounted men's and women's shoes, DSW is a mecca for shoe lovers. But Lilly Lancent, a South Miami resident who buys shoes at the Dadeland DSW store several times a month, said Tuesday she was shocked to hear the news of the identity theft, especially after using her credit card to buy a new pair of shoes.

"I think customers have a right to know that this is going on," said Lancet, clutching a black-and-white striped DSW bag. "I shouldn't be shopping and putting my trust in a place where things are shady."

Others said they were aware the store had had problems and have made changes in their purchasing habits. DSW first announced some customer information had been compromised last month.
"I paid with cash because I'd heard about it," said Claudia Farfan, an interior designer from Doral, who stopped by the Dadeland store Tuesday between client visits. "You never know -- it just makes you very cautious."

UNDER INVESTIGATION

DSW said it contacted the U.S. attorney's office and the U.S. Secret Service within 24 hours after discovering the theft. Ray Lopez, assistant to the special agent in charge with the Miami office of the Secret Service, confirmed the matter remains under active investigation, but would not discuss the details.

The retailer also immediately notified all major credit card companies -- Visa, MasterCard, Discover and American Express -- and provided the companies with the stolen credit and debit card numbers.

DSW said it hired a computer security firm to conduct a forensic investigation regarding what happened and take steps to prevent any repeat situations. But the company won't elaborate on the changes that have been made, Whitehouse said.

"We don't want to give them any clues," he said.

From isn at c4i.org Wed Apr 20 04:14:40 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 20 04:28:45 2005
Subject: [ISN] Wood River student expelled for hacking into computer
Message-ID:

http://www.mtexpress.com/index2.php?issue_date=04-20-2005&ID=2005102706

By MEGAN THOMAS
Express Staff Writer
April 20, 2005

A case of "senioritis" took a turn for the worse after a former Wood River High School senior discovered how to excuse his absences.

"A buddy of mine and I found a security hole," said Noah Brod, 18, of Hailey.

The security hole enabled Brod, at the time a WRHS senior, along with four other WRHS students to crack the school's attendance system. The group discovered how to enter the School Administrative Student Information program, known as SASI, that contains students' attendance records, transcripts, class schedules and demographic information. The students reportedly guessed the default administrative user name and the password.
The access enabled the students to excuse absences at their liberty.

Four of the students were punished with a session of Saturday school. The other student, Brod, found himself expelled for the rest of the year.

Brod's record indicates he was a diligent student. According to his first trimester transcript, he earned four A grades and one B grade. He was also a four-year member of the debate team, Chess Club president and a member of the National Honor Society.

Brod appeared at an expulsion hearing Wednesday, Feb. 9, in front of the Blaine County School board of directors based on accusations of breaking into the computer system, altering the attendance record and altering grades. All members of the board, with the exception of Kathy Pruett, attended the hearing.

"I only excused absences. Really, I had no reason to change my grades. I am a 3.5 student," Brod told the Mountain Express.

Brod appeared before the board with his lawyer, Andy Parnes. Brod described the process as a four- to five-hour hearing, during which he and other students and adults addressed the board. Brod said the majority of the hearing addressed the issue of attendance, rather than grade changing.

Blaine County School District Clerk Cathy Zaccardi said the hearing was held in a closed executive session and that no information was available from the district.

"It's a student issue, the Brod situation. It was a board decision during executive session. I am not at liberty to say anything about it," District Assistant Superintendent Mary Gervase said.

Brod this week provided the district's findings of fact and conclusions of law that detail the board's decision. The findings state that the board voted unanimously to expel Brod for the remainder of the second trimester.

"I believe the decision was discriminatory. It shows Noah was singled out," said David Brod, Noah's father.

The expulsion carried a list of conditions permitting Brod to return the second semester.
The conditions mandated that he write a letter of apology, not attend extracurricular activities and complete 40 hours of community service with 10 hours allocated to writing a 20-page essay on the topic of honesty and integrity.

Upon completion of the conditions, Brod was permitted to return for the third trimester at WRHS, provided that he check in with administrators when arriving and leaving campus. The provisions also banned Brod from extracurricular activities, prom, school computers, visiting other district schools and the Community Campus. Finally, he was not allowed to participate in graduation ceremonies.

"By the time the board handed down the decision my grades had already slipped. If I wanted to appeal it would take longer than the third trimester," Brod said.

Brod wrote a letter of apology and decided not to complete the other conditions. Brod was not permitted back to the school for the third trimester.

His plans for college were sidelined, and he plans to complete his remaining credits in Wyoming's Teton County School District next year. Then he plans to attend college and join the Peace Corps.

In the meantime, David Brod said he plans to move forward with a lawsuit against the Blaine County School District.

The district has also taken measures to prevent student access to the SASI system. The district disabled all of the default user name accounts and is encouraging teacher diligence to log off their computers, explained the district's director of technology Jerry Huchins.

Principal Graham Hume declined to comment.

From isn at c4i.org Wed Apr 20 04:16:56 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 20 04:28:48 2005
Subject: [ISN] Spitzer Targets Hackers
Message-ID:

http://www.redherring.com/Article.aspx?a=11839

April 19, 2005

New York Attorney General Eliot Spitzer has urged his state's legislators to do more to protect consumers from digital fraud and taken a swipe at computer criminals.
"The theft of one's identity and personal information is not a matter of 'if,' but a matter of 'when,'" Mr. Spitzer said on Monday. "New York State must enact reforms to strengthen consumers' ability to control personal information and to facilitate the prosecution of identity theft crimes."

The proposed legislation would make it easier for consumers to file identity fraud complaints, put "security freezes" on credit files, and provide "opt-out" lists for consumers who do not want their data passed along to third parties.

Mr. Spitzer's legislation would make it tougher for businesses. It would require companies to notify customers whenever they send out reports containing their information. The notification would include the address of the entity which had requested the private information.

Companies would also have to inform New Yorkers of any exposure of their personal information that affected more than 500 people.

The proposal resembles California Senate Bill 1386, which became law in July 2003. It requires companies to inform California of data leaks. On Tuesday, the Senate Judiciary Committee was scheduled to consider ways to augment the existing legislation. Senate Bill 852 would make companies as responsible for theft of records as they are now for digital data theft.

More than 785,000 Americans learned that they may have been the subject of identity theft in the last three months.

HSBC, a U.K. bank, recently informed 180,000 of its customers that information the company kept on them had been exposed to potential criminals (see HSBC Warns 180,000 of Fraud) [1]. Earlier the same week, data-collection firm LexisNexis announced it would mail 280,000 letters to Americans who had their information tapped into inappropriately (see LexisNexis Leaks 280,000 IDs [2]). Before that, the San Jose Medical group lost 185,000 patient records and social security numbers when someone walked out of the hospital with a computer under each arm.
The recent rash of identity theft started with ChoicePoint's announcement in February that it had lost detailed data on 145,000 people at the hands of a low-tech fraudster (see The Choicepoint Incident [3]).

Cyber trespassers

On top of the legislation designed to protect consumers, Mr. Spitzer has called for tougher penalties on computer criminals. He wants to prosecute people who gain access to computers surreptitiously, but who do not do any harm. The proposed legislation would also make encrypting information a crime if it concealed some other crime.

The anti-hacker part of Mr. Spitzer's proposed legislation has drawn criticism from computer experts.

"I've always admired Eliot Spitzer because of the types of bad guys he went after," said noted cryptographer Phil Zimmermann. "But I think it would be a mistake to make it a crime to use crypto. It's pervasive, and built into our web browsers and applications. It would be hard for most people to avoid using crypto because of its ubiquity."

Making cryptography a crime when it is used to conceal illegal activity would be a step in the wrong direction, said Mr. Zimmermann, who created an encryption program called Pretty Good Privacy.

"We need an ever-increasing ubiquity of crypto deployment across all relevant applications on the Internet, in databases, in access control, in authentication, in backup utilities: everywhere," he said. "That will help reduce identity theft, which is certainly a goal shared by Mr. Spitzer."
[1] http://www.redherring.com/Article.aspx?a=11798&hed=HSBC+Warns+180%2c000+of+Fraud
[2] http://www.redherring.com/Article.aspx?a=11763&hed=LexisNexis+Leaks+280%2c000+IDs
[3] http://www.redherring.com/Article.aspx?a=11336&hed=The+Choicepoint+incident

From isn at c4i.org Thu Apr 21 01:23:54 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 21 01:44:17 2005
Subject: [ISN] DHS OIG: Transportation Security Agency Criticized
Message-ID:

Forwarded from: Richard Forno

http://www.nytimes.com/2005/04/20/politics/20security.html

By ERIC LIPTON
April 20, 2005

WASHINGTON, April 19 - The Transportation Security Administration wasted money on an operations office lavishly equipped with artwork, tens of thousands of dollars of silk flowers, expensive kitchen equipment and a state-of-the-art fitness center with towel service, according to a report by the inspector general of the Homeland Security Department that was released on Tuesday.

Some of those supplies were improperly bought from a company owned by an acquaintance of the agency's project manager, according to the report.

The spending occurred in 2003 while the agency was setting up a $19 million transportation security center in Herndon, Va., for 79 full-time employees. The site includes seven kitchens and a fitness center more than half the size of one that serves nearly 7,000 employees at the agency's headquarters, the report says.

"Breakdowns in management controls left the project vulnerable to waste and abuse," says the report by Richard L. Skinner, the department's acting inspector general.

The critique was released on the same day that Mr. Skinner published separate reports concluding that the Transportation Security Administration's airport screeners had made no progress since 2003 in detecting weapons or explosives and asserting that the agency was not taking enough steps to prevent its staff from stealing items from passengers' bags during inspections.
"Three and a half years after those horrific terrorist attacks and there is still a vital need for security improvements," said Representative John L. Mica, the Florida Republican and chairman of a House aviation subcommittee who released the results of the audit related to weaknesses in weapons screening last Friday. "We have given them time to try to work out the kinks."

Agency officials did not dispute that at least one employee who had managed the construction of the Transportation Security Operations Center in Herndon appeared to have broken department rules, adding that they have referred the case to the Department of Justice for possible prosecution.

But they rejected the inspector general's assertions that the inappropriate spending occurred because of management failures, saying that the agency was justified in rushing to open the center and that supervisors detected the wrongdoing long before the audit.

"The report does not recognize the absolute criticality of achieving command and control over aviation security incidents as rapidly as possible," said a letter written by David M. Stone, the assistant secretary for the agency.

Mr. Stone also defended much of the extra spending at the transportation security center, saying that it was designed to serve during emergencies and other major national security events to handle a larger number of employees. The inspector general disagreed.

The agency project manager, who was not named in the report, asked the contractor to disguise $252,392 worth of artwork, $29,032 for an art consultant, $30,085 on silk plants and $13,861 on lamps and other items as "equipment and tools," instead of "enhancements" as they had been described on the first invoice, the report said.
To avoid a $2,500 cap on purchases made with a special agency buying card, it said, the project manager and two other agency employees also routinely split up the transactions into as many as 22 pieces, hiding the purchase of leather briefcases, loveseats, armoires and coffee pots.

The agency project manager also approved the installation of nine microwave ovens, four ice makers and 10 refrigerators, including two high-priced Sub-Zero models, for the center, the report said. It called the expenditures wasteful, even if the building was used by more people during emergencies.

When some agency staff members objected to the spending practices, the audit says, they were told, "I'll give you the money, just do it," because "the culture at T.S.A. is the mission supersedes the process."

The report on agency measures to prevent theft of jewelry or other valuables from airline passengers' baggage said that since January 2003, 37 baggage screeners had been fired for theft. The agency has also paid $736,000 to settle claims about missing items.

The inspector general said he could not estimate how many times thefts had occurred or divide blame between agency screeners and other airport or airline employees who also have access to bags. He urged the agency to install video cameras to try to prevent such crimes.

The third report, on the effectiveness of screening to detect weapons or explosives, found that there had been no major progress since a 2003 inspection in the rate at which agency workers caught undercover investigators carrying fake weapons or explosives.

Hundreds of tests were conducted at 15 airports from November through February. Actual results were not disclosed, as they are classified, but Representative Mica said they were extremely disappointing.

"The lack of improvements since our last audit indicates that significant improvement in performance may not be possible without greater use of technology," the report says.
It was referring to machines that more thoroughly screen passengers for explosives before they enter a secure area, instead of a metal detector check, as is now most often done.

Agency officials said they agreed with this conclusion, adding that until they can buy new equipment, "we will continue to seek incremental gains in screener performance through training, testing and management practices."

From isn at c4i.org Thu Apr 21 01:24:06 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 21 01:44:20 2005
Subject: [ISN] U.S. Military's Elite Hacker
Message-ID:

Forwarded from: William Knowles

I got a nice note from Kim Zetter (the staff security reporter for Wired.com). She explained that the author who wrote this story was a freelance writer who had written only one article for Wired News before this one.

Generally, as the staff security reporter, stuff like this gets passed by her before an editor makes an assignment so that she can comment on its newsworthiness. But Kim was out of town when this story came in so she was unable to weigh in on it before it was published.

From isn at c4i.org Thu Apr 21 01:24:20 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 21 01:44:23 2005
Subject: [ISN] State websites' security shaky?
Message-ID:

http://www.startribune.com/stories/587/5360065.html

Pat Doyle
Star Tribune
April 21, 2005

Reacting to revelations that the state motor vehicle website is vulnerable to hackers, legislators worried Wednesday that more government online sites might be vulnerable to penetration, and their fears were not allayed by the state official who uncovered the weakness.

Sen. Thomas Neuville, R-Northfield, asked Legislative Auditor James Nobles if he could offer assurances that the problems with the Department of Public Safety's motor vehicle website are unique among state agencies.

"I can assure you it is not the only agency with a problem," Nobles replied.
He said later that auditors over the years have noticed weaknesses in online security while conducting other reviews of agencies.

"We haven't found any so bad to cause us to recommend a system be shut down," he said. "But we found a lot of problems."

The exchange occurred at a hearing of the Legislative Audit Commission, where Public Safety officials told legislators that the department had been falsely assured earlier this year by its information technology employees that problems dating to 2001 had been corrected.

"The staff had assured us that ... it was a secure website," said Patricia McCormack, director of driver and vehicle services for the department.

Deputy Commissioner Mary Ellison said after the hearing that department officials don't know why they were misinformed or whether employees had lied.

"We're investigating it now," she said.

The website, which allows drivers to renew license tabs and plates online with a credit card, was taken down April 4, and officials said it could take months to fix the problem and get it running again.

As legislators sought answers for how problems in the driver and vehicle services division occurred, Ellison said that the division had sought help last year in securing its site through a homeland security grant awarded to the Department of Administration, but that it hasn't received any.

Homeland security grants are distributed by a division of the Department of Public Safety.

"There's a huge amount of irony in that," Ellison said, adding that the Public Safety Department might have learned of the problems earlier had it gotten help through the homeland security grant.

"That's ridiculous," said Keith Payden, the state's chief information officer and a deputy commissioner of administration. He said the department was trying to determine how to best spend the money among state agencies.

Ellison said Public Safety recently received a request for a specific proposal from the Administration Department.
Neuville and other legislators asked whether the legislative auditor or other officials could do a comprehensive survey of state agencies to determine the extent of online security problems. But Nobles said such a review would be a difficult undertaking given the variety of computer systems and websites offering government services.

Monitoring threats

The threat of hackers trying to penetrate state computers is illustrated by the experience of the secretary of state's office, which offers voting and business filing information online. It uses a private firm to monitor Internet transmissions in an effort to detect and deter intruders. In March it found 553,000 incidents deemed unusual; in a typical month, at least 20 to 30 are considered suspicious.

"Those are attempts that have not led to breaches," Secretary of State Mary Kiffmeyer said Wednesday. She added that she is confident that her office has blocked any hacking attempt. "You have to stay on top of this every week, every month, every day."

From isn at c4i.org Thu Apr 21 01:23:21 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 21 01:44:26 2005
Subject: [ISN] Security UPDATE -- Wipe Old Hard Disks Clean Reprise -- April 20, 2005
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

The Competitive Advantages of Multi-Platform Remote Control: A Pathway to Increased Productivity
http://list.windowsitpro.com/t?ctl=7EED:4FB69

Is Your Office Truly Fax Integrated?
http://list.windowsitpro.com/t?ctl=7EF0:4FB69

====================

1. In Focus: Wipe Old Hard Disks Clean--Reprise

2. Security News and Features
- Recent Security Vulnerabilities
- SSL VPN Products
- IIS Application Isolation
- eEye Releases Free WiFi Scanner

3. Instant Poll

4.
Security Toolkit
- Security Matters Blog
- FAQ
- Security Forum Featured Thread

5. New and Improved
- Manage Windows Firewall

====================

==== Sponsor: Netopia ====

The Competitive Advantages of Multi-Platform Remote Control: A Pathway to Increased Productivity

The largest cost component associated with computers in the workplace is "misdirected end user activities" - the amount of time wasted by end users trying to fix a problem themselves or trying to help a colleague fix a problem that is best handled by IT staff. In this free white paper discover how to achieve a faster resolution of IT-related problems, reduce end-user downtime, increase employee productivity, and operate in a more efficient manner. Learn how your company can intelligently manage their enterprise environment and possess an inherent competitive advantage. Discover how you can outperform the competition by controlling costs and boosting productivity and download this free white paper now!
http://list.windowsitpro.com/t?ctl=7EED:4FB69

====================

==== 1. In Focus: Wipe Old Hard Disks Clean--Reprise ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

A year ago, I wrote in this space about tools that you can use to wipe hard disks clean of all data. In that article, I mentioned four software-based tools. This week I learned about two more tools and about another type of product that can help when you need to erase a disk.

The tools I mentioned in the previous article (first URL below) are Autoclave (no longer supported), LSoft Technologies' Active@KillDisk (second URL below), Stellar Information Systems' Stellar Wipe Safe Data Eraser (third URL below), and Heidi Computers' Eraser (fourth URL below).
http://list.windowsitpro.com/t?ctl=7EFF:4FB69
http://list.windowsitpro.com/t?ctl=7F0F:4FB69
http://list.windowsitpro.com/t?ctl=7F04:4FB69
http://list.windowsitpro.com/t?ctl=7F0E:4FB69

Because Autoclave, formerly provided by the University of Washington, is no longer supported, the university now refers people to the open source Darik's Boot and Nuke tool (DBAN). DBAN works from a bootable floppy disk, can erase data in various modes (DoD short, random number streams) and works with PCs and PowerPC platforms, including Apple Macintosh. DBAN is also bundled with Heidi Computers' Eraser.
http://list.windowsitpro.com/t?ctl=7F0D:4FB69

If you have Windows XP, then maybe you know that it ships with a command-line tool, cipher.exe, designed to manage encryption on entire volumes as well as directories. One of the features of cipher.exe is that it can wipe a disk to help prevent data recovery. The tool's /? switch gives you a list of all the available command-line options. You can use the last option, /W, to wipe an entire disk or a select directory.

There are, of course, other tools that can do the same job, which you can probably find using your favorite search engine.

Wiping an entire disk clean (so that you can recycle or dispose of it, donate it to charity, or return it under warranty) is sometimes quite a problem, especially if the disk is in a system that can no longer boot. You can of course try to use some sort of bootable CD-ROM and then run a software-based tool to wipe the disk. You can also remove the disk and put it into another system, boot that system, then wipe it clean.

Another method, which I think is very handy, is to use a custom connector that lets you connect a disk to any system using a USB or FireWire port. Such connectors are relatively inexpensive and have the added advantage of letting you connect any ATA disk to a supported system, including a laptop, which is also a great way to get a bunch of extra disk space when you need it.
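The wiping tools above all do the same underlying job: overwrite every block with one or more patterns, flush the writes to the device, and ideally read the device back to confirm the last pass landed. The following is an added example written for this digest, not code from the newsletter or from any of the tools it names. It performs a multi-pass overwrite (zeros, ones, then a reproducible pseudo-random stream) on a file and verifies the final pass by reading it back; it assumes a POSIX system, and the file, marker string and seed are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define CHUNK 4096
#define WIPE_PASSES 3          /* pass 0: zeros, pass 1: ones, pass 2: pseudo-random */

/* xorshift32 keeps the random pass reproducible so the verify step can regenerate it. */
static uint32_t xorshift(uint32_t *s) { *s ^= *s << 13; *s ^= *s >> 17; *s ^= *s << 5; return *s; }

static void pattern_fill(uint8_t *b, size_t n, unsigned pass, uint32_t *prng)
{
    if (pass % 3 == 2) for (size_t i = 0; i < n; i++) b[i] = (uint8_t)xorshift(prng);
    else memset(b, pass % 3 == 0 ? 0x00 : 0xFF, n);
}

static int write_all(int fd, const uint8_t *b, size_t n)
{
    while (n) { ssize_t w = write(fd, b, n); if (w <= 0) return -1; b += w; n -= (size_t)w; }
    return 0;
}
static int read_all(int fd, uint8_t *b, size_t n)
{
    while (n) { ssize_t r = read(fd, b, n); if (r <= 0) return -1; b += r; n -= (size_t)r; }
    return 0;
}

/* One pass over `size` bytes from the start of fd. verify=0 writes the pattern;
 * verify=1 reads the object back and compares it with the same pattern. */
static int run_pass(int fd, off_t size, unsigned pass, int verify)
{
    uint8_t want[CHUNK], got[CHUNK];
    uint32_t prng = 0x9E3779B9u ^ pass;               /* per-pass seed (constructed) */
    if (lseek(fd, 0, SEEK_SET) < 0) return -1;
    for (off_t done = 0; done < size; ) {
        size_t n = (size_t)(size - done < CHUNK ? size - done : CHUNK);
        pattern_fill(want, n, pass, &prng);
        if (!verify) { if (write_all(fd, want, n)) return -1; }
        else { if (read_all(fd, got, n)) return -1; if (memcmp(want, got, n)) return -2; }
        done += (off_t)n;
    }
    return verify ? 0 : fsync(fd);                    /* push the pass out of the page cache */
}

/* Overwrite `path` in place with `passes` passes and verify the last one.
 * Returns 0 on success, -1 on an I/O error, -2 if the read-back did not match. */
int wipe_file(const char *path, unsigned passes)
{
    struct stat st;
    int rc, fd = open(path, O_RDWR);
    if (fd < 0 || passes == 0 || fstat(fd, &st) < 0) { if (fd >= 0) close(fd); return -1; }
    rc = 0;
    for (unsigned p = 0; p < passes && rc == 0; p++) rc = run_pass(fd, st.st_size, p, 0);
    if (rc == 0) rc = run_pass(fd, st.st_size, passes - 1, 1);
    close(fd);
    return rc;
}

/* Demo on a constructed file: plant a marker string, wipe, then confirm the wipe
 * verified and the marker can no longer be found. Returns 0 only if both hold. */
int wipe_demo(void)
{
    static const char marker[] = "CONSTRUCTED-SECRET-DO-NOT-LEAK";
    char path[] = "/tmp/wipe_demo_XXXXXX";
    uint8_t data[10000];
    int fd = mkstemp(path), rc;
    if (fd < 0) return -1;
    for (size_t i = 0; i < sizeof data; i++) data[i] = (uint8_t)marker[i % (sizeof marker - 1)];
    rc = write_all(fd, data, sizeof data);
    close(fd);
    if (rc == 0) rc = wipe_file(path, WIPE_PASSES);
    if (rc == 0) {                                    /* independent check: search for the marker */
        fd = open(path, O_RDONLY);
        if (fd < 0 || read_all(fd, data, sizeof data)) rc = -1;
        else for (size_t i = 0; i + sizeof marker - 1 <= sizeof data; i++)
            if (!memcmp(data + i, marker, sizeof marker - 1)) { rc = -3; break; }
        if (fd >= 0) close(fd);
    }
    unlink(path);
    return rc;
}
```

Two caveats a practitioner should keep in mind. Overwriting a file in place only reaches the blocks currently mapped to it: journaling or copy-on-write filesystems, snapshots and SSD wear levelling can all retain older copies, which is why the whole-device tools the column recommends (DBAN, or a disk hung off a USB dock) are the right answer for a drive that is leaving your custody. And the read-back verification here confirms the last pattern is what the filesystem returns, not what the physical medium holds; for a device-level wipe the same check should be run against the raw block device.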
The Dan's Data Web site reviews at least four connectors I think you might be interested in. One is an external drive box shell from Sunnytek Information available for ATA and SATA configurations (review at the first URL below). You can insert just about any regular ATA disk you can think of inside the shell. Another is ComboDock by WiebeTech, which is a small external connector box that connects to the back of an ATA disk (review at the second URL below). Yet another is the USB 2.0 to IDE Cable, available from USBGEEK.COM (review at the third URL below). And finally, there is the R-Driver II USB to IDE cable (review at the fourth URL below), which I think is the best choice because it lets you connect regular ATA drives and the mini-ATA drives that are typically used in laptops and other portable computing devices.
http://list.windowsitpro.com/t?ctl=7F08:4FB69
http://list.windowsitpro.com/t?ctl=7F06:4FB69
http://list.windowsitpro.com/t?ctl=7F07:4FB69
http://list.windowsitpro.com/t?ctl=7F09:4FB69

One thing to keep in mind is that USB 2.0 (up to 480Mbps) is much faster than USB 1.x (up to 12Mbps). Likewise, FireWire 1394b (up to 800Mbps) is twice as fast as FireWire 1394a (up to 400Mbps). If you don't have USB 2.0 or FireWire 1394b in your system, you can buy an inexpensive add-on card to significantly speed up read and write times.

Any of the ATA connectors I mentioned let you add a disk to a system in just a few seconds. Not only can you use them to wipe data off a disk, but because they offer complete portability, you can also use them with CD-ROM and DVD drives to create your own portable backup solutions. If you're interested in these connectors, be sure to read the related hardware reviews at Dan's Data.

====================

==== Sponsor: FaxBack ====
Is Your Office Truly Fax Integrated?
Discover how to make your business more productive with easier ways for users to communicate and carry out mission-critical business processes.
Download this free white paper to learn how to integrate fax with Microsoft Office and Exchange/Outlook applications. Get usage examples of Office-to-Fax integration, learn the benefits, and see how fax works with Microsoft Office to deliver clear and substantial benefits to users.
http://list.windowsitpro.com/t?ctl=7EF0:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=7EF6:4FB69

SSL VPN Products
Not having access to your company's network and applications when you're on the road or working at home can seriously compromise your ability to do your job. This Buyer's Guide looks at Secure Sockets Layer (SSL) VPNs, a special type of remote access product that complements the secure gateways and network-based VPN technology that most companies already have.
http://list.windowsitpro.com/t?ctl=7EFC:4FB69

IIS Application Isolation
From time to time, you're probably called on to deploy a Web application that traffics in sensitive information. The deployment includes installing the application on a hardened server in such a way that no other Microsoft IIS applications can access the application files. Learn how to isolate applications in Brett Hill's article on our Web site.
http://list.windowsitpro.com/t?ctl=7EFD:4FB69

eEye Releases Free WiFi Scanner
eEye Digital Security announced the release of its free Retina WiFi Scanner, which is designed to help detect active wireless devices, including those that might already be connected to a company's wireless network.
http://list.windowsitpro.com/t?ctl=7EFA:4FB69

====================

==== Resources and Events ====

Microsoft Tech Ed 2005 Europe, 5 - 8 July, Amsterdam, The Netherlands
Build your own 4-day agenda from 12 targeted tracks offering over 400 technical sessions, Hands-On Labs, Chalk-&-Talks, Panel Discussions and more. At Microsoft's flagship European technical education conference for Developers and IT Professionals, engage with outstanding speakers, network with your European peers, evaluate current and soon-to-be-launched technologies and share the inspiration! Save 300 euros! Register before our 20th May Early Bird deadline at
http://list.windowsitpro.com/t?ctl=7F05:4FB69

Are You Experiencing Increased Frustration with Your Current Antispam Solution?
With new and more dangerous email threats, in-house software, appliances, and even some services may no longer work effectively. They require too much IT staff time to update and maintain or to satisfy the needs of different users. In this free Web seminar, learn firsthand from your colleagues and peers about their search for a better solution. Register today!
http://list.windowsitpro.com/t?ctl=7EEF:4FB69

Get The Valuable Resources You Need To Secure Your IT Environment.
Stay on top of new security threats, address those security threats, ensure trustworthy computing in your environment, and more! Download an eBook or white paper before June 30th and you'll be entered for a chance to win an Xbox!
http://list.windowsitpro.com/t?ctl=7EEA:4FB69

Developing, Deploying and Managing SQL Server Integration Services (SSIS)
In this free Web seminar, find out the role SSIS plays in Microsoft's BI strategy and learn about the important new SSIS features. You'll get a guided tour illustrating how to develop SSIS packages using the new SSIS Designer and learn how to customize those packages to run on different systems. Sign up today!
http://list.windowsitpro.com/t?ctl=7EE9:4FB69

Improve Fax Messaging and Application Integration
View this on-demand Web seminar and receive a complimentary 30-day software evaluation and industry white paper! Join industry expert David Chernicoff and learn how leading organizations are incorporating fax technologies to empower users and enhance existing investments in infrastructure and applications while providing substantial ROI. Register now!
http://list.windowsitpro.com/t?ctl=7EF2:4FB69

Get Ready for SQL Server 2005 Roadshow in a City Near You
Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Attend and receive a 1-year membership to PASS and a 1-year subscription to SQL Server Magazine. Register now!
http://list.windowsitpro.com/t?ctl=7EF1:4FB69

====================

==== Featured White Paper ====
Converting a Microsoft Access Application to Oracle HTML DB
Get the most efficient, scalable, and secure approach to managing information using an Oracle Database with a Web application as the user interface. In this free white paper learn how you can use an Oracle HTML Database to convert a Microsoft Access application into a Web application that can be used by multiple users concurrently. Download this free white paper now!
http://list.windowsitpro.com/t?ctl=7EEE:4FB69

====================

==== Hot Release ====
Best Practices for Establishing and Enforcing a Security Policy in Your Business
With all the viruses, Trojans, spyware, malware, and malicious attacks out there, is your company as prepared as it can be to fend off these threats?
This white paper will provide you with detailed information for establishing and enforcing a security policy so that you have a safety net to fall back on and can ensure that you're making the right decisions at a demanding time. Download this free white paper now!
http://list.windowsitpro.com/t?ctl=7EEC:4FB69

====================

==== 3. Instant Poll ====

Results of Previous Poll:
Do you consider IIS 6.0 to be a secure platform? The voting has closed in this Windows IT Pro Security Hot Topic nonscientific Instant Poll. Here are the results from the 52 votes:
52% Yes
48% No

New Instant Poll:
Do you map the data you collect during wireless-network audits by using tools such as StumbVerter and MapPoint? Go to the Security Hot Topic and submit your vote for
- Yes
- I haven't been, but I plan to
- No, and I don't plan to
http://list.windowsitpro.com/t?ctl=7F00:4FB69

==== 4. Security Toolkit ====

Security Matters Blog
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=7F03:4FB69
Honeynet Project Challenge: Scan 34
The Honeynet Project's latest Scan of the Month challenge is online now and invites you to analyze data collected from an Apache server, a Linux system, an iptables firewall, and a Snort IDS system. If you plan to participate, your forensic analysis is due by May 9.
http://list.windowsitpro.com/t?ctl=7EFE:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=7F01:4FB69
Q: What's new in Windows Server 2003 Service Pack 1 (SP1)?
Find the answer at http://list.windowsitpro.com/t?ctl=7EFB:4FB69

Security Forum Featured Thread: Pushing Software to Client PCs
A forum participant wants to know how to install software on PCs on which the users don't have administrator rights. He needs to push out client software to a few hundred users. He's considering using a Windows Management Instrumentation (WMI) script to set up a scheduled task running as a local admin on each PC. This task would map the drive and run the silent install.
He wonders if that would work or whether there's another option that he should know about. Join the discussion at
http://list.windowsitpro.com/t?ctl=7EF3:4FB69

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Check Out the New Windows IT Security Newsletter!
Security Administrator is now Windows IT Security. We've expanded our content to include even more fundamentals on building and maintaining a secure enterprise. Each issue also features product coverage of the best security tools available and expert advice on the best way to implement various security components. Plus, paid subscribers get online access to our entire security article database! Click here to try a sample issue today:
http://list.windowsitpro.com/t?ctl=7EF9:4FB69

Windows IT Security Monthly Pass = Quick Answers!
Sign up today for your Windows IT Security Monthly Pass and get 24/7 online access to every article on the Windows IT Security Web site, including exclusive subscriber-only content. That's a database of more than 1900 security articles to help you get all the answers you need, when you need them! Sign up now:
http://list.windowsitpro.com/t?ctl=7EF4:4FB69

====================

==== 5. New and Improved ====
by Renee Munshi, products@windowsitpro.com

Manage Windows Firewall
Gravity Storm Software announced the release of Service Pack Manager (SPM) 7.0, which now includes functionality to manage Windows Firewall on networked Windows XP and Windows Server 2003 machines. SPM 7.0 lets you detect all the machines on the network running Windows Firewall, determine which machines are in compliance with your user-defined Windows Firewall policy, and easily distribute your policy. Compliance checks are performed at the level of allowed/blocked ports. Service Pack Manager doesn't require use of Active Directory (AD), Group Policies, or scripting.
For more information or to download a free evaluation copy, go to
http://list.windowsitpro.com/t?ctl=7F0B:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Sponsored Links ====

Quest Software
Heading to Exchange from Notes or GroupWise? Get Expert Help!
http://list.windowsitpro.com/t?ctl=7F10:4FB69

Argent versus MOM 2005
Experts Pick the Best Windows Monitoring Solution
http://list.windowsitpro.com/t?ctl=7F11:4FB69

High Availability for Windows Services
Learn of core issues surrounding Windows high availability - Download this white paper now!
http://list.windowsitpro.com/t?ctl=7EEB:4FB69

====================

==== Contact Us ====
About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=7F0A:4FB69
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=7EF8:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.

From isn at c4i.org Thu Apr 21 01:24:43 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 21 01:44:29 2005
Subject: [ISN] Bastille Linux update: Hardening the OS with help from Uncle Sam
Message-ID:

http://software.newsforge.com/software/05/04/19/1256244.shtml?tid=78&tid=2&tid=79

By Jay Lyman
April 19, 2005

The Bastille Linux project has recently been working with the U.S. government to improve and harden the operating system security software. Project leader Jay Beale took some time to tell NewsForge readers what's been going on recently with Bastille.

NF: You mentioned recently that Bastille Linux has been under major development -- please talk a little bit about what is happening.

Beale: Until today, Bastille could only harden or "lock down" systems. It did this by deactivating unnecessary operating system components and better configuring the ones that remained. It took proactive steps to make a system harder to compromise, reducing the probability that the next item in the attacker's toolkit will be successful against your system.

We've just finished adding reporting functionality to Bastille, so that it can tell you what parts of the system aren't locked down. It examines the system in a read-only fashion, reporting on the status of each of its hardening items. For example, Bastille might check whether the DNS server is locked in a chroot prison, whether telnet is turned off, or even if passwords are required to be a good length. You can take a look at a Web-only demo of this through this link. Bastille's new reporting functionality even assigns you a score, using weights you supply.
These weights allow you to make some items count more than others, or even not count at all. You can use our weights, but you can just as easily use weights that are provided by one of the standards bodies or your organization's IT security or system administration staff.

The score idea is actually pretty central here. When I first heard about it, I thought it was overly simplistic, but people really do get motivated and sometimes even jazzed up about improving the score on a system. They'll get a lower score than their ego tells them they should and will turn around and harden a few items on the box just to achieve a more encouraging score.

Anyway, we're quite excited about Bastille's ability to report on a system. This is an entire second mission for Bastille, though it's quite related to hardening. It's one that we achieved thanks to help both from Hewlett-Packard, which has been donating developer time for a few years now, and from the U.S. government.

NF: What can you tell us about the U.S. government sponsorship?

Beale: This work was sponsored by the U.S. government's Technical Support Working Group (TSWG). TSWG funded the U.S. Navy's Space and Naval Warfare (SPAWAR) Systems Center San Diego to provide Bastille Linux with an auditing capability. The effort also provided for adding some additional Department of Defense hardening steps within Bastille and documentation. The project is called Fort Knox for Linux.

NF: What is your objective right now, and has that changed since the project was started?

Beale: Well, our primary objective is to improve the state of operating system security. In the short term, that means hardening a large number of individual systems. In the long term, that means demonstrating to both the users and the vendors that best practices can be standard practices.

Back in 1999, the Linux distributions all ran the BIND DNS server with superuser (root) privileges. Bastille set BIND to run as a non-root user and locked it in a chroot prison.
When the Lion worm ran around compromising DNS servers in 2001, it had a drastically different effect on the non-Bastilled boxes, where it could fully compromise them and use them as jumping off points to attack other machines. On Bastille [protected] and similarly hand-hardened boxes, it could only knock down the DNS server, but couldn't complete a compromise or spread to other systems. Soon after this worm died down, almost every Linux distribution began running BIND as a non-root user. In the last two years, some have begun chroot-jailing BIND themselves.

The short-term effect of Bastille here was that possibly a hundred thousand Linux DNS servers couldn't be compromised. The long-term effect was that Linux distribution makers gained both familiarity with a couple more hardening steps and confidence that those steps would be palatable to users. Additionally, Linux users came to expect tighter configurations from their distribution vendors.

Our secondary objective has been to teach users and administrators about security so that we could help them make better decisions both in our hardening interview and in their use of IT later, from practice to policy. We're still moving in that direction. The auditing functionality both helps people see what more can be done on a system that's somewhat hardened, and also raises their awareness about host-based security.

NF: What is the biggest challenge for Bastille now?

Beale: There's so much more we'd like to do. We've been focusing on porting to more operating systems and laying down good internal architecture. I'd like to see us continue to increase the number of things we can do on any given operating system. I'd like to get full coverage of standards guides like those available from the Center for Internet Security, [Information Systems Audit and Control Association] (ISACA), and possibly [Defense Information Systems Agency] (DISA).
That might lead naturally to creating content and weights files corresponding to requirements in recent legislation. I'd like to widen our list of supported operating systems just a bit further to include Solaris and FreeBSD. Finally, using our new reporting functionality, I'd like to create hardening items that look for non-standard or unexpected misconfigurations that lead to vulnerabilities the way the open source program Tiger does. For instance, we might find vital directories marked world-writable, like in the local privilege escalation vulnerability discovered on OS X by Eric Hall. Bastille has the infrastructure for this already -- it's just a matter of coding the items. I'm always looking for people to help!

NF: Where is the U.S. government in general on the idea of bolstering security by using Linux and other open source software?

Beale: I don't speak for the government, so I'm not really qualified to answer that, but from what I've seen, the government is exploring a number of ways to enhance computer security through Linux and open source software. TSWG, which I mentioned earlier, is focused on securing critical infrastructure. As a system hardening tool, Bastille provides clear support for that mission. By supporting an open source project rather than someone else's for-spec software, TSWG knows that the software, and thus their improvements, will be around for the long term.

The government gave us a wonderful boost, but it's up to us to continue to enhance and support the technology they've helped us create. We've got a wonderful community of people that have brought Bastille to this point. Bastille started out just hardening Red Hat Linux and MandrakeLinux. Individual developers brought us to Debian (Javier Fernandez-Sanguino) and Gentoo (Brian Stine).
We got on SUSE and TurboLinux with IBM's help (Niki Rahimi) and became the default hardening script for HP-UX via the amazing efforts of Hewlett-Packard developers Keith Buck, Robert Fritz, and Tyler Easterling. Along the way, many others have contributed their time creating code and ideas, as well as beta testing.

NF: What is needed for a more secure Linux and Internet: certifications, deployments, Bastille Linux, or something else?

Beale: The best way to increase Linux system security is to educate users about good systems administration practices: keeping software up-to-date, disabling unused services, hardening default configurations, automating drudgery, backing up regularly, and reading system and error logs. Bastille and the open source community can help by creating and maintaining useful tools. In addition to Bastille, these include complementary kernel-level technology like grSecurity, SeLinux and ExecShield, compromise detection technology like Osiris and Snort, and many others. In the end, however, the best tools in the world can't help if system administrators and users are not proactive about security. Perhaps the single most important task we have before us is explaining to users why security matters.

NF: Anything else you would like to add?

Beale: Bastille has improved tremendously since our last major release. We're always going to have more to do, and we can move faster when users tell us what they need, and when people volunteer their time and effort to help us. All the funding in the world is great, but it's only one part of what makes Bastille work.
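To make the weighted-score idea from the interview concrete, here is an added Python sketch of a read-only audit in that style. It is not Bastille's code: each hardening item is a check that passes or fails against a snapshot of the host (the kinds of items Beale names, such as whether telnet is off, whether the DNS server is chrooted, and whether a minimum password length is enforced), a user-supplied weights table decides how much each item counts, and a weight of 0 drops an item from the score while still listing it in the report. The host snapshot, the weights, the check names and the pass/fail rules are all constructed for this example.

```python
# Constructed snapshot standing in for what a read-only audit would gather
# from /etc, PAM configuration and the process table on a real host.
SAMPLE_HOST = {
    "services_enabled": {"sshd", "telnet", "named"},
    "named_chrooted": True,
    "pam_minlen": 6,
    "world_writable_dirs": ["/var/tmp/app"],
}

# Constructed user-supplied weights; 0 means "report it, but don't count it".
SAMPLE_WEIGHTS = {
    "telnet_disabled": 3.0,
    "dns_chrooted": 2.0,
    "password_min_len": 1.0,
    "no_world_writable": 0.0,
}


def check_telnet_disabled(host):
    return "telnet" not in host["services_enabled"]


def check_dns_chrooted(host):
    # The item only applies when named runs; a host without it passes.
    return "named" not in host["services_enabled"] or host["named_chrooted"]


def check_password_min_len(host, minimum=8):
    return host["pam_minlen"] >= minimum


def check_no_world_writable(host):
    return not host["world_writable_dirs"]


CHECKS = {
    "telnet_disabled": check_telnet_disabled,
    "dns_chrooted": check_dns_chrooted,
    "password_min_len": check_password_min_len,
    "no_world_writable": check_no_world_writable,
}


def audit(host, weights):
    """Run every check read-only. Returns (score_percent, per-item results).
    score = weight of passed counted items / weight of all counted items * 100.
    Items missing from `weights` default to weight 1.0."""
    results = {}
    earned = possible = 0.0
    for name, check in CHECKS.items():
        passed = bool(check(host))
        weight = float(weights.get(name, 1.0))
        results[name] = {"passed": passed, "weight": weight, "counted": weight > 0}
        if weight > 0:
            possible += weight
            if passed:
                earned += weight
    score = round(100.0 * earned / possible, 1) if possible else 0.0
    return score, results


def report(host, weights):
    """Human-readable version of audit(), one line per item."""
    score, results = audit(host, weights)
    lines = [f"Hardening score: {score}%"]
    for name, r in sorted(results.items()):
        status = "PASS" if r["passed"] else "FAIL"
        note = "" if r["counted"] else " (not counted)"
        lines.append(f"  [{status}] {name:<20} weight={r['weight']}{note}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_HOST, SAMPLE_WEIGHTS))
```

With the constructed snapshot, only the chrooted DNS item passes, so the host scores 2 of 6 weighted points (33.3%); the world-writable directory is reported but, at weight 0, does not move the score. Swapping in a different weights table is all it takes to score the same host against a different policy, which is the point of keeping checks and weights separate.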
-=- Links

"Bastille Linux" - http://www.bastille-linux.org/
"link" - http://www.bastille-linux.org/Reporting/audit-report.html
"Fort Knox for Linux" - http://fortknox.sourceforge.net/
"Lion worm" - http://www.sans.org/y2k/lion.htm
"Center for Internet Security" - http://www.cisecurity.org/
"ISACA" - http://www.isaca.org/
"DISA" - http://www.disa.mil/
"Tiger" - http://www.net.tamu.edu/network/tools/tiger.html
"grSecurity" - http://www.grsecurity.net/
"SeLinux" - http://www.nsa.gov/selinux/
"ExecShield" - http://people.redhat.com/mingo/exec-shield/
"Osiris" - http://osiris.shmoo.com/
"Snort" - http://www.snort.org/

From isn at c4i.org Thu Apr 21 01:25:00 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 21 01:44:31 2005
Subject: [ISN] Bank attack used key-loggers costing just £20
Message-ID:

http://www.vnunet.com/news/1162595

Peter Warren
Computing
20 April 2005

The hacker attack on Sumitomo Mitsui bank last month involved the use of keyboard logging devices costing as little as £20 each, according to sources close to the investigation.

Computing has learned that the attempt to steal an estimated £220m from the London office of the Japanese bank relied on battery-sized hardware bugging devices plugged into PCs' USB ports. Users' keyboards were connected to these key-loggers, which recorded details of everything typed into the system.

Sources claim that cleaning staff -- or people posing as cleaners -- were able to attach the devices to machines. When the plot was uncovered, bank investigators found some of the devices still attached to the back of PCs.

The bugging kits, known as hardware key-loggers, can be bought from spy shops for about £20. They are difficult to detect unless someone physically examines the back of the machine. The devices can then download passwords and other data used to gain access to the computer system.

"It is known that people have been using devices such as these because you can buy them from shops.
It is highly likely that they have been used in other scenarios," said Paul Docherty, technical director of consultancy Portcullis Computer Security.

Many banks are now believed to be permanently connecting keyboards and other devices into their computers to prevent similar attacks. Sources say some banks have also banned wireless keyboards in offices.

"This type of scam has been going on for a while. This is an old, old issue, and people have been talking about it being a weakness for at least two years now," said a source.

Sumitomo is now believed to have deployed sophisticated software that monitors the electrical current in computer systems and can tell if they are being tampered with.

A spokesman for the bank declined to comment on the investigation.

From isn at c4i.org Thu Apr 21 01:25:49 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 21 01:44:33 2005
Subject: [ISN] Ameritrade warns clients about potential data breach
Message-ID:

Forwarded from: Faust

http://www.nwfusion.com/news/2005/0420ameriwarns.html

By Todd R. Weiss
Computerworld
04/20/05

A computer backup tape containing account information of more than 200,000 Ameritrade clients was apparently lost or accidentally destroyed while being shipped, prompting the online investment brokerage to notify the clients of a potential breach.

Donna Kush, a spokeswoman for the Omaha-based company, Wednesday confirmed that a package of data backup tapes was damaged in transit in late February by a shipping company that isn't being named. Four of the tapes in the package disappeared after the package was damaged, but three were later found by the shipper during a search of its facility, she said. The fourth tape is still missing and is presumed to still be lost in the facility or to have been destroyed accidentally.

"We do believe that foul play was not involved," Kush said. "We don't feel that any of the [client] information has led to any misuse."
The backup tapes held account information for clients and former clients from 2001 to 2003, Kush said. Last week, the clients began receiving letters from Ameritrade telling them of the incident and offering one free year of credit-protection services from Identity Track.

Chantilly, Va.-based Identity Track monitors credit profiles and alerts clients to activity that may indicate identity theft -- including recent inquiries, new accounts or address changes. Consumers can also access and review their credit reports.

In its letter to clients, Ameritrade said it's adding another layer of security to their accounts. Kush wouldn't discuss what is being done in detail. "We're evaluating our processes and procedures on what we do here and are making some changes," she said.

Kush said the company acted as quickly as possible after learning in late February that the tapes were missing. "It took some time to work with the [shipping] vendor" after the loss was discovered, she said. "It took some time just to find those three tapes." More time elapsed as the search continued for the fourth tape. "We feel we acted promptly," she said.

The backup tapes weren't labeled with Ameritrade's name or logo or any other identifiable information, Kush said. Although the data on the tapes was compressed and special equipment would be needed to read it, the information wasn't encrypted.

Under California law, which mandates that customers be told of potential data breaches, the company would have been required to notify about 175,000 of the affected former and current clients. But Ameritrade chose to send letters to all potentially affected clients.

The incident differs from several other recent high-profile data loss cases, which largely involved computer system break-ins or the thefts of actual computers.
Last week, about 106,000 alumni of Tufts University in Boston were notified that personal information stored on a server used by the university for fund raising could have been exposed to intruders.

Last month, officials at the University of California, Berkeley, said they were notifying more than 98,000 graduate students and applicants about the theft of a laptop computer on campus containing their names, Social Security numbers and other personal information.

Another data breach in March at data broker LexisNexis may have exposed personal information of some 320,000 people (see story), while credit and personal information vendor ChoicePoint sold personal information on about 145,000 people to thieves posing as legitimate businesses. That incident was made public in February.

From isn at c4i.org Thu Apr 21 01:26:29 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 21 01:44:37 2005
Subject: [ISN] Bill to promote cybersecurity chief moves forward
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/35577-1.html

By Wilson P. Dizard III
GCN Staff
04/20/05

A House subcommittee today approved a bill that would elevate the Homeland Security Department's cybersecurity director to the level of an assistant secretary in the Information Analysis and Infrastructure Protection Directorate.

The House Homeland Security Subcommittee on Economic Security, Infrastructure Protection and Cybersecurity passed HR 285, the Cybersecurity Enhancement Act of 2005, by unanimous voice vote.

The bill specifies that the assistant secretary for cybersecurity will lead the directorate's National Cybersecurity Division. It calls for the division to identify threats and vulnerabilities, reduce vulnerabilities, launch warning systems and respond to cyberattacks.

Rep. Zoe Lofgren (D-Calif.), a subcommittee member, had introduced similar legislation earlier this year along with Rep.
Mac Thornberry (R-Texas), who formerly chaired a now-superseded Select Committee on Homeland Security subcommittee in the 108th Congress. The two lawmakers helped move a similar bill out of committee last year, but it was blocked by opponents who contended that cybersecurity and physical security oversight should remain linked.

Rep. Tom Davis (R-Va.) offered and withdrew an amendment that would have mandated a study of the department's cybersecurity activities and possible reorganization. Davis, chairman of the House Government Reform Committee, has serious doubts about the wisdom of elevating the cybersecurity slot to the assistant secretary level, according to his staff.

"Chairman Davis believes Congress gave DHS broad reorganization powers, and he will not support the legislation unless the secretary of Homeland Security supports it," said Melissa Wojciak, the committee's staff director, at a panel discussion sponsored by the Association for Federal Information Resources Management in Washington. "The position, the chairman believes, may duplicate some of what" the Office of Management and Budget does, Wojciak said.

From isn at c4i.org Thu Apr 21 01:26:49 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Apr 21 01:44:40 2005
Subject: [ISN] Researchers Propose Early Warning System for Worms
Message-ID:

http://www.eweek.com/article2/0,1759,1788294,00.asp

By Ryan Naraine
April 20, 2005

Researchers at the University of Florida have designed an Internet-worm early warning system that offers a new approach to pinpointing the first sign of a malicious network attack.

Shigang Chen and Sanjay Ranka, professors in the university's Computer and Information Science and Engineering department, outlined the plumbing for the system in a research paper (here in pdf [1]) that promises a fix for known weaknesses in existing early warning mechanisms.
The paper focuses on TCP-based worms and identifies ways of avoiding false positives by looking at reply traffic from the targets instead of monitoring Syn (synchronization) packets to keep track of half-open connections.

"Our proposal integrates a set of techniques that can automatically detect the concerted scan activity of an ongoing worm attack," Chen explained. In an interview with Ziff Davis Internet News, he said the system monitors a "used" address space and relies on RESET packets to find the scan sources. "This has greater accuracy and makes the system resilient to antimonitor measures," he added.

The paper does not provide details on how worm propagation warnings would be distributed or how the system would arrange detection of UDP (User Datagram Protocol)-based worms, but Chen argues that the research can be easily expanded to solve those issues.

"Once the system is in place and worm propagation is detected, you can use all kinds of distribution mechanisms to get the alarm out. You can set up subscriptions to distribute the data via e-mail, pagers, newsgroups or any other existing mechanism," he said.

Chen's group has also designed a distributed anti-worm system, described here in pdf, that offers perimeter-based defense against high-bandwidth distributed denial-of-service attacks. That system, Chen said, can be used by ISPs to provide security service to customers.

With the worm early warning system, dubbed WEW, Chen said he believes the "open problem" of thwarting attacks like the destructive Blaster, CodeRed, Nimda and Sasser worms could be minimized.

"The problem has not been solved because nobody is detecting worms in time. As we've seen with the big attacks, they were already widespread before the industry could figure out it was a worm attack," Chen said.

Chen and Ranka's proposal also includes an antispoof protocol that filters out the false scan sources to identify possible worm-infected hosts.
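The reply-traffic idea described above, as an added Python example that is not the authors' WEW code: a gateway sensor records outbound TCP RST packets (the reply a closed port gives to a probe), attributes each RST to the external address that provoked it, and raises an alert once RSTs have gone back to one address from many distinct internal hosts. The most common probed port is reported as a crude shared signature for an analyst. The log format, the addresses, the threshold and the sample records are this example's own constructions. The rule that an outbound RST only counts when the matching inbound SYN was also seen is a minimal stand-in for the paper's antispoof protocol, which the article does not describe; it filters stray RSTs to traffic the sensor never observed but does not by itself defeat a sender who spoofs the SYNs.

```python
import re
from collections import Counter, defaultdict

# One record per TCP packet crossing the gateway. The format is this
# example's own: "<time> <IN|OUT> <src>:<sport> -> <dst>:<dport> <flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>IN|OUT) (?P<sip>[\d.]+):(?P<sport>\d+)"
    r" -> (?P<dip>[\d.]+):(?P<dport>\d+) (?P<flags>\S+)$"
)


def parse(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_scan_sources(lines, min_targets=5):
    """Flag external addresses that drew RSTs from at least `min_targets`
    distinct internal hosts. An outbound RST counts only if the sensor also
    saw the inbound SYN it answers (see the note in the lead-in)."""
    syns_seen = set()                    # (ext_ip, ext_port, int_ip, int_port)
    targets = defaultdict(set)           # ext_ip -> internal hosts that sent RST
    probed_ports = defaultdict(Counter)  # ext_ip -> internal ports probed
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["dir"] == "IN" and rec["flags"] == "SYN":
            syns_seen.add((rec["sip"], rec["sport"], rec["dip"], rec["dport"]))
        elif rec["dir"] == "OUT" and "RST" in rec["flags"]:
            key = (rec["dip"], rec["dport"], rec["sip"], rec["sport"])
            if key not in syns_seen:
                continue  # RST for a probe we never saw: ignore it
            targets[rec["dip"]].add(rec["sip"])
            probed_ports[rec["dip"]][rec["sport"]] += 1
    alerts = []
    for ext_ip, hosts in targets.items():
        if len(hosts) >= min_targets:
            port, rst_count = probed_ports[ext_ip].most_common(1)[0]
            alerts.append({"source": ext_ip, "targets": len(hosts),
                           "port": port, "rst_count": rst_count})
    alerts.sort(key=lambda a: (-a["targets"], a["source"]))
    return alerts


def _scanner_lines(ext_ip, ext_port, port, hosts):
    """Constructed probe/RST pairs for one address sweeping `port`."""
    out = []
    for i, host in enumerate(hosts):
        out.append(f"12:00:{i:02d} IN {ext_ip}:{ext_port + i} -> {host}:{port} SYN")
        out.append(f"12:00:{i:02d} OUT {host}:{port} -> {ext_ip}:{ext_port + i} RST,ACK")
    return out


# Constructed sample: one address sweeping port 135 across eight internal
# hosts, one normal web client, one stale session that draws a single RST,
# one outbound RST with no matching inbound SYN, and one unparseable line.
SAMPLE_LOG = _scanner_lines("203.0.113.7", 40000, 135,
                            [f"10.0.0.{n}" for n in range(5, 13)]) + [
    "12:00:09 IN 198.51.100.20:51000 -> 10.0.0.5:80 SYN",
    "12:00:09 OUT 10.0.0.5:80 -> 198.51.100.20:51000 SYN,ACK",
    "12:00:10 IN 198.51.100.30:52000 -> 10.0.0.9:443 SYN",
    "12:00:10 OUT 10.0.0.9:443 -> 198.51.100.30:52000 RST,ACK",
    "12:00:11 OUT 10.0.0.3:22 -> 192.0.2.9:5555 RST",
    "this line is garbage and is skipped",
]


if __name__ == "__main__":
    for alert in find_scan_sources(SAMPLE_LOG):
        print(alert)
```

Counting distinct internal hosts rather than raw RSTs is what keeps the single stale session from looking like a scan, and it is also why the article calls this approach more robust than tracking half-open connections: the sensor never has to hold state for every SYN it sees, only for those that produced a RST.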
It also proposes the use of a new performance metric, system sensitivity, to capture the responsiveness of an early warning system in reporting an ongoing worm. In theory, Chen sees the early warning system deployed at the gateway of a large enterprise network to collect samples of Internet scan activities. "The system detected potential worm outbreak by analyzing the pattern of increase in external scan sources and comparing their similarity," the researcher wrote. "It captures the common signature from those sources in order to assist human analysis or automatically reconfigure a filtering device to block them," he added. The primary task of Chen's worm early warning system is to monitor outbound TCP RESET packets which would indicate failed inbound connection attempts, Chen explained. To work around the problem of false positives, the paper proposes to filter out false scan sources. "The goal is to have a system to issue warnings at the very early stages of an attack and to provide information for security analysts to control the damage." Chen said the system can be deployed locally or codeployed among a group of enterprise networks to provide comprehensive worm-detection capabilities. Chen said "honeypots" would be used to capture the attack signatures of the scanning hosts, but conceded that the issue of creating signatures was not fully addressed in the proposal. He likened the need for an Internet-worm early warning system to similar mechanisms that deal with real-life disasters like hurricanes, floods and tornados. "In the Internet world, the damage may not be loss of lives, but it's still very significant," Chen said. "The network worm is still the number one threat in the enterprise. It costs hundreds of millions of dollars every year to fix compromised machines and clean up from a major attack." "An early warning system gives you some time to take urgent action ahead of worm propagation. 
Just like with the hurricane warnings, you can learn about the nature of the attack and figure out ways to put defense systems in place before it becomes widespread," he added.

[1] http://www.cise.ufl.edu/~sgchen/papers/JSAC2005.pdf

From isn at c4i.org Thu Apr 21 01:36:21 2005 From: isn at c4i.org (InfoSec News) Date: Thu Apr 21 01:44:43 2005 Subject: [ISN] WiPhishing hack risk warning Message-ID:

http://www.theregister.co.uk/2005/04/20/wiphishing/

[Since changing the default SSID from Linksys to (202) 323-3205, it seems the number of malicious wardrivers and hotspot hackers prowling around has gone down significantly in my part of town. =) - WK]

By John Leyden 20th April 2005

You've heard of war driving and phishing but now there's yet another reason to wear a tin-foil hat every time you surf the net. "WiPhishing" (pronounced why phishing) involves covertly setting up a wireless enabled laptop or access point in order to get wireless-enabled laptops to associate with it as a prelude to hacking attacks. An estimated one in five access points use default SSIDs (such as linksys). By guessing the name of a network that target machines are normally configured to connect to a hacker could (at least in theory) gain access to data on a laptop or introduce malicious code. The scenario is plausible. But like the 'evil twins' risk of earlier this year this is probably a well understood risk given a catchy moniker, backed by an energetic marketing campaign. Nicholas Miller, chief exec of Cirond Corporation, and the man who coined the term WiPhishing, was unable to cite incidents of any actual WiPhishing attacks. Nonetheless he maintained WiPhishing posed a greater threat than war driving. Instead of hackers with laptops trying to break into wireless networks, with WiPhishing you have hackers with networks trying to break into wireless networks.
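The detection idea in the eWeek item above (monitor outbound TCP RST packets as evidence of failed inbound connection attempts, count the external sources that draw them, and warn when the number of scan sources keeps climbing) can be sketched in a few dozen lines. The block below is an added illustration written for this digest; it is not code from Chen and Ranka's paper, and the window length, the five-host threshold, the three-window rising rule and all addresses and ports are constructed assumptions. The paper's antispoof filtering is not reproduced here.

```python
"""Toy worm early-warning detector in the spirit of the WEW idea
described above: watch outbound TCP RST packets, treat each RST as a
failed inbound connection attempt, and raise a warning when the number
of distinct external scan sources grows window over window.
All traffic below is constructed sample data; the thresholds and
window sizes are assumptions, not values from the paper."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since capture start
    src: str         # IP that sent the packet
    sport: int       # TCP source port
    dst: str         # IP that receives the packet
    flags: str       # TCP flag letters, e.g. "S", "RA", "PA"
    direction: str   # "out" = leaving the enterprise, "in" = entering


def scan_sources(packets, window_start, window_len, min_targets=5):
    """External addresses that drew RST replies from at least
    `min_targets` distinct internal hosts inside one time window.
    Only outbound packets carrying RST count: an internal host
    answering RST means someone outside tried a closed port on it."""
    targets = defaultdict(set)            # external src -> internal hosts replying
    for p in packets:
        if p.direction != "out" or "R" not in p.flags:
            continue
        if not (window_start <= p.ts < window_start + window_len):
            continue
        targets[p.dst].add(p.src)
    return {ext for ext, hosts in targets.items() if len(hosts) >= min_targets}


def scan_source_trend(packets, window_len, num_windows, **kw):
    """Number of scan sources in each consecutive window."""
    t0 = min(p.ts for p in packets)
    return [len(scan_sources(packets, t0 + i * window_len, window_len, **kw))
            for i in range(num_windows)]


def worm_warning(trend, rising_windows=3):
    """Warn when the scan-source count rose in each of the last
    `rising_windows` windows; one busy window alone is not enough."""
    if len(trend) <= rising_windows:
        return False
    tail = trend[-(rising_windows + 1):]
    return all(later > earlier for earlier, later in zip(tail, tail[1:]))


def common_target_ports(packets, sources):
    """Ports probed by every flagged source. The source port of an
    outbound RST is the port the scanner tried; worms usually hit one
    port, so this is the crude 'common signature' an analyst starts from."""
    ports_by_src = defaultdict(set)
    for p in packets:
        if p.direction == "out" and "R" in p.flags and p.dst in sources:
            ports_by_src[p.dst].add(p.sport)
    if not ports_by_src:
        return set()
    return set.intersection(*ports_by_src.values())


def build_sample():
    """Constructed traffic: four 10-second windows with 1, 2, 4 and 7
    scanners (each probing port 445 on six internal hosts), one benign
    external host whose attempts to two hosts fail, and ordinary
    packets that must be ignored."""
    pkts = []
    for w, n_scanners in enumerate([1, 2, 4, 7]):
        base = w * 10.0
        for s in range(n_scanners):
            scanner = f"198.51.100.{w * 10 + s + 1}"
            for h in range(6):
                pkts.append(Packet(base + s + 0.1 * h, f"10.0.0.{h + 1}", 445,
                                   scanner, "RA", "out"))
        for h in range(2):   # benign: a relay retrying a closed port
            pkts.append(Packet(base + 5.0 + h, f"10.0.0.{h + 20}", 25,
                               "203.0.113.250", "RA", "out"))
        pkts.append(Packet(base + 1.0, "10.0.0.50", 51000, "203.0.113.7", "PA", "out"))
        pkts.append(Packet(base + 2.0, "203.0.113.9", 40000, "10.0.0.50", "S", "in"))
    return pkts


if __name__ == "__main__":
    sample = build_sample()
    trend = scan_source_trend(sample, window_len=10.0, num_windows=4)
    print("scan sources per window:", trend)           # [1, 2, 4, 7]
    print("worm warning:", worm_warning(trend))         # True
    last = scan_sources(sample, 30.0, 10.0)
    print("ports common to scanners:", common_target_ports(sample, last))  # {445}
```

Two limits worth keeping in mind when reading the article's claims: hosts behind a firewall that silently drops probes never answer RST, so they are invisible to this signal, and an attacker who spoofs source addresses can make innocent hosts appear as scan sources, which is the false-positive problem the paper's antispoof protocol is meant to address.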
He said that even companies with wired networks were at risk from the attack if the wireless access functions of corporate laptops happened to be left on. By hijacking the legitimate connection to a traditional wired computer network, hackers might be able to exploit the soft underbelly of corporate networks and launch even more invasive attacks. Cirond held a press conference at the wireless LAN event in London today in order to discuss WiPhishing and discuss its enterprise tools to control how and when wireless technology is used by employees (AirSafe Enterprise) and its wireless intrusion detection appliance (AirPatrol Enterprise).

From isn at c4i.org Sat Apr 23 08:14:05 2005 From: isn at c4i.org (InfoSec News) Date: Sat Apr 23 08:25:06 2005 Subject: [ISN] Moderators Note: Rare Saturday ISN! Message-ID:

Forwarded from: William Knowles

Just a quick note, We've been having some software issues with Mailman so that's the reason some Fridays there has been no InfoSec News. This batch, while pretty small, should still whet the appetite for the hardcore information security news junkie until Monday. I will have an announcement soon on some major upgrades with InfoSec News that I am really excited about. On an unrelated note, but something I feel should get a brief mention, one of our users on C4I.org got his papers to join his reserve unit in Iraq, the financial hardship will mean a 60% decrease in his salary and he's selling a number of his personal belongings on eBay so that his wife can afford to keep up the house together until he returns around November 2006. The Army does not consider a drop in income something bad, but expected. I will mention that he's one of the most patriotic Americans I have ever met and we're doing what we can to help him come back to the U.S. with everything he left with. Also, a 100% satisfaction score for 467 items sold on eBay shows you that he's not out to mess with anyone.
One item he has up for sale now is a Linksys Wireless A+G wireless notebook card signed by Kevin Mitnick at Defcon 11. This may or may not do anything for you with Kevin's autograph on it but the current price is at $19.00 with a day and a half to go. http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=5768454441 Check out that auction, check out his other items for sale, and maybe add him as one of your favorite sellers, keep in mind he will be selling a lot of computer hardware and other gear in the coming weeks. But it will be to help keep the mortgage payments going and to buy the additional gear to protect him from all the insurgents wanting nothing less than to kill Americans there helping their country in the transition from the iron fisted rule of Saddam Hussein. I'm sorry if this all sounds campy, but tears are welling in my eyes as I write this. :( Have a wonderful and safe weekend, see you again on Monday, Cheers!

William Knowles wk@c4i.org
*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Sat Apr 23 08:14:38 2005 From: isn at c4i.org (InfoSec News) Date: Sat Apr 23 08:25:23 2005 Subject: [ISN] Apple's Big Virus Message-ID:

Forwarded from: Richard Forno

http://www.theregister.co.uk/2005/04/21/apples_big_virus/

By Kelly Martin SecurityFocus 21st April 2005

After your identity has been stolen, your bank accounts compromised, 53 critical patches and 27 reboots later, when will you decide that you've had enough? Back in 1984, William Gibson's Neuromancer had an incredibly bleak view of our future with technology -- from social decay to daily security breaches based on greed and corruption.
This dystopian view is one that many people forget, because Gibson of course coined the term cyberspace even before he'd ever used a computer to any great extent. As a favorite author of mine, he seems to have since discovered there's some joy to the Internet after all, and you might even say that he's never looked back. I've never had a dystopian view of technology, but I do think we're pulling the general population forward into a realm of the underworld that they're simply never going to "get." Let's step beyond the growing privacy issues, the identity theft and so on for a moment. It's so easy to become accustomed to technology and all its failings, where viruses, trojans and such have become a fact of life -- for Microsoft Windows users, at least. We've come to accept the countless virus infections, the Trojan that steals passwords, and the loss of an average user's identity as inevitable and acceptable, and it makes me wonder if we're taking our users down the right path. Same old story? Not really. Alternative environments like Apple and Linux are finally catching on. Unit sales of Apple Computer's OS X based computers grew by 43% in the past quarter, over the same time last year -- in business terms, that's incredible growth. Revenue grew by 70%, and profit grew by an unbelievable 530%, thanks to the little music revolution they call the iPod and the iTunes Music Store. What's fueling Apple's growth, besides the infamous iPod halo effect? Security. Either it's the perceived security that is thought to be better in OS X, or it's the documented lack of security in the Windows world. By that, I mean that you can't assume everyone who owns Genuine Windows is running XP with Service Pack 2, which has some improved security features -- because there are a few hundred million people out there still running Windows 2000, 98, or something else. No, they don't have automatic updates, and no, they may never understand what a firewall is. 
Anyone who works hands-on in the security field has his own experience spending countless hours removing viruses and spyware, or becoming adept at formatting and reinstalling (or laying down a new image), patching, immunizing, and so on. Whether it's in your large corporate environment or your Uncle Bob's computer at home, it all takes time. Here's a simple example of a recent virus incident, and one organization's lackluster information response. I discovered a nasty Trojan on a relative's computer. He's a prominent member of the federal government and uses his computer for online banking, so I urged him to contact his bank. The response the customer received from the Royal Bank, the largest bank in Canada and one of the 10 largest banks in the world, was interesting. The representative said that their systems are secure enough that a Trojan or virus cannot infect them -- but she said thanks for calling to let them know his home computer had been infected, that his accounts may have been compromised, and have a nice day. No discussion about stolen passwords, identity theft, or even the need to change his online password. Get some better anti-virus software, she said. And again, have a nice day. The person on the line didn't "get it," and I can assure you that my relative didn't really "get it" either until after a long talk. With confirmation from his bank, he was now confident that his system, the same one with the Trojan and the keylogger still on it, was perfectly fine. A virus is normal; it's a fact of life. It's no big deal, right? Why not just email me your SSN, your credit card numbers, and date of birth then -- or print it out on paper and post it in the street? The typical user is now forced to use the computer on every desktop, but must he also become an MCSE to administer it? Viruses don't have to be a fact of life. There are no viruses on OS X -- not a single one.
The reason most often touted is Apple's lack of critical mass, but that argument has been beaten to death. There are millions of OS X computers out there. It's not that a virus couldn't be written for it either. Far from it. The soft underbelly of Unix (or Darwin, an open-source Unix like OS similar to FreeBSD) is just as vulnerable as the eye-candy applications that run on top of it. Step back from Apple's three-tiered user privilege system (user, GUI superuser, and root, which is disabled by default) and understand that users can still be tricked into clicking on anything -- social engineering will always work, and there will always be people who click. Why, then, are there no viruses for OS X? Just as Windows users have become accustomed to 140,000 viruses, Apple users have become accustomed to none. It's a major cultural difference that admittedly, sometimes causes Apple users to do stupid things -- and get away with them. It's hard to describe the freedom of using a system with no malware known to have spread. It's liberating. Beyond critical mass, I would like to believe there's a better reason for the lack of viruses on OS X, and it's based on the culture of the Mac -- which is distinctly different from other platforms. Is it wrong to try a new computer system and actually enjoy the user experience, for a change? Can you imagine a world where (today) you can click on anything and never worry about malicious intent? Can we not continue this unwritten rule that there can be a platform out there that is simple, easy-to-use, with Unix (and a cool ports tree) underneath that has no threat at all from viruses? Perhaps I'm living in a pipe dream, but that reality is here today. Linux is also close, but OS X is already there. Perhaps Apple's big virus is really just the market enthusiasm that translates to new unit sales, spread like a contagion, that fuels their 70% year-over-year revenue growth.
I held off writing this column for the better part of a year, because many SecurityFocus readers have the intellect, talent and ability to write a virus that could be quite nasty on OS X. There's the general notion that (shh!), any added exposure to the platform might bring it out of the limelight. But if a Windows programmer or security researcher can try a new operating system and enjoy it just enough to not want to destroy it, then there's hope for us all. I should have also prefaced this column with the disclaimer that most SecurityFocus staff use OS X in some way or another, if not at work then at home, so we're somewhat biased. After covering multi-platform security news all day long, from WiFi penetration testing to intrusion detection and honeypots, at the end of the day it's nice to use a system that's not on everyone's radar for a change. Let's keep it that way.

Copyright (c) 2005, SecurityFocus

Kelly Martin has been working with networks and security for 18 years, from VAX to XML, and is currently the content editor for Symantec's independent online magazine, SecurityFocus.

From isn at c4i.org Sat Apr 23 08:14:22 2005 From: isn at c4i.org (InfoSec News) Date: Sat Apr 23 08:25:26 2005 Subject: [ISN] In the security hot seat (was re: Symantec on crack) Message-ID:

Forwarded from: security curmudgeon
Cc: send-letters-to-news@cnet.com, tim_mather@symantec.com

In the security hot seat
By Eileen Yu
http://news.com.com/In+the+security+hot+seat/2008-7355_3-5681205.html
Story last modified Fri Apr 22 11:08:00 PDT 2005

Like most information security professionals, Tim Mather focuses on keeping hackers out of his company's network and ensuring all systems are updated with the latest patch. And like most of his peers in the industry, he worries about the level of sophistication of the next security attack and looks at what his team needs to do to fend off the most vicious ones. But the difference here is that Mather works for Symantec.
As chief information security officer at a company known for its antivirus products, he faces challenges particular to his role.

[..]

Will you hire hackers to join your team? You know, so you can get them off the streets?

Mather: No, absolutely not, absolutely not. Wouldn't even touch them with a 10-foot pole.

[..]

-- Uh, excuse me? Is Tim Mather outright lying or completely ignorant of who he works for? This crap he is peddling can't even be used for a pathetic attempt at "plausible deniability". Hey Eileen, why didn't you press this windbag on his lies?

http://www.symantec.com/press/2004/n040916b.html Symantec to Acquire @stake

Hey Tim, who work[s|ed] at @stake? How did they build their name? Hint: by hiring a well known group of HACKERS known as the "l0pht". Weld Pond (not his real name), Dildog (not his real name), Mudge (not his real name), et al .. guess what, they are hackers. Some of them work for Symantec.

http://www.symantec.com/press/2002/n020717.html Symantec to Acquire SecurityFocus

Hey Tim, who work[s|ed] for SecurityFocus? Kevin Poulsen (sound vaguely familiar?), Aleph1, Synapse, et al.. guess what, they too are hackers. Some of them work for Symantec.

http://www.symantec.com/press/2002/n020717b.html Symantec to Acquire Riptech
http://www.symantec.com/press/2002/n020717a.html Symantec to Acquire Recourse Technologies

Think these companies were hacker free? I'll refrain from outing the *hackers* that work for Symantec that are currently subscribed to ISN (you know who you are!). And that is just the *beginning* of the hacker stories centered around your company.

"And this idea that they've reformed themselves--I don't buy it, not in the least." -- Tim Mather, Symantec

Yah.

-- [..] In an interview with CNETAsia, Mather reveals that his company gets inundated with a barrage of hacking attacks simply because of what it is. Some of these attempts have gotten "pretty close," he says. [..]
-- Where by "pretty close" you mean your main web page defaced, right? 08/02/1999: http://www.symantec.com http://www.zone-h.org/en/defacements/view/id=2930/ And I guess the 'small business' page doesn't count? 01/20/2001: http://smallbiz.symantec.com http://www.zone-h.org/en/defacements/view/id=12031/ I'm not sure who to laugh at more.. Tim or Eileen. security curmudgeon ps: i tried calling Tim, but only got his voice mail =( From isn at c4i.org Sat Apr 23 08:14:51 2005 From: isn at c4i.org (InfoSec News) Date: Sat Apr 23 08:25:29 2005 Subject: [ISN] Fake Hospital Inspectors Probed Message-ID: http://www.washingtonpost.com/wp-dyn/articles/A7680-2005Apr21.html By David Brown Washington Post Staff Writer April 22, 2005 The FBI and other law enforcement agencies are looking into incidents in which people masquerading as unannounced inspectors were found poking around three hospitals in Boston, Detroit and Los Angeles. In each case the impostors were stopped by security guards or hospital staff, and then either left or were expelled. No one has been arrested, and neither the identity of the intruders nor their motives are known. "There is no working hypothesis. It could be any number of things, from identity theft to something more nefarious," an FBI spokesman, who declined to be named, said yesterday. The Department of Homeland Security is also "aware of these suspicious reports," said Brian Roehrkasse, a department spokesman. He added the agency does not have "any intelligence information that indicates al Qaeda is planning an attack or targeting hospitals." Virtually all U.S. hospitals are subject to unannounced inspections by surveyors from the Joint Commission on Accreditation of Healthcare Organizations (JCAHO). The surveyors can ask to see hospital records, gain admittance to nonpublic areas, and watch people work. In all three incidents, the impostors implied or stated outright they were JCAHO surveyors. 
In the past the organization has occasionally gotten reports of people falsely claiming to be its inspectors. Usually, though, they were seeking favored treatment, such as moving ahead of others in the emergency room or getting copies of a patient's medical chart. That was not the case in the recent incidents, which occurred from late February through mid-March. "We decided that this represented a pattern of behavior that we had not seen before, and our anxiety level went up," said Joe Cappiello, JCAHO's vice president for accreditation/field operations. In the first, a well-dressed man and woman were stopped by a security guard at a Los Angeles hospital about 2 a.m. They showed badges similar to those issued by JCAHO and asked to be let in. When the guard asked for more identification, they retreated, saying they were at the wrong hospital. The second incident occurred three days later at a hospital in Boston. A well-dressed man described as being 35 to 40 and of South Asian or Middle Eastern descent was stopped about 3 a.m. "He seemed to have some authority about him, and again when pressed for identification that person fled the medical center," Cappiello said. About a week later, a woman was found in the maternity ward of a Detroit hospital. She identified herself as a Joint Commission surveyor but fled when staff members asked more questions. A fourth incident, which occurred in daylight hours on March 27 at a hospital in Sussex County, N.J., was deemed unrelated to the others. In that one, three men told a security guard they were doctors, and asked for a hospital directory and information about bed capacity and services. They did not mention JCAHO. It is unclear whether any of the impostors in the three incidents participated in more than one. An FBI spokesman said he was "not going to get into any specifics." 
Neither JCAHO nor the FBI would identify the hospitals, and officials at the hospital associations in California, Massachusetts and Michigan said they did not know. The Joint Commission sent two security alerts to the 5,000 medical institutions it accredits, describing the incidents and warning the hospitals to be on the lookout for suspicious activities. "It might all be coincidence," Cappiello said. Although hospitals have been named as possible terrorist targets, he noted they also may be attractive to people wanting to steal drugs, expensive equipment or identity information. JCAHO surveyors go to about 1,700 hospitals a year, with about 300 of the visits unannounced. Only a few are done outside usual work hours, and those are usually to investigate complaints made about specific night-shift activities. In response to the three incidents, the organization said that all unannounced surveyors will now carry a letter signed by its executive vice president. Ron Czajkowski, vice president of the New Jersey Hospital Association, said his organization used to post on its Web site the names of Joint Commission surveyors working in the state. It stopped that practice two weeks ago.

From isn at c4i.org Sat Apr 23 08:16:18 2005 From: isn at c4i.org (InfoSec News) Date: Sat Apr 23 08:25:32 2005 Subject: [ISN] Wood River student expelled for hacking into computer Message-ID:

Forwarded from: matthew patton

> He was also a four-year member of the debate team, Chess Club
> president and a member of the National Honor Society.

I guess ol' Brody glossed over the "honor" part of that group's charter. A session of Saturday school? That's it? Heck, I'd hold their diplomas hostage and make them take summer school. And publicly apologize to the school staff and students at an assembly. They need to be humiliated.

> "I only excused absences. Really, I had no reason to change my
> grades. I am a 3.5 student," Brod told the Mountain Express.
"Judge, the old lady's purse only had $20 in it. Come on, it's not like I made off with the weekly payroll! So just slap my wrist and let me go scampering off free." "ahem, you brandished a knife and stole from her. $20 or $2000 makes absolutely no difference" Seems our 'student' has learned one lesson very well. Our schools have taught them in the name of "self-esteem" that there is no such thing as moral standards. They can be interpreted to be anything you want and a sin is not a sin if it's only a little sin. Wait, 'sin' doesn't exist in the first place. Hey, can I strip a woman, tie her up and prance around naked but not actually rape her and get away with a trivial offense? I don't think so! Why not? And we wonder why the Catholic church selected a hardliner conservative for Pope.

> "I believe the decision was discriminatory. It shows Noah was
> singled out," said David Brod, Noah's father.

Seems the father is just as much a product of the system. Yeah, let's play the victim card! "*whine* why are you picking on me?" If it was my kid, I'd be publicly praising the Board for taking my son to task and apologizing to the community for my son's shameful behavior. And impounding his car, and calling the college admissions office and turning down their acceptance letter. What happens or doesn't happen to the other kids is none of my concern.

> The expulsion carried a list of conditions permitting Brod to return
> the second semester. The conditions mandated that he write a letter
> of apology, not attend extracurricular activities and complete 40
> hours of community service with 10 hours allocated to writing a
> 20-page essay on the topic of honesty and integrity.

At least the board has a backbone. Good for them!

> In the meantime, David Brod said he plans to move forward with a
> lawsuit against the Blaine County School District.

I hope the judge tosses him out so hard on his ear he needs surgery to put it back on. Or to remove the boot from his backside.
Wants to go to the Peace Corps does he? Figures.

From isn at c4i.org Tue Apr 26 01:49:25 2005 From: isn at c4i.org (InfoSec News) Date: Tue Apr 26 01:58:57 2005 Subject: [ISN] Hushmail Business Service Issue Message-ID:

[Phone number and receiving address edited. - WK]

---------- Forwarded message ----------
Date: Mon, 25 Apr 2005 17:11:57 -0700 (PDT)
From: Hushmail Business Support
Subject: Hushmail Business Service Issue

Dear Hushmail Business Customer,

On April 23rd, an unauthorized party gained access to our customer account at our domain registrar. They were able to change the name server entries for the hushmail.com domain, which resulted in traffic to hushmail.com Internet addresses being redirected. We are following up with our domain registrar to find out how this occurred. There was no unauthorized access to any of the Hush servers. Data managed by Hush was not compromised. During this period, however, some users were unable to log in to their email accounts, and email sent to Hushmail Business domains may not have been delivered. The issue was resolved within four hours, and the vast majority of DNS servers on the Internet are now correctly resolving the hushmail.com domain name. However, a few DNS servers may still be misdirecting traffic, causing logins and email delivery to fail for some users. This problem will cease as DNS servers update their information, but it may still be hours or days before every DNS server on the Internet is updated. If you have users that are experiencing difficulties, Hushmail Business is now accessible through servers on the hush.com domain as well as the hushmail.com domain. (The hush.com domain was not affected by this issue.)
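The incident above is a registrar-level hijack: the name server entries for the domain were swapped, so every other record became whatever the attacker's servers said, while Hush's own hosts were untouched. A domain owner can catch this class of change by periodically snapshotting the delegation and comparing it with a baseline. The block below is an added example written for this digest, not Hush's code or tooling; every server name and address in it is a constructed placeholder, and the records are written in the zone-file style the notice uses for its MX entries. It runs offline on embedded snapshots; a real monitor would feed it answers fetched from several resolvers.

```python
"""Delegation-change monitor, added as an illustration of how a domain
owner can notice the kind of registrar-level change described in the
Hushmail notice: the NS records move while the mail servers stay the
same. All names and addresses below are constructed placeholders."""

RECORD_TYPES = {"NS", "A", "MX"}


def parse_records(zone_text):
    """Parse lines such as 'mycompany.com. IN MX 10 mail.example.net.'
    into a set of (owner, type, value) tuples. ';' starts a comment.
    For MX the priority stays part of the value."""
    records = set()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[1].upper() != "IN":
            raise ValueError(f"unrecognised record line: {raw!r}")
        owner, _, rtype, *rest = parts
        rtype = rtype.upper()
        if rtype not in RECORD_TYPES:
            raise ValueError(f"unsupported record type in: {raw!r}")
        records.add((owner.lower(), rtype, " ".join(rest).lower()))
    return records


def _of_type(records, rtype):
    return {r for r in records if r[1] == rtype}


def delegation_alerts(baseline, observed):
    """Compare two snapshots. Any NS change is reported as 'critical'
    even when A and MX still match: once delegation has moved, the
    new name servers decide what every other record says next."""
    alerts = []
    for rtype, severity in (("NS", "critical"), ("A", "high"), ("MX", "high")):
        added = sorted(r[2] for r in _of_type(observed, rtype) - _of_type(baseline, rtype))
        removed = sorted(r[2] for r in _of_type(baseline, rtype) - _of_type(observed, rtype))
        if added or removed:
            alerts.append((severity, rtype, added, removed))
    return alerts


def lagging_resolvers(answers_by_resolver, expected_ns):
    """After a fix, some caches keep serving the hijacked delegation until
    their TTL expires (the 'hours or days' in the notice). Return the
    resolvers whose NS answer still differs from the restored set."""
    return sorted(name for name, ns in answers_by_resolver.items()
                  if set(ns) != set(expected_ns))


# Constructed baseline: what the owner expects to see.
BASELINE = parse_records("""
mycompany.com. IN NS ns1.example-dns.net.   ; placeholder
mycompany.com. IN NS ns2.example-dns.net.
mycompany.com. IN A  192.0.2.10
mycompany.com. IN MX 10 mx1.example-mail.net.
mycompany.com. IN MX 10 mx2.example-mail.net.
""")

# Constructed snapshot during a hijack: delegation moved, A redirected,
# MX records deliberately left identical so mail still "looks" normal.
HIJACKED = parse_records("""
mycompany.com. IN NS ns1.attacker-dns.example.
mycompany.com. IN NS ns2.attacker-dns.example.
mycompany.com. IN A  198.51.100.66
mycompany.com. IN MX 10 mx1.example-mail.net.
mycompany.com. IN MX 10 mx2.example-mail.net.
""")


if __name__ == "__main__":
    for sev, rtype, added, removed in delegation_alerts(BASELINE, HIJACKED):
        print(f"[{sev}] {rtype}: +{added} -{removed}")
```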
You can now optionally access Hushmail Business at the following URL: https://www.hush.com/services-business

If you host a login page on your own website, you now have the option to direct the form to: https://mailserver1.hush.com/hushmail/index.php

If you use your own domain for email (mycompany.com as opposed to mycompany.hush.com) you can optionally update your MX records in your DNS to direct mail as follows. (Substitute your domain for mycompany.com.)

mycompany.com IN MX 10 plsmtp1.hush.com.
mycompany.com IN MX 10 plsmtp2.hush.com.

Please accept our sincerest apologies for the inconvenience this has caused. We take this incident very seriously, and will continue to keep our customers updated as more information becomes available, through the following web page: https://www.hushmail.com/login-status

If you have any questions you can contact us at pl@hushmail.com.

Regards, Hush Communications Support

From isn at c4i.org Tue Apr 26 01:49:38 2005 From: isn at c4i.org (InfoSec News) Date: Tue Apr 26 01:59:01 2005 Subject: [ISN] Redfaced professor made up scary story Message-ID:

http://www.theinquirer.net/?article=22762

By Nick Farrell 25 April 2005

A BIOLOGY professor who attempted to scare the student who nicked his laptop into giving himself up may have exaggerated his story a tad. Last week we told how University of California, Berkeley, professor, Jasper Rine tried to put the fear of god into the student who nicked his laptop by claiming it had all sorts of top secret government data on it. He warned that almost every James Bond in the world was hunting that laptop. He also said he knew who the thief was. Since we ran that story, it has been picked up by ABC News in the States and debated on blog sites across the world. Most techies consider that anyone could see that Rine was telling porkies. One of the ways that Rine claimed he identified the tea leaf was by installing the same version of Windows on another computer.
If the professor had attempted to use the same key to activate a copy of Windows, the activation servers would have denied him access. Some of the technobabble that the professor spouted to out the thief was impressive, but has not been found to work well yet. He claimed that there were passive trackers embedded in the bezel of laptop screens beside the wireless transmitters. Technology like this does sort of exist, but is rare and not used by anyone outside the Department of Energy. He also claimed that the wireless card in the laptop triggered some location data. This is possible, but pretty unlikely. In fact a University spokesman told ABC that Rine had indeed made the whole thing up to scare the student into handing over the laptop. The story has for some reason now been pulled from the ABC site, but can be found here. There might be a bit of a clue as to the way Rine operates in an article here, in which he says: "Although I have unlimited respect for facts, and delight in their discovery and appreciation, I have come to the obvious yet almost blasphemous view that, with respect to teaching, the facts just aren't that important." Despite all the exaggeration, and threats, the thief has ignored Rine and has kept his laptop. Still it was worth a crack.

From isn at c4i.org Tue Apr 26 01:49:52 2005 From: isn at c4i.org (InfoSec News) Date: Tue Apr 26 01:59:04 2005 Subject: [ISN] What I Learned In Teaching Computer Security, Privacy, and Politics to a General Audience Message-ID:

http://www.onlamp.com/pub/wlg/6928

Ming Chow Apr. 24, 2005
http://www.cs.tufts.edu/~mchow/excollege/

Hard to believe, I am almost finished with teaching a full college course (one semester) -- my course at Tufts University entitled "Security, Privacy, and Politics in the Computer Age," offered by the Experimental College. It has certainly been an exhilarating few months, but it has been a very rewarding, memorable, and flattering experience.
So what did I learn from teaching computer security, politics, and privacy to a group of twenty, mainly non-technical, college students? Here are some of my thoughts in a nutshell:

* It is difficult to balance technical and non-technical information. Many students know what spyware and computer viruses are, but the technical workings of them are complicated. If you delve into complexities such as the operating system or the kernel, the students will be lost. I also recall making my cryptography lecture too simplistic, and I saw many students fall asleep.

* Few have knowledge about open source software, and alternatives to popular software packages. It is important to discuss the software life-cycle development process early in the semester because it will provide students insights on where a lot of the problems come from. One of the first comments from students that struck me was that many have never heard of open source software, nor have they heard of alternatives to popular software packages such as GIMP, GAIM, and yes, even Firefox. As much as the technical community read and speak about OSS, the general public still don't understand it.

* Few have used Unix or Linux. Unix and Linux are sometimes dubbed as the "the most important operating systems you may never use," and I found this quite true. That is why I distributed free copies of Knoppix to students, and used it for my lectures on occasion.

* News and information evolve and change frequently. Several weeks after I gave a demonstration on password cracking, the news of Paris Hilton's sidekick cracked via simple password broke out. We had to reflect back on our previous lecture. Same issue with the recent slew of consumer database breaches. The instructor (myself) has to keep up with current events especially when teaching such a course.

* Students enjoy examples. Students love screenshots and hands-on examples from the terminal.

* Instructor has to encourage feedback and dialog.
Maybe it is because of the college environment, most of us have been there, done that. I found that students walk into class with very little expectation or motivation each day. They just want to go to class and leave, and probably forget the information. It is the instructor's job to incorporate debate and dialog in the course. You just can't hope that all students will be active. I had two debates and two expert panel sessions in the class, and they have been most engaging (as said by the students). Same goes for the discussions on copyrights, electronic voting, and P2P technologies -- no surprise considering the topics are controversial and debateable. * Need a hands-on assignment to show how hard security is. Security is hard, we know that. But talk can only do so much. Recently, I gave a two-part group project on designing a fictitious state lottery game and its secure system. Not only did the students find that designing a system is difficult and time-consuming, but also how hard it is the accomodate for everything there is. I had to use so much red ink on grading the design projects, both phases (the game design and the system design) These are just some highlights of what I learned in my very first teaching experience. After I submit the course grades, I will sit down and collect all my thoughts about the course. Would I want to do this again? Absolutely, in a heartbeat. Ming Chow is a scholar of science and technology, whose areas of interests are human-computer interaction, game development, computer security, and computer science in education. 
From isn at c4i.org Tue Apr 26 01:48:29 2005 From: isn at c4i.org (InfoSec News) Date: Tue Apr 26 01:59:08 2005 Subject: [ISN] Secunia Weekly Summary - Issue: 2005-16 Message-ID: ======================================================================== The Secunia Weekly Advisory Summary 2005-04-14 - 2005-04-21 This week : 63 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3...............................This Weeks Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: Want a new IT Security job? Vacant positions at Secunia: http://secunia.com/secunia_vacancies/ ======================================================================== 2) This Week in Brief: GreyMagic Security has reported a vulnerability in Windows 2000, which can be exploited by malicious people to compromise a user's system. No patch is available from the vendor. However, an alternate workaround is described in the referenced Secunia advisory below. Reference: http://secunia.com/SA15017 -- The Mozilla Foundation has released new versions of Mozilla and Mozilla Firefox, correcting several new vulnerabilities including the "JavaScript Arbitrary Memory Exposure" vulnerability disclosed on the 4th April. View the Secunia advisories below for additional details. References: http://secunia.com/SA14820 http://secunia.com/SA14938 http://secunia.com/SA14992 -- Piotr Bania has reported a vulnerability in Realplayer and RealOne, which can be exploited by malicious people to compromise a user's system. Users are advised to check for available updates. 
Reference: http://secunia.com/SA15023 -- Apple has issued an update for Mac OS X, which fixes various vulnerabilities. Please refer to Secunia advisory below for details. Reference: http://secunia.com/SA14974 VIRUS ALERTS: Secunia has not issued any virus alerts during the week. ======================================================================== 3) This Weeks Top Ten Most Read Advisories: 1. [SA14938] Mozilla Firefox Multiple Vulnerabilities 2. [SA14820] Mozilla Firefox JavaScript Engine Information Disclosure Vulnerability 3. [SA14896] Microsoft Jet Database Engine Database File Parsing Vulnerability 4. [SA12959] Internet Explorer HTML Elements Buffer Overflow Vulnerability 5. [SA14992] Mozilla Multiple Vulnerabilities 6. [SA14879] Lotus Notes/Domino Multiple Vulnerabilities 7. [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerabilities 8. [SA14821] Mozilla Suite JavaScript Engine Information Disclosure Vulnerability 9. [SA14962] IBM WebSphere Application Server JSP Source Exposure 10. 
[SA15017] Microsoft Windows Explorer Web View Script Insertion Vulnerability ======================================================================== 4) Vulnerabilities Summary Listing Windows: [SA15000] Simple Web Server Request Handling Buffer Overflow [SA14967] Yager Buffer Overflow and Denial of Service Vulnerabilities [SA15026] Ocean12 Calendar Manager Pro SQL Injection Vulnerability [SA15017] Microsoft Windows Explorer Web View Script Insertion Vulnerability [SA14999] WebcamXP Chat Name Script Insertion Vulnerability [SA14996] Netscape Two Vulnerabilities [SA14969] OneWorldStore Multiple Vulnerabilities [SA14989] McAfee Internet Security Suite 2005 Insecure File Permissions UNIX/Linux: [SA15043] Fedora update for HelixPlayer [SA15028] SUSE update for realplayer [SA15018] Gentoo update for mplayer [SA15014] MPlayer RTSP and MMST Streams Buffer Overflow Vulnerabilities [SA15005] Fedora update for php [SA15002] Gentoo update for mozilla/firefox [SA14995] SUSE update for OpenOffice_org [SA14988] Mandrake update for php [SA14984] Gentoo update for monkeyd [SA14983] Gentoo update for openoffice [SA14975] Gentoo update for php [SA15042] Fedora update for cvs [SA15019] Red Hat update for kernel [SA15012] Fedora update for curl [SA15003] SUSE update for cvs [SA14998] Gentoo update for xv [SA14994] Gentoo update for cvs [SA14991] Debian update for libexif [SA14987] SUSE Updates for Multiple Packages [SA14986] Debian update for php3 [SA14985] OmniWeb Local Domain Arbitrary Code Execution Vulnerability [SA14977] xv Multiple Vulnerabilities [SA14976] CVS Buffer Overflow and Denial of Service Vulnerabilities [SA14974] Mac OS X Security Update Fixes Multiple Vulnerabilities [SA14973] SUSE update for php4/php5 [SA14966] SGI Advanced Linux Environment Multiple Updates [SA15021] Red Hat update for xloadimage [SA15007] Fedora update for htdig [SA15006] Fedora update for nasm [SA15001] Debian update for gtkhtml [SA14997] Debian info2www Cross-Site Scripting Vulnerability 
[SA14978] libsafe Race Condition Protection Mechanism Bypass [SA15016] SUSE update for postgresql [SA14970] OS/400 Incoming Remote Command Service Denial of Service [SA15022] Debian geneweb Arbitrary File Manipulation Vulnerability [SA15020] Red Hat logwatch secure Script Parsing Error Denial of Service [SA14981] Sun Solaris Network Port Hijacking Vulnerability [SA14979] Solaris Xsun and Xprt Server Font Handling Vulnerabilities [SA14971] Solaris Unspecified Generic Security Services Library Vulnerability [SA14968] Fedora update for sharutils Other: Cross Platform: [SA15023] Realplayer/RealOne RAM File Processing Buffer Overflow Vulnerability [SA15013] AZ Bulletin Board Multiple Vulnerabilities [SA14992] Mozilla Multiple Vulnerabilities [SA14972] All4WWW-Homepagecreator "site" File Inclusion Vulnerability [SA15029] phpBB phpbb-Auction Module SQL Injection Vulnerabilities [SA15024] UBB.threads "main" SQL Injection Vulnerability [SA15004] Coppermine Photo Gallery Cross-Site Scripting and SQL Injection [SA14982] eGroupWare Cross-Site Scripting and SQL Injection Vulnerabilities [SA14980] myBloggie Comment Script Insertion Vulnerability [SA15027] PHP Labs proFile "dir" and "file" Cross-Site Scripting [SA15015] Knusperleicht Shoutbox Exposure of Sensitive Information [SA15011] CityPost Image Editor Cross-Site Scripting Vulnerabilities [SA15010] CityPost Simple PHP Upload "message" Cross-Site Scripting [SA15009] CityPost Automated Link Exchange "msg" Cross-Site Scripting [SA14965] PHP-Nuke "forwarder" Parameter HTTP Response Splitting ======================================================================== 5) Vulnerabilities Content Listing Windows:-- [SA15000] Simple Web Server Request Handling Buffer Overflow Critical: Extremely critical Where: From remote Impact: System access Released: 2005-04-19 Michael Thumann has reported a vulnerability in PMSoftware Simple Web Server, which can be exploited by malicious people to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/15000/ -- [SA14967] Yager Buffer Overflow and Denial of Service Vulnerabilities Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2005-04-15 Luigi Auriemma has reported some vulnerabilities in Yager, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14967/ -- [SA15026] Ocean12 Calendar Manager Pro SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-04-20 Zinho has reported a vulnerability in Ocean12 Calendar Manager Pro, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/15026/ -- [SA15017] Microsoft Windows Explorer Web View Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2005-04-20 GreyMagic has discovered a vulnerability in Windows, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/15017/ -- [SA14999] WebcamXP Chat Name Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2005-04-19 Donnie Werner has discovered a vulnerability in WebcamXP, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/14999/ -- [SA14996] Netscape Two Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, System access Released: 2005-04-19 Some vulnerabilities have been reported in Netscape, which potentially can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system. 
Full Advisory: http://secunia.com/advisories/14996/ -- [SA14969] OneWorldStore Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2005-04-15 Some vulnerabilities have been reported in OneWorldStore, which can be exploited by malicious people to conduct cross-site scripting, script insertion and SQL injection attacks. Full Advisory: http://secunia.com/advisories/14969/ -- [SA14989] McAfee Internet Security Suite 2005 Insecure File Permissions Critical: Less critical Where: Local system Impact: Manipulation of data, Privilege escalation Released: 2005-04-19 A security issue has been reported in McAfee Internet Security Suite 2005, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/14989/ UNIX/Linux:-- [SA15043] Fedora update for HelixPlayer Critical: Highly critical Where: From remote Impact: System access Released: 2005-04-21 Fedora has issued an update for HelixPlayer. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/15043/ -- [SA15028] SUSE update for realplayer Critical: Highly critical Where: From remote Impact: System access Released: 2005-04-20 SUSE has issued an update for realplayer. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/15028/ -- [SA15018] Gentoo update for mplayer Critical: Highly critical Where: From remote Impact: System access Released: 2005-04-20 Gentoo has issued an update for mplayer. This fixes two vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system. 
Full Advisory: http://secunia.com/advisories/15018/ -- [SA15014] MPlayer RTSP and MMST Streams Buffer Overflow Vulnerabilities Critical: Highly critical Where: From remote Impact: System access Released: 2005-04-20 Two vulnerabilities have been reported in MPlayer, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/15014/ -- [SA15005] Fedora update for php Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2005-04-19 Fedora has issued an update for php. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/15005/ -- [SA15002] Gentoo update for mozilla/firefox Critical: Highly critical Where: From remote Impact: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, System access Released: 2005-04-19 Gentoo has issued updates for mozilla and firefox. These fix some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, gain knowledge of potentially sensitive information, and compromise a user's system. Full Advisory: http://secunia.com/advisories/15002/ -- [SA14995] SUSE update for OpenOffice_org Critical: Highly critical Where: From remote Impact: System access Released: 2005-04-19 SUSE has issued an update for OpenOffice_org. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/14995/ -- [SA14988] Mandrake update for php Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2005-04-19 MandrakeSoft has issued an update for php. 
This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14988/ -- [SA14984] Gentoo update for monkeyd Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2005-04-18 Gentoo has issued an update for monkeyd. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14984/ -- [SA14983] Gentoo update for openoffice Critical: Highly critical Where: From remote Impact: System access Released: 2005-04-18 Gentoo has issued updates for openoffice. These fix a vulnerability, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/14983/ -- [SA14975] Gentoo update for php Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2005-04-18 Gentoo has issued an update for php. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14975/ -- [SA15042] Fedora update for cvs Critical: Moderately critical Where: From remote Impact: System access, DoS, Unknown Released: 2005-04-21 Fedora has issued an update for cvs. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/15042/ -- [SA15019] Red Hat update for kernel Critical: Moderately critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access, Hijacking Released: 2005-04-20 Red Hat has issued an update for the kernel. 
This fixes multiple vulnerabilities, which can be exploited to gain knowledge of various information, gain escalated privileges, hijack other users terminal sessions, or cause a DoS (Denial of Service), or potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/15019/ -- [SA15012] Fedora update for curl Critical: Moderately critical Where: From remote Impact: System access Released: 2005-04-21 Fedora has issued an update for curl. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/15012/ -- [SA15003] SUSE update for cvs Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2005-04-19 SUSE has issued an update for cvs. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/15003/ -- [SA14998] Gentoo update for xv Critical: Moderately critical Where: From remote Impact: System access Released: 2005-04-19 Gentoo has issued an update for xv. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/14998/ -- [SA14994] Gentoo update for cvs Critical: Moderately critical Where: From remote Impact: Unknown, DoS, System access Released: 2005-04-19 Gentoo has issued an update for cvs. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14994/ -- [SA14991] Debian update for libexif Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2005-04-18 Debian has issued an update for libexif. 
This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14991/ -- [SA14987] SUSE Updates for Multiple Packages Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Spoofing, Manipulation of data, DoS, System access Released: 2005-04-18 SUSE has issued updates for multiple packages. These fix various vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service), conduct cross-site scripting attacks, poison the DNS cache, or potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14987/ -- [SA14986] Debian update for php3 Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-04-18 Debian has issued an update for php3. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14986/ -- [SA14985] OmniWeb Local Domain Arbitrary Code Execution Vulnerability Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2005-04-19 David Remahl has reported a vulnerability in OmniWeb, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/14985/ -- [SA14977] xv Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: System access Released: 2005-04-19 Tavis Ormandy has reported some vulnerabilities in xv, which potentially can be exploited by malicious people to compromise a user's system. 
Full Advisory: http://secunia.com/advisories/14977/ -- [SA14976] CVS Buffer Overflow and Denial of Service Vulnerabilities Critical: Moderately critical Where: From remote Impact: Unknown, DoS, System access Released: 2005-04-19 Multiple vulnerabilities have been reported in CVS, where one has an unknown impact and others which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14976/ -- [SA14974] Mac OS X Security Update Fixes Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Security Bypass, Privilege escalation, DoS, System access Released: 2005-04-18 Apple has issued an update for Mac OS X, which fixes various vulnerabilities. Full Advisory: http://secunia.com/advisories/14974/ -- [SA14973] SUSE update for php4/php5 Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-04-15 SUSE has issued updates for php4 and php5. These fix two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14973/ -- [SA14966] SGI Advanced Linux Environment Multiple Updates Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2005-04-15 SGI has issued a patch for SGI Advanced Linux Environment. This fixes multiple vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and by malicious people to crash certain applications on a vulnerable system and compromise a user's system. Full Advisory: http://secunia.com/advisories/14966/ -- [SA15021] Red Hat update for xloadimage Critical: Less critical Where: From remote Impact: System access Released: 2005-04-20 Red Hat has issued an update for xloadimage. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. 
Full Advisory: http://secunia.com/advisories/15021/ -- [SA15007] Fedora update for htdig Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-04-20 Fedora has issued an update for htdig. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/15007/ -- [SA15006] Fedora update for nasm Critical: Less critical Where: From remote Impact: System access Released: 2005-04-19 Fedora has issued an update for nasm. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/15006/ -- [SA15001] Debian update for gtkhtml Critical: Less critical Where: From remote Impact: DoS Released: 2005-04-19 Debian has issued an update for gtkhtml. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) on certain applications using it (eg. Evolution). Full Advisory: http://secunia.com/advisories/15001/ -- [SA14997] Debian info2www Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-04-19 Debian has issued an update for info2www. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/14997/ -- [SA14978] libsafe Race Condition Protection Mechanism Bypass Critical: Less critical Where: From remote Impact: Security Bypass Released: 2005-04-18 "Overflow.pl" has discovered a security issue in libsafe, which can be exploited by malicious people to bypass the security mechanism. Full Advisory: http://secunia.com/advisories/14978/ -- [SA15016] SUSE update for postgresql Critical: Less critical Where: From local network Impact: Privilege escalation Released: 2005-04-20 SUSE has issued an update for postgresql. 
This fixes some vulnerabilities, which can be exploited by malicious users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/15016/ -- [SA14970] OS/400 Incoming Remote Command Service Denial of Service Critical: Less critical Where: From local network Impact: DoS Released: 2005-04-18 A vulnerability has been reported in OS/400, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14970/ -- [SA15022] Debian geneweb Arbitrary File Manipulation Vulnerability Critical: Less critical Where: Local system Impact: Manipulation of data Released: 2005-04-20 Debian has issued an update for geneweb. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. Full Advisory: http://secunia.com/advisories/15022/ -- [SA15020] Red Hat logwatch secure Script Parsing Error Denial of Service Critical: Less critical Where: Local system Impact: DoS Released: 2005-04-20 Red Hat has issued an update for logwatch. This fixes a vulnerability, which can be exploited by malicious, local users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/15020/ -- [SA14981] Sun Solaris Network Port Hijacking Vulnerability Critical: Less critical Where: Local system Impact: Hijacking Released: 2005-04-19 A vulnerability has been reported in Solaris, which can be exploited by malicious, local users to hijack network ports. Full Advisory: http://secunia.com/advisories/14981/ -- [SA14979] Solaris Xsun and Xprt Server Font Handling Vulnerabilities Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-04-19 Sun Microsystems has acknowledged some vulnerabilities in Solaris, which can be exploited by malicious, local users to gain escalated privileges. 
Full Advisory: http://secunia.com/advisories/14979/ -- [SA14971] Solaris Unspecified Generic Security Services Library Vulnerability Critical: Not critical Where: Local system Impact: Privilege escalation Released: 2005-04-15 A vulnerability has been reported in Solaris, which potentially can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/14971/ -- [SA14968] Fedora update for sharutils Critical: Not critical Where: Local system Impact: Privilege escalation Released: 2005-04-15 Fedora has issued an update for sharutils. This fixes a vulnerability, which potentially can be exploited by malicious, local users to conduct certain actions on a vulnerable system with escalated privileges. Full Advisory: http://secunia.com/advisories/14968/ Other: Cross Platform:-- [SA15023] Realplayer/RealOne RAM File Processing Buffer Overflow Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2005-04-20 Piotr Bania has reported a vulnerability in Realplayer and RealOne, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/15023/ -- [SA15013] AZ Bulletin Board Multiple Vulnerabilities Critical: Highly critical Where: From remote Impact: Manipulation of data, Exposure of system information, System access Released: 2005-04-20 James Bercegay has reported some vulnerabilities in AZ Bulletin Board, which can be exploited by malicious users to delete arbitrary files, and by malicious people to determine the existence of local files or potentially compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/15013/ -- [SA14992] Mozilla Multiple Vulnerabilities Critical: Highly critical Where: From remote Impact: Security Bypass, Cross Site Scripting, System access Released: 2005-04-18 Multiple vulnerabilities have been reported in Mozilla Suite, which can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, and compromise a user's system. Full Advisory: http://secunia.com/advisories/14992/ -- [SA14972] All4WWW-Homepagecreator "site" File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2005-04-15 Francisco Alisson has reported a vulnerability in All4WWW-Homepagecreator, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14972/ -- [SA15029] phpBB phpbb-Auction Module SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-04-20 sNKenjoi has reported two vulnerabilities in the phpbb-Auction module for phpBB, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/15029/ -- [SA15024] UBB.threads "main" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-04-20 Axl has reported a vulnerability in UBB.threads, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/15024/ -- [SA15004] Coppermine Photo Gallery Cross-Site Scripting and SQL Injection Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2005-04-19 Two vulnerabilities have been reported in Coppermine Photo Gallery, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to conduct SQL injection attacks. 
Full Advisory: http://secunia.com/advisories/15004/ -- [SA14982] eGroupWare Cross-Site Scripting and SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2005-04-18 James Bercegay has reported some vulnerabilities in eGroupWare, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks. Full Advisory: http://secunia.com/advisories/14982/ -- [SA14980] myBloggie Comment Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2005-04-18 Francisco Alisson has discovered a vulnerability in myBloggie, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/14980/ -- [SA15027] PHP Labs proFile "dir" and "file" Cross-Site Scripting Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-04-20 sNKenjoi has reported two vulnerabilities in PHP Labs proFile, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/15027/ -- [SA15015] Knusperleicht Shoutbox Exposure of Sensitive Information Critical: Less critical Where: From remote Impact: Exposure of sensitive information Released: 2005-04-20 CorryL has reported a security issue in Knusperleicht Shoutbox, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/15015/ -- [SA15011] CityPost Image Editor Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-04-19 sNKenjoi has reported some vulnerabilities in Image Editor, which can be exploited by malicious people to conduct cross-site scripting attacks. 
Full Advisory: http://secunia.com/advisories/15011/ -- [SA15010] CityPost Simple PHP Upload "message" Cross-Site Scripting Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-04-19 sNKenjoi has reported a vulnerability in Simple PHP Upload, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/15010/ -- [SA15009] CityPost Automated Link Exchange "msg" Cross-Site Scripting Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-04-19 sNKenjoi has reported a vulnerability in Automated Link Exchange, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/15009/ -- [SA14965] PHP-Nuke "forwarder" Parameter HTTP Response Splitting Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-04-18 Diabolic Crab has reported a vulnerability in PHP-Nuke, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/14965/ ======================================================================== Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Definitions: (Criticality, Where etc.) 
http://secunia.com/about_secunia_advisories/

Subscribe: http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

========================================================================

From isn at c4i.org Tue Apr 26 01:49:08 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Apr 26 01:59:11 2005
Subject: [ISN] Linux Security Week - April 25th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  April 25th, 2005                             Volume 6, Number 18n  |
|                                                                     |
|  Editorial Team:            Dave Wreski       dave@linuxsecurity.com|
|                             Benjamin D. Thomas ben@linuxsecurity.com|
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Five Linux Security Myths You Can Live Without," "Configurations that keep your Linux System safe from attack," and "Linux Distribution Tames Chaos."

---

DEMYSTIFY THE SPAM BUZZ: Roaring Penguin Software

Understanding the anti-spam solution market and its various choices and buzzwords can be a daunting task. This free whitepaper from Roaring Penguin Software helps you cut through the hype and focus on the basics: determining what anti-spam features you need, whether a solution you are considering includes them, and to what degree. Find out more!

http://www.roaringpenguin.com/promo/spambuzzwhitepaper.php?id=linuxsecuritywnbuzz0305

---

LINUX ADVISORY WATCH

This week, advisories were released for MySQL, PHP, libexif, gtkhtml, info2www, geneweb, f2c, XFCE, vixie-cron, at, nasm, aspell, urw-fonts, htdig, alsa-lib, curl, HelixPlayer, cvs, foomatic, monkeyd, mplayer, xloadimage, logwatch, kernel, OpenOffice, and PostgreSQL.
The distributors include Conectiva, Debian, Fedora, Gentoo, Red Hat, and SuSE.

http://www.linuxsecurity.com/content/view/118951/150/

---

Introduction: Buffer Overflow Vulnerabilities

Buffer overflows are a leading type of security vulnerability. This paper explains what a buffer overflow is, how it can be exploited, and what countermeasures can be taken to prevent the use of buffer overflow vulnerabilities.

http://www.linuxsecurity.com/content/view/118881/49/

---

Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy-to-follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, and is therefore very simple.

http://www.linuxsecurity.com/content/view/118181/49/

---

The Tao of Network Security Monitoring: Beyond Intrusion Detection

The Tao of Network Security Monitoring is one of the most comprehensive and up-to-date sources available on the subject. It gives an excellent introduction to information security and the importance of network security monitoring, offers hands-on examples of almost 30 open source network security tools, and includes information relevant to security managers through case studies, best practices, and recommendations on how to establish training programs for network security staff.

http://www.linuxsecurity.com/content/view/118106/49/

--------

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* Quantum cryptography: Your security holy grail?
19th, April, 2005

Quantum cryptography, using a private communication channel to lock down the exchange of sensitive data between two points, has to date created much more discussion than it has practical applications.

http://www.linuxsecurity.com/content/view/118909

* Five Linux Security Myths You Can Live Without
20th, April, 2005

All distributions are not created equal: Some distros, by default, are very secure; others install with virtually no default security. A good source of independent information on the quality of distro security is www.distrowatch.com, a site that supports the idea that some distros offer better security than others.

http://www.linuxsecurity.com/content/view/118929

* Network Scanner Includes Linux Security Checks
21st, April, 2005

GFI Software Ltd. recently announced the release of a new version of its network security scanner, GFI LANguard Network Security Scanner (N.S.S.) 6, which can detect all machines and devices connected to the network via a wireless link. It also alerts administrators when suspicious USB devices are connected to the network.

http://www.linuxsecurity.com/content/view/118942

* Can this man save the Net?
22nd, April, 2005

VeriSign is the world's largest digital certificate authority and is steward of the A and J root servers (two of the 13 computers representing the top of the Internet's hierarchy). With 40 percent of North American e-commerce payments going through its gateways, 100 percent of .com registrars running 15 billion queries a day through its system, and 50 percent of North American cellular roamings going through its servers, VeriSign has a significant role in seeing that the Internet infrastructure runs securely.
http://www.linuxsecurity.com/content/view/118956

* Cybercrime Wars
20th, April, 2005

In the ethereal world of the Internet, an underground crime war is being silently waged between the cyber-criminals and those trying to stop them. A war that is undermining the interests of corporations and governments worldwide and one that bears no regard for innocent victims. In fact, the victims are purposely targeted, unwittingly press-ganged into becoming foot-soldiers helping to spread spam, attack large companies and unknowingly distribute illegal porn and copyrighted materials. Nowadays, cyber-attacks and automated hacking tools work so fast and efficiently that the enemy is winning. Something needs to be done, as Nick Ray, CEO of Prevx explains.

http://www.linuxsecurity.com/content/view/118928

* Cyber attack early warning center begins pilot project
21st, April, 2005

A fledgling nonprofit group working to develop an automated cyber-attack early warning system, the Cyber Incident Detection Data Analysis Center (CIDDAC), is about to begin a pilot project to collect data on network intrusions from a group of companies in national-infrastructure industries.

http://www.linuxsecurity.com/content/view/118950

* Configurations that keep your Linux System safe from attack
20th, April, 2005

In this series of articles, learn how to plan, design, install, configure, and maintain systems running Linux in a secure way. In addition to a theoretical overview of security concepts, installation issues, and potential threats and their exploits, you'll also get practical advice on how to secure and

http://www.linuxsecurity.com/content/view/118918

* US Government helps Bastille Linux gain assessment functionality
20th, April, 2005

We've just finished adding a major new mission to Bastille Linux -- it now does hardening assessment! The US Government's TSWG helped us add this functionality.
http://www.linuxsecurity.com/content/view/118923

* The Five Ps of Patch Management
20th, April, 2005

Security and vulnerability patching has become one of the top concerns for IT managers, but has also left many IT teams fighting a losing battle as the job of patching competes with day-to-day system maintenance and security tasks.

http://www.linuxsecurity.com/content/view/118930

* Microsoft to support Linux
21st, April, 2005

Microsoft head Steve Ballmer has promised to add Linux support for the first time in one of its products because, he explained, users need to manage heterogeneous networks.

http://www.linuxsecurity.com/content/view/118943

* Mozilla flaws could allow attacks, data access
18th, April, 2005

Multiple vulnerabilities that could allow an attacker to install malicious code or steal personal data have been discovered in the Mozilla Suite and the Firefox open-source browser.

http://www.linuxsecurity.com/content/view/118903

* PHP falls down security hole
20th, April, 2005

Servers running PHP are vulnerable to a number of serious security exploits, including some which could allow an attacker to execute malicious code, and denial-of-service exploits, according to the PHP Group.

http://www.linuxsecurity.com/content/view/118939

* Linux Distribution Tames Chaos
19th, April, 2005

Chaos, a Linux distribution developed by Australian Ian Latter, harnesses the unused processing power of networked PCs, creating a distributed supercomputer that can crack passwords at lightning speed.

http://www.linuxsecurity.com/content/view/118908

* Linux receives pat on the back for security
18th, April, 2005

A recent survey carried out by Evans Data Corporation has revealed that development managers have more faith in Linux as an operating system to guard them against internal attacks than they have in Windows. Over 6,000 development managers were interviewed in the Evans Data Corporation's new Spring 2005 Linux and Development survey.
They considered open source software to be more secure for client operating systems, web servers, server operating systems, and components and libraries.

http://www.linuxsecurity.com/content/view/118896

* Guidelines for Choosing to Outsource Security Management
21st, April, 2005

Outsourcing security is not appropriate for every organization. Some organizations will be better served by deploying and running security management and monitoring solutions in-house. Your organization should use Gartner's Decision Framework to determine whether it is a candidate for MSSP services. It is important to be clear about your organization's expectation of a security outsourcing engagement, and to structure a service-level agreement that reflects those expectations.

http://www.linuxsecurity.com/content/view/118949

* Ameritrade Shows Peril of Backup Tapes
22nd, April, 2005

For the second time this year, a high-profile financial company has lost a backup tape containing customer data while shipping the tape to an off-site storage facility.

http://www.linuxsecurity.com/content/view/118960

* Retailers feel security heat
22nd, April, 2005

Following several high-profile incidents of data theft, retailers are under increased pressure to clean up their computer security act.

http://www.linuxsecurity.com/content/view/118962

* Tackling identity theft
18th, April, 2005

The only way to control today's identity theft epidemic is for consumers, Congress and corporate America to team up. Jim Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies in Washington, D.C., today told a panel of security experts from eBay, eTrade, RSA Security, Forrester Research and BITS that protecting data is a shared responsibility. "Consumers have to become more perceptive about risks, but companies that use and hold data have a greater responsibility to put procedures and safeguards in place," he said.
"Government's responsibility is to make sure this happens and to prosecute the criminals."

http://www.linuxsecurity.com/content/view/118902

* Flash Player Worries Privacy Advocates
21st, April, 2005

Macromedia's Flash media player is raising concerns among privacy advocates for its little-known ability to store computer users' personal information and assign a unique identifier to their machines.

http://www.linuxsecurity.com/content/view/118947

* Teenagers struggle with privacy, security issues
22nd, April, 2005

High-school students have a message for their parents: Trust us with technology. Security and privacy? We have it covered.

http://www.linuxsecurity.com/content/view/118952

* U.S. Military's Elite Hacker Crew
18th, April, 2005

The U.S. military has assembled the world's most formidable hacker posse: a super-secret, multimillion-dollar weapons program that may be ready to launch bloodless cyberwar against enemy networks -- from electric grids to telephone nets.

http://www.linuxsecurity.com/content/view/118904

* NY AG Spitzer Targets Hackers
19th, April, 2005

New York Attorney General Eliot Spitzer has called for tougher penalties on computer criminals. He wants to prosecute people who gain access to computers surreptitiously, but who do not do any harm. The proposed legislation would also make encrypting information a crime if it concealed some other crime.

http://www.linuxsecurity.com/content/view/118922

* DSW data theft much larger than estimated
19th, April, 2005

Thieves who accessed a DSW Shoe Warehouse database obtained 1.4 million credit card numbers and the names on those accounts - 10 times more than investigators estimated last month.

http://www.linuxsecurity.com/content/view/118913

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------ From isn at c4i.org Tue Apr 26 01:50:05 2005 From: isn at c4i.org (InfoSec News) Date: Tue Apr 26 01:59:14 2005 Subject: [ISN] Get Physical About IT Security Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,101220,00.html Opinion by Douglas Schweitzer APRIL 25, 2005 COMPUTERWORLD A San Jose-based medical practice recently notified about 185,000 current and former patients about the theft of their personal information. Stored on two computers, the data was stolen from the medical office during a burglary that occurred March 28. Under California law SB 1386, the medical group was required to publicly disclose the computer security breach because the confidential information of California residents may have been compromised. Unfortunately, that law promises to teach both businesses and the public plenty of lessons about insufficient security practices like those highlighted in the San Jose case. Let's face it: Hardware and software are usually less secure when they're located in an open workspace than they are when they're located in a separate computer room. Security is further decreased when the hardware and/or software is used within a network of computers that aren't housed at a single location. And the level of vulnerability is even higher when the network extends beyond the organization's premises. Some assets -- like hardware devices and data and software that are stored on file servers, PCs or removable media like tapes and disks -- need to be secured physically. Part of physical security is ensuring that only authorized personnel are permitted to transmit data and access devices on LANs. The National Computer Security Center's "Glossary of Computer Security Terms" defines physical security as "the application of physical barriers and control procedures as preventive measures or countermeasures against threats to resources and sensitive information." 
According to security expert and author Kevin Beaver, CISSP, "You cannot have any sense of information security if you don't implement proper physical security measures." Unfortunately, IT departments may disregard physical security, fearing that it's too expensive or too much of a burden. But effectively controlling physical access to an organization's facilities should be the security staff's top concern. When it comes to physical security, most organizations use one or a combination of mechanisms. Security guards are at the front line and should be trained to restrict the removal of assets from the premises. Among other things, they should be trained to record the identity of anyone removing assets. In addition, an authorization procedure should be established for those occasions when removing hardware and software from the premises is necessary. A traditional lock is, of course, one of the simplest ways to secure physical access to IT assets. This ubiquitous security system has effectively impeded access for centuries. While it's decidedly low tech, this approach nevertheless remains appealing to those on a budget, since it's simple and doesn't cost very much. If you wish to add another layer to this security model, you can use keys that can't be duplicated or build "mantraps" in which those who wish to gain entry must pass through two doors, so only one person can enter at a time. Electronic key cards are another good option, and they provide a higher level of security than the traditional lock-and-key approach. With this technology, a user gains entry by swiping an electronically coded plastic card through a magnetic badge reader. An advantage of key-card systems is that they eliminate some of the management problems that arise when you use locks and keys. For example, if an employee quits and walks off with his card, you don't have to change the locks; you just deactivate his card. 
Perhaps the most intriguing approaches to physical security are those that utilize biometrics. Biometric authentication involves the examination of physical traits of users. The examined feature is compared with stored reference data. Identifiable traits include fingerprints, hand geometry, voice patterns, facial patterns, and iris and retina patterns. Biometrics, or at least the promise of the various technologies involved, is currently at the forefront of thinking about authentication. But organizations have been slow to adopt biometrics, partially because the products available can be expensive and aren't as foolproof as they should be. Remembering that control procedures are necessary for all of the hardware and software you use will go a long way toward protecting less-secure environments. Of course, the level of access control you choose will have to be adjusted depending upon the sensitivity of the data being accessed. Other variables include the significance of the applications processed, the cost of the equipment and the availability of backup equipment. Because laptops are portable and hence targets for theft and misuse, they must be included in the security policy equation. Again, their location and the amount of sensitive data they contain will determine how much physical security they require. This may sound basic, and it is. But any comprehensive security plan has to start with physical security. From isn at c4i.org Tue Apr 26 01:50:25 2005 From: isn at c4i.org (InfoSec News) Date: Tue Apr 26 01:59:17 2005 Subject: [ISN] The spies in the next cube Message-ID: http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2005/04/25/BUGGLCDPUJ1.DTL Birgitta Forsberg Chronicle Staff Writer April 25, 2005 When Shin-Guo Tsai gave notice of resignation from his job as a design engineer at the Fremont semiconductor company Volterra on Feb. 15, he allegedly told his manager that he was returning to Taiwan to get married and that he didn't have a job lined up. 
The story was a smoke screen, according to the FBI. Tsai, the agency alleges, had downloaded information on Volterra products. The FBI accuses him of using a private e-mail account to send some of the information to a Taiwanese startup company that was recruiting him for a job. When Tsai announced his resignation, several co-workers told a manager that he had been downloading company information. On Feb. 25, Volterra's vice president of design engineering, David Lidsky, and the FBI confronted Tsai, who allegedly admitted he had sent proprietary information to the Taiwanese firm. Two days later, FBI agents turned up at Tsai's home in San Jose late at night and arrested him. He is out on bail. Tsai's lawyer, John Robertson of Los Angeles, said his client's actions did not involve industrial espionage. "Our intention is to plead not guilty," Robertson said. "We plan to contest certain of the allegations." Cases like this are far from unusual. Experts say U.S. companies are losing billions of dollars as a result of domestic and international espionage. When it comes to cross-border theft of trade secrets, there are more foreigners spying on U.S. corporations than ever, according to Todd Davis, an FBI supervisor in Sacramento. "Corporate America ought to be darned worried," Davis said. "If you are a major corporation with very sensitive technology, you have been targeted. Somebody is spying on you right now." When corporate spies come to America, they tend to flock to Silicon Valley. "We have prosecuted more theft of trade secret cases than any other district in the country," said Christopher Sonderby, chief of the Computer Hacking and Intellectual Property Unit of the U.S. attorney's office in San Jose. His computer hacking unit was founded as the country's first such entity in February 2000. There are now 18 such units in U.S. attorneys' offices nationwide. "Silicon Valley has more than 7,000 technology-based companies. 
It is home to the largest concentration of technology expertise in the world ... and there is a substantial temptation for some businesses and companies to acquire this technology by illegal means," he said. Many thefts kept quiet Davis estimates there have been about 20 to 30 cases in the past 10 years, including both domestic and cross-border industrial espionage incidents. A lot of cases, however, are never reported because many companies handle the incidents quietly to avoid publicity. The FBI has a list of about 20 countries that actively spy on U.S. companies, according to corporate security consultant John Case, who does not want to name any countries. Davis acknowledges there is such a list, but he declined to mention which countries are on it. "Certain countries are doing their darnedest to gain economic superiority, and we are the No. 1 target for all corporate and international spying," Davis said. He did mention China, without confirming that it is on the list. "PRC, the People's Republic of China, has been accused of setting up small firms" that act as front companies, he said. In a written statement, the Chinese consulate in San Francisco denied that the country engages in industrial espionage: "A few people in the United States stiffly hold on to the Cold War mentality and drum up the so-called 'China Threat Theory' by fabricating stories about China stealing technologies from the United States. All these allegations are baseless with ulterior motives. Their purpose is to use this to denigrate China and harm Sino-U.S. relations. Facts have proven that such attempts are doomed to fail." Anne Rogers, vice president of marketing at the Information Systems Security Association, noted that China is far from the only country that has been implicated in corporate espionage. "Some years ago, one of our biggest problems was with the French," she said. The French Consulate in San Francisco said its policy is not to comment on industrial espionage matters. 
Many of those charged with corporate espionage allegedly e-mailed stolen information or stored it on their home computers, as if they hadn't considered the possibility of detection. "The Internet facilitates the commission of crimes, but it also facilitates their investigation and prosecution by creating a robust trail of electronic evidence," Sonderby said. Some corporate spies apparently suffer from hubris. "White-collar crooks have always thought they were smarter than everyone else. But they'll make a little mistake somewhere, and you can put a case together," said John Smith, a high-technology investigator and security consultant. Many companies take elaborate measures to protect the security of their trade secrets. For example, Intel, the world's largest chipmaker, requires employees to sign forms explaining procedures for handling proprietary information. The company insists spying is not a problem for it. "This has not been an issue for us in recent years," spokesman Chuck Mulloy said. "It is a testament to the controls we have in place, which we have developed over many years. Companies that are immature have fewer controls in place." Pizza man not to blame Experts say that company insiders are a much bigger problem than someone hacking into the system from the outside. "Seventy-five to 85 percent of all theft per se is done by an insider," said Julie Snyder, president of the Silicon Valley chapter of the International High Technology Crime Investigation Association. Smith agrees. "In all the cases I am aware of, a trade secret theft usually involves an employee or a contractor or a person who has a legitimate right to be on the company's premises. They are operating inside the company's network firewalls, " Smith said. 
Among the signals that should raise a red flag, Davis said, are employees staying late at night, tours and delegations in which visitors strike up a friendship with insiders, and outsiders who are found in sensitive areas of a facility, such as network administration.

"It will not be the pizza deliverer," Davis said. "It's real engineers, and they infiltrate U.S. technology companies, pharmaceutical companies and weapons contractors."

International travel raises special problems, experts say. "Corporate employees who have foreign contacts and make frequent trips overseas should be closely scrutinized," Davis said. "Some employees think they can have safe conversations in their hotel room abroad. They are not aware that the hotel room is a target for the foreign government."

Employees should be briefed before attending a symposium, whether at home or abroad, to warn them of the hazards of disclosing information, then debriefed when they come back, said Case, the corporate security consultant. "Ask them if someone tried to talk to them and what that person asked," he said.

Background checks key

Most experts mention background checks as key. Not hiring the potential spy in the first place is the absolute best way to keep out of trouble. "Ask their former employer if the persons are re-hirable. If they are not re-hirable, that is a big clue," said Snyder of the High Technology Crime Investigation Association.

The ultimate question is whether trade secrets can truly be protected. It's an issue that security pros debate with a fervor that is almost theological. "Sure you can if you don't try to classify too much information as secret and allow too many people in on the secret," Case said. "The classical example is Coca-Cola with only a handful of people who know the formula."

But Doron Ben-Atar, a history professor at Fordham University in New York, disagrees. "To protect secrets is a human fantasy. People can't protect secrets," he said. "The U.S.
was founded on piracy. Every branch of American industry was pirated."

Ben-Atar argues that protecting a corporation's intellectual property should be overridden by other concerns. "The Third World can't let its people pay $20,700 for a drug against leukemia when they can get it for $2,700," he said. "We shouldn't be so self-righteous sanctimonious about it."

From isn at c4i.org Wed Apr 27 01:22:36 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 27 01:32:36 2005
Subject: [ISN] MoD suppliers' laptop turns up on rubbish tip
Message-ID:

Forwarded from: William Knowles

http://www.theregister.co.uk/2005/04/26/tip_secret_laptop/

By John Leyden
26th April 2005

An Oxfordshire-based security company claims to have found sensitive MoD-related files on a laptop bought from a council rubbish dump.

The partner of a back-office worker at penetration testing outfit SecureTest bought the IBM Thinkpad laptop for £80 from a colleague at a council rubbish tip earlier this month. SecureTest staff looked at the machine as a favour. The technician who investigated files left on the machine with forensic tools (EnCase) was shocked at what he found: recovered tenders for military communications software contracts, technical information and minutes of meetings with Navy personnel marked restricted.

"It looks like a MoD supplier's laptop," Ken Munro, managing director of SecureTest, told El Reg.

No secret files were involved but even so the case raises further questions about the disposal of PCs containing potentially sensitive military information. Last week the MoD announced it was launching an investigation after a Hampshire man found sensitive Ministry of Defence plans on a laptop he was given at a rubbish dump*, circumstances that eerily parallel the SecureTest find.

SecureTest is yet to inform the MoD of its find. Munro declined to name the dump involved or the IT contractor whose laptop, although ultimately beyond economic repair, contained sensitive data.
Wombles of Wimbledon quizzed by MI5

Despite the government bringing in a new standard last August for the secure destruction of data (InfoSec standard 5), many government departments have failed to implement it successfully and most businesses are unaware of it, according to Jon Godfrey, a data destruction expert and managing director of Life Cycle Services (LCS).

In a recent research study by LCS and Glamorgan University, nearly half of a sample of over 100 discarded hard drives contained personal information, contravening the Data Protection Act. One in five (20 per cent) contained financial information about the organisations which owned the disks. Less than 10 per cent of the drives that were still functional were completely clear of data. One contained personal information about an extramarital affair and could have been used for blackmail. Another contained information about children.

"I am constantly amazed at how lackadaisical major organisations and even government can be regarding this issue", said Godfrey, who is calling for regulations to establish licensed PC disposal centres.

* Sounds odd, but apparently you can get anything from working stereos to PCs from council dumps. Steptoe and Son, eat your heart out.

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Wed Apr 27 01:22:56 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 27 01:32:40 2005
Subject: [ISN] Black Hat USA 2005 Reminder CFP closing soon!
Message-ID:

Forwarded from: Jeff Moss

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear ISN Readers,

The Black Hat USA 2005 Call for Papers closes May 1st!
Do not hesitate to submit your presentation, as time is running out. This is your chance to present in front of the largest Black Hat to date, and share your knowledge with your peers. For more details please see:

http://www.blackhat.com/html/bh-usa-05/bh-usa-05-cfp.html

The pre-conference training offerings have increased for 2005. We are now offering more extensive weekend training with twenty-four distinct classes, with our weekday training expanded to twenty-seven separate classes. We have tailored the training to help avoid overlap in subject matter, and to provide you with classes by instructors who are leaders in their field.

http://www.blackhat.com/html/bh-usa-05/train-bh-usa-05-index.html

Register for the Black Hat USA 2005 show, held in Las Vegas. Our early bird rate closes May 15, so register now and save.

http://www.blackhat.com/html/bh-registration/bh-registration.html#us

The Black Hat Europe 2005 Briefings was a success, our largest conference ever in Europe! All presentations and tools from the event are available at

http://www.blackhat.com/html/bh-media-archives/bh-multi-media-archives.html#EU-2005

with audio and video being encoded now for release next month. The international press wrote several interesting articles about Black Hat Europe 05, including stories about global privacy issues, hardware (in)security, novel Google hacking techniques, and more.
Read about it at:

http://www.blackhat.com/html/bh-europe-05/bh-eu-05-index.html

Thank you,

Jeff Moss

From isn at c4i.org Wed Apr 27 01:23:09 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 27 01:32:43 2005
Subject: [ISN] Computer scientist sentenced to eight months for hacking
Message-ID:

http://www.usatoday.com/tech/news/computersecurity/hacking/2005-04-26-ebay-hacker-sentenced_x.htm

4/26/2005

SAN JOSE, Calif. (AP) -- A former Los Alamos National Laboratory computer specialist was sentenced to eight months in prison Monday for hacking into and damaging the computers of several high-tech companies, including online auction giant eBay.

Jerome T. Heckenkamp, 25, of Santa Monica, pleaded guilty in January 2004 to two counts relating to the attacks, which took place before he joined the laboratory.

Heckenkamp could have faced up to five years in prison, but U.S. District Court Judge James Ware sentenced him to eight months in prison and eight months of electronic monitoring and home confinement. He also has to pay $268,291 in restitution and for three years cannot use a computer with Internet access without approval from a probation officer.

Heckenkamp admitted breaking into San Jose-based eBay's computers in February and March 1999, defacing a Web page and installing malicious programs that captured usernames and passwords that he used to gain access to other eBay computers.

Heckenkamp also admitted he broke into San Diego-based Qualcomm Inc.'s computers in late 1999 and installed more so-called "Trojan" programs.
At the time, he was a student at the University of Wisconsin at Madison. He was arrested in January 2001 and lost his job at Los Alamos.

In the sentence, the judge also considered losses from other companies' computers Heckenkamp was charged with accessing. They include Exodus Communications, Juniper Networks, Lycos, and Cygnus Solutions.

Heckenkamp must report to prison by July 11.

From isn at c4i.org Wed Apr 27 01:23:22 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 27 01:32:46 2005
Subject: [ISN] China's anti-hacking alliance regrouped
Message-ID:

http://news.xinhuanet.com/english/2005-04/26/content_2879866.htm

www.chinaview.cn
(Source: Shenzhen Daily)
2005-04-26

BEIJING, April 26 -- The "Red Hacker Alliance," the largest and earliest hacking legion in China, was regrouped recently after a short break.

The alliance, attracting 20,000 hackers, once ranked fifth in the world in terms of the number of its members. Its Web site, set up at the end of 2000, had nearly 80,000 registered members at its peak.

The task of the alliance was to prevent hacking attacks from foreign countries. But the network disintegrated by the end of 2004 for no specific reason. The Web site founder, nicknamed Lion, said in an e-mail that the Web site existed in name only and he closed the Web site after Dec. 21, 2004.

A sophomore majoring in computer science at the University of Electronic Science and Technology of China in Chengdu, who is also a group member, is now responsible for personnel management of the group and the Web site maintenance.

The student, surnamed Yang, said: "I can design a computer virus in a few minutes, which can disable the mouse and computer, but I will not do this because the mission of a 'Red Hacker' member is to protect the Web sites from being attacked."

The Web site also has a supervision committee to supervise its members' behaviors and cancel the memberships of those who violate its rules by attacking other Web sites.
From isn at c4i.org Wed Apr 27 01:23:40 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 27 01:32:50 2005
Subject: [ISN] Insecurities over Indian outsourcing
Message-ID:

http://news.com.com/Insecurities+over+Indian+outsourcing/2100-7355_3-5685170.html

By Ed Frauenheim
Staff Writer, CNET News.com
April 26, 2005

A case of bank fraud involving an India-based outsourcer has rekindled a debate about using overseas contractors for tasks involving sensitive data. Some say there's little risk, while others warn of serious hazards, including a threat to America's national sovereignty.

In the incident, former call center employees of Mphasis are accused of taking part in a theft of $350,000 from U.S. consumers' bank accounts. In the wake of the theft, some observers have voiced concerns about the security of data being handled by outsourcers in India, including worries about weak procedures for checking employee backgrounds.

According to this school of thought, the Mphasis breach could dramatically dent the amount of call center work shipped to outsourcers operating offshore.

"This was not a lapse of judgment or an issue of poor customer service: The incident was an organized and systematic plot to steal customers' money," John McCarthy, an analyst at Forrester Research, wrote recently. "Forrester believes that this breach, coupled with recent onshore disclosures of sensitive customer data, will have far-reaching negative connotations for the offshore BPO (business process outsourcing) space."

Not everyone shares this view. But even the perception of danger could hurt the market. A report from rival researcher Gartner played down the security risks but made no bones about the seriousness of the situation.

"The entire Indian offshore industry ecosystem--including...the Indian government--must act quickly and decisively to counter the perception that Indian BPO poses a severe security risk," the report said.

Business process outsourcing, or BPO in industry parlance, refers to farming out tasks such as customer service and transaction processing to a separate company. The work could be done in the United States, or completed in lower-wage countries such as India or Mexico. In addition, some organizations have set up their own operations offshore. Shipping tasks offshore has become a controversial issue for U.S. labor advocates.

At the moment, U.S. organizations devote only a small fraction of their budgets for information technology services--including BPO--to low-cost countries, according to a recent Merrill Lynch survey of chief information officers. But that share of the budget is expected to grow over time, from 0.9 percent in 2004 to 1.6 percent in two to three years.

According to the Merrill Lynch report, security fears are the main reason CIOs aren't moving IT work offshore faster: The "key inhibitor preventing companies (from using) offshore outsourcing remains data security," the report said.

Earlier this month, news broke that police in India arrested three former Mphasis call center employees who allegedly stole U.S. customers' personal account information and transferred about $350,000 to fake accounts in Pune. Among other people arrested in the case was a current Mphasis call center worker, said Mphasis Vice Chairman Jeroen Tas. He said the perpetrators may have persuaded bank customers to disclose their account passwords.

A Times of India story cited unnamed sources in pegging Citibank as the bank in question. Citibank did not return a call requesting comment. Mphasis declined to comment on the identity of the bank. Mphasis, which has operations in India, China and Mexico, is led by former Citibank executives.

The Indian arrests come during a period of heightened anxiety about data security and identity theft.
In one of the latest examples, LexisNexis revealed that an intrusion into its Seisint databases may have compromised personal information on about 310,000 Americans, a tenfold increase on a previous estimate.

In 2003, the San Francisco Chronicle reported allegations that a woman in Pakistan doing clerical work for the University of California at San Francisco Medical Center had threatened to post patients' confidential files online unless she was paid more money. But most of the criticism of so-called offshoring has focused on other matters, such as service quality and communication problems.

Data security at companies providing call center services offshore is indeed an issue, however, according to industry observers. Checking into the credit and criminal backgrounds of employees is not as reliable in India as it is in the United States, said Vail Dutto, chief executive of InTelegy, a California-based consulting firm. Among other services, InTelegy helps clients choose call center outsourcers in India.

Dutto said Indian methods for tracking a person's past are not as mature as those in the United States, where an individual's misdeeds in one state are likely to turn up when the person applies for a job in another. "What you did in Bangalore might not as easily follow you to Mumbai," Dutto said.

Mphasis' Tas agreed that checking the backgrounds of employees in India is more difficult than in the United States. "It is harder to track that," he said. But the background-checking process for call center employees and other BPO workers in India could improve, Tas said, thanks to plans by the country's National Association of Software and Service Companies, or Nasscom, to set up a national registry of BPO workers.

Another concern is employee attrition. Thanks partly to the perception that BPO work amounts to a dead-end job, attrition rates have been increasing in India. Higher turnover works against efforts by call center companies to run a tight ship, argues Forrester Research analyst McCarthy.

"Forrester expects that the rising attrition rates in the call center space--50 percent to 100 percent--undermine suppliers' ability to adhere to processes and sufficiently check backgrounds," McCarthy wrote in his report earlier this month. McCarthy also suggested the Mphasis breach will seriously hurt the offshore BPO business. "Call center BPO growth could drop by as much as 30 percent," he wrote.

Tas called the Forrester report "sensational." He said Mphasis' annual turnover among BPO employees was in the range of 30 percent to 40 percent, and he said that level is not unusual for call centers worldwide.

In a statement made on April 13, Mphasis said it "highly values data protection and data security of its clients. It has proactively instituted elaborate systems which are constantly reviewed, to ensure and protect client confidentiality."

Among its rules, Tas said, are that cell phones aren't allowed in call centers, given the ability of some of them to take pictures. In addition, between 2 percent and 5 percent of calls are monitored at Mphasis BPO facilities. This is consistent with the norms in the industry, according to the company.

Tas said the alleged fraud is not a sign of security problems specific to shipping call center work overseas. "We believe this is something that can happen anywhere," he said.

But losing control of sensitive data abroad is particularly worrisome, argues Peter Gregory, chief security strategist at consulting firm VantagePoint Security. "Outsourcing America's corporate business processes to overseas countries not only makes accountability difficult to enforce, but it puts our national sovereignty at risk," Gregory said in a statement. "In this, the Information Age, a country like India could disconnect itself from the Internet and hold America hostage--a provocative action that would be tantamount to an act of war."

In its report earlier this month, Gartner offered a much less grave assessment. The idea that offshore business process outsourcing presents special risks is a "largely incorrect perception," the firm said. But Gartner and others seem concerned the perception alone could torpedo the industry.

In a statement earlier this month, Mphasis appeared to acknowledge the fraud could have a potentially large impact on India's BPO industry. "We have instituted our own internal inquiry and taken necessary short-term and long-term measures in consultation with Nasscom and the bank concerned, to protect our clients and their customers, and safeguard the security and integrity of the BPO business in India," an Mphasis representative said in the statement.

Some see a silver lining for offshoring in the fraud case. Tas said the response by police in India shows that the system of laws and law enforcement in India "works well, and it works swiftly."

"India is fast becoming the outsourcing capital of the world, and this kind of incident, while unfortunate in itself, when successfully dealt with, highlights and reaffirms the existence of an effective framework of laws and a commitment to enforcing them in India," Nasscom President Kiran Karnik said in a statement.

Nasscom has set up an Indo-U.S. security forum to make its members aware of security and privacy issues when they handle sensitive information from foreign companies. Nasscom also recently launched a security initiative in Pune with local IT companies and police.

That may not be enough to satisfy the public, however. Earlier this month, Sen. Dianne Feinstein, a California Democrat, introduced legislation to ensure that Americans are notified when their most sensitive personal information is part of a data breach that puts them at risk of identity theft.

Politicians in India as well would be wise to act, McCarthy argues. "To bolster its offshore credibility, India will also have to tighten its data protection and privacy laws," he wrote in his report. He also suggests that companies sending tasks offshore take an active role in managing their remote work, even going so far as to mandate pencil-free offices: "Customers are going to have to implement their own aggressive requirements, such as eliminating writing instruments in their offshore centers."

From isn at c4i.org Wed Apr 27 01:24:02 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 27 01:32:53 2005
Subject: [ISN] Most computer hacking an 'inside job'
Message-ID:

http://www.vnunet.com/news/1162718

Iain Thomson
InfoSec in London
vnunet.com
26 Apr 2005

The vast majority of computer hacking is done by current and former employees, according to the Metropolitan Police.

In a panel session at this year's InfoSecurity Europe conference, Detective Inspector Chris Simpson of the Metropolitan Police Computer Crime Unit told delegates that one of the first steps in any investigation is to check employee details.

"In the vast majority of cases we investigate the culprits are current or former employees," he said. "They are not hacking into systems using flaws in software. Instead they are using flaws in the security procedures of the company to carry out their attack."

Simpson added that electronic crime is definitely on the rise and outlined the main threat vectors. Online organised crime is originating predominantly from eastern Europe, while the biggest spammers are found in the US, China and Germany. Script kiddies are predominantly from the US, Canada or Britain and their numbers are on the rise thanks to the popularity of virus creation kits.
Meanwhile the Crown Prosecution Service (CPS) is gearing up for more computer crime. "We have come to the conclusion that computer crime is here to stay," said Ester George, policy advisor to the CPS. "Computers now touch almost every case, hacking or otherwise. The convergence of phones and PDAs is increasing this."

George cited two non-hacking events where computers were crucial to the case. In one, a man went berserk and attacked passers-by, claiming diminished responsibility. But his internet logs showed that he'd been researching his likely sentence online before carrying out the attacks.

In the other case a child was brought into hospital and died of pneumonia. The parent was charged after internet logs showed that sites had been visited that identified factors in catching the infection.

To prepare for this, the CPS has set up a training scheme which teaches barristers how to handle high-tech cases. To date 110 prosecutors have attended the course.

From isn at c4i.org Wed Apr 27 01:24:14 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Apr 27 01:32:56 2005
Subject: [ISN] Web defacements and server hacks on the rise
Message-ID:

http://news.zdnet.co.uk/internet/security/0,39020375,39196291,00.htm

Dan Ilett
ZDNet UK
April 25, 2005

Brief: Hackers in 2004 attacked more Web sites and servers than ever before, a security research group says.

Hackers carried out almost 500,000 more attacks on Web sites and servers last year than in 2003, according to independent research.

A study carried out by Zone-H, a Web site where hackers report their activity, found that global Web server attacks and Web site defacements rose by over 400,000 (36 percent) compared to 2003 figures.

"Defacement is just one option for an attacker," said Roberto Preatoni, the founder of Zone-H. "In most circumstances the techniques used by defacers are the same used by serious criminals to cause damage.
The data on cybercrime provides information on the evolution of trends and [this] allows system administrators to close the security holes that are used."

The report said that an average of roughly 2,500 Web servers (out of approximately 45 million) were hacked every day last year, and that 70,357 single Web defacements occurred over the year. US government servers were hit 186 times using individually tailored "special attacks", while US military servers received 49 such attacks.

Preatoni said that Web server attacks are likely to rocket as the adoption of 3G and VoIP services becomes increasingly common.

"Once GSM telephone platforms are replaced by VoIP and 3G phones, which work in the same way as Internet servers, the number of Web servers will increase to 1.5bn," he said. "Each of these phones will potentially be subject to the same vulnerabilities as traditional Web servers and personal computers. [This] could even turn the phones into remote-controlled snooping devices, opening the way to massive industrial espionage incidents."

Zone-H has archived 900,000 digital attacks in five years.

From isn at c4i.org Fri Apr 29 05:23:00 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Apr 29 05:37:24 2005
Subject: [ISN] F-Secure pros issue hacker challenge
Message-ID:

http://www.theinquirer.net/?article=22879

By INQUIRER staff
28 April 2005

DEVELOPERS AT F-Secure have issued a challenge to hackers to find an embedded message in a .EXE file.

The challenge looks quite tricky, and the winner gets a free ticket to the T2'05 info sec conference in Finland, but unfortunately only if she or he lives in Finland.

As well as figuring out the message, and sending it to a pre-defined email address, information about the methods and tools must be supplied.

There's more information, and the rules of the challenge, here [1].
[1] http://www.t2.fi/english/challenge-05.html

From isn at c4i.org Fri Apr 29 05:23:22 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Apr 29 05:37:31 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-17
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2005-04-21 - 2005-04-28

This week : 98 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

Want a new IT Security job?

Vacant positions at Secunia:
http://secunia.com/secunia_vacancies/

========================================================================
2) This Week in Brief:

Microsoft Windows XP is vulnerable to a DoS (Denial of Service) vulnerability, which can be exploited when e.g. a vulnerable user visits a malicious web site using Internet Explorer. Successful exploitation would cause the system to crash.

Currently, no solution is available from the vendor.

Reference:
http://secunia.com/SA15064

--

A vulnerability has been reported in KDE, which can be exploited by malicious people to compromise a user's system.

The vendor has released patches, which can be found in the referenced Secunia advisory below.

References:
http://secunia.com/SA15060

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA15023] Realplayer/RealOne RAM File Processing Buffer Overflow Vulnerability
2.  [SA14820] Mozilla Firefox JavaScript Engine Information Disclosure Vulnerability
3.  [SA15103] Netscape GIF Image Netscape Extension 2 Buffer Overflow
4.  [SA15064] Microsoft Windows Image Rendering Denial of Service Vulnerability
5.  [SA15017] Microsoft Windows Explorer Web View Script Insertion Vulnerability
6.  [SA14938] Mozilla Firefox Multiple Vulnerabilities
7.  [SA14654] Mozilla Firefox Three Vulnerabilities
8.  [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerabilities
9.  [SA12889] Microsoft Internet Explorer Multiple Vulnerabilities
10. [SA14821] Mozilla Suite JavaScript Engine Information Disclosure Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA15103] Netscape GIF Image Netscape Extension 2 Buffer Overflow
[SA15068] MailEnable Unspecified IMAP and SMTP Vulnerabilities
[SA15062] MailEnable HTTPMail Connector Authorization Header Buffer Overflow
[SA15140] NetTerm NetFtpd "USER" Command Buffer Overflow Vulnerability
[SA15137] MetaCart e-Shop Two SQL Injection Vulnerabilities
[SA15136] MetaBid Three SQL Injection Vulnerabilities
[SA15134] MetaCart Multiple SQL Injection Vulnerabilities
[SA15108] Citrix Program Neighborhood Agent Two Vulnerabilities
[SA15105] ACS Blog Login Check Security Bypass Vulnerability
[SA15104] OneWorldStore "idOrder" Disclosure of Sensitive Information
[SA15101] nProtect Netizen Arbitrary File Placement Vulnerability
[SA15100] Argosoft Mail Server Cross-Site Scripting and Script Insertion
[SA15087] Musicmatch Jukebox Two Vulnerabilities
[SA15072] BK Forum SQL Injection Vulnerabilities
[SA15071] StorePortal SQL Injection Vulnerabilities
[SA15066] Asp Nuke Cross-Site Scripting and SQL Injection Vulnerabilities
[SA15057] OneWorldStore "chksettings.asp" Denial of Service Vulnerability
[SA15055] CartWIZ Cross-Site Scripting and SQL Injection Vulnerabilities
[SA15052] Yawcam Web Server Directory Traversal Vulnerability
[SA15106] ACS Blog Unspecified Cross-Site Scripting Vulnerability
[SA15064] Microsoft Windows Image Rendering Denial of Service Vulnerability
[SA15085] Novell NSure Audit ASN.1 Message Parsing Denial of Service
[SA15118] dBpowerAMP Music Converter Privilege Escalation Vulnerability
[SA15076] BitDefender Insecure Program Execution Vulnerability

UNIX/Linux:
[SA15148] Debian update for lsh-utils
[SA15146] Debian update for kdelibs
[SA15139] Red Hat update for mozilla
[SA15129] Gentoo update for xine-lib
[SA15122] HP-UX Mozilla Multiple Vulnerabilities
[SA15113] Sun Solaris Multiple libtiff Vulnerabilities
[SA15111] Red Hat update for openoffice
[SA15096] Gentoo update for kdelibs
[SA15095] Gentoo update for realplayer/helixplayer
[SA15069] Slackware update for mozilla
[SA15065] xine-lib RTSP and MMS Streams Buffer Overflow Vulnerabilities
[SA15162] Fedora update for cyrus-imapd
[SA15131] Gentoo update for Convert-UUlib
[SA15126] Debian CVS Password Protection Bypass and Denial of Service
[SA15123] HP-UX Unspecified TCP/IP Denial of Service Vulnerability
[SA15117] Astaro update for kernel
[SA15114] Gentoo update for egroupware
[SA15112] Red Hat update for cvs
[SA15102] NetIQ Security Manager Directory Traversal Security Bypass
[SA15099] SafeStone DetectIT Directory Traversal Security Bypass
[SA15097] Gentoo update for kdewebdev
[SA15094] PowerLock NetworkSecurity Directory Traversal Security Bypass
[SA15092] Red Hat update for kernel
[SA15091] Bsafe/Global Security for iSeries Directory Traversal Security Bypass
[SA15090] FreeBSD update for cvs
[SA15088] Castlehill Computer Services SECURE/NET Directory Traversal Security Bypass
[SA15070] Slackware update for python
[SA15063] RazLee Firewall+++ Directory Traversal Security Bypass
[SA15061] Slackware update for cvs
[SA15060] KDE Kommander Arbitrary Code Execution Vulnerability
[SA15056] Trustix update for cvs
[SA15053] Debian update for junkbuster
[SA15120] Snmppd Logging Functionality Format String Vulnerability
[SA15157] Conectiva update for squid
[SA15144] Ethereal RSVP Protocol Decoding Denial of Service Vulnerability
[SA15125] tcpdump Multiple Denial of Service Vulnerabilities
[SA15119] SqWebMail "redirect" HTTP Response Splitting Vulnerability
[SA15082] Forwards Parent Frame Page Title Cross-Site Scripting Vulnerability
[SA15081] Accounts Parent Frame Page Title Cross-Site Scripting Vulnerability
[SA15080] Kronolith Parent Frame Page Title Cross-Site Scripting Vulnerability
[SA15079] Nag Parent Frame Page Title Cross-Site Scripting Vulnerability
[SA15078] Mnemo Parent Frame Page Title Cross-Site Scripting Vulnerability
[SA15077] Horde IMP Parent Frame Page Title Cross-Site Scripting Vulnerability
[SA15075] Passwd Parent Frame Page Title Cross-Site Scripting Vulnerability
[SA15074] Turba Parent Frame Page Title Cross-Site Scripting Vulnerability
[SA15073] Vacation Parent Frame Page Title Cross-Site Scripting Vulnerability
[SA15115] Trustix update for postgresql
[SA15098] BIG-IP / 3-DNS Radius Authentication "login_radius" Security Bypass
[SA15132] Gentoo update for rkhunter
[SA15127] Rootkit Hunter Insecure Temporary File Creation
[SA15086] Affix "affix_sock_register()" Privilege Escalation Vulnerability
[SA15051] Gentoo update for openmosixview
[SA15163] Conectiva update for gaim
[SA15151] Fedora update for imagemagick
[SA15149] Debian update for gaim
[SA15124] ImageMagick PNM Image Decoding Buffer Overflow Vulnerability
[SA15059] Slackware update for gaim
[SA15138] Red Hat update for sharutils

Other:

Cross Platform:
[SA15133] GrayCMS "path_prefix" File Inclusion Vulnerability
[SA15107] yappa-ng Cross-Site Scripting and File Inclusion Vulnerabilities
[SA15054] WebAPP E-Cart Module Shell Command Injection Vulnerability
[SA15147] PHPCart Price Manipulation Vulnerability
[SA15145] Serendipity Multiple Vulnerabilities
[SA15141] phpMyVisites "mylang" Local File Inclusion Vulnerability
[SA15130] Perl Convert::UUlib Module Buffer Overflow Vulnerability
[SA15116] PHP-Calendar SQL Injection Vulnerability
[SA15109] MaxDB Web Administration Service Buffer Overflow Vulnerabilities
[SA15121] Confixx "change user" SQL Injection Vulnerability
[SA15110] VooDoo cIRCle BOTNET Buffer Overflow Vulnerability
[SA15084] phpMyVisites Cross-Site Scripting Vulnerabilities
[SA15083] Chora Parent Frame Page Title Cross-Site Scripting Vulnerability
[SA15067] IBM WebSphere Application Server Cross-Site Scripting Vulnerability
[SA15058] Woltlab Burning Board Two Cross-Site Scripting Vulnerabilities
[SA15050] Macromedia ColdFusion Error Page Cross-Site Scripting

========================================================================
5) Vulnerabilities Content Listing

Windows:
--

[SA15103] Netscape GIF Image Netscape Extension 2 Buffer Overflow

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-04-26

A vulnerability has been reported in Netscape, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15103/

--

[SA15068] MailEnable Unspecified IMAP and SMTP Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-04-26

Some vulnerabilities have been reported in MailEnable Professional and MailEnable Enterprise, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15068/

--

[SA15062] MailEnable HTTPMail Connector Authorization Header Buffer Overflow

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-04-22

CorryL has reported a vulnerability in MailEnable, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/15062/

--

[SA15140] NetTerm NetFtpd "USER" Command Buffer Overflow Vulnerability

Critical: Highly critical
Where: From local network
Impact: System access
Released: 2005-04-27

Sergio Alvarez has reported a vulnerability in NetTerm, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15140/

--

[SA15137] MetaCart e-Shop Two SQL Injection Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-04-27

Diabolic Crab has reported two vulnerabilities in MetaCart e-Shop, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15137/

--

[SA15136] MetaBid Three SQL Injection Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-04-27

Diabolic Crab has reported some vulnerabilities in MetaBid, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15136/

--

[SA15134] MetaCart Multiple SQL Injection Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-04-27

Diabolic Crab has reported some vulnerabilities in MetaCart for SQL Server, MetaCart for PayPal and MetaCart for PayFlow Link, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15134/

--

[SA15108] Citrix Program Neighborhood Agent Two Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-04-26

Patrik Karlsson has reported two vulnerabilities in Citrix Program Neighborhood Agent, which can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/15108/

--

[SA15105] ACS Blog Login Check Security Bypass Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-04-25

farhad koosha has reported a vulnerability in ACS Blog, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/15105/

--

[SA15104] OneWorldStore "idOrder" Disclosure of Sensitive Information

Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-04-25

Lostmon has reported a vulnerability in OneWorldStore, which can be exploited by malicious people to disclose some sensitive information.

Full Advisory:
http://secunia.com/advisories/15104/

--

[SA15101] nProtect Netizen Arbitrary File Placement Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-04-25

Keigo Yamazaki has reported a vulnerability in nProtect Netizen, which can be exploited by malicious people to place arbitrary files on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15101/

--

[SA15100] Argosoft Mail Server Cross-Site Scripting and Script Insertion

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-04-26

ShineShadow has discovered two vulnerabilities in Argosoft Mail Server, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks.

Full Advisory:
http://secunia.com/advisories/15100/

--

[SA15087] Musicmatch Jukebox Two Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Unknown, Manipulation of data
Released: 2005-04-25

Two vulnerabilities have been reported in Musicmatch Jukebox, where one has an unknown impact, and the other can be exploited by malicious people to create or overwrite arbitrary files.
Full Advisory: http://secunia.com/advisories/15087/

--
[SA15072] BK Forum SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-04-25

Diabolic Crab has reported some vulnerabilities in BK Forum, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/15072/

--
[SA15071] StorePortal SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-04-25

Diabolic Crab has reported some vulnerabilities in StorePortal, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/15071/

--
[SA15066] Asp Nuke Cross-Site Scripting and SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-04-25

Diabolic Crab has reported some vulnerabilities in Asp Nuke, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory: http://secunia.com/advisories/15066/

--
[SA15057] OneWorldStore "chksettings.asp" Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-04-22

Lostmon has reported a vulnerability in OneWorldStore, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/15057/

--
[SA15055] CartWIZ Cross-Site Scripting and SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of system information
Released: 2005-04-25

Diabolic Crab has reported some vulnerabilities in CartWIZ, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/15055/

--
[SA15052] Yawcam Web Server Directory Traversal Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2005-04-22

Donato Ferrante has reported a vulnerability in Yawcam, which can be exploited by malicious people to gain knowledge of sensitive information.

Full Advisory: http://secunia.com/advisories/15052/

--
[SA15106] ACS Blog Unspecified Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-04-25

A vulnerability has been reported in ACS Blog, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/15106/

--
[SA15064] Microsoft Windows Image Rendering Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-04-22

Andrew has discovered a vulnerability in Windows, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/15064/

--
[SA15085] Novell NSure Audit ASN.1 Message Parsing Denial of Service
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-04-25

Dennis Rand has reported a vulnerability in Novell NSure Audit, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/15085/

--
[SA15118] dBpowerAMP Music Converter Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-04-26

fRoGGz has discovered a vulnerability in dBpowerAMP Music Converter, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/15118/

--
[SA15076] BitDefender Insecure Program Execution Vulnerability
Critical: Not critical
Where: Local system
Impact: Privilege escalation, DoS
Released: 2005-04-26

fRoGGz has reported a vulnerability in BitDefender, which can be exploited by malicious, local users to disable the virus protection or gain escalated privileges.

Full Advisory: http://secunia.com/advisories/15076/

UNIX/Linux:

--
[SA15148] Debian update for lsh-utils
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-04-27

Debian has issued an update for lsh-utils. This fixes two vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15148/

--
[SA15146] Debian update for kdelibs
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-04-27

Debian has issued an update for kdelibs. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15146/

--
[SA15139] Red Hat update for mozilla
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, System access
Released: 2005-04-27

Red Hat has issued an update for mozilla. This fixes some vulnerabilities, which can be exploited by malicious people to gain knowledge of potentially sensitive information, conduct cross-site scripting attacks, bypass certain security restrictions, and compromise a user's system.

Full Advisory: http://secunia.com/advisories/15139/

--
[SA15129] Gentoo update for xine-lib
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-04-27

Gentoo has issued an update for xine-lib.
This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/15129/

--
[SA15122] HP-UX Mozilla Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Exposure of system information, Exposure of sensitive information, DoS, System access
Released: 2005-04-26

HP has acknowledged multiple vulnerabilities in Mozilla for HP-UX, which can be exploited by malicious people to cause a DoS (Denial of Service), gain knowledge of potentially sensitive information, bypass certain security restrictions, and compromise a user's system.

Full Advisory: http://secunia.com/advisories/15122/

--
[SA15113] Sun Solaris Multiple libtiff Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-04-26

Sun has acknowledged some vulnerabilities in Solaris, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15113/

--
[SA15111] Red Hat update for openoffice
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-04-26

Red Hat has issued an update for openoffice. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/15111/

--
[SA15096] Gentoo update for kdelibs
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-04-25

Gentoo has issued an update for kdelibs. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15096/

--
[SA15095] Gentoo update for realplayer/helixplayer
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-04-25

Gentoo has issued updates for realplayer and helixplayer.
These fix a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/15095/

--
[SA15069] Slackware update for mozilla
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, System access
Released: 2005-04-22

Slackware has issued an update for mozilla. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, gain knowledge of potentially sensitive information, and compromise a user's system.

Full Advisory: http://secunia.com/advisories/15069/

--
[SA15065] xine-lib RTSP and MMS Streams Buffer Overflow Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-04-22

Some vulnerabilities have been reported in xine-lib, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/15065/

--
[SA15162] Fedora update for cyrus-imapd
Critical: Moderately critical
Where: From remote
Impact: System access, DoS
Released: 2005-04-28

Fedora has issued an update for cyrus-imapd. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15162/

--
[SA15131] Gentoo update for Convert-UUlib
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-04-27

Gentoo has issued an update for Convert-UUlib. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/15131/

--
[SA15126] Debian CVS Password Protection Bypass and Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS, Security Bypass
Released: 2005-04-27

Debian has issued an update for cvs. This fixes two vulnerabilities, which can be exploited by malicious people to bypass password protection or cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/15126/

--
[SA15123] HP-UX Unspecified TCP/IP Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-04-26

A vulnerability has been reported in HP-UX, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/15123/

--
[SA15117] Astaro update for kernel
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-04-26

Astaro has issued an update for the kernel. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/15117/

--
[SA15114] Gentoo update for egroupware
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-04-26

Gentoo has issued an update for egroupware. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory: http://secunia.com/advisories/15114/

--
[SA15112] Red Hat update for cvs
Critical: Moderately critical
Where: From remote
Impact: System access, DoS, Unknown
Released: 2005-04-26

Red Hat has issued an update for cvs. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/15112/

--
[SA15102] NetIQ Security Manager Directory Traversal Security Bypass
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-04-25

NOTE: Based on information from the vendor, this is NOT a security issue in the mentioned product and the advisory has therefore been revoked.

Full Advisory: http://secunia.com/advisories/15102/

--
[SA15099] SafeStone DetectIT Directory Traversal Security Bypass
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-04-25

Shalom Carmel has reported a security issue in SafeStone DetectIT, which can be exploited by malicious users to bypass certain restrictions.

Full Advisory: http://secunia.com/advisories/15099/

--
[SA15097] Gentoo update for kdewebdev
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-04-25

Gentoo has issued an update for kdewebdev. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/15097/

--
[SA15094] PowerLock NetworkSecurity Directory Traversal Security Bypass
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-04-25

Shalom Carmel has reported a security issue in PowerLock NetworkSecurity, which can be exploited by malicious users to bypass certain restrictions.

Full Advisory: http://secunia.com/advisories/15094/

--
[SA15092] Red Hat update for kernel
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information, Privilege escalation, DoS
Released: 2005-04-25

Red Hat has issued an update for the kernel. This fixes multiple vulnerabilities, which can be exploited to gain knowledge of potentially sensitive information, cause a DoS (Denial of Service), or gain escalated privileges.
Full Advisory: http://secunia.com/advisories/15092/

--
[SA15091] Bsafe/Global Security for iSeries Directory Traversal Security Bypass
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-04-25

Shalom Carmel has reported a security issue in Bsafe/Global Security for iSeries, which can be exploited by malicious users to bypass certain restrictions.

Full Advisory: http://secunia.com/advisories/15091/

--
[SA15090] FreeBSD update for cvs
Critical: Moderately critical
Where: From remote
Impact: Unknown, DoS, System access
Released: 2005-04-25

FreeBSD has issued an update for cvs. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15090/

--
[SA15088] Castlehill Computer Services SECURE/NET Directory Traversal Security Bypass
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-04-25

Shalom Carmel has reported a security issue in Castlehill Computer Services SECURE/NET, which can be exploited by malicious users to bypass certain restrictions.

Full Advisory: http://secunia.com/advisories/15088/

--
[SA15070] Slackware update for python
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data, Exposure of sensitive information, System access
Released: 2005-04-22

Slackware has issued an update for python. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/15070/

--
[SA15063] RazLee Firewall+++ Directory Traversal Security Bypass
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-04-25

Shalom Carmel has reported a security issue in RazLee Firewall+++, which can be exploited by malicious users to bypass certain restrictions.
Full Advisory: http://secunia.com/advisories/15063/

--
[SA15061] Slackware update for cvs
Critical: Moderately critical
Where: From remote
Impact: Unknown, DoS, System access
Released: 2005-04-22

Slackware has issued an update for cvs. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15061/

--
[SA15060] KDE Kommander Arbitrary Code Execution Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-04-22

Eckhart Wörner has reported a vulnerability in KDE, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/15060/

--
[SA15056] Trustix update for cvs
Critical: Moderately critical
Where: From remote
Impact: Unknown, DoS, System access
Released: 2005-04-22

Trustix has issued an update for cvs. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15056/

--
[SA15053] Debian update for junkbuster
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, DoS, System access
Released: 2005-04-22

Debian has issued an update for junkbuster. This fixes two vulnerabilities, which can be exploited by malicious people to manipulate certain information, cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15053/

--
[SA15120] Snmppd Logging Functionality Format String Vulnerability
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2005-04-26

dong-houn you has reported a vulnerability in Snmppd, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/15120/

--
[SA15157] Conectiva update for squid
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-04-28

Conectiva has issued an update for squid. This fixes a security issue, which may disclose sensitive information to malicious people.

Full Advisory: http://secunia.com/advisories/15157/

--
[SA15144] Ethereal RSVP Protocol Decoding Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-04-27

Vade79 has reported a vulnerability in Ethereal, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/15144/

--
[SA15125] tcpdump Multiple Denial of Service Vulnerabilities
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-04-27

Vade79 has reported some vulnerabilities in tcpdump, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/15125/

--
[SA15119] SqWebMail "redirect" HTTP Response Splitting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-04-26

Zinho has reported a vulnerability in SqWebMail, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/15119/

--
[SA15082] Forwards Parent Frame Page Title Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-04-25

A vulnerability has been reported in Forwards, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/15082/

--
[SA15081] Accounts Parent Frame Page Title Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-04-25

A vulnerability has been reported in Accounts, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/15081/

--
[SA15080] Kronolith Parent Frame Page Title Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-04-25

A vulnerability has been reported in Kronolith, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/15080/

--
[SA15079] Nag Parent Frame Page Title Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-04-25

A vulnerability has been reported in Nag, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/15079/

--
[SA15078] Mnemo Parent Frame Page Title Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-04-25

A vulnerability has been reported in Mnemo, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/15078/

--
[SA15077] Horde IMP Parent Frame Page Title Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-04-25

A vulnerability has been reported in Horde IMP, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/15077/

--
[SA15075] Passwd Parent Frame Page Title Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-04-25

A vulnerability has been reported in Passwd, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/15075/

--
[SA15074] Turba Parent Frame Page Title Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-04-25

A vulnerability has been reported in Turba, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/15074/

--
[SA15073] Vacation Parent Frame Page Title Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-04-25

A vulnerability has been reported in Vacation, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/15073/

--
[SA15115] Trustix update for postgresql
Critical: Less critical
Where: From local network
Impact: Privilege escalation
Released: 2005-04-26

Trustix has issued an update for postgresql. This fixes some vulnerabilities, which can be exploited by malicious users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/15115/

--
[SA15098] BIG-IP / 3-DNS Radius Authentication "login_radius" Security Bypass
Critical: Less critical
Where: From local network
Impact: Security Bypass
Released: 2005-04-25

The vendor has acknowledged a vulnerability in BIG-IP and 3-DNS, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/15098/

--
[SA15132] Gentoo update for rkhunter
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-04-27

Gentoo has issued an update for rkhunter. This fixes some vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/15132/

--
[SA15127] Rootkit Hunter Insecure Temporary File Creation
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-04-27

Sune Kloppenborg Jeppesen and Tavis Ormandy have reported some vulnerabilities in Rootkit Hunter, which potentially can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/15127/

--
[SA15086] Affix "affix_sock_register()" Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-04-25

Kevin Finisterre has reported a vulnerability in Affix, which may be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/15086/

--
[SA15051] Gentoo update for openmosixview
Critical: Less critical
Where: Local system
Impact: Manipulation of data, Privilege escalation
Released: 2005-04-22

Gentoo has issued an update for openmosixview. This fixes some vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/15051/

--
[SA15163] Conectiva update for gaim
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-04-28

Conectiva has issued an update for gaim. This fixes some weaknesses, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/15163/

--
[SA15151] Fedora update for imagemagick
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-04-28

Fedora has issued an update for imagemagick. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/15151/

--
[SA15149] Debian update for gaim
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-04-27

Debian has issued an update for gaim. This fixes a weakness, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/15149/

--
[SA15124] ImageMagick PNM Image Decoding Buffer Overflow Vulnerability
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-04-27

Damian Put has reported a vulnerability in ImageMagick, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/15124/

--
[SA15059] Slackware update for gaim
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-04-22

Slackware has issued an update for gaim. This fixes some weaknesses, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/15059/

--
[SA15138] Red Hat update for sharutils
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2005-04-27

Red Hat has issued an update for sharutils. This fixes a vulnerability, which potentially can be exploited by malicious, local users to conduct certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/15138/

Other:

Cross Platform:

--
[SA15133] GrayCMS "path_prefix" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-04-27

Kold has reported a vulnerability in GrayCMS, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15133/

--
[SA15107] yappa-ng Cross-Site Scripting and File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2005-04-26

James Bercegay has reported some vulnerabilities in yappa-ng, which can be exploited by malicious people to conduct cross-site scripting attacks and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15107/

--
[SA15054] WebAPP E-Cart Module Shell Command Injection Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-04-22

SoulBlack has reported a vulnerability in the E-Cart module for WebAPP, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15054/

--
[SA15147] PHPCart Price Manipulation Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-04-27

Lostmon has reported a vulnerability in PHPCart, which can be exploited by malicious people to manipulate orders.

Full Advisory: http://secunia.com/advisories/15147/

--
[SA15145] Serendipity Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Unknown, Cross Site Scripting, Manipulation of data
Released: 2005-04-27

Some vulnerabilities have been reported in Serendipity. Some have unknown impacts, and the others can potentially be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/15145/

--
[SA15141] phpMyVisites "mylang" Local File Inclusion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-04-27

Max Cerny has reported a vulnerability in phpMyVisites, which can be exploited by malicious people to disclose sensitive information.

Full Advisory: http://secunia.com/advisories/15141/

--
[SA15130] Perl Convert::UUlib Module Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-04-27

A vulnerability has been reported in the Convert::UUlib module for Perl, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15130/

--
[SA15116] PHP-Calendar SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-04-27

A vulnerability has been reported in PHP-Calendar, which potentially can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/15116/

--
[SA15109] MaxDB Web Administration Service Buffer Overflow Vulnerabilities
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2005-04-26

Three vulnerabilities have been reported in MaxDB, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15109/

--
[SA15121] Confixx "change user" SQL Injection Vulnerability
Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2005-04-26

Erich Klaus has reported a vulnerability in Confixx, which can be exploited by malicious users to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/15121/

--
[SA15110] VooDoo cIRCle BOTNET Buffer Overflow Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-04-26

A vulnerability has been reported in VooDoo cIRCle, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/15110/

--
[SA15084] phpMyVisites Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-04-25

benjilenoob has reported some vulnerabilities in phpMyVisites, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/15084/

--
[SA15083] Chora Parent Frame Page Title Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-04-25

A vulnerability has been reported in Chora, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/15083/

--
[SA15067] IBM WebSphere Application Server Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-04-25

Dr_insane has reported a vulnerability in IBM WebSphere Application Server, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/15067/

--
[SA15058] Woltlab Burning Board Two Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-04-25

Two vulnerabilities have been reported in Woltlab Burning Board, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/15058/

--
[SA15050] Macromedia ColdFusion Error Page Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-04-26

Dr_insane has discovered a vulnerability in Macromedia ColdFusion, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/15050/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Fri Apr 29 05:25:56 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Apr 29 05:37:36 2005
Subject: [ISN] DEF CON - New CTF Organizers chosen!
Message-ID:

Forwarded from: The Dark Tangent

DEF CON is proud to announce that the new hosts for Capture the Flag this year will be Kenshoto!

COMPETE!

Capture the Flag has been reborn. A brave new group has stepped up to the plate and is continuing the tradition of savage virtual warfare. "KENSHOTO" are the new hosts of CTF. They consist of names that you're familiar with and whose members belong to organizations you've heard of. The Kenshoto includes high-placing CTF participants, as well as past CTF organizers.

There are several changes to the contest this year. Individuals will now compete as well as teams. While team size will not be limited, only eight players per team can play at any given time. Specifics of game rules will be available to those that enter the preliminary qualifying rounds.
To sign up, qualify, and get more information visit http://www.kenshoto.com/ COMPETE [unofficially]! The "unofficial" Capture the Flag, Amateur Edition has been born. Over the years CTF has evolved and matured, raising the bar on participants' skill levels and increasing the difficulty to enter the game. While this has resulted in impressive players and teams, it has been increasingly difficult for the "average Joe hacker" to have some fun and test their skills. Amateur CTF will be open to all participants in a format that more closely resembles early DEFCON CTF games. There will be no official teams, so make sure that you bring extra caffeine; the only thing keeping you from winning is sleep and skill. Virus-X will be your host.
From isn at c4i.org Fri Apr 29 05:27:11 2005 From: isn at c4i.org (InfoSec News) Date: Fri Apr 29 05:37:39 2005 Subject: [ISN] Security UPDATE -- Browser History: What Happened? -- April 27, 2005 Message-ID:
==================== This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE. Simplify Software, Desktop and Server Management http://list.windowsitpro.com/t?ctl=87E6:4FB69 Phishing, viruses, bot-nets and more: How to prevent the "Perfect Storm" from devastating your email system http://list.windowsitpro.com/t?ctl=87CD:4FB69
====================
1. In Focus - Browser History: What Happened?
2. Security News and Features - Recent Security Vulnerabilities - Firefox 1.0.3--Nine Security Fixes - Credit Card Companies to Enforce Payment Card Industry Standard - Putting OpenVPN to Work
3. Security Toolkit - Security Matters Blog - FAQ - Security Forum Featured Thread
4.
New and Improved - Fast Security ==================== ==== Sponsor: KACE ==== Simplify Software, Desktop and Server Management KBOX by KACE is a simple, affordable solution that delivers complete inventory, software deployment, patch management, software update, reporting and more. Finally there's a complete solution that lets you act on your information. It's all in the (K)BOX. This self-contained appliance is a snap to implement and use and costs less than you'd expect. Find out why leading companies are choosing KBOX by KACE every day and learn how you can take advantage of our 45-day return policy that guarantees your satisfaction. http://list.windowsitpro.com/t?ctl=87E6:4FB69 ==================== ==== 1. In Focus - Browser History: What Happened? ==== by Mark Joseph Edwards, News Editor, mark at ntsecurity / net Occasionally, you might need to trace a user's Web-browsing path. Manual forensic analysis, which involves digging through cookie files, the browser's cache, and browser history data, isn't easy. For a good rundown on forensic analysis of browser activity, you should consider reading "Web Browser Forensics, Part 1," by Keith J. Jones and Rohyt Belani of Red Cliff Consulting. The article, published on the SecurityFocus Web site, offers a brief usage overview of some very useful tools: in particular, Pasco, Internet Explorer History Viewer, Web Historian, and Forensic Toolkit. http://list.windowsitpro.com/t?ctl=87E4:4FB69 Pasco is an open-source tool that can be used to reconstruct browser use from Microsoft Internet Explorer's (IE's) index.dat files. The files contain data such as which URLs were visited and when. Pasco is a command-line tool that creates a text-based output file. http://list.windowsitpro.com/t?ctl=87E7:4FB69 Internet Explorer History Viewer, available from Phillips Ponder, has been around for a while. 
It too can reconstruct IE usage and has the added benefits of being able to read Netscape history data and find fragments of deleted files in the Windows Recycle Bin. IE History costs $50. http://list.windowsitpro.com/t?ctl=87E2:4FB69 The free Web Historian, provided by Red Cliff Consulting, is more powerful than the previous two tools. It can help you analyze the historic usage of Internet Explorer, Mozilla, Firefox, Netscape, Opera, and Apple Computer's Safari. http://list.windowsitpro.com/t?ctl=87D7:4FB69 Forensic Toolkit (FTK), from AccessData, is the most powerful of the bunch, and at $995, it better be. It too can reconstruct browser use history, but it's also billed as a tool that can perform "complete and thorough forensics examinations." Among other tasks, Forensic Toolkit can index entire drives, allows quick text searches, and supports more than 270 file types. http://list.windowsitpro.com/t?ctl=87DE:4FB69 Now let's suppose for a minute that you don't want anybody to be able to perform such analysis on your systems. For example, if your laptop is stolen or lost, do you want whoever ends up with it to be able to find out detailed information about you by analyzing your surfing habits? To prevent someone else from accessing your data, you could implement disk encryption. You can also manually delete browser details (IE History and Cache) fairly easily, but you have to remember to do that, and you also need to erase the disk sectors to ensure that the data can't be recovered. I know that many standalone tools can do both these tasks quickly and effortlessly. Privacy Eraser is one example (which I haven't yet tried). http://list.windowsitpro.com/t?ctl=87E5:4FB69 Are any such tools that include centralized management available for an enterprise? If you know of any, please send me an email with the details or a URL. ==== Don't miss a Web chat with Randy Franklin Smith on the topic "The Security Event Log: The Unofficial Guide." 
It will take place May 4, 12:00 P.M. Eastern (9:00 A.M. Pacific). For more information, go to http://list.windowsitpro.com/t?ctl=87D3:4FB69 And, finally, you have less than one week left to vote for your favorite products in Windows IT Pro's annual Readers' Choice Awards. Voting ends May 2, so vote now at http://list.windowsitpro.com/t?ctl=87E8:4FB69 ==================== ==== Sponsor: Postini ==== Phishing, viruses, bot-nets and more: How to prevent the "Perfect Storm" from devastating your email system Unfortunately, fragmented appliance-based and software-based anti- spam solutions operating inside the email gateway can't prevent a potentially devastating impact on your email system and users. In this free white paper learn how you can protect your email boundary and stop attacks with a multi-layered approach that effectively prevents the perfect storm from ever reaching your email gateway. Download your copy now! http://list.windowsitpro.com/t?ctl=87CD:4FB69 ==================== ==== 2. Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://list.windowsitpro.com/t?ctl=87D4:4FB69 Firefox 1.0.3--Nine Security Fixes Mozilla Organization released Firefox 1.0.3 to correct nine security vulnerabilities. Interestingly enough, all the problems corrected in the new release relate to vulnerabilities that could be exploited via JavaScript. http://list.windowsitpro.com/t?ctl=87DD:4FB69 Credit Card Companies to Enforce Payment Card Industry Standard Most major credit card companies have adopted the Payment Card Industry (PCI) Data Security Standard, which was jointly developed by VISA and MasterCard. Adopters of the standard include American Express, Diners Club, Discover, and JCB International. 
http://list.windowsitpro.com/t?ctl=87DB:4FB69 Putting OpenVPN to Work You're probably familiar with Microsoft's RRAS VPN solutions, as well as commercial VPNs from vendors such as Cisco Systems and Nortel Networks, but you might not be aware of an open-source program called OpenVPN. Jeff Fellinge explains how to implement OpenVPN in this article on our Web site. http://list.windowsitpro.com/t?ctl=87DA:4FB69 ==================== ==== Resources and Events ==== Protect the Rest of Your Exchange Infrastructure There is more to data protection for Exchange than protecting mail and mail servers. In this free Web seminar, you'll learn some methods for anticipating, avoiding, and overcoming technical problems that can affect your Exchange environment, including corruption or errors in Active Directory, DNS problems, configuration errors, service pack installation, and more. Register now! http://list.windowsitpro.com/t?ctl=87CA:4FB69 Get Ready for SQL Server 2005 Roadshow in a City Near You Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Attend and receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now! http://list.windowsitpro.com/t?ctl=87CE:4FB69 Ensure SQL Server High Availability In this free Web seminar, discover how to maintain business continuity of your IT systems during routine maintenance and unplanned disasters. Learn critical factors for establishing a secure and highly available environment for SQL Server including overcoming the technology barriers that affect SQL Server high availability and Microsoft's out-of-the-box high-availability technologies such as clustering, log shipping, and replication. Register now! 
http://list.windowsitpro.com/t?ctl=87CB:4FB69 Configuring Blade Servers for Your Application Needs Blade servers pack a lot of function into a small space, conserve power, and are flexible. In this free, on-demand Web seminar, industry guru David Chernicoff details the best use of 1P, 2P, and 4P configurations using single and multiple enclosures; integrating with NAS and SAN; and managing the entire enterprise from a single console. Register now and take advantage of blade servers' power and flexibility. http://list.windowsitpro.com/t?ctl=87CF:4FB69 Discover All You Need to Know About 64-bit Computing in the Enterprise In this free, on-demand Web seminar, industry guru Michael Otey explores the need for 64-bit computing and looks at the type of applications that can make the best use of it. He'll explain why the most important factor in the 64-bit platform is increased memory. Discover the best platform for high performance and learn how you can successfully differentiate, migrate, and manage between 32-bit and 64- bit technology. Register now! http://list.windowsitpro.com/t?ctl=87CC:4FB69 ==================== ==== Featured White Paper ==== Get Rapid and Reliable Data and System Recovery Even under the best circumstances, performing a bare metal recovery from tape is tedious and unreliable. In this free white paper, learn how you can achieve unprecedented speed and reliability in recovering systems and data. http://list.windowsitpro.com/t?ctl=87C9:4FB69 ==================== ==== Hot Release ==== Security Event Management – It shouldn't cost a fortune to save a fortune Activeworx Security Center dramatically reduces the time, effort & cost required to collect, analyze, report & escalate critical security data. Activeworx consolidates multi-vendor security log data - providing an affordable solution for detailed event correlation to detect both known and unknown threats. Free Trial. http://list.windowsitpro.com/t?ctl=87E1:4FB69 ==================== ==== 3. 
Security Toolkit ==== Security Matters Blog by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=87E3:4FB69 Perils of Wardriving It's fairly common knowledge that some people set up Wi-Fi hotspots using the Wi-Fi cards in their own computers in hopes that someone will connect. Once a connection is made, an intrusion attempt begins against the machine that connected. Obviously it's not very smart to use any old Wi-Fi hotspot you come across just because it's there. http://list.windowsitpro.com/t?ctl=87DC:4FB69 FAQ by John Savill, http://list.windowsitpro.com/t?ctl=87DF:4FB69 Q: How can I configure the Windows Server 2003 Service Pack 1 (SP1) Windows Firewall from a command line? Find the answer at http://list.windowsitpro.com/t?ctl=87D5:4FB69 Security Forum Featured Thread A forum participant is looking for methods or products that can block all access to X-rated Web sites on his company's laptop computers and for security policy templates to use as a model for developing an acceptable-use policy. Join the discussion at: http://list.windowsitpro.com/t?ctl=87D0:4FB69 ==================== ==== Announcements ==== (from Windows IT Pro and its partners) Check Out the New Windows IT Security Newsletter! Security Administrator is now Windows IT Security. We've expanded our content to include even more fundamentals on building and maintaining a secure enterprise. Each issue also features product coverage of the best security tools available and expert advice on the best way to implement various security components. Plus, paid subscribers get online access to our entire security article database! Click here to try a sample issue today: http://list.windowsitpro.com/t?ctl=87D9:4FB69 Windows IT Security Monthly Pass = Quick Answers! Sign up today for your Windows IT Security Monthly Pass and get 24/7 online access to every article on the Windows IT Security Web site, including exclusive subscriber-only content. 
That's a database of more than 1900 security articles to help you get all the answers you need, when you need them! Sign up now: http://list.windowsitpro.com/t?ctl=87D1:4FB69 ==================== ==== 4. New and Improved ==== by Renee Munshi, products@windowsitpro.com Fast Security Metanetworks Technologies offers the MTP-1G Gigabit Ethernet and MTP-10G 10 Gigabit Ethernet cards, specifically designed to support existing open-source network security and monitoring applications, such as Intrusion Detection Systems (IDSs). The MTP-1G passes Gigabit Ethernet traffic and the MTP-10G passes 10 Gigabit Ethernet traffic between the card's two ports with 400 ns latency while performing wire- speed, stateful packet inspection. When determining whether to capture or block packets, the cards can apply up to 1500 wire-speed stateful policies per packet. When the cards capture packets, the cards present the packets to the OS as standard NICs in promiscuous mode. For more information, go to http://list.windowsitpro.com/t?ctl=87EB:4FB69 Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com. Editor's note: Share Your Security Discoveries and Get $100 Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length. ==================== ==== Sponsored Links ==== Quest Software Heading to Exchange from Notes or GroupWise? Get Expert Help! 
http://list.windowsitpro.com/t?ctl=87EC:4FB69 Best Practices for Establishing and Enforcing a Security Policy in Your Business Is your company prepared to fend off threats? Download this free white paper! http://list.windowsitpro.com/t?ctl=87ED:4FB69 ==================== ==== Contact Us ==== About the newsletter -- letters@windowsitpro.com About technical questions -- http://list.windowsitpro.com/t?ctl=87E9:4FB69 About product news -- products@windowsitpro.com About your subscription -- windowsitproupdate@windowsitpro.com About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com ==================== This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today. http://list.windowsitpro.com/t?ctl=87D8:4FB69 View the Windows IT Pro privacy policy at http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy Windows IT Pro, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2005, Penton Media, Inc. All rights reserved.
From isn at c4i.org Fri Apr 29 05:28:05 2005 From: isn at c4i.org (InfoSec News) Date: Fri Apr 29 05:37:44 2005 Subject: [ISN] Computer scientist sentenced to eight months for hacking Message-ID: Forwarded from: security curmudgeon
: http://www.usatoday.com/tech/news/computersecurity/hacking/2005-04-26-ebay-hacker-sentenced_x.htm
:
: 4/26/2005
:
: SAN JOSE, Calif. (AP) -- A former Los Alamos National Laboratory computer
: specialist was sentenced to eight months in prison Monday for hacking
: into and damaging the computers of several high-tech companies,
: including online auction giant eBay.
:
: Heckenkamp could have faced up to five years in prison but U.S.
: District Court Judge James Ware sentenced him to eight months in prison
: and eight months of electronic monitoring and home confinement. He also
: has to pay $268,291 in restitution and for three years cannot use a
: computer with Internet access without approval from a probation officer.
:
: Heckenkamp must report to prison by July 11.

From Heckenkamp's attorney: "Jerome has already served his eight months, back when he was representing himself and the case was getting out of control. In other words, the judge basically sentenced him to time served and all he has to do now is his home detention."
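The Security UPDATE "In Focus" column in the newsletter above describes Pasco reconstructing Internet Explorer browsing history from index.dat files (which URLs were visited, and when). What follows is an added example, not Pasco's code and not anything from Windows IT Pro or the InfoSec News list: a small Python walker that does the same job on an IE5-style index.dat image. It assumes the commonly documented record layout (records allocated in 128-byte blocks, a "URL " signature, last-modified and last-accessed FILETIMEs at record offsets 0x08 and 0x10, URL and filename string offsets at 0x34 and 0x3C, all relative to the record start) and the "Visited: user@url" form that History.IE5 uses for visit entries. The image it parses is constructed inline, not captured from a real machine, and every name in it (example.com, alice, logo[1].gif) is made up.

```python
"""
Reconstruct browsing activity from an IE5-style index.dat image, the job the
Security UPDATE column describes Pasco doing.  Added example: not Pasco's code.
Assumptions: the URL-record layout below is the commonly documented IE5/IE6 one
(128-byte blocks, "URL " signature, two FILETIMEs, string offsets relative to
the record); the index.dat image is constructed here, not a real capture.
"""
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 0x80                                   # records are allocated in 128-byte blocks
HEADER_MAGIC = b"Client UrlCache MMF Ver 5.2\x00"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ticks):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def utc_to_filetime(dt):
    """Inverse of filetime_to_utc; only needed to build the constructed sample."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def cstring(buf, off):
    """NUL-terminated latin-1 string at buf[off:]; an offset of 0 means 'field absent'."""
    if off == 0 or off >= len(buf):
        return ""
    end = buf.find(b"\x00", off)
    if end == -1:
        end = len(buf)
    return buf[off:end].decode("latin-1")


def split_history_url(raw):
    """History.IE5 stores a visit as 'Visited: <user>@<url>'; cache files store the bare URL."""
    if raw.startswith("Visited: ") and "@" in raw:
        user, _, url = raw[len("Visited: "):].partition("@")
        return user, url
    return None, raw


def parse_url_record(rec):
    """Decode one 'URL ' record; every offset is relative to the record start (assumed layout)."""
    modified, accessed = struct.unpack_from("<QQ", rec, 0x08)
    url_off, = struct.unpack_from("<I", rec, 0x34)
    fname_off, = struct.unpack_from("<I", rec, 0x3C)
    user, url = split_history_url(cstring(rec, url_off))
    return {
        "user": user,
        "url": url,
        "modified": filetime_to_utc(modified),
        "accessed": filetime_to_utc(accessed),
        "filename": cstring(rec, fname_off),   # cached copy on disk; empty for history entries
    }


def parse_index_dat(data):
    """Walk the file block by block and decode each 'URL ' record.

    Unallocated blocks and other record types (REDR, LEAK, hash tables) are skipped.
    """
    if not data.startswith(HEADER_MAGIC):
        raise ValueError("not a version 5.2 index.dat")
    entries, off = [], BLOCK                   # block 0 holds the file header
    while off + BLOCK <= len(data):
        nblocks = 1
        if data[off:off + 4] == b"URL ":
            nblocks, = struct.unpack_from("<I", data, off + 4)
            if nblocks == 0 or off + nblocks * BLOCK > len(data):
                nblocks = 1                    # corrupt length: resynchronise on the next block
            else:
                entries.append(parse_url_record(data[off:off + nblocks * BLOCK]))
        off += nblocks * BLOCK
    return entries


# --- constructed sample image (hypothetical data, not a real capture) --------

def build_url_record(raw_url, modified, accessed, filename=""):
    url_b = raw_url.encode("latin-1") + b"\x00"
    fname_b = filename.encode("latin-1") + b"\x00"
    url_off = 0x60                             # strings follow the fixed part of the record
    fname_off = url_off + len(url_b)
    nblocks = -(-(fname_off + len(fname_b)) // BLOCK)
    rec = bytearray(nblocks * BLOCK)
    rec[0:4] = b"URL "
    struct.pack_into("<I", rec, 0x04, nblocks)
    struct.pack_into("<QQ", rec, 0x08, utc_to_filetime(modified), utc_to_filetime(accessed))
    struct.pack_into("<I", rec, 0x34, url_off)
    struct.pack_into("<I", rec, 0x3C, fname_off if filename else 0)
    rec[url_off:url_off + len(url_b)] = url_b
    if filename:
        rec[fname_off:fname_off + len(fname_b)] = fname_b
    return bytes(rec)


def build_sample_image():
    header = bytearray(BLOCK)                  # real headers are larger and carry hash tables
    header[:len(HEADER_MAGIC)] = HEADER_MAGIC
    t = lambda *a: datetime(*a, tzinfo=timezone.utc)
    records = [
        build_url_record("Visited: alice@http://example.com/login",
                         t(2005, 4, 27, 14, 5), t(2005, 4, 27, 14, 5)),
        bytes(BLOCK),                          # an unallocated block in the middle
        build_url_record("http://example.com/img/logo.gif",
                         t(2005, 4, 27, 14, 6, 30), t(2005, 4, 27, 14, 6, 31), "logo[1].gif"),
    ]
    return bytes(header) + b"".join(records)


if __name__ == "__main__":
    for e in parse_index_dat(build_sample_image()):
        print(e["accessed"].isoformat(), e["user"] or "-", e["url"], e["filename"] or "-", sep="\t")
```

Run as a script it prints one tab-separated line per visit, the same shape as Pasco's text output. On a live system Explorer keeps index.dat open, so work from a disk image or a copy taken offline; and the output is exactly the list the column's closing paragraph warns about: unless the history is wiped (or the disk encrypted), whoever ends up with the laptop gets it.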