From isn at c4i.org Fri Dec 2 01:13:28 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 2 01:35:22 2005
Subject: [ISN] Security glitch aids IRS phishers
Message-ID:

http://www.computerworld.com/securitytopics/security/holes/story/0,10801,106645,00.html

By Robert McMillan
NOVEMBER 30, 2005

The U.S. Department of Labor said Wednesday it is working to fix a programming glitch in a U.S. government Web portal that makes it easier for phishers to trick people into disclosing sensitive information.

The flaw was first exploited by phishers who, earlier this week, began sending out bogus e-mail messages asking for personal information, including social security and credit card numbers. The bug lets these phishers redirect URLs (Uniform Resource Locators) that use the GovBenefits.gov domain to fraudulent Web sites that are unconnected with the U.S. government.

This redirecting flaw was first exploited just days ago by phishers masquerading as the U.S. Internal Revenue Service (IRS), said Graham Cluley, a senior technology consultant with Sophos PLC, a U.K. security firm that has been researching the matter.

"The people behind GovBenefits.gov have implemented their software in such a way that leaves the Web site vulnerable to a phishing attack," he said. The technique is particularly effective because the link that users click on is, in fact, a genuine GovBenefits.gov link, he added.

The fraudulent e-mail claims to require the sensitive information in order to process a tax refund, and claims to come from tax refunds@irs.gov, the IRS said.

The GovBenefits.gov Web site is used by 16 federal agencies, including the IRS, and is designed to help users determine their eligibility for government-funded benefit and assistance programs. It is maintained by the Department of Labor.

Though the site's redirect glitch is not common, Sophos has seen it before, usually made by programmers looking for a flexible way to move users around their Web sites, Cluley said.
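The "flexible way to move users around" that Cluley describes is a redirect parameter taken straight from the request and handed to the browser, so the genuine GovBenefits.gov link lands on a host the site never chose. The check below is an added example, not code from GovBenefits.gov, Sophos or the article: it only issues a redirect when the requested target reconstructs onto the site's own origin, and refuses absolute, protocol-relative, non-HTTP and backslash-mangled targets. The origin string, the helper names `safe_redirect_target()` and `redirect_location()` and the sample targets are assumptions constructed for this example.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed for this example: the only origin the application is willing to
# send users to after a redirect. A real deployment reads this from config.
SITE_ORIGIN = "https://www.govbenefits.gov"
DEFAULT_TARGET = "/"


def safe_redirect_target(raw: str, origin: str = SITE_ORIGIN) -> Optional[str]:
    """Return an absolute URL on `origin` for the requested target, or None.

    None means the redirect must be refused: the target would send the user
    to another host, to a non-HTTP scheme, or to something a browser might
    reinterpret as another host. The returned URL is always rebuilt from our
    own scheme and host; the raw parameter is never echoed into Location.
    """
    if not raw:
        return None
    raw = raw.strip()
    # Control characters (CR/LF in particular) can terminate the Location
    # header early; refuse the whole value rather than trying to clean it.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in raw):
        return None
    # Some browsers treat a backslash like a forward slash, so "/\host" is
    # read as "//host", i.e. a protocol-relative URL to another site.
    if "\\" in raw:
        return None

    target = urlsplit(raw)
    site = urlsplit(origin)

    if target.scheme or target.netloc:
        # Absolute ("https://host/...") or protocol-relative ("//host/...")
        # target: only the exact scheme and host of our own origin is allowed.
        # A lookalike such as "www.govbenefits.gov.other.example" fails here.
        if target.scheme.lower() != site.scheme.lower():
            return None
        if target.netloc.lower() != site.netloc.lower():
            return None
        path = target.path or "/"
    else:
        # Relative target: require a path rooted at "/". A "//host" prefix was
        # already parsed as a netloc above, so only the leading slash is left.
        if not target.path.startswith("/"):
            return None
        path = target.path

    return urlunsplit((site.scheme, site.netloc, path, target.query, target.fragment))


def redirect_location(raw: str) -> str:
    """Value for the Location header: the validated target, else the site root."""
    return safe_redirect_target(raw) or safe_redirect_target(DEFAULT_TARGET)


if __name__ == "__main__":
    # Constructed sample targets, in the form a "?url=" parameter might carry.
    samples = [
        "/benefits?id=5",
        "https://www.govbenefits.gov/login",
        "//other.example/",
        "https://other.example/",
        "https://www.govbenefits.gov.other.example/",
        "/\\other.example",
        "mailto:someone@other.example",
    ]
    for s in samples:
        print(f"{s!r:50} -> {redirect_location(s)}")
```

A stronger design avoids free-form targets entirely and maps a short opaque key to a server-side table of allowed destinations, which makes the question "is this host ours?" disappear.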
"It's a simple mistake to make, until you realize the consequences," he said. "They probably didn't see how it could be used."

The Department of Labor is working to fix the glitch and hopes to resolve the problem as early as late Wednesday, a Labor spokeswoman said.

Meanwhile, the IRS published a statement Wednesday, warning users of the scam: http://www.irs.gov/newsroom/article/0,,id=151065,00.html

"What we want people to know is if you get an unsolicited e-mail that purports to be from the IRS and it's asking for personal information, that's bogus," said Eric Smith, an IRS spokesman. "We're not going to request that you provide this kind of information by e-mail."


From isn at c4i.org Fri Dec 2 01:15:21 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 2 01:41:41 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-48
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2005-11-24 - 2005-12-01

This week : 83 advisories

========================================================================
Table of Contents:

1. Word From Secunia
2. This Week In Brief
3. This Week's Top Ten Most Read Advisories
4. Vulnerabilities Summary Listing
5. Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database: http://secunia.com/

========================================================================
2) This Week in Brief:

Some vulnerabilities have been reported in Sun Java JRE (Java Runtime Environment), which can be exploited by malicious people to compromise a user's system.

Please refer to the referenced Secunia advisory below for additional information.

Reference: http://secunia.com/SA17748

--

Apple has released a security update for Mac OS X, which fixes 13 vulnerabilities.

A complete list and details about the vulnerabilities can be found in the Secunia advisory below.

Reference: http://secunia.com/SA17813

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA15546] Microsoft Internet Explorer "window()" Arbitrary Code Execution Vulnerability
2. [SA17748] Sun Java JRE Sandbox Security Bypass Vulnerabilities
3. [SA16907] Opera Command Line URL Shell Command Injection
4. [SA17437] Opera Macromedia Flash Player SWF Arbitrary Code Execution
5. [SA17430] Macromedia Flash Player SWF File Handling Arbitrary Code Execution
6. [SA11762] Opera Browser Favicon Displaying Address Bar Spoofing Vulnerability
7. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
8. [SA17786] Linux Kernel Multiple Denial of Service Vulnerabilities
9. [SA17813] Mac OS X Security Update Fixes Multiple Vulnerabilities
10. [SA17780] Cisco IOS HTTP Server Script Insertion Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA17765] Panda Antivirus ZOO Archive Decompression Buffer Overflow
[SA17792] ASP-rider "referer" Header SQL Injection Vulnerability
[SA17740] MailEnable "RENAME" Command Denial of Service Vulnerability
[SA17737] Freeftpd PORT Command Denial of Service Vulnerability
[SA17815] Cisco Security Agent Local Privilege Escalation Vulnerability

UNIX/Linux:
[SA17813] Mac OS X Security Update Fixes Multiple Vulnerabilities
[SA17757] SGI Advanced Linux Environment Multiple Updates
[SA17738] Gentoo update for netscape-flash
[SA17778] Gentoo update for inkscape
[SA17775] KchmViewer chmlib Buffer Overflow Vulnerabilities
[SA17774] unalz Filename Handling Buffer Overflow Vulnerability
[SA17770] Debian update for gtk+2.0
[SA17768] ktools VGETSTRING Buffer Overflow Vulnerability
[SA17735] ShockBoard "offset" SQL Injection Vulnerability
[SA17817] Usermin "miniserv.pl" Format String Denial of Service Vulnerability
[SA17749] Webmin "miniserv.pl" Format String Denial of Service Vulnerability
[SA17754] NuFW Packet Parsing Denial of Service Vulnerability
[SA17781] QNX RTOS "phgrafx" Buffer Overflow Vulnerability
[SA17818] Debian update for centericq
[SA17798] Centericq Empty Packet Denial of Service Weakness
[SA17764] Kadu Message Denial of Service Weakness
[SA17739] Gaim-Encryption Malformed Encrypted Message Denial of Service
[SA17787] Fedora update for kernel
[SA17786] Linux Kernel Multiple Denial of Service Vulnerabilities
[SA17761] Linux Kernel ptrace Denial of Service Vulnerability

Other:
[SA17780] Cisco IOS HTTP Server Script Insertion Vulnerability

Cross Platform:
[SA17790] GuppY PHP Code Injection and Local File Inclusion Vulnerabilities
[SA17779] Ampache Snoopy "_httpsrequest()" Command Injection Vulnerability
[SA17777] eFiction Multiple Vulnerabilities
[SA17771] Q-News "id" File Inclusion Vulnerability
[SA17748] Sun Java JRE Sandbox Security Bypass Vulnerabilities
[SA17730] DeskLance "main" File Inclusion Vulnerability
[SA17812] Atlantis Knowledge Base Software "searchStr" SQL Injection
[SA17811] FAQRing "id" SQL Injection Vulnerability
[SA17810] WSN Knowledge Base SQL Injection Vulnerabilities
[SA17809] Softbiz FAQ Script SQL Injection Vulnerabilities
[SA17808] Softbiz B2B Trading Marketplace Script "cid" SQL Injection
[SA17807] SocketKB SQL Injection and Local File Inclusion Vulnerabilities
[SA17806] KBase Express SQL Injection Vulnerabilities
[SA17805] Orca Knowledgebase "qid" SQL Injection Vulnerability
[SA17804] Orca Blog "msg" SQL Injection Vulnerability
[SA17803] Orca Ringmaker "start" SQL Injection Vulnerability
[SA17801] FAQ System SQL Injection Vulnerabilities
[SA17800] Survey System "SURVEY_ID" SQL Injection Vulnerability
[SA17799] ltwCalendar "id" SQL Injection Vulnerability
[SA17796] 88Scripts Event Calendar "m" SQL Injection Vulnerability
[SA17795] O-Kiraku Nikki "day_id" SQL Injection Vulnerability
[SA17789] PHP Web Statistik Multiple Vulnerabilities and Security Issue
[SA17788] Xaraya "module" Local File Inclusion Vulnerability
[SA17785] N-13 News "id" SQL Injection Vulnerability
[SA17783] FreeWebStat Script Insertion Vulnerabilities
[SA17782] randshop SQL Injection Vulnerabilities
[SA17776] Gentoo update for chmlib / kchmviewer
[SA17773] OmniStar KBase SQL Injection Vulnerabilities
[SA17772] Nephp Publisher SQL Injection Vulnerabilities
[SA17769] DotClear Unspecified trackbacks Security Issue
[SA17767] Babe Logger "gal" and "id" SQL Injection Vulnerabilities
[SA17766] Zainu SQL Injection Vulnerabilities
[SA17763] PHP "mb_send_mail()" "To:" Header Injection Vulnerability
[SA17760] BedengPSP Multiple SQL Injection Vulnerabilities
[SA17759] DMANews Multiple SQL Injection Vulnerabilities
[SA17758] Fantastic News "category" SQL Injection Vulnerability
[SA17753] Entergal MX SQL Injection Vulnerabilities
[SA17752] BosDates SQL Injection Vulnerabilities
[SA17747] Gallery Unspecified Vulnerability
[SA17745] PHP Doc System Local File Inclusion Vulnerability
[SA17744] ADC2000 NG Pro "cat" SQL Injection Vulnerability
[SA17742] Netzbrett "p_entry" SQL Injection Vulnerability
[SA17734] UGroup Multiple SQL Injection Vulnerabilities
[SA17733] phpWordPress SQL Injection Vulnerabilities
[SA17732] ActiveCampaign KnowledgeBuilder SQL Injection and Denial of Service
[SA17731] ActiveCampaign SupportTrio "page" Local File Inclusion Vulnerability
[SA17729] Nicecoder iDesk "cat_id" SQL Injection Vulnerability
[SA17784] WebCalendar SQL Injection and Local File Overwrite Vulnerabilities
[SA17756] ClientExec Multiple SQL Injection Vulnerabilities
[SA17755] drzes HMS Cross-Site Scripting and SQL Injection Vulnerabilities
[SA17751] Post Affiliate Pro "sortorder" SQL Injection Vulnerability
[SA17750] GhostScripter Amazon Shop "query" Cross-Site Scripting Vulnerability
[SA17746] Simple Document Management System SQL Injection Vulnerability
[SA17743] Enterprise Connector "messageid" SQL Injection Vulnerabilities
[SA17741] blogBuddies Cross-Site Scripting Vulnerabilities
[SA17736] SmartPPC Pro "username" Cross-Site Scripting Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:
--
[SA17765] Panda Antivirus ZOO Archive Decompression Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-11-30

Alex Wheeler has reported a vulnerability in Panda Antivirus, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/17765/

--
[SA17792] ASP-rider "referer" Header SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-30

info has reported a vulnerability in ASP-rider, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/17792/

--
[SA17740] MailEnable "RENAME" Command Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-11-25

Josh Zlatin-Amishav has discovered a vulnerability in MailEnable Professional and MailEnable Enterprise, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17740/

--
[SA17737] Freeftpd PORT Command Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-11-25

Stefan Lochbihler has discovered a vulnerability in freeftpd, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17737/

--
[SA17815] Cisco Security Agent Local Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-11-30

A vulnerability has been reported in Cisco Security Agent (CSA), which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/17815/

UNIX/Linux:
--
[SA17813] Mac OS X Security Update Fixes Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Spoofing, Manipulation of data, Exposure of sensitive information, Privilege escalation, DoS, System access
Released: 2005-11-30

Apple has issued a security update for Mac OS X, which fixes 13 vulnerabilities.

Full Advisory: http://secunia.com/advisories/17813/

--
[SA17757] SGI Advanced Linux Environment Multiple Updates
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, DoS, System access
Released: 2005-11-29

SGI has issued a patch for SGI Advanced Linux Environment. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, cause a DoS (Denial of Service), and to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17757/

--
[SA17738] Gentoo update for netscape-flash
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-11-25

Gentoo has issued an update for netscape-flash. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17738/

--
[SA17778] Gentoo update for inkscape
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-11-28

Gentoo has issued an update for inkscape. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17778/

--
[SA17775] KchmViewer chmlib Buffer Overflow Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-11-28

Some vulnerabilities have been reported in KchmViewer, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17775/

--
[SA17774] unalz Filename Handling Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-11-28

Ulf Harnhammar has reported a vulnerability in unalz, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17774/

--
[SA17770] Debian update for gtk+2.0
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-11-30

Debian has issued an update for gtk+2.0. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
Full Advisory: http://secunia.com/advisories/17770/

--
[SA17768] ktools VGETSTRING Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2005-11-28

Mehdi Oudad and Kevin Fernandez have reported a vulnerability in ktools, which has an unknown impact.

Full Advisory: http://secunia.com/advisories/17768/

--
[SA17735] ShockBoard "offset" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-28

r0t has reported a vulnerability in ShockBoard, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17735/

--
[SA17817] Usermin "miniserv.pl" Format String Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-11-30

A vulnerability has been reported in Usermin, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17817/

--
[SA17749] Webmin "miniserv.pl" Format String Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-11-29

Jack Louis has discovered a vulnerability in Webmin, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17749/

--
[SA17754] NuFW Packet Parsing Denial of Service Vulnerability
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-11-29

A vulnerability has been reported in NuFW, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17754/

--
[SA17781] QNX RTOS "phgrafx" Buffer Overflow Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-11-30

Pasquale Minervini has reported a vulnerability in QNX RTOS, which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/17781/

--
[SA17818] Debian update for centericq
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-11-30

Debian has issued an update for centericq. This fixes a weakness, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17818/

--
[SA17798] Centericq Empty Packet Denial of Service Weakness
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-11-30

Wernfried Haas has reported a vulnerability in Centericq, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17798/

--
[SA17764] Kadu Message Denial of Service Weakness
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-11-29

Michal Gizowski has reported a weakness in Kadu, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17764/

--
[SA17739] Gaim-Encryption Malformed Encrypted Message Denial of Service
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-11-25

Joerg Kurlbaum has discovered a weakness in Gaim-Encryption, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17739/

--
[SA17787] Fedora update for kernel
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2005-11-29

Fedora has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17787/

--
[SA17786] Linux Kernel Multiple Denial of Service Vulnerabilities
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2005-11-29

Some vulnerabilities have been reported in the Linux Kernel, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/17786/

--
[SA17761] Linux Kernel ptrace Denial of Service Vulnerability
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2005-11-29

A vulnerability has been reported in the Linux Kernel, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/17761/

Other:
--
[SA17780] Cisco IOS HTTP Server Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-11-29

Hugo Vazquez Carames has reported a vulnerability in Cisco IOS, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/17780/

Cross Platform:
--
[SA17790] GuppY PHP Code Injection and Local File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Exposure of sensitive information, System access
Released: 2005-11-29

rgod has reported some vulnerabilities in GuppY, which can be exploited by malicious people to disclose sensitive information and compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/17790/

--
[SA17779] Ampache Snoopy "_httpsrequest()" Command Injection Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-11-28

A vulnerability has been reported in Ampache, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/17779/

--
[SA17777] eFiction Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of system information, System access
Released: 2005-11-28

rgod has reported some vulnerabilities in eFiction, which can be exploited by malicious people to disclose system information, conduct cross-site scripting and SQL injection attacks, and compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/17777/

--
[SA17771] Q-News "id" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-11-28

][GB][ has discovered a vulnerability in Q-News, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/17771/

--
[SA17748] Sun Java JRE Sandbox Security Bypass Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-11-29

Some vulnerabilities have been reported in Sun Java JRE (Java Runtime Environment), which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17748/

--
[SA17730] DeskLance "main" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-11-25

r0t has reported a vulnerability in DeskLance, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/17730/

--
[SA17812] Atlantis Knowledge Base Software "searchStr" SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-30

r0t has reported a vulnerability in Atlantis Knowledge Base Software, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17812/

--
[SA17811] FAQRing "id" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-30

r0t has reported a vulnerability in FAQRing, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/17811/

--
[SA17810] WSN Knowledge Base SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-30

r0t has reported some vulnerabilities in WSN Knowledge Base, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17810/

--
[SA17809] Softbiz FAQ Script SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-30

r0t has reported some vulnerabilities in Softbiz FAQ Script, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17809/

--
[SA17808] Softbiz B2B Trading Marketplace Script "cid" SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-30

r0t has reported a vulnerability in Softbiz B2B Trading Marketplace Script, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17808/

--
[SA17807] SocketKB SQL Injection and Local File Inclusion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information
Released: 2005-11-30

r0t has reported some vulnerabilities in SocketKB, which can be exploited by malicious people to conduct SQL injection attacks and disclose sensitive information.

Full Advisory: http://secunia.com/advisories/17807/

--
[SA17806] KBase Express SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-29

r0t has reported two vulnerabilities in KBase Express, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/17806/

--
[SA17805] Orca Knowledgebase "qid" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-29

r0t has discovered a vulnerability in Orca Knowledgebase, which can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17805/

--
[SA17804] Orca Blog "msg" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-29

r0t has discovered a vulnerability in Orca Blog, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17804/

--
[SA17803] Orca Ringmaker "start" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-29

r0t has discovered a vulnerability in Orca Ringmaker, which can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17803/

--
[SA17801] FAQ System SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-29

r0t has reported two vulnerabilities in FAQ System, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17801/

--
[SA17800] Survey System "SURVEY_ID" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-29

r0t has reported a vulnerability in Survey System, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/17800/

--
[SA17799] ltwCalendar "id" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-29

r0t has reported a vulnerability in ltwCalendar, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17799/

--
[SA17796] 88Scripts Event Calendar "m" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-30

r0t has reported a vulnerability in 88Scripts Event Calendar, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17796/

--
[SA17795] O-Kiraku Nikki "day_id" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-30

r0t has discovered a vulnerability in O-Kiraku Nikki, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17795/

--
[SA17789] PHP Web Statistik Multiple Vulnerabilities and Security Issue
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information, DoS
Released: 2005-11-29

Francesco "aScii" Ongaro has discovered some vulnerabilities and a security issue in PHP Web Statistik, which can be exploited by malicious people to disclose system information, cause a DoS (Denial of Service), and conduct cross-site scripting and script insertion attacks.

Full Advisory: http://secunia.com/advisories/17789/

--
[SA17788] Xaraya "module" Local File Inclusion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information, DoS
Released: 2005-11-30

rgod has discovered a vulnerability in Xaraya, which can be exploited by malicious people to disclose and manipulate sensitive information.
Full Advisory: http://secunia.com/advisories/17788/

--
[SA17785] N-13 News "id" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-30

KingOfSka has discovered a vulnerability in N-13 News, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17785/

--
[SA17783] FreeWebStat Script Insertion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-11-29

Francesco "aScii" Ongaro has reported some vulnerabilities in FreeWebStat, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/17783/

--
[SA17782] randshop SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-29

Liz0ziM and wannacut have discovered two vulnerabilities in randshop, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17782/

--
[SA17776] Gentoo update for chmlib / kchmviewer
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-11-28

Gentoo has issued updates for chmlib / kchmviewer. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/17776/

--
[SA17773] OmniStar KBase SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-29

r0t has reported some vulnerabilities in OmniStar KBase, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/17773/

--
[SA17772] Nephp Publisher SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-29

r0t has reported some vulnerabilities in Nephp Publisher, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17772/

--
[SA17769] DotClear Unspecified trackbacks Security Issue
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2005-11-29

A security issue with an unknown impact has been reported in DotClear.

Full Advisory: http://secunia.com/advisories/17769/

--
[SA17767] Babe Logger "gal" and "id" SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-29

r0t has reported two vulnerabilities in Babe Logger, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17767/

--
[SA17766] Zainu SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-11-29

r0t has reported two vulnerabilities in Zainu, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/17766/

--
[SA17763] PHP "mb_send_mail()" "To:" Header Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2005-11-28

s.masugata has reported a vulnerability in PHP, which potentially can be exploited by malicious people to use it as an open mail relay.
Full Advisory:
http://secunia.com/advisories/17763/

--

[SA17760] BedengPSP Multiple SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-11-29

r0t has discovered some vulnerabilities in BedengPSP, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17760/

--

[SA17759] DMANews Multiple SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-11-29

r0t has discovered some vulnerabilities in DMANews, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17759/

--

[SA17758] Fantastic News "category" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-11-29

r0t has discovered a vulnerability in Fantastic News, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17758/

--

[SA17753] Entergal MX SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-11-29

r0t has reported two vulnerabilities in Entergal MX, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17753/

--

[SA17752] BosDates SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-11-29

r0t has reported two vulnerabilities in BosDates, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17752/

--

[SA17747] Gallery Unspecified Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2005-11-29

A vulnerability with an unknown impact has been reported in Gallery.
Full Advisory:
http://secunia.com/advisories/17747/

--

[SA17745] PHP Doc System Local File Inclusion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2005-11-28

r0t has discovered a vulnerability in PHP Doc System, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/17745/

--

[SA17744] ADC2000 NG Pro "cat" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-11-28

r0t has reported a vulnerability in ADC2000 NG Pro, which can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17744/

--

[SA17742] Netzbrett "p_entry" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-11-28

r0t has discovered a vulnerability in Netzbrett, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17742/

--

[SA17734] UGroup Multiple SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-11-28

r0t has reported some vulnerabilities in UGroup, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17734/

--

[SA17733] phpWordPress SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-11-25

r0t has reported some vulnerabilities in phpWordPress, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/17733/

--

[SA17732] ActiveCampaign KnowledgeBuilder SQL Injection and Denial of Service

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, DoS
Released:    2005-11-25

r0t has discovered two vulnerabilities in ActiveCampaign KnowledgeBuilder, which can be exploited by malicious people to cause a DoS (Denial of Service) and conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17732/

--

[SA17731] ActiveCampaign SupportTrio "page" Local File Inclusion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2005-11-25

r0t has discovered a vulnerability in ActiveCampaign SupportTrio, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/17731/

--

[SA17729] Nicecoder iDesk "cat_id" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-11-25

r0t has discovered a vulnerability in iDesk, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17729/

--

[SA17784] WebCalendar SQL Injection and Local File Overwrite Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-11-29

Francesco "aScii" Ongaro has reported some vulnerabilities in WebCalendar, which can be exploited by malicious users to manipulate certain information and conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17784/

--

[SA17756] ClientExec Multiple SQL Injection Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-11-29

r0t has reported some vulnerabilities in ClientExec, which can be exploited by malicious users to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/17756/

--

[SA17755] drzes HMS Cross-Site Scripting and SQL Injection Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2005-11-29

r0t has reported some vulnerabilities in drzes HMS, which can be exploited by malicious users to conduct SQL injection attacks and by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/17755/

--

[SA17751] Post Affiliate Pro "sortorder" SQL Injection Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-11-29

r0t has reported a vulnerability in Post Affiliate Pro, which can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17751/

--

[SA17750] GhostScripter Amazon Shop "query" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-11-29

r0t has reported a vulnerability in GhostScripter Amazon Shop, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/17750/

--

[SA17746] Simple Document Management System SQL Injection Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-11-28

r0t has discovered a vulnerability in Simple Document Management System (SDMS), which can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17746/

--

[SA17743] Enterprise Connector "messageid" SQL Injection Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-11-28

r0t has reported some vulnerabilities in Enterprise Connector, which can be exploited by malicious users to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/17743/

--

[SA17741] blogBuddies Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-11-25

][GB][ has discovered some vulnerabilities in blogBuddies, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/17741/

--

[SA17736] SmartPPC Pro "username" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-11-25

BiPi_HaCk has reported a vulnerability in SmartPPC Pro, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/17736/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web     : http://secunia.com/
E-mail  : support@secunia.com
Tel     : +45 70 20 51 44
Fax     : +45 70 20 51 45

From isn at c4i.org Fri Dec 2 01:15:35 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 2 01:42:24 2005
Subject: [ISN] Mac OS X security under scrutiny
Message-ID:

http://www.theregister.co.uk/2005/12/01/secfoc_macos/

By Robert Lemos
Securityfocus
1st December 2005

When the SANS Institute, a computer-security training organization, released its Top-20 vulnerabilities last week, the rankings continued an annual ritual aimed at highlighting the worst flaws for network administrators.

This year, the list had something different, however: the group flagged the collective vulnerabilities in Apple's Mac OS X operating system as a major threat.
It's the first time that the SANS Institute called out an entire operating system for its vulnerabilities. While the move has raised questions about the value of such a general warning, highlighting recent vulnerabilities in Mac OS X was intended as a wake up call, said Rohit Dhamankar, security architect for TippingPoint, a subsidiary of networking firm 3Com, and the editor for the SANS Top-20 vulnerability list.

"We are not pointing at the entire Mac OS X and saying you have to worry about the entire operating system," he said. "It is just that the Mac OS X is not entirely free of troubles."

The naming of Apple's Mac OS X to the list is the latest warning from security experts to users that Apple's operating system is not immune to threats. In its last two bi-annual reports, security firm Symantec has warned Apple users that the perceived security strengths of Mac OS X will not withstand determined attackers, especially with mounting vulnerabilities and at least one known rootkit tailored to the system. Symantec is the owner of SecurityFocus.

Such warnings, however, have to contend with the Mac OS X's impressive lack of major security incidents. While users of Microsoft Windows have to worry about the latest viruses, Trojan horse programs, spyware and phishing attacks, users of Apple's systems have significantly fewer threats about which to be concerned.

Still, if would-be attackers begin to focus on the operating system, then it's likely that major security incidents will not be far behind, said Nicholas Raba, CEO of Mac OS X security information and software site SecureMac.com.

"Mac OS X is currently more secure than Linux or Windows only for the fact that the shares of users is smaller thus the (number of) researchers discovering the flaws is smaller," Raba said.

Others point out that the vulnerability landscape is already shifting.
The number of vulnerabilities patched by Apple in the Mac OS X rivals the number fixed by Microsoft in its operating systems, according to data from the Open Source Vulnerability Database. So far in 2005, Microsoft has released patches for 89 vulnerabilities, while Apple has released patches for 81 vulnerabilities, according to Brian Martin, content editor for the OSVDB.

Counting flaws offers little more than a rough approximation of the threat to a particular operating system, Martin said, but it does show that Apple has gained the attention of the security community.

"A lot of the people who do vulnerability research started with Unix, and a lot of hackers have moved to Apple Mac OS X because it is cool and they can do anything they could do on Unix," he said.

Apple adopted its variant of the Unix operating system, the Berkeley Software Distribution or BSD, as the basis for its revamped Mac OS, which it first released in March 2001. Since then the number of flaws discovered that affect the operating system has steadily increased, to 46 in 2004 from 5 in 2001, according to the OSVDB.

However, Mac OS X does not have the same security problems that Windows does, Martin said. In many ways, Apple's operating system gains the advantages of Unix, but because Unix has not historically been a desktop operating system, many of the mistakes made by Microsoft - such as Active X controls' poor security model and unsecured services - are not present, he said. Instead, Apple users primarily need to worry about malicious Web sites that attack through the Safari browser and media files that exploit vulnerabilities in the operating system's applications.

The SANS Top-20, for example, called out five different parts of the Windows operating system, including Internet Explorer, the broad Windows services category, and Windows configuration weaknesses.

Poor configuration of Mac OS X computers is also a worry, according to some network administrators.

"The problem is that there are enough OS X boxes on networks that are not patched, firewalled, and configured that they pose a clear and present danger to the networks they reside on," said one university information-technology specialist posting to the Full Disclosure security mailing list.

Security researchers also worry about Apple's hesitation to speak publicly about its operating system's security. Apple has infrequently commented on the topic of its operating system security or the company's security policies. Apple also declined to comment for this article.

Yet, including the entire operating system as a to-do item on a list of top-20 vulnerabilities is not entirely fair, OSVDB's Martin said.

"In 2005, they have about the same number of vulnerabilities in the operating system as Windows, but Microsoft has a much greater market share," Martin said. "The Mac OS doesn't deserve a spot any more than any other operating system."

SANS's Dhamankar stressed that the intent was not to call the Mac OS X operating system a threat, but to give Mac users a wake up call. If they have not been paying attention to security, then they should start today, he said.

"There are some people that feel that, if they are running Mac OS X, then all is well," Dhamankar said. "That is no longer true."

Copyright © 2005, SecurityFocus

From isn at c4i.org Fri Dec 2 01:13:43 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 2 01:43:09 2005
Subject: [ISN] ID theft, malware worry U.S. online shoppers
Message-ID:

Forwarded from: Melissa Shapiro

http://www.infoworld.com/article/05/11/30/HNshoppingworries_1.html

By Juan Carlos Perez
IDG News Service
November 30, 2005

More than one fifth of U.S. Internet users will take a pass on online shopping this holiday season due to security concerns, according to a new study released Wednesday.

The concerns most cited by respondents were identity theft, spam, credit-card theft and spyware, according to a survey of 1,005 U.S. Internet users conducted by London-based market researcher Taylor Nelson Sofres PLC.

Among the 78 percent of U.S. Internet users who will shop online during the holidays, 69 percent will curb their purchasing activities due to fears over possible misuse of their personal information, according to the survey.

The poll was commissioned by nonprofit organization TRUSTe, which certifies Web sites that comply with the group's privacy protection principles.

Specifically, security concerns will keep some shoppers away from smaller, lesser-known online retailers, out of fear that these vendors are more likely to misuse personal information than their larger, better known counterparts.

The survey, conducted online between Oct. 27 and Nov. 1, has a margin of error of 3 percentage points.

A study released last week reached similar conclusions. Commissioned by the Business Software Alliance and conducted by Forrester Research Inc.'s Custom Consumer Research, that study found that 25 percent of U.S. consumers won't shop online during the upcoming holiday season because of concerns over buying goods online.

Still, online shopping is growing this holiday season, compared with last year's. Between Nov. 1 and Nov. 28, nontravel spending by consumers reached US$7.93 billion, a 24 percent increase compared with the same period last year, according to market researcher comScore Networks Inc.

Specifically during the Thanksgiving weekend (between Thursday, Nov. 24 and Sunday, Nov. 27) and on the following so-called "Black Monday" (Nov. 28), spending grew 26 percent over the same period last year, comScore said Tuesday.

From isn at c4i.org Fri Dec 2 01:13:56 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 2 01:47:22 2005
Subject: [ISN] Federal judge adds 7 years to prison term of 'Dr. Chaos'
Message-ID:

http://www.jsonline.com/news/metro/nov05/374384.asp

By GINA BARTON
gbarton @ journalsentinel.com
Nov. 30, 2005

A computer expert who caused hundreds of thousands of dollars worth of damage in 13 Wisconsin counties won't get out of prison until 2022.

Joseph D. Konopka, 29, who adopted the moniker "Dr. Chaos" during his crime spree, was sentenced on 11 felony charges Wednesday in federal court in Milwaukee.

Konopka, formerly of De Pere, earlier was sentenced to 13 years in prison as a result of federal charges in Chicago, where he was convicted of two felonies for hiding cyanide in an underground tunnel near the subway system. During Wednesday's hearing, U.S. District Judge Lynn Adelman added seven years to that term.

It was the second Milwaukee sentencing hearing for Konopka, who won a new sentence on appeal.

Charges against Konopka included conspiracy, arson, creating counterfeit software and interfering with computers. Using the Internet, he recruited a group of teenage boys and young men known as "The Realm of Chaos" to help him in the crimes.

The group's actions caused about 28 power failures and 20 other service interruptions at power plants throughout Wisconsin, court records show. The group also set buildings on fire, disrupted radio and television broadcasts, disabled an air traffic control system, sold counterfeit software and damaged the computer system of an Internet service provider, according to court records.

In 2003, after reaching a plea agreement with prosecutors, Konopka pleaded guilty to six felonies in connection with the Wisconsin crimes. After his first sentencing hearing, during which Adelman handed down a 23-year prison term, Konopka asked to withdraw those pleas.

Konopka argued that when he made the deal with prosecutors, he did not realize that one of the accusations - an explosives charge - carried a mandatory 10-year sentence that wouldn't begin until after he had served his 13 years on the Chicago counts.

The appeals court ruled in Konopka's favor, after which he pleaded guilty to 11 counts. Prosecutors promised him nothing in exchange.
At the sentencing hearing Tuesday, Konopka's attorney, Bridget Boyle-Saxton, asked for a 17-year prison term, with 13 of those years to be served at the same time as the Chicago sentence. In essence, Boyle-Saxton asked that Konopka do only four more years for the Wisconsin crimes.

Assistant U.S. Attorney Stephen Ingraham asked for a completely consecutive sentence, pointing out that Konopka's actions had caused "damage, destruction, inconvenience and anguish" for thousands of people.

Ingraham also told the judge that state prosecutors in the counties where Konopka committed crimes would only agree not to prosecute him there if he got at least a 20-year prison term.

Adelman fashioned a sentence that will net Konopka 20 years in prison between the federal cases in Illinois and Wisconsin.

Before imposing sentence, Adelman said it was hard to understand why Konopka had embarked on a crime spree.

"It's extremely fortunate that no one was hurt or killed," he said.

Konopka also must pay about $436,000 in restitution and spend three years on supervised release after prison.

From isn at c4i.org Fri Dec 2 01:14:10 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 2 01:49:20 2005
Subject: [ISN] Redmond Mulls Emergency Patch for IE Attacks
Message-ID:

http://www.eweek.com/article2/0,1895,1894820,00.asp

By Ryan Naraine
November 30, 2005

Microsoft Corp. is working on a plan to release an out-of-cycle patch to cover a gaping hole in its dominant Internet Explorer browser.

Sources say the MSRC (Microsoft Security Response Center) is aggressively aiming to release the emergency IE fix ahead of the December 13 Patch Tuesday schedule.

Officially, the company isn't commenting on a timeline for the IE patch. A Microsoft spokeswoman said the creation of security updates is "an extensive process involving a series of sequential steps."

"There are many factors that impact the length of time between the discovery of a vulnerability and the release of a security update, and every vulnerability presents its own unique challenges."

However, a source familiar with the company's thinking said the out-of-cycle update is dependent on the patch holding up through a "very rigorous" quality assurance testing process.

"If the patch isn't ready from a quality standpoint, it won't be released. But with an attack already underway, I think you'll see an emergency patch," the source said.

Microsoft late Tuesday updated its security advisory to confirm it was aware of a zero-day exploit and a drive-by malware attack targeting the unpatched vulnerability.

Alex Eckelberry, president of anti-spyware vendor Sunbelt Software, said his company first detected the drive-by downloads earlier this week and reported its findings to Microsoft.

"This is a pretty nasty exploit. You just have to visit the [malicious] site and your computer gets hosed. It's dropping a Trojan downloader that takes control of the victim's machine," Eckelberry said in an interview.

Sunbelt Software researchers have confirmed the exploit is being launched from a handful of malicious Web sites. He said the drive-by exploit was successfully loading pornography-themed spyware programs on fully patched Windows XP SP2 machines.

"If there's one time Microsoft needs to go out-of-cycle with a patch, this is it," Eckelberry declared.

Stephen Toulouse, an MSRC program manager, said Microsoft's anti-virus engine has been updated to detect the latest attack, which drops a piece of malware called TrojanDownloader:Win32/Delf.DH.

Anti-virus vendor McAfee Inc. identified it as JS/Exploit-BO.gen and confirmed it was using the zero-day "Window()" remote code execution exploit released last week by a UK-based group called "Computer Terrorism."

Eckelberry said that he was aware that Kaspersky Lab and Symantec Corp. had updated their virus definitions to detect the latest attack.

In Microsoft's advisory, the company recommends that customers visit its new Windows Live Safety Center and use the "Complete Scan" option to check for and remove the malicious software and future variants.

The Safety Center, which is part of the company's new 'Windows Live' initiative, lets customers run free Web-based computer scans to detect and remove viruses and other known malware. It currently works only on IE and uses an ActiveX Control to scan for and remove viruses. It is also capable of detecting vulnerabilities on Internet connections.

Johannes Ullrich, chief research officer at the SANS ISC (Internet Storm Center), said in a recent interview that the severity of the vulnerability and the public release of exploit code should force Microsoft into releasing an out-of-cycle update.

"This one certainly qualifies for an emergency patch. How much worse can it get? At this stage, you really can't wait for next month to get a fix out there," Ullrich said.

Since moving to a monthly release cycle in late 2003, Microsoft has released three out-of-cycle patches, all for "critical" IE flaws.

From isn at c4i.org Fri Dec 2 01:15:04 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Dec 2 01:51:26 2005
Subject: [ISN] Information Battleground
Message-ID:

Forwarded from: William Knowles

http://www.afa.org/magazine/Dec2005/1205info.asp

By Adam J. Hebert
Senior Editor
December 2005

Across a range of unusual battle-spaces - global computer networks, human psychology, and electronic systems - the Air Force has become fully engaged in information warfare (IW), now deemed a critical element in the worldwide conflict with terrorists.

USAF is concentrating on three IW thrusts: network - that is, computer - operations, "influence" operations, and electronic warfare operations.

In these new combat arenas, adversaries, and consequences of their actions, are constantly shifting. Encounters rarely are unambiguous.
Take, for example, an unidentified intruder's success in hacking into the Air Force Personnel Center's Assignment Management System database, used by airmen for assignment planning. The hacker, acting last June, used a legitimate user's log-in and access codes and downloaded the names, birth dates, and Social Security numbers of 33,000 airmen, mostly officers. In so doing, the miscreant, whoever he was, acquired vast amounts of data tailor-made for identity theft - or worse.

Maj. Gen. Anthony F. Przybyslawski, commander of AFPC at Lackland AFB, Tex., said officials became aware of a problem as the information was being downloaded. Security officers shut down the system, but the damage was done. Przybyslawski said the center's security standards simply weren't high enough.

This security breach did not pose a traditional military threat - apparently. However, it immediately focused attention on the difficulty the Air Force has in the ever-changing global information war. What if hackers, terrorists, or hostile nations could acquire something more sensitive? What if the stolen information was not personnel data but schedules for the movement of nuclear warheads or classified stealth aircraft designs?

Building true information security is "indeed a monumental task," said Gen. William T. Hobbins, who led the Air Force's warfighting integration efforts before being confirmed to become the new commander of US Air Forces in Europe. "We have threats from multiple sources, ... everything from hostile attacks to inadvertent compromise."

In the past, spies also have used legitimate access illegitimately to obtain sensitive military information. In one notorious case, retired Air Force MSgt. Brian P. Regan, working for the National Reconnaissance Office, penetrated a classified database and downloaded images and coordinates of Iraqi and Chinese missile sites. He then tried, unsuccessfully, to sell the information to Baghdad and Beijing.
Growing Threat

It is no secret that the US military has become highly dependent on its information systems. USAF defines these systems as including not only computer networks but also command, control, and communications equipment.

Potential enemies believe that attacks on these systems constitute an effective way to strike at US military strength. More than 20 nations, including China and North Korea, possess dedicated computer attack programs.

In a 2005 Pentagon report to Congress on Chinese military power, officials wrote that the People's Liberation Army (PLA) sees computer warfare as "critical to seize the initiative," early in a conflict. The goal: achieve "electromagnetic dominance."

The PLA, warned the new Pentagon report, "likely" has established information warfare units able to "develop viruses to attack enemy computer systems and networks" as well as "tactics to protect friendly computer systems and networks."

A Chinese information warfare concept of operations "outlines the integrated use of electronic warfare, [computer attacks], and limited kinetic strikes against key C4 nodes to disrupt the enemy's battlefield network information systems," the Pentagon report observed.

US Strategic Command, DOD's lead organization for network warfare, contends that Pentagon-focused "intrusion attempts" have been growing quickly. In the first half of 2004, DOD suffered through more than 150 hostile intrusion attempts per day. In the first half of 2005, by contrast, there were more than 500 intrusion attempts per day.

The Air Force has seen similar growth in network attacks, but it has generally fended off the threats so far. Both foreign and domestic hackers are responsible.

The more the military comes to rely on network-based operations, the more it must defend those networks, said USAF Lt. Gen. C. Robert Kehler, STRATCOM deputy commander.

Hobbins agreed. "The number and sophistication of attacks have increased," he said, but while "the number of suspected attempts to penetrate our systems has increased, ... the number of actual intrusions has decreased."

Vulnerability Seen

The Pentagon has been at this for a while. In the late 1990s, DOD exercises, plus a number of strange attacks on DOD computer systems, raised the military's awareness of its vulnerability.

In 1997, Pentagon officials launched an internal exercise, code-named "Eligible Receiver." A Red Team of hackers organized by the National Security Agency was instructed to try to infiltrate Pentagon computer networks, using only publicly available computer equipment and hacking software.

Although many details about Eligible Receiver are still classified, it is known that the Red Team was able to infiltrate and take control of some of US Pacific Command's computers as well as emergency systems in major US cities. Eligible Receiver revealed the surprising vulnerability of supposedly secure military networks.

Not long after Eligible Receiver, the US accidentally uncovered Moonlight Maze, a two-year-long pattern of probing of computer systems in the Pentagon, NASA, Energy Department, and university and research labs. Although the attacks, which were believed to have begun in March 1998, were traced to a mainframe computer in Russia, the perpetrators never have been publicly identified and may be unknown to the US. Russia denied any involvement.

Military information could be better protected by moving everything from the public Internet to the SIPR Net, a secret military network, but "the benefits wouldn't outweigh the costs," said Hobbins.

The Defense Department also must be careful not to go too far and make security so intense that it slows down military action. "We go too far when [infosec] restricts our ability to act and attack," said one official. "Our security system should resemble something more like a Kevlar body vest than full body armor."
The trend today is definitely toward protection. "I can tell you that information assurance has clearly increased in budgeting priority," Hobbins said. "We live in a resource-constrained environment, but we do have the means to counter the threats we face."

While the Air Force is continuously studying technologies and vulnerabilities, its IW effort is not completely devoted to fending off attacks. Defensive and offensive information warfare operations are "intrinsically linked and complementary," said Hobbins. He added, "Our efforts focus upon capabilities that will enable us to defend DOD assets and exploit, deny, degrade, disrupt, or destroy adversaries' information [resources]."

STRATCOM would, if so ordered, conduct DOD's information warfare operations. "You can see the potential" for offensive information warfare, said Kehler, by looking at what already has happened to the United States.

Unique Challenge

Strategic Command today is embracing a "unique challenge," said Rear Adm. Thomas E. Zelibor, STRATCOM director of global operations. The command is using information warfare as a way to "get the desired effects without blowing something up."

While officials offer few specifics about what they are trying to accomplish in offensive information warfare, Zelibor said the goal is to "delay or disrupt the decision-making process of your adversaries." This could mean subtly channeling an enemy toward doing "what we want them to do," said Zelibor.

If the goal is to collect intelligence, DOD might want to observe an enemy network that it has compromised and not automatically shut the network down. Similarly, there is a critical need to be able to track lone individuals in the war on terror and not necessarily kill or capture them right away.

Army Gen. Bryan D. Brown, head of US Special Operations Command, testified before Congress this year that his "No. 1 technological shortfall" is the inability to "persistently and remotely locate, track, and target a human."
Seeing who terrorists interact with, listening in on their phone calls, and later swooping in to seize paperwork and laptops can yield a treasure trove of coveted "actionable" information. Kehler said the most dramatic near-term improvements in intelligence probably will come through fusion, not new sensors. The "big leverage today" will come by "bringing it all together," he said. Data mining, a relatively new intelligence tool, is a big part of the fusion effort. SOCOM has a standing intelligence collaboration center that "has been used extensively in supporting unique special operations requirements" in Iraq and Afghanistan, said Brown. The collaboration center uses "the equivalent of a Google search engine," explained Air Force Maj. Gen. Donald C. Wurster, deputy director of SOCOM's Center for Special Operations. "Whenever we have people go out around the world, they're bringing information back and plowing it into an infrastructure that enables us to mine it later," he said. Wurster told Congress this summer that as troops "were rolling guys up in Iraq," SOCOM would run the information on fugitives through SOJICC, the Special Operations Joint Interagency Collaboration Center. The center "printed out a notebook that would fit in a soldier's thigh pocket," Wurster continued. The information would tell the troops everything known about a captured terrorist or insurgent: "Here's who his family is, here's where he's from, here's who he's hooked up with." Wurster described SOJICC as "the most significant piece of horizontal integration we have ... as a consumer of other people's expertise." The Air Force plays a major role in gathering the tactical information needed for immediate use on the battlefield. Immediate Impact USAF's fleet of RC-135 Rivet Joint aircraft, for example, gathers signals intelligence and flies missions of up to 24 hours - seemingly making it ideal for the war on terror. 
Rivet Joint crews can listen in on enemy radio and cell phone conversations, providing immediate impact on the ground in Afghanistan and Iraq. Information gathered from the air is "key to how soldiers and marines do their jobs," said Col. Dennis R. Wier, commander of the 55th Operations Group at Offutt AFB, Neb. The RC-135 is so valuable, Wier said in an interview, that US Central Command and US Pacific Command have the Nebraska-based aircraft assigned to them around the clock, and Rivet Joints fly over Afghanistan every day. Lt. Col. Ron Machoian said the crews know they are making a difference. "We hear it," said Machoian, commander of the 38th Reconnaissance Squadron at Offutt. "I can listen to us informing an engagement on the ground, while I'm airborne." Intelligence personnel are in short supply, however. Maj. Jeff Lauth, acting director of operations for the 97th Intelligence Squadron at Offutt, said staffing for many positions is "critically low." The airmen have skills that are in high demand outside the Air Force. Enlisted airborne crypto-linguists are a particular concern. Wier said this summer that the 55th Wing was only 35 percent manned in linguists, partially because it takes up to three years to train new ones. To help fill the need, the Air Intelligence Agency recently created the Offutt Language Learning Center to help train linguists. Language needs are much broader than during the Cold War. In addition to the "traditional" Russian speakers, DOD needs fluency in Arabic, Pashtu, Farsi, Dari, Urdu, Korean, and Mandarin Chinese. RC-135s don't have weapons, noted the language center's 1st Lt. Brandon Middleton, so "language is the weapon it takes to the fight." Linguists cannot work without equipment, and obtaining the intelligence needed is an ongoing challenge. Wier noted that the RC-135s have their onboard equipment completely upgraded every year or two to ensure the US can continue to "get" enemy information. It "blows you away, ... 
the type of things you can do" with the latest airborne intelligence equipment, said Maj. Gen. John C. Koziol, who was then commander of the 55th Wing and now heads the Air Intelligence Agency. Constant upgrades and deployments make training difficult, he added. It is hard for Rivet Joint aircrews to keep current with the technology, Koziol said, because each RC-135 variant has its "own little quirks." This is a necessary evil. Lt. Col. John Rauch, commander of the 338th Combat Training Squadron, noted that upgrades come directly from operational lessons. Combat aircrews continually develop new tactics and ideas for better equipment. Protecting Data The Air Force Information Warfare Center's IW Battlelab is tasked with quickly developing solutions to many of these operational needs. One recently fielded example is "Lockjaw," a device to quickly destroy computer hard drives so that US information does not fall into enemy hands. Col. David D. Watt, AFIWC commander, said the unit is working to build within USAF an awareness of the importance of defending and exploiting information. The center has an aggressor squadron conducting vulnerability assessments, Watt said, trying to get in base gates, access computers, and see what it can "piece together" from various sources. Officials are often surprised to learn what is found even in open sources. A study on information operations in Iraq by the Air Force Command and Control and Intelligence, Surveillance, and Reconnaissance Center at Langley AFB, Va., described one security risk that came from an unlikely place - the Pentagon. A B-1B bomber mission targeting Saddam Hussein received much publicity in the early days of Operation Iraqi Freedom. Details of the mission and crew members' full names, commanding officer, and home base were widely reported. This was "an egregious OPSEC [operations security] violation [that] potentially put the family members ... at risk," stated the study. 
AFIWC commander Watt said influence ops in particular are still on "the ground floor" doctrinally, and the center is trying to get the rest of the Air Force to understand what information warfare brings to the fight. Even something as simple as "the truth" can be applied in different ways, noted Maj. Tadd Sholtis in the fall 2005 Air & Space Power Journal. If it is a military objective to deter an enemy from taking action, both an information operation and a public affairs tactic can be engaged. The "IO influence tactic" would be to broadcast radio and television messages describing the futility of challenging the superior US military. The "PA tactic," meanwhile, would "demonstrate military resolve by promoting media coverage of the deployment of combat-capable forces to the region," Sholtis wrote. STRATCOM's Zelibor said it is difficult to create metrics - battle damage assessment, if you will - judging the effectiveness of DOD's information efforts. Even so, he noted, strategists can tune in to foreign news sources to "look for the effects." Copyright Air Force Association *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* From isn at c4i.org Fri Dec 2 01:14:22 2005 From: isn at c4i.org (InfoSec News) Date: Fri Dec 2 01:57:48 2005 Subject: [ISN] Cisco IOS security hole surfaces in Web server code Message-ID: http://www.networkworld.com/news/2005/113005-cisco-ios.html By Phil Hochmuth NetworkWorld.com 11/30/05 Security researchers this week said they discovered a hole in the Web server code in Cisco's IOS software. 
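A configuration check for the IOS HTTP server this article is about, added here as an example; it is not part of the NetworkWorld article or of any Cisco advisory. It assumes the input is a saved "show running-config" and that "ip http server" and "ip http secure-server" are the standard IOS lines enabling the HTTP and HTTPS management interfaces. The article names only the HTTP server; HTTPS is flagged as well on the assumption that the same embedded web server code serves both.

```shell
#!/bin/sh
# Added example, not from the NetworkWorld article or from Cisco: audit a
# saved IOS configuration for the embedded web server the reported flaw
# lives in, and print the commands that turn it off.
# Assumptions: the file is the output of "show running-config";
# "ip http server" enables the HTTP management interface and
# "ip http secure-server" its HTTPS variant (both are standard IOS
# commands). The article only names the HTTP server; HTTPS is flagged
# here as well on the assumption that it is served by the same code.

# ios_http_status CONFIG
# Prints "http" and/or "https" for each enabled web server.
# Returns 0 if at least one is enabled (device exposed), 1 if none is.
ios_http_status() {
    cfg="$1"
    exposed=1
    # Only top-level, uncommented lines count; "no ip http server" means
    # the service is explicitly disabled and must not match.
    if grep -Eq '^ip http server([[:space:]]|$)' "$cfg"; then
        echo http
        exposed=0
    fi
    if grep -Eq '^ip http secure-server([[:space:]]|$)' "$cfg"; then
        echo https
        exposed=0
    fi
    return "$exposed"
}

# ios_http_remediation CONFIG
# Prints the configuration-mode lines that disable whatever is enabled.
# Nothing is printed when the device is already clean.
ios_http_remediation() {
    ios_http_status "$1" | while read -r svc; do
        case "$svc" in
            http)  echo "no ip http server" ;;
            https) echo "no ip http secure-server" ;;
        esac
    done
    return 0
}

# Usage: ios_http_remediation running-config.txt
```

Run it over the configs your partners or carriers left behind on deployed devices; the article's point is that the server ships disabled but is often switched on for management. If the web interface has to stay, IOS also supports limiting who can reach it with "ip http access-class" (general IOS knowledge, not from the article), but turning it off is the simpler fix until Cisco publishes its advisory.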
The flaw could allow attackers - armed only with knowledge of the Cisco device's IP address - to gain administrative control of a Cisco device or run arbitrary code on the machine, according to claims. The vulnerability - as reported by the security organizations Secunia and SecurityFocus - could allow a potential attacker to view a memory dump (a record of the data in a router's memory) of an IOS router via the HTTP server and inject script code into the router through the HTTP server. Attackers could use this method to get administrator-level access to a Cisco router or switch or run code on the device. The vulnerability only affects Cisco routers running IOS HTTP servers, which are used as an alternative management interface to the text-based command line for configuring routers. Cisco IOS versions 11.0 and higher are potentially affected, because they ship with the HTTP server software. The HTTP server is not enabled by default in most IOS versions installed on routers shipped from Cisco, according to the company's Web site. However, resellers, carriers and other partners could enable the HTTP server for management purposes when deploying the device in customer networks. Cisco is aware of the claims of the IOS HTTP vulnerability, a company spokesperson says, and is investigating the issue. An advisory will be sent to customers if deemed necessary by the company. From isn at c4i.org Fri Dec 2 01:30:50 2005 From: isn at c4i.org (InfoSec News) Date: Fri Dec 2 02:04:44 2005 Subject: [ISN] Ex-Gov't Worker Sentenced In Prostitution Case Message-ID: http://www.thekansascitychannel.com/news/5439171/detail.html December 1, 2005 KANSAS CITY, Mo. -- A federal judge on Wednesday sentenced a former employee of the U.S. Department of Health and Human Services to four years probation for using her computer access at work to promote prostitution. Candice Smith, 44, of Blue Springs, pleaded guilty in July to unauthorized computer intrusion. 
Her sentence includes four months of home detention. As part of her plea, Smith admitted making illegal inquiries into the LexisNexis database, which was available to her in her job as a payment recovery specialist for the Center for Medicaid Services, an agency of the Department of Health and Human Services. According to prosecutors, Smith had been working as a prostitute and used information from LexisNexis to help her avoid arrest and prosecution. Candice Smith told KMBC by phone that she wants to go on with her life and raise her children, but she can't get a job. She said the media coverage of her case has destroyed her life and hurt her family. Her ex-husband, Tom Smith, wants custody of the boys, ages 8 and 11. "There are two boys involved. Why now, when you get caught, do you think of the children?" Tom Smith told KMBC's Maria Antonia. Tom Smith said he had hoped his ex-wife would end up in prison. "She just got away with it," Tom Smith said. He was in the courtroom Wednesday to raise his concerns about Candice raising their boys. "We took our case to social services, and they said unless she was making the children watch her perform sexual acts, there was nothing they could do to help us out," Tom Smith said. He said he will fight for custody of the children in court. Meanwhile, the federal judge said Smith's case is not about prostitution -- it's about a federal employee using a computer illegally. 
From isn at c4i.org Mon Dec 5 04:08:56 2005 From: isn at c4i.org (InfoSec News) Date: Mon Dec 5 04:23:02 2005 Subject: [ISN] Gartner: 2005 hurricanes prompt more companies to store data off-site Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,106641,00.html By Lucas Mearian DECEMBER 01, 2005 COMPUTERWORLD The number of companies making copies of data to protect it has dramatically risen in the wake of hurricanes Katrina and Wilma this year, but most of those companies are keeping that duplicate data locally where it's still vulnerable to disasters, according to a survey released yesterday by Gartner Inc. The September survey of 104 North American IT managers showed that 45% of respondents back up or replicate data to another disk, up from just 6% who did so in 2004. But 70% of the respondents who make backups do so to a local device. Adam Couture, an analyst at Stamford, Conn.-based Gartner, said that if companies hope to truly protect their data, they have to electronically copy it to an off-site facility either owned by the company or a service provider. Dale Caldwell, a systems programmer at Grange Insurance Group in Seattle, said that until a year ago, his company performed nightly tape backups that took four hours to complete and stored the tapes at an office in another part of the city. But after 9/11 and a recent spate of natural disasters, regulators pushed the company to establish disaster recovery plans that include off-site data replication. As a result, Caldwell chose to replicate data between a virtual tape library (VTL) in his main data center and one in an off-site location in Spokane, Wash. -- 230 miles away. He is using a VTL controller from Bus-Tech Inc. in Burlington, Mass., to store and retrieve mainframe tape data sets, eliminating most of his tape infrastructure. "The [off-site replication] has been really wonderful. There's a lot of time savings to it," Caldwell said. 
Caldwell said the disk-to-disk replication knocked two hours off his nightly backups and allowed him to trim the time needed for data restorations from two hours with tape to 45 minutes with disk. Christopher Varner, chief technology officer at DDJ Capital Management LLC in Wellesley, Mass., said he is considering a move away from tape backup to an electronic backup scheme using an online data backup and recovery service from EVault Inc. in Emeryville, Calif., and protection services from SunGard Data Systems Inc. in Wayne, Pa. DDJ Capital plans to install a backup storage server on its LAN running EVault software for regular backups to restore deleted files locally. The firm also plans to have a duplicate backup server making copies over the Internet to a SunGard data center also running EVault. "This enhances our disaster recovery capabilities and also makes backups easier for my staff," Varner said. "No more taking tapes home every night or dealing with the hassle of rotating our tape library in the bank safe deposit box." The local vault will be used as necessary to restore deleted files, and the off-site backup will be used for disaster recovery. The Gartner survey also showed that IT managers are more comfortable considering managed storage services to copy data off-site. Over the past two years, Couture said, surveys have shown that between 30% and 40% of IT managers would never use a third-party service provider. But in the most recent survey, that number had plummeted to just 6%. "The survey showed me the barriers to managed service providers are really coming down," he said. The survey also showed that security is becoming a priority for IT managers because of a number of highly publicized data-loss incidents this year. Fifty-five percent of those surveyed said they encrypt all backup files, and 50% said they will review internal policies surrounding access to backup data. 
"One of the advantages of using a service provider for remote backup service is they encrypt everything before it's sent, and of course, nobody is touching a physical tape or putting it on the truck," Couture said. The prospect of service-provider culpability is also a top concern for many respondents, with 40% saying they plan to review the security policies and procedures of their physical tape archiving service providers. Another one-third said they may switch to another service provider. The physical loss of tapes can often be blamed on the fact that the physical transportation of tapes involves many "hands" moving them from their silo slots to bins to transport trucks to a physical archive location, to their storage slots and back again, Gartner said in its report. Eliminating all touch points also eliminates the possibility of human error or theft, Couture said. In light of that, 35% of survey respondents said they plan to switch to network-based backups, while another 20% cited plans to move to disk-to-disk-based storage. From isn at c4i.org Mon Dec 5 04:07:19 2005 From: isn at c4i.org (InfoSec News) Date: Mon Dec 5 04:23:28 2005 Subject: [ISN] 7,800 linked to USD told of network security breach Message-ID: http://www.signonsandiego.com/news/business/20051203-9999-1b3breach.html By Bruce V. Bigelow UNION-TRIBUNE STAFF WRITER December 3, 2005 The University of San Diego has notified almost 7,800 individuals, including some faculty members, students and vendors, that hackers gained illicit access to computers containing their personal income tax data. The compromised data included names, Social Security numbers and addresses, according to a letter signed by Douglas Burke, the private Catholic university's director of network and systems operations. 
The undated letter aggravated many recipients, though, because it provided no details about the breach and offered no specific recommendations on steps they could take to protect their personal banking and credit accounts. "It's one of the worst security breach notice letters I've ever seen," said Beth Givens, director of the Privacy Rights Clearinghouse, a San Diego nonprofit consumer group once affiliated with USD. "I'm outraged," said Michael Shames, who teaches part-time at USD's law school and shares an office with Givens as executive director of the Utility Consumers' Action Network, a nonprofit consumer advocacy group. "I was just astounded that a university would go to such lengths to keep their own people in the dark about something like this." A USD spokeswoman voiced regret about the shortcomings of the letter, which was mailed Wednesday, and the breach in USD's computer network, which was discovered Nov. 14. "It's a very unfortunate situation, and we're very empathetic to the folks who have been impacted by this," said the spokeswoman, Pamela Gray Payton. She said it was USD's first computer security breach. A hacker or hackers gained access for an unknown period to a computer server on campus that is used to print W-2, 1099 and 1098T tax forms, Payton said. The compromised data included information from 2003 and 2004 for certain vendors, consultants, student aid recipients and employees. Payton could not say if any administrators or trustees were affected, saying the computers containing the data were used to generate the letters automatically. "If a trustee received a check or W-2 form, then they were affected," said Payton, who noted she received a copy of the letter yesterday afternoon. Under California law, companies and organizations that operate computerized databases with sensitive personal information are required to alert people whose data has been compromised by computer break-ins. 
The law was intended to help people prevent identity theft, a crime in which thieves use stolen personal data to get credit cards and loans and make purchases using someone else's name. Once alerted, consumers can monitor their bank and credit accounts more closely and request that a fraud alert be posted on their credit reports. But the law does not specify what information should be included in the notice, or when it must be sent. "If you're somewhat Web-savvy and you read the news, you'll know that there is nothing new about these security breaches," Givens said. In April 2004, for example, hackers pierced network security at the University of California San Diego and accessed personal data on an estimated 380,000 students, alumni, faculty, employees and applicants. But Givens said the required notice letter really is an opportunity to tell people what they need to do. "A good letter will say, this is how you contact the three credit reporting bureaus, and this is how you put a fraud alert on your accounts," Givens said. Such information is available online at her group's Web site, www.privacyrights.org , and from the Federal Trade Commission www.consumer.gov/idtheft. "Not having had this experience before, what we're willing to do now in retrospect is make that information available to people who call the university," Payton said. University officials also were investigating the feasibility of putting the information on USD's Web site. From isn at c4i.org Mon Dec 5 04:07:49 2005 From: isn at c4i.org (InfoSec News) Date: Mon Dec 5 04:24:14 2005 Subject: [ISN] Mac OS X security under scrutiny Message-ID: Forwarded from: "Thor (Hammer of God)" > SANS's Dhamankar stressed that the intent was not to call the Mac OS > X operating system a threat, but to give Mac users a wake up call. > If they have not been paying attention to security, then they should > start today, he said. 
If the intent was simply a "wake up call," then why is it listed as one of "The Twenty Most Critical Internet Security Vulnerabilities???" Classifying it as "Most Critical" doesn't really fit when one claims to be merely increasing awareness for "some people that feel that, if they are running Mac OS X, then all is well." It brings the validity of the entire list into question. But then again, so does claiming that AV software itself is one of the most critical vulnerabilities when any real-world experience still shows that outdated AV, not the AV itself, is a far greater concern. t From isn at c4i.org Mon Dec 5 04:08:13 2005 From: isn at c4i.org (InfoSec News) Date: Mon Dec 5 04:25:18 2005 Subject: [ISN] Linux Advisory Watch - December 2nd Message-ID: +---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | December 2nd, 2005 Volume 6, Number 49a | +---------------------------------------------------------------------+ Editors: Dave Wreski Benjamin D. Thomas dave@linuxsecurity.com ben@linuxsecurity.com Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability. This week, advisories were released for zope, gtk, centericq, gdk-pixbuf, horde2, inkscape, chmlib, fuse, netpbm, and the kernel. The distributors include Debian, Gentoo, and Mandriva. ---- Earn an NSA recognized IA Masters Online The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. 
http://www.msia.norwich.edu/linsec ---- Hacks From Pax: SELinux Policy Development Hi, and welcome to the final entry in my series of articles on SELinux. My last three articles have provided an overview and history of SELinux, discussed how SELinux makes access decisions, and explained how to administer an SELinux system. Today we'll build on the SELinux knowledge we've gained and learn how to perform basic customization of our system's security policy. Customizing your system's SELinux policy can be necessary when running an application your policy is unaware of. In particular, web-based applications might need customization of the Apache policy in order to run properly. Setting Up a Policy Development Environment For the purposes of this article, I'll assume you have a server running EnGarde Secure Community 3.0 (a free downloadable ISO image is available). EnGarde Secure Linux is a good base for learning SELinux policy since it is a server system only, which allows for a policy that is easier to understand than distributions such as Fedora which include many policy modules for X11 and other desktop applications. First, log in as root and transition to the sysadm_r role. Generally policy development is best done with SELinux in permissive mode, so run setenforce 0 before you begin. Be sure your system is upgraded to the latest release by issuing the apt-get update command, and then install the necessary policy development packages by entering apt-get install make m4 gcc python engarde-policy-sources. Other packages may be installed due to dependencies. Compiling Policy Once this is done, you should change to the policy sources directory which is /etc/selinux/engarde/src/policy/. The main part of the policy sources is the policy/modules directory, which contains directories that contain your actual policy source modules for all services and applications constrained by SELinux. 
The first time you compile a policy, you must make the configuration files by typing make conf in the main policy directory. This creates the modules.conf and policy.conf files. Now you can compile the policy by entering make policy. This gathers all the modules and compiles them into a binary policy that is directly used by SELinux. The next step is to install the newly compiled policy by issuing the make install command. Next, you must reload the policy by typing make reload. If you have changed file specifications, you also need to relabel the filesystem against the new policy; this is done by typing make relabel. Finally, return to enforcing mode using the setenforce command. One way to speed up this process is to issue all of the compilation commands in a single command line, as shown below. # setenforce 0 && make policy install reload relabel reload && setenforce 1 Read Entire Article: http://www.linuxsecurity.com/content/view/120837/49/ ---------------------- Linux File & Directory Permissions Mistakes One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com. http://www.linuxsecurity.com/content/view/119415/49/ --- Buffer Overflow Basics A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. 
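The SELinux policy build procedure above (setenforce 0, make policy, install, reload, relabel, setenforce 1), as a script added here as an example; it is not code from the LinuxSecurity article or from EnGarde. The one caveat worth scripting around: the article's "&&" one-liner skips the closing setenforce 1 as soon as any make target fails, which leaves the box in permissive mode precisely when something went wrong. The wrapper assumes the policy tree is at the EnGarde path named in the article (overridable via POLICY_DIR) and that make and setenforce are on PATH.

```shell
#!/bin/sh
# Added example, not from the LinuxSecurity article: the policy build
# sequence above, wrapped so the system never stays in permissive mode
# when a step fails. The article's "&&" one-liner skips the final
# "setenforce 1" as soon as any make target returns non-zero, which is
# exactly when you least want to forget it.
# Assumptions: policy sources under POLICY_DIR (the EnGarde path from the
# article) and "make" and "setenforce" on PATH.

POLICY_DIR="${POLICY_DIR:-/etc/selinux/engarde/src/policy}"

# run_step TARGET: one "make TARGET" in the policy tree, echoed first so
# the log shows which step produced any error output.
run_step() {
    echo "== make $1"
    make -C "$POLICY_DIR" "$1"
}

# build_policy: drop to permissive, run the targets in the article's
# order, stop at the first failure, and return to enforcing no matter
# what (the EXIT trap covers errors and Ctrl-C). Returns the status of
# the first failing target, 0 if every step succeeded.
# "make conf" is only needed the first time, so it is opt-in: FIRST_BUILD=1.
build_policy() {
    targets="policy install reload relabel reload"
    [ "${FIRST_BUILD:-0}" = 1 ] && targets="conf $targets"

    setenforce 0 || return 1
    trap 'setenforce 1' EXIT
    rc=0
    for t in $targets; do
        run_step "$t" && continue
        rc=$?
        echo "!! make $t failed (rc=$rc); remaining steps skipped" >&2
        break
    done
    trap - EXIT
    setenforce 1 || rc=1
    return "$rc"
}

# Usage:  . ./build-policy.sh && build_policy
#    or:  . ./build-policy.sh && FIRST_BUILD=1 build_policy
```

The trap is the important part: a failing make install or make relabel now still ends in enforcing mode, and the non-zero return code tells you which step to look at instead of silently leaving the last good policy loaded but unenforced.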
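An audit for the over-liberal file and directory permissions the "Permissions Mistakes" blurb above warns about, added here as an example (not code from the LinuxSecurity article). It covers three classes that matter in practice: world-writable files, world-writable directories without the sticky bit (anyone can delete or rename other users' files there), and setuid/setgid programs that are group- or world-writable. It assumes only a POSIX find(1).

```shell
#!/bin/sh
# Added example, not from the LinuxSecurity article: an audit for the
# over-liberal permissions the blurb above warns about. It reports three
# classes under a given root:
#   world-writable-file            any user can modify the content
#   world-writable-dir-no-sticky   any user can delete or rename others'
#                                  files in it (/tmp is safe only because
#                                  of the sticky bit)
#   writable-setid                 a setuid/setgid program that is group-
#                                  or world-writable: whoever can write
#                                  it runs as its owner
# Assumption: a POSIX find(1); no GNU-only predicates are used.

# perm_audit ROOT
# Prints "CLASS PATH" per finding. Returns 0 if clean, 1 if anything found.
perm_audit() {
    root="$1"
    findings=$(
        find "$root" -type f -perm -0002 | sed 's/^/world-writable-file /'
        find "$root" -type d -perm -0002 ! -perm -1000 | sed 's/^/world-writable-dir-no-sticky /'
        find "$root" -type f \( -perm -4000 -o -perm -2000 \) \
             \( -perm -0020 -o -perm -0002 \) | sed 's/^/writable-setid /'
    )
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage: perm_audit /usr/local      (or: perm_audit / as root, for everything)
```

Run it as root over / after an install or a package upgrade; the fix for each line is the matching chmod (o-w, +t on shared directories, and for a writable setid binary first ask why it is setuid at all).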
http://www.linuxsecurity.com/content/view/119087/49/ --- Review: The Book of Postfix: State-of-the-Art Message Transport I was very impressed with "The Book of Postfix" by authors Ralf Hildebrandt and Patrick Koetter and feel that it is an incredible Postfix reference. It gives a great overall view of the operation and management of Postfix in an extremely systematic and practical format. It flows in a logical manner, is easy to follow and the authors did a great job of explaining topics with attention paid to real world applications and how to avoid many of the associated pitfalls. I am happy to have this reference in my collection. http://www.linuxsecurity.com/content/view/119027/49/ -------- --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------------------+ | Distribution: Debian | ----------------------------// +---------------------------------+ * Debian: New zope2.7 packages fix arbitrary file inclusion 24th, November, 2005 Updated package. http://www.linuxsecurity.com/content/view/120884 * Debian: New gtk+2.0 packages fix several vulnerabilities 29th, November, 2005 Updated package. http://www.linuxsecurity.com/content/view/120908 * Debian: New centericq packages fix denial of service 30th, November, 2005 Updated package. http://www.linuxsecurity.com/content/view/120909 * Debian: New gdk-pixbuf packages fix several vulnerabilities 1st, December, 2005 Updated package. http://www.linuxsecurity.com/content/view/120917 * Debian: New horde2 packages fix cross-site scripting 1st, December, 2005 Updated package. 
http://www.linuxsecurity.com/content/view/120918 +---------------------------------+ | Distribution: Gentoo | ----------------------------// +---------------------------------+ * Gentoo: Macromedia Flash Player Remote arbitrary code 25th, November, 2005 A vulnerability has been identified that allows arbitrary code execution on a user's system via the handling of malicious SWF files. http://www.linuxsecurity.com/content/view/120893 * Gentoo: Inkscape Buffer overflow 28th, November, 2005 A vulnerability has been identified that allows a specially crafted SVG file to exploit a buffer overflow and potentially execute arbitrary code when opened. http://www.linuxsecurity.com/content/view/120900 * Gentoo: chmlib, KchmViewer Stack-based buffer overflow 28th, November, 2005 chmlib and KchmViewer contain a buffer overflow vulnerability which may lead to the execution of arbitrary code. http://www.linuxsecurity.com/content/view/120901 * Gentoo: chmlib, KchmViewer Stack-based buffer overflow 28th, November, 2005 chmlib and KchmViewer contain a buffer overflow vulnerability which may lead to the execution of arbitrary code. http://www.linuxsecurity.com/content/view/120903 +---------------------------------+ | Distribution: Mandriva | ----------------------------// +---------------------------------+ * Mandriva: Updated fuse packages fix vulnerability 24th, November, 2005 Thomas Beige found that fusermount failed to securely handle special characters specified in mount points, which could allow a local attacker to corrupt the contents of /etc/mtab by mounting over a maliciously-named directory using fusermount. http://www.linuxsecurity.com/content/view/120891 * Mandriva: Updated netpbm packages fix pnmtopng vulnerabilities 30th, November, 2005 Greg Roelofs discovered and fixed several buffer overflows in pnmtopng which is also included in netpbm, a collection of graphic conversion utilities, that can lead to the execution of arbitrary code via a specially crafted PNM file. 
http://www.linuxsecurity.com/content/view/120913 * Mandriva: Updated kernel packages fix numerous vulnerabilities 30th, November, 2005 Updated package. http://www.linuxsecurity.com/content/view/120914 * Mandriva: Updated kernel packages fix numerous vulnerabilities 30th, November, 2005 Updated package. http://www.linuxsecurity.com/content/view/120915 * Mandriva: Updated kernel packages fix numerous vulnerabilities 30th, November, 2005 Updated package. http://www.linuxsecurity.com/content/view/120916 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ From isn at c4i.org Mon Dec 5 04:08:31 2005 From: isn at c4i.org (InfoSec News) Date: Mon Dec 5 04:26:39 2005 Subject: [ISN] FBI Delays Awarding Contract For Computer-System Overhaul Message-ID: http://online.wsj.com/public/article/SB113357762116313178-d8t1EtVGKdN0tsFNRNNcqn9AbtE_20061203.html By ANNE MARIE SQUEO Staff Reporter of THE WALL STREET JOURNAL December 3, 2005 FBI officials, nervous about making another costly mistake overhauling the agency's antiquated computer system, have postponed awarding the contract for the high-profile job until next year. Two of the nation's biggest defense contractors -- Lockheed Martin Corp. and Northrop Grumman Corp. -- are competing for the information-technology system, dubbed Sentinel. Federal Bureau of Investigation officials were scheduled to announce the winner last month. But they have postponed the selection until at least early next year, according to two government officials. The delay is in part because of a desire to avoid the mistakes that plagued Sentinel's disastrous predecessor, the Virtual Case File system. 
FBI Director Robert Mueller pulled the plug on that project in April after four years and about $170 million. "At this time, we are currently in the middle of source selection, so it would be inappropriate to provide a specific release date," said FBI spokesman Richard Kolko. FBI officials have been seeking additional information for weeks from the two companies and haven't yet made a recommendation to senior FBI officials. Much is riding on the project's success. Congress and other overseers pilloried the FBI for its reliance on paper records, forms and file cabinets. The FBI only last year completed the rollout of the Internet to its agents and analysts. And even though the bureau installed a computerized case-management system in the mid-1990s, it relied largely on aging, less-agile technology to do so. And it did little to eliminate the department's notorious number of paper forms -- currently numbering more than 1,000. Having been hauled before Congress numerous times to explain the bureau's technology problems, Mr. Mueller has staked his legacy on installing a system that will streamline internal processes, speed investigations and improve information-sharing with other agencies. The Sept. 11 commission criticized the FBI's lack of information sharing that could have helped prevent the terrorist attacks. "There is no agency that needs the best information-sharing mechanisms more than the FBI," Attorney General Alberto Gonzales said in a press briefing on Friday. "Bob [Mueller's] focused on it. I'm focused on it. The president is focused on it and so are members of Congress." Lockheed, of Bethesda, Md., and Los Angeles-based Northrop are the only two bidders for the project, which likely would total in the hundreds of millions of dollars. No target price has been released. Industry and government officials have expressed surprise that no other bidders emerged but said the intense scrutiny of the project may have been a disincentive. 
Science Applications International Corp., which handled the earlier project, was criticized publicly when Mr. Mueller canceled it.

Also, the window of opportunity to bid was fairly narrow -- the request for proposals went out in August with responses due in October. Further, bidders had to put together a working prototype.

FBI Chief Information Officer Zalmai Azmi said some potential vendors decided to team up rather than compete on their own. The Lockheed team, for example, includes Accenture Ltd., Computer Sciences Corp., CACI International Inc. and others. Northrop hasn't disclosed its teammates.

Industry officials acknowledge the job is enormous. "This is a big complicated system" because of the variety of issues the FBI investigates -- such as terrorism, white-collar crime, kidnappings and insurance fraud, said one industry executive who asked not to be identified because of the ongoing competition.

In white-collar investigations, for example, often "bank records all have to be pulled into the case-file system, and some of these cases have 13 million financial transactions," this person said.

With a wide variety of investigations, the FBI must be able to collect and store information in several different systems -- top secret, secret, classified, and sensitive but unclassified -- and any given document might contain information that falls into all four categories. Thus, the new system needs strict security controls to prevent information from falling into the wrong hands, such as in the case of rogue FBI agent Robert Hanssen, sentenced to life in prison for stealing and selling secrets to the Russians over two decades.

Lockheed and Northrop are banking on their expertise integrating sophisticated weapons systems for the military to give them an edge on the FBI's problems. And both companies also have experience working with the Justice Department and the FBI on other projects.
Write to Anne Marie Squeo at annemarie.squeo @ wsj.com

From isn at c4i.org Mon Dec 5 04:08:41 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Dec 5 04:27:58 2005
Subject: [ISN] DSW to beef up computer security in US settlement
Message-ID:

http://www.localnewsleader.com/brocktown/stories/news-00107611.html

Staff and agencies
03 December, 2005

WASHINGTON - Shoe retailer DSW Inc. (NYSE:DSW) agreed to beef up its computer security to settle U.S. charges that it did not adequately protect customers' credit cards and checking accounts, the Federal Trade Commission said on Thursday.

DSW said this spring that identity thieves had gained access to debit card, credit card and checking account information of more than 1.4 million customers, one of a string of such security breaches announced by U.S. companies this year.

Identity thieves have generated fraudulent activity on some of those accounts, resulting in out-of-pocket charges for some customers, the FTC said.

The FTC said the company engaged in an unfair business practice because it created unnecessary risks by storing customer information in an unencrypted manner without adequate protection.

As part of the settlement, DSW set up a comprehensive data-security program and will undergo audits every two years for the next 20 years.

DSW operates approximately 190 stores in 32 states. It had been a subsidiary of Retail Ventures Inc. (NYSE:RVI) until June, when it was spun off in an initial public offering.

DSW issued a statement on Thursday saying it did not agree with all the allegations made by the FTC. But it said the settlement "validates the importance we place on security and brings closure to this matter."

The company has said information was stolen from 108 stores. The transaction information stolen involved 1.4 million credit cards and 96,000 checks.

Other companies to report such problems include Bank of America Corp. (NYSE:BAC) and ChoicePoint Inc.
(NYSE:CPS), where the thefts involved thousands of individuals' data.

From isn at c4i.org Mon Dec 5 04:09:08 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Dec 5 04:29:17 2005
Subject: [ISN] Fremont Man Busted for Fake Prescriptions
Message-ID:

http://www.nbc24.com/Global/story.asp?S=4195206

Kevin Milliken
kmilliken @ nbc24.com
December 2, 2005

(Fremont, OH) --- You could say 27-year old Chad Mockensturm had a bad week. Now he's spending his birthday behind bars.

Fremont police say Mockensturm recently got fired from a car audio dealer and ended up living in a Fremont motel. But detectives call Mockensturm a "gadget guy" who cooked up an elaborate computer scheme to make fake prescriptions and feed an addiction to painkillers.

"I wouldn't say he's a computer genius, but I would say fairly intelligent," said Tony Emrich, a Fremont police detective. "This is not your average prescription fraudulent activity."

Police say the scheme started with a keychain gadget known as a wi-fi finder, which scans for wireless Internet service. Once Mockensturm found a signal, detectives say he would park his van in front of someone's house, steal their wireless Internet access, and download the prescription painkiller information he needed --- without them ever knowing it.

Once he returned to his motel room, detectives say Mockensturm would plug the painkiller information into his computer, then scan an actual prescription, rewrite it, and print out a bogus batch.

Police say the real prescription was for a name-brand drug. But without medical insurance, Mockensturm could only afford a cheap high -- so he went for generic painkillers.

Mockensturm got busted waiting in line at Kroger, when workers at the pharmacy smelled fraud.

"We're glad we picked this up fairly early on, because I think in time he would have realized what he was capable of doing with his intelligence and it could have been a real big headache for us," Emrich admitted.
Police call the case a warning shot for all wireless Internet users, especially those that don't protect their access with security measures. Detectives admit Mockensturm could have stolen all sorts of personal information from people, but only wanted drugs.

From isn at c4i.org Mon Dec 5 04:09:37 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Dec 5 04:38:05 2005
Subject: [ISN] Federal flaw database commits to grading system
Message-ID:

http://www.theregister.co.uk/2005/12/04/common_vulnerability_database/

By Robert Lemos
SecurityFocus
4th December 2005

A federal database of software vulnerabilities funded by the US Department of Homeland Security has decided on a common method of ranking flaw severity and has assigned scores to the more than 13,000 vulnerabilities currently contained in its database, the group announced last week.

The National Vulnerability Database, unveiled in August, completed its conversion over to the Common Vulnerability Scoring System, an industry initiative aimed at standardizing the severity rankings of flaws. The CVSS gives vulnerabilities a base score based on their severity, a temporal score that measures the current danger - which could be lessened by a widely available patch, for example - and an environmental score that measures an organization's reliance on the vulnerable systems.

"There does not exist or ever will exist a perfect technique for scoring vulnerability impact," Mell said. "CVSS appears to work very effectively and it was better than my current scoring system and so it made sense to adopt it."

The move to the Common Vulnerability Scoring System gives the flaw-ranking initiative a major boost. Created by security researchers at networking giant Cisco, vulnerability management software provider Qualys and security company Symantec, the CVSS has not been used widely, though many companies are considering scoring flaws with the system. (SecurityFocus is owned by Symantec.)
The grading of the previous vulnerabilities on the CVE list solves a problem that hampered adoption of the Common Vulnerability Scoring System, said Gerhard Eschelbeck, chief technology officer for Qualys and one of the founding members of the CVSS team.

"With the introduction of CVSS as a standardized vulnerability scoring system, the question appeared, how do we go back and score all the historical vulnerabilities released?" he said. "It is very encouraging to see NVD has taken on this big task, providing comprehensive CVSS scoring for even historical vulnerabilities."

To date, no software vendor has yet graded vulnerabilities in its product using the Common Vulnerability Scoring System. Microsoft, for example, has its own severity-grading system and has considered but not committed to supporting the CVSS. Microsoft's current scoring system - rating flaws as one of four levels of severity - works well for its customers, said a spokesperson for the software giant. The company did not rule out a future move to the ranking system, however.

Some software makers worry that rating vulnerabilities could have some legal implications. For example, if a company gave a flaw a low rating and then that issue was used as an avenue for a costly attack, the firm could be held liable for its severity ranking. Such worries have caused companies to take their time debating the merits of adopting the Common Vulnerability Scoring System, said Gavin Reid, team lead for the CVSS program at the Forum of Incident Response and Security Teams (FIRST), which was chosen to host the CVSS project.

"I think there are significant hurdles for people adopting the scoring system," said Reid, who also works for Cisco, one of the companies that supported the creation of the CVSS. "But once one or two of them start using it, I think we will see a lot more adopting CVSS."
For that reason, the National Vulnerability Database's decision to use the scoring system and the group's ranking of more than 13,000 previous vulnerabilities has given CVSS a major boost, Reid said.

The NVD is managed by the National Institute of Standards and Technology (NIST) but funded through the Department of Homeland Security. The group's staff adds 16 new vulnerabilities to the database each day, up from 8 per day in August, and keeps a variety of current statistics, including a measure of the workload that the release of such flaws has on network administrators.

The National Vulnerability Database (NVD) is an initiative funded by the US Department of Homeland Security to boost the preparedness of the nation's Internet and computer infrastructure, as called for by the Bush Administration's National Strategy to Secure Cyberspace. Other DHS initiatives, such as the US Computer Emergency Readiness Team (US-CERT), release some information on serious vulnerabilities, but do not try to create a complete collection of critical and non-critical flaws. The NVD piggybacks on the Common Vulnerabilities and Exposures (CVE) list to do just that.

The CVE, a listing of serious vulnerabilities maintained by the Mitre Corporation, expands on the Internet Catalog (ICAT)--a previous NIST project--that archived the vulnerabilities defined by the Common Vulnerabilities and Exposures list.

The NVD team scored the vulnerabilities using an automated process. The CVE database only had about 80 percent of the information needed to give an exact score, Mell said, so the group has generated the scores based on the information at hand and labeled each one "approximate."

The CVE definitions are one of the standards that the National Vulnerability Database depends on. The database also uses the Open Vulnerability and Assessment Language (OVAL) to describe the security issues in a standard language, NIST's Mell said.
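The three-tier scoring the article describes (a base score for the flaw itself, a temporal score that a widely available patch can lower, and an environmental score reflecting the scoring organisation's own exposure) is easier to grasp as arithmetic. The following is an added illustration, not code from the article, from NVD or from the CVSS project: the metric weights are the CVSS version 1 values as the editor recalls them and should be checked against the FIRST specification, and the flaw being scored is constructed for the example.

```python
"""Three-tier CVSS-style scoring: base -> temporal -> environmental.

Constructed illustration. The metric weights are the CVSS version 1
values as recalled by the editor (an assumption, not taken from the
article or from NVD); the flaw scored in score_example() is made up.
"""
from decimal import Decimal, ROUND_HALF_UP

# Base metrics: intrinsic properties of the flaw that do not change.
ACCESS_VECTOR = {"local": 0.7, "remote": 1.0}
ACCESS_COMPLEXITY = {"high": 0.8, "low": 1.0}
AUTHENTICATION = {"required": 0.6, "not_required": 1.0}
IMPACT = {"none": 0.0, "partial": 0.7, "complete": 1.0}
# Impact bias: weight given to confidentiality, integrity, availability.
IMPACT_BIAS = {
    "normal": (0.333, 0.333, 0.333),
    "confidentiality": (0.5, 0.25, 0.25),
    "integrity": (0.25, 0.5, 0.25),
    "availability": (0.25, 0.25, 0.5),
}
# Temporal metrics: change over the life of the flaw (exploit maturity,
# whether a fix exists, how well the report is confirmed).
EXPLOITABILITY = {"unproven": 0.85, "proof_of_concept": 0.9,
                  "functional": 0.95, "high": 1.0}
REMEDIATION_LEVEL = {"official_fix": 0.87, "temporary_fix": 0.90,
                     "workaround": 0.95, "unavailable": 1.0}
REPORT_CONFIDENCE = {"unconfirmed": 0.90, "uncorroborated": 0.95,
                     "confirmed": 1.0}
# Environmental metrics: the scoring organisation's own exposure.
COLLATERAL_DAMAGE = {"none": 0.0, "low": 0.1, "medium": 0.3, "high": 0.5}
TARGET_DISTRIBUTION = {"none": 0.0, "low": 0.25, "medium": 0.75, "high": 1.0}


def _round1(x: float) -> float:
    """Round half-up to one decimal via Decimal, so binary-float noise
    near an .x5 boundary does not flip the published score."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"),
                                            rounding=ROUND_HALF_UP))


def base_score(access_vector, access_complexity, authentication,
               conf, integ, avail, bias="normal") -> float:
    """Base = 10 * AV * AC * Au * weighted sum of C/I/A impact (0..10)."""
    cb, ib, ab = IMPACT_BIAS[bias]
    impact = IMPACT[conf] * cb + IMPACT[integ] * ib + IMPACT[avail] * ab
    return _round1(10 * ACCESS_VECTOR[access_vector]
                   * ACCESS_COMPLEXITY[access_complexity]
                   * AUTHENTICATION[authentication] * impact)


def temporal_score(base, exploitability, remediation, confidence) -> float:
    """Temporal scales the base down; it can never exceed the base score."""
    return _round1(base * EXPLOITABILITY[exploitability]
                   * REMEDIATION_LEVEL[remediation]
                   * REPORT_CONFIDENCE[confidence])


def environmental_score(temporal, collateral_damage,
                        target_distribution) -> float:
    """Environmental pushes the temporal score toward 10 by the collateral
    damage potential, then scales by how many of the organisation's
    systems are affected (zero affected systems gives a score of 0)."""
    adjusted = temporal + (10 - temporal) * COLLATERAL_DAMAGE[collateral_damage]
    return _round1(adjusted * TARGET_DISTRIBUTION[target_distribution])


def score_example() -> dict:
    """Constructed flaw: remotely reachable, low complexity, no
    authentication needed, partial loss of C, I and A."""
    base = base_score("remote", "low", "not_required",
                      "partial", "partial", "partial")
    # Proof-of-concept exploit, confirmed report, no vendor fix yet ...
    unpatched = temporal_score(base, "proof_of_concept", "unavailable", "confirmed")
    # ... and the same flaw once an official fix ships.
    patched = temporal_score(base, "proof_of_concept", "official_fix", "confirmed")
    # Two organisations scoring the unpatched flaw: one runs the affected
    # software widely, the other does not run it at all.
    heavy_user = environmental_score(unpatched, "medium", "medium")
    not_deployed = environmental_score(unpatched, "medium", "none")
    return {"base": base, "temporal_unpatched": unpatched,
            "temporal_patched": patched, "env_heavy_user": heavy_user,
            "env_not_deployed": not_deployed}


if __name__ == "__main__":
    for name, value in score_example().items():
        print(f"{name:>18}: {value}")
```

The run shows the two properties the article relies on: the temporal score drops once an official fix exists (the "widely available patch" case), and the environmental score of an organisation that does not deploy the vulnerable software is zero, which is why NVD publishes base and temporal scores but leaves the environmental calculation to each company's own calculator run.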
"The reason we chose CVSS as opposed to another scoring system was that we believe in standards," Mell said. "If everyone uses a different scoring system, then the effectiveness of each scoring system is limited."

Currently, the database gets nearly 1.5 million hits a month from the private sector as well as government and academic users, Mell said. The group also provides a calculator for companies to generate an environmental score based on the vulnerable systems and the company's use of those systems.

Copyright © 2005, SecurityFocus

From isn at c4i.org Mon Dec 5 04:09:22 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Dec 5 04:38:37 2005
Subject: [ISN] Cybersecurity czar concept meets resistance in Britain
Message-ID:

http://www.washingtontechnology.com/news/1_1/daily_news/27522-1.html

By Alice Lipowicz
Staff Writer
12/02/05

Calls from a Member of Parliament to appoint a British cybersecurity czar are being greeted with skepticism from the U.K. information technology industry.

Mark Pritchard, a Conservative MP for The Wrekin parliamentary constituency, is urging the government to name a cybersecurity czar to address the growing threat against online commerce and national security in the United Kingdom.

"The rise of the professional hacker has serious implications for the UK, particularly in relation to national defense," Pritchard said in a speech [1] posted on his Web site. "I just wondered whether the Government would consider...appointing a cybersecurity czar and having a cybersecurity day or week, which would include the private and public sectors."

Pritchard also noted the danger of cyberattacks against key critical infrastructures such as energy, transport, finance, telecommunications and aviation.

"A penetration of any of those networks would be a serious threat to national security - not least when it comes to the potential to access Britain's 14 nuclear power stations," Pritchard said.
Initial IT industry reaction to Pritchard's request appeared to be negative, with the argument that the United Kingdom already has a sufficient number of protections in place to protect the cyberenvironment.

"As security experts said on Tuesday, there are already plenty of organizations charged with protecting us online," stated a Dec. 1 editorial [2] in ZDNetUK, an online IT publication.

Instead of a cybersecurity czar, the newspaper calls for stronger anti-cybercrime legislation, less red tape for reporting cybercrimes, and more resources for cyber law enforcement as more effective measures to strengthen cybersecurity.

[1] http://www.markpritchard.com/search/article.php?id=144
[2] http://comment.zdnet.co.uk/other/0,39020682,39239299,00.htm

From isn at c4i.org Tue Dec 6 05:33:11 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Dec 6 05:54:41 2005
Subject: [ISN] Computer security incidents cost NZ businesses millions
Message-ID:

http://www.nbr.co.nz/home/column_article.asp?id=13723

December 5, 2005

Internet security breaches are costing New Zealand businesses between $140 million and $240 million a year, a new study shows.

According to an Internet Security Survey conducted by the Employers and Manufacturers Association Northern in November, the range was "conservatively estimated" from the lowest to the median costs of the disruptions reported by 356 businesses, extrapolated across the country's 123,000 businesses employing more than one person.

About half the sample's respondents said the cost in the last 12 months was between $500 to $10,000, including rework, lost work, repairs and lost business.

Despite the cost of vulnerability, many businesses are failing to protect themselves in even the most rudimentary of ways, the study shows.

"For instance, 91 per cent of companies employing 20 people or less have antivirus software installed compared to 84 per cent of companies employing more than 20 people.
55 per cent of smaller companies have deployed anti-spyware compared to 49 per cent of larger firms," said EMA communications manager Gilbert Peterson.

Investment in IT remained static from 2004 to 2005, the survey said, with 51.2 per cent of respondents spending less than $19,000 this year, compared to 51.8 per cent in the last survey in March 2004. Of that relatively modest investment, 55.8 per cent invested five per cent or less on security in 2005 -- level pegging with the 55.7 per cent that spent five per cent or less in 2004.

Nor are businesses taking advantage of the automatic security upgrades that are widely seen as essential to combating fast-evolving internet threats.

"It's disturbing that the number automatically updating their internet security systems has dropped," Mr Peterson said, down from 90.3 per cent in 2004 to 75.2 per cent in 2005. "If these systems products are not regularly updated there is little point in having them.

"Though more businesses are allowing staff access to the internet at work - now up to 65 per cent - staff internet policies have not kept pace, while training on safe internet practices has dropped from 67.2 per cent in 2004 to 55.9 per cent in 2005.

"Nonetheless the survey shows the great majority of businesses are using security software at some level. Overall 88 per cent of respondents have installed antivirus software; 77 per cent have in place firewall software or appliance; and overall 63 per cent have spam filtering. However, only 26 per cent use intrusion prevention software and 24 per cent URL blocking," he said.

"This year's survey attracted a far higher response rate than last time, over double with 530 respondents in all compared to 230 previously, keeping pace with the growth of internet threats.

"The range of internet security breaches has become broader and more complex. Twenty-one months ago, the top security concerns were limited to viruses, hackers and spam.
Now the list includes Trojans, worms, spyware and email scams such as phishing, and others," said Mr Peterson.

Fifty-one per cent of total respondents have been the target of a phishing expedition, the study showed, and businesses are receiving an average of 98 spam emails per day. That's down from 21 months ago, the survey said, as spam filtering appears to be working. This year, five per cent of the survey sample report getting 51-100 spam emails a day compared with 12 per cent reporting the same volume in the last survey.

Only 9.1 per cent of businesses are still on a dial-up internet connection, with 34 per cent on high speed broadband connections, though many are dissatisfied with its reliability, speed and cost. Nearly 11 per cent of respondents cited broadband reliability, speed and cost as one of their top two IT issues.

Handheld devices are now a pervasive part of the mix, the study showed. In 2004 just 12 per cent had a handheld device in their business; now 49 per cent have them, with 51.8 per cent using one or more converged devices.

From isn at c4i.org Tue Dec 6 05:33:24 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Dec 6 05:55:25 2005
Subject: [ISN] ID thieves try to steal millions from U.K. taxman
Message-ID:

http://news.com.com/ID+thieves+try+to+steal+millions+from+U.K.+taxman/2100-7348_3-5983318.html

By Andy McCue
Special to CNET News.com
December 5, 2005

The British government has come under fire after it emerged ministers have known for months that criminals were using stolen identities to make fraudulent online tax credit claims worth millions of pounds.

HM Revenue and Customs, the U.K.'s tax authority, was warned about the flaw more than six months ago. However, it only closed the tax credit Web portal down last week after it discovered criminals had used the identities of 1,500 government employees at the Department of Work and Pensions to make fraudulent claims. The tax credit Web site handles around half-a-million transactions a year.
The fraudsters were able to change claim details and redirect the money into their own bank accounts by getting hold of a genuine claimant's name, date of birth and National Insurance number, which is the U.K. version of a Social Security number.

The fraud involving innocent staff at the Department of Work and Pensions only came to light during compliance checks by HM Revenue and Customs. British lawmakers were told that the tax credit Web site has been hit by more than 30 million pounds, or about $52 million, in fraudulent claims.

The police have now been called in, and a representative for the tax agency declined to comment further while the criminal investigation is going on. However, the representative said the tax credit Web site will remain down until the review of its security is completed.

David Laws, the Work and Pensions secretary for the Liberal Democratic party, slammed the Labour government and said ministers must make a statement as to why they took so long to take action to stop the fraud.

"This complicated and chaotic system is wide open to fraud," he said. "Ministers have known for some time that organized criminals were using the Internet to defraud the system."

The debacle is yet another embarrassment for the U.K. government's flagship tax credits program, which has suffered from problems since it was launched in 2003. Much of that has been down to an IT system described as a "nightmare" by British lawmakers.

EDS was last month forced to shell out 71 million pounds, or about $123.5 million, to HM Revenue and Customs to settle a dispute over problems with the tax credits IT system.
Copyright © 1995-2005 CNET Networks

From isn at c4i.org Tue Dec 6 05:33:48 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Dec 6 05:56:15 2005
Subject: [ISN] Security 'head honcho' role divides firms
Message-ID:

http://software.silicon.com/security/0,39024655,39154826,00.htm

By Will Sturgeon
5 December 2005

The noise being made about the importance of having a dedicated security professional within organisations and the actual number of such appointments appear greatly at odds.

Recent figures show only a quarter of companies currently have a chief security officer (CSO), leading some to say the resistance is a result of businesses recognising a fad when they see one.

Jay Heiser, research VP at Gartner, told silicon.com he believes companies still need to better understand the security challenge and said many companies will begin to realise the value of a dedicated "figurehead" in helping them grasp concepts such as risk.

"There are more and more companies putting them in place," said Heiser of the slow but steady growth in popularity of CSOs and chief information security officers (CISO). But he admits many may be put off by what sounds like yet another vanity job title.

"Today lots of organisations see the way to jumpstart and manage a process is to put a 'C' in front of somebody's job title," said Heiser. "But I wouldn't say it's a fad."

But nor is a CSO or CISO right for every firm. Heiser said the size, complexity and connectivity of the organisation are all going to be factors in determining whether such an appointment is a necessary addition to the workforce.

As such Heiser said banks and other financial services firms are ahead of the curve in terms of adopting a high-level dedicated information security professional. He said ecommerce and other highly web-dependent businesses are also leading the way.
The CSO is charged with gaining a greater understanding of how business and security are complementary, rather than the latter being a restriction on the former, with MBAs a favoured qualification over more technical letters after their name, said Heiser.

Heiser added he was surprised by a recent MORI poll which found that only 24 per cent of organisations have appointed a CSO. This was despite the fact 30 per cent believe they face a high risk of being targeted or hit by a security breach.

Companies with 500-plus employees are beginning to acknowledge the need for a CSO - or at least more so than their smaller peers, with 41 per cent saying they do employ a dedicated security chief. At smaller companies the figure fluctuated around the mid-teens in percentage terms.

Within these results there is also a further breakdown in terms of what companies expect from their security chief. Gartner's Heiser said the distinction between CISO and CSO is important, as the former tends to deal solely with the safeguarding of data and information while the latter may also have a role which encompasses physical security of premises and employees.

Of those respondents to the MORI survey who do have a CSO, 58 per cent employ that person to manage all security policy and processes within the enterprise - both physical and digital.

Simon Perry, VP security strategy at CA, who commissioned the MORI survey, told silicon.com: "The presence of a CSO is usually indicative of a sense of maturity in the approach to security."

"Good security implementation comes first and foremost from the fostering of a secure culture in an organisation. It's not about the technology it's the people and processes too."

The CSO is responsible for creating and steering that culture, said Perry.
From isn at c4i.org Tue Dec 6 05:34:15 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Dec 6 05:57:15 2005
Subject: [ISN] Security's Shaky State
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml?articleID=174900279

By Ted Kemp, Secure Enterprise
InformationWeek
Dec. 5, 2005

Resourceful I.T. security professionals are getting the job done, but their efforts have been hampered by undersized staffs and underfunded budgets that limit choices ranging from what products they buy to the vendors they work with.

The third annual Strategic Deployment Survey conducted by Secure Enterprise, an InformationWeek sister publication, polled more than 1,500 IT-security pros about their companies' security and their tactics for dealing with challenges. Follow-up interviews provided even more details on the state of IT security.

Shortfalls in security staffing and budgets aren't new, of course. But what makes the situation more nerve-racking are the regulatory risks and compliance requirements that fall to the IT security department, adding cost and work at a time when budgets are growing only moderately, if at all.

Case in point: One multibank holding company with 500 employees and assets of almost $2 billion recently implemented monitoring, encryption, and intrusion-prevention technologies to assist its adherence to the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, the Bank Secrecy Act, and the Health Insurance Portability and Accountability Act. But the company's chief information security officer, who asked to remain unidentified, still has a bleak security outlook.

"Our staffing levels are inadequate and have an impact on our ability to maintain systems in accordance with our policies and standards," he says. "This problem won't improve. Hopefully, we can do more automation and less hands-on administration and monitoring."

He's not alone in his pessimism. The survey shows IT security staffing almost unchanged from last year--and, in a word, deficient.
Forty-four percent of this year's respondents describe their security groups as moderately understaffed, with 21% saying they're severely understaffed. Last year, those numbers were 45% and 20%, respectively.

"I've yet to meet anyone who has all the staff and money they need," says Peter Clissold, information security manager at the Edmonton Police Service, one of Canada's largest law-enforcement agencies. The agency lacks well-segregated IT security roles and doesn't have the staff to carry out demonstrable audit or review exercises, Clissold says. However, he adds, the organization has identified its security gaps and has managed to get support from executives to address those shortfalls.

Managing expectations is important for handling staffing inadequacies, Clissold says. It's vital to define what should be expected from IT security groups--and what they expect from management--to deliver an expected level of service. Security managers must know their business and be innovative and resourceful. "We must be skilled communicators and negotiators with those in senior positions," he says.

Being resourceful of