From isn at c4i.org Tue Feb 1 04:01:00 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 1 04:09:45 2005
Subject: [ISN] NIST issues final draft of IT security controls
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/34930-1.html

By William Jackson
GCN Staff
01/31/05

The National Institute of Standards and Technology has released the final public draft of recommended security controls for federal systems, a fine-tuned version of a document that will become a mandatory Federal Information Processing Standard by the end of the year.

The agency's IT Laboratory says this third version of Special Publication 800-53 [1] contains modest changes based on more than 400 responses to earlier releases. It is one of seven NIST publications being produced as required by the Federal Information Security Management Act.

NIST released the initial draft in November 2003 and the second last September. Comments on the current draft can be e-mailed [2] to the agency's Computer Security Division until Feb. 11. The agency expects a final version to get Commerce Department approval by the end of February.

"SP 800-53 has special significance in that the security controls contained in the recommended baselines will form the basis for those controls that will become mandatory in December 2005," NIST said in releasing the publication. "At that time, FIPS 200, Minimum Security Controls for Federal Information Systems, will take effect and be applicable to all federal information systems other than national security systems."

The controls include management, operational and technical safeguards, and countermeasures that ensure the confidentiality, integrity and availability of government systems. They create baseline configurations for low, moderate and high risk systems.

Changes in the current draft include:

* The class designations management, operational and technical have been reinstated to more closely conform to the existing organization of agencies' security programs.
* Guidance has been enhanced for evaluating public access systems and addressing scalability, with expanded risk-based considerations to provide more flexibility in establishing appropriate controls.

* The concept of compensating security controls has been added to allow for equivalent or comparable controls not included in the publication.

* The low baseline security controls have been adjusted to reduce the minimum controls for low-impact systems.

* A new set of application-level security controls has been added.

[1] http://csrc.nist.gov/publications/drafts/SP-800-53-FinalDraft.pdf
[2] sec-cert [at] nist.gov


From isn at c4i.org Tue Feb 1 04:01:35 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 1 04:09:47 2005
Subject: [ISN] Linux Security Week - January 31st 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  January 31st, 2005                           Volume 6, Number 5n   |
|                                                                     |
|  Editorial Team:  Dave Wreski                 dave@linuxsecurity.com|
|                   Benjamin D. Thomas          ben@linuxsecurity.com |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Introduction to Troubleshooting Linux Firewalls," "Common Criteria Salvation For Email Security," and "Do 'irresponsible' security researchers help or hinder?"

---

>> Enterprise Security for the Small Business <<

Never before has a small business productivity solution been designed with such robust security features. Engineered with security as a main focus, the Guardian Digital Internet Productivity Suite is the cost-effective solution small businesses have been waiting for.
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn07

---

LINUX ADVISORY WATCH:

This week, articles were released for libtiff, ethereal, xpdf, squid, xtrlock, sword, unarj, enscript, zhcon, vdr, xine-lib, libpam-radius, kdebase, f2c, cups, alsa-lib, grep, kernel-utils, hal, im-sdk, gphoto, apr, tetex, koffice, kdegraphics, kdelibs, gaim, procps, mailman, mysql, awstats, less, kernel, and xpdf. The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat, SuSE, and TurboLinux.

http://www.linuxsecurity.com/content/view/118107/150/

----------------------

The Tao of Network Security Monitoring: Beyond Intrusion Detection

The Tao of Network Security Monitoring is one of the most comprehensive and up-to-date sources available on the subject. It gives an excellent introduction to information security and the importance of network security monitoring, offers hands-on examples of almost 30 open source network security tools, and includes information relevant to security managers through case studies, best practices, and recommendations on how to establish training programs for network security staff.

http://www.linuxsecurity.com/content/view/118106/49/

---

Encrypting Shell Scripts

Do you have scripts that contain sensitive information like passwords and you pretty much depend on file permissions to keep it secure? If so, then that type of security is good provided you keep your system secure and some user doesn't have a "ps -ef" loop running in an attempt to capture that sensitive info (though some applications mask passwords in "ps" output).

http://www.linuxsecurity.com/content/view/117920/49/

---

A 2005 Linux Security Resolution

Year 2000, the coming of the new millennium, brought us great joy and celebration, but also brought great fear. Some believed it would result in full-scale computer meltdown, leaving Earth as a nuclear wasteland. Others predicted minor glitches leading only to inconvenience.
The following years (2001-2004) have been tainted with the threat of terrorism worldwide.

http://www.linuxsecurity.com/content/view/117721/49/

--------

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* The encryption factor
27th, January, 2005

Quantum computing is set to revolutionise the way we work. Trouble is, it could crack any of today's security codes in a fraction of a second, says Charles Arthur. When bankers and spies begin to worry about advances in computing, the rest of us would do well to take notice. What makes them edgy are the advances being made in "quantum computing", which is, as might be expected from the name, as entangled and confusing a field to understand as the branch of physics on which it is based - quantum mechanics.

http://www.linuxsecurity.com/content/view/118097

* Introduction to Troubleshooting Linux Firewalls
25th, January, 2005

Oh no you say not more management speak! Please, I get enough of that already! Fear not; we promise that we won't waste your time with YAUM (Yet Another Useless Methodology). We want you to find your problem and fix it quickly. So you can call this a process, a method, a way, or if you like, call it a methodology whatever works for you. What we don't want to do is fill your head with some useless babble. This methodology is hard won from years of solving problems.
http://www.linuxsecurity.com/content/view/118057

* Patching up problems
28th, January, 2005

The race to plug network holes before attackers use them is running system managers ragged--so they're throwing up more barriers to stop intruders.

http://www.linuxsecurity.com/content/view/118105

* SELinux: Playing with fire
26th, January, 2005

One of the much-talked-about features in Fedora Core 3 (FC3) is Security-Enhanced Linux, which some people believe will make Linux a truly military-grade secure operating system. But SELinux is available to secure many other distributions as well.

http://www.linuxsecurity.com/content/view/118071

* Common Criteria Salvation For Email Security
26th, January, 2005

With the increasing threat of far more sophisticated attacks than just spam and viruses, email security is taking a leap forward. But in implementing new solutions, organisations open up the risk to additional vulnerabilities, because the products they have chosen may not provide an adequate level of security.

http://www.linuxsecurity.com/content/view/118086

* The Role Of Email Security In Meeting Regulatory Requirements
27th, January, 2005

Corporate governance and regulation were one of the dominant themes of 2004 and look set to continue to be so throughout 2005. Corporate governance relates to how an organisation is run, and has repercussions for almost every department particularly Finance, HR, Auditing, Procurement and IT. Due to the nature of the potential content of email, ranging from a simple customer query to financial projections, the use of this application demands particular attention to ensure that its management helps to secure regulatory compliance.

http://www.linuxsecurity.com/content/view/118092

* Developer Raps Linux Security
26th, January, 2005

Brad Spengler of grsecurity characterized the Linux Security Model, or LSM, as merely a way to allow the National Security Agency's SELinux to be used as a module.
"The framework is unfit for any security system that does anything remotely innovative, such as grsecurity and RSBAC [Rule Set-Based Access Control]," he declared.

http://www.linuxsecurity.com/content/view/118084

+------------------------+
| Network Security News: |
+------------------------+

* 'Evil twin' could pose Wi-Fi threat
26th, January, 2005

Researchers at Cranfield University are warning that "evil twin" hot spots, networks set up by hackers to resemble legitimate Wi-Fi hot spots, present the latest security threat to Web users.

http://www.linuxsecurity.com/content/view/118085

* Hackers targeted by high-level system
25th, January, 2005

Running on Windows, Linux or Sun, Defiance TMS was made up of four elements. Defiance Monitor acted as the intrusion detection system (IDS), which would let IT staff monitor for threats. Defiance Gateway was the core IPS protection element, backed up by a Defiance Management Server to store logs and other security data, and the Defiance Security Console for unified system administration.

http://www.linuxsecurity.com/content/view/118056

+------------------------+
| General Security News: |
+------------------------+

* Coyotos, A New Security-focused OS & Language
25th, January, 2005

For those who haven't been following the EROS project, it has now migrated to the Coyotos project. EROS, the Extremely Reliable Operating System, was a project to create an operating system whose security relied on capabilities rather than the traditional Unix model of root or non-root.

http://www.linuxsecurity.com/content/view/118055

* Open and safe?
25th, January, 2005

TRUE or false? Open source software like Linux is more secure than Microsoft Windows, a proprietary operating system because there seem to be more virus attacks against it.
http://www.linuxsecurity.com/content/view/118054

* No end to security sector growth
27th, January, 2005

The South African IT security industry, worth R1.082 billion, is still growing, according to research firm BMI-TechKnowledge. According to the firm's latest findings on the local security market, the industry grew by about 16% in 2003, with that level of growth expected to continue throughout the forecast period 2003 to 2008.

http://www.linuxsecurity.com/content/view/118090

* Do 'irresponsible' security researchers help or hinder?
27th, January, 2005

To many software makers and security consultants, flaw finder David Aitel is irresponsible. The 20-something founder of vulnerability assessment company Immunity hunts down security problems in widely used software products. But unlike an increasing number of researchers, he does not share his findings with the makers of the programs he examines.

http://www.linuxsecurity.com/content/view/118095

* Run information security like you run your business
28th, January, 2005

Do your CSO, CIO, information security professionals and software developers have measurable quotas and compensation for meeting or exceeding their information security numbers? Chances are, your firm is not running information security like a business unit with a tightly focussed strategy on customers, market and competitors. Without well-defined, standard, vendor-neutral threat models and performance metrics, there cannot be improvement; and improvement is what our customers want.

http://www.linuxsecurity.com/content/view/118102

* US to tighten nuclear cyber security
26th, January, 2005

The US Nuclear Regulatory Commission (NRC) quietly launched a public comment period late last month on a proposed 15-page update to its regulatory guide "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants." The current version, written in 1996, is three pages long and makes no mention of security.
http://www.linuxsecurity.com/content/view/118072

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


From isn at c4i.org Tue Feb 1 04:02:24 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 1 04:09:49 2005
Subject: [ISN] Los Alamos missing disks never existed
Message-ID:

http://www.abqtrib.com/albq/nw_state/article/0,2564,ALBQ_19863_3508091,00.html

By Leslie Hoffman
The Associated Press
January 29, 2005

Missing computer disks that virtually shut down Los Alamos National Laboratory during the summer never existed, a new Department of Energy report says, and the National Nuclear Security Agency has inflicted a multimillion-dollar penalty on the University of California for sloppy inventory control and security failures at the nuclear weapons lab.

In a harshly worded review that described severe security weaknesses at the nuclear lab, the Energy Department concluded that bar codes were recorded for the disks but the disks themselves were never created. A separate FBI investigation supported that finding, according to the report released Friday.

"Although the FBI has validated our conclusions that the 'unaccounted for pieces of (classified removable electronic media) at the center of this investigation never were created and, therefore, (are) not missing from inventory,' the weaknesses revealed by this incident are severe and must be corrected," the report stated.

The material was reported missing in July, and lab director Pete Nanos halted all work at the facility pending retraining of staff on security issues. Several workers were suspended and subsequently fired.

The incident was merely the latest in a series of security breaches going back several years.
Energy Secretary Spencer Abraham, annoyed at the persistent problems with security, decided in 2003 to put the management contract for the lab up for open bidding. A final version of proposals is expected to be unveiled next week, and the contract will go into effect for the winning bidder later this year.

Because of the problems detailed in the new report, the NNSA announced it would slash the University of California's management fee, imposing the largest fee reduction ever on a national laboratory. UC will get only a third of the total fee it was eligible for as lab manager during the last fiscal year ending in September. Out of a possible $8.7 million, UC will get only $2.9 million.

In slashing the fee, NNSA chief Linton Brooks said he was concerned about "major weaknesses in controlling classified material." Those weaknesses "are absolutely unacceptable, and the University of California must be held accountable for them," he said.

UC officials on Friday accepted responsibility for the problems but pointed to the months of work they and lab officials have done reviewing Los Alamos' safety and security procedures since the initial shutdown.

"We got walloped. Unfortunately, we deserve this," UC spokesman Chris Harrington said. "But what we have done is correct the problems and put the right system in place so that we don't have to take this type of hit again."

Sen. Pete Domenici, an Albuquerque Republican, objected to the funding cut, saying the school has worked to make changes under difficult circumstances.

"The NNSA has responded to the bad headlines by cutting the university's award fee unreasonably," he said. "That willingness to succumb to political pressure reveals to me that the university is doing a better job of standing up to criticism than is the NNSA. I had expected better from the NNSA."

Lab watchdogs that have long criticized UC's management of the lab hailed the cut.
"It's certainly a step in the right direction," said Pete Stockton of the Project on Government Oversight.

Sen. Jeff Bingaman, a Silver City Democrat, said he understood the rationale behind the cut but noted that the most important issue should be making sure the safety and security challenges raised in the report released Friday are dealt with.

The report highlighted areas in which DOE and NNSA officials believe corrective action was needed. They include enforcing accountability, improving overall handling of classified material and improving oversight of security at the lab. One of the report's recommendations called for holding the university accountable through the management fee.


From isn at c4i.org Tue Feb 1 04:02:59 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 1 04:09:51 2005
Subject: [ISN] Attackers Could Bypass XP SP2 Security Mechanisms
Message-ID:

http://www.eweek.com/article2/0,1759,1757786,00.asp

By Ryan Naraine
January 31, 2005

Microsoft Corp. on Monday confirmed it was investigating a claim by a Russian security researcher that two key security technologies built into Windows XP Service Pack 2 could be easily defeated.

The weaknesses were highlighted in a research paper [1] published by Alexander Anisimov of Positive Technologies and centers around XP SP2's heap protection and DEP (data execution prevention) security mechanisms.

According to Anisimov, malicious hackers could bypass the two security mechanisms to execute arbitrary code on Windows systems running XP SP2. A successful attack could also allow arbitrary memory region write access (smaller or equal to 1016 bytes) and DEP bypass.

Microsoft is disputing the crux of the researcher's claim, insisting it is not a security vulnerability. "An attacker cannot use this method by itself to attempt to run malicious code on a user's system. There is no attack that utilizes this, and customers are not at risk from the situation," a spokesperson for the software giant told eWEEK.com.
She said the two security technologies built into XP SP2 are meant to make it more difficult for an attacker to run malicious software on the computer as the result of a buffer overrun vulnerability.

"It's important to note that data execution protection and heap overflow protection were never meant to be foolproof; the purpose of these features is to make it more difficult for an attacker to run malicious software on the computer as the result of a buffer overrun," she said.

Officials at the Microsoft Security Research Center plan to modify the technologies to address the reported weaknesses.

The primary benefit of DEP is to help prevent code execution from data pages. In XP SP2 and Microsoft Windows XP Tablet PC Edition 2005, DEP is enforced by hardware and by software.

Hardware-enforced DEP detects code that is running from these locations and raises an exception when execution occurs. Software-enforced DEP can help prevent malicious code from taking advantage of exception-handling mechanisms in Windows.

Execution protection, or NX (no execute), prevents code execution from data pages such as the default heap, various stacks and memory pools. Protection can be applied in both user and kernel mode.

[1] http://www.maxpatrol.com/defeating-xpsp2-heap-protection.htm


From isn at c4i.org Tue Feb 1 04:04:24 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 1 04:09:53 2005
Subject: [ISN] Know thy hacker
Message-ID:

http://www.infoworld.com//article/05/01/28/05OPsecadvise_1.html

By Bob Francis
January 28, 2005

As I said last week [1], I recently attended a local meeting of the Information Systems Audit and Control Association (ISACA) to hear a presentation by Mark Loveless, who heads up the Razor research team at BindView. As well as talking about the many daunting threats that face security administrators, Loveless also spoke about the changing nature of the hackers and groups that are causing security threats.
Many hackers are known as "black-hat" hackers, those who generally hack systems for personal gain or malicious reasons. The black-hat hacker either exploits these hacks for themselves or trades or sells that information. A "gray-hat" hacker hacks systems and software without the administrator's or developer's permission in order to uncover network or software problems. Many of these hackers used to operate alone but now work for organized crime, foreign governments, or spammers.

According to Loveless, the black-market price for exploit code for a known flaw -- such as some of the recently announced Internet Explorer flaws -- is between $100 and $500. That's the price if no exploit code is currently available; after the exploit code is made available on public forums, the price drops to zero, under the "carrying coals to Newcastle" principle of economics.

Exploit code for an unknown flaw is -- not surprisingly -- considerably more valuable: Prices for unknown exploits range between $1,000 and $5,000. Among the buyers of those codes are various foreign governments, foreign and domestic organized crime groups, and iDefense, a company that buys the exploits then informs its clients of the flaw.

Want to know who has your e-mail address? Get in line. A list of 5,000 IP addresses of computers infected with spyware and ready and able to go into "bot" mode goes for $150 to $500. If you're in the black market for a list of 1,000 working credit card numbers, expect to fork over between $500 and $5,000. Some sites even will send you a couple of free numbers to test drive prior to purchase, Loveless says, while others have rating services of the different credit card number sellers, much like eBay. Prices were even cheaper for those numbers, although the price has increased since the U.S. Secret Service began Operation Firewall, an investigation that targets underground hacker organizations known as Shadowcrew, Carderplanet, and Darkprofits.
What do these black-hat hackers working for spammers make for their trouble? According to Loveless, the annual salary of a top-end, skilled black-hat hacker working for spammers is between $100,000 and $200,000. Not bad -- although if you are caught, legal costs will eat that up in a matter of weeks.

Apparently not all black-hat hackers are making the big bucks, however. I spoke recently with Dr. Bill Hancock, Savvis Communications' chief security officer and chairman of the FCC's National Reliability & Interoperability Council (NRIC) Homeland Security focus group on cyber-security, who says some black-hat hackers are wearing their hats under protest. Hancock had dinner with a hacker from Eastern Europe last year who said the Russian Mafia threatened his family if he did not perform work for them.

"I think it shows how serious and how difficult a problem this can be," he says.

Indeed, but it still pays to know your foe.

[1] http://www.infoworld.com/infoworld/article/05/01/21/04secadvise_1.html


From isn at c4i.org Tue Feb 1 04:05:23 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 1 04:09:56 2005
Subject: [ISN] REVIEW: "Modern Cryptography: Theory and Practice", Wenbo Mao
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKMDNCRP.RVW   20041207

"Modern Cryptography: Theory and Practice", Wenbo Mao, 2004, 0-13-066943-1, U$54.99/C$82.99
%A   Wenbo Mao
%C   One Lake St., Upper Saddle River, NJ 07458
%D   2004
%G   0-13-066943-1
%I   Prentice Hall
%O   U$54.99/C$82.99 +1-201-236-7139 fax: +1-201-236-7131
%O   http://www.amazon.com/exec/obidos/ASIN/0130669431/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/0130669431/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0130669431/robsladesin03-20
%O   tl s rl 1 tc 3 ta 3 tv 0 wq 1
%P   707 p.
%T   "Modern Cryptography: Theory and Practice"

A "Short Description of the Book" states that it is intended to address the issue of whether various crypto algorithms are "practical," as opposed to just theoretically strong. This seems odd, since no algorithm is ready for implementation as such: it must be made part of a full system, and most problems with cryptography come in the implementation. The preface doesn't make things much clearer: it reiterates a "fit-for-application" mantra, but doesn't say clearly, at any point, why existing algorithms are not appropriate for use. The preface also suggests that this book is for advanced study in cryptography, although it states that security engineers and administrators, with special responsibility for developing or implementing cryptography, are also in the target audience.

Part one is an introduction, consisting of two chapters. Chapter one outlines the idea of the first "protocol" of the book: a "fair coin toss" over the telephone, grounding the book firmly in the camp of cryptography for the purpose of secure communications. The remainder of the chapter points out all the requirements to make such an unbiased selector work, acting as a kind of sales pitch or "come on" to make you want to read the rest of the book. The promotion is slightly flawed by the fact that there is very little practical detail in the material (it takes a lot of work on the part of the reader to figure out that, yes, this system might work), excessive verbiage, and poor explanations. The stated "objectives" of the chapter, given at the end, say that you should have a "fundamental understanding of cryptography": this is true only in the most limited sense. Chapter two slowly builds a kind of pseudo-Kerberos system.

Part two covers mathematical foundations.
Chapter three deals with probability and information theory, four with Turing Machines and the notion of computational complexity, five with the algebraic foundations behind the use of prime numbers and elliptic curves for cryptography, and various number theory topics are touched on in chapter six.

Part three addresses basic cryptographic techniques. Chapter seven deals with basic symmetric encryption techniques, touching on substitution and transposition, as well as reviewing the operations of DES (Data Encryption Standard) and AES (Advanced Encryption Standard). The insistence on converting all operations, and giving all explanations, in symbolic logic does not seem to have any utility, does not provide any clarity, and makes the material much more difficult than it could be. Asymmetric techniques, and attacks against them, are outlined in chapter eight. Finding individual bits of the message, a process examined in chapter nine, can, over time, result in an attack on the message or key as a whole. Chapter ten looks at data integrity, hashes, and digital signatures.

Part four deals with authentication. Chapter eleven reviews various conceptual protocols, pointing out (for example) that there is a serious problem of key storage for challenge/response systems. A variety of real applications are considered in chapter twelve, and warnings issued about each. Issues of authentication specific to asymmetric systems are covered in chapter thirteen.

Part five looks at formal approaches to the establishment of security. There is more asymmetric cryptographic theory in chapter fourteen. Chapter fifteen examines a number of provably secure asymmetric cryptosystems, while sixteen does the same for digital signatures. Formal methods of authentication protocol analysis are given in chapter seventeen.

Part six discusses abstract cryptographic protocols.
Chapter eighteen reviews a number of zero knowledge protocols, which provide the basis for authentication where the principals are not previously known to each other. The coin flipping protocol, initiated in chapter one, is revisited in chapter nineteen. Chapter twenty wraps up with a summary of the author's intentions for the book.

The book is certainly for advanced study, but it is hardly suitable for security administrators, professionals, or even engineers. The mathematical material is quite demanding, and is seldom explained (as opposed to the clear explanations of the implications of the math that is given in, for example, "Applied Cryptography" [cf. BKAPCRYP.RVW], or even the equally advanced but much more comprehensible "Algebraic Aspects of Cryptography" [cf. BKALASCR.RVW]). However, there are points in the material that could be useful for practical cryptographic systems, provided one is dealing primarily with authentication of communications, and the possibility of physical access is ignored. The text would have been much more useful if the author could have been induced to provide some of the basic explanations in English, rather than leaving the reader to work out the math.

copyright Robert M. Slade, 2004   BKMDNCRP.RVW   20041207

======================  (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca      slade@victoria.tc.ca      rslade@sun.soci.niu.edu
As soon as men decide that all means are permitted to fight an evil, then their good becomes indistinguishable from the evil that they set out to destroy.
                        - Christopher Dawson, The Judgment of Nations
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade


From isn at c4i.org Tue Feb 1 04:07:18 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 1 04:10:00 2005
Subject: [ISN] Iraq battle plan leak sparks overhaul of cybercrime-fighting techniques
Message-ID:

Forwarded from: William Knowles

http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,99397,00.html

By Paul Roberts
JANUARY 31, 2005
IDG NEWS SERVICE

The U.S. Department of Defense seized hundreds of computers and around 60TB of data as part of an investigation into how details of the U.S. invasion plan for Operation Iraqi Freedom were leaked to The New York Times, a Defense Department official said.

The investigation ended in 2003 without finding the source of the leak. But it has prompted changes within the department, which is developing software tools and investigative strategies for computer crime cases that involve large amounts of data, said Lt. Col. Ken Zatyko, director of the DOD's Computer Forensics Laboratory.

The investigation was prompted after details of the U.S.'s planned invasion of Iraq appeared in a series of newspaper articles in the Times beginning in July 2002. The articles revealed various details of the planned invasion and options that were being considered by military planners. Operation Iraqi Freedom was launched in March 2003.

The Times articles set off an intense effort within the DOD to discover the source of the leak. Hundreds of computer servers and desktop systems were seized at a number of locations, including U.S. Central Command at MacDill Air Force Base in Tampa, Fla., and from military bases in the Persian Gulf region, including the U.S. naval base in Bahrain, Zatyko said.

In all, about 60TB of data, including data stored on computer hard drives and other devices, was collected and brought back to the DOD's computer forensic lab at the Department of Defense Cyber Crime Center (DC3), he said.
One Times reporter was also subpoenaed for information pertaining to the leak, but that subpoena was quashed, according to Catherine Mathis, vice president of corporate communications at The New York Times Co. At DC3, a team of computer forensics investigators searched through the data looking for evidence -- such as an e-mail message or document transfer -- that would link a particular individual to a Times reporter, Zatyko said. Ultimately, the investigation failed, in part because of the challenge of sifting through the huge volume of data, he said. "It was a 'needle in the haystack' case," Zatyko said. "The challenge is to reduce all that data and hone in on the document that was sent to the reporter." The investigators did discover a number of versions of a presentation that contained information linked to the articles, as well as e-mail messages to reporters. However, they couldn't find evidence that the presentation or other sensitive information was sent to the Times, and DC3's investigation ended in late 2003 without finding those responsible for the leaks, Zatyko said. There are a number of possible explanations for why the investigation failed. The best explanation is that the information wasn't transferred digitally to the Times, Zatyko said. "They could have just printed it out and provided it [to the reporter] as a hard-copy document," he said. The failure to find the source of the leak shows that reporters and their sources are getting sophisticated about covering their trails using IT, said Bob Giles, curator of the Nieman Foundation for Journalism at Harvard University. "The people inside the government are being smart about how they're [leaking information] and not doing it in a way that's going to get them caught," he said. The DC3 is changing the way it conducts large computer forensic investigations in the wake of the case, Zatyko said. 
In particular, the DC3 has established a section of its lab and a team of examiners just to work on cases with large data sets, replacing ad hoc teams created to address case requests as they come in. DC3 is also using a combination of commercial forensic software and proprietary tools to comb seized data stored on large capacity storage-area networks and network-attached storage devices.

The new DC3 approach replaced individual examiners working on separate workstations, which led to inconsistencies in the forensic examination process and duplication of effort between examiners, Zatyko said.

With the Iraq battle-plan leak investigation closed at DC3, forensic investigators are trying out the new techniques on a more common source of large data set investigations: child pornography cases, he said. "We're focusing on the child-porn issue and moving out from there," Zatyko said.

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Wed Feb 2 06:09:18 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Feb 2 06:14:19 2005
Subject: [ISN] Manhunt for Filipino hacker ensues
Message-ID:

Forwarded from: William Knowles

http://news.inq7.net/infotech/index.php?index=1&story_id=26163

By Erwin Lemuel Oliva
Feb 02, 2005
INQ7.net

A MANHUNT for the alleged Filipino hacker of the government portal "gov.ph" and other government websites was launched after the suspect went into hiding, the police said Tuesday.

Judge Antonio Eugenio of the Manila Regional Trial Court ordered the arrest of a certain JJ Maria Giner on January 24, 2005 for violating section 33a of the Electronic Commerce Law. Giner remains at large to date however.
"He's now on top of our priority list," said Police Superintendent Gilbert Sosa of the Anti-Transnational Crime Division (ATCD) of the Philippine National Police Criminal Investigation and Detection Group (PNP-CIDG), in an interview. Sosa is also executive director of the Government Computer Security Incident Response Team (G-SIRT).

According to the arrest warrant, the court set bail for Giner at 25,000 pesos (440 dollars). The Department of Justice decided last month that there was enough evidence to file charges against him.

A copy of the DoJ's resolution, obtained by INQ7.net, revealed that Giner had admitted to hacking the government websites but indicated that he had no intention to "corrupt, alter, steal or destroy" files contained in the computer systems that were compromised.

The DoJ resolution indicated that Giner penetrated government websites of the National Economic and Development Authority, the National Book Development Board, the Philippine Navy, Dagupan City, as well as the web servers or computer systems hosting websites of the local Internet service provider Bitstop and UP Visayas Miagao in Iloilo.

Giner also launched attacks against the websites of the Office of the Presidential Management Staff in Malacañang, the Task Force on Security of Critical Infrastructure, the Professional Regulatory Board, the Department of Labor and Employment, and the Technical Educational and Skills and Development Authority, according to the DoJ resolution.

"It was discovered that the respondent attempted to penetrate the digital infrastructure of government agencies as well as private businesses. Several network infrastructure setups were first scanned by [Giner] for vulnerability exploits. Critical government infrastructure facilities were also probed. Allegedly, [Giner] listed all the possible attack scenarios and backdoor programs to penetrate the target systems," the resolution added.
In his counter-affidavit, Giner admitted to sending an e-mail to the National Economic and Development Authority (NEDA), informing the agency about the vulnerability of its website to hackers. With this admission, he argued that if he had the intention of destroying or corrupting the system, he would not have informed the agency.

The suspected hacker also denied launching a so-called "denial-of-service" attack on the Journal Group of Publications website that resulted in system overload of the computer system hosting it, his counter-affidavit said.

The DoJ resolution however said that Giner had clearly violated section 33a of the E-commerce Law (RA8792) because he was not authorized to access government websites. "Intention is not essential in this mode as mere unauthorized access is a violation of the law," the resolution said.

The DoJ resolution further revealed that Giner launched attacks in April 27, 2004 until May 7, 2004, three days before the country's national elections.

The resolution said that digital evidence gathered by the PNP's ATCD-CIDG Computer Crime unit indicated that Giner launched his attack from Internet addresses issued by Asia Pacific Network Information Center to Globe Telecom. When police further traced the IP addresses, they led to the U. P. Miagao campus in Iloilo, registered under the name of Efren Servento.

Police then found that the IP addresses were assigned to a Linux-based system that served as a "primary gateway" to almost 200 computers all over the U.P. Miagao network. Further probing this network led police computer investigators to the Information and Publications Office, and eventually to a computer used by alleged hacker Giner, who happened to be the webmaster and program developer of U.P. Miagao.
Giner's computer hard drive was seized and gave police "vital information" indicating what had transpired before and during the alleged network intrusion of the gov.ph portal and the Journal Group of Publications website, recounted the DoJ resolution.

A source privy to the case disclosed that the police almost lost Giner after some Globe employees allegedly informed U.P. Miagao of the ensuing police investigation. The same source added that Globe initially refused to cooperate with the police until it was issued a court subpoena.

Who is Giner?

The DoJ resolution further revealed that Giner is a contractual employee of U.P. Miagao but had access to the university's computer systems as webmaster. The DoJ resolution indicated that he comes from a middle-class family, his father a retired PC soldier and his mother a teacher. An outstanding student during his primary years, Giner was accelerated from grade III to grade IV. He graduated with a Bachelor of Science in Marine Fisheries at the University of the Philippines in the Visayas and had never been charged with any criminal offense.

According to a copy of his dossier obtained by INQ7.net, he has worked for Process Foundation-Panay, Inc. and the UP Visayas' Philippine Marine Transport Systems Project as research assistant. He also had evident skills in web development, database construction, model construction, and web interface development (HTML and JavaScript Programming), basic visual programming, MS Office applications, computer graphics design, and CRM Work. His other skills include First Aid and basic life support systems and scuba diving.

His interests include fishes, gardening, cooking, computers, bio-toxins and poisons, arts (visual and music), underwater, coral reefs, islands. He speaks Hiligaynon, Kiniray-a, Filipino, English, and Cebuano.
According to the DoJ resolution, Undersecretary Abraham Puruganan, head of the Task Force for the Security of Critical Infrastructure (TFSCI), is the main complainant in the "gov.ph" hacking case. On May 3, 2004, he filed a case against Giner on behalf of several government websites attacked from April to May 2004. Other complainants include the Office of the President, the Department of Interior and Local Government, and PNP CIDG-ATCD.

Puruganan said the TFSCI has instructed the police to ask the Bureau of Immigration to issue a hold-departure order in case Giner decides to escape abroad.

From isn at c4i.org Wed Feb 2 06:09:41 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Feb 2 06:14:21 2005
Subject: [ISN] Infighting Cited at Homeland Security
Message-ID:

http://www.washingtonpost.com/wp-dyn/articles/A55552-2005Feb1.html

By John Mintz
Washington Post Staff Writer
February 2, 2005

As its leadership changes for the first time, the Department of Homeland Security remains hampered by personality conflicts, bureaucratic bottlenecks and an atmosphere of demoralization, undermining its ability to protect the nation against terrorist attack, according to current and former administration officials and independent experts.

Although the 22-month-old department has vast powers over the lives of travelers, immigrants and citizens, it remains a second-tier agency in the clout it commands within President Bush's Cabinet, the officials said. Pockets of dysfunction are scattered throughout the 180,000-employee agency, they said.
There is wide consensus that the agency has made important strides in a number of areas, including establishing high-speed communications links with state and local authorities, researching sensors to detect explosives and biopathogens, and addressing vulnerabilities in the nation's aviation system. Its weaknesses, including scant progress in protecting thousands of U.S. chemical plants, rail yards and other elements of the nation's critical infrastructure, have received considerable public attention as well.

Less well known is the role that turf battles, personal animosities and bureaucratic hesitancy have played in limiting the headway made by the infant department, an amalgam of 22 federal agencies that Congress merged after the Sept. 11, 2001, attacks, officials said.

* The department made little progress protecting infrastructure because officials spent much of their time on detailed strategic plans for that task and believed they were technically prohibited by law from spending money on most such efforts. Others in government disagreed, and DHS officials did not reword the technical legal language until recent months.

* Two arms of the department gridlocked over efforts to secure hazardous chemicals on trains -- one of Congress's most feared terrorist-attack scenarios.

* Lengthy delays in deciding which agency would take the lead in tracking people and cargo at U.S. ports of entry resulted from similar disputes. Efforts to develop tamper-proof shipping containers were among the initiatives stalled.

* The department's investigative arm, Immigration and Customs Enforcement (ICE), has operated under severe financial crisis for more than a year -- to the point that use of agency vehicles and photocopying were at times banned. The problem stems from funding disputes with other DHS agencies.

Richard A.
Falkenrath, who until last May was Bush's deputy homeland security adviser, said many officials at the department were so inexperienced in grasping the levers of power in Washington, and so bashful about trying, that they failed to make progress on some fronts.

"The department has accomplished a great deal in immensely difficult circumstances, but it could have accomplished even more if it had had more aggressive and experienced staff," said Falkenrath, now a fellow at the Brookings Institution. "It would have done better if it had been less timid, less insular and less worried about facing down internal and external opposition."

"This department is immensely powerful in society, given its central role in foreign trade, immigration and transportation," he added. "But it is far less powerful in interagency meetings and the White House situation room."

Michael Chertoff, a federal appeals court judge who is Bush's nominee to succeed the department's first secretary, Tom Ridge, begins confirmation hearings today. He has been described as a no-nonsense administrator who would not hesitate to intercede in turf wars or get tough with recalcitrant bureaucrats.

Growing Pains

Homeland Security leaders accept many of the criticisms of the department's performance by government officials and experts but reject others as unfair.

"Nobody fully understands the complexity of our task: to build a department out of 22 agencies, operate it, reorganize it, and design and build networks and systems that will defend the nation in perpetuity," said Ridge, who stepped down yesterday.

Ridge is widely credited with managing the first phase of the most complicated government reorganization since the 1940s. But the former Pennsylvania governor also is noted for having a politician's desire to please all comers, which resulted in some policy quandaries remaining unaddressed for long periods, officials and experts said.
Top DHS officials point out that much of their time has been spent crafting eight huge internal initiatives. Finished in some cases only in recent weeks, they map out the department's new information technology, payroll, personnel, procurement and other systems. Among other time-consuming initiatives were laying out new doctrines for counterterrorism preparedness that assigned the responsibilities of many agencies before and after an attack. Almost all this work, which involved tedious vetting by dozens of agencies, is now complete, but it was invisible to the public and will yield results only in the future, officials said. "These are a family of plans coming into play that's received virtually no publicity," said retired Coast Guard Adm. James M. Loy, deputy secretary of homeland security, who is widely described as the department's strongest manager. "When he comes, we want to say, 'Judge Chertoff, here is the strategic plan.' " All the while, Homeland Security has had to contend with the daily demands of searching air travelers, patrolling harbors, protecting the president, distributing threat warnings to state and local agencies, and many other duties. But several current and former officials said the department remains underfinanced and understaffed and suffers from weak leadership. "DHS is still a compilation of 22 agencies that aren't integrated into a cohesive whole," said its recently departed inspector general, Clark Kent Ervin, who released many critical reports and was not reappointed after a falling-out with Ridge. Asked for examples of ineffectiveness, he replied: "I don't know where to start. . . . I've never seen anything like it." Ervin cited a report from his office last month that DHS immigration inspectors had continued to let dozens of people using stolen foreign passports enter the United States -- even after other governments had notified the agency of the passport numbers. 
Using stolen passports is a well-known tactic of al Qaeda operatives. Even when immigration officials realized someone had entered the United States on a stolen passport, they did not routinely notify sister agencies that track illegal immigrants, the report said.

When officials made missteps such as this, Ridge rarely intervened, Ervin said. "Tom Ridge is a prince of a man, but he's not a tough guy," he said.

"Nobody's kicking anybody to do things" at Homeland Security, said Seth Stodder, former policy and planning director at the department's Customs and Border Protection agency. "There's a reluctance to make decisions that will be unpopular with the loser, so things just drift."

Stodder and other government officials said the department's main problem is that, under pressure from the White House to keep staffing lean, it lacks a policy staff to study its largest strategic challenges. The Pentagon, by contrast, has 2,000 people doing that, he said.

"It's very thinly staffed at the top of DHS, and there's no policy vision . . . thinking through the main threats," Stodder said. In the absence of such strategic thinking, he added, "DHS practices management by inbox, getting distracted by daily emergencies" such as a congressman's complaint about a late-arriving passport.

Acknowledging that the lack of a policy staff was a mistake, DHS officials say one will be launched within days.

Infrastructure Protection

One of the department's biggest failings is its performance securing the U.S. infrastructure, some members of Congress and administration officials said.

Fifteen people declined requests to apply for the undersecretary job supervising this area, and the person who took it, retired Marine Lt. Gen. Frank Libutti, was not confirmed until 2003. Libutti was unfamiliar with Washington's ways, as was his subordinate who directly oversaw infrastructure, former Coca-Cola Co. executive Robert P. Liscouski.
Both became distracted by small bureaucratic obstacles they could have surmounted, other officials said. Members of Congress and others in the administration have expressed frustration at what they say are lengthy delays in producing a list of vulnerable infrastructure sites. Officials involved in infrastructure protection said some of the delays were caused by Liscouski, who, they said, at times failed to coordinate with others working on the matter. He has had several bitter arguments with members of Congress and their staffs, they said. Finally, the infrastructure division was at times distracted by arguments between camps of officials pressing the competing agendas of firms or other agencies offering plans to secure plants and landmarks, officials said. Liscouski denied that any such disputes distracted his office, and he denied failing to meet with colleagues. He said he met continually with them and had "an open-door policy." He disputed suggestions that his office dragged its feet in securing or preparing lists of infrastructure sites. "We worked with a sense of urgency, and we made significant progress," he said. "But this work had never been done before, and it was hard." Liscouski said that until the past few months, technical language in DHS budgets barred his office from spending money on chemical plants and other sites. Department officials said that within days they will announce distribution of $92 million, the first large expenditures for these purposes. The money will be given to states by a separate DHS bureaucracy. The infrastructure office also has been hobbled by turf fights. Another DHS agency -- the Transportation Security Agency (TSA), with 45,000 airport screeners -- said that a sentence in a budget law established it as overseer of security on trains, including ones moving dangerous chemicals. Hassles between TSA and infrastructure officials slowed progress, including efforts to secure chemicals that travel on tracks near the U.S. 
Capitol, for a year, officials said. "I'm sorry to say, since 9/11 we have essentially done nothing" to secure chemical plants and trains carrying chemicals, Falkenrath told Congress last week. "This [issue] stands out as an enormous vulnerability we had the authority to address." The TSA's claims that it supervises all transportation security also led to fights with DHS agencies that handle immigration and customs. The struggles delayed progress for a year on developing anti-tampering technology for shipping containers and deciding which databases to use to track foreigners and cargo entering the country, officials said. The fighting amounted to "a civil war within the U.S. government," one former official said. Eventually Ridge decided that the TSA should not lead the way on these issues. But an authoritative study released in December by the Center for Strategic and International Studies and the Heritage Foundation concluded that the TSA's actions led to years-long "policy impasses." It said the DHS section that oversees the agencies involved, and which refereed the struggles -- Border and Transportation Security -- was "not particularly effective" in straightening it out. Several officials described the undersecretary for Border and Transportation Security, former representative Asa Hutchinson (R-Ark.), as a consensus-builder who had difficulty demanding an end to the turf fights. Especially troublesome was a personality conflict between the affable Hutchinson and one of his subordinates, Robert C. Bonner, the aggressive head of Customs and Border Protection, whose airport and seaport inspectors investigate people and cargo. "There were knock-down, drag-out meetings every day" between leaders in some parts of the department, said Loy, who added that "management styles can pour gasoline" on such arguments. But he said the fights are now resolved. 
Asked about conflicts with Bonner, Hutchinson said: "I'd be enormously disappointed if I didn't have agency leaders who leaned forward and fought for their agencies." But, he added, "people who work under me know I make decisions." Through a spokesman, Bonner declined to comment.

Loy, who once ran the TSA and will step down March 1, said the Homeland Security Department is fated to be criticized for its public failures, such as creating long lines at airports, and rarely praised for its success protecting the country.

"Most of the publicity is bad, but that's the nature of our work," he said. "We operate in a fishbowl."

From isn at c4i.org Wed Feb 2 06:10:14 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Feb 2 06:14:23 2005
Subject: [ISN] RealPlayer and IE exploited
Message-ID:

http://www.theinquirer.net/?article=21042

By Nick Farrell
02 February 2005

AN EXPLOIT that takes advantage of holes in Real Player and IE has been released on the web.

According to an advisory issued by the security outfit Secunia, RealMedia (.rm) files can open local files in the browser built into RealPlayer. This means a malicious website can load a local HTML document in a local context by using a re-written RealMedia file.

The flaw exists on version 10.5 (build 6.0.12.1056) of RealPlayer but other versions could be affected as well.

There is a workaround for the problem. You have to avoid opening RealMedia files from an untrusted source and restrict such files from being opened automatically from within browsers. So, not much that can be done then.
From isn at c4i.org Wed Feb 2 06:10:26 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Feb 2 06:14:25 2005
Subject: [ISN] Hackers break into Zimbabwe government website
Message-ID:

http://www.newzimbabwe.com/pages/email5.12221.html

By Staff Reporter
02/01/2005

ZIMBABWEAN intelligence officials were investigating a major security breach this week after two computer wizards from the UK hacked into the government's website forcing it to go offline.

New Zimbabwe.com was alerted to the breach by the hackers from Leicester, England.

"The idea was to hack into the website and replace everything on there with slogans like 'Robert Mugabe is a tyrant'," one of the hackers told New Zimbabwe.com by telephone last night.

"We were about to achieve our goal when the whole thing crashed," the hacker who has asked to remain anonymous said. "We will keep trying, the security is clearly lax."

The government website http://www.gta.gov.zw is now offline and has been replaced by a server advert from the computer giant Microsoft.

An intelligence source within the CIO's telcoms unit told New Zimbabwe.com last night: "This is a very serious security breach. We are trying to establish how this came about and we are treating it very seriously. The internet has become a major source of irritation for the government and the President has admitted as much."

The government recently announced moves to monitor e-mails. The plan is for all internet service providers in Zimbabwe to forward to government any e-mail communications "likely to incite or cause alarm, fear or despondency" under the country's draconian Public Order and Security Act. At least two people have been arrested and charged.
However, President Robert Mugabe's bid to play Big Brother has already suffered a major setback after the Supreme Court, sitting as a full bench, declared as unconstitutional legal provisions that give the President powers to eavesdrop, including the powers to intercept mail, telephone conversations and other such electronic telecommunications devices.

The superior court upheld contentions by the Law Society of Zimbabwe (LCZ), a grouping of lawyers, who had filed the constitutional application arguing that the presidential powers provided for by the Posts and Telecommunication (PTC) Act violated section 20 of the Constitution.

The lawyers were challenging section 98 and 103 of the PTC Act, which gives president powers to intercept mail, telephones, e-mail and any other form of communication. The Act also gave powers to the president to give any directions to a licensee requiring him or her to do or not to do a particular specified action.

From isn at c4i.org Wed Feb 2 06:10:50 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Feb 2 06:14:28 2005
Subject: [ISN] State computer worker says 'hacking' justified
Message-ID:

http://www.2theadvocate.com/stories/020205/new_hacking001.shtml

By ADRIAN ANGELETTE
Advocate Staff Writer
02.02.05

A state computer worker testified Tuesday that he did nothing wrong when he used the identifications of other state workers, including his boss, to gain access to computer files and to raise his access level in state computer systems.

Andrew Mata, 44, claims he was not given the correct access level when he started work with his new job at the state and he used another computer worker's identification to set his access level to where he thinks it should have been.

Mata also admitted getting into files that pertained to an investigation that ultimately led to his indictment. Mata testified that his new boss, John Pourciau, instructed him to find out what he could about the investigation.
Mata has been on trial for more than a week on a charge of offenses against intellectual property. Mata testified that he was hired by the Louisiana Department of Health and Hospitals to be the administrator of the computer system that handled Medicaid for the state. Mata had worked at the state Department of Social Services before leaving for the Health and Hospitals job. Shortly after starting the job at Health and Hospitals, Mata testified that he tried to start work and thought he would have the same security clearances as he had with the Social Services. Mata testified he discovered a computer worker with Social Services, Bobby Collins, had lowered his access level. Prosecutor Mark Pethke said Mata used Collins' computer system identification to enter a "back door" of the system and raise his access level to that of an administrator -- a move that granted Mata broad access into Social Services systems. Mata testified that he did not consider this to be hacking into the state computer system, as prosecutors allege, because the program he entered was still in the testing phase and there was no data stored on the program at the time. "It's a test system. You are supposed to try to break it. If it breaks you fix it or go find something to replace it with," Mata testified. Pethke contends that Social Services workers kept removing Mata's elevated access clearance because he was no longer a Social Services employee and he wasn't supposed to have access to many sensitive files the office maintains. Mata testified he worked for Social Services for about 10 years and left the agency on good terms. He said he does not understand why Social Services employees were monitoring his actions just four days after he started his new job with Health and Hospitals. The investigation of Mata began in the spring of 1999. Mata testified that he needed the access because of Y2K problems that the state was concerned about at the time. 
Mata testified that the investigation and its consequences have been stressful on him and his family. "I want to clear my name and move on," Mata testified.

The charge of offenses against intellectual property carries a penalty of up to five years in prison and a fine of up to $10,000.

Mata was the last person to testify Tuesday in the trial. State District Judge Richard Anderson recessed the trial until today. When the trial resumes, Pethke and defense attorney Lewis Unglesby will make their closing arguments. Jurors are expected to get the case after lunch today.

From isn at c4i.org Thu Feb 3 01:09:51 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Feb 3 01:19:03 2005
Subject: [ISN] Theft of SAIC Computers Containing Stockholder Personal Information
Message-ID:

http://www.saic.com/cover-archive/announce/012805.html

SAIC was victim to a break in at one of its corporate facilities on January 25, 2005, and several personal computers were stolen that contained personal information on current and former stockholders. The facility where the break in occurred serves in an administrative capacity and is not used for performance on any of our government or commercial contracts.

SAIC filed a police report with San Diego authorities to report the theft and continues to fully cooperate with law enforcement officials to apprehend those individuals responsible and to attempt to recover the stolen property. We have no evidence that the thieves have accessed any personal information on these computers or that the purpose of the crime was identity theft, but we are notifying current and former stockholders as a precaution.

We want to emphasize how strongly we regret this occurred and how deeply concerned we are about the inconvenience and the concern this is causing among our stockholders. The company has attempted to responsibly and proactively deal with this situation, and we recognize the importance of rapid response for our stockholders.
Besides using multiple means to notify those affected, such as e-mail to employee stockholders, as well as those retirees and alumni for whom we have e-mail addresses, we have also established a 24/7 help desk to assist employees and stockholders who might have questions or need assistance. We are implementing a program to make other resources, information and assistance available to our stockholders, including providing guidance on simple actions they can take to minimize the risk of identity theft.

Again, we are troubled that this event occurred but are working round-the-clock to mitigate any impact on our stockholders.

Information for Current and Former Stockholders

We are taking the precaution of alerting you because the stolen computers contained personal information of current and former stockholders, including name, social security number, address, telephone number and stockholder records, including shares bought, sold and held.

SAIC has established several resources to assist you. We have set up a prerecorded message for general information on this situation and answers to common questions regarding identity theft, at (888) 826-7377. If you have questions that are not covered in the recorded message, we have also set up a 24/7 Help Desk at (866) 478-0433. Those working outside of the United States should call (703) 676-5200.

It is recommended that all current and former stockholders contact one of the three major credit bureaus at the phone numbers listed below to place a temporary fraud alert (90 days) on their credit file, at no charge, as a precautionary measure. Experian also allows you to place a fraud alert online at experian.com (www.experian.com). Both processes are extremely simple and should not take more than a couple of minutes. A fraud alert warns creditors to contact you before opening any new accounts or changing information on your existing accounts.
Placing a fraud alert on your credit file will automatically result in notification to the other two credit bureaus. Equifax: 800-525-6285 Experian: 888-397-3742 TransUnion: 800-680-7289 All three credit bureaus will send copies of your credit report to you, upon request. When you receive your credit reports, look them over carefully for accounts you did not open, inquiries from creditors that you did not initiate, and inaccurate personal information. Even if you do not find any signs of fraud, it is recommended that you keep your fraud alert in place and check your credit reports every three months for the next year. If you should see anything you do not understand or find suspicious in your credit report, call the credit agency and your local police or sheriff's office to file a report of identity theft. You should also notify SAIC's Stockholder Help Desk at (866) 478-0433. The Stockholder Help Desk will provide information on additional resources that the Company will provide to any victims of identity theft, including the services of a company specializing in assisting victims of identity theft. Additional information on how best to respond to a possible identity theft is available at the federal government's central website for identity theft information (http://www.consumer.gov/idtheft) and at the California Attorney General's website (http://www.caag.state.ca.us/idtheft/tips.htm). Your patience and continued confidence in SAIC is greatly appreciated. 
Related Information * Federal Trade Commission: ID Theft Resources (http://www.consumer.gov/idtheft) * California Attorney General's website (http://www.caag.state.ca.us/idtheft/tips.htm) * Equifax (www.equifax.com) * Experian (www.experian.com) * TransUnion (www.transunion.com) From isn at c4i.org Thu Feb 3 01:11:20 2005 From: isn at c4i.org (InfoSec News) Date: Thu Feb 3 01:19:05 2005 Subject: [ISN] Microsoft seeks security cooperation Message-ID: http://www.fcw.com/fcw/articles/2005/0131/web-mssec-02-02-05.asp By Brian Robinson Feb. 2, 2005 Microsoft officials have launched a program to create a community of governments at all levels worldwide to share information and conduct joint projects on network and information technology security. The program's goal is to more effectively handle viruses, worms and other incidents. Initial members of the Security Cooperation Program (SCP), announced by Bill Gates at Microsoft's Government Leaders' Forum in Prague, Czechoslovakia, are the governments of Canada, Chile, Norway and the United States, along with various state and local entities. The first challenge will be to obtain the trust relationships necessary for sharing information across national and governmental boundaries, said Stuart McKee, Microsoft's national technology officer, in an interview with Federal Computer Week. "The ability to share critical information is pretty low right now," he said. "Trusted relations [with another entity] is critical to both running and improving the security infrastructure." SCP members will have immediate access to Microsoft's incident response center, McKee said. During an incident, they will have real-time contact with Microsoft engineers and incident response engineers. Following an event, a feedback loop will be established to evaluate what happened, how effective the response was and what can be done to make it better the next time, McKee said. 
SCP participants will use all means of communication, including phones, e-mail, fax, text-messaging and collaboration tools such as Microsoft's SharePoint so they can do such things as post documents securely, he said. Delaware is one of the early state participants. The program could be a major boost to the state officials' attempts to handle their security problems, said Tom Jarrett, Delaware's chief information officer. Delaware is a heavy user of Microsoft products, he said. The state has its own security experts, but they don't have the specific expertise that Microsoft officials can offer. "We want to move out of a reactive environment" to security incidents, Jarrett said. "So anything that helps us to affect things on a more proactive basis is very good for us." Based on discussions he's had with Microsoft officials about SCP, Jarrett said Delaware should quickly reap some benefits, particularly concerning core security issues, through access to Microsoft's security experts. "Traditionally we haven't had that level of access," he said. At least at the beginning, SCP outreach will be a major activity, McKee said. "The most important thing we can do is increase awareness about the need to focus on security as a critical business and government issue," he said. "Also to stress the fact that people also need to focus on it when they are not in the middle of an incident." If SCP membership balloons, there could be management problems, McKee said. But he said Microsoft officials would be ecstatic if such a large community evolved. "It will be a great problem to have," he said. Robinson is a freelance journalist based in Portland, Ore.
He can be reached at hullite at mindspring.com From isn at c4i.org Thu Feb 3 01:11:35 2005 From: isn at c4i.org (InfoSec News) Date: Thu Feb 3 01:19:07 2005 Subject: [ISN] Rowling to Potter fans: Watch out for phishing scams Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,99442,00.html By Paul Majendie FEBRUARY 02, 2005 REUTERS Author J.K. Rowling is warning Harry Potter fans to watch out for Internet fraudsters claiming to be selling electronic copies of her latest wizard saga -- they are trying to steal bank and credit card details. In the latest phishing scam, fans were asked to hand over financial information to pay for a supposed copy of Harry Potter and the Half-Blood Prince, which is to be published on July 16. "Please, please protect yourselves, your computers and your credit cards and do not fall for these scams," the writer said, after her lawyers succeeded in closing down a fraudulent Web site that offered the latest Potter book in electronic form. Rowling, whose tales of a teenage wizard have turned her into a multimillionaire and revived children's passion for reading, warned that the scam artists could reappear. "I would bet the original manuscript of Harry Potter and the Half-Blood Prince itself that this will not be the last attempt to con HP fans before publication of the book," she said on her official site. Telling fans never to trust anyone who offers downloads of Potter books, Rowling said they could be laid open to computer viruses or hackers. "The only genuine copies of Harry Potter remain the authorized traditional book or audio tapes/cassettes/CDs distributed through my publishers," she said. Phishing frauds have become common over the past two years as more consumers have begun to do personal banking on the Internet. Banks advise their customers to be wary of any e-mail asking for personal details. Police suspect that organized crime gangs from Eastern Europe are the main culprits. 
Rowling's copyright lawyer, Neil Blair, told Reuters, "They were asking for money and people's credit cards. This was a phishing scam." Blair, who monitors the Internet for copyright infringements for Rowling, said, "We spotted it and also heard from a fan site called The Leaky Cauldron, which had alerted us. We got it shut down very quickly." According to Blair, Rowling has never granted licenses for electronic versions of any of her books. From isn at c4i.org Thu Feb 3 01:11:50 2005 From: isn at c4i.org (InfoSec News) Date: Thu Feb 3 01:19:09 2005 Subject: [ISN] Hacker 'Mudge' Returns to BBN Message-ID: http://www.eweek.com/article2/0,1759,1758913,00.asp?kc=EWRSS03119TX1K0000594 By Dennis Fisher February 2, 2005 Security industry veteran and itinerant hacker Peiter Zatko decided this week to rejoin Internet pioneer BBN Technologies Inc. as a research scientist. Better known in security circles as Mudge, Zatko was one of the founding members of the L0pht Heavy Industries hacking team that later became the technical heart of @stake Inc. He left @stake several years ago and stayed away from the security industry for a while before resurfacing last year as the founding scientist at Intrusic Inc., a Waltham, Mass., startup. At BBN, Zatko is getting back to his roots in a sense. He worked at BBN in the 1990s, before joining @stake. BBN is a research and development firm that specializes in advanced security and networking projects. The company is best known as the contractor that built the ARPANET, the predecessor of today's Internet, for the U.S. Department of Defense. It has gone through several iterations since then but still does a large amount of government work as well as working with enterprises. Zatko gained a reputation in the late 1990s as not only a talented hacker, but also as a straight shooter unafraid to tell bureaucrats and executives what he thought of their security efforts. 
His penchant for delivering unvarnished opinions made him a sought-after consultant and speaker, both in the security industry and in Washington. Called to testify along with several other L0pht members before a Senate committee in 1998, Zatko famously told the senators that he or any of his cohorts could take down the Internet in a half hour. From isn at c4i.org Thu Feb 3 01:12:03 2005 From: isn at c4i.org (InfoSec News) Date: Thu Feb 3 01:19:11 2005 Subject: [ISN] Spammers 'tricking ISPs' into sending junk mail Message-ID: http://news.zdnet.co.uk/internet/0,39020369,39186364,00.htm Dan Ilett ZDNet UK February 02, 2005 Spam levels are about to skyrocket, according to experts who warned this week that spammers have developed a new way of delivering their wares. According to SpamHaus -- an anti-spam organisation which compiles blacklists blocking eight billion messages a day -- a new piece of malware has been created that takes over a PC and then uses it to send spam via the mail server of that PC's Internet service provider. This means the spam appears to come from the ISP, making it very hard for an anti-spam blacklist to block it. Previously, these zombie PCs have been used as mail servers to send spam emails directly to recipients. "The Trojan is able to order proxies to send spam upstream to the ISP," said Steve Linford, director of SpamHaus. Linford believes that this Trojan was written by the same people who write spamming software. Reports suggest that ISPs in the US have already been hit. "We've seen a surge in spam coming from major ISPs. Now all of the ISPs are having large amounts of spam going out from their mail servers," said Linford. This will cause serious problems for email infrastructures as it is impractical to block domain names from large ISPs. 
Linford predicts that ISPs will see a growth in the volume of bulk mail they send and receive over the next two months, with spam levels rising from 75 percent of all email to around 95 percent within a year. "The email infrastructure is beginning to fail," Linford warned. "You'll see huge delays in email and servers collapsing. It's the beginning of the email meltdown." Linford said that ISPs need to act fast to take control of the problem. "They've got to throttle the number of emails coming from ADSL accounts. They are going to have to act quickly to clean incoming viruses. ISPs have so much spam -- they are too understaffed to call people up and tell them they have Trojans on their machines. And no one would know what you're talking about." ISPs BT and Thus didn't respond to requests for comment on this issue. Anti-spam company MessageLabs confirmed Linford's findings. "This ups the ante in the need for filters," said Mark Sunner, chief technology officer for MessageLabs. "It makes it more difficult for people who compile black lists, which is why spammers are doing this. It will put more pressure on ISPs to take greater interest in the traffic they carry and filter at source." The Information Commissioner's Office, the UK's point of call to report about spam, said it had received no complaints of bulk spam from ISPs. A statement from the ICO said, "As you are aware the ICO's role is to enforce the regulations (the Privacy and Electronic Communications (EC Directive) Regulations 2003). If it receives complaints regarding spam, the ICO needs to establish the source of the spam to take action. The ICO then contacts the company concerned."
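As an added illustration of the per-account throttling Linford calls for (example code written for this digest, not from the article, Spamhaus or any ISP), the following Python reads constructed submission-server log lines and flags authenticated accounts whose outbound recipient count in a sliding window exceeds a limit; the log format, account names and addresses are all invented.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in a generic "message accepted" shape: timestamp,
# authenticated submission account, client IP, recipient count.
# Invented for this example; not taken from any real mail server.
SAMPLE_LOG = """\
2005-02-02T10:00:01 account=alice src=198.51.100.23 rcpts=1
2005-02-02T10:00:04 account=bob src=198.51.100.77 rcpts=40
2005-02-02T10:00:06 account=bob src=198.51.100.77 rcpts=40
2005-02-02T10:00:09 account=bob src=198.51.100.77 rcpts=40
2005-02-02T10:00:15 account=alice src=198.51.100.23 rcpts=2
2005-02-02T10:03:30 account=bob src=198.51.100.77 rcpts=40
2005-02-02T10:20:00 account=carol src=198.51.100.9 rcpts=30
2005-02-02T10:31:00 account=carol src=198.51.100.9 rcpts=30
"""

LINE_RE = re.compile(r"^(\S+) account=(\S+) src=(\S+) rcpts=(\d+)$")


def parse_line(line):
    """Return (timestamp, account, source_ip, recipient_count), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return ts, m.group(2), m.group(3), int(m.group(4))


def peak_recipients(log_text, window=timedelta(minutes=10)):
    """Peak number of recipients each account addressed within any sliding window of `window` length."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, account, _ip, rcpts = parsed
            events[account].append((ts, rcpts))

    peaks = {}
    for account, evs in events.items():
        evs.sort()                      # oldest first, in case the log is not time-ordered
        q = deque()                     # events currently inside the window
        total = 0
        best = 0
        for ts, rcpts in evs:
            q.append((ts, rcpts))
            total += rcpts
            # Drop events older than the window (an event exactly `window` ago still counts).
            while ts - q[0][0] > window:
                total -= q.popleft()[1]
            best = max(best, total)
        peaks[account] = best
    return peaks


def flag_bulk_senders(log_text, window=timedelta(minutes=10), limit=100):
    """Accounts whose peak windowed recipient count exceeds `limit`, mapped to that peak."""
    return {acct: n for acct, n in peak_recipients(log_text, window).items() if n > limit}


if __name__ == "__main__":
    for acct, n in flag_bulk_senders(SAMPLE_LOG).items():
        print(f"throttle candidate: {acct} addressed {n} recipients within 10 minutes")
```

A real deployment would key the same counter on the source address as well as the account, so a compromised host that cycles through several logins is still caught.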
From isn at c4i.org Thu Feb 3 01:12:34 2005 From: isn at c4i.org (InfoSec News) Date: Thu Feb 3 01:19:13 2005 Subject: [ISN] Root kit surfaces after Jabber attack Message-ID: http://www.theregister.co.uk/2005/02/02/jabber_attack/ By John Leyden 2nd February 2005 The Jabber Software Foundation (JSF) - the open source instant messaging organisation - has advised developers to check their code, after discovering that a hack attack against its website was more serious than first suspected. An audit conducted on JSF's web servers after an intrusion two weeks ago revealed a root kit on a machine hosting both the jabber.org website and the JabberStudio service. Subsequent investigations revealed the machine (hades.jabber.org) had been compromised for more than a year. The affected machine has been rebuilt and fully locked down. Dynamically generated pages were disabled on the site and the JabberStudio service was temporarily suspended as a precaution after JSF detected the January assault. JSF Executive Director Peter Saint-Andre said in a recent update that Jabber.org will restore its website to normal operation when it is satisfied that there is no security risk. Developers are urged to validate their code as a precaution. However, evidence suggests that other servers in the jabber.org infrastructure (such as the production Jabber server or the mailing list server) were unaffected by the security breach. Neither does much mischief seem to have been perpetrated on the compromised server. It's rare, but not unprecedented, for malicious hackers to load backdoors onto the web servers of application developers. Crackers owned the primary file servers of the GNU Project for five months in 2003, the Free Software Foundation admitted. In May 2001, infamous cracker Fluffy Bunny bragged that he had compromised the systems of the Apache Project. In October 2000, Microsoft's systems were comprehensively compromised by a cracker using the QAZ Trojan.
Weeks later Microsoft's core web sites were again 0wn3d in an attack that went beyond the usual web page defacement. From isn at c4i.org Thu Feb 3 01:16:17 2005 From: isn at c4i.org (InfoSec News) Date: Thu Feb 3 01:19:16 2005 Subject: [ISN] Security UPDATE -- Windows 2000 Support; IE; Spyware Study -- February 2, 2005 Message-ID: ==================== This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE. Service Account Manager for your Data Center http://list.windowsitpro.com/t?ctl=85C:4FB69 Email Encryption and Compliance: The Answer to an Email Admin's Worst Nightmare http://list.windowsitpro.com/t?ctl=841:4FB69 ==================== 1. In Focus: Windows 2000 Support; IE; Spyware Study 2. Security News and Features - Recent Security Vulnerabilities - MCI to Acquire NetSec - SonicWALL Extends Managed Security Services Partner Program - Microsoft to Require Legitimate Windows for Downloads - IronPort C30 3. Security Matters Blog - New Updates for Ethereal and Snort - Need Help Automating Configuration of Routers and Firewalls? 4. Security Toolkit - FAQ - Security Forum Featured Thread 5. New and Improved - Speedier Authentication ==================== ==== Sponsor: Lieberman Software ==== Service Account Manager for your Data Center Most organizations don't update all their service accounts regularly. Reason: it's too hard to do reliably with the built-in tools Microsoft provides (scripts don't make it much better). Lieberman Software's product: "Service Account Manager" has been reliably handling the most complex service account management issues of major corporations and government agencies since 1998. Complex issues such as service dependencies, logon cache, rights and memberships are handled easily. 
Try it for free on 10 systems for 30 days by going to our web site. Or, contact us for an on-line demo. http://list.windowsitpro.com/t?ctl=85C:4FB69 ==================== ==== 1. In Focus: Windows 2000 Support; IE; Spyware Study ==== by Mark Joseph Edwards, News Editor, mark at ntsecurity / net As you know, Microsoft's blanket support for Windows NT Server has ended. The company will cease to provide online support of the product on January 1, 2007. However, Microsoft has released updates that apply to Windows NT components. For example, the company included an update for Microsoft Internet Explorer (IE) 6.0 Service Pack 1 (SP1) for Windows NT systems in its monthly security update release for January. You can read more about Windows NT support at the following URL: http://list.windowsitpro.com/t?ctl=848:4FB69 Microsoft recently announced that it will end standard support, including nonsecurity hotfixes, for Windows 2000 Server on June 30. Paid mainstream support will be available beginning on that date; paid extended support can be obtained until June 30, 2010. Security hotfixes will continue to be available, free for everybody, until March 31, 2007. http://list.windowsitpro.com/t?ctl=84D:4FB69 The company also recently said that it will release no new version of IE until the next version of Windows, code-named Longhorn, becomes available. Longhorn is currently scheduled for some time in 2006, but there are no guarantees that it will in fact be released then. Those of you who want an enhanced version of IE with better security, similar to the one in Windows XP SP2, will have to use third-party browser enhancements to bolster IE's functionality. As you know, Microsoft recently released a beta version of an antispyware solution that's based on the technology of GIANT Company Software, which Microsoft recently purchased. You can download a copy at the Microsoft Security at Home Web site.
http://list.windowsitpro.com/t?ctl=84A:4FB69 My December 2, 2004 commentary, "A Flurry of Enterprise Spyware Solutions," provides a comprehensive list of the available and upcoming enterprise antispyware solutions. http://list.windowsitpro.com/t?ctl=853:4FB69 Just before I wrote that article, I found a useful study of various antispyware packages, but I failed to bookmark the site and lost track of it for a while. I recently came across the site again, and I think you'll find it very interesting. The site, Spyware Warrior, has a blog, forums, lists of products to avoid that contain spyware, and the study, by Eric L. Howes, that offers lots of valuable information about how various antispyware solutions perform. http://list.windowsitpro.com/t?ctl=85F:4FB69 http://list.windowsitpro.com/t?ctl=85A:4FB69 Howes says that the GIANT/Microsoft solution is among the best at detecting and removing various forms of spyware--good news for people who want to use a Microsoft solution. Howes' report explains his methodology and contains loads of data and test results gathered during various phases of testing in October 2004. Among his findings are that no one antispyware solution removes all forms of spyware, that even the best performers miss a quarter of spyware-related files and registry entries, and that prevention is preferable to removal. ==================== ==== Sponsor: Postini ==== Email Encryption and Compliance: The Answer to an Email Admin's Worst Nightmare New regulations, legal liability issues and evolving threats have recently bumped the issue of secure email transmission to the top of IT security managers' "To Do" list. In this free white paper you'll learn how simple and cost-effective it is to implement TLS-based secure email transmission. Download this whitepaper now to find out how to support the dual goals of securing email transmission while preserving the administrator's ability to filter out spam, viruses and prevent email content policy violations.
http://list.windowsitpro.com/t?ctl=841:4FB69 ==================== ==== 2. Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://list.windowsitpro.com/t?ctl=84B:4FB69 MCI to Acquire NetSec MCI will acquire NetSec for approximately $105 million in cash. A joint press release says that MCI will combine its network intelligence with NetSec's managed security services and premise-based intelligence to create an expanded suite of offerings targeted at businesses and governments. http://list.windowsitpro.com/t?ctl=855:4FB69 SonicWALL Extends Managed Security Services Partner Program SonicWALL announced changes to its Managed Security Services Partner (MSSP) program that will give resellers a boost in establishing and building their managed services infrastructures. http://list.windowsitpro.com/t?ctl=854:4FB69 Microsoft to Require Legitimate Windows for Downloads by Paul Thurrott Microsoft announced a roadmap for moving to a future in which Windows users must prove that their OSs aren't pirated before they can download any software from Microsoft.com or Windows Update. The plan, dubbed Windows Genuine Advantage, is being phased in over time, although Microsoft will continue to let even pirated Windows versions download critical security patches through Automatic Updates. http://list.windowsitpro.com/t?ctl=857:4FB69 IronPort C30 By David Chenicoff IronPort Systems' IronPort C30 is a midrange email-security appliance for small-to-midsized businesses (SMBs). The appliance supports spam detection, virus protection, and content filtering, but what sets it apart are two advanced features: IronPort Reputation Filters and IronPort Virus Outbreak Filters. http://list.windowsitpro.com/t?ctl=856:4FB69 ==================== ==== Resources and Events ==== Free eBook! 
Keeping Your Business Safe from Attack: Passwords and Permission Master password and permissions basics with our newest free eBook and discover how to prevent most vulnerabilities and exploits with Microsoft's new tools. Firewalls, antivirus software, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS) can all fail--but a strong permissions and authentication defense is priceless. Get the latest chapter now! http://list.windowsitpro.com/t?ctl=843:4FB69 Encryption and Certificate Services eBook In this new eBook, get the information you need to best deploy Windows Public Key Infrastructure (PKI) services in your IT environment. This free book explains the key components, concepts, and standards behind PKI and provides insight into how to put a Windows-rooted PKI into operation and how to keep it operational. Get the eBook now! http://list.windowsitpro.com/t?ctl=842:4FB69 Fax Servers: Integrate. Automate. Communicate Join industry expert David Chernicoff in this free Web seminar to learn the best way to integrate and automate fax from messaging systems such as Microsoft Exchange Server and Outlook; improve document handling and delivery; and more. You'll receive a complimentary 30-day software evaluation, whitepaper, and Starbuck's gift card just for attending! Register now. http://list.windowsitpro.com/t?ctl=845:4FB69 Is Your Messaging Infrastructure Ready for Tomorrow's Risks? Join industry security expert Randy Franklin Smith as he reveals the hottest security trends in the industry. Find out how SPIM, spyware, phishing, and malware evolve and become the latest threats for industrial espionage. You'll learn which kinds of attacks companies are reporting in increased numbers and the commonly held misconceptions about Microsoft security patches. You'll also discover how secure content management solutions (SCMs) can help your company defend against business and network integrity threats. Register now and ensure enterprisewide protection!
http://list.windowsitpro.com/t?ctl=844:4FB69 ==================== ==== 3. Security Matters Blog ==== by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=85B:4FB69 Check out these recent entries in the Security Matters blog: New Updates for Ethereal and Snort Two popular open-source security tools, Ethereal and Snort, were recently updated. The latest version of Ethereal is 0.10.9, and the latest version of Snort is 2.3.0. If you use these tools, be sure to check out the latest versions, which undoubtedly contain bug fixes and improvements. http://list.windowsitpro.com/t?ctl=851:4FB69 Need Help Automating Configuration of Routers and Firewalls? I found a really slick tool that can help you automate configurations for Cisco routers, Cisco PIX firewalls, and Linux iptables and ip routes. It's called NetSPoC, which I believe is short for Network Security Policy Compiler. http://list.windowsitpro.com/t?ctl=850:4FB69 ==== 4. Security Toolkit ==== FAQ by John Savill, http://list.windowsitpro.com/t?ctl=858:4FB69 Q: Does Windows XP Service Pack 2 (SP2) have an updated Sysprep tool? Find the answer at http://list.windowsitpro.com/t?ctl=852:4FB69 Security Forum Featured Thread: Modifying Directory ACLs A reader writes that he accidentally modified the ACL of a directory on his disk and now he can't change it back. He said he has full access to the parent object and doesn't know why this isn't enough authority to change the ACL again. Have the answer? Join the discussion at http://list.windowsitpro.com/t?ctl=846:4FB69 ==================== ==== Announcements ==== (from Windows IT Pro and its partners) Try a Sample Issue of Exchange & Outlook Administrator! If you haven't seen Exchange & Outlook Administrator, you're missing out on key information to help you migrate, optimize, administer, backup, recover, and secure Exchange and Outlook. Plus, paid subscribers receive exclusive online library access to every article we've ever published. Order now!
http://list.windowsitpro.com/t?ctl=84F:4FB69 Nominate Yourself or a Friend for the MCP Hall of Fame Are you a top-notch MCP who deserves to be a part of the first-ever MCP Hall of Fame? Get the fame you deserve by nominating yourself or a peer to become a part of this influential community of certified professionals. You could win a VIP trip to Microsoft and other valuable prizes. Enter now--it's easy: http://list.windowsitpro.com/t?ctl=849:4FB69 ==================== ==== 5. New and Improved ==== by Renee Munshi, products@windowsitpro.com Speedier Authentication I/O Software offers SecureSuite XS 4.51, authentication management software that works with biometrics, smart cards, and tokens. SecureSuite XS's applications provide secure system logon, password bank/single sign-on, file encryption, and application locking. SecureSuite XS 4.51 integrates data compression, caching, and other optimizations to improve client-server authentication time and overall performance on WANs. The new release also adds to the number of authentication devices supported by SecureSuite XS. SecureSuite XS supports Windows Server 2003, Windows XP, and Windows 2000 and can be deployed as a standalone workstation product or in a client-server environment, using Active Directory (AD). For more information, go to http://list.windowsitpro.com/t?ctl=860:4FB69 Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com. Editor's note: Share Your Security Discoveries and Get $100 Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column.
Email your contributions (500 words or less) to r2rsecadmin@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length. ==================== ==== Sponsored Links ==== Argent versus MOM 2005 Experts Pick the Best Windows Monitoring Solution http://list.windowsitpro.com/t?ctl=861:4FB69 ==================== ==== Contact Us ==== About the newsletter -- letters@windowsitpro.com About technical questions -- http://list.windowsitpro.com/t?ctl=85D:4FB69 About product news -- products@windowsitpro.com About your subscription -- windowsitproupdate@windowsitpro.com About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com ==================== This email newsletter is brought to you by Security Administrator, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today. http://list.windowsitpro.com/t?ctl=84E:4FB69 View the Windows IT Pro privacy policy at http://list.windowsitpro.com/t?ctl=84C:4FB69 Windows IT Pro, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2005, Penton Media, Inc. All rights reserved. From isn at c4i.org Fri Feb 4 05:43:46 2005 From: isn at c4i.org (InfoSec News) Date: Fri Feb 4 05:51:20 2005 Subject: [ISN] Test Site guards failed attack drill Message-ID: http://www.lasvegassun.com/sunbin/stories/lv-other/2005/feb/03/518233054.html By Mary Manning LAS VEGAS SUN February 03, 2005 Guards stationed at the Nevada Test Site to protect the nuclear weapons complex 65 miles northwest of Las Vegas apparently failed a recent test in which they faced a mock terrorist attack. 
Darwin Morgan, spokesman for the National Nuclear Security Administration, an agency within the Energy Department that runs the nuclear weapons complex, said Tuesday that unspecified deficiencies had been identified during the exercise, performed late last year to test the capability of Test Site guards to protect weapons-grade plutonium and highly enriched uranium stored at the site. In a force-on-force exercise, specially trained commandos under the Energy Department's Office of Independent Oversight and Performance Assurance staged a mock attack simulating a potential terrorist attack. Since the exercise at the end of last year, the National Nuclear Security Administration has "taken corrective actions" at the Test Site, Morgan said. The Nevada Test Site has always been a heavily guarded facility because it has tested nuclear weapons from 1951 until September 1992. The government is continuing nuclear-related activities at the site, conducting subcritical underground nuclear experiments that do not cause a nuclear chain reaction. Morgan said the security requirements at the Test Site have been raised because some special nuclear materials are being transferred for security reasons from Los Alamos, N.M., where they had been in an area known as Technical Area 18, to the Test Site. The special nuclear materials and some equipment from New Mexico are to be transferred to the Device Assembly Facility at the Test Site, Morgan said. The Device Assembly Facility is a buried building guarded by gun turrets at either end, officials said. Morgan noted that "we have been growing the guard force." The Test Site expects to have 240 to 250 guards in place by the time the nuclear materials from New Mexico arrive, Morgan said. Exact numbers of guards and details about the Test Site are kept secret for security reasons, Morgan said. The Test Site is guarded by forces provided by Wackenhut Services Inc. under contract with the Energy Department.
The department last year put the Nevada security contract out for bid along with its prime operating contract held by Bechtel Nevada. From isn at c4i.org Fri Feb 4 05:44:43 2005 From: isn at c4i.org (InfoSec News) Date: Fri Feb 4 05:51:24 2005 Subject: [ISN] Secunia Weekly Summary - Issue: 2005-5 Message-ID: ======================================================================== The Secunia Weekly Advisory Summary 2005-01-27 - 2005-02-03 This week : 65 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3...............................This Weeks Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written. Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued. As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet. Secunia Online Vulnerability Database: http://secunia.com/ ======================================================================== 2) This Week in Brief: ADVISORIES: Qualcomm has released a new version of Eudora, which according to the vendor corrects some vulnerabilities, which can be exploited to crash the mail client. 
However, according to the security researcher who initially found the vulnerabilities, these can actually be exploited to run arbitrary code on a vulnerable system. Please refer to the Secunia advisory below for additional details.

References:
http://secunia.com/SA14104/

--

The Mozilla Foundation has released details about several vulnerabilities, which were corrected with the releases of Firefox 1.0, Mozilla 1.7.5, and Thunderbird 1.0. A listing of the vulnerabilities and additional details are available in the Secunia advisory below.

References:
http://secunia.com/SA14017/

VIRUS ALERTS:

During the last week, Secunia issued 2 MEDIUM RISK virus alerts. Please refer to the grouped virus profile below for more information:

Bropia.F - MEDIUM RISK Virus Alert - 2005-02-03 06:25 GMT+1
http://secunia.com/virus_information/15107/bropia.f/

Bagle.BA - MEDIUM RISK Virus Alert - 2005-01-28 02:58 GMT+1
http://secunia.com/virus_information/12174/bagle.ba/

========================================================================

3) This Week's Top Ten Most Read Advisories:

1. [SA12889] Microsoft Internet Explorer Multiple Vulnerabilities
2. [SA13969] DivX Player ".dps" Skin File Directory Traversal Vulnerability
3. [SA14017] Firefox / Mozilla / Thunderbird Multiple Vulnerabilities
4. [SA13482] Internet Explorer DHTML Edit ActiveX Control Cross-Site Scripting
5. [SA13129] Mozilla / Mozilla Firefox Window Injection Vulnerability
6. [SA13599] Mozilla / Mozilla Firefox Download Dialog Source Spoofing
7. [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerability
8. [SA13918] Sun Java Plug-In Two Vulnerabilities
9. [SA13862] Oracle Products 23 Vulnerabilities
10. [SA14061] Windows Registry Key Locking Denial of Service

========================================================================

4) Vulnerabilities Summary Listing

Windows:
[SA14113] Painkiller CD-Key Hash Buffer Overflow Vulnerability
[SA14104] Eudora System Compromise Vulnerabilities
[SA14116] DeskNow Mail and Collaboration Directory Traversal Vulnerabilities
[SA14077] Eternal Lines Web Server Two Vulnerabilities
[SA14073] Xpand Rally Denial of Service Vulnerability
[SA14063] SnugServer FTP Server Directory Traversal Vulnerability
[SA14054] War FTP Daemon Denial of Service Vulnerability
[SA14053] Winmail Server Multiple Vulnerabilities
[SA14106] Eurofull E-Commerce "nombre" Cross-Site Scripting
[SA14087] RealPlayer RealMedia ".rm" Security Bypass Vulnerability
[SA14080] SmarterMail Attachment Upload Vulnerability
[SA14079] WebAdmin Multiple Vulnerabilities
[SA14058] WebWasher Classic Server Mode Proxying Vulnerability
[SA14078] IceWarp Web Mail Various Weaknesses
[SA14075] Captaris Infinite Mobile Delivery Webmail Cross-Site Scripting
[SA14061] Windows Registry Key Locking Denial of Service

UNIX/Linux:
[SA14103] Debian update for prozilla
[SA14096] Debian update for squirrelmail
[SA14086] Red Hat update for ethereal
[SA14081] HP VirtualVault / Webproxy Apache Vulnerabilities
[SA14065] Gentoo update for tikiwiki
[SA14059] Gentoo update for ngircd
[SA14056] ngIRCd "Lists_MakeMask()" Buffer Overflow Vulnerability
[SA14112] Gentoo update for squid
[SA14109] Red Hat update for enscript
[SA14105] Gentoo update for enscript
[SA14101] Fedora update for squid
[SA14100] Mandrake update for imap
[SA14099] Mandrake update for chbg
[SA14097] Gentoo update for uw-imap
[SA14093] Fedora update for openssl096b
[SA14091] Squid Oversized Reply Header Handling Security Issue
[SA14089] Gentoo update for clamav
[SA14088] Avaya Intuity Audix Denial of Service Vulnerabilities
[SA14085] Mandrake update for clamav
[SA14084] Clam AntiVirus ZIP File Handling Denial of Service
[SA14082] HP VirtualVault TGA Daemon Unspecified Denial of Service
[SA14062] Fedora update for openswan
[SA14057] UW-imapd CRAM-MD5 Authentication Bypass Vulnerability
[SA14055] Mandrake update for evolution
[SA14107] Red Hat update for cups
[SA14095] AIX Unspecified NIS Client System Compromise Vulnerability
[SA14098] Gentoo update for newspost
[SA14094] newsfetch NNTP Response Handling Buffer Overflows
[SA14092] Newspost "socket_getline()" Buffer Overflow Vulnerability
[SA14069] Gentoo update for gallery
[SA14111] Mandrake update for ncpfs
[SA14072] fprobe Weak Hash Functions Denial of Service
[SA14071] Dante FD_SET Overflow Vulnerability
[SA14070] Gentoo update for ncpfs
[SA14068] ncpfs Two Vulnerabilities
[SA14121] Debian cpio Incorrect File Permissions
[SA14115] Mandrake update for vim
[SA14108] Red Hat update for perl-DBI
[SA14102] Gentoo update for firehol
[SA14067] Gentoo update for f2c
[SA14066] Gentoo update for vdr
[SA14052] Debian update for f2c

Other:
[SA14122] Cisco IP/VC 3500 Series Hard-Coded SNMP Community Strings
[SA14060] Ingate Firewall Active Blocked PPTP Tunnel Security Issue

Cross Platform:
[SA14124] Mambo Global Variables Security Bypass Vulnerability
[SA14064] Xoops Incontent Module Arbitrary File Content Disclosure
[SA14090] PHP-Fusion "forum_search.php" Information Disclosure
[SA14074] JShop Server "xProd" and "xSec" Parameters Cross-Site Scripting
[SA14076] Squid WCCP Message Handling Buffer Overflow Vulnerability

========================================================================

5) Vulnerabilities Content Listing

Windows:
--
[SA14113] Painkiller CD-Key Hash Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access, DoS
Released: 2005-02-03

Luigi Auriemma has reported a vulnerability in Painkiller, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14113/

--
[SA14104] Eudora System Compromise Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-02-03

John Heasman of NGSSoftware has reported some vulnerabilities in Eudora, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14104/

--
[SA14116] DeskNow Mail and Collaboration Directory Traversal Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, DoS, System access
Released: 2005-02-03

Tan Chew Keong has reported two vulnerabilities in DeskNow Mail and Collaboration, which can be exploited by malicious users to delete arbitrary files and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14116/

--
[SA14077] Eternal Lines Web Server Two Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Exposure of sensitive information, DoS
Released: 2005-02-01

Two vulnerabilities have been reported in Eternal Lines Web Server, which can be exploited by malicious people to cause a DoS (Denial of Service), disclose sensitive information, and bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/14077/

--
[SA14073] Xpand Rally Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-01-31

Luigi Auriemma has reported a vulnerability in Xpand Rally, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14073/

--
[SA14063] SnugServer FTP Server Directory Traversal Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-01-28

muts has reported a vulnerability in SnugServer, which can be exploited by malicious users to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/14063/

--
[SA14054] War FTP Daemon Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-01-28

MC.Iglo has discovered a vulnerability in War FTP Daemon, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14054/

--
[SA14053] Winmail Server Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Spoofing, Exposure of sensitive information, System access
Released: 2005-01-28

Tan Chew Keong has reported some vulnerabilities in Winmail Server, which can be exploited by malicious users to disclose sensitive information, use a vulnerable system for port scanning other hosts, conduct script insertion attacks, or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14053/

--
[SA14106] Eurofull E-Commerce "nombre" Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-02-02

Security .Net Information has reported a vulnerability in Eurofull E-Commerce, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/14106/

--
[SA14087] RealPlayer RealMedia ".rm" Security Bypass Vulnerability
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2005-02-01

http-equiv has discovered a vulnerability in RealPlayer, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/14087/

--
[SA14080] SmarterMail Attachment Upload Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-01-31

Soroush Dalili has discovered a vulnerability in SmarterMail, which can be exploited by malicious users to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/14080/

--
[SA14079] WebAdmin Multiple Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting
Released: 2005-01-31

David Alonso Pérez has reported some vulnerabilities in WebAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks and bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/14079/

--
[SA14058] WebWasher Classic Server Mode Proxying Vulnerability
Critical: Less critical
Where: From local network
Impact: Security Bypass
Released: 2005-01-28

Oliver Karow has discovered a vulnerability in WebWasher Classic, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/14058/

--
[SA14078] IceWarp Web Mail Various Weaknesses
Critical: Not critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2005-01-31

ShineShadow has reported two weaknesses in IceWarp Web Mail, which can be exploited by malicious users to gain knowledge of certain system information or sensitive information.

Full Advisory: http://secunia.com/advisories/14078/

--
[SA14075] Captaris Infinite Mobile Delivery Webmail Cross-Site Scripting
Critical: Not critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information
Released: 2005-01-31

Steven has reported a vulnerability in Infinite Mobile Delivery, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/14075/

--
[SA14061] Windows Registry Key Locking Denial of Service
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2005-01-31

Vladimir Kraljevic has reported a security issue in Windows, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14061/

UNIX/Linux:
--
[SA14103] Debian update for prozilla
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-02-02

Debian has issued an update for prozilla. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14103/

--
[SA14096] Debian update for squirrelmail
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2005-02-02

Debian has issued an update for squirrelmail. This fixes two vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14096/

--
[SA14086] Red Hat update for ethereal
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-02-02

Red Hat has issued an update for ethereal. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14086/

--
[SA14081] HP VirtualVault / Webproxy Apache Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Privilege escalation, DoS, System access
Released: 2005-01-31

HP has acknowledged some vulnerabilities in Virtualvault and Webproxy, which can be exploited to gain escalated privileges, cause a DoS (Denial of Service), and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14081/

--
[SA14065] Gentoo update for tikiwiki
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-01-31

Gentoo has issued an update for tikiwiki. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14065/

--
[SA14059] Gentoo update for ngircd
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-01-31

Gentoo has issued an update for ngircd. This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14059/

--
[SA14056] ngIRCd "Lists_MakeMask()" Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-01-31

Florian Westphal has reported a vulnerability in ngIRCd, which can be exploited by malicious users to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14056/

--
[SA14112] Gentoo update for squid
Critical: Moderately critical
Where: From remote
Impact: Unknown, Security Bypass, DoS
Released: 2005-02-03

Gentoo has issued an update for squid, which fixes various vulnerabilities. One has an unknown impact, and others can be exploited by malicious people to bypass certain security restrictions and cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14112/

--
[SA14109] Red Hat update for enscript
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-02-02

Red Hat has issued an update for enscript. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14109/

--
[SA14105] Gentoo update for enscript
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-02-03

Gentoo has issued an update for enscript. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14105/

--
[SA14101] Fedora update for squid
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-02-02

Fedora has issued an update for squid. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14101/

--
[SA14100] Mandrake update for imap
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-02-02

MandrakeSoft has issued an update for imap. This fixes a vulnerability, which can be exploited by malicious people to bypass the user authentication.

Full Advisory: http://secunia.com/advisories/14100/

--
[SA14099] Mandrake update for chbg
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-02-02

MandrakeSoft has issued an update for chbg. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14099/

--
[SA14097] Gentoo update for uw-imap
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-02-02

Gentoo has issued an update for uw-imap. This fixes a vulnerability, which can be exploited by malicious people to bypass the user authentication.

Full Advisory: http://secunia.com/advisories/14097/

--
[SA14093] Fedora update for openssl096b
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-02-01

Fedora has issued an update for openssl096b. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14093/

--
[SA14091] Squid Oversized Reply Header Handling Security Issue
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2005-02-01

A security issue with an unknown impact has been reported in Squid.
Full Advisory: http://secunia.com/advisories/14091/

--
[SA14089] Gentoo update for clamav
Critical: Moderately critical
Where: From remote
Impact: DoS, Security Bypass
Released: 2005-02-01

Gentoo has issued an update for clamav. This fixes a vulnerability and a weakness, which allow malware to bypass detection and cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14089/

--
[SA14088] Avaya Intuity Audix Denial of Service Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-02-01

Avaya has acknowledged some vulnerabilities in Intuity Audix R5, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14088/

--
[SA14085] Mandrake update for clamav
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, DoS
Released: 2005-02-01

MandrakeSoft has issued an update for clamav. This fixes a vulnerability and a weakness, which allow malware to bypass detection and cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14085/

--
[SA14084] Clam AntiVirus ZIP File Handling Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-02-01

Reinhard Max has reported a vulnerability in Clam AntiVirus, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14084/

--
[SA14082] HP VirtualVault TGA Daemon Unspecified Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-01-31

A vulnerability has been reported in HP Virtualvault, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14082/

--
[SA14062] Fedora update for openswan
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-01-31

Fedora has issued an update for openswan.
This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14062/

--
[SA14057] UW-imapd CRAM-MD5 Authentication Bypass Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-01-28

A vulnerability has been reported in University of Washington IMAP server, which can be exploited by malicious people to bypass the user authentication.

Full Advisory: http://secunia.com/advisories/14057/

--
[SA14055] Mandrake update for evolution
Critical: Moderately critical
Where: From remote
Impact: Privilege escalation, System access
Released: 2005-01-28

MandrakeSoft has issued an update for evolution. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system or by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/14055/

--
[SA14107] Red Hat update for cups
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2005-02-02

Red Hat has issued an update for cups. This fixes a vulnerability, which potentially can be exploited by malicious users to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14107/

--
[SA14095] AIX Unspecified NIS Client System Compromise Vulnerability
Critical: Moderately critical
Where: From local network
Impact: Privilege escalation, System access
Released: 2005-02-01

A vulnerability has been reported in AIX, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14095/

--
[SA14098] Gentoo update for newspost
Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-02-03

Gentoo has issued an update for newspost. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14098/

--
[SA14094] newsfetch NNTP Response Handling Buffer Overflows
Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-02-01

Niels Heinen has reported a vulnerability in newsfetch, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14094/

--
[SA14092] Newspost "socket_getline()" Buffer Overflow Vulnerability
Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-02-01

Niels Heinen has reported a vulnerability in Newspost, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14092/

--
[SA14069] Gentoo update for gallery
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-01-31

Gentoo has issued an update for gallery. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/14069/

--
[SA14111] Mandrake update for ncpfs
Critical: Less critical
Where: From local network
Impact: Privilege escalation, System access
Released: 2005-02-02

MandrakeSoft has issued an update for ncpfs. This fixes two vulnerabilities and a potential issue, which can be exploited to perform certain actions on a vulnerable system with escalated privileges or potentially compromise a user's system.

Full Advisory: http://secunia.com/advisories/14111/

--
[SA14072] fprobe Weak Hash Functions Denial of Service
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-01-31

A vulnerability has been reported in fprobe, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14072/

--
[SA14071] Dante FD_SET Overflow Vulnerability
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-01-31

3APA3A has reported a vulnerability in Dante, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14071/

--
[SA14070] Gentoo update for ncpfs
Critical: Less critical
Where: From local network
Impact: Privilege escalation, System access
Released: 2005-01-31

Gentoo has issued an update for ncpfs, which fixes two vulnerabilities. The first can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges, and the second may potentially allow malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14070/

--
[SA14068] ncpfs Two Vulnerabilities
Critical: Less critical
Where: From local network
Impact: Privilege escalation, System access
Released: 2005-01-31

Erik Sjolund has reported two vulnerabilities in ncpfs. The first can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges, and the second may potentially allow malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14068/

--
[SA14121] Debian cpio Incorrect File Permissions
Critical: Less critical
Where: Local system
Impact: Manipulation of data, Exposure of sensitive information
Released: 2005-02-03

Debian has issued an update for cpio. This fixes a vulnerability, which can be exploited by malicious, local users to disclose and manipulate information.

Full Advisory: http://secunia.com/advisories/14121/

--
[SA14115] Mandrake update for vim
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-03

MandrakeSoft has issued an update for vim.
This fixes some vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/14115/

--
[SA14108] Red Hat update for perl-DBI
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-02

Red Hat has issued an update for perl-DBI. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/14108/

--
[SA14102] Gentoo update for firehol
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-02

Gentoo has issued an update for firehol. This fixes some vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/14102/

--
[SA14067] Gentoo update for f2c
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-01-31

Gentoo has issued an update for f2c. This fixes some vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/14067/

--
[SA14066] Gentoo update for vdr
Critical: Less critical
Where: Local system
Impact: Manipulation of data
Released: 2005-01-31

Gentoo has issued an update for vdr. This fixes a vulnerability, which can be exploited by malicious, local users to manipulate sensitive information.

Full Advisory: http://secunia.com/advisories/14066/

--
[SA14052] Debian update for f2c
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-01-28

Debian has issued an update for f2c.
This fixes some vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/14052/

Other:
--
[SA14122] Cisco IP/VC 3500 Series Hard-Coded SNMP Community Strings
Critical: Moderately critical
Where: From local network
Impact: Manipulation of data, Exposure of system information, Exposure of sensitive information
Released: 2005-02-03

A security issue has been reported in some Cisco IP/VC Videoconferencing System models, which can be exploited by malicious people to read or manipulate configuration information.

Full Advisory: http://secunia.com/advisories/14122/

--
[SA14060] Ingate Firewall Active Blocked PPTP Tunnel Security Issue
Critical: Less critical
Where: From local network
Impact: Security Bypass
Released: 2005-01-28

Neil Watson has reported a security issue in Ingate Firewall, which may allow PPTP users to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/14060/

Cross Platform:
--
[SA14124] Mambo Global Variables Security Bypass Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-02-03

A vulnerability has been reported in Mambo, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/14124/

--
[SA14064] Xoops Incontent Module Arbitrary File Content Disclosure
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-01-31

Larok has reported a vulnerability in the Incontent module for Xoops, which can be exploited by malicious people to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/14064/

--
[SA14090] PHP-Fusion "forum_search.php" Information Disclosure
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-02-02

TheGreatOne2176 has discovered a vulnerability in PHP-Fusion, which can be exploited by malicious people to disclose potentially sensitive information.

Full Advisory: http://secunia.com/advisories/14090/

--
[SA14074] JShop Server "xProd" and "xSec" Parameters Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-01-31

SmOk3 has reported a vulnerability in JShop Server, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/14074/

--
[SA14076] Squid WCCP Message Handling Buffer Overflow Vulnerability
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-01-31

FSC Vulnerability Research Team has reported a vulnerability in Squid, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14076/

========================================================================

Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches; only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Fri Feb 4 05:45:00 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 4 05:51:26 2005
Subject: [ISN] State worker acquitted of hacking government computer
Message-ID:

http://www.tuscaloosanews.com/apps/pbcs.dll/article?AID=/20050203/APN/502030742

The Associated Press
February 03, 2005

A state worker has been acquitted of charges of hacking into a computer system at the Department of Social Services in 1999. A state district court jury returned the verdict in favor of Andrew Mata on Wednesday.

Prosecutors accused Mata of illegally entering the system and upgrading his own access. After he left DSS for a job with the Department of Health and Hospitals, Social Services personnel lowered Mata's access to their computer records.

The alleged crime - offenses against intellectual property - occurred when Mata, using the codes of a Social Services computer worker, got back into the computer systems and restored his previous access, prosecutors said.

But Mata testified he broke no laws and changed his access in the DSS computer back to where he thought it should have been, and went to work on major projects related to the anticipated Y2K crisis. He said he was supposed to have the same status on both the DSS and DHH systems.

The charge, which was filed against Mata in May 2001, carried up to five years in prison.

From isn at c4i.org Fri Feb 4 05:45:11 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 4 05:51:29 2005
Subject: [ISN] Saddam Hussein "death" virus on loose
Message-ID:

http://www.theinquirer.net/?article=21080

By INQUIRER staff
03 February 2005

BRITISH ANTIVIRUS firm Sophos warned that a version of the Bobax-H worm is on the loose, disguised as pictures of a dead Saddam Hussein.
According to Sophos, the worm carries different message warnings such as "Saddam Hussein: Attempted Escape. Shot Dead". Other versions carrying the same payload claim to have pictures of a captured Osama Bin Laden. Sophos said the worm, if activated, carries the same payload as the Sasser worm exploited. Graham Cluley, marketing director at Sophos, warned that many people opened emails to be abreast of the news. But he also hit out at those responsible for the security of Windows machines for not taking advantage of the patches that protect against Bobax. From isn at c4i.org Fri Feb 4 05:45:26 2005 From: isn at c4i.org (InfoSec News) Date: Fri Feb 4 05:51:31 2005 Subject: [ISN] Huge security hole in .NET: Java creator Message-ID: http://www.zdnet.com.au/news/security/0,2000061744,39179932,00.htm By Renai LeMay ZDNet Australia 04 February 2005 Java creator James Gosling this week called Microsoft's decision to support C and C++ in the common language runtime in .NET one of the "biggest and most offensive mistakes that they could have made". Gosling, who is currently CTO of Sun's Developer Products group, made the comments as part of his speech to developers at an event in Sydney earlier this week. He further commented that by including the two languages into Microsoft's software development platform, the company "has left open a security hole large enough to drive many, many large trucks through". According to Gosling, the security hole is based upon the fact that several features of the older languages are ambivalent with regards to security: "C++ allowed you to do arbitrary casting, arbitrary adding of images and pointers, and converting them back and forth between pointers in a very, very unstructured way. "If you look at the security model in Java and the reliability model, and a lot of things in the exception handling, they depend really critically on the fact that there is some integrity to the properties of objects. 
So if somebody gives you an object and says 'This is an image', then it is an image. It's not like a pointer to a stream, where it just casts an image," said Gosling.

Microsoft developer evangelist Charles Sterling didn't entirely disagree with Gosling's comments, but he sought to clarify the issue with .NET's security.

Sterling pointed out that .NET defines different sorts of code. "Managed" code is code that is executed under the control of the .NET framework. New languages such as C# and Visual Basic.NET only produce managed code.

However, Gosling is concerned about "unsafe" code, which is produced by traditional languages like C and C++. Unsafe code is old code that does not strictly follow the rules of type safety that .NET defines, and this sort of code requires additional permissions to execute.

According to Sterling, "you as a developer take it upon yourself" to utilise unsafe code in your .NET applications.

An important point is that the so-called unsafe code does have the potential to run faster than "managed" code due to some languages' ability to include machine-specific features that may sacrifice platform portability for speed.

Sterling acknowledged this as he said that the choice between the two platforms is all about risk: if developers are willing to "accept the risk" of unsafe code then they may gain access to "the best performance system on the planet".

Sterling also gave the debate a reality check when asked of his personal knowledge of .NET developers actually implementing C or C++ code under a .NET framework. Of the approximately one thousand developers that Sterling knows, he could only recall one directly developing under the C++ code.

Whether this indicates an unwillingness on the part of developers to utilise code that is unsafe is not clear.

From isn at c4i.org Mon Feb 7 08:30:44 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Feb 7 08:42:29 2005
Subject: [ISN] Cisco: There is no fixed software for this issue.
Message-ID:

Forwarded from: security curmudgeon

http://www.attrition.org/security/rant/cisco01.html

Cisco: There is no fixed software for this issue.
Fri Feb 4 01:55:02 EST 2005
Jericho

I think it is time to give up on Cisco.

Most professionals in the security industry have long since given up on vendors such as Microsoft and resigned ourselves to the fact that they don't understand security, and that for all the marketing and PR these companies never will. Year after year, we see stupid and trivial security bugs pop up in their software. Often times these are the same vulnerabilities reborn with a new product, or the same class of vulnerabilities creeping back into the code due to poor programming practices. In other cases, vulnerabilities are found and supposedly patched by vendors. Days or weeks later, it is discovered that the patch does not fully mitigate the original problem and can be bypassed and the software is still vulnerable.

Yesterday, Cisco Systems, Inc. posted a new security advisory announcing a vulnerability in one of their product lines. This is not new for Cisco by any means as they have released 155 security advisories dating back to June 1, 1995. Why is this one different? The proverbial straw that broke the camel's back perhaps.

The issue is not that just another vulnerability affects their products, nor is it the amount of issues Cisco has posted over the years. While depressing to anyone responsible for the security of one of their devices, it is mostly manageable. Cisco has been fairly good about addressing problems in the past, providing patches and solid workarounds and eventually selling new versions of their software that aren't affected. Until now.

There are two issues with the latest advisory covering a vulnerability in Cisco IP/VC Products. Either issue unto themselves should have Cisco customers up in arms demanding better products and better service.
As long as companies continue to buy and support irresponsible and unethical vendors, they will continue to deliver over-priced insecure software.

[..]

From isn at c4i.org Mon Feb 7 08:31:03 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Feb 7 08:42:31 2005
Subject: [ISN] J-CARD numbers leaked on Internet
Message-ID:

http://www.jhunewsletter.com/vnews/display.v/ART/2005/02/04/42025291bac2c

By Katherine Brewer
February 04, 2005

Over 2,100 Hopkins students, mostly juniors and seniors, must trade in their J-CARDs after the university discovered it had accidentally posted their names and J-CARD numbers online this winter.

The files, used in the spring 2003 Student Council elections, contained the names, birthdays and J-CARD numbers of over 4,000 students. The last four digits of 1,500 of these students' Social Security numbers were also posted.

Many of the affected students have graduated, but all juniors and seniors and several graduate students who still have active J-CARDs were contacted through mail by Susan Boswell, dean of student life, on Jan. 24.

Although there was no direct link to the leaked J-CARD information, it was accessible through search engines. A student who entered her name on http://www.google.com discovered the files and notified the school.

The error was discovered on January 4, but administrators kept it private until all links to the material could be deleted.

"It's not clear exactly how long they were online," said Dennis O'Shea, executive director of communications and public affairs for Hopkins.

O'Shea also stressed that this would not happen again, because it was a transition year in StuCo balloting, and elections no longer involve entering J-CARD numbers.

There is no evidence that the information was accessed and used illegally, but the university decided to take precautions and asked all those affected to trade in their J-CARDs for new ones by Feb. 11.

"The file was in a very obscure place.
You would have had to go looking for them," O'Shea said, "and most people wouldn't know what they were, even if they did find them."

"Although the university feels strongly that any potential harm has been averted by the discovery and removal of the files, we nonetheless think it is advisable to err on the side of caution," Boswell wrote in an e-mail to affected students.

The J-CARD office has extended its hours to 7 p.m. until Feb. 11 to help with the exchange, but students who do not exchange their cards by the scheduled date are subject to cancellation of their cards.

To date, according to O'Shea's office, more than 750 students have made their J-CARD exchanges, out of the 2,100 juniors and seniors with active cards.

"We do encourage all students who are affected to exchange," said O'Shea, "and remind them that they are subject to cancellation if they do not make the exchange by the deadline."

Although there is very little that can be done with only the J-CARD number without the possession of the actual card, the university has notified local businesses that accept J-CARD to be on alert and asked affected students to keep tabs on their J-CARD accounts.

"It doesn't really bother me much," said James Baird, a senior who has yet to trade in his card. "I suppose it's safer than doing nothing at all, but I'm kind of surprised they didn't figure this out a while ago."

Some students expressed little concern about the information leak.

"I don't really care that the information was on the Internet," said Mike Kong, a senior.

At least one student did express feelings of frustration at the situation, especially in light of what he considered to be other general security failures.

"For some reason, I don't have much confidence in the security measures at this school," said Matt Bassett, a junior. "This is just another example of a security failure; they can't even keep our personal information safe on the Internet."
From isn at c4i.org Mon Feb 7 08:31:43 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Feb 7 08:42:41 2005
Subject: [ISN] "The Bad Boys are also Terribly Clever"
Message-ID:

http://service.spiegel.de/cache/international/spiegel/0,1518,340395,00.html

SPIEGEL Interview with Bill Gates
January 31, 2005

Microsoft founder Bill Gates, 49, talks about the thorny issues of computer security, competition, software bundling and how he lives with the downsides of his wealth and fame. In addition to being the world's richest man, Gates is the founder of the world's most powerful software company.

SPIEGEL: Mr. Gates, you came to Munich this week specifically to initiate a project for more Internet security in Germany. The government sponsor is Labor and Economics Minister Wolfgang Clement. Why are you taking the initiative now?

Gates: The enthusiasm about how computers, the Internet, and good software can help people is probably as large today as it ever was. A lot of fantastic things have happened in the past few years. Just think about how e-mail contact or digital business with photos or music have developed world-wide. But while we still work on wonderful further developments, some really serious issues are being forced onto the agenda, and we now have to ensure that they do not ever become a problem. This stretches from annoyance about a mailbox filled with junk advertising to the risk that your computer has been taken over by hackers to spy on your data. There is a lot to do, especially for Microsoft.

SPIEGEL: You want to achieve that single-handedly?

Gates: The bandwidth of problems is enormous. And not only individual companies are facing demands, but our entire industry. In meeting these demands we have to work together with governments and public agencies. Politics has to ensure the legal framework.

SPIEGEL: And consumers?

Gates: PC users will have to grapple more intensively with very practical questions. For example: Do I need regular updates of my software?
That alone is a gigantic thing for us. When we offer an improvement to Windows via the Internet today, there are a few hundred million people who take up the offer, but also a few hundred million who do not do it. Or here's another question: How do my children use the Internet? If nothing else, that is a challenge now because at times kids handle the World Wide Web significantly better than parents. One thing we have to do is make computer use simpler in order to increase people's awareness of such questions.

SPIEGEL: Did you underestimate the security problems? A few years ago, the chief concerns of your industry were making computers more efficient and hooking up as many houses as possible. Now security is of chief concern. Even Microsoft seems to have first become aware of the danger after Sept. 11.

Gates: The terrorist attacks in 2001 just showed people up close where a lack of security can lead. Problems with computer security have more to do with the unbelievable success of the computer itself. The more successful the PC became, the more the downsides also became clear, such as: how can I prevent someone from stealing my credit cards off the Internet? In some areas, the bad boys are also terribly clever -- and occasionally more crafty than we had expected.

SPIEGEL: Those who send spam advertising e-mails for example.

Gates: I don't want to minimize the problem at all. We will still have a few years of fighting with that. But, there are many things that have already improved. On the other hand, problems in the area of data theft have increased.

SPIEGEL: From which corner do you expect the greatest challenge? Virus makers? Hackers? Spam senders?

Gates: There will always be people who try to take advantage of the medium by bothering us with marketing stuff, which is fast, easy, and cheap to distribute world-wide. We will be able to control that to some degree because the sources allow themselves to be traced back.
The people who create advertisements for a certain company usually receive money from the company. That makes them traceable. We have been making enormous progress on this front. I worry more about whether our general dream will be fulfilled.

SPIEGEL: What is that dream?

Gates: That we can globally communicate with one another without mistrust and can do it more creatively. To do this, for example, it is important that your identity is safe on the Internet. In the end it involves a promise, the promise of the digital age. But I also do not believe that the current difficulties can really endanger that.

SPIEGEL: Microsoft is not only a part of the solution, but also, because of its market power, part of the problem. When a company provides more than 90 percent of all personal computers with software it is inevitably a target for hackers interested in causing the most damage possible.

Gates: There are actually a large number of operating systems in addition to Windows, for example, such as OS from Apple or Linux and Unix...

SPIEGEL: ... but in the realm of normal personal computers, they don't play a large role worldwide.

Gates: The truth is: the fewer operating systems there are within a company, the better it is from a security point of view.

SPIEGEL: I beg your pardon?

Gates: Simply because one must spend billions of dollars to ensure the security of each individual system. Our company has an unbelievable number of people who are solely responsible for this type of security around the clock.

SPIEGEL: The particular charm of Linux is that it is an adaptable system that users can shape themselves.

Gates: If everything runs under the same platform, however, you can better concentrate resources and more quickly repair errors. For instance, in a hospital where different systems are used, a single problem in one section can cause the other systems to crash. Thus, from a security standpoint it is always better to focus on one system.
SPIEGEL: But your small competitor Apple, for example, is much less frequently a victim of virus attacks ...

Gates: ... put so sweepingly, that is not correct. Of course we are the largest target, simply because we have the most widely disseminated system. But it affects others in exactly the same way. Linux is, in many respects, even more significantly affected.

SPIEGEL: In a few hours a Windows virus can travel across the world like an epidemic...

Gates: ... above all because of our global popularity. But we know that. And we must apply still more time and money to it. However, spam or data theft are not questions of the operating system. For this, you also need laws and global standards.

SPIEGEL: Once again: Windows is the most vulnerable.

Gates: You could look at that in many ways. The speed with which, for example, the Linux community reacts to problems is not especially high -- that's because this system, unlike ours, simply does not keep thousands of people on standby to deal with problems. In this respect, a commercially distributed operating system also has decisive benefits. Sweeping judgments don't help because we all have to take the problems seriously. Even Linux developers know that there is no miracle cure in Linuxland. They, too, must continue to work and continue to make progress.

[...]

From isn at c4i.org Mon Feb 7 08:37:50 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Feb 7 08:42:43 2005
Subject: [ISN] FBI Computers: You Don't Have Mail
Message-ID:

http://www.msnbc.msn.com/id/6919621/site/newsweek/

By Michael Isikoff and Mark Hosenball
Newsweek
http://www.amazon.com/exec/obidos/ASIN/B00005N7RT/c4iorg
February 14th 2005 issue

The FBI's computer woes got even worse last week when bureau officials were forced to shut down a commercial e-mail network used by supervisors, agents and others to communicate with the public.
The reason, sources tell NEWSWEEK, was an apparent "cyberintrusion" by an outside hacker who officials fear had been tapping into supposedly secure e-mail messages since late last year.

FBI spokesmen publicly sought to downplay the damage, saying the compromised commercial server - maintained by AT&T - was used exclusively for unclassified and "nonsensitive" communications that did not involve ongoing investigations. One example, they said, was notices from public-affairs offices' fbi.gov addresses to members of the press.

But privately, officials were highly concerned - and recently notified the White House. One top FBI official says he regularly used his shut-down fbi.gov e-mail account to send messages to state and local police chiefs. Another source tells Newsweek that more than 3,000 old and current e-mail accounts were shut down. Others say the same apparently compromised server also provided accounts to other government agencies.

Justice Department officials, who launched their own cybercrime investigation into the apparent intrusion, noted that there was no telling the potential damage at this point, given the common tendency for everybody to say too much - including making references to law-enforcement "sensitive" cases - even in theoretically routine e-mails. "This is an eye-opener for all of us," says one FBI official.

The bigger question, sources say, was how the hackers penetrated the bureau's e-mails - and why it took the FBI so long to notify the rest of the government. The FBI e-mail system was erected with firewalls that were supposed to prevent even sophisticated hackers from penetrating. But while officials stressed there was no evidence that the apparent intruder or intruders were part of any terrorist or foreign intelligence organization, the authorities were still baffled as to how they got into the system.
According to sources familiar with the investigation, one suspicion is that hackers either used sophisticated "password cracking" software that tries out millions of password combinations or somehow eavesdropped on Internet transmissions.

Over the weekend, NEWSWEEK has learned, the Department of Homeland Security posted a computer-security alert to agencies throughout the federal government urging e-mail users to be more careful about choosing their passwords by avoiding obvious clues - like nicknames, initials, children's names, birth dates, pet names or brands of car. "Such information can be easily obtained and used to crack your password," the bulletin states.

The e-mail compromise couldn't have come at a worse time for the bureau. Just last week, the Justice Department inspector-general released a report sharply criticizing the FBI's management of its new Virtual Case File computer system - a $170 million software upgrade that bureau officials now concede they may have to scrap. The VCF system was supposed to make it much easier for agents to electronically access vital information relating to ongoing cases in different FBI offices. But the I.G. found that poor planning and ineffective management have resulted in a system that is nearly unworkable. FBI chief Robert Mueller, who sources say has personally briefed President George W. Bush on the matter, took responsibility "at least in part" for the fiasco before a Senate subcommittee. "No one is more frustrated and disappointed than I," he said.

From isn at c4i.org Mon Feb 7 08:39:31 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Feb 7 08:42:45 2005
Subject: [ISN] NSPW 2005 Call For Papers
Message-ID:

Forwarded from: Abe Singer

Call for Papers
New Security Paradigms Workshop
Lake Arrowhead, California, USA
September 20-23, 2005
http://www.nspw.org

Background

NSPW is a unique workshop that is devoted to the critical examination of new paradigms in security.
We solicit and accept papers on any topic in information security subject to the following caveats:

* Papers that present a significant shift in thinking about difficult security issues are welcome.

* Papers that build on a previous shift are also welcome.

* Contrarian papers that dispute or call into question accepted practice or policy in security are also welcome.

* We solicit papers that are not technology centric, including those that deal with public policy issues and those that deal with the psychology and sociology of security theory and practice.

* We discourage papers that represent established or completed works as well as those that substantially overlap other submitted or published papers.

* We encourage a high level of scholarship on the part of contributors. Authors are expected to be aware of related prior work in their topic area, even if it predates Google. In the course of preparing an NSPW paper, it is far better to read an original source than to cite a text book interpretation of it.

Our program committee particularly looks for new paradigms, innovative approaches to older problems, early thinking on new topics, and controversial issues that might not make it into other conferences but deserve to have their try at shaking and breaking the mold.

Participation in the workshop is limited to authors of accepted papers and conference organizers. Each paper is typically the focus of 45 to 60 minutes of presentation and discussion. Prospective authors are encouraged to submit ideas that might be considered risky in some other forum, and all participants are charged with providing feedback in a constructive manner. The resulting intensive brainstorming has proven to be an excellent medium for furthering the development of these ideas. The proceedings, which are published after the workshop, have consistently benefited from the inclusion of workshop feedback.
Call for Papers

We welcome three categories of submission:

* Research papers should be of a length commensurate with the novelty of the paradigm and the amount of novel material that the reviewer must assimilate in order to evaluate it.

* Position papers should be 5 - 10 pages in length and should espouse a well reasoned and carefully documented position on a security related topic that merits challenge and / or discussion.

* Discussion topic proposals. Discussion topic proposals should include an in-depth description of the topic to be discussed, a convincing argument that the topic will lead to a lively discussion, and supporting materials that can aid in the evaluation of the proposal. The latter may include the credentials of the proposed discussants. Discussion topic proposers may want to consider involving conference organizers or previous attendees in their proposals.

Important Dates

* Submission deadline: Monday, 28 March 2005.
* Notification of acceptance: Monday, 30 May, 2005.

Submission

Submissions must include the following:

* The submission in PDF format, viewable by Adobe Acrobat reader.

* A justification for inclusion in NSPW. Specify the category of your submission and describe, in one page or less, why your submission is appropriate for the New Security Paradigms Workshop. A good justification will describe the new paradigm being proposed, explain how it departs from existing theory or practice, and identify those aspects of the status quo it challenges or rejects. The justification is a major factor in determining acceptance.

* An Attendance Statement specifying how many authors wish to attend the workshop. Accepted papers require the attendance of at least one author. Attendance is limited, and we cannot guarantee space for more than one author.

No submission may have been published elsewhere nor may a similar submission be under consideration for publication or presentation in any other forum during the NSPW review process.
In order to ensure that all papers receive equally strong feedback, all attendees are expected to stay for the entire duration of the workshop. We expect to offer a limited amount of financial aid to those who require it.

See http://www.nspw.org for details of the workshop policies and for submission procedures.

Further Information

Simon Foley, General Chair
University College Cork
s.foley@cs.ucc.ie

Abe Singer, Vice Chair
San Diego Supercomputer Center
abe@sdsc.edu

John McHugh, Program Chair
SEI/CERT
jmchugh@cert.org

Bob Blakley, Program co-Chair
IBM
blakley@us.ibm.com

Karl Levitt, Local Chair
UC Davis
levitt@cs.ucdavis.edu

NSPW is an ACSA Workshop

From isn at c4i.org Tue Feb 8 03:52:11 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 8 03:58:11 2005
Subject: [ISN] Linux Security Week - February 7th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  February 7th, 2005                           Volume 6, Number 6n   |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin D. Thomas      ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Getting to Know Linux Security: File Permissions," "Reporting Kernel Security Issues," and "Linux software can secure an entire network."

---

>> LINUX SECURITY LIVE CHAT <<

Tuesday, February 8th 2005 from 11am-12pm EST.
Title: Real World Linux Security
Featured Guest: Bob Toxen

Visit: http://www.linuxsecurity.com for information on how to participate!
---

LINUX ADVISORY WATCH:

This week, advisories were released for squirrelmail, prozilla, cpio, openswan, enscript, zlib, gaim, cvs, openssl, curl, ruby, rhgh, file, net-tools, gimp, squid, dump, mc, dbus, kdepim, xpdf, kernel, ngIRCd, tikiwiki, f2c, ncfs, clamav, imap, chbg, vim, perl-dbi, and ethereal. The distributors include Debian, Fedora, Gentoo, Mandrake, and Red Hat.

http://www.linuxsecurity.com/content/view/118183/150/

---------------

Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, therefore very simple.

http://www.linuxsecurity.com/content/view/118181/49/

---

The Tao of Network Security Monitoring: Beyond Intrusion Detection

The Tao of Network Security Monitoring is one of the most comprehensive and up-to-date sources available on the subject. It gives an excellent introduction to information security and the importance of network security monitoring, offers hands-on examples of almost 30 open source network security tools, and includes information relevant to security managers through case studies, best practices, and recommendations on how to establish training programs for network security staff.

http://www.linuxsecurity.com/content/view/118106/49/

---

Encrypting Shell Scripts

Do you have scripts that contain sensitive information like passwords and you pretty much depend on file permissions to keep it secure? If so, then that type of security is good provided you keep your system secure and some user doesn't have a "ps -ef" loop running in an attempt to capture that sensitive info (though some applications mask passwords in "ps" output).
http://www.linuxsecurity.com/content/view/117920/49/

--------

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* Linux Security Cookbook
  3rd, February, 2005

I read this book from cover to cover and consider it a great effort by the authors to cover many security issues related to not just Linux, but most *nix operating systems. Here's a chapter by chapter review of what I've observed in the book.

http://www.linuxsecurity.com/content/view/118173

* Microsoft Claims Linux Security a Myth
  31st, January, 2005

Microsoft bigwig Nick McGrath claims that Linux security is highly exaggerated, and that the open source development model is 'fundamentally flawed.' The gist of his argument appears to be his claim of lack of accountability among distributors, coupled with generic statements short on facts. 'Who is accountable for the security of the Linux kernel? Does Red Hat, for example, take responsibility? It cannot, as it does not produce the Linux kernel. It produces one distribution of Linux.'

http://www.linuxsecurity.com/content/view/118125

* Home User Security Guide
  1st, February, 2005

I know many of you have received some nice to tech toys for Christmas recently, so it's time to talk about making them secure and keeping them that way.
http://www.linuxsecurity.com/content/view/118147

* Reporting Kernel Security Issues
  2nd, February, 2005

A lengthy and interesting thread was started on the lkml by Chris Wright looking to define a centralized place to report security issues in the Linux Kernel. Chris offered his services in getting things set up, addressing his email to Linus Torvalds, Andrew Morton [interview], Alan Cox [interview] and Marcelo Tosatti [interview]. He explained that he wanted to centralize the information "to help track it, make sure things don't fall through the cracks, and make sure of timely fix and disclosure". The resulting discussion was joined by numerous members of the kernel hacking community, exposing a wide range of opinions.

http://www.linuxsecurity.com/content/view/118161

* Linux can secure entire network
  3rd, February, 2005

Tested over three months at IBM's Linux Test Integration Center (LTIC) by a seven-person team, the 87-page report [pdf] titled "Linux Security: exploring open source security for a Linux server environment" set out to test a wide range of open-source Linux products supported by IBM to see whether they could adequately protect a middleware environment. Only open source products were us

http://www.linuxsecurity.com/content/view/118174

* Linux software can secure an entire network
  3rd, February, 2005

An IBM report that tested the suitability of Linux software to secure a network in its entirety has come to light months after it was originally published.

http://www.linuxsecurity.com/content/view/118179

* Linux is mission critical for Czechs
  31st, January, 2005

The Czech postal service is putting its faith in open source, by migrating a vital application onto SuSE Linux

http://www.linuxsecurity.com/content/view/118135

* Penguins at the Gate
  2nd, February, 2005

Only a few open-source vendors have borne the time and expense of having their software EAL-certified.
Red Hat and Novell's SuSE Linux attained EAL3+ ratings in the last year, but many other vendors have yet to do the same. This raises a fundamental question: Does open-source software need security certifications to win global acceptance?

http://www.linuxsecurity.com/content/view/118162

* IBM study tests Linux security
  31st, January, 2005

To test open source security products, a study was conducted over a period of three months at the IBM Linux Test Integration Center. The goal for the security study was to deploy and compare various open source security tools that were available for free in the industry, and provide solution recommendations.

http://www.linuxsecurity.com/content/view/118129

* Linux security is a 'myth', claims Microsoft
  1st, February, 2005

A senior Microsoft executive, speaking exclusively to vnunet.com, has dismissed Linux's reputation as a secure platform as a "myth", claiming that the open source development process creates fundamental security problems.

http://www.linuxsecurity.com/content/view/118142

* Best Security Software Solution Live Voting
  2nd, February, 2005

SYS-CON's Readers' Choice Awards program is considered to be the most prestigious award program of the software industry and is often referred to as "the Oscars of the software industry." The products participating in the program are nominated by their vendors, customers, users, or SYS-CON readers. This year a record number of companies and products were nominated. Below is a list of all companies and products participating in the 2005 Readers' Choice Awards in each category.

http://www.linuxsecurity.com/content/view/118160

* Identity Management: Controlling the Costs of Continuous Compliance
  3rd, February, 2005

There are a number of technologies that can streamline your compliance effort so that your company remains compliant without incurring burdensome recurring costs.
One such technology is identity management, which can help to establish repeatable, sustainable, cost-effective processes that respond quickly to organizational changes, enable continuous compliance and security, and create auditable histories of who had access to what information.

http://www.linuxsecurity.com/content/view/118180

* MS Security Program No Threat to Linux, Advocate Says
4th, February, 2005

Bruce Perens, co-founder of the Open Source Initiative and leader of the Debian GNU/Linux distribution, said he believes Linux is simply more secure and can respond to potential threats at any time since it has an international developer base.

http://www.linuxsecurity.com/content/view/118189

* RFID Vulnerability Expose
1st, February, 2005

A vulnerability in radio-frequency ID chips could put millions of users of wireless car key tags or speed pass payment devices at risk, according to a recent study by researchers at Johns Hopkins University and RSA Laboratories.

http://www.linuxsecurity.com/content/view/118152

* Manhunt for Filipino hacker ensues
1st, February, 2005

A manhunt for the alleged Filipino hacker of the government portal "gov.ph" and other government websites was launched after the suspect went into hiding, the police said Tuesday.

http://www.linuxsecurity.com/content/view/118149

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue Feb 8 03:52:41 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 8 03:58:14 2005
Subject: [ISN] CodeCon Reminder
Message-ID:

Forwarded from: Len Sassaman

We'd like to remind those of you planning to attend that CodeCon is fast approaching.

CodeCon is the premier event in 2005 for the, and application developer community.
It is a workshop for developers of real-world applications with working code and active development projects.

Past presentations at CodeCon have included the file distribution software BitTorrent, the Peek-A-Booty anti-censorship application, the email encryption system PGP Universal, and Audacity, a powerful audio editing tool.

Some of this year's highlights include Off-The-Record Messaging, a privacy-enhancing encryption protocol for instant-message systems, SciTools, a web-based toolkit for genetic design and analysis, and Incoherence, a novel stereo sound visualization tool.

CodeCon registration is discounted this year: $80 for cash at the door registrations. Registration will be available every day of the conference, though tickets are limited, and attendees are encouraged to register on the first day to secure admission.

CodeCon will be held February 11-13, noon-6pm, at Club NV (525 Howard Street) in San Francisco.

For more information, please visit http://www.codecon.org.

From isn at c4i.org Tue Feb 8 03:53:40 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 8 03:58:16 2005
Subject: [ISN] Privacy, Security, Trust 2005 Conference - Oct 12th...14th
Message-ID:

Forwarded from: Mark Bernard

Dear Associates,

Here's an event that might interest a few members conducting research in Privacy, Security and Trust areas;

http://www.unb.ca/pstnet/pst2005/index.html

fyi.... Americans travelling to Canada for conferences can get GST taxes returned to them for money spent on accommodations, gifts, etc... through the Canadian Visitor Rebate program. You can mail your receipts in or stop by the border and get cash-back on the spot at designated spots. For more information on VRP's here is the link;

http://www.cra-arc.gc.ca/tax/nonresidents/visitors/tax-e.html

Best regards, Mark.

Mark E. S.
Bernard, CISM, CISSP, PM,
Co-chair HTCIA IEC Membership Committee & Chairman, AC-HTCIA Media & Communications, Moncton 2005
e-mail: Mark.Bernard@TechSecure.ca
Web: http://www.NB-HTCIA.org & http://www.htcia.org
Phone: (506) 325-0444

Leadership Quotes by John Quincy Adams: "If your actions inspire others to dream more, learn more, do more and become more, you are a leader."

From isn at c4i.org Tue Feb 8 03:53:55 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 8 03:58:19 2005
Subject: [ISN] Experts: International domain names may pose threat
Message-ID:

http://www.nwfusion.com/news/2005/0207experinter.html

By Paul Roberts
IDG News Service
02/07/05

Security experts are warning about a new threat to Web surfers: malicious Web sites that use international domain names to spoof the Web addresses of legitimate sites.

The new trick is a variation of a known technique called the "homograph attack" and takes advantage of loopholes in the way some popular Web browsers display domain names that use non-English characters. It could allow malicious hackers and online identity theft groups to trick unsuspecting users into divulging sensitive personal information, according to advisories from The Shmoo Group, a hacker collective, and Secunia.

The warning was published after a demonstration of the new kind of homograph attacks at ShmooCon, a hacker convention in Washington, D.C. Secunia, of Copenhagen, issued advisories on the new issue for users of affected browsers and declared the issue "moderately critical."

Homograph attacks are a well-known trick in which character resemblance, for example, between the letter "O" and the number "0" is used to fool users into thinking that a bogus Web site actually belongs to a legitimate company. For example, malicious hackers might register the domain www.pcw0rld.com and design it to mimic the popular computer news Web site.
The latest threat was first described by Evgeniy Gabrilovich and Alex Gontmakher, computer science students at Technion, the Israel Institute of Technology.

The attack takes advantage of changes supported by Internet standards bodies such as the Internet Engineering Task Force (IETF) to allow domain names to be registered in national alphabets using non-English characters. The new Internationalized Domain Name (IDN) program makes it easier for non-English speakers to use the Web but also creates opportunities for malicious hackers, Gabrilovich and Gontmakher wrote.

For example, attackers could register a Web domain bloomberg.com, which looks identical to the popular business news Web site, but in which the letters "o" and "e" have been substituted with identical-looking substitutes from the Cyrillic alphabet, used in the Russian language, creating a new domain, the authors said.

In another example, the authors registered the domain www.microsoft.com, in which the English letters "c" and "o" in that domain were substituted with their Cyrillic counterparts.

Links to the bogus Web sites in e-mail messages could be disguised by hiding the actual URL with non-English characters, such as "http://www.p.ypal.com," in the HTML code of the e-mail message. Affected Web browsers would make the trick work by cleaning up that URL and displaying it with the international character. In this example, it would look like www.paypal.com, said Dan Hubbard, senior director at WebSense.

Some popular Web browsers, including The Mozilla Foundation's Firefox 1.0, Apple's Safari Version 1.2.5 and Opera Software ASA's Version 7.54 browser all render the IDN characters in a way that could be used in an attack, according to details released by The Shmoo Group.

Ironically, Microsoft's Internet Explorer browser, a popular target for Web-based attacks, is not vulnerable to the IDN homograph attack, The Shmoo Group said.
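The substitution described above is easy to make visible once the hostname is inspected as code points rather than as rendered glyphs. The following is an added example, not part of the article or of The Shmoo Group's advisory: it takes a displayed hostname, reports the ASCII-compatible "xn--" form a resolver actually queries, flags labels that mix Latin and Cyrillic letters, and lists which characters are known Cyrillic look-alikes (the look-alike table is a small hand-picked subset, and the sample hostnames are constructed in the spirit of the bloomberg and microsoft examples in the text).

```python
"""Added example: surface IDN homograph look-alikes in a hostname.

Shows what the "paste the link into a text editor" advice reveals: the
real code points behind a displayed name and its punycode (ACE) form.
"""
import unicodedata

# Assumption: a small subset of Unicode confusables, mapping Cyrillic
# lower-case letters to the Latin letters they resemble in common fonts.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0455": "s", "\u0458": "j",
}


def script_of(ch):
    """First word of the Unicode character name, e.g. LATIN or CYRILLIC."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def analyze_hostname(host):
    """Return a report describing why a hostname may be a homograph."""
    host = host.lower()
    mixed_labels = []   # labels whose letters come from more than one script
    lookalikes = []     # (char, code point, Latin letter it resembles)
    for label in host.split("."):
        scripts = {script_of(ch) for ch in label if ch.isalpha()}
        if len(scripts) > 1:
            mixed_labels.append(label)
        for ch in label:
            if ch in CYRILLIC_LOOKALIKES:
                lookalikes.append((ch, "U+%04X" % ord(ch), CYRILLIC_LOOKALIKES[ch]))
    # ASCII-compatible encoding: the form that is actually resolved; an IDN
    # label comes out with the "xn--" prefix, a plain ASCII label is unchanged.
    ace = host.encode("idna").decode("ascii")
    # "Skeleton": the Latin name a user would believe they are looking at.
    skeleton = "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in host)
    return {
        "display": host,
        "ace": ace,
        "is_idn": ace != host,
        "mixed_script_labels": mixed_labels,
        "lookalikes": lookalikes,
        "latin_skeleton": skeleton,
        "suspicious": bool(mixed_labels or lookalikes),
    }


# Constructed sample hostnames: Latin names with a few Cyrillic substitutes,
# as the article describes for bloomberg.com and microsoft.com.
BLOOMBERG_LOOKALIKE = "bl\u043e\u043emb\u0435rg.com"      # Cyrillic o, o, e
MICROSOFT_LOOKALIKE = "mi\u0441r\u043es\u043eft.com"       # Cyrillic c, o, o
LEGIT = "www.paypal.com"

if __name__ == "__main__":
    for name in (LEGIT, BLOOMBERG_LOOKALIKE, MICROSOFT_LOOKALIKE):
        report = analyze_hostname(name)
        print("display=%(display)s ace=%(ace)s suspicious=%(suspicious)s "
              "looks_like=%(latin_skeleton)s" % report)
        for ch, cp, latin in report["lookalikes"]:
            print("  %s (%s) resembles Latin '%s'" % (ch, cp, latin))
```

The same per-label mixed-script check is what later browser IDN display policies and the Unicode confusables data formalise; here it is enough to turn a visually identical name into one that prints as xn--.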
The homograph vulnerability has been talked about for a long time but has not been commonly used because Internet domain name registrars didn't support IDN. Now that many registrars do support it, the homograph attacks carry more weight, Hubbard said.

"It's just another method for phishers to use," he said.

The vulnerability will be particularly useful for attacking Web surfers who are using browsers other than Internet Explorer, and phishing scam artists may develop scams to use it when they detect that a potential victim is on a browser other than IE, he said.

Web users were advised not to follow Web links from untrusted sources and to type in Web domains manually when in doubt. Internet users can also cut and paste suspect Web links into Windows Notepad or other text readers to see what character set the URL is written in, The Shmoo Group said.

Firefox supports IDN by default, but users can disable it by typing about:config into the browser's address bar, locating the network.enableIDN option, and double clicking on it to set it to "false."

From isn at c4i.org Tue Feb 8 03:54:17 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 8 03:58:21 2005
Subject: [ISN] Hold the Phone, VOIP Isn't Safe
Message-ID:

http://www.wired.com/news/technology/0,1282,66512,00.html

By Elizabeth Biddlecombe
Feb. 07, 2005

In recognition of the fact that new technologies are just as valuable to wrongdoers as to those in the right, a new industry group has formed to look at the security threats inherent in voice over internet protocol.

The VOIP Security Alliance, or VOIPSA, launches on Monday. So far, 22 entities, including security experts, researchers, operators and equipment vendors, have signed up. They range from equipment vendor Siemens and phone company Qwest to research organization The SANS Institute.

They aim to counteract a range of potential security risks in the practice of sending voice as data packets, as well as educate users as they buy and use VOIP equipment.
An e-mail mailing list and working groups will enable discussion and collaboration on VOIP testing tools.

VOIP services have attracted few specific attacks so far, largely because the relatively small number of VOIP users doesn't make them a worthwhile target. (A report from Point Topic in December counted 5 million VOIP users worldwide.) But security researchers have found vulnerabilities in the various protocols used to enable VOIP. For instance, CERT has issued alerts regarding multiple weaknesses with SIP (session initiation protocol) and with H.323.

Over the past year, experts have repeatedly warned that VOIP abuse is inevitable. The National Institute of Standards and Technology put out a report last month urging federal agencies and businesses to consider the complex security issues often overlooked when considering a move to VOIP. NIST is a member of VOIPSA.

"It is really just a matter of time before it is as widespread as e-mail spam," said Michael Osterman, president of Osterman Research.

Spammers have already embraced "spim" (spam over instant messaging), say the experts. Dr. Paul Judge, chief technology officer at messaging-protection company CipherTrust, says 10 percent of instant-messaging traffic is spam, with just 10 to 15 percent of its corporate clients using IM.

"It is where e-mail was two and a half years ago," said Judge. To put that in perspective, according to another messaging-protection company, FrontBridge Technologies, 17 percent of e-mail was spam in January 2002. It put that figure at 93 percent in November 2004.

So the inference is that "spit" (spam over internet telephony) is just around the corner. Certainly, the ability to send out telemarketing voicemail messages with the same ease as blanket e-mails makes for appealing economics.

Aside from the annoyance this will cause, the strain on network resources when millions of 100-KB voicemail messages are transmitted, compared with 5- or 10-KB e-mails, will be considerable.
But the threat shouldn't be couched solely within the context of unlawful marketing practices. Users might also see the audio equivalent of phishing, in which criminals leave voicemails pretending to be from a bank, said Osbourne Shaw, whose role as president of ICG, an electronic forensics company, has led him to try buying some of the goods advertised in spam.

In fact, according to David Endler, chairman of the VOIP Security Alliance and director of digital vaccines at network-intrusion company TippingPoint, there are many ways to attack a VOIP system.

First, VOIP inherits the same problems that affect IP networks themselves: Hackers can launch distributed denial of service attacks, which congest the network with illegitimate traffic. This prevents e-mails, file transfers, web-page requests and, increasingly, voice calls from getting through. Voice traffic has its own sensitivities, which mean the user experience can easily be degraded past the point of usability.

Furthermore, additional nodes of the network can be attacked with VOIP: IP phones, broadband modems and network equipment, such as soft switches, signaling gateways and media gateways.

Endler paints a picture in which an attack on a VOIP service could mean people would eavesdrop on conversations, interfere with audio streams, or disconnect, reroute or even answer other people's phone calls. This is a concern to the increasing number of call centers that put both their voice and data traffic on a single IP network. It is even more of a concern for 911 call centers.

But Louis Mamakos, chief technology officer at broadband telephony provider Vonage, says he and his team "spend a lot of time worrying about security" but the problems the company has seen so far have centered on "more pedestrian" threats like identity theft.

Vonage has not yet signed up for the VOIP Security Alliance, said Mamakos, and employees already spend a lot of time working on security issues with technology providers.
"I'm not sure if (VOIPSA) is a solution to a problem we don't have yet," he said. "We need to judge what the incremental value is in working with another organization."

He also talked about how hard it would be to break into Vonage's service. Access to Vonage's signaling traffic requires authentication. The infrastructure is much more distributed than the websites that have been taken offline by denial of service attacks. And anyone wanting to eavesdrop on a Vonage phone conversation would have to be physically very close to the broadband connection leading to the target, as the farther away the eavesdropper is, the more commingled the target's voice traffic will be with other traffic on the network.

Meanwhile Kelly Larrabee, a spokeswoman for the peer-to-peer VOIP provider Skype, noted that Skype users control what information about themselves is available and who can contact them. She also said end-to-end encryption is used to protect voice conversations. The only vulnerability so far, aside from uncertified third-party applications, is through file transfers -- and again, this is under user control.

But these words could be like a red rag to a bull. As one commentator put it, a continuous duel is going on between network users and abusers, and spammers and hackers could well be reading this article. This poses the question of whether a group like the VOIP Security Alliance should refrain from announcing its efforts in the media and from making its membership and e-mail list free and open to all.

In response, said VOIPSA's Endler, "The people we really have to worry about are already thinking about (how to misuse VOIP)." Today's effort is to ensure that VOIP systems are reinforced "before it gets to the point that there are easily available tools for the script kiddies to use," he said.
From isn at c4i.org Tue Feb 8 03:54:31 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 8 03:58:24 2005
Subject: [ISN] Bush backs boost for cybersecurity
Message-ID:

http://www.fcw.com/fcw/articles/2005/0207/web-lob-02-07-05.asp

By David Perera
Feb. 7, 2005

President Bush's proposed budget for fiscal 2006 would spend 7 percent more on information technology security year-over-year and add cybersecurity to the stable of cross-agency lines of business.

The budget request calls for a 7.2 percent increase in IT security spending for the coming year to $1.685 billion, up from the $1.572 billion congressional appropriations approved for fiscal 2005. The greatest change, in percentage and absolute terms, occurs in the Justice Department. Officials from that Cabinet agency want about $254.6 million in fiscal 2006, or 20.7 percent more than the $210.9 million approved for this fiscal year.

Cybersecurity and information sharing are the two new cross-agency lines of business, according to a recent presentation from the Office of Management and Budget. OMB officials postulate that consolidation of common cybersecurity processes, services and technologies could improve government performance while driving down costs.

Their decision to add two lines of business brings the number of such efforts to seven. The original five cost-saving efforts were launched in March 2004 as a way of consolidating federal agencies' back-office functions by creating cross-agency service centers and implementing common IT architectures.

Of the existing lines of business, federal health architecture has so far been the most expensive in terms of development, modernization or enhancement funds spent and requested. Officials managing that line of business are spending $1.6 billion during fiscal 2005, and are requesting $1.9 billion for fiscal 2006. The initial target architecture for management of government health information is due by the end of fiscal 2005.
Officials for the financial management line of business have spent or are requesting less than half the health architecture effort. Fiscal 2005 spending amounts to $612 million; the fiscal 2006 request is for $666 million. As part of the fiscal 2006 budget request, federal officials selected four agencies to provide cross-agency financial service management. Agencies may begin shutting off their own financial systems this fiscal year.

The human resources management line of business is responsible for $202 million in expenses this fiscal year and expects to spend $164 million in fiscal 2006. Federal officials today publicly named cross-agency service providers for this line.

Officials for the case management line of business are spending $120 million this year and want to spend $152 million in fiscal 2006.

From isn at c4i.org Tue Feb 8 03:54:44 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 8 03:58:26 2005
Subject: [ISN] Tester claims 90% of VPNs open to hackers
Message-ID:

http://www.computerweekly.com/articles/article.asp?liArticleID=136571

By Antony Savvas
8 February 2005

Security testing company NTA Monitor has claimed that 90% of virtual private networks are open to hackers.

Over a three-year period of testing VPNs at large companies, NTA Monitor said 90% of remote access VPN systems have exploitable vulnerabilities, even though many companies, including financial institutions, have in-house security teams.

Flaws include "user name enumeration vulnerabilities" that allow user names to be guessed through a dictionary attack because they respond differently to valid and invalid user names.

Roy Hills, NTA Monitor technical director, said, "One of the basic requirements of a user name/password authentication is that an incorrect log-in attempt should not leak information as to whether the user name or password is incorrect. However, many VPN implementations ignore this rule."
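The rule Hills states is easy to break by accident: a login routine that takes a different branch for "no such user" than for "wrong password" leaks through its error text and through how much work it does. The following is an added example, not code from NTA Monitor or from the article: a password check written the leaky way beside one that returns the same outcome and performs the same hashing work for both failure causes, plus the one-line check a tester would run against each. The user store and passwords are constructed; PBKDF2 is used as a stand-in for whatever a real VPN gateway verifies against.

```python
"""Added example: user name enumeration in a login check, and its fix."""
import hashlib
import hmac
import os

ITERATIONS = 50_000


def _hash(password, salt):
    """Slow password hash; the work it costs is part of the side channel."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: user names based on e-mail addresses, as the
# article notes is common, which makes them easy to guess in bulk.
_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}

# Dummy record so an unknown user name costs exactly one hash, like a real one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(os.urandom(16).hex(), _DUMMY_SALT)


def leaky_login(username, password):
    """Vulnerable pattern: a different message (and no hashing at all)
    when the user name does not exist, so failures are distinguishable."""
    record = USERS.get(username)
    if record is None:
        return (False, "unknown user name")
    salt, expected = record
    if hmac.compare_digest(_hash(password, salt), expected):
        return (True, "ok")
    return (False, "incorrect password")


def hardened_login(username, password):
    """Same outcome and same work for both failure causes: always hash
    against a real or dummy record, then return one generic failure."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash(password, salt), expected)
    # The dummy hash was made from random bytes, so it cannot match; the
    # explicit membership check just keeps the logic obviously correct.
    ok = matched and username in USERS
    return (ok, "ok" if ok else "authentication failed")


def leaks_usernames(login_fn, known_user, unknown_user):
    """Tester's check: with a wrong password either way, does the response
    differ between a valid and an invalid user name?"""
    wrong = "definitely-not-the-password"
    return login_fn(known_user, wrong) != login_fn(unknown_user, wrong)


if __name__ == "__main__":
    for fn in (leaky_login, hardened_login):
        print(fn.__name__, "leaks user names:",
              leaks_usernames(fn, "alice@example.com", "nobody@example.com"))
```

The same comparison applies to timing and to protocol-level differences (a VPN gateway that answers a valid user with a challenge and an invalid one with an error leaks just as surely as one that says so in words).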
The fact that VPN user names are often based on people's names or e-mail addresses makes it relatively easy for an attacker to use a dictionary attack to recover a number of valid user names in a short period of time, said Hills.

Passwords can also be made harder to crack by deploying a mixture of characters and numbers. Hills said a six-character password can be cracked in about 16 minutes using standard "brute force" cracking software. However, a six-character password combining letters and numbers could take two days to crack.

From isn at c4i.org Tue Feb 8 03:55:20 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 8 03:58:29 2005
Subject: [ISN] Webroot Software Resigns from COAST
Message-ID:

Forwarded from: Paul Laudanski

Original: http://castlecops.com/article-5721-nested-0-0.html

In a very interesting turn around for COAST's credibility (and that of the folks who continue to remain as members), Webroot Software issued a press release:

http://castlecops.com/article-5719-nested-0-0.html

"Webroot Software announced today that after careful consideration, the company has decided to withdraw its membership from the Consortium of Anti-Spyware Technology Vendors (COAST). The company issued the following statement:

Webroot has always considered our obligations to our customers as our most important mission as a company. We believe their protection, privacy and peace of mind are paramount and have developed products and supported public policies that reflect that view. Our founding of the Consortium of Anti-Spyware Technology Vendors, or COAST, also reflected that position."

There is a very odd and long history about COAST. COAST was founded by other companies including Aluria Software. Aluria Software last year gave "Spyware Safe" status to WhenU. COAST recently added 180solutions to its membership. And now Webroot has left this organization.
http://castlecops.com/article5669.html

Some interesting information about Aluria Software and their delisting of WhenU for their antispyware product, including how America Online insisted WhenU stay listed for their AOL members:

http://castlecops.com/article-5524-nested-0-0.html

20 questions were sent to Aluria and they answered, electing not to answer one critical question about why two dictionaries exist:

http://castlecops.com/article5618.html

1) AOL insists on WhenU being listed in Aluria's Spyware Eliminator
2) Outside of AOL, WhenU was listed as "Spyware Safe" and delisted in Aluria's Spyware Eliminator

Out of roughly 1500 respondents, 85% no longer trust Aluria:

http://castlecops.com/modules.php?name=Surveys&op=results&pollID=28&mode=nested&order=0&thold=0

Could COAST be Toast? Wayne Porter from Revenews decidedly thinks so:

http://www.revenews.com/wayneporter/archives/000389.html#more

Lavasoft was another defector from the COAST organization much earlier. It appears that with all the anti-spyware folks leaving COAST, the companies who remain are called into question on their motives.

John Dvorak in his CBS Marketwatch weekly column stated:

http://www.marketwatch.com/news/yhoo/story.asp?guid={65E7967A-DA81-451C-BE78-B5552FAC958C}&siteid=myyahoo&dist=myyahoo

"There are many others including the highly regarded Spyware Eliminator from Aluria which seems to be in the middle of a conflict of interest debate you can read about at the Castlecops website at http://castlecops.com/article-5523-nested-0-0.html. Currently I cannot recommend this program until these issues are resolved."

"Will COAST be Toast?"
"Will Aluria be Eliminated?"

Aluria has already taken measures in the past to stop comments about their own privacy policy.
One smart reader spotted an old cache archive and found that Spywareguide was correct:

http://castlecops.com/article-5516-nested-0-0.html

A website called AdwareReport was highly critical of the Spywareguide article, but history has shown that Spywareguide reported on factual -- albeit dated -- Aluria privacy policy.

BroadbandReports picked up on this Aluria defending their certification of WhenU:

http://www.broadbandreports.com/shownews/58066?r=236

It appears that here too, public commentary does not favor Aluria.

WildersSecurity picked up the story and made "The Lure of Aluria" available for readers:

http://www.wilderssecurity.com/showthread.php?t=55643

This was one of the articles Spywareguide was ordered by Aluria to cease and desist.

Earlier Suzi at SpywareWarrior is Baffled by Aluria:

http://netrn.net/spywareblog/archives/2004/11/22/baffled-by-aluria/

SpywareInfo delisted Aluria from their database:

http://www.spywareinfo.com/newsletter/archives/1104/4.php

The companies that exist as members of COAST today (notice Webroot was not yet removed):

http://www.coast-info.org/members.htm

1) http://www.pestpatrol.com/
2) http://www.aluriasoftware.com/
3) http://www.webroot.com/wb/index.php (Announced today they are no longer a member)
4) http://www.noadware.net/
5) http://www.new.net/
6) http://www.weatherbug.com/

It also appears 180solutions is not listed in the membership yet either.
Weatherbug has known spyware:

http://castlecops.com/startuplist-395.html
http://castlecops.com/startuplist-2128.html

180solutions known spyware:

http://castlecops.com/startuplist-4847.html
http://castlecops.com/startuplist-5203.html
http://castlecops.com/startuplist-4691.html
http://castlecops.com/startuplist-5012.html
http://castlecops.com/startuplist-5150.html
http://castlecops.com/startuplist-5247.html
http://castlecops.com/startuplist-5275.html
http://castlecops.com/startuplist-6245.html
http://castlecops.com/startuplist-6574.html
http://castlecops.com/startuplist-6832.html

I'm sure the public would like to know from Computer Associates who now own PestPatrol. Will they continue to remain partners with COAST?

As Wayne put it, "Is COAST Toast"?

trackbacks:
http://alpha.revenews.com/MT/mt-tb.cgi/337
http://castlecops.com/trackback/News/5719

--
Regards,
Paul Laudanski - Computer Cops, LLC.
CastleCops(SM) - http://castlecops.com
http://cuddlesnkisses.com | http://justalittlepoke.com | http://zhen-xjell.com

From isn at c4i.org Wed Feb 9 07:01:17 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Feb 9 07:05:37 2005
Subject: [ISN] FBI Van Burglarized; SWAT Rifles, Ammo Taken
Message-ID:

http://www.news4jax.com/news/4173456/detail.html

[You would think having this fresh on their minds...
http://www.cnn.com/US/9706/04/fbi.theft/
and maybe this...
http://seclists.org/lists/isn/2002/Aug/0038.html
you'd be a little more careful with what you leave unguarded - WK]

February 7, 2005

JACKSONVILLE, Fla. -- Four sniper rifles, scopes and ammunition were stolen from an FBI SWAT van parked outside a Baymeadows Road hotel before dawn Sunday.

The FBI said the guns belonged to a team from Atlanta in Jacksonville to provide extra security for the Super Bowl. A spokesman for the FBI said authorities are concerned these weapons are out on the street and are doing everything possible to try and find whoever took them.
Four high-powered rifles with scopes and 80 rounds of 308 ammunition were taken from the unmarked, locked van parked outside the Holiday Inn at Baymeadows and Interstate 95.

An agent parked the van at 3:45 a.m. and discovered a few hours later the padlock cut and van burglarized. An internal investigation is under way.

The FBI asks anyone with information that could help recover the rifles to call their Jacksonville office at (904) 721-1211.

From isn at c4i.org Wed Feb 9 07:01:44 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Feb 9 07:05:40 2005
Subject: [ISN] Microsoft issues 12 patches, eight of them for 'critical' flaws
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,99621,00.html

By Paul Roberts
FEBRUARY 08, 2005
IDG NEWS SERVICE

On the same day that it announced a deal to acquire antivirus software vendor Sybari Software Inc., Microsoft Corp. today released a total of 12 software patches designed to fix 16 vulnerabilities in Windows, Office and other products.

Eight of the new patches are for "critical" security holes that could be used to run malicious code on affected computers, Microsoft said. The group of fixes represents one of the largest single-day releases of software updates since Microsoft switched to a monthly patching approach in October 2003.

Microsoft provided patches for almost every supported version of Windows, including the recently issued Windows XP Service Pack 2. The company is trying to plug security holes in critical Windows components and in products such as its Internet Explorer Web browser and MSN Messenger instant messaging application.

The most serious problems that Microsoft is trying to address with this month's patch release include the following:

* A vulnerability in a component of MSN Messenger that renders the Portable Network Graphics image files used to display icons, such as smiley faces.
If the flaw is successfully exploited, malicious code could be hidden in a buddy icon and launched whenever MSN users load their IM contact lists, Microsoft said.

* A flaw in the Server Message Block (SMB) protocol that affects Windows XP, Windows 2000 and Windows Server 2003 and could be used to launch attacks on vulnerable systems from Web pages. SMB is used to communicate between Windows machines and to share network resources such as printers and files.

* A vulnerability in the License Logging Service (LLS) used in Windows Server 2003, Windows 2000 and Windows NT Server 4.0. The logging service is a tool that helps customers manage software licenses for Microsoft's server products. The company said a remote attacker could use the vulnerability to cause LLS to fail, creating the potential for denial-of-service attacks on systems running Windows Server 2003. Attackers could install programs; view, change or delete data; or create new user accounts on Windows 2000 and NT Server 4.0 systems, Microsoft added.

* Four holes in Versions 5 and 6 of Internet Explorer. One of the patches includes a fix for a "drag and drop" vulnerability that could allow a remote attacker to use the Web to place an executable file on a Windows system without the user of the machine being shown a dialog box asking for approval for the download.

With the exception of the Internet Explorer holes, Microsoft doesn't know of any active attacks attempting to exploit the vulnerabilities, which were all discovered by security researchers outside of the company, said Stephen Toulouse, program manager at Microsoft's Security Response Center.

Microsoft recommends that companies assess their exposure to the vulnerabilities and apply all applicable software patches as soon as possible, Toulouse said.

Aware of the burden being placed on IT security managers by the large number of patches, Microsoft also released an enterprise-level scanning tool designed to help users detect vulnerable computers.
The new tool supplements the Microsoft Baseline Security Analyzer, according to Microsoft.

The company is also increasing the number of webcasts it holds to discuss deployment of the security updates, anticipating an increased need for help with this month's patch release, Toulouse said.

From isn at c4i.org Wed Feb 9 07:01:58 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Feb 9 07:05:42 2005
Subject: [ISN] Microsoft to buy Sybari
Message-ID:

http://www.fcw.com/fcw/articles/2005/0207/web-sybari-02-08-05.asp

By Rutrell Yasin
Feb. 8, 2005

Microsoft officials are moving into the virus protection business with an agreement to buy Sybari Software, a provider of anti-virus software.

Company officials are counting on the acquisition to further provide enterprise customers with new solutions to protect them from malicious software. Microsoft officials bought Giant Company Software in December to protect Windows users from spyware and other deceptive software.

The purchase of Sybari will aid in protecting messaging and collaboration servers from viruses, worms and spam, Microsoft officials said.

"Enterprise customers face a complex set of attacks through their e-mail and collaboration infrastructure," said Mike Nash, corporate vice president of the Security Business Technology Unit at Microsoft, in a prepared statement.

"Through this acquisition, we're excited to be able to provide customers with a server-level anti-virus solution that delivers advanced file and content-filtering capabilities and the use of multiple scan engines," he said. Nash added that this will give users "the most up-to-date protection possible."

By being embedded within the server infrastructure it protects, Sybari Software provides an additional layer of messaging defense, stopping threats before they reach end users, Microsoft officials said.

In addition, a single Sybari Software product will work with multiple versions of Microsoft Exchange and Lotus Notes.
So when users migrate from one version to the next or deploy multiple versions long term, they can achieve lower maintenance and support costs, officials said.

Sybari also offers solutions for Microsoft Office SharePoint Portal Server 2003 and Microsoft Windows SharePoint Services.

Terms of the acquisition were not announced. Sybari will maintain all current operations until regulatory approval.

Microsoft's move to strengthen virus protection for messaging and collaboration servers does not mean that enterprise customers won't need e-mail and messaging security solutions that offer a broader range of protection, according to officials at Symantec Corp., a leading provider of security management software. Organizations will still need integrated solutions that include scanning, filtering, archiving and recovery over heterogeneous networks, Symantec officials said.

The Sybari "technology may help Microsoft help their customers more easily integrate antivirus solutions with Exchange, but still requires the scanning engines and support infrastructure from third party antivirus and antispam vendors," according to a statement issued by Symantec officials.

"This acquisition does not provide Microsoft with the security and antivirus response infrastructure necessary to support the virus protection needs of enterprise customers. Detection is only as strong as the best engine plugged into the solution," the Symantec statement reads.

From isn at c4i.org Wed Feb 9 07:02:10 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Feb 9 07:05:44 2005
Subject: [ISN] Charges dropped against 'DDoS Mafia'
Message-ID:

http://www.theregister.co.uk/2005/02/08/ddos_mafia_case/

By John Leyden
8th February 2005

US prosecutors have dropped criminal complaints against four of five men accused of offering a denial of service attack for hire.
Paul Ashley, the network administrator of CIT/FooNet, a web and IRC hosting company, and three alleged accomplices, Jonathan David Hall, Joshua James Schichtel, and Richard Roby, were accused of organising attacks against the websites of rivals of Massachusetts businessman Jay Echouafni.

Last month, charges against the group were dismissed at the request of prosecutors, the O'Reilly Network reports. But an investigation remains open and charges could still be brought.

"This just allows us to talk to defence attorneys and negotiate things before having to bring an indictment against a particular individual," prosecution lawyer Arif Alikhan told the O'Reilly Network.

Charges against a fifth suspect in the case, Lee Graham Walker, a British man based in the UK, remain outstanding.

Echouafni, former head of Orbit Communication, an online satellite TV retailer, was indicted separately last summer by a grand jury on five charges of aiding and abetting computer intrusion and conspiracy. He fled bail to become a fugitive from justice. His alleged role as a DDoS kingpin has earned him a spot on the FBI's most wanted list.

From isn at c4i.org Wed Feb 9 07:02:31 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Feb 9 07:05:47 2005
Subject: [ISN] First Monday February 2005
Message-ID:

The February 2005 issue of First Monday (volume 10, number 2) is now available at http://firstmonday.org/issues/issue10_2/

-------

Table of Contents
Volume 10, Number 2 - February 7th 2005

The media's portrayal of hacking, hackers, and hacktivism before and after September 11
by Sandor Vegh
http://firstmonday.org/issues/issue10_2/vegh/

Abstract: This paper provides a thorough analysis of the mainstream media representation of hackers, hacking, hacktivism, and cyberterrorism. The intensified U.S. debate on the security of cyberspace after September 11, 2001, has negatively influenced the movement of online political activism, which is now forced to defend itself against being labeled by the authorities as a form of cyberterrorism. However, these socially or politically progressive activities often remain unknown to the public, or if reported, they are presented in a negative light in the mass media. In support of that claim, I analyze five major U.S. newspapers in a one-year period with 9-11 in the middle. I argue that certain online activities are appropriated for the goals of the political and corporate elite with the help of the mass media under their control to serve as pretext for interventions to preserve the status quo. Thus, the media portrayal of hacking becomes part of the elite's hegemony to form a popular consensus in a way that supports the elite's crusade under different pretexts to eradicate hacking, an activity that may potentially threaten the dominant order.

-------

[...]

From isn at c4i.org Thu Feb 10 05:21:12 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Feb 10 05:27:20 2005
Subject: [ISN] Cyber-terror plan panned as "barmy"
Message-ID:

http://management.silicon.com/government/0,39024677,39127738,00.htm

February 09 2005
By Will Sturgeon

World Security Organisation is a non-starter...

A controversial UK security vendor is calling for the creation of a World Security Organisation (WSO) to crack down on 'cyber-terror' as well as real world threats by air, land, sea and space. Yet some in the industry have criticised the 'cyber-terror' part of the plan, saying it is bogged down in fanciful thinking and hyperbole. One expert has even branded it "barmy".

DK Matai, the chairman of mi2g, will tomorrow night address the Oxford University Internet Institute with a proposal for a body which would tackle the issue of 'cyber-terrorism'.
According to the company, he will address 60 attendees, including senior execs from the banking and insurance sectors as well as representatives from the academic, diplomatic, government and intelligence fields.

Among the proposals he will present are the creation of "a global collaborative venture more powerful than Interpol" as well as plans to "reduce poverty levels in deprived areas from where radicals and organised crime members are recruited".

But such bold claims have led one leading anti-virus expert to brand the plans as "barmy".

Speaking anonymously he told silicon.com: "We could just laugh this off as barmy, were it not for the fact that government, the City and now Oxford University actually take this self-appointed guru seriously. That's where I stop laughing and start worrying about the direction things are going."

Addressing the specific accusations above, a statement from mi2g said: "Far from engaging in hyperbole, we feel that our point of view is balanced and realistic."

And Matai remains bullish about the role the WSO could play in ensuring greater safety for internet users and world governments.

"The feedback we have received has been overwhelmingly in favour of The World Security Organisation," he said in a statement. "We invite further dialogue in this area because a significant need for such an institution has now been clearly identified by several countries."

Central to any criticism of these plans is the fact that evidence of a genuine cyber-terror threat is yet to be presented by any respected body, according to Simon Perry, VP security strategy at CA, who was recently invited to advise ENISA (the European Network and Information Security Agency) as a member of its permanent stakeholders group.

Supporting this view, Pete Simpson, ThreatLab manager at Clearswift, told silicon.com: "There has not been a single cyber-terror threat. Not one. It's entirely fabricated and non-existent."
Simpson suggested "political propaganda" and "commercial propaganda" may both be playing a part.

Addressing whether the claims of mi2g should be regarded as genuine cause for concern, leading computer science academic Ross Anderson, from Cambridge University, told silicon.com: "The use of the word 'cyber-terrorism' signals marketing rather than anything else."

The other misconception with cyber-terror, according to CA's Perry, is the idea that terrorists will have a means of attack other than those attacks we see currently.

From isn at c4i.org Thu Feb 10 05:23:15 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Feb 10 05:27:22 2005
Subject: [ISN] Did U.S. Spy Agency Exchange E-Mails With '60s Pop-Singer?
Message-ID:

http://ap.tbo.com/ap/breaking/MGBAHT5M05E.html

[I can almost see the NSA having an Eddie Izzard moment when writing out this security policy. "No, we can't do it... Who we got? Zingelbert Bembledack, Tringelbert Wangledack, Slut Bunwalla, Klingybun Fistelvase, Dindlebert Zindledack, Gerry Dorsey, Engelbert Humptyback, Zengelbert Bingledack, Engelbert Humperdinck, Vingelbert Wingledanck... No, no, go back one. Go back one. "Engelbert Humperdinck." That's it!" :) - WK]

By Ted Bridis
Associated Press Writer
Feb 10, 2005

WASHINGTON (AP) - Is Engelbert Humperdinck, the pop-singer icon once described in his liner notes as "kind of like James Bond, only with more chest hair," quietly exchanging e-mails with the super-secret National Security Agency?

America's largest and most cryptic espionage organization indicated as much when it published new software security guidelines for federal agencies. An illustration of an NSA employee's e-mail inbox showed two messages that Humperdinck ostensibly forwarded in July to the spy agency.
What could the government's top code-breakers be discussing over the Internet with Humperdinck, 68, whose velvety voice scored hits in the '60s and '70s with "Release Me" and "After the Lovin'" and led hysterical female fans to throw undergarments on stage?

The NSA said it was only kidding.

"Instead of using fictitious names as we try to do, this time a celebrity's name was used," the agency said in response to tongue-in-cheek inquiries from The Associated Press. "There was no harm intended. We've removed the name from the page and will substitute it."

The NSA pulled the security guidelines off its Web site, although the document still was circulating on other Web sites.

Humperdinck, known among friends as "Enge," did not respond over more than two weeks to phone calls and e-mail messages from the AP to his personal assistant, his manager or official fan club.

Humperdinck, who grew up in Britain as the son of an army officer, picked up his unusual name in 1965 from the German opera composer best known for "Hansel and Gretel." He's sold more than 130 million records. His autobiography, "Engelbert: What's in a Name?," published last month, recounts his turbulent celebrity life and 40-year marriage that endured what he describes as hundreds of adulterous affairs.

There were hints even in the NSA's security document that it wasn't really serious about exchanging e-mails with Humperdinck. It misspelled his name "Humperdink," and another illustration showed the spy agency received an e-mailed document from "James T. Kirk," the fictional captain from the "Star Trek" TV series and movies.
-=-

On the Net:

NSA: www.nsa.gov

Humperdinck's fan site: www.engelbert.com

From isn at c4i.org Thu Feb 10 05:23:28 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Feb 10 05:27:23 2005
Subject: [ISN] Symantec flaw leaves opening for viruses
Message-ID:

http://news.com.com/Symantec+flaw+leaves+opening+for+viruses/2100-1002_3-5569811.html

By Robert Lemos
Staff Writer, CNET News.com
February 9, 2005

Symantec has issued a patch for a flaw in its scanning software that could cause a virus to execute, rather than catch it.

The vulnerability affects an antivirus library used by the majority of Symantec's antivirus and antispam products, including Norton SystemWorks 2004 and Symantec Mail Security for Exchange, the security provider said on Tuesday. The software is aimed at a range of systems, from consumer desktops to large corporate mail servers, meaning the flaw could be used to take control of key corporate systems or to install programs to grab people's identity data.

"The impact of this vulnerability is exaggerated by the fact that many e-mail and other traffic routing gateways make use of file-scanning utilities that make use of the vulnerable library," Symantec said in an advisory. "This could allow an attacker to potentially exploit high-profile systems used to filter malicious data, and potentially allow further compromise of targeted internal networks."

Computers are at risk if they run an unpatched version of a Symantec product that scans files to detect malicious code and if they use the Microsoft Windows, Mac OS X, Linux, Solaris and AIX operating systems, Symantec said. But the flaw does not affect the latest versions of some of the products, such as Norton Antivirus 2005, the company said.

"Symantec strongly recommends that customers ensure their products are up-to-date to protect against this vulnerability," the company said in a statement. "To date, Symantec has not had any reports of related exploits of this vulnerability."
Security information company Secunia, which rates the seriousness of software vulnerabilities, gave the Symantec flaw its second-highest threat grade, "highly critical."

The problem exists in how the scanning code handles a compression format known as the Ultimate Packer for Executables (UPX). An attacker could create a virus designed to exploit the UPX flaw and send it to victims through e-mail or host it on a Web site. An unpatched Symantec scanner checking incoming e-mail or the Web pages that users browse would run the program instead of catching the virus.

"The vulnerability can be triggered by an unauthorized remote attacker, without user interaction, by sending an e-mail containing a crafted UPX file to the target," Internet Security Systems, the company that found the flaw, stated in an advisory on Tuesday. The company said it notified Symantec of the issue when it found it.

The flaw highlights the danger of weaknesses in the security software that acts as a gateway between the unfiltered Internet and internal corporate networks. Internet Security Systems experienced such problems firsthand a year ago, when a flaw in its own firewall software was targeted by a worm two days after the public release of an advisory.

Symantec is distributing patches to its customers through its LiveUpdate automatic update service and other mechanisms. It warned companies that do not use those services to download the patches from its Web site and apply them as soon as possible.

Internet Security Systems could not immediately provide a spokesperson to comment on the issue.

The announcement of the flaw happened the same day that Microsoft released a dozen patches to fix holes in its Windows operating system and other applications. Microsoft also announced it intended to buy security company Sybari, which would put the software giant in direct competition with Symantec.
Other products that use the Symantec antivirus scanning library include Symantec's Brightmail antispam software and Symantec Web Security.

From isn at c4i.org Thu Feb 10 05:23:41 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Feb 10 05:27:26 2005
Subject: [ISN] The curse of the secret question
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,99628,00.html

Opinion by Bruce Schneier
Counterpane Internet Security Inc.
FEBRUARY 09, 2005
COMPUTERWORLD

It's happened to all of us: We sign up for some online account, choose a difficult-to-remember and hard-to-guess password, and are then presented with a "secret question" to answer.

Twenty years ago, there was just one secret question: "What's your mother's maiden name?" Today, there are more: "What street did you grow up on?" "What's the name of your first pet?" "What's your favorite color?" And so on.

The point of all these questions is the same: a backup password. If you forget your password, the secret question can verify your identity so you can choose another password or have the site e-mail your current password to you. It's a great idea from a customer service perspective -- a user is less likely to forget his first pet's name than some random password -- but terrible for security. The answer to the secret question is much easier to guess than a good password, and the information is much more public. (I'll bet the name of my family's first pet is in some database somewhere.) And even worse, everybody seems to use the same series of secret questions.

The result is the normal security protocol (passwords) falls back to a much less secure protocol (secret questions). And the security of the entire system suffers.

What can one do? My usual technique is to type a completely random answer -- I madly slap at my keyboard for a few seconds -- and then forget about it.
This ensures that some attacker can't bypass my password and try to guess the answer to my secret question, but is pretty unpleasant if I forget my password. The one time this happened to me, I had to call the company to get my password and question reset. (Honestly, I don't remember how I authenticated myself to the customer service rep at the other end of the phone line.)

Which is maybe what should have happened in the first place. I like to think that if I forget my password, it should be really hard to gain access to my account. I want it to be so hard that an attacker can't possibly do it. I know this is a customer service issue, but it's a security issue too. And if the password is controlling access to something important -- like my bank account -- then the bypass mechanism should be harder, not easier.

Passwords have reached the end of their useful life. Today, they only work for low-security applications. The secret question is just one manifestation of that fact.

-=-

Bruce Schneier is a security expert and chief technology officer at Counterpane Internet Security Inc. in Mountain View, Calif. His latest book is Beyond Fear: Thinking Sensibly About Security in an Uncertain World. He also publishes the monthly "Crypto-Gram" newsletter. He can be reached at his Web site, www.schneier.com/.

From isn at c4i.org Thu Feb 10 05:23:53 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Feb 10 05:27:30 2005
Subject: [ISN] Spyware Critic Knocked Offline by DDoS Attack
Message-ID:

http://www.eweek.com/article2/0,1759,1763273,00.asp

By Ryan Naraine
February 9, 2005

Harvard researcher Ben Edelman, one of the most vocal critics of spyware purveyors, fell victim to a massive DDoS (distributed denial-of-service) attack over the past 24 hours.

Edelman's Web site, which publishes detailed research reports on spyware, was knocked offline for much of Monday and Tuesday by a DDoS attack that crippled the server capacity.
"My prior Web host tells me I was the target of the biggest DDoS attack they've ever suffered - some 600MB per second," Edelman said.

He told eWEEK.com the site was an obvious target for denial-of-service attacks because of his work to uncover controversial online schemes ranging from software installations through security holes to adware companies deleting each other's programs.

Edelman's published reports also have highlighted venture capital investments in adware companies and detailed step-by-step evidence of "drive-by downloads" and confusing software-installation techniques.

"These aren't nice practices, so I suppose it comes as no surprise that someone - perhaps some group or company that doesn't like what I'm writing - has sought to knock my site offline," Edelman said.

Denial-of-service attacks are used by malicious hackers to flood a network with bogus requests, effectively slowing or crashing a server. "The bad guys have thousands or millions of zombies to use in [these attacks]," Edelman said.

With the help of the nonprofit Internet Systems Consortium Inc., which has offered to host the site, Edelman said his research material was back online Wednesday morning.

Edelman is a Ph.D. candidate at the Department of Economics at Harvard University and a student at Harvard Law School.

From isn at c4i.org Thu Feb 10 05:24:12 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Feb 10 05:27:32 2005
Subject: [ISN] Computer Hackers Place False Emergency Calls - Hiawatha Prank Call
Message-ID:

http://www.kcrg.com/article.aspx?art_id=95468&cat_id=123

[Note: I added the headline from another story on the same subject, this article had the most information, but the headline was lacking. - WK]

By Dave Franzman
KCRG-TV9 News
February 09, 2005

The FBI will investigate the realistic, but fake, 911 call that sent officers rushing to a Hiawatha company on Tuesday.
Hiawatha Police Chief Rick Pierce says the hoax became a federal case because the call originated from somewhere on the west coast...possibly from a stolen or "cloned" cell phone.

Officers say three separate calls to 9-1-1 dispatchers Tuesday were so realistic people could hear yelling and screaming and even gunfire in the background. But when police and ambulance units arrived at the Crystal Group office in Hiawatha they found no gunmen and only confused workers.

Wednesday, investigators said they had a better idea of what may have happened. Chief Pierce says someone called several offices at the Crystal Group Tuesday asking about phone system passwords. One worker at the company mistakenly gave out a "pin" number. With that number, pranksters could dial from out of state, but make it appear the call originated at the Hiawatha business.

Chief Pierce says he's convinced the person who faked the call was not an average hacker, but someone familiar with phone systems.

No one connected with emergency dispatch at the Linn County Communications Center can recall anything this elaborate in the way of a fake 9-1-1 call. Officers say this call was especially dangerous not only to officers responding, but also for people at the company who could have reacted inappropriately to the appearance of armed officers.

Hiawatha officials say they believe the FBI may have some experience with similar hoaxes elsewhere. Hiawatha police were unable to trace the origin of the call beyond somewhere on the west coast.

From isn at c4i.org Thu Feb 10 05:24:30 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Feb 10 05:27:34 2005
Subject: [ISN] Hacker hits WSU computers
Message-ID:

http://www.kbsd6.com/servlet/Satellite?pagename=KBSD/MGArticle/BSD_BasicArticle&c=MGArticle&cid=1031780744325

By Cindy Klose
KWCH 12 Eyewitness News
February 9, 2005

A computer hacker figured out a way to get into three servers at Wichita State University, but the college says no private information was taken.
The computer servers hold information on as many as eight thousand students, faculty and former students. The university says the hackers didn't take any information off the computers, but were looking for places to hide stolen movies or music.

WSU's Chief Information Officer Peter Zoller told Eyewitness News, "We've had numerous attempts to break in, none have ever succeeded. We were surprised this one did, but fortunately we caught it early, and remedied the problem."

Wichita State watches the servers 24 hours a day from a security room, but the hackers broke in over the weekend when no one was monitoring the system.

The three servers the hacker got into held information from the College of Education, clients at the Speech Language-Hearing Clinic and International students. The FBI is looking into the case.

From isn at c4i.org Fri Feb 11 03:37:40 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 11 03:42:50 2005
Subject: [ISN] Sniffer dog threatens online privacy
Message-ID:

http://www.theregister.co.uk/2005/02/10/sniffer_dog_ruling/

By Mark Rasch, SecurityFocus
10th February 2005

Comment - The Fourth Amendment to the US Constitution is supposed to be the one that protects people and their "houses, places and effects" against "unreasonable searches". Forty-two years ago, the US Supreme Court held that attaching a listening device to a public pay phone violated this provision because the Constitution protects people, not places, and because the Fourth Amendment prohibits warrantless searches without probable cause if the target enjoys a reasonable expectation of privacy.

Last month the US Supreme Court effectively trashed this principle in a case that could have a profound impact on privacy rights online. The case, decided by the court on 24 January, had nothing to do with the Information Superhighway, but rather an ordinary interstate highway in Illinois.

Roy Caballes was pulled over by the Illinois State Police for speeding.
While one officer was writing him a ticket, another officer in another patrol car came by with a drug sniffing dog. There was absolutely no reason to believe that Caballes was a drug courier - no profile, no suspicious activity, no large amounts of cash. The driver could have been a soccer mom with a minivan filled with toddlers. Under established Supreme Court precedent, while the cops could have looked in the window to see what was in "plain view", the officers had neither probable cause nor reasonable suspicion to search Caballes' car, trunk, or person.

Well, you know what happened next - the dog "sniff" indicated that there might be drugs in the trunk, which established probable cause to open the trunk, where the cops found some marijuana.

Now here is where things get dicey for the internet. In upholding the dog's sniff-search of the trunk, the Supreme Court held that it did not "compromise any legitimate interest in privacy". Why? Because, according to the court, "any interest in possessing contraband cannot be deemed 'legitimate'." The search was acceptable to the court because it could only reveal the possession of contraband, the concealment of which "compromises no legitimate privacy interest". The expectation "that certain facts will not come to the attention of the authorities" is not the same as an interest in "privacy that society is prepared to consider reasonable," the court wrote.

In other words, the search by the dog into, effectively, the entire contents of a closed container inside a locked trunk, without probable cause, was "reasonable" even though the driver and society would consider the closed container "private" because the search only revealed criminal conduct.

The same reasoning could easily apply to an expanded use of packet sniffers for law enforcement.
Currently, responsible law enforcement agencies limit their warrantless internet surveillance to the "wrapper" of a message, i.e., email addresses or TCP/IP packet headers, unless they have a court order permitting a more intrusive search. Looking at the "outside" of the communication has been treated as similar to looking at the outside of a vehicle - and maybe peering into the window a bit. To peek inside the communication - read the content - required that you first get someone in a black robe involved.

The experiences of Mr. Caballes (the soccer mom, or me or you) changed all that. The government is practically invited to peek inside internet traffic and sniff out evidence of wrongdoing. As long as the technology - like a well-trained dog - only alerts when a crime is detected, it's now legal.

As context-based search technology improves, the government may soon have the ability to take Carnivore one better and deploy "intelligent" packet search filters that will seek out only those communications that relate to criminal activity. They may already have it. Although these packet sniffing dogs sniff the packets of sinner and saint alike, they only bark at the sinner's emails. Thus, according to the new Supreme Court precedent, the sinner has no privacy rights, and the saint's privacy has not been invaded. In fact, the saint would not even know the search had taken place - internet surveillance is less noticeable than a dog sniff.

I think Sun Microsystems' president Scott McNealy was only slightly ahead of his time when he said: "You already have zero privacy, get over it." We could pass a constitutional amendment to protect our privacy rights, but I thought we did that on 15 December, 1791 when the Bill of Rights was ratified.

Hopefully, this case will be limited to a dark desert highway, and not find its way onto the Infobahn. But somehow I doubt it.

-=-

SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.

From isn at c4i.org Fri Feb 11 03:38:51 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 11 03:42:52 2005
Subject: [ISN] Security UPDATE -- Safer Mobile Surfing -- February 9, 2005
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Evaluate ScriptLogic Cloak & Get A Free T-Shirt
http://list.windowsitpro.com/t?ctl=164B:4FB69

An Evaluation of the Total Cost of Ownership of Email Security Solutions
http://list.windowsitpro.com/t?ctl=1636:4FB69

====================

1. In Focus: Safer Mobile Surfing

2. Security News and Features
- Recent Security Vulnerabilities
- February the 13th: Microsoft Issues Massive Number of Security Fixes
- Microsoft to Purchase Sybari Software
- Weakness in Windows XP SP2 Overflow Protection
- SOHO Firewall Appliances

3. Security Matters Blog
- Stop Users from Bypassing Group Policy
- Two More Months to Opt Out of Windows XP SP2

4. Instant Poll

5. Security Toolkit
- FAQ
- Security Forum Featured Thread

6. New and Improved
- Spam Firewall for Large Organizations

====================

==== Sponsor: ScriptLogic ====

Evaluate Cloak & Get A Free T-Shirt

If you're a security-conscious administrator, ScriptLogic has a new product that's a must-have, no matter how large or small your company is. Cloak is an innovative software solution that enhances the NTFS by providing increased security, more accurate audits, and a streamlined experience for network users. When you install Cloak on the Windows Server, users will only see the files and folders they have permission to access.
Not only does Cloak filter network requests on file servers, it can also filter local activity, so it's ideal for Citrix Metaframe and Terminal Servers too! Download a 30-day evaluation today and get a free Cloak t-shirt. Go to
http://list.windowsitpro.com/t?ctl=164B:4FB69

====================

==== 1. In Focus: Safer Mobile Surfing ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

I'm sure you read lots of different security-related blogs and Web sites. There are a bunch of them out there, and the number seems to keep right on growing. I've got dozens of them in my RSS reader, and I often find new ones that I want to read now and then.

One interesting blog that I found some time ago is called Secureme. Not only is it informative, but the writing style is subtly humorous at times too. When I look at the "avatars" of the blog writers at the site, I'm not quite sure what's missing: a flashy mirrored disco ball and colored lights, or Santa's workshop. When you go to the blog, you'll see what I mean.
http://list.windowsitpro.com/t?ctl=1651:4FB69

An interesting recent post at the blog ("No SSH server, no problem!" January 13) covered two tools, The Onion Router (TOR) and Privoxy, both of which can be used in a variety of situations, such as using them together to better protect your Internet communications when you're on the road. For example, if you're using a hotel's in-house network or a public wireless network, you could use TOR and Privoxy to help protect your network traffic.

TOR is a routing technology that encrypts and routes your Internet traffic through a number of TOR servers before the traffic reaches its destination. Privoxy is a proxy server that helps protect your Internet privacy by removing or obscuring various content, such as your DNS queries, browser type, OS type, and more. You can configure Privoxy to communicate with TOR so that all your Web traffic is routed through the TOR network.
I tried the two tools, and they seem to work all right. Setting up a TOR client is incredibly simple. Just install it, run it, and make sure there are open ports on your firewall to pass traffic. That's it! Privoxy is equally simple, except that to make it work with TOR, you'll need to add one line to the Privoxy configuration, which is explained in the TOR documentation.

You can learn more about TOR and Privoxy and download copies at their respective Web sites.
http://list.windowsitpro.com/t?ctl=1653:4FB69
http://list.windowsitpro.com/t?ctl=1652:4FB69

Until next time, have a great week.

====================

==== Sponsor: Postini ====

An Evaluation of the Total Cost of Ownership of Email Security Solutions

Quantifying the Total Cost of Ownership (TCO) of email security solutions is a notoriously difficult task. Discover how Total Cost of Ownership is much more than the initial acquisition cost of a solution, and how you can save thousands of dollars each year without sacrificing accuracy, control or effectiveness in protecting your email systems. Download this free whitepaper now!
http://list.windowsitpro.com/t?ctl=1636:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=163B:4FB69

February the 13th: Microsoft Issues Massive Number of Security Fixes

Yesterday, Microsoft issued a massive number of security bulletins and fixes as part of its regularly scheduled monthly security update release. The company released 12 security bulletins for various products, including several Windows versions, Exchange Server, Office XP, Windows Media Player, MSN Messenger, and SharePoint. Eight of the bulletins are rated as "critical," the company's most serious rating.
http://list.windowsitpro.com/t?ctl=163D:4FB69

Microsoft to Purchase Sybari Software
Microsoft announced yesterday that it has signed a definitive agreement to acquire Sybari Software, a New York-based company that develops antivirus, antispam, and content-filtering technologies. The acquisition will include all of Sybari's staff and technologies.
http://list.windowsitpro.com/t?ctl=163C:4FB69

Weakness in Windows XP SP2 Overflow Protection
Security company Positive Technologies released a white paper that explains what it considers to be weaknesses in the heap overflow protection and data execution protection in Windows XP Service Pack 2 (SP2). The two technologies are designed to help prevent intruders from taking advantage of unchecked buffers to launch malicious code within the OS.
http://list.windowsitpro.com/t?ctl=1643:4FB69

SOHO Firewall Appliances
Even if you have a home office or work for a small company, you still need to protect your valuable data and network. Firewalls have become a de facto standard for all organizations--large and small--as a frontline perimeter-based defense against attackers who want to steal your information, hijack your resources, and otherwise vandalize your network. Jeff Fellinge looks at several solutions in this Buyer's Guide.
http://list.windowsitpro.com/t?ctl=1641:4FB69

====================

==== Resources and Events ====

InfoSec World 2005, April 4-6, 2005, Orlando, FL
InfoSec World 2005 is where connections are made. Expand your knowledge with the hottest topics and get real-world strategies and tested techniques for meeting your toughest information security challenges. With a full spectrum of events, InfoSec World offers an array of stimulating programs, presentations, activities, networking opportunities and more!
http://list.windowsitpro.com/t?ctl=164C:4FB69

Ensure Successful Token Authentication
What's more secure than password protection?
Attend this free Web seminar and learn how to protect your network and make your mobile and remote users more secure with token authentication. Discover ways to evaluate, test, and roll out token authentication to protect your investment, while making a solid business case to justify the costs. Register now!
http://list.windowsitpro.com/t?ctl=1637:4FB69

Windows Connections Conference Spring 2005
Mark your calendar for Windows Connections Spring 2005, April 17-20, 2005, at the Hyatt Regency in San Francisco. Sessions jam-packed with tips and techniques you need to know to ensure success in today's enterprise deployments. Get the complete brochure online or call 203-268-3204 or 800-505-1201 for more information.
http://list.windowsitpro.com/t?ctl=1654:4FB69

Configuring Blade Servers for Your Application Needs
Blade servers pack a lot of function into a small space, conserve power and are flexible. In this free Web seminar, industry guru David Chernicoff details the best use of 1P, 2P and 4P configurations using single and multiple enclosures; integrating with NAS and SAN and managing the entire enterprise from a single console. Register now and take advantage of blade servers' power and flexibility.
http://list.windowsitpro.com/t?ctl=1638:4FB69

====================

==== 3. Security Matters Blog ====
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=164A:4FB69

Check out these recent entries in the Security Matters blog:

Stop Users from Bypassing Group Policy
I read a really interesting thread on the Focus on Microsoft mailing list. A list member said his users found a way to bypass Group Policy so that they could install unauthorized software on their machines. The users entered their logon credentials, then as soon as they were authenticated to the domain, they unplugged the network cable so that Group Policy Objects (GPOs) weren't downloaded to their machines. However, there are ways to foil this strategy.
http://list.windowsitpro.com/t?ctl=1644:4FB69

Two More Months to Opt Out of Windows XP SP2
According to Microsoft's TechNet Flash newsletter, "the mechanism to temporarily disable delivery of Windows XP SP2 is available only for a period of 240 days (8 months) from August 16, 2004. At the end of this period (after April 12, 2005), Windows XP SP2 will be delivered to all Windows XP and Windows XP Service Pack 1 systems."
http://list.windowsitpro.com/t?ctl=1645:4FB69

==== 4. Instant Poll ====

Results of Previous Poll:
Is comment spam a problem on your company's blogs or Web forums? The voting has closed in this Windows IT Pro Security Hot Topic nonscientific Instant Poll. Here are the results from the 13 votes:
- 23% Yes it was, but we solved it by requiring registration
- 0% Yes, but we'll implement the new "rel" tag format to stop it
- 0% Yes, but we don't plan to do anything about it
- 77% No

New Instant Poll:
If your company uses Windows XP, do you use XP SP2? Go to the Security Hot Topic and submit your vote for
- Yes
- No, but we intend to
- No, and we don't intend to
http://list.windowsitpro.com/t?ctl=1646:4FB69

==== 5. Security Toolkit ====

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=1647:4FB69

Q: How can I view a list of all applications on my computer that start at boot-up?

Find the answer at
http://list.windowsitpro.com/t?ctl=1642:4FB69

Security Forum Featured Thread: ISAPI Extension Access to DCOM Application Server
Nicola has an Internet Server API (ISAPI) DLL that connects to a Distributed COM (DCOM) application server. The setup includes a Microsoft IIS server configured with integrated security and anonymous access disabled, a domain group to collect all the domain users that should be able to use the procedures in the DLL, and DCOM configured with an administrator account and launch/access permissions for the domain group.
The setup works if the domain group is included in the local Administrators group, but Nicola doesn't want to put the domain group in the local Administrators group and wonders if there's some other configuration that will work. Join the discussion at
http://list.windowsitpro.com/t?ctl=1639:4FB69

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Try a Sample Issue of Exchange & Outlook Administrator!
If you haven't seen Exchange & Outlook Administrator, you're missing out on key information to help you migrate, optimize, administer, backup, recover, and secure Exchange and Outlook. Plus, paid subscribers receive exclusive online library access to every article we've ever published. Order now!
http://list.windowsitpro.com/t?ctl=1640:4FB69

====================

==== 6. New and Improved ====
by Renee Munshi, products@windowsitpro.com

Spam Firewall for Large Organizations
Barracuda Networks offers Barracuda Spam Firewall 800, a spam and virus appliance for large organizations and ISPs. Barracuda Spam Firewall 800 supports 30,000 active users and can handle nearly 1.3 million messages per hour. It's designed for reliability, including redundant hot-swap power supplies, RAID 5 disk storage, dual gigabit Ethernet ports, and clustering capabilities. Barracuda Spam Firewall 800 is priced at $17,999 for the appliance and $3999 per year for a subscription to the Energize Update service, which updates the appliance hourly with new spam rules and virus definitions. Barracuda also offers Spam Firewall models for smaller organizations. For more information, visit
http://list.windowsitpro.com/t?ctl=164E:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column.
Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rsecadmin@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Sponsored Links ====

Argent versus MOM 2005
Experts Pick the Best Windows Monitoring Solution
http://list.windowsitpro.com/t?ctl=1655:4FB69

Quest Software
See Active Directory in a whole new light. And get a free flashlight!
http://list.windowsitpro.com/t?ctl=1656:4FB69

====================

==== Contact Us ====
About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=164D:4FB69
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com

====================

This email newsletter is brought to you by Security Administrator, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=163F:4FB69

View the Windows IT Pro privacy policy at
http://list.windowsitpro.com/t?ctl=163E:4FB69

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2005, Penton Media, Inc. All rights reserved.
From isn at c4i.org Fri Feb 11 03:39:05 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 11 03:42:54 2005
Subject: [ISN] Hackers target state's computer network
Message-ID:

http://www.adn.com/front/story/6140359p-6022520c.html

By SEAN COCKERHAM
Anchorage Daily News
February 10th, 2005

JUNEAU -- The FBI is looking into a recent rash of cyberattacks that hit the state's computer network.

"We are aware of it and it is a pending investigation so there is really very little I can say about it," FBI spokesman Eric Gonzalez said.

Rep. Pete Kott, R-Eagle River, said a federal task force came to Alaska as part of the investigation. Kott said he believes the CIA and the Department of Homeland Security are also involved. Kott said he was briefed on the situation by state officials.

"Anytime you've got the feds up in Alaska it's got to be a serious issue," Kott said. "The White House has been briefed on this."

He said the federal team came to Anchorage about two weeks ago and took piles of data back to Washington, D.C., to analyze.

Kott said the January attacks appear to have originated in Brazil, although hackers can disguise where their attacks are coming from. He said he was told there was a security breach, but it was unclear how widespread it was or which agencies were involved.

"I don't think we were the only state affected," said Kott, who led the Legislature's Information Technology subcommittee last year.

The Alaska Department of Administration, which oversees the state computer network, refused to answer questions about the investigation.

"We have no response, no comment," department spokesman Joe Holbert said.

Kott said the department was slow in letting the Legislature know about the problem. He said his office got wind of it and had to call state officials and ask what was going on.

"They were shocked that we even knew about it," Kott said Wednesday.
Stan Herrera, the state's director of enterprise technology services, said Tuesday that he was unaware of an FBI investigation. Herrera told the Daily News in late January that the state was looking into increased activity of cyberattacks on the state network that month. He described it as "denial of service" attacks that made computers unresponsive. He said he could provide no estimate on the breadth of the attack because it was still being analyzed. But he said there was no indication sensitive material was stolen from state computers. The state's computer network contains credit card numbers and other personal information that could be used for identity theft. Kott said there could also be "widespread havoc" if a hacker were to penetrate the Permanent Fund dividend division. The division director, Sharon Barton, said in an interview that there was no evidence of that. The Alaska Permanent Fund Corp., which handles the billions of dollars in fund investments, is not on the state network and officials said it was not breached. Fund technology director Marshal Kendziorek said he checked the logs closely when the state network was attacked. "We are extremely security conscious here, much more so than other places," Kendziorek said. "We've seen no intrusions." For the past decade, Kott said, officials have likely not given enough attention to beefing up the security of the state computer network. Kott said the Murkowski administration has moved, though, to review the system and to "basically come up with a better mousetrap." He said it's not a high priority among members of the Legislature. "Nobody understands computers. They know how to turn them on, turn them off, and to get onto the Internet," Kott said. Kott said planned security upgrades were speeded up after the January cyberattacks, although more will likely be needed. He said he expects the investigators to make recommendations. 
"If it's sizable, multimillion dollar upgrades, which I'm guessing it's going to be, then we have to take a serious look at it," Kott said. "I don't think we have any choice but to take care of the problem."

From isn at c4i.org Fri Feb 11 03:39:23 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 11 03:42:56 2005
Subject: [ISN] BlackBerry maker gets NIST nod
Message-ID:

http://www.fcw.com/fcw/articles/2005/0207/web-nistberry-02-10-05.asp

By Florence Olsen
Feb. 10, 2005

National Institute of Standards and Technology officials named Research in Motion, the Canadian maker of the wireless BlackBerry, as the recipient today of NIST's 500th cryptographic module certification.

Since 1995, NIST-approved laboratories have tested and validated hundreds of cryptographic hardware and software modules. NIST officials issued the 500th certificate to Research in Motion for its BlackBerry cryptographic kernel, firmware that performs all basic cryptographic functions for the BlackBerry. Certification means that the module conforms to Federal Information Processing Standard 140-2. Federal agencies are required to use only validated cryptographic modules.

NIST officials operate the Cryptographic Module Validation Program in conjunction with the Canadian government. NIST officials have accredited nine laboratories in the United States, Canada and the United Kingdom to test cryptographic modules.

A statement from Research in Motion officials said a number of government organizations are using handheld BlackBerrys to support continuity of operations planning. Federal BlackBerry users are storing emergency preparedness information, standard operating procedures, emergency call lists and other documents on the handheld computers.
From isn at c4i.org Fri Feb 11 03:39:36 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 11 03:42:59 2005
Subject: [ISN] Hackers Quickly Target Newly Disclosed Microsoft Flaw
Message-ID:

http://informationweek.com/story/showArticle.jhtml?articleID=60300331

By Gregg Keizer
TechWeb News
Feb. 10, 2005

It didn't take hackers long to start banging hard on the vulnerabilities Microsoft disseminated Tuesday.

Just a day after the Redmond, Wash.-based developer rolled out a dozen advisories containing 16 vulnerabilities, 10 of them tagged as "Critical," exploit code has gone public for one, Microsoft said late Wednesday.

"Microsoft won't be happy that someone has posted information about how to take advantage of their critical security hole within 48 hours of their patch being released," said Graham Cluley, senior technology consultant for Sophos, in a statement. "Many computer users are bound to have not yet defended themselves," he added.

Microsoft posted an online advisory to its Web site, confirming that exploit code exists.

"Microsoft is aware of exploit code available on the Internet that targets an issue addressed this week by the update released with Microsoft Security Bulletin MS05-009," Microsoft said.

The bulletin in question patched two vulnerabilities, one in Windows Media Player, the other in MSN Messenger and Windows Messenger, Microsoft's instant messaging clients. All three applications can be attacked using malformed PNG image files.

According to other security firms' analyses, the exploit code -- dubbed Exploit-PNGfile by McAfee -- can instruct the infected machine to run any payload the hacker bundles with it. Possible payloads could include such typical malware as Trojans, backdoor components, or worms to wrench control from the real user, or even spyware such as key loggers to steal information and identities.

Although exploit code is out and about, Microsoft said it had not yet seen any actual attack.
"We will continue to actively monitor the situation and provide updated customer information and guidance as necessary," the advisory continued. Microsoft said that patched systems were immune from the exploit, and outlined recommended steps for both individuals and enterprises that included updating both Windows and MSN Messenger for the former, and either uninstalling MSN Messenger or blocking it in the latter. "MSN Messenger is not intended for corporate environments," Microsoft said. "Instead, use Windows Messenger, which is included with Windows." Another option is to download the beta of MSN Messenger 7, which is not susceptible to the exploit. One stumbling block in eliminating this vulnerability is that users must update MSN Messenger manually, since it's not part of Windows per se (unlike Windows Messenger, the similar-but-not-identical IM client bundled with the OS). "Although there is an automatic update notification system present in MSN Messenger, it can take a long time for it to actually inform the user about a newer version," wrote Kaspersky Labs in its alert on the issue. Core Security Technologies, the Boston security firm which first found the flaw and reported it to Microsoft in August 2004, said that the MSN Messenger bug was extremely dangerous. "Due to the particular characteristics of the MSN Messenger communications protocol, exploitation of the vulnerability is likely to pass unnoticed to network Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and firewalls that do not implement decoding and normalization of the MSN Messenger protocol encapsulated within HTTP," the company said in its own advisory posted Tuesday. Core also said that exploits could be crafted that would compromise unpatched machines "without crashing or disrupting the normal functioning of the MSN Messenger client application," making detection almost impossible by the end user. "This vulnerability is serious," said Sophos' Cluley. 
"Everyone should ensure their systems are properly protected with the security patch at the earliest opportunity."

From isn at c4i.org Fri Feb 11 03:39:49 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 11 03:43:01 2005
Subject: [ISN] Flaw in mail-list software leaks passwords
Message-ID:

http://news.com.com/Flaw+in+mail-list+software+leaks+passwords/2100-1002_3-5571576.html

By Robert Lemos
Staff Writer, CNET News.com
February 10, 2005

A previously unknown vulnerability in Mailman, a popular open-source program for managing mailing lists, has led to the theft of the password file for a well-known security discussion group.

The theft, discovered this week and reported in an announcement to the Full Disclosure security mailing list on Wednesday, casts uncertainty on the security of other discussion groups that use the open-source Mailman package. By specially crafting a Web address, an attacker can obtain the password for every member of a discussion group.

"Anyone with a Web browser can download a file off a vulnerable system--it's (easy to do)," said John Cartwright, co-founder and manager of the Full Disclosure mailing list.

The attack, known as a remote directory traversal exploit, occurred on Jan. 2, according to Cartwright's investigation. "As far as our server goes, there is no evidence that any other files were accessed using this flaw."

The flaw could have far-reaching consequences because some mailing list subscribers change their access code to a password that they reuse elsewhere. Since Mailman uses subscribers' e-mail as their user name, people who reuse passwords could put other accounts in jeopardy.

Servers that run Apache 2.0 and Mailman are suspected to be immune to exploitation of the vulnerability, according to a security advisory on the Mailman Web site. "In any event, the safest approach is to assume the worst, and it is recommended that you apply this Mailman patch as soon as possible," the advisory stated.
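Cartwright's finding that the Jan. 2 access happened and that no other files were touched is the kind of answer only a review of the Web server's access log can give. The following is an added example, not code from the article, from Mailman, or from the Full Disclosure operators: it parses Apache common-log-format lines, percent-decodes each request target (repeatedly, so double encoding does not hide anything), and reports every request whose path carries a parent-directory segment once decoded, which is the signature a directory traversal request leaves in the log regardless of which application it targets. The log lines, client addresses and file names below are constructed sample data; the rule that flags any dots-only path segment is a conservative heuristic of my own, not a description of the Mailman flaw.

```python
import re
from urllib.parse import unquote

# Apache common log format: host ident user [time] "method target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (RFC 5737 documentation addresses, invented file names).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Jan/2005:03:14:07 +0000] "GET /mailman/listinfo/full-disclosure HTTP/1.1" 200 5120',
    '203.0.113.7 - - [02/Jan/2005:03:14:09 +0000] "GET /mailman/private/full-disclosure/../../../restricted/data.txt HTTP/1.1" 200 2048',
    '198.51.100.4 - - [02/Jan/2005:03:15:00 +0000] "GET /mailman/private/list/%2e%2e/%2e%2e/secret HTTP/1.0" 404 310',
    '198.51.100.4 - - [02/Jan/2005:03:15:02 +0000] "GET /images/logo.png?v=2 HTTP/1.1" 200 9000',
]


def decode_fully(s, max_rounds=3):
    """Percent-decode repeatedly so a double-encoded '%252e%252e' is seen as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_traversal(target):
    """True if the request path, once decoded, carries a parent-directory reference.

    The query string is ignored and backslashes are treated as separators, since
    some servers accept them.  Every '..' segment is flagged, not only those that
    climb above the document root: the escape that matters is relative to the
    directory the application serves from, which a log reader cannot know.
    Segments made only of dots ('...') are flagged too as a conservative choice
    (assumption): legitimate URLs essentially never contain them.
    """
    path = target.split('?', 1)[0]
    decoded = decode_fully(path).replace('\\', '/')
    for segment in decoded.split('/'):
        if len(segment) >= 2 and set(segment) == {'.'}:
            return True
    return False


def scan_access_log(lines):
    """Return (host, target, status) for each parseable request that looks like traversal.

    A 200 status on a flagged request is the one to investigate first: the
    server actually returned content for the crafted path.  A 404 still tells
    you who was probing and from where.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not common log format; skip rather than guess
        if is_traversal(m.group('target')):
            hits.append((m.group('host'), m.group('target'), m.group('status')))
    return hits


if __name__ == '__main__':
    for host, target, status in scan_access_log(SAMPLE_LOG):
        print(f'{status} {host} {target}')
```

Run against a real log with `scan_access_log(open(path))`, then sort the hits by status: the 200s show which crafted requests were actually answered, which is what lets an administrator say, as Cartwright did, whether files beyond the one known to be taken were also served. Patching, as the Mailman advisory says, is still the fix; the scan only tells you what already happened.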
The Full Disclosure discussion list had used Mailman running on Apache 1.3, a vulnerable configuration.

Companies and projects that distributed Mailman as part of their Linux distribution have already started releasing fixes for the problem. Debian, Ubuntu and Gentoo Linux have released advisories citing the problem and offering patches.

From isn at c4i.org Fri Feb 11 03:40:03 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Feb 11 03:43:03 2005
Subject: [ISN] Cybersecurity: It's Dollars and Sense
Message-ID:

http://www.businessweek.com/technology/content/feb2005/tc20050211_8713.htm

By Bill Hancock
FEBRUARY 11, 2005

Few CEOs grasp the case for investing in safeguards against hackers, worms, and the like. It's every chief information officer's duty to banish that innocence

No one really wants to spend money on cybersecurity. Not only is it technically impossible to completely secure cyberspace, but the technology is complicated, the vocabulary arcane, and the expertise to make it happen hard to find -- and even harder to apply. Worse yet, most managers never learned how to calculate the value of -- and communicate the business case for -- cybersecurity.

Yes, I realize that overall spending on cybersecurity continues to increase every year. Yet every executive I know is kicking and screaming about its cost along the entire way.

45,000 OPEN DOORS. The sad reality is that every computer network has cybersecurity exposures. This is due in large part to the fact that most software and computer systems focus on function, not security. Security is bolted to computer systems using things like firewalls and intrusion-detection systems. Additionally, the communications methods used to deliver data are over 30 years old, coming from a time when security was less of an issue.

Compounding the problem, as software has become more sophisticated, the code used to write it has grown significantly.
Conventional wisdom says you can expect to find about one bug for every 1,000 lines of software code -- and every bug is an opening for hackers. The 45 million-line operating system that runs your computer may have 45,000 ways to be breached by a hacker. These hackers are smart, and most have much more time to spend attacking you than a typical system administrator can spend defending against them.

Attacks are also becoming increasingly automated, which compounds the problem. Computer worms and other autonomous, malicious programs can attack and infiltrate these complex environments in a relentless, methodical fashion.

EASY AS ABC. Most senior executives are aware of these cybersecurity issues. The problem is that these issues rarely turn into funded information-technology projects when evaluated against other business priorities. Sure, every survey of chief information officers says cybersecurity is one of the very top issues for a company. Yet in most executive suites, cybersecurity is considered necessary to stay in business, but not to make the business bigger. So what if a PC gets hammered by a worm? It won't kill the business, and the expense to clean it up will be minimal.

There's a way to deal with this dilemma. Chief information officers need to translate the IT priority of cybersecurity into a business priority that the CEO can't ignore. The basic framework I've used to build the business case for cybersecurity I call the ABC's of Security Management:

Asset protection: Most businesses recognize that they must protect their physical and intellectual assets. For example, they can't let someone steal their patents. The same kind of rigor that is applied to valuing, protecting, and insuring traditional assets needs to be applied to cyberassets. If someone steals your customer- or product-development database you could be put out of business.

Brand protection: Every CEO is concerned about the outfit's brand.
CEOs can increase the perceived value of the company through the equity they build in their brands. What if your company is hit by a hacker and all the credit-card data from the e-commerce Web site is compromised? What happens to the value of the brand -- and to your stock price?

Compliance: Probably the strongest justification for investing in cybersecurity is that you don't have a choice: It's the law. Actually, it's lots of laws. Sarbanes-Oxley (SOX), Graham-Leach-Bliley (GLB), the Health Insurance Portability & Accountability Act (HIPAA), and the USA Patriot Act all have provisions that require securing IT applications, data, and infrastructure.

SHINING EXAMPLES. Once you've used the ABC's to make cybersecurity a business priority, what next? While there is no cookbook for cybersecurity, there are some best practices I've seen at leading companies.

Hire outside experts: The best approach is to integrate your internal IT expertise about applications, data, and business processes with outside expertise on how to identify and protect against cyberthreats. In most cases, you can save money by engaging these cybersecurity experts on a short-term basis to do periodic assessments, audits, and updates of your security systems and procedures.

Evaluate your IT suppliers: Ensure that the IT solutions you buy -- just like corporate networks, applications, servers, and storage -- follow the best practices for cybersecurity and can be included in your "chain of trust" to comply with government regulations.

Take one step at a time: You can't solve all your cybersecurity problems at once. Build a list of your cybersecurity vulnerabilities and prioritize the items based on business value. Focus on the high-value items that keep the business running and allow it to grow.

Cybersecurity is a journey, not a destination -- you'll never be completely done. The important thing is to keep moving forward, continuously improve, and focus on the details many think aren't so important.
-=-

Bill Hancock is Chief Security Officer of SAVVIS Communications and is chairman of the FCC's Network Reliability & Interoperability Council Homeland Security focus group on cybersecurity

From isn at c4i.org Mon Feb 14 05:21:24 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Feb 14 05:29:07 2005
Subject: [ISN] Break-In At SAIC Risks ID Theft
Message-ID:

http://www.washingtonpost.com/wp-dyn/articles/A17506-2005Feb11.html

[InfoSec News subscribers were alerted of this incident with the stolen SAIC computers first with the article on February 3rd 2005 at: http://www.attrition.org/pipermail/isn/2005-February/001118.html - WK]

By Griff Witte
Washington Post Staff Writer
February 12, 2005

Some of the nation's most influential former military and intelligence officials have been informed in recent days that they are at risk of identity theft after a break-in at a major government contractor netted computers containing the Social Security numbers and other personal information about tens of thousands of past and present company employees.

The contractor, employee-owned Science Applications International Corp. of San Diego, handles sensitive government contracts, including many in information security. It has a reputation for hiring Washington's most powerful figures when they leave the government, and its payroll has been studded with former secretaries of defense, CIA directors and White House counterterrorism advisers.

Those former officials -- along with the rest of a 45,000-person workforce in which a significant percentage of employees hold government security clearances -- were informed last week that their private information may have been breached and they need to take steps to protect themselves from fraud.

David Kay, who was chief weapons inspector in Iraq after nearly a decade as an executive at SAIC, said he has devoted more than a dozen hours to shutting down accounts and safeguarding his finances.
He said the successful theft of personal data, by thieves who smashed windows to gain access, does not speak well of a company that is devoted to keeping the government's secrets secure. "I just find it unexplainable how anyone could be so casual with such vital information. It's not like we're just now learning that identity theft is a problem," said Kay, who lives in Northern Virginia. About 16,000 SAIC employees work in the Washington area. Bobby Ray Inman, former deputy director of the CIA and a former director at SAIC, agreed. "It's worrisome," said Inman, who also received notification of the theft last week. "If the security is sloppy, it raises questions." Ben Haddad, an SAIC spokesman, said yesterday that the Jan. 25 theft, which the company announced last week, occurred in an administrative building where no sensitive contracting work is performed. Haddad said the company does not know whether the thieves targeted specific computers containing employee information or if they were simply after hardware to sell for cash. In either case, the company is taking no chances. "We're taking this extremely seriously," Haddad said. "It's certainly not something that would reflect well on any company, let alone a company that's involved in information security. But what can I say? We're doing everything we can to get to the bottom of it." Gary Hassen of the San Diego Police Department said there were "no leads." Haddad said surveillance cameras are in the building where the theft took place, but he did not know whether they caught the perpetrators on tape. He also did not know whether the information that was on the pilfered computers had been encrypted. The stolen information included names, Social Security numbers, addresses, telephone numbers and records of financial transactions. It was stored in a database of past and present SAIC stockholders. 
SAIC is one of the nation's largest employee-owned companies, with workers each receiving the option to buy SAIC stock through an internal brokerage division known as Bull Inc. Haddad said the company has been trying through letters and e-mails to get in touch with everyone who has held company stock within the past decade, though he acknowledged that hasn't been easy since many have since left the company. He said the company would take steps to ensure stockholder information is better protected in the future, but he declined to be specific.

The theft comes at a time when the company, which depends on the federal government for more than 80 percent of its $7 billion annual revenue, is already under scrutiny for its handling of several contracts.

Last week on Capitol Hill, FBI Director Robert S. Mueller III testified that the company had botched an attempt to build software for the bureau's new Virtual Case File system. The $170 million upgrade was supposed to allow agents to sift through different cases electronically, but the FBI has said the new system is so outdated that it will probably be scrapped.

In San Antonio, SAIC is fighting the government over charges that the company padded its cost estimates on a $24 million Air Force contract. The case prompted the Air Force to issue an unusual alert to its contracting officials late last year, warning them that "the Department of Justice believes that SAIC is continuing to submit defective cost or pricing data in support of its pricing proposals."

SAIC has defended its work for the FBI and the Air Force. Haddad said that criticisms are inevitable for such a large company and that there is no pattern of poor performance.

"I know people will try to jump to that kind of conclusion, but it's not an accurate reflection of how well this company is doing," he said. "This company has always prided itself on strong ethics."
The company's alumni list reads like a roll call of the nation's highest-profile former officials, including former defense secretaries William J. Perry and Melvin R. Laird and former CIA director John Deutch. Current directors of the company include former chief counterterrorism adviser Gen. Wayne A. Downing.

Founded by a group of scientists in 1969, SAIC has been growing in recent years at a rapid clip, right along with the government's appetite for high-tech services in information technology and national defense. The company named a new chief executive, Kenneth C. Dahlberg, in 2003, and he has set a goal of doubling the company's value within three to five years, Haddad said.

Philip Finnegan, director of corporate analysis with Teal Group Corp., said SAIC is trying to push into the top tier of contractors -- a rarefied club that includes Boeing Co. and Lockheed Martin Corp. -- and that there are bound to be bumps along the way. "It's inevitable that they'll face problems," he said.

Others are less sure that the company's recent difficulties don't add up to something more.

"Is [the break-in] saying something about the quality of the company?" Kay said. "It's hard to say that. It's probably just random luck. But multiple occurrences of bad luck are often more than bad luck."
From isn at c4i.org Mon Feb 14 05:23:01 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Feb 14 05:29:09 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-6
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2005-02-04 - 2005-02-11

This week : 93 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff spends hours every day to assure you of the best and most reliable source for vulnerability information.

Every single vulnerability report is validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

ADVISORIES:

Microsoft has released their monthly security bulletins for February, which correct vulnerabilities in various products.

Users of Microsoft products are advised to visit Windows Update and check for available updates.

Additional information can be found in the referenced Secunia advisories below.
References:
http://secunia.com/SA11165
http://secunia.com/SA14190
http://secunia.com/SA14193
http://secunia.com/SA14192
http://secunia.com/SA14195
http://secunia.com/SA14177
http://secunia.com/SA14189
http://secunia.com/SA11634
http://secunia.com/SA14174

--

Multiple browsers have been reported vulnerable to a spoofing issue using IDN (International Domain Name). The problem is caused by an unintended result of the IDN implementation, which allows using international characters in domain names. This can be exploited by registering domain names with certain international characters that resemble other commonly used characters, thereby causing the user to believe they are on a trusted site.

Secunia has constructed a test, which can be used to check if your browser is affected by this issue:
http://secunia.com/multiple_browsers_idn_spoofing_test/

References:
http://secunia.com/SA14166
http://secunia.com/SA14154
http://secunia.com/SA14163
http://secunia.com/SA14162
http://secunia.com/SA14165
http://secunia.com/SA14164
http://secunia.com/SA14209

--

Many products from Symantec and F-Secure have been reported vulnerable to a buffer overflow vulnerability, which can be exploited by malicious people to compromise a vulnerable system. A comprehensive list of affected products is available in the referenced Secunia advisories below.

References:
http://secunia.com/SA14179/
http://secunia.com/SA14216/

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA14163] Mozilla / Firefox / Camino IDN Spoofing Security Issue
2.  [SA14179] Symantec Multiple Products UPX Parsing Engine Buffer Overflow
3.  [SA14164] Safari IDN Spoofing Security Issue
4.  [SA14160] Mozilla / Firefox Three Vulnerabilities
5.  [SA11165] Microsoft Internet Explorer Multiple Vulnerabilities
6.  [SA14154] Opera IDN Spoofing Security Issue
7.  [SA12889] Microsoft Internet Explorer Multiple Vulnerabilities
8.  [SA14188] Mac OS X Finder Insecure File Creation Vulnerability
9.  [SA14165] Netscape IDN Spoofing Security Issue
10. [SA13818] Opera "data:" URI Handler Spoofing Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA14193] Microsoft Windows OLE / COM Two Vulnerabilities
[SA14190] Microsoft Windows Drag and Drop Vulnerability
[SA14177] Microsoft Office URL File Location Handling Buffer Overflow
[SA14174] Microsoft Various Products PNG Image Parsing Vulnerabilities
[SA14145] Foxmail Server "Mail From:" Buffer Overflow Vulnerability
[SA14209] VeriSign i-Nav Plug-In IDN Spoofing Security Issue
[SA14195] Microsoft Windows Hyperlink Object Library Buffer Overflow
[SA14187] RealArcade Two Vulnerabilities
[SA14172] ArGoSoft FTP Server Compressed Shortcut Upload Security Bypass
[SA14169] 602LAN SUITE Webmail Arbitrary File Upload Vulnerability
[SA14161] ArGoSoft Mail Server Directory Traversal Vulnerabilities
[SA14146] RaidenHTTPD Relative Pathname Disclosure of Sensitive Information
[SA14192] Microsoft Windows License Logging Service Buffer Overflow
[SA14206] Netscape Three Vulnerabilities
[SA14180] SharePoint Services Cross-Site Scripting and Spoofing Vulnerability
[SA14134] LANChat Malformed Data Processing Denial of Service
[SA14144] Microsoft Outlook Web Access "owalogon.asp" Redirection Weakness
[SA14189] Windows Anonymous Named Pipe Connection Information Disclosure

UNIX/Linux:
[SA14167] Debian update for php3
[SA14156] Gentoo update for openmotif
[SA14149] SUSE Updates for Multiple Packages
[SA14140] Gentoo update for lesstif
[SA14241] Red Hat update for squirrelmail
[SA14229] Mandrake update for enscript
[SA14227] Mandrake update for python
[SA14223] Debian update for mailman
[SA14222] Red Hat update for mailman
[SA14220] HP-UX BIND Unspecified Denial of Service Vulnerability
[SA14215] Debian update for evolution
[SA14212] Ubuntu update for mailman
[SA14211] Mailman "private.py" Directory Traversal Vulnerability
[SA14208] SUSE update for squid
[SA14207] Gentoo update for pdftohtml
[SA14202] Gentoo update for python
[SA14196] Fedora update for emacs
[SA14194] Debian update for emacs20
[SA14191] Debian update for xemacs21
[SA14185] Ubuntu update for squid
[SA14182] Frox Deny ACL Security Bypass Vulnerability
[SA14178] UnixWare update for racoon
[SA14168] Ubuntu update for emacs21-bin-common
[SA14166] OmniWeb IDN Spoofing Security Issue
[SA14164] Safari IDN Spoofing Security Issue
[SA14162] KDE Applications IDN Spoofing Security Issue
[SA14158] Debian update for python2.2
[SA14150] Fedora update for python
[SA14148] GNU Emacs "popmail()" Format String Vulnerability
[SA14137] Ubuntu Postfix IPv6 Relaying Security Issue
[SA14133] Mozilla Application Suite "MSG_UnEscapeSearchUrl()" Buffer Overflow
[SA14129] Ubuntu update for python
[SA14201] Avaya krb5 Two Vulnerabilities
[SA14132] HP CIFS Server Security Descriptor Parsing Integer Overflow
[SA14130] Sun Solaris Samba Integer Overflow Vulnerability
[SA14184] Fedora update for postgresql
[SA14170] UnixWare / OpenServer TCP Connection Reset Denial of Service
[SA14228] Mandrake update for squid
[SA14157] Debian update for squid
[SA14226] Mandrake update for mysql
[SA14218] Debian update for xview
[SA14213] XView "xv_parse_one()" Buffer Overflow Vulnerability
[SA14203] Mandrake update for perl
[SA14200] Avaya Various Products Kernel Vulnerabilities
[SA14199] Mandrake update for perl-DBI
[SA14198] IBM AIX auditselect Format String Vulnerability
[SA14188] Mac OS X Finder Insecure File Creation Vulnerability
[SA14186] Red Hat update for perl
[SA14176] SCO OpenServer "enable" Buffer Overflow Vulnerability
[SA14175] UnixWare update for foomatic-rip
[SA14173] IBM AIX chdev Format String Vulnerability
[SA14171] Gentoo update for postgresql
[SA14159] osh "iopen()" Buffer Overflow Vulnerability
[SA14152] Avaya PDS Multiple Privilege Escalation Vulnerabilities
[SA14151] Debian update for postgresql
[SA14139] Debian update for ncpfs
[SA14138] Ubuntu update for cpio
[SA14153] Avaya CMS UDP End Point Handling Denial of Service

Other:
[SA14136] Linksys PSUS4 Print Server HTTP POST Request Denial of Service

Cross Platform:
[SA14216] F-Secure Multiple Products ARJ Archive Handling Vulnerability
[SA14179] Symantec Multiple Products UPX Parsing Engine Buffer Overflow
[SA14205] MyPHP Forum Multiple SQL Injection Vulnerabilities
[SA14181] xGB Administrative User Authentication Bypass Vulnerability
[SA14165] Netscape IDN Spoofing Security Issue
[SA14163] Mozilla / Firefox / Camino IDN Spoofing Security Issue
[SA14154] Opera IDN Spoofing Security Issue
[SA14143] Chipmunk Forum Multiple SQL Injection Vulnerabilities
[SA14142] CMScore Multiple SQL Injection Vulnerabilities
[SA14141] BXCP "show" Local File Inclusion Vulnerability
[SA14128] Python SimpleXMLRPCServer Library Module Vulnerability
[SA14183] BrightStor ARCserve Backup Discovery Service Buffer Overflow
[SA14160] Mozilla / Firefox Three Vulnerabilities
[SA14135] PowerDNS Traffic Handling Denial of Service Vulnerability
[SA14131] Claroline Add Course Script Insertion Vulnerability
[SA14204] Emdros MQL Parser Memory Leak Vulnerabilities

========================================================================
5) Vulnerabilities Content Listing

Windows:

--

[SA14193] Microsoft Windows OLE / COM Two Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Privilege escalation, System access
Released:    2005-02-08

Cesar Cerrudo has reported two vulnerabilities in Microsoft Windows, which can be exploited by malicious, local users to gain escalated privileges or by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/14193/

--

[SA14190] Microsoft Windows Drag and Drop Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-02-08

A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14190/

--

[SA14177] Microsoft Office URL File Location Handling Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-02-08

Rafel Ivgi has reported a vulnerability in Microsoft Office XP, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14177/

--

[SA14174] Microsoft Various Products PNG Image Parsing Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-02-08

Two vulnerabilities have been reported in various Microsoft products, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14174/

--

[SA14145] Foxmail Server "Mail From:" Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-02-08

Fortinet has reported a vulnerability in Foxmail Server, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14145/

--

[SA14209] VeriSign i-Nav Plug-In IDN Spoofing Security Issue

Critical:    Moderately critical
Where:       From remote
Impact:      Spoofing
Released:    2005-02-09

Eric Johanson has reported a security issue in i-Nav Plug-In, which can be exploited by a malicious web site to spoof the URL displayed in the address bar, SSL certificate, and status bar.
Full Advisory:
http://secunia.com/advisories/14209/

--

[SA14195] Microsoft Windows Hyperlink Object Library Buffer Overflow

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-02-08

Anna Hollingzworth has reported a vulnerability in Microsoft Windows, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14195/

--

[SA14187] RealArcade Two Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, System access
Released:    2005-02-09

Luigi Auriemma has reported two vulnerabilities in RealArcade, which can be exploited by malicious people to delete arbitrary files or compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14187/

--

[SA14172] ArGoSoft FTP Server Compressed Shortcut Upload Security Bypass

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-02-08

Remus Hociota has reported a vulnerability in ArGoSoft FTP Server, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/14172/

--

[SA14169] 602LAN SUITE Webmail Arbitrary File Upload Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-02-08

Tan Chew Keong has reported a vulnerability in 602LAN SUITE, which can be exploited by malicious webmail users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14169/

--

[SA14161] ArGoSoft Mail Server Directory Traversal Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information, System access
Released:    2005-02-09

Tan Chew Keong has reported some vulnerabilities in ArGoSoft Mail Server, which can be exploited by malicious users to disclose and manipulate sensitive information, and potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/14161/

--

[SA14146] RaidenHTTPD Relative Pathname Disclosure of Sensitive Information

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2005-02-07

Donato Ferrante has reported a vulnerability in RaidenHTTPD, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/14146/

--

[SA14192] Microsoft Windows License Logging Service Buffer Overflow

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2005-02-08

Kostya Kortchinsky has reported a vulnerability in some versions of Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14192/

--

[SA14206] Netscape Three Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of data
Released:    2005-02-09

mikx has discovered three vulnerabilities in Netscape, which can be exploited by malicious people to plant malware on a user's system, conduct cross-site scripting attacks and bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/14206/

--

[SA14180] SharePoint Services Cross-Site Scripting and Spoofing Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Spoofing, Manipulation of data
Released:    2005-02-08

A vulnerability has been reported in Windows SharePoint Services and SharePoint Team Services, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/14180/

--

[SA14134] LANChat Malformed Data Processing Denial of Service

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2005-02-04

Donato Ferrante has reported a vulnerability in LANChat Pro Revival, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/14134/

--

[SA14144] Microsoft Outlook Web Access "owalogon.asp" Redirection Weakness

Critical:    Not critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-02-08

Donnie Werner has reported a weakness in Microsoft Outlook Web Access (OWA), which potentially can be exploited by malicious people to conduct phishing attacks.

Full Advisory:
http://secunia.com/advisories/14144/

--

[SA14189] Windows Anonymous Named Pipe Connection Information Disclosure

Critical:    Not critical
Where:       From local network
Impact:      Exposure of system information
Released:    2005-02-08

Jean-Baptiste Marchand has reported a weakness in Microsoft Windows XP, which can be exploited by malicious people to gain knowledge of certain system information.

Full Advisory:
http://secunia.com/advisories/14189/

UNIX/Linux:

--

[SA14167] Debian update for php3

Critical:    Highly critical
Where:       From remote
Impact:      System access, Security Bypass
Released:    2005-02-07

Debian has issued an update for php3. This fixes two vulnerabilities, which can be exploited by malicious people to bypass certain security functionality or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14167/

--

[SA14156] Gentoo update for openmotif

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-02-07

Gentoo has issued an update for openmotif. This fixes multiple vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14156/

--

[SA14149] SUSE Updates for Multiple Packages

Critical:    Highly critical
Where:       From remote
Impact:      Unknown, Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, Privilege escalation, DoS, System access
Released:    2005-02-07

SUSE has issued updates for multiple packages.
These fix various vulnerabilities, where some have an unknown impact, and others can be exploited to cause a DoS (Denial of Service), perform spoofing and cross-site scripting attacks, disclose sensitive information, perform certain actions with escalated privileges, or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14149/

--

[SA14140] Gentoo update for lesstif

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-02-07

Gentoo has issued an update for lesstif. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14140/

--

[SA14241] Red Hat update for squirrelmail

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information, Cross Site Scripting
Released:    2005-02-11

Red Hat has issued an update for squirrelmail. This fixes three vulnerabilities, which can be exploited by malicious people to gain knowledge of sensitive information or conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/14241/

--

[SA14229] Mandrake update for enscript

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-02-11

MandrakeSoft has issued an update for enscript. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14229/

--

[SA14227] Mandrake update for python

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, Exposure of sensitive information, System access
Released:    2005-02-11

MandrakeSoft has issued an update for python. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/14227/

--

[SA14223] Debian update for mailman

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of sensitive information
Released:    2005-02-11

Debian has issued an update for mailman. This fixes two vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/14223/

--

[SA14222] Red Hat update for mailman

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2005-02-11

Red Hat has issued an update for mailman. This fixes a vulnerability, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/14222/

--

[SA14220] HP-UX BIND Unspecified Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-02-10

A vulnerability has been reported in HP-UX, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14220/

--

[SA14215] Debian update for evolution

Critical:    Moderately critical
Where:       From remote
Impact:      Privilege escalation, System access
Released:    2005-02-10

Debian has issued an update for evolution. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14215/

--

[SA14212] Ubuntu update for mailman

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2005-02-10

Ubuntu has issued an update for mailman. This fixes a vulnerability, which can be exploited by malicious people to disclose sensitive information.
Full Advisory:
http://secunia.com/advisories/14212/

--

[SA14211] Mailman "private.py" Directory Traversal Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2005-02-10

John Cartwright has reported a vulnerability in Mailman, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/14211/

--

[SA14208] SUSE update for squid

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown, Security Bypass, DoS, System access
Released:    2005-02-11

SUSE has issued an update for squid, which fixes multiple vulnerabilities. One has an unknown impact, and others can be exploited to bypass certain security restrictions, cause a DoS (Denial of Service), or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14208/

--

[SA14207] Gentoo update for pdftohtml

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-02-10

Gentoo has issued an update for pdftohtml. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14207/

--

[SA14202] Gentoo update for python

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, Exposure of sensitive information, System access
Released:    2005-02-09

Gentoo has issued an update for python. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/14202/

--

[SA14196] Fedora update for emacs

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-02-09

Fedora has issued an update for emacs. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/14196/

--

[SA14194] Debian update for emacs20

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-02-09

Debian has issued an update for emacs20. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14194/

--

[SA14191] Debian update for xemacs21

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-02-09

Debian has issued an update for xemacs21. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14191/

--

[SA14185] Ubuntu update for squid

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown, Security Bypass, DoS
Released:    2005-02-08

Ubuntu has issued an update for squid, which fixes various vulnerabilities. One has an unknown impact, and others can be exploited by malicious people to bypass certain security restrictions and cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14185/

--

[SA14182] Frox Deny ACL Security Bypass Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-02-08

A vulnerability has been reported in Frox, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/14182/

--

[SA14178] UnixWare update for racoon

Critical:    Moderately critical
Where:       From remote
Impact:      Hijacking, Security Bypass, Manipulation of data, DoS
Released:    2005-02-08

SCO has issued an update for racoon. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service), establish unauthorised connections, bypass certain security restrictions, and conduct MitM (Man-in-the-Middle) attacks.
Full Advisory:
http://secunia.com/advisories/14178/

--

[SA14168] Ubuntu update for emacs21-bin-common

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-02-08

Ubuntu has issued an update for emacs21-bin-common. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14168/

--

[SA14166] OmniWeb IDN Spoofing Security Issue

Critical:    Moderately critical
Where:       From remote
Impact:      Spoofing
Released:    2005-02-07

Eric Johanson has reported a security issue in OmniWeb, which can be exploited by a malicious web site to spoof the URL displayed in the address bar, SSL certificate, and status bar.

Full Advisory:
http://secunia.com/advisories/14166/

--

[SA14164] Safari IDN Spoofing Security Issue

Critical:    Moderately critical
Where:       From remote
Impact:      Spoofing
Released:    2005-02-07

Eric Johanson has reported a security issue in Safari, which can be exploited by a malicious web site to spoof the URL displayed in the address bar, SSL certificate, and status bar.

Full Advisory:
http://secunia.com/advisories/14164/

--

[SA14162] KDE Applications IDN Spoofing Security Issue

Critical:    Moderately critical
Where:       From remote
Impact:      Spoofing
Released:    2005-02-07

Eric Johanson has reported a security issue in Konqueror, which can be exploited by a malicious web site to spoof the URL displayed in the address bar and status bar.

Full Advisory:
http://secunia.com/advisories/14162/

--

[SA14158] Debian update for python2.2

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, Exposure of sensitive information, System access
Released:    2005-02-07

Debian has issued an update for python2.2. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/14158/

--

[SA14150] Fedora update for python

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, Exposure of sensitive information, System access
Released:    2005-02-07

Fedora has issued an update for python. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/14150/

--

[SA14148] GNU Emacs "popmail()" Format String Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-02-08

A vulnerability has been reported in GNU Emacs, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14148/

--

[SA14137] Ubuntu Postfix IPv6 Relaying Security Issue

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-02-04

Ubuntu has issued an update for postfix. This fixes a security issue, which can be exploited by malicious people to use a vulnerable system as an open relay.

Full Advisory:
http://secunia.com/advisories/14137/

--

[SA14133] Mozilla Application Suite "MSG_UnEscapeSearchUrl()" Buffer Overflow

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-02-04

HP has confirmed a vulnerability in Mozilla Application Suite for Tru64 UNIX, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14133/

--

[SA14129] Ubuntu update for python

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, Exposure of sensitive information, System access
Released:    2005-02-04

Ubuntu has issued updates for python2.2 and python2.3. These fix a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/14129/

--

[SA14201] Avaya krb5 Two Vulnerabilities

Critical:    Moderately critical
Where:       From local network
Impact:      Privilege escalation, System access
Released:    2005-02-10

Avaya has acknowledged some vulnerabilities in krb5, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges and by malicious users to potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14201/

--

[SA14132] HP CIFS Server Security Descriptor Parsing Integer Overflow

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2005-02-04

HP has acknowledged a vulnerability in CIFS Server, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14132/

--

[SA14130] Sun Solaris Samba Integer Overflow Vulnerability

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2005-02-04

Sun has acknowledged a vulnerability in Solaris, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14130/

--

[SA14184] Fedora update for postgresql

Critical:    Less critical
Where:       From remote
Impact:      Unknown, Security Bypass, Privilege escalation
Released:    2005-02-08

Fedora has issued an update for postgresql. This fixes various vulnerabilities, where some have an unknown impact and others can be exploited by malicious users to gain escalated privileges or bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/14184/

--

[SA14170] UnixWare / OpenServer TCP Connection Reset Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-02-08

SCO has acknowledged a vulnerability in UnixWare and OpenServer, which can be exploited by malicious people to reset established TCP connections on a vulnerable system.
Full Advisory:
http://secunia.com/advisories/14170/

--

[SA14228] Mandrake update for squid

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass, DoS
Released:    2005-02-11

MandrakeSoft has issued an update for squid. This fixes a vulnerability and a security issue, which can be exploited by malicious users to bypass certain security restrictions and by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14228/

--

[SA14157] Debian update for squid

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass, DoS
Released:    2005-02-07

Debian has issued an update for squid. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions or cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14157/

--

[SA14226] Mandrake update for mysql

Critical:    Less critical
Where:       Local system
Impact:      Manipulation of data, Exposure of sensitive information, Privilege escalation
Released:    2005-02-11

MandrakeSoft has issued an update for mysql. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/14226/

--

[SA14218] Debian update for xview

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-02-10

Debian has issued an update for xview. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/14218/

--

[SA14213] XView "xv_parse_one()" Buffer Overflow Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-02-10

Erik Sjölund has reported a vulnerability in XView, which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/14213/

--
[SA14203] Mandrake update for perl

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-02-09

MandrakeSoft has issued an update for perl. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/14203/

--
[SA14200] Avaya Various Products Kernel Vulnerabilities

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation, DoS
Released:    2005-02-09

Avaya has acknowledged some vulnerabilities in various products, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/14200/

--
[SA14199] Mandrake update for perl-DBI

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-02-09

MandrakeSoft has issued an update for perl-DBI. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/14199/

--
[SA14198] IBM AIX auditselect Format String Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-02-09

iDEFENSE has reported a vulnerability in IBM AIX, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/14198/

--
[SA14188] Mac OS X Finder Insecure File Creation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-02-08

vade79 has discovered a vulnerability in Finder, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory:
http://secunia.com/advisories/14188/

--
[SA14186] Red Hat update for perl

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-02-08

Red Hat has issued an update for perl. This fixes two vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/14186/

--
[SA14176] SCO OpenServer "enable" Buffer Overflow Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-02-08

A vulnerability has been reported in OpenServer, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/14176/

--
[SA14175] UnixWare update for foomatic-rip

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-02-08

SCO has issued an update for foomatic-rip. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/14175/

--
[SA14173] IBM AIX chdev Format String Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-02-08

iDEFENSE has reported a vulnerability in AIX, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/14173/

--
[SA14171] Gentoo update for postgresql

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-02-08

Gentoo has issued an update for postgresql. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/14171/

--
[SA14159] osh "iopen()" Buffer Overflow Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-02-08

Charles Stevenson has reported a vulnerability in osh, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/14159/

--
[SA14152] Avaya PDS Multiple Privilege Escalation Vulnerabilities

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-02-07

Avaya has acknowledged some vulnerabilities in PDS, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/14152/

--
[SA14151] Debian update for postgresql

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-02-07

Debian has issued an update for postgresql. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/14151/

--
[SA14139] Debian update for ncpfs

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-02-04

Debian has issued an update for ncpfs. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/14139/

--
[SA14138] Ubuntu update for cpio

Critical:    Less critical
Where:       Local system
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2005-02-04

Ubuntu has issued an update for cpio. This fixes a vulnerability, which can be exploited by malicious, local users to disclose and manipulate information.
Full Advisory:
http://secunia.com/advisories/14138/

--
[SA14153] Avaya CMS UDP End Point Handling Denial of Service

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2005-02-07

Avaya has acknowledged a vulnerability in CMS, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14153/

Other:
--
[SA14136] Linksys PSUS4 Print Server HTTP POST Request Denial of Service

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2005-02-04

Rstack team has reported a vulnerability in Linksys PSUS4, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14136/

Cross Platform:
--
[SA14216] F-Secure Multiple Products ARJ Archive Handling Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-02-10

ISS X-Force has reported a vulnerability in multiple F-Secure products, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14216/

--
[SA14179] Symantec Multiple Products UPX Parsing Engine Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-02-09

ISS X-Force has reported a vulnerability in multiple Symantec products, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14179/

--
[SA14205] MyPHP Forum Multiple SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-02-10

foster GHC has reported some vulnerabilities in MyPHP Forum, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/14205/

--
[SA14181] xGB Administrative User Authentication Bypass Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-02-08

Albania Security Clan has reported a vulnerability in xGB, which can be exploited by malicious people to bypass the user authentication and gain administrative access.

Full Advisory:
http://secunia.com/advisories/14181/

--
[SA14165] Netscape IDN Spoofing Security Issue

Critical:    Moderately critical
Where:       From remote
Impact:      Spoofing
Released:    2005-02-07

Eric Johanson has reported a security issue in Netscape, which can be exploited by a malicious web site to spoof the URL displayed in the address bar, SSL certificate, and status bar.

Full Advisory:
http://secunia.com/advisories/14165/

--
[SA14163] Mozilla / Firefox / Camino IDN Spoofing Security Issue

Critical:    Moderately critical
Where:       From remote
Impact:      Spoofing
Released:    2005-02-07

Eric Johanson has reported a security issue in Mozilla / Firefox / Camino, which can be exploited by a malicious web site to spoof the URL displayed in the address bar, SSL certificate, and status bar.

Full Advisory:
http://secunia.com/advisories/14163/

--
[SA14154] Opera IDN Spoofing Security Issue

Critical:    Moderately critical
Where:       From remote
Impact:      Spoofing
Released:    2005-02-07

Eric Johanson has reported a security issue in Opera, which can be exploited by a malicious web site to spoof the URL displayed in the address bar, SSL certificate, and status bar.

Full Advisory:
http://secunia.com/advisories/14154/

--
[SA14143] Chipmunk Forum Multiple SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-02-07

GHC vision has reported some vulnerabilities in Chipmunk Forum, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/14143/

--
[SA14142] CMScore Multiple SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-02-07

GHC vision has reported some vulnerabilities in CMScore, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/14142/

--
[SA14141] BXCP "show" Local File Inclusion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2005-02-07

Majest has reported a vulnerability in BXCP, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/14141/

--
[SA14128] Python SimpleXMLRPCServer Library Module Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, Exposure of sensitive information, System access
Released:    2005-02-04

Graham Dumpleton has reported a vulnerability in Python, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/14128/

--
[SA14183] BrightStor ARCserve Backup Discovery Service Buffer Overflow

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2005-02-08

Patrik Karlsson has reported a vulnerability in BrightStor ARCserve/Enterprise Backup, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14183/

--
[SA14160] Mozilla / Firefox Three Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of data
Released:    2005-02-08

mikx has discovered three vulnerabilities in Mozilla and Firefox, which can be exploited by malicious people to plant malware on a user's system, conduct cross-site scripting attacks and bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/14160/

--
[SA14135] PowerDNS Traffic Handling Denial of Service Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-02-04

A vulnerability has been reported in PowerDNS, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14135/

--
[SA14131] Claroline Add Course Script Insertion Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-02-04

Yiannis Girod has reported a vulnerability in Claroline, which can be exploited by malicious users to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/14131/

--
[SA14204] Emdros MQL Parser Memory Leak Vulnerabilities

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2005-02-09

Some vulnerabilities have been reported in Emdros, which potentially can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14204/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

From isn at c4i.org Mon Feb 14 05:23:48 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Feb 14 05:29:11 2005
Subject: [ISN] Clarke joins latest cyberterror debate
Message-ID:

http://news.zdnet.co.uk/internet/security/0,39020375,39187582,00.htm

Dan Ilett
ZDNet UK
February 11, 2005

Proposals for a World Security Organisation to tackle cyberterrorism continue to alarm experts, including former White House cybersecurity chief Richard Clarke.

Richard Clarke, the former White House cyber security advisor, has criticised a UK company for using the term "cyberterrorism".

DK Matai, chairman of security consultancy company mi2g, put forward proposals to the Oxford University Internet Institute on Thursday night for a World Security Organisation to tackle cyberterrorism. Matai argued that the threat was so great that governments should consider setting up electronic counter-attack forces to battle radical groups and organised criminals online.

In response Clarke, who was a security advisor to four US presidents, said he disliked use of the word "cyberterror" as he doesn't believe it actually exists.

"Cyberterrorism is not a term I like," said Clarke, now chairman of Good Harbor Consulting. "Many different groups use cyber-vulnerabilities and it's hard to know who they are. Some may be terrorists, but not many. It's a very serious problem that costs millions, but it's not terrorism."

Matai made his proposals in a lecture to the Oxford University Internet Institute, an academic forum that debates on the development of the Web. Members include Derek Wyatt MP, chairman of the All Party Internet Group, and Richard Allan MP, chairman of the European Information Society Group.
Other security experts are also unconvinced that cyberterror poses a genuine threat, with one leading anti-virus expert branding the plans as "barmy".

Last year, the UK president of the Information Systems Security Association Richard Starnes said that cyberterror was not yet a reality.

"Cyberterrorism is a word that the press loves because it gets people to read stories," Starnes said. "A good portion of what we get is not terrorism. Terrorism is where you try and change the political situation of a country by using terror. Web defacements don't really count for that. Terrorists use the Internet for recruiting, fundraising and research, but not a lot else."

Other observers share his scepticism. Speaking at the CeBIT technology fair last year, security expert Bruce Schneier, chief technology officer of Counterpane Internet Security, said the threat posed by cyberterrorism had been overestimated. He added that rather than fostering a climate of fear, disrupting the Net and other communications networks would probably just annoy people.

From isn at c4i.org Mon Feb 14 05:24:30 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Feb 14 05:29:13 2005
Subject: [ISN] Linux Advisory Watch - February 11th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  February 11th, 2005                          Volume 6, Number 6a   |
+---------------------------------------------------------------------+

Editors:      Dave Wreski                      Benjamin D. Thomas
              dave@linuxsecurity.com           ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for python, squid, php, emacs, postgres, evolution, mailman, hztty, hwbrowser, cups, hotplug, xpdf, kdegraphics, gallery, perl, and squirrelmail.
The distributors include Debian, Fedora, Gentoo, Mandrake, Red Hat, and SuSE.

---

>> Enterprise Security for the Small Business <<

Never before has a small business productivity solution been designed with such robust security features. Engineered with security as a main focus, the Guardian Digital Internet Productivity Suite is the cost-effective solution small businesses have been waiting for.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn07

---

Are Your Servers Secure?
By Blessen Cherian

In a word, No. No machine connected to the internet is 100% secure. This doesn't mean that you are helpless. You can take measures to avoid hacks, but you cannot avoid them completely. This is like a house: when the windows and doors are open, the probability of a thief coming in is high; if the doors and windows are closed and locked, the probability of being robbed is lower, but still not nil.

What is Information Security?

For our purposes, Information Security means the methods we use to protect sensitive data from unauthorized users.

Why do we need Information Security?

The entire world is rapidly becoming IT enabled. Wherever you look, computer technology has revolutionized the way things operate. Some examples are airports, seaports, telecommunication industries, and TV broadcasting, all of which are thriving as a result of the use of IT. "IT is everywhere."

A lot of sensitive information passes through the Internet, such as credit card data, mission critical server passwords, and important files. There is always a chance of someone viewing and/or modifying the data while it is in transmission. There are countless horror stories of what happens when an outsider gets someone's credit card or financial information. He or she can use it in any way they like and could even destroy you and your business by taking or destroying all your assets.
As we all know, "An ounce of prevention beats a pound of cure," so to avoid such critical situations, it is advisable to have a good security policy and security implementation.

Read complete feature story:
http://www.linuxsecurity.com/content/view/118211/49/

----------------------

Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, and is therefore very simple. If the feedback is good, I'll consider creating more complex guides for advanced users. Please let us know what you think and how these can be improved.

Click to view video demo:
http://www.linuxsecurity.com/content/view/118181/49/

---

The Tao of Network Security Monitoring: Beyond Intrusion Detection

To be honest, this was one of the best books that I've read on network security. Other books often dive so deeply into technical discussions, they fail to provide any relevance to network engineers/administrators working in a corporate environment. Budgets, deadlines, and flexibility are issues that we must all address. The Tao of Network Security Monitoring is presented in such a way that all of these are still relevant. One of the greatest virtues of this book is that it offers real-life technical examples, while backing them up with relevant case studies.

http://www.linuxsecurity.com/content/view/118106/49/

---

Encrypting Shell Scripts

Do you have scripts that contain sensitive information like passwords and you pretty much depend on file permissions to keep it secure? If so, then that type of security is good provided you keep your system secure and some user doesn't have a "ps -ef" loop running in an attempt to capture that sensitive info (though some applications mask passwords in "ps" output).
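The two LinuxSecurity.com items above, the file permissions tutorial and the Encrypting Shell Scripts teaser, meet in one practical check. The Python below is an added example written for this digest, not code from the LinuxSecurity.com tutorial or the feature story: it converts between the symbolic permission string that ls -l prints and the octal mode that chmod takes (including the setuid, setgid and sticky markers), and it audits a secrets file before a script trusts its contents, refusing anything group- or world-readable. The function names are mine and the file used in demo() is a constructed temporary file.

```python
import os
import stat
import tempfile

# Permission letters and the octal digit each contributes within a triplet.
_BITS = {"r": 4, "w": 2, "x": 1}


def parse_symbolic_mode(symbolic: str) -> int:
    """Convert an ls-style string such as 'rwxr-x---' (optionally preceded by
    the file-type character, e.g. '-' or 'd') into a numeric mode for chmod.
    In the execute positions 's'/'t' mean setuid|setgid|sticky plus execute,
    while 'S'/'T' mean the special bit without execute."""
    s = symbolic.strip()
    if len(s) == 10:            # drop the leading type character
        s = s[1:]
    if len(s) != 9:
        raise ValueError(f"expected 9 permission characters, got {symbolic!r}")
    mode = 0
    for i, ch in enumerate(s):
        shift = 6 - 3 * (i // 3)     # owner bits at 6, group at 3, other at 0
        pos = i % 3                  # 0 = r, 1 = w, 2 = x
        if ch == "-":
            continue
        if pos == 2 and ch in "sStT":
            if ch in "st":
                mode |= 1 << shift
            mode |= (stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX)[i // 3]
            continue
        if ch != "rwx"[pos]:
            raise ValueError(f"unexpected {ch!r} at position {i} in {symbolic!r}")
        mode |= _BITS[ch] << shift
    return mode


def to_symbolic(mode: int) -> str:
    """Inverse of parse_symbolic_mode: the 9-character string ls would print."""
    out = []
    for shift, special, flag in ((6, stat.S_ISUID, "s"),
                                 (3, stat.S_ISGID, "s"),
                                 (0, stat.S_ISVTX, "t")):
        out.append("r" if mode & (4 << shift) else "-")
        out.append("w" if mode & (2 << shift) else "-")
        executable = bool(mode & (1 << shift))
        if mode & special:
            out.append(flag if executable else flag.upper())
        else:
            out.append("x" if executable else "-")
    return "".join(out)


def secret_file_problems(path: str) -> list:
    """Reasons a file is unsuitable for holding a secret. Empty list = fine.
    Checked: it must be a regular file (lstat, so a symlink is rejected too),
    nobody but the owner may read it, and nobody but the owner may write it,
    since a writable secrets file lets another user alter what the script does."""
    st = os.lstat(path)
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    perm = stat.S_IMODE(st.st_mode)
    if perm & (stat.S_IRGRP | stat.S_IROTH):
        problems.append("readable by group or others")
    if perm & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    return problems


def harden_secret_file(path: str) -> int:
    """Apply the tutorial's chmod 600 (owner read/write only) and return
    the resulting permission bits."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.lstat(path).st_mode)


def demo() -> dict:
    """Constructed walk-through on a temporary file: start from the common
    but too-open 0644, audit, harden, audit again."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        before = secret_file_problems(path)
        after_mode = harden_secret_file(path)
        after = secret_file_problems(path)
        return {"before": before, "after_mode": after_mode, "after": after}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(to_symbolic(parse_symbolic_mode("-rwxr-x---")), demo())
```

A script that reads its password from a file that passes secret_file_problems(), instead of taking it on the command line or handing it to a child process as an argument, also keeps the value out of the process listing that the teaser's "ps -ef" loop would otherwise collect.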
http://www.linuxsecurity.com/content/view/117920/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New Python2.2 packages fix unauthorised XML-RPC access
  4th, February, 2005

  For the stable distribution (woody) this problem has been fixed in version 2.2.1-4.7. No other version of Python in woody is affected.
  http://www.linuxsecurity.com/content/view/118182

* Debian: New squid packages fix several vulnerabilities
  4th, February, 2005

  LDAP is very forgiving about spaces in search filters and this could be abused to log in using several variants of the login name, possibly bypassing explicit access controls or confusing accounting.
  http://www.linuxsecurity.com/content/view/118184

* Debian: New php3 packages fix several vulnerabilities
  7th, February, 2005

  http://www.linuxsecurity.com/content/view/118192

* Debian: New emacs20 packages fix arbitrary code execution
  8th, February, 2005

  http://www.linuxsecurity.com/content/view/118207

* Debian: New PostgreSQL packages fix arbitrary library loading
  4th, February, 2005

  http://www.linuxsecurity.com/content/view/118186

* Debian: New xemacs21 packages fix arbitrary code execution
  8th, February, 2005

  http://www.linuxsecurity.com/content/view/118210

* Debian: New xview packages fix potential arbitrary code execution
  9th, February, 2005

  http://www.linuxsecurity.com/content/view/118222

* Debian: New evolution packages fix arbitrary code execution as root
  10th, February, 2005

  Max Vozeler discovered an integer overflow in a helper application inside of Evolution, a free groupware suite. A local attacker could cause the setuid root helper to execute arbitrary code with elevated privileges.
  http://www.linuxsecurity.com/content/view/118234

* Debian: New mailman packages fix several vulnerabilities
  10th, February, 2005

  http://www.linuxsecurity.com/content/view/118235

* Debian: New hztty packages fix local utmp exploit
  10th, February, 2005

  http://www.linuxsecurity.com/content/view/118245

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Core 3 Update: system-config-printer-0.6.116.1.1-1
  4th, February, 2005

  http://www.linuxsecurity.com/content/view/118187

* Fedora Core 3 Update: hwbrowser-0.19-0.fc3.2
  4th, February, 2005

  http://www.linuxsecurity.com/content/view/118188

* Fedora Core 3 Update: python-2.3.4-13.1
  4th, February, 2005

  An object traversal bug was found in the Python SimpleXMLRPCServer.
  http://www.linuxsecurity.com/content/view/118190

* Fedora Core 3 Update: postgresql-7.4.7-1.FC3.2
  7th, February, 2005

  http://www.linuxsecurity.com/content/view/118202

* Fedora Core 2 Update: postgresql-7.4.7-1.FC2.2
  7th, February, 2005

  http://www.linuxsecurity.com/content/view/118203

* Fedora Core 2 Update: cups-1.1.20-11.11
  8th, February, 2005

  A problem with PDF handling was discovered by Chris Evans, and has been fixed. The Common Vulnerabilities and Exposures project (www.mitre.org) has assigned the name CAN-2004-0888 to this issue. FEDORA-2004-337 attempted to correct this but the patch was incomplete.
  http://www.linuxsecurity.com/content/view/118212

* Fedora Core 3 Update: cups-1.1.22-0.rc1.8.5
  8th, February, 2005

  A problem with PDF handling was discovered by Chris Evans, and has been fixed. The Common Vulnerabilities and Exposures project (www.mitre.org) has assigned the name CAN-2004-0888 to this issue. FEDORA-2004-337 attempted to correct this but the patch was incomplete.
  http://www.linuxsecurity.com/content/view/118213

* Fedora Core 2 Update: hotplug-2004_04_01-1.1
  8th, February, 2005

  This update fixes updfstab in the presence of multiple USB plug/unplug events.
  http://www.linuxsecurity.com/content/view/118214

* Fedora Core 3 Update: emacs-21.3-21.FC3
  8th, February, 2005

  This update fixes the CAN-2005-0100 movemail vulnerability and backports the latest bug fixes.
  http://www.linuxsecurity.com/content/view/118219

* Fedora Core 2 Update: xpdf-3.00-3.8
  9th, February, 2005

  http://www.linuxsecurity.com/content/view/118223

* Fedora Core 3 Update: xpdf-3.00-10.4
  9th, February, 2005

  http://www.linuxsecurity.com/content/view/118224

* Fedora Core 3 Update: kdegraphics-3.3.1-2.4
  9th, February, 2005

  http://www.linuxsecurity.com/content/view/118225

* Fedora Core 2 Update: kdegraphics-3.2.2-1.4
  9th, February, 2005

  http://www.linuxsecurity.com/content/view/118226

* Fedora Core 2 Update: gpdf-2.8.2-4.1
  9th, February, 2005

  http://www.linuxsecurity.com/content/view/118230

* Fedora Core 3 Update: gpdf-2.8.2-4.2
  9th, February, 2005

  http://www.linuxsecurity.com/content/view/118231

* Fedora Core 3 Update: mailman-2.1.5-30.fc3
  10th, February, 2005

  There is a critical security flaw in Mailman 2.1.5 which will allow attackers to read arbitrary files.
  http://www.linuxsecurity.com/content/view/118243

* Fedora Core 2 Update: mailman-2.1.5-8.fc2
  10th, February, 2005

  There is a critical security flaw in Mailman 2.1.5 which will allow attackers to read arbitrary files.
  http://www.linuxsecurity.com/content/view/118244

* Fedora Core 2 Update: mod_python-3.1.3-1.fc2.2
  10th, February, 2005

  Graham Dumpleton discovered a flaw affecting the publisher handler of mod_python, used to make objects inside modules callable via URL.
  http://www.linuxsecurity.com/content/view/118252

* Fedora Core 3 Update: mod_python-3.1.3-5.2
  10th, February, 2005

  Graham Dumpleton discovered a flaw affecting the publisher handler of mod_python, used to make objects inside modules callable via URL.
  http://www.linuxsecurity.com/content/view/118253

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: pdftohtml Vulnerabilities in included Xpdf
  9th, February, 2005

  pdftohtml includes vulnerable Xpdf code to handle PDF files, making it vulnerable to execution of arbitrary code upon converting a malicious PDF file.
  http://www.linuxsecurity.com/content/view/118221

* Gentoo: LessTif Multiple vulnerabilities in libXpm
  6th, February, 2005

  Multiple vulnerabilities have been discovered in libXpm, which is included in LessTif, that can potentially lead to remote code execution.
  http://www.linuxsecurity.com/content/view/118191

* Gentoo: PostgreSQL Local privilege escalation
  7th, February, 2005

  The PostgreSQL server can be tricked by a local attacker to execute arbitrary code.
  http://www.linuxsecurity.com/content/view/118199

* Gentoo: OpenMotif Multiple vulnerabilities in libXpm
  7th, February, 2005

  Multiple vulnerabilities have been discovered in libXpm, which is included in OpenMotif, that can potentially lead to remote code execution.
  http://www.linuxsecurity.com/content/view/118193

* Gentoo: Python Arbitrary code execution through SimpleXMLRPCServer
  8th, February, 2005

  Python-based XML-RPC servers may be vulnerable to remote execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/118216

* Gentoo: Python Arbitrary code execution through SimpleXMLRPCServer
  10th, February, 2005

  Python-based XML-RPC servers may be vulnerable to remote execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/118240

* Gentoo: Mailman Directory traversal vulnerability
  10th, February, 2005

  Mailman fails to properly sanitize input, leading to information disclosure.
  http://www.linuxsecurity.com/content/view/118242

* Gentoo: Gallery Cross-site scripting vulnerability
  10th, February, 2005

  The cross-site scripting vulnerability that Gallery 1.4.4-pl5 was intended to fix did not actually resolve the issue. The Gallery Development Team have released version 1.4.4-pl6 to properly solve this problem.
  http://www.linuxsecurity.com/content/view/118251

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

* Mandrake: Updated perl-DBI packages
  8th, February, 2005

  Javier Fernandez-Sanguino Pena discovered the perl5 DBI library created a temporary PID file in an insecure manner, which could be exploited by a malicious user to overwrite arbitrary files owned by the user executing the parts of the library. The updated packages have been patched to prevent these problems.
  http://www.linuxsecurity.com/content/view/118217

* Mandrake: Updated perl packages fix
  8th, February, 2005

  Updated perl package.
  http://www.linuxsecurity.com/content/view/118218

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Updated Perl packages fix security issues
  7th, February, 2005

  Updated Perl packages that fix several security issues are now available for Red Hat Enterprise Linux 3.
  http://www.linuxsecurity.com/content/view/118195

* RedHat: Updated mailman packages fix security
  10th, February, 2005

  Updated mailman packages that correct a mailman security issue are now available.
  http://www.linuxsecurity.com/content/view/118239

* RedHat: Updated kdelibs and kdebase packages correct
  10th, February, 2005

  Updated kdelib and kdebase packages that resolve several security issues are now available.
  http://www.linuxsecurity.com/content/view/118246

* RedHat: Updated mod_python package fixes security issue
  10th, February, 2005

  An updated mod_python package that fixes a security issue in the publisher handler is now available.
  http://www.linuxsecurity.com/content/view/118247

* RedHat: Updated emacs packages fix security issue
  10th, February, 2005

  Updated Emacs packages that fix a string format issue are now available.
  http://www.linuxsecurity.com/content/view/118248

* RedHat: Updated xemacs packages fix security issue
  10th, February, 2005

  Updated XEmacs packages that fix a string format issue are now available.
  http://www.linuxsecurity.com/content/view/118249

* RedHat: Updated Squirrelmail package fixes security
  10th, February, 2005

  An updated Squirrelmail package that fixes several security issues is now available for Red Hat Enterprise Linux 3.
  http://www.linuxsecurity.com/content/view/118250

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

* SuSE: kernel bugfixes and SP1 merge
  4th, February, 2005

  Two weeks ago we released the Service Pack 1 for our SUSE Linux Enterprise Server 9 product. Due to the strict code freeze we were not able to merge all the security fixes from the last kernel update on Jan 23rd (SUSE-SA:2005:003) into this kernel.
  http://www.linuxsecurity.com/content/view/118185

* SuSE: squid (SUSE-SA:2005:006)
  10th, February, 2005

  The last two squid updates from February the 1st and 10th fix several vulnerabilities. The impact of them ranges from remote denial-of-service over cache poisoning to possible remote command execution.
  http://www.linuxsecurity.com/content/view/118241

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Feb 14 05:24:58 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Feb 14 05:29:16 2005
Subject: [ISN] Cisco readies security product blitz
Message-ID:

http://news.com.com/Cisco+readies+security+product+blitz/2100-7347_3-5573255.html

By Marguerite Reardon
Staff Writer, CNET News.com
February 11, 2005

Cisco is preparing to announce a major overhaul of its security portfolio next week, with upgrades to several of its existing products.

On Tuesday, at the RSA Conference in San Francisco, the company plans to announce the largest set of upgrades to its security products in three years, sources say. The new enhancements should help the company catch up to leading vendors, focusing on such areas as secure socket layer virtual private networks and intrusion prevention.

The upgrades should also help Cisco fulfill its promise of a "self-defending" network, beefing up security on IP telephony and other applications, while also extending network protection to the desktop. And to help corporate customers keep track of new threats, sources say, Cisco is also improving its management products.

Cisco declined to comment on the specifics of its announcements next week, but has scheduled a press briefing at the security show.

Security is an important market for Cisco. It is one of six new areas Cisco has been focusing on to help expand its overall business. So far, security has been proven to be a good investment for the company. Last quarter, revenues from security products were up 30 percent from a year earlier.

Cisco's strength in security has come not from having the best products in every category, but from having a wide breadth of offerings, analysts say. Next week's announcements should help level the playing field against the pure security vendors while cementing Cisco's dominance as a network-level security provider, they add.
"Cisco isn't known as a security company," said Zeus Kerravala, an analyst with the Yankee Group. "They sell security as part of a network strategy. But it's clear they are serious about providing more security in the network. They are definitely the security leader among networking vendors."

Nitty gritty

One of the more important upgrades to be announced next week is on Cisco's SSL VPN product, sources say. SSL VPNs allow users to remotely connect to the corporate network using a standard Web browser. Currently, Cisco's product only supports Web-based applications. The new version will allow users to access some non-Web applications, too, such as e-mail residing on a corporate mail server.

Such upgrades are an important addition to the product, since they will allow remote workers to use their Web browsers to connect to the corporate network rather than a difficult-to-manage IPsec client that must be pre-installed. SSL VPN competitors, such as Juniper Networks, through its Netscreen acquisition, and Aventail have been supporting non-Web applications in their products for some time.

Cisco has also beefed up its intrusion detection product by adding prevention software that can correlate possible symptoms of a worm or virus attack to determine whether certain traffic should be blocked. The new software will put Cisco's product on par with those from traditional security companies such as McAfee, say experts.

Cisco also plans to announce that it has added security features to its PIX Firewall that will make it more friendly to IP telephony protocols. The Cisco firewall has not been able to identify some of these protocols, leaving voice over IP traffic vulnerable to attacks.

To give customers more choice with respect to how they deploy this technology, Cisco is updating its Internetwork Operating System (IOS) so that many of these new security features can also run on its switches and routers, sources report.
The company has also added more security features to its desktop security agent. This software is a big component of Cisco's Network Admission Control architecture, designed to prevent worms and viruses from entering the network. The security agent sits on individual workstations, identifying malicious code in communications between network software systems. When it detects a virus or worm, it denies access to the PC. Cisco has supposedly enhanced this software by adding new anti-spyware protection meant to identify and remove malicious programs before they jump from a PC to the network.

Cisco also plans to introduce a new blade that fits into its Catalyst switches to help prevent denial-of-service attacks on Web servers.

Finally, Cisco will announce improvements to its network management tools using some technology that it recently acquired from Protego. This technology, acquired in December, aggregates and correlates information about security threats, so that network managers can detect attacks.

From isn at c4i.org Mon Feb 14 05:25:30 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Feb 14 05:29:18 2005
Subject: [ISN] China's Big Export - When it comes to spying, Beijing likes to flood the zone
Message-ID:

http://www.time.com/time/magazine/article/0,9171,1027457,00.html
http://www.amazon.com/exec/obidos/ASIN/B00007BK3L/c4iorg (Subscribe to Time Magazine)

By BRIAN BENNETT
Feb. 13, 2005

Ning Wen and his wife were arrested last fall at their home office in Manitowoc, Wis., for allegedly sending their native China $500,000 worth of computer parts that could enhance missile systems. As these naturalized citizens await trial, similar episodes in Mount Pleasant, N.J., and Palo Alto, Calif., point only to the tip of the iceberg, according to FBI officials keeping tabs on more than 3,000 companies in the U.S. suspected of collecting information for China.
A hotbed of activity is Silicon Valley, where the number of Chinese espionage cases handled by the bureau increases 20% to 30% annually. Says a senior FBI official: "China is trying to develop a military that can compete with the U.S., and they are willing to steal to get [it]." But instead of assigning one well-trained agent to pursue a target, "the Chinese are very good at putting a lot of people on just a little piece and getting a massive amount of stuff home," says a U.S. intelligence official.

The number of Chinese snoops is staggering, if only because average civilians are enlisted in the effort. FBI officials say state security agents in China debrief many visitors to the U.S. before and after their trips, asking what they saw and sometimes telling them what to get.

The FBI, severely criticized for its investigation of physicist Wen Ho Lee in the mid-'90s, has added hundreds more counterintelligence agents and put at least one in every Energy Department research facility. The bureau also started cooperation initiatives with corporations, but still sees universities as a soft spot, with some 150,000 Chinese currently studying in the U.S. The FBI's three most recent counterintelligence arrests were of suspects who had held student visas at some point. To help sort the few who go to America to spy from the thousands who go there for a better life, the FBI relies heavily on Chinese informants. Says a high-ranking Silicon Valley agent: "We have almost more assets than we can deal with."

- With reporting by Timothy J. Burger and Elaine Shannon

From isn at c4i.org Mon Feb 14 05:25:53 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Feb 14 05:29:19 2005
Subject: [ISN] IBM DB2 Flaws Found
Message-ID:

http://www.eweek.com/article2/0,1759,1764124,00.asp

By Lisa Vaas
February 11, 2005

Several flaws have been discovered in IBM's DB2 Universal Database that can be exploited to cause DoS attacks, to reveal sensitive information, to read and manipulate file content, or to compromise vulnerable systems.

An advisory posted Thursday on the bug-reporting site Secunia rates the flaws as moderately critical, with IBM having already issued a FixPak for DB2 versions 8.x. IBM's advisory states that the vulnerabilities were discovered on Dec. 10.

The new vulnerabilities follow close on the heels of three FixPaks that IBM released in October to address multiple vulnerabilities in DB2 on Linux, Unix and Windows platforms.

One of the flaws is an error in the Windows platform relating to the way system resources are used; it can be exploited to cause a denial-of-service attack, to grab users' passwords or to view other query results.

A second flaw has to do with processing of network messages while establishing a database connection or instance attachment. Attackers can exploit the flaw to execute arbitrary code.

Another flaw deals with missing restrictions in some XML Extender user-defined functions. Exploits result in malicious users being able to read or manipulate file content.

Finally, when creating certain databases within federated support, attackers can exploit a flaw that allows them to execute arbitrary code on vulnerable systems.

IBM advises all users of Unix, Linux and Windows platforms, as well as users of DB2 UDB clients, servers and Connect gateway installations, to install FixPaks 6a, 6b and 7a. IBM advises all of the above users, plus users of DB2 XML Extender, to install FixPak 8.
Windows-specific fixes in FixPak 8 also apply to DB2 clients, but the risk isn't serious, according to IBM, and therefore the fix isn't crucial.

In general, IBM advises DB2 UDB administrators to upgrade all DB2 client, server and Connect gateway instances on all supported platforms to DB2 UDB Version 8.1 FixPak 8 "as soon as possible." The only exceptions are DB2 UDB client instances on Version 8.1 FixPak 6a, 6b or 7a, which don't need to move up to the FixPak 8 level.

From isn at c4i.org Tue Feb 15 03:06:56 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 15 03:13:19 2005
Subject: [ISN] Hacker invades 'War of the Worlds' Web site
Message-ID:

http://news.com.com/Hacker+invades+War+of+the+Worlds+Web+site/2100-7349_3-5575660.html

By Dan Ilett
Special to CNET News.com
February 14, 2005

A Brazilian hacker has defaced the Web site of Steven Spielberg's "War of the Worlds," which is set to be released in cinemas this summer, according to a security group.

Zone-H.org, a Web site that records defacements, reported that the hacker broke into the Paramount Pictures-owned Web site on Sunday. The content, including a trailer for the movie featuring Tom Cruise, was replaced by black-and-white graphics and a message from the hacker.

The defacer, who goes by the nickname "Un-root," apparently hacked the Linux system through a vulnerability in an Apache Web server.

"That is embarrassing for them," said Jason Hart, director of security for WhiteHat UK. "If you look at Zone-H, there are a lot of hackers coming out of Brazil. It may be the increase in broadband or wireless access points. But there are certainly more."

Hart added that poorly patched servers were often the cause of many defacements.

"People are becoming more relaxed about security," Hart said. "It's about basic steps--just keep testing and have simple security frameworks. People think you need sophisticated answers, but you don't. Just make sure you have patch management."
The site for "War of the Worlds," the film version of H.G. Wells' novel, had been restored by Monday lunchtime in the United Kingdom. Paramount Pictures was unable to comment on the incident at the time of writing.

Last year, Brazilian federal police arrested 53 suspects on charges of stealing $93 million from online banking customers. Security experts have said that Brazil is a hacking hot spot of the world.

From isn at c4i.org Tue Feb 15 03:07:30 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 15 03:13:22 2005
Subject: [ISN] Book Review - Kerberos: The Definitive Guide
Message-ID:

http://books.slashdot.org/books/05/02/14/210238.shtml

Title: Kerberos: The Definitive Guide
Author: Jason Garman
Pages: 272
Publisher: O'Reilly and Associates
Rating: 7/10
Reviewer: Jose Nazario
ISBN: 0596004036
Summary: A comprehensive, cross platform guide to Kerberos
Buy from Amazon: http://www.amazon.com/exec/obidos/ASIN/0596004036/c4iorg

I got started using Kerberos many moons ago, at my university. This is probably how many people got to know about it. While I didn't use it very much, it's there that I learned the basics and experimented a bit with Kerberos. Interest in it took off after Microsoft incorporated Kerberos authentication mechanisms into Windows 2000. Suddenly it wasn't such arcane knowledge.

Two open source Kerberos implementations exist, the MIT reference implementation, and the Heimdal Kerberos implementation. Even then, there are two main versions which you can find, Kerberos IV and Kerberos V. Kerberos IV went away for most environments with the passing of the Y2K mark, but some legacy apps need support. So, you still have to deal with it on occasion.

In writing Secure Architectures with OpenBSD, I got a lot more intimate with Kerberos, and even set up a decently sized realm in my house. Hence, I got to experience the turmoil of setup and debugging. A book like Kerberos: The Definitive Guide (K:TDG) would have been very welcome.
Instead, I slogged my way through it, and got it to work for the most part.

K:TDG will help you set up your Kerberos world by introducing you to the complex subject, terminology, and the pieces. Once you learn the basics, you recognize that a simple realm is actually somewhat easy to set up. The author, Jason Garman, uses a mixed Mac OS X, UNIX, and Windows environment, focusing on UNIX most of the time. The bulk of the examples deal with MIT Kerberos 5 version 1.3 (krb5-1.3) but should work for most versions. Some attention is given to the Heimdal implementation (which is integrated with BSD, for example), and for the most part you'll be OK. Windows examples are also pretty copious but always come second. If you're comfortable with UNIX, you'll easily be able to translate these into Windows examples to help bridge the Windows gaps.

Chapter 1 is an obligatory Introduction, a short chapter that introduces the key concepts of Kerberos and what the book will cover. A very quick comparison of Kerberos to DCE, SESAME, and earlier versions of Kerberos is given. This chapter serves as a nice selling point for the book; it's the type of thing you'd flip through in the book store to decide if you should buy the book or not.

Chapter 2 is a decent overview for the new user of Kerberos to the system and how it works. Kerberos is placed into its role in an AAA infrastructure - authentication, authorization, and accounting - as well as some caveats that are commonly made. You'll learn about core Kerberos features like tickets, realms, principals, instances, ticket granting tickets, and the ticket cache. A decent overview for practical purposes is given, but you will definitely want another resource if you're interested in diving headlong into Kerberos.

These pieces come together in Chapter 3, where the actual protocols are described. They're laid out for a non-cryptographer, so go elsewhere if you want to learn the real formal material behind the system.
Understanding the protocols is important to understanding the service as a whole. For someone new to Kerberos, you'll probably want to spend a little more time reading this to get oriented in the Kerberos world. The chapter doesn't mess around too much and delivers a fair treatment of the material.

Chapter 4 is the meat of the book's material, setting up your implementation. It all starts with the KDC (key distribution center) and realm initialization. Again, the bulk of the treatment is on the MIT implementation on UNIX, with the Heimdal and then Windows sections following next. Slave KDCs are also introduced, which is useful for large environments. An OS X server is missing, but Kerberos clients for all three (UNIX, Windows and OS X) are covered. The role of DNS is also explained well, a useful touch that's missing in some Kerberos documents I've used in the past. This chapter will get you started, and with some of the supplied documentation you should be up and running in no time.

Chapter 5 is devoted to troubleshooting, an all too familiar task for a new Kerberos administrator. Common problems, their diagnosis, and resolution are discussed. I like the presentation of this chapter and think it will be useful for most real-world situations you'll encounter.

Security concerns with Kerberos are covered in Chapter 6, which discusses concrete and abstract attacks on the Kerberos scheme. Since all of the security in Kerberos resides in your KDC hosts, obviously this covers some of the material. However, the clients can expose your Kerberos realm to attacks, as well, and how to circumvent these problems is covered. A decent and practical chapter, and covered on both UNIX and Windows.

In Chapter 7 a number of Kerberos enabled applications are discussed. After all, you can do more than just log on locally with Kerberos, you can use remote login programs like SSH, remote access scenarios like printing, and even control X via Kerberos.
While not every application that I would have liked was covered, the treatment was fair and should get you started with a number of Kerberos enabled tools in your new realm.

A strong selling point of the book is given in Chapter 8, titled Advanced Topics. Three main topics are discussed. The first is cross-realm authentication, where you have more than one separate Kerberos realm on your network but you want to have users switch between the two without creating accounts in the other. This can get tricky, and the book does a decent job of introducing it, but it's not as complete as it could be. The second main topic in this chapter is Kerberos 4 and 5 interoperability, which is relatively straightforward. Most Kerberos 5 implementations come with tools to process Kerberos 4 ticket scenarios to handle legacy applications. And finally, a really valuable section covers UNIX and Windows Kerberos interoperability, a hairy issue. Again, incomplete but strong enough that you should be able to get it working with some elbow grease. This is probably the most valuable chapter of the book, which does a decent job at the introductory level, but you'll be left to tie up a few loose ends on your own.

An obligatory case study is given in Chapter 9, where you can see a number of configuration samples and even a mixed Windows-UNIX environment. Not terribly useful when compared to chapters 4 and 8, but overall worthwhile. It may answer some of your questions, even.

Chapter 10 wraps up the book with a look at Kerberos futures, which isn't all that useful, honestly. What gets more useful is the appendix, which gives an administration reference. Lots of commands are given for MIT, Heimdal and even for Windows, so you can quickly jump there to refresh your memory on a topic.

Overall this book is recommended if you need a place to start working on Kerberos, especially in a mixed environment.
The MIT and Heimdal documents are a fair place to start for a UNIX only Kerberos realm, but if you find they aren't enough, this is probably the right book for you. The book's main strength is that it covers Kerberos on the three main platforms in use (Windows, OS X, and UNIX), although it could provide a deeper treatment to the mixed environment than it gives. Still, you should be able to use this as a starting point, and it's probably the best treatment I've seen so far on Kerberos setup and administration.

From isn at c4i.org Tue Feb 15 03:07:41 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 15 03:13:24 2005
Subject: [ISN] Juvenile sentenced in Microsoft attack
Message-ID:

http://seattletimes.nwsource.com/html/localnews/2002178457_blaster12m.html

By Maureen O'Hagan
Seattle Times staff reporter
February 12, 2005

A juvenile was sentenced yesterday in U.S. District Court to probation and community service in connection with a computer worm attack on Microsoft's main Web site.

The juvenile admitted releasing a worm, known as the RPCSDBOT, in August 2003 and then directing infected computers to attack the Microsoft site. The site was shut down for about four hours.

The U.S. Attorney's Office, which prosecuted the case, said federal law prevents it from releasing details about the juvenile, even the defendant's gender. It did say the juvenile was 14 when the crime occurred.

The cyberattack occurred around the same time as another worm attack on Microsoft's Web site. In that case, Jeffrey Lee Parson created a variant of the Blaster worm that infected about 1,200 Internet addresses. Parson, 19, a Minnesota resident, was sentenced last month to 1½ years in prison.

Initially, authorities wondered whether the two attacks were related, but they were not.

At the juvenile's sentencing yesterday, the juvenile said, "Seventeen months ago, I made the worst mistake I ever made in my life. I did it out of curiosity and did not think I would cause any damage.
I am sorry I created problems for people I did not even know."

Judge Robert Lasnik took the juvenile's contrition to heart and replied, "You know what you did was wrong, and you aren't going to do it again."

Lasnik sentenced the teen to three years of probation and required the teen to undergo mental-health counseling and perform 300 hours of community service. The judge also required the juvenile to update him by letter every six months, describing the community-service activities and how the experience has affected the juvenile.

The U.S. Attorney's Office said yesterday that the investigation of the Blaster worm is continuing.

From isn at c4i.org Tue Feb 15 03:07:54 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 15 03:13:27 2005
Subject: [ISN] WebTV hacker may get 'prison channel'
Message-ID:

http://sanjose.bizjournals.com/sanjose/stories/2005/02/14/daily13.html

By Timothy Roberts
February 14, 2005

A Louisiana man pleaded guilty Monday in U.S. District Court in San Jose to sending phony e-mail messages containing a malicious script that, when clicked on, reprogrammed WebTV boxes to dial up 9-1-1.

David Jeansonne was accused of committing the crimes from his home in Metairie, La. He was charged in California because the WebTV computer servers are located in Santa Clara. WebTV is a product of Microsoft Corp. (NASDAQ: MSFT) that allows customers to use their TV sets as a monitor while connecting to the Internet.

Mr. Jeansonne, 44, pleaded guilty to intentional damage to a protected computer causing a threat to public health and safety, and causing intentional damage to a protected computer causing at least $5,000 in damages. His sentencing is expected to take place in March. He faces up to 10 years in prison and a fine of up to $250,000 on each of the two counts.

According to an affidavit, Mr. Jeansonne targeted 18 people across the country from Rochester, N.Y., to San Diego, with whom he had had some exchange in the past.
The hoax reached a total of 21 people. Police responded to 10 of the victims in July 2002 after their WebTV boxes dialed up 9-1-1.

The FBI learned from WebTV that Mr. Jeansonne was a widely known computer hacker, whose WebTV account it had closed 17 times in the past. The FBI obtained an indictment and arrested Mr. Jeansonne on Feb. 18, 2004.

The WebTV case underscores the need for computer users to take care when opening e-mail, says Christopher Sonderby, Assistant United States Attorney based in San Jose. "Don't click on e-mail links that you don't already know and trust," he says.

From isn at c4i.org Tue Feb 15 03:08:12 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 15 03:13:30 2005
Subject: [ISN] You Call This Trustworthy Computing?
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml;jsessionid=NKDW2KTVVSCQ4QSNDBCSKH0CJUMEKJVN?articleID=60400363

By John Foley
InformationWeek
Feb. 14, 2005

When Bill Gates takes the stage at the RSA conference in San Francisco this week, you can be sure he'll give an upbeat assessment of Windows security. The pending acquisition of security vendor Sybari Software Inc., disclosed last week, adds to a growing portfolio of products that promise to batten down Windows networks. And, as he's done in the past, Microsoft's chairman likely will detail other accomplishments and forward-looking plans that portray a company delivering on his 3-year-old promise to make Windows environments "trustworthy."

It's a compelling message, except for one unavoidable fact: The software patches just keep coming. Microsoft last week issued a dozen security bulletins addressing 17 software vulnerabilities, tantamount to a shotgun blast of holes through the company's product line. Nine bulletins, many graded "critical" in importance, affect various versions of Windows. Others address problems with Microsoft's .Net Framework, SharePoint Services, Windows Media Player, MSN Messenger, Internet Explorer, and Office suite.
Even Microsoft's most-secure operating system, Windows XP Service Pack 2, wasn't immune: More than half the bulletins involve SP2. To repair all the vulnerabilities in all affected products would require more than 60 patches on English-language computers alone.

"It's an almost endless list," says Kyle Ohme, director of IT with Freeze.com, a Web-site operator that uses about four dozen Windows servers, some of which are IBM blade servers, to offer screen savers to millions of users each day. By Microsoft's own account, the vulnerabilities leave its software open to everything from buffer overruns to remote code execution. Just one day after Microsoft posted the patches, someone released exploit code to attack one of the vulnerabilities. "If we don't patch, we definitely have the ability to be exploited relatively soon," Ohme says.

So Ohme and many IT professionals like him were busy last week assessing, downloading, testing, and deploying Microsoft's latest round of patches across their IT infrastructures. It's a process that can take days or even weeks. "For us, and the resources we have, it could [have been] a daunting task to get all of those patches to all of our systems quickly enough," says Daniel Hereford, data-security officer with First Bank and Trust Co. In January, the bank began using a service from Qualys Inc. to locate vulnerabilities and ensure that they're fixed, and now it reacts more quickly to Microsoft's monthly security bulletins. "Ninety percent of our software-security issues are centered around Windows," Hereford says.

Despite all the work involved, it's an improvement compared with Windows security three years ago. In January 2002, following the Code Red and Nimda virus attacks that hit many Microsoft customers hard, Gates made "trustworthy computing" the company's top priority.
Since then, Microsoft has trained its programmers to write more-secure code, established a predictable patch schedule, released more-secure operating systems (Windows Server 2003 and Windows XP), and acquired security products from other companies to fill gaps in its own line. "They've taken the right initiatives," Hereford says.

There's still much more to do, as last week's bug blast and Sybari acquisition demonstrate. Key missing pieces are Windows Update Services and Microsoft Update, both of which promise to help companies roll out patches more quickly to Windows and other Microsoft products. Windows Update Services, which has been delayed twice, is in testing now and scheduled for availability by midyear. And, while Microsoft has acquired a variety of security companies and products over the past two years--including GeCAD Software (antivirus), Giant Company Software (spyware detection), and Pelican Software (behavior-based security)--it hasn't shown how or when all the pieces will fit together.

Microsoft security VP Mike Nash last week tried to clear up some of the confusion. During a Webcast to discuss the newly issued patches and the Sybari acquisition, Nash said Microsoft is "working hard" on desktop antivirus software that's based on the GeCAD antivirus scanning engine. That software will be tweaked to work with the Sybari products this year. The Sybari acquisition is expected to close by midyear, pending regulatory approval (see story, All For One: Microsoft Ups Its Security Software Tools [1]).

Nash acknowledged it's important that customers be able to manage Microsoft's security tools together. "We do think that there needs to be a management capability to allow enterprises to both control and monitor their security technologies like anti-spam and antivirus," he said. "We're currently working through specific requirements."

There appears to be a ready market for security products that come directly from Microsoft.
Last month, the company released a test version of the Giant Software tool, now called Windows AntiSpyware, and it's already been downloaded more than 5 million times. The product will go through at least one more test before release, Nash says.

However, there's a problem: Windows AntiSpyware itself has become the target of virus writers. Malicious code aimed at the product attempts to suppress warning messages it displays and to delete all files within the program's folder. "This is the beginning of a wave of attempts to undermine the effectiveness of this new product," predicts Gregg Mastoras, senior security analyst with security software company Sophos plc.

Microsoft officials insist things are moving in the right direction, pointing out that Windows Server 2003 has had half as many security bulletins as Windows 2000 Server over the same period, that the number of annual security bulletins is on a downward trend, and that there's a sharp increase in usage of its software-update services. Last week, the company released a test version of Windows Server 2003 Service Pack 1, which promises improved security. "We have made progress toward our goals," writes a company spokeswoman, "but there is still a lot of work to be done."

That includes delivering a more bulletproof version of Windows. "They still haven't shipped a desktop operating system that was designed and coded after they started caring about security," says Gartner analyst John Pescatore via E-mail. The next-generation of Windows, code-named Longhorn, is due next year. Among other security advances, Longhorn is expected to minimize situations in which PC users have administrative privileges, leaving systems more open to attack.

Many customers credit Microsoft with making progress. "Microsoft is absolutely stepping up to the challenge," says Jason Stefanich, client-server engineering manager with Dow Corning Corp., where high-priority patches are usually completed within a day.
Even so, Dow Corning is using a product from Ardence Inc. that moves the operating system off desktop PCs and onto servers, in part to provide better security and more manageable updates. And while the manufacturer uses Windows XP to drive those PCs, it hasn't yet upgraded to Service Pack 2, which Microsoft bills as its most-secure desktop environment. "It breaks a lot of [applications]. We can't have 8,000 people calling our help desk with issues," Stefanich says. "Microsoft missed the boat with SP2."

So it goes. Microsoft customers are getting better at securing their Windows environments, partly because Microsoft is providing tools to help, but also through increased attention to internal processes, use of third-party products, and new tactics. Freeze has placed Windows' Internet Information Services, a favorite target of hackers, behind a firewall. Instead, its Windows-based Web servers run open-source Apache software.

No one is calling Windows security easy. "It's a big pain," says an IT manager with an East Coast manufacturing company who manages about 200 PCs. "It's not something we feel is under our control." The company is contemplating a move to Microsoft's Systems Management Server to automate software updates. How are those done now? Manually, one computer at a time.

Microsoft remains focused on making things better, says the spokeswoman. "Ultimately, what matters is not what we say, but what we do," she says. When Bill Gates talks this week, that's something to remember.

-- With George V. Hulme and TechWeb's Gregg Keizer

[1] http://www.informationweek.com/story/showArticle.jhtml?articleID=60400364

From isn at c4i.org Wed Feb 16 10:03:33 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Feb 16 10:11:02 2005
Subject: [ISN] Flash Review: A Hacker Manifesto
Message-ID:

http://www.amazon.com/exec/obidos/ASIN/0674015436/c4iorg

Title: A Hacker Manifesto
Author: McKenzie Wark
Pages: 160 pages
Publisher: Harvard University Press
Reviewer: f0rensik [at] attrition.org
ISBN: 0674015436

A Hacker Manifesto is a tough read. I've found that reading some parts and then going back to others helps me make sense of it, but it's just very dense. Also, the author loves to say things in convoluted and difficult ways whenever he can. It's as if he's showing off how many big words he knows; and annoying as hell. What's frustrating is that I can tell that the author has some interesting ideas; I started to see glimmers of real concepts in the section on education, but it's buried under jargon.

Reviewer bio: F0rensik is a recent MIT Computer Science grad, whose viewpoint is well respected around InfoSec News.

From isn at c4i.org Wed Feb 16 10:05:01 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Feb 16 10:11:04 2005
Subject: [ISN] Hack.lu 2005 Call for Papers
Message-ID:

Forwarded from: Alexandre Dulaunoy

== Call for Papers hack.lu 2005 ==

The purpose of the hack.lu convention is to give an open and free playground where people can discuss the implications of new technologies for society. hack.lu is a balanced mix convention where technical and non-technical people can meet each other and freely share all kinds of information.

The convention will be held in the Grand-Duchy of Luxembourg in August or September 2005 (soon to be defined). The convention is open to everyone.
=== Scope ===
Topics of interest include, but are not limited to:
* Software Engineering
* Honeypots/Honeynets
* Electronic/Digital Privacy
* Wireless Network and Security
* Attacks on Information Systems and/or Digital Information Storage
* Electronic Voting
* Free Software and Security
* Assessment of Computer, Electronic Devices and Information Systems
* Standards for Information Security
* Legal and Social Aspects of Information Security
* Software Engineering and Security

=== Deadlines ===
Abstract submission: 1 April 2005
Full paper submission: 15 May 2005

=== Submission guidelines ===
Authors should submit a paper in English/French of up to 5,000 words, using a non-proprietary and open electronic format. The program committee will review all papers and the author of each paper will be notified of the result by electronic means. Abstracts are up to 400 words. Submissions must be sent to: hack2005-paper(AT)hack.lu
Submissions should also include the following:
# Presenter, and geographical location (country of origin/passport) and contact info.
# Employer and/or affiliations.
# Brief biography, list of publications or papers.
# Any significant presentation and/or educational experience/background.
# Reason why this material is innovative or significant or an important tutorial.
# Optionally, any samples of prepared material or outlines ready.
The information will be used only for the sole purpose of the hack.lu convention, including the information on the public website. If you want to remain anonymous, you have the right to use a nickname.

=== Publication and rights ===
Authors keep the full rights on their publication/papers but give an unrestricted right to redistribute their papers for the hack.lu convention and its related electronic/paper publication.
=== Sponsoring ===
If you want to support the initiative and gain visibility by sponsoring, please contact us by writing an e-mail to supportus(AT)hack.lu

=== Web site and wiki ===
http://www.hack.lu/

From isn at c4i.org Wed Feb 16 10:05:41 2005 From: isn at c4i.org (InfoSec News) Date: Wed Feb 16 10:11:17 2005 Subject: [ISN] White House Eyes NSA for Network 'Traffic Cop' Message-ID: Forwarded from: Jon Erickson http://www.washingtonpost.com/wp-dyn/articles/A25583-2005Feb15.html By Ted Bridis AP Technology Writer February 15, 2005 The Bush administration is considering making the National Security Agency -- famous for eavesdropping and code breaking -- its "traffic cop" for ambitious plans to share homeland security information across government computer networks, a senior NSA official says. Such a decision would expand NSA's responsibility to help defend the complex network of data pipelines carrying warnings and other sensitive information. It would also require significantly more money for the ultra-secret spy agency. The NSA's director for information assurance, Daniel G. Wolf, was expected to outline his agency's potential role during a speech Wednesday at the RSA technology conference in San Francisco. In an interview preceding his speech, Wolf told The Associated Press that computer networks at U.S. organizations are like medieval castles, each protected by different-size walls and moats. As the U.S. government moves increasingly to share sensitive security information across agencies, weaknesses inside one department can become opportunities for outsiders to penetrate the entire system, Wolf warned. Attackers could steal sensitive information or deliberately spread false information. "If someone isn't working on being a traffic cop, giving guidance on how secure they need to be, a risk that is taken by one castle is really shared by other castles," Wolf said. "Who's defining the standards? Who says how high the walls should be?"
The NSA already helps protect systems deemed vital to the nation's security, such as those involved in intelligence, cryptography and weapons. Wolf said the administration is considering whether to designate its fledgling information-sharing efforts also under the NSA's purview. The White House Office of Management and Budget currently directs efforts by civilian agencies to secure their computer networks. The NSA's information security programs are highly regarded among experts. "Bring it on. This clearly ought to be done," said Paul Kurtz, a former White House cybersecurity adviser and head of the Washington-based Cyber Security Industry Alliance, a trade group. "This will raise the bar across the federal government to a far more secure infrastructure." Congress has directed the NSA and the Department of Homeland Security to study the architecture and policies of computers for sharing sensitive homeland security information. In the latest blueprint for U.S. intelligence spending, lawmakers warned that attackers always search for weak links and that connecting distant systems "will further increase the vulnerability of networks that originally were developed to be substantially isolated from one another." It's unclear how the NSA's efforts would affect private companies, which own and operate many of the electrical, water, banking and other systems vital to government. Wolf said the agency already works to secure such systems important to military installations, but he denied that NSA would have any new regulatory authority over private computers. "When we talk about being the traffic cop, we're not in charge of these networks," Wolf said. "We're not running these networks." It also was unclear how much the effort might cost.
"If you're going to have a network that everyone in government can get into, that means some agencies are going to have to come up to meet new, higher standards, and that's expensive," said James Lewis, director of technology policy at the Center for Strategic and International Studies, a conservative think-tank.

From isn at c4i.org Wed Feb 16 10:06:12 2005 From: isn at c4i.org (InfoSec News) Date: Wed Feb 16 10:11:19 2005 Subject: [ISN] Security gaps in federal computers Message-ID: http://cnews.canoe.ca/CNEWS/Canada/2005/02/15/931808-cp.html February 15, 2005 OTTAWA (CP) - The personal information of Canadians is at risk due to "significant weaknesses" in government computer security that leave the digital door open to hackers and thieves, says the auditor general. In a highly critical report Tuesday, Sheila Fraser warns that federal agencies have failed to keep up with the demands of the electronic age, making sensitive files vulnerable. "If security weaknesses allowed someone to access a database or confidential information, Canadians' trust in the government would be greatly eroded," the report says. "Further, if a citizen's privacy were violated because of a failure to keep confidential information secure, it could cause that person hardship and seriously undermine the government's efforts to deliver services to Canadians electronically." Fraser told a news conference she was disappointed the government doesn't meet its own minimum standards for information technology security, even though most of them have been well known for more than a decade. The auditor general likened it to a homeowner leaving the back door open - eventually someone will break in. "Government must fill in the gaps," she said. "There are weaknesses in the system." But Fraser stopped short of urging Canadians to avoid using online federal services, saying she would continue to file her tax return by computer.
Information security is becoming increasingly important given that the federal government wants Canadians to have electronic access to key information and transactions by the end of the year. Growing use of the Internet, portable computer devices and wireless technologies has made access to data easy and affordable, the report notes. "This environment provides more opportunities for problems to occur, such as theft of data, malicious attacks or criminal actions." Treasury Board President Reg Alcock, minister responsible for government security policy, acknowledged the concerns Tuesday but said it's a "tough area for any organization, because the technology's always changing," requiring ongoing vigilance. New Democrat MP Peter Julian said the government doesn't seem to be taking the auditor general's points as seriously as it should. Fraser found the Treasury Board Secretariat was "not adequately fulfilling its role of monitoring and overseeing" the state of security across the government. Last May, the secretariat surveyed 90 departments and agencies on their security practices. Of the 46 that responded, only one agency met the basic requirements of the government security policy and related standards. The survey found:
* Sixteen per cent of departments didn't even have an information security policy. Of those that did, 33 per cent indicated it hadn't been formally approved by management.
* More than one-quarter of departments didn't have a policy requiring a plan to keep critical systems and services running in the event of a major attack or power failure.
Other internal studies flagged similarly worrisome problems. "Vulnerability assessments, conducted in departments and agencies over the last two years, have revealed significant weaknesses that, if exploited, could result in serious damage to government information systems," says Fraser's report.
Despite the potential for difficulties, many departments and agencies had yet to adequately assess threats and risks to their computer systems. In addition, there was often lax control of access to sensitive data and programs by people without authority to see it, the report says. In some cases, computer passwords were not set properly, and most organizations had no comprehensive program for monitoring who was using their digital networks. Fraser says there have been some advances since 2002 when she last examined these issues, but overall the government has made "unsatisfactory progress." Reasons for the continuing gaps include lack of money and people, as well as little interest in information technology security among senior management, the report says. Fraser's recommendations include preparation of action plans indicating when each department and agency intends to comply with security requirements. The report says the Treasury Board Secretariat has "responded positively" to the recommendations and, in some cases, is already taking action.

From isn at c4i.org Wed Feb 16 10:06:54 2005 From: isn at c4i.org (InfoSec News) Date: Wed Feb 16 10:11:22 2005 Subject: [ISN] Bad O-S design blamed for rise in bots Message-ID: http://www.smh.com.au/news/Breaking/Bad-OS-design-blamed-for-rise-in-bots/2005/02/15/1108229972070.html By Sam Varghese February 15, 2005 Computer users are today forced to wear the side effects of operating systems which had been designed with functionality and not security in mind, a senior executive of a major anti-virus company says. Allan Bell, the marketing director for McAfee Asia Pacific, made the comment in connection with today's release of a pan-European study into crime and the internet, titled the Virtual Criminology Report.
The study was commissioned by McAfee and conducted by security expert and computer criminologist Dr Peter Troxler, a researcher at ETH Zurich, the Swiss Federal Institute of Technology, with input from hi-tech crime units in Britain, France, Germany, the Netherlands, Spain and Italy. Bell said the study was born out of the success of an earlier white paper, also on cyber crime in Europe. The paper was mostly done in-house and after a largely positive response, McAfee decided to undertake this broader study. The activity documented by Dr Troxler includes extortion and protection rackets, fraud and theft on a pan-European and global scale, as well as new net-only scams. Referring to specifics, Bell said one example of functionality providing a way into a user's computer was the auto-execution of attachments in Outlook Express. "Someone may receive a music file and this email client is set to play it as soon as the email is opened; a malicious attacker can send a music file and also attach code that executes in the background while the music is playing," he said. "It's nice for the user but it has a big downside." The study says cyber crime had evolved from the stage where lone individuals were staging exploits to prove something to their peers, to one where an organised 'cyber mafia' was mobilising thousands of zombies to commit crime on a global scale. It said in Russia, the Ministry of Internal Affairs counted 7053 cybercrime cases in 2003, almost double that in 2002 (3782); last year, that number was 4995 in the first half of the year. The study illustrates the extent to which cyber crime is now a silent affair - the machines which are used are owned by people who do not know they are part of a vast bot network. Bell said that the way things were done, it was extremely difficult to track the IP of the actual criminal with the degree of certainty required to bring about a conviction.
The rate of growth of worms and malware was also increasing, with the study pointing out that while signature files for 300 new malicious threats were being put out per month some time back, today this figure had tripled to about 900 to 1000 per month, with the increase largely being in the number of bots. The study said that an estimated 70 percent of malicious code was written purely for profit. Further, organised gangs were recruiting lower-level attackers, the so-called script kiddies, and paying them to create malicious code for phishing, credit card and extortion scams. It quoted a spokesperson from Britain's National Hi-Tech Crime Unit (NHTCU) as saying: "We have seen intelligence to suggest that European organised crime is hiring hackers to carry out computer attacks." Gangs in Sweden, Latvia, and Russia were found to be targeting businesses worldwide, with British bookmakers and businesses in Australia and Japan affected. The study cited the case of Peter White a.k.a. 'iss' who offered the use of a bot in protection rackets for $US28,000 per month. Dr Troxler's investigation found that the going rate was as little as ?100 an hour for use of these bots. Dr Troxler also discovered evidence in Britain, the Netherlands, France and Italy of organised criminals exploiting script kiddies and hackers to do their bidding. In Germany, an organised network called Liquid FX had exploited the skills of young hackers to find vulnerable networks. The report found that more hardened criminals were hiding behind script kiddies to reduce their own exposure to risk, just as a drug runner would hide behind a teenaged dealer. Dr Troxler predicted that corporate espionage using bot-nets was one area that would see an increase in the next 12 months and cited the case of Jay Echouafi in Massachusetts who hired three script kiddies called Emp, Rain and sorCe to launch an attack on the websites of three competitors. They used a bot to launch the attack.
Bell said the sole purpose of the study was to educate people and not to spread panic.

From isn at c4i.org Wed Feb 16 10:07:19 2005 From: isn at c4i.org (InfoSec News) Date: Wed Feb 16 10:11:25 2005 Subject: [ISN] IE 7.0 Leaves Windows 2000 Users Out in the Cold Message-ID: http://www.eweek.com/article2/0,1759,1765331,00.asp By Ryan Naraine February 15, 2005 SAN FRANCISCO - After months of hemming and hawing on plans for a standalone Internet Explorer upgrade before Longhorn, Microsoft Corp. now plans to push out a browser refresh by July or August this year. But the news that IE 7.0 will be available only to Windows XP SP2 (Service Pack 2) customers isn't likely to sit well with security experts who argue that the threat from the Firefox browser is at the center of Microsoft's aggressive anti-spyware and anti-virus plans. The percentage of Web surfers using Firefox has risen steadily since June, but Microsoft officials are sidestepping the issue altogether. "When you run a business and you worry only about what your competitors are doing, that's not a long-term business proposition. You really need to be listening to your customers and that's what we're doing," said Gytis Barzdukas, director of product management in Microsoft's security business technology unit. "Yes, Firefox has come out with technologies that customers are evaluating. But, at our end, we can't worry too much about that. Customers have told us they want us to take a leadership position in security and they want us to make sure we secure the browsing experience," Barzdukas said in an interview with eWEEK.com. Like Microsoft Chairman Bill Gates, who announced the new version of IE at the RSA Conference here, Barzdukas stressed that IE 7.0 will build on and expand the progress made with SP2 and put in place defenses against malware, spyware and phishing attacks.
Asked to explain the rationale for limiting IE 7.0 to XP SP2 users when the majority of businesses are still running Windows 2000, Barzdukas left the door open slightly. "Windows XP SP2 is the scope of the project at the moment. That's what we feel comfortable committing to. We haven't closed the door on potentially providing it to other platforms," he said. However, Barzdukas argued that it was much easier for a company to consider migration to a new operating system than testing and deploying significant product upgrades. "When you do a certain amount of engineering, it gets to a tipping point. Customers have to decide whether to spend a lot of resources making sure their existing applications work properly. Or, they can decide that it's much more feasible to move to a new operating system," he said. "When we do all this engineering work, the architecture is changed significantly. In some cases, it's more expedient for customers to just move to a new operating system where the enhancements are easier to deploy," Barzdukas said. Last year, when Microsoft rolled out XP SP2 and declined to offer the security enhancements to Windows 2000 users, analysts grumbled that the Redmond, Wash.-based software giant was using security as a carrot to get businesses to upgrade. "Will customers be migrating [to XP] because they're trying to get the security benefits? Or are they spending money because Microsoft isn't shoring up Windows 2000 adequately? That's a legitimate question to ask," security analyst Michael Silver said at the time. Those criticisms are bound to resurface this time around as details of the security goodies in IE 7.0 start to dribble out. On the Internet Explorer blog, Dean Hachamovitch, head of the IE team, said the company would compare Windows 2000 customers' needs with the "engineering and logistical complexity" of back-porting the enhancements. "That's all I can say on that topic," he said. 
It's not yet clear if IE 7.0 will include nonsecurity enhancements that Web developers have been demanding. Those include fixed positioning in CSS (Cascading Style Sheets) and improved support for PNG (Portable Network Graphics). "We're not yet prepared to go into details about what will or won't be included in IE 7.0," Barzdukas said. The company has been using its Channel 9 Wiki to solicit feature ideas and feedback from IE users.

From isn at c4i.org Wed Feb 16 10:07:44 2005 From: isn at c4i.org (InfoSec News) Date: Wed Feb 16 10:11:27 2005 Subject: [ISN] Security lapses at nuclear plants spark terror fears Message-ID: http://news.scotsman.com/uk.cfm?id=176262005 JAMES KIRKUP POLITICAL CORRESPONDENT 16 Feb 2005 A LITANY of security failures at British nuclear sites has been revealed by government investigators, raising fears of a terrorist attack. The incidents, which even included a burglary, were uncovered by the Office for Civil Nuclear Safety (OCNS), an arm of the UK Atomic Energy Authority. The watchdog's reports are not normally published, but have come to light because of the Freedom of Information Act. During the 12 months ending April 2004, the agency recorded more than 40 security breaches, including eight incidents it classified as "failures of security leading to unacceptable or undesirable consequences". The disclosure could not come at a worse time for the government, which is preparing to authorise the controversial construction of a new generation of nuclear power stations later this year. The security failures identified in the report included:
* Security guards at nuclear plants failed to respond to intruder alarms when a burglary was in progress;
* Two unauthorised people were able to walk unchallenged around restricted areas;
* Classified information was left exposed to theft or electronic interception.
Several laptops and at least one CD containing restricted data were stolen; * Carelessness in handling documents meant that "sensitive" documents were found by members of the public. While the breaches were not violations of security around nuclear material itself, access to information about the operations and lay-out of nuclear sites could make the difference between a terrorist attack succeeding and failing. Since the Twin Towers attacks on 11 September, 2001, security has been stepped up at sensitive British sites including nuclear plants. Last year, the Parliamentary Office of Science and Technology, which advises MPs, found that while nuclear plants were relatively well protected, the disclosure of information could make them vulnerable. A ground-based attack "would require detailed site-specific knowledge of plant operations and design", the office concluded. The OCNS report said that at least one attempt to gain access to restricted sites was foiled when two individuals with forged papers were turned away as they tried to enter a rail yard. While government spokesmen would not identify which nuclear plants were involved in the security breaches, it is understood that the incidents were spread across all civil atomic facilities in Britain. There are seven active nuclear sites in Scotland. Norman Baker, the Liberal Democrat environment spokesman, said the flaws revealed by the OCNS report had damaged the case for nuclear power. "The nuclear industry always has the potential to cause environmental, security and terrorism problems, which is why it is more important for the industry to follow correct procedures and precautions than if it was making baked beans," he said. "It is now clear that the industry has not been following those procedures." The Department of Trade and Industry has responsibility for the nuclear sector and the OCNS. A spokesman said: "The director of Civil Nuclear Security has undiminished confidence in existing security arrangements. 
These have been significantly enhanced since 11 September, 2001, and are continually reviewed."

From isn at c4i.org Thu Feb 17 04:42:47 2005 From: isn at c4i.org (InfoSec News) Date: Thu Feb 17 04:52:24 2005 Subject: [ISN] Flash Review: A Hacker Manifesto Message-ID: Forwarded from: security curmudgeon
: http://www.amazon.com/exec/obidos/ASIN/0674015436/c4iorg
:
: Title: A Hacker Manifesto
: Author: McKenzie Wark
: Pages: 160 pages
: Publisher: Harvard University Press
: Reviewer: f0rensik [at] attrition.org
: ISBN: 0674015436
:
: A Hacker Manifesto is a tough read. I've found that reading some parts
: and then going back to others helps me make sense of it, but it's just
: very dense. Also, the author loves to say things in convoluted and
: difficult ways whenever he can. It's as if he's showing off how many big
: words he knows; and annoying as hell.
This book is on my "to review" list as well. As f0rensik says, reading this book is more likely to cause more headache than deep thought. It is clear that Wark is well read and has thought about the topics extensively. His choice in how to present the material is lacking. Imagine a poorly translated and convoluted book on some obscure philosophy, apply it to the hacker mindset, and you have _A Hacker Manifesto_. Personally I am hoping Wark will go back and release a companion to this book that strips out all the 5 point words he could dig up, and expands on some ideas and puts them in a little more real world context. In doing that, I believe Wark could potentially have the next great piece on defining the hacker mindset, and exploring how they will continue to shape our future.
From isn at c4i.org Thu Feb 17 04:43:58 2005 From: isn at c4i.org (InfoSec News) Date: Thu Feb 17 04:52:27 2005 Subject: [ISN] Security UPDATE -- A New IPS Test Report -- February 16, 2005 Message-ID:
====================
This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.
An Evaluation of the Total Cost of Ownership of Email Security Solutions
http://list.windowsitpro.com/t?ctl=21C9:4FB69
Security Administrator
http://list.windowsitpro.com/t?ctl=21D2:4FB69
====================
1. In Focus: A New IPS Test Report
2. Security News and Features
- Recent Security Vulnerabilities
- Serious Flaws in Symantec and F-Secure Protection Products
- Microsoft Investigating Anti-Anti-Spyware Trojan
3. Security Matters Blog
- How to Detect Network Sniffers
4. Security Toolkit
- FAQ
- Security Forum Featured Thread
5. New and Improved
- A Faster IPS
====================
==== Sponsor: Postini ====
An Evaluation of the Total Cost of Ownership of Email Security Solutions
Quantifying the Total Cost of Ownership (TCO) of email security solutions is a notoriously difficult task. Discover how Total Cost of Ownership is much more than the initial acquisition cost of a solution, and how you can save thousands of dollars each year without sacrificing accuracy, control or effectiveness in protecting your email systems. Download this free whitepaper now!
http://list.windowsitpro.com/t?ctl=21C9:4FB69
====================
==== 1. In Focus: A New IPS Test Report ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
You might recall that The NSS Group periodically releases in-depth test reports that can be very useful to security administrators looking for solutions.
Over the past couple of years, I have written twice about the group's product testing for Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs). In my September 24, 2003 article "Evaluating Intrusion Detection Systems," I wrote about the group's tests of IDSs for 10Mbps/100Mbps Ethernet and Gigabit Ethernet networks. In my March 17, 2004 article "Evaluating Intrusion Prevention Systems," I wrote about the group's tests of IPSs.
http://list.windowsitpro.com/t?ctl=21D9:4FB69
http://list.windowsitpro.com/t?ctl=21D5:4FB69
The NSS Group recently finished its second round of tests and has made the results available online. According to the group, testing "consists of seven sections within three primary areas: performance and reliability, security accuracy, and usability." The group also said that "the brand new test suite contains more than 800 individual tests, many of which are run multiple times, to provide the most thorough and complete evaluation anywhere of IPS products available today." An interesting tidbit from the latest report is that nine vendors signed up for the recent tests. However, four of the products didn't make the cut during stringent testing, so the final report covers the five remaining products. The current report includes detailed test information about BroadWeb NetKeeper NK-3256T 3.6.0, Fortinet FortiGate-800, SecureSoft Absolute IPS NP5G 1.1, Top Layer IPS 5500 3.3, and V-Secure V-100 7.0. A couple of other interesting notes are related to performance. During earlier tests, The NSS Group measured IDS and IPS top traffic-processing speeds of 1Gbps to 2Gbps; this year, top speeds well exceeded that threshold. So the group decided to launch a new multigigabit IPS test later this year. Ten vendors have reportedly already signed up for the next test. It's also interesting to note that industry analysts had previously claimed that IDS and IPS systems were things of the past.
But something is seriously wrong with that "analysis," because IDS and IPS systems are still being used, and according to The NSS Group, the number of available products has actually grown! The group said that over the last year, it has improved the testing suite and introduced a new methodology to conduct in-depth tests of rate-based IPS systems, which gives a more accurate evaluation of their capabilities as compared to the evaluation of content-based IPS systems. The report itself is great information for security administrators looking for evaluations of prospective product choices. The report is also valuable in that it offers details about the group's test methodologies as well as about the hardware and software solutions the group uses to conduct its tests. As has been the case in the past, the results of the new report are freely available at the group's Web site (see the first URL below). If you missed the past reports, you can find those online too (see the second URL below). If you want a copy of all reports on CD-ROM or copies of selected reports in PDF format, you can purchase those at the Web site.
http://list.windowsitpro.com/t?ctl=21DE:4FB69
http://list.windowsitpro.com/t?ctl=21E0:4FB69
Until next time, have a great week.
====================
==== Sponsor: Security Administrator ====
Try a Sample Issue of Security Administrator! Security Administrator is the monthly newsletter from Windows IT Pro that shows you how to protect your network from external intruders and control access for internal users. As an added bonus, paid subscribers get access to over 1900 searchable articles on the Web. Sign up now to get a 1-month trial issue--you'll feel more secure just knowing you did. Click here!
http://list.windowsitpro.com/t?ctl=21D2:4FB69
====================
==== 2. Security News and Features ====
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=21D0:4FB69
Serious Flaws in Symantec and F-Secure Protection Products
Internet Security Systems (ISS) reported that its X-Force research team has discovered a serious vulnerability in a Symantec parsing engine that's used in several of the company's products. ISS X-Force also discovered a critical flaw in F-Secure's antivirus and Internet security products. The flaw is in the way the products scan files that are compressed with ARJ compression.
http://list.windowsitpro.com/t?ctl=21D7:4FB69
Microsoft Investigating Anti-Anti-Spyware Trojan
by Paul Thurrott
Microsoft is investigating a new electronic attack that attempts to disable the Microsoft AntiSpyware beta product so that it can surreptitiously install spyware on users' systems.
http://list.windowsitpro.com/t?ctl=21D8:4FB69
====================
==== Resources and Events ====
Get Ready for SQL Server 2005 Roadshow in a City Near You
Get the Facts about Migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now!
http://list.windowsitpro.com/t?ctl=21CC:4FB69
Fax Servers: Integrate. Automate. Communicate
Attend this free Web seminar and receive a complimentary 30-day software evaluation, industry whitepaper, and a Starbuck's gift card!
Join industry expert David Chernicoff and learn how leading organizations are incorporating fax technologies to empower users and enhance existing investments in infrastructure and applications while providing substantial ROI. Register now!
http://list.windowsitpro.com/t?ctl=21CD:4FB69
Sensible Best Practices for Exchange Availability Web Seminar
If you're discouraged about not having piles of money for improving the availability of your Exchange server, join Exchange MVP Paul Robichaux for this free Web seminar and learn how to maximize your existing configuration. Survive unexpected outages, plan for the unplannable, and evaluate what your real business requirements are without great expense. Register now!
http://list.windowsitpro.com/t?ctl=21C8:4FB69
Keeping Critical Applications Running in a Distributed Environment
Get up to speed fast with solid tactics you can use to fix problems you're likely to encounter as your network grows in geographic distribution and complexity and learn how to keep your network's critical applications, such as Active Directory and Exchange, running. Don't miss this exclusive opportunity--register now!
http://list.windowsitpro.com/t?ctl=21CA:4FB69
Discover All You Need to Know About 64-bit Computing in the Enterprise
In this free Web seminar, industry guru Michael Otey explores the need for 64-bit computing and looks at the type of applications that can make the best use of it. He'll explain why the most important factor in the 64-bit platform is increased memory. Discover the best platform for high performance and learn how you can successfully differentiate, migrate, and manage between 32-bit and 64-bit technology. Register now!
http://list.windowsitpro.com/t?ctl=21CB:4FB69
====================
==== 3. Security Matters Blog ====
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=21DF:4FB69
Check out this recent entry in the Security Matters blog:
How to Detect Network Sniffers
I found a new free tool that can help detect network sniffers on your network. The new tool, Promqry 1.0, was developed by Tim Rains at Microsoft.
http://list.windowsitpro.com/t?ctl=21DA:4FB69
==== 4. Security Toolkit ====
FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=21DB:4FB69
Q. How can I enable complex passwords on my Windows Server 2003 Active Directory (AD) domain?
Find the answer at
http://list.windowsitpro.com/t?ctl=21D6:4FB69
Security Forum Featured Thread: Monitoring File System Changes
Jay wonders whether there's a utility that can monitor for file system changes when an application is installed. Jay wants to be able to detect all the files that have been added, deleted, or changed during the installation process. Join the discussion at
http://list.windowsitpro.com/t?ctl=21CE:4FB69
====================
==== Announcements ====
(from Windows IT Pro and its partners)
Try a Sample Issue of Exchange & Outlook Administrator!
If you haven't seen Exchange & Outlook Administrator, you're missing out on key information to help you migrate, optimize, administer, backup, recover, and secure Exchange and Outlook. Plus, paid subscribers receive exclusive online library access to every article we've ever published. Order now!
http://list.windowsitpro.com/t?ctl=21D4:4FB69
====================
==== 5. New and Improved ====
by Renee Munshi, products@windowsitpro.com
A Faster IPS
TippingPoint, a division of 3Com, announced that the TippingPoint 5000E Intrusion Prevention System (IPS), which can perform total packet inspection at 5Gbps with real-world traffic, will ship next month. TippingPoint claims that the 5Gbps throughput rate is "more than double any other IPS's maximum rated throughput."
TippingPoint 5000E comes with eight Gigabit Ethernet ports able to protect four network segments. The TippingPoint product line is automatically kept up-to-date through the Digital Vaccine service to protect against the latest worms, viruses, Trojan horses, Denial of Service (DoS) attacks, spyware, and Voice over IP (VoIP) threats. For more information about TippingPoint 5000E, go to http://list.windowsitpro.com/t?ctl=21E3:4FB69 Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com. Editor's note: Share Your Security Discoveries and Get $100 Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rsecadmin@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length. ==================== ==== Sponsored Links ==== Argent versus MOM 2005 Experts Pick the Best Windows Monitoring Solution http://list.windowsitpro.com/t?ctl=21E4:4FB69 Quest Software See Active Directory in a whole new light. And get a free flashlight! 
http://list.windowsitpro.com/t?ctl=21E5:4FB69 ==================== ==== Contact Us ==== About the newsletter -- letters@windowsitpro.com About technical questions -- http://list.windowsitpro.com/t?ctl=21E1:4FB69 About product news -- products@windowsitpro.com About your subscription -- windowsitproupdate@windowsitpro.com About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com ==================== This email newsletter is brought to you by Security Administrator, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today. http://list.windowsitpro.com/t?ctl=21D3:4FB69 View the Windows IT Pro privacy policy at http://list.windowsitpro.com/t?ctl=21D1:4FB69 Windows IT Pro, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2005, Penton Media, Inc. All rights reserved. From isn at c4i.org Thu Feb 17 04:44:20 2005 From: isn at c4i.org (InfoSec News) Date: Thu Feb 17 04:52:29 2005 Subject: [ISN] Software firms fault colleges' security education Message-ID: http://news.com.com/Software+firms+fault+colleges+security+education/2100-1002_3-5579014.html By Robert Lemos Staff Writer, CNET News.com February 16, 2005 SAN FRANCISCO -- Software companies are taking colleges to task for not producing computer science graduates who know how to create secure programs. In a two-hour panel session Tuesday at the Secure Software Forum here, Oracle, Microsoft and other software makers attempted to analyze why flawed software is still overwhelmingly the rule and not the exception in the industry. A major contributor, the companies said, is college students' lack of a good grounding in secure programming. 
"Unfortunately, if you are a vendor, you have to train your developers until the universities start doing it," said Mary Ann Davidson, chief security officer at Oracle, who kicked off the panel discussion that, while separate from the ongoing RSA Security Conference, addressed many of the same topics. The panel discussion is the software industry's latest soul-searching on security. While companies claim to want more secure software, in most cases, they have yet to put their money where their mouth is. Many software makers believe that better training of computer science graduates is a key step toward improving software quality, but some security researchers have criticized the industry, pointing out that industry demand for programmers generally does not give preference to those trained in secure programming. Fred Rica, a partner in PricewaterhouseCoopers' Threat and Vulnerability Assessment Services, likened the situation to sports. "Colleges produce athletes capable of going on to the NFL because their football programs know what is needed," he said. "We have to be very clear what types of skills we need from future graduates." Such thinking is driving Microsoft and other security companies to try and influence curricula at colleges. Microsoft has pledged $500,000 to 10 universities as part of a contest to create trustworthy-computing curricula, and several security firms have also established scholarships at a handful of schools. Private industry is not the only one attempting to kick-start better security education at universities. Several federal agencies, including the Department of Defense and the National Security Agency, have named several college programs as National Centers of Academic Excellence in a variety of security disciplines. Oracle's Davidson said education is only a start, noting that better tools need to be developed to spot common flaws. 
Such tools should be used by all developers because even well-trained, well-meaning developers can miss errors in programs. In one case, Oracle's security staff missed one out of 21 flaws during an audit, a mistake that cost the company $1 million to fix later, she said. "Even the people who 'get it' need good, automated tools," she said. However, others on the panel laid the blame for the problems squarely at the feet of software makers. Until companies are willing to foot the bill for security, applications will not get better, Rica said. When given a choice to put new features into a product or secure the old ones, software makers do not hesitate. "Functionality still trumps security," he said. "Functionality is still king." A Gartner study found that while companies put a lack of skills as a priority on their list of problems to be fixed, funding for developer training is second-to-last on their budgets. Ira Winkler, a security consultant and part of the panel, criticized the focus on college education and stressed that companies should not rely on schools to train developers. "I'm not going to hire someone straight out of college because they don't know anything," he said. "We need people who have on-the-job training." From isn at c4i.org Thu Feb 17 04:47:00 2005 From: isn at c4i.org (InfoSec News) Date: Thu Feb 17 04:52:32 2005 Subject: [ISN] [Vmyths.com ALERT] mi2g issues absurdly precise guesstimates Message-ID: Forwarded from: Vmyths.com Virus Hysteria Alert Vmyths.com Virus Hysteria Alert Truth About Computer Security Hysteria 16 February 2005 CATEGORY: Hysteria related to a publicity stunt On 16 February 2005, computer security firm "mi2g" unveiled its guesstimates for "global economic damage" over the last nine years resulting from "all types of digital risk manifestations." Vmyths dismisses mi2g's figures as a blatant publicity stunt. Every guess in mi2g's report is absurdly precise. 
In 2004, for example, they calculated the total "global economic damage" at $456,134,500,000 to $557,497,700,000. These figures reveal an accuracy of plus or minus $100,000, worldwide, for "all types of digital risk manifestations" in 2004. mi2g used SEVEN significant figures in many of their guesses. In economic terms, it means mi2g's underlying data must be accurate TO THE DIME, if not to the penny. As in, "the MyDoom attack caused precisely $368,714.2 in total economic damage to corporate site X, while the Klez virus caused precisely $117,644.9 in total economic damage to military site Y..." No respected economics expert will declare five significant figures -- let alone seven! -- for the total cost of the World Trade Center attack in September 2001. It would violate the economic analogy for Heisenberg's Uncertainty Principle. Yet mi2g offers absurdly precise global computer security economic damage guesstimates for every year back to 1995. mi2g has never explained how THEY ALONE can acquire enough absurdly accurate microeconomic data to satisfy their macroeconomic forecast model. Assuming such a model even exists. mi2g has repeatedly declared "$1,500.00" for the cost of one manday. But here's the catch: they won't call it a manday. Rather, they call it an "equivalent person day." mi2g has never adequately defined this term. We've highlighted mi2g in multiple Hysteria Alerts and we maintain a "Hysteria roll call" resource on them dating back to 1999: mi2g "Hysteria roll call" resource: http://Vmyths.com/resource.cfm?id=64&page=1 Hysteria Alerts archive: http://Vmyths.com/resource.cfm?id=34&page=1 mi2g has threatened to sue Vmyths for libel (see < http://Vmyths.com/rant.cfm?id=497&page=4 > for details). For the record: we stand by our criticisms. However, Vmyths prides itself for an industry-leading "corrections and clarifications" page. Anyone may write to VeaCulpa@Vmyths.com to contest our claims & accusations. 
Anyone may visit http://Vmyths.com/rant.cfm?id=470&page=4 to rebut our opinions & criticisms. Do the math, folks. mi2g's guesstimates are a publicity stunt. Stay tuned to Vmyths. Rob Rosenberger, editor http://Vmyths.com Rob@Vmyths.com (319) 646-2800 CATEGORY: Hysteria related to a publicity stunt --------------- Useful links ------------------ Remember this when virus hysteria strikes http://Vmyths.com/resource.cfm?id=31&page=1 Common clichés in the antivirus world http://Vmyths.com/resource.cfm?id=22&page=1 False Authority Syndrome http://Vmyths.com/fas/fas1.cfm From isn at c4i.org Thu Feb 17 04:47:17 2005 From: isn at c4i.org (InfoSec News) Date: Thu Feb 17 04:52:34 2005 Subject: [ISN] With D+ On Their Report Card, Federal Security Officers Try A Study Group Message-ID: http://informationweek.com/story/showArticle.jhtml?articleID=60401476 By Eric Chabrow InformationWeek Feb. 16, 2005 The consistent failure of many federal agencies to secure their IT systems effectively has prompted government officials to create a new organization, to be funded by the private sector, to help federal chief information security officers improve cybersecurity. The formation of the CISO Exchange, announced Wednesday, came as the House Government Reform Committee issued a federal computer security report card in which the average grade for 2004 was a D+. Federal CISOs need better guidance to comply with the 2002 law that requires agencies to secure their IT systems and networks. In a survey of one-quarter of federal CISOs, 70% say they want clarification of guidelines; 53% recommended that guidance be improved on the annual security control tests conducted by agencies' inspectors general. "It's not sufficient to keep admonishing these guys," says Stephen O'Keefe, the head of an IT public relations, research, and events firm, who will serve as the CISO group's executive. "We have to provide a forum where they can have a seat at the table, learn from others, and get feedback on ideas." 
The creation of the CISO Exchange was announced by Rep. Tom Davis, the Virginia Republican who chairs the Government Reform Committee and the federal CIO Council, a congressionally mandated group of CIOs who represent major federal departments and agencies. Unlike the CIO Council, the CISO Exchange will be an informal organization aimed at giving 117 federal departmental and agency CISOs a common voice. The exchange will be co-chaired by Justice Department CIO Van Hitch, who chairs the CIO Council's cyber security and privacy committee, and Government Reform Committee staff director Melissa Wojciak. Davis, in a statement, said the exchange is patterned after other government efforts to cross-pollinate ideas and best practices between the private sector and government in order "to move our government to the top of the class in IT security." The CISO Exchange will hold quarterly education meetings as well as produce a report on federal IT security priorities and operations. O'Keefe says 100% of CISO Exchange funding will come from business, mostly IT security companies and not government coffers. No company has been asked to commit money to the venture, since O'Keefe says that CISO Exchange wanted to await the announcement of the group's formation before soliciting contributions. He says a number of companies have expressed interest in supporting the exchange, which doesn't yet have a budget. Seven cabinet departments received a grade of F on their computer security report card: Agriculture, Commerce, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, and Veterans Affairs. The grades for Commerce and Veterans Affairs dropped from 2003 scores of C- and C, respectively. The biggest jump in performance occurred at Transportation, which received an A- after getting a D+ in 2003. The Agency for International Development had the highest grade, an A+, up from a C- in 2003. 
In the CISO survey, conducted by Telos Corp., an IT security management provider, the vast majority of security officers said there was no correlation between the scorecard grades they received and government funding of IT security initiatives. "If there are no incentives for agencies to continue to comply with FISMA requirements," Telos chief security officer Richard Tracy says, "what's the point?" From isn at c4i.org Thu Feb 17 04:47:31 2005 From: isn at c4i.org (InfoSec News) Date: Thu Feb 17 04:52:36 2005 Subject: [ISN] Hacker who broke into mobile network pleads guilty Message-ID: http://www.cnn.com/2005/TECH/02/16/cell.phone.hacker.ap/ February 16, 2005 LOS ANGELES, California (AP) -- A hacker who broke into the network of T-Mobile USA Inc. and accessed personal information on hundreds of customers including a Secret Service agent has pleaded guilty to a felony hacking charge. Nicholas Lee Jacobsen, a 21-year-old computer engineer who now lives in Oregon, entered his plea Tuesday in U.S. District Court in Los Angeles. He faces up to five years in federal prison and a $250,000 fine when he is sentenced May 16. The break-in targeted the network of Bellevue, Washington-based T-Mobile USA, which has 16.3 million customers nationwide. It was discovered during a broader Secret Service investigation. T-Mobile acknowledged the hacker was able to view the names and Social Security numbers of 400 customers, all of whom it said were notified in writing about the break-in, which lasted at least seven months. The company said customer credit card numbers and other financial information were not revealed. Prosecutors alleged Jacobsen posted a notice on an online bulletin board that said he could look up the name, Social Security number, birth date and passwords for voice mails and e-mails for T-Mobile customers. Jacobsen was accused of targeting the desktop computer of a Secret Service agent on his trail. 
The agent, Peter Cavicchia, was also a T-Mobile customer and sometimes used the wireless network to communicate about the case, unaware it wasn't safe. Jacobsen was arrested in October in Orange County, where he used to live, and was later released on $25,000 bail. From isn at c4i.org Thu Feb 17 04:47:54 2005 From: isn at c4i.org (InfoSec News) Date: Thu Feb 17 04:52:38 2005 Subject: [ISN] Researchers find security flaw in SHA-1 algorithm Message-ID: http://www.nwfusion.com/news/2005/0216reseafind.html By Paul Roberts IDG News Service 02/16/05 Security experts are warning that a security flaw has been found in a popular and powerful data encryption algorithm, dubbed SHA-1, by a team of scientists from Shandong University in China. The three scientists are circulating a paper within the cryptographic research community that describes successful tests of a technique that could greatly reduce the speed with which SHA-1 could be compromised. Although the cracking technique could not be carried out practically, it does compromise the integrity of the algorithm and could lead to more advanced attacks that would render SHA-1 useless, affecting many Internet security products that use it to generate digital signatures, according to Bruce Schneier, founder and CTO of Counterpane Internet Security. SHA-1 is a popular encryption algorithm that was developed by the U.S. National Security Agency (NSA) in 1995 after a weakness was discovered in a predecessor algorithm, called the Secure Hash Algorithm, or "SHA." The algorithm is among those most commonly used to generate "hashes," or unique strings of values that are used to encrypt and decrypt digital signatures, Schneier said. SHA-1 is used to create signatures by most of the popular security protocols on the Internet, including SSL and PGP (Pretty Good Privacy), he said. 
A research team of three scientists, Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu, is circulating a paper called Collision Search Attacks on SHA-1 that describes methods for creating so-called "collisions" with the SHA-1 algorithm 2,000 times more quickly than had been possible before. "It's phenomenal research," Schneier said. "There's a lot of really impressive math." A "collision" is an occurrence in which two messages have an identical hash value. It opens the door to forging valid signatures generated using SHA-1. Cryptographers rely on "non-repudiation" in algorithms, the concept that two identical hash signatures cannot be created by different signers, said Michael Szydlo, a senior research scientist at RSA Security's RSA Labs. The results of the paper mark a significant improvement over previous methods of cracking SHA-1 but still require a massive number of attempts to work -- a number expressed by 1 with thirty zeros after it, he said. That number of tries could take 1,000 years for a single personal computer to execute and is not practical for all but a few government entities, such as the National Security Agency (NSA), or wealthy private corporations to try, Schneier said. However, once an algorithm is broken, other scientists can often move quickly to refine the process and produce even better results, he said. "There's an old (U.S. National Security Agency) maxim: Attacks always get better. They never get worse," Schneier said. However, the approach used by the Chinese researchers is novel enough that cryptography experts aren't sure whether it can be refined, Szydlo said. The paper has not yet been published but will probably appear on the Web page of the International Association for Cryptographic Research, he said. 
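[Added example; this is not part of the IDG article above.] SHA-1 is a hash function, not a cipher: signature schemes such as RSA and DSA sign the 160-bit digest rather than the message, so any two messages with the same digest carry the same valid signature. The Python below, written for this digest as an illustration, shows that directly. It runs a generic (birthday) collision search against SHA-1 truncated to 32 bits so the search finishes in seconds, uses an HMAC with an assumed key as a stand-in for a real signature over the digest, and shows the signature on the first colliding message verifying on the second. It also carries through the arithmetic behind the figures quoted: a generic collision on a 160-bit hash costs about 2^80 hash evaluations, and an attack 2,000 times faster lands at about 2^69. The truncation, the messages and the key are all constructed for the example.

```python
"""Hash collisions and signatures: an added illustration for the SHA-1 story.
Everything here is constructed for the demo; the key is not a real signer's key."""
import hashlib
import hmac
import math
from typing import Tuple

SHA1_BITS = 160


def truncated_sha1(data: bytes, bits: int) -> int:
    """Leading `bits` bits of SHA-1 as an integer. Truncation only makes the
    demo finish quickly; the logic is identical for the full 160 bits."""
    digest = hashlib.sha1(data).digest()
    return int.from_bytes(digest, "big") >> (SHA1_BITS - bits)


def birthday_collision(bits: int, prefix: bytes = b"message ") -> Tuple[bytes, bytes]:
    """Generic collision search: hash distinct messages until two share a
    truncated digest. Expected cost is about 2**(bits/2) hashes, the birthday bound."""
    seen = {}
    i = 0
    while True:
        msg = prefix + str(i).encode()        # constructed, always distinct messages
        h = truncated_sha1(msg, bits)
        if h in seen:
            return seen[h], msg
        seen[h] = msg
        i += 1


def sign(key: bytes, message: bytes, bits: int) -> bytes:
    """Stand-in signature (assumption for the demo): an HMAC over the truncated
    digest only. Real schemes likewise sign the hash, not the message, which is
    why a collision lets one signature vouch for two different messages."""
    digest = truncated_sha1(message, bits).to_bytes((bits + 7) // 8, "big")
    return hmac.new(key, digest, "sha256").digest()


def verify(key: bytes, message: bytes, signature: bytes, bits: int) -> bool:
    return hmac.compare_digest(sign(key, message, bits), signature)


def collision_forges_signature(bits: int, key: bytes = b"assumed signer key") -> bool:
    """Sign the first colliding message and check that the signature verifies
    on the second, different message."""
    m1, m2 = birthday_collision(bits)
    sig = sign(key, m1, bits)
    return m1 != m2 and verify(key, m2, sig, bits)


def generic_work_log2(bits: int) -> float:
    """log2 of the hash evaluations a birthday search needs for a `bits`-bit hash."""
    return bits / 2


def work_after_speedup_log2(bits: int, speedup: float) -> float:
    """log2 of the work once an attack is `speedup` times faster than generic."""
    return generic_work_log2(bits) - math.log2(speedup)


if __name__ == "__main__":
    m1, m2 = birthday_collision(32)
    print("32-bit truncated SHA-1 collision:", m1, m2, hex(truncated_sha1(m1, 32)))
    print("signature on m1 verifies on m2:", collision_forges_signature(32))
    print("generic SHA-1 collision work: 2^%.0f hashes" % generic_work_log2(SHA1_BITS))
    print("2,000x faster attack:         2^%.1f hashes" % work_after_speedup_log2(SHA1_BITS, 2000))
```

Only the truncation makes the search fast here; against full SHA-1 the same loop is the 2^80 generic attack that the paper improves on, which is why a 2^11-fold (about 2,000x) speedup is the headline number.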
Although practical attacks that target SHA-1 are still some time off, cryptographers will have to decide on a replacement for SHA-1 within the next couple of years, and organizations that rely on secure protocols that use SHA-1 will have to evaluate whether the algorithm is adequate to use for secure transactions, experts agree. "Do you want your online bank account vulnerable to a 1-in-1000 chance that someone could break it?" Schneier asked.

From isn at c4i.org Fri Feb 18 04:27:32 2005 From: isn at c4i.org (InfoSec News) Date: Fri Feb 18 04:35:19 2005 Subject: [ISN] Secunia Weekly Summary - Issue: 2005-7 Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2005-02-10 - 2005-02-17

This week : 70 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written. Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued. As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet. 
Secunia Online Vulnerability Database: http://secunia.com/

========================================================================
2) This Week in Brief:

Since the IDN Spoofing issue was reported again on 7th February, it has spawned a new intense debate about who is to blame and whether it actually constitutes a vulnerability.

The issue is rather simple. Currently, it is possible to register domain names under e.g. the .com top level domain (TLD), which utilises national character sets such as Chinese, Scandinavian, Cyrillic, and others. This huge variety of characters can be used to display domain names which appear very similar to traditional ASCII character based domains. This can obviously be exploited to trick people into believing that they are actually on a trusted web site in a much more convincing way than the usual obfuscated ASCII based domain names with missing dots, slight misspellings, use of "1" instead of "l" and so on.

Those who are in favour of using IDN domains argue that either the browser vendors should spawn an informational message to the user whenever an IDN domain is visited, with a clear indication of the individual national characters, or that the registrars should blacklist domain names and characters that could be exploited to trick the users. In other words, either users must live with yet another informational / warning pop-up about a potentially dangerous issue, or we all have to trust and rely on the registrars' ability to figure out all possible malicious combinations of thousands of different characters, which most people have never seen before. 
While it is clear that the Internet to a certain degree discriminates against the non-English-speaking parts of the world, because only a limited subset of the standard ASCII characters are allowed in domain names, the IDN standard actually allows for one very easy solution that won't discriminate against anyone and at the same time will leave the domains as trustworthy as they are today: Allow the Japanese to use Japanese characters under .jp, the Chinese under .cn, the Germans under .de and so forth. This will effectively limit the use of national characters to national domains and the users who are used to those characters - those users are also the users who will truly benefit from the use of national characters.

After all, the .com TLD was meant to be the commercial top level domain that could be used and accessed by businesses all over the world. Accessing a .com domain with Chinese letters would be almost impossible using an English keyboard.

There are a lot of very good reasons why ICANN, the browser vendors, and other parties should go back to the drawing board and reconsider the implementation of the IDN standard before Microsoft launches IDN support in Internet Explorer, as this certainly will spawn a massive race between legitimate businesses, who try to protect their trademarks, and the scamsters, who want to trick credit card details and other valuable information from the users.

Being a Danish national, I appreciate being able to use the Danish national characters under the .dk top level domain, but I see absolutely no need for the use of those characters under .com and other international top level domains.

Kind regards,
Thomas Kristensen
CTO, Secunia

VIRUS ALERTS:

During the last week, Secunia issued 2 MEDIUM RISK virus alerts. 
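[Added example; this is not part of the Secunia summary.] The spoof described above works because a label such as "pаypal" with a Cyrillic "а" (U+0430) is a different domain from "paypal" but is drawn identically, while the registered ASCII form is "xn--pypal-4ve.com" and browsers display the decoded Unicode form instead. The Python below, written for this digest, is one way a proxy, mail filter or registrar could flag such names: it decodes either form with Python's built-in IDNA codec, classifies each character's script from its Unicode character name, flags labels that mix scripts, and applies a per-TLD script policy in the spirit of the proposal above (national scripts only under the national TLD, Latin only under .com). The policy table and the test hostnames are assumptions constructed for the example, not ICANN or registrar rules.

```python
"""IDN homograph check: an added illustration, not Secunia's or any browser's code."""
import unicodedata
from typing import Dict, List, Set

# Illustrative policy (an assumption, not ICANN's): national scripts only under
# the matching national TLD, Latin only under the international .com/.net.
TLD_SCRIPTS: Dict[str, Set[str]] = {
    "com": {"LATIN"},
    "net": {"LATIN"},
    "dk": {"LATIN"},
    "de": {"LATIN"},
    "jp": {"LATIN", "HIRAGANA", "KATAKANA", "CJK"},
    "cn": {"LATIN", "CJK"},
}

# Characters that belong to no script: digits and the label hyphen.
COMMON = {"DIGIT", "HYPHEN-MINUS"}


def decode_host(host: str) -> str:
    """Unicode form of a hostname given either as Unicode or as ACE (xn--) labels.
    Python's built-in 'idna' codec (IDNA 2003) does the nameprep and Punycode work;
    ASCII labels pass through the encoder unchanged, so both forms round-trip."""
    return host.encode("idna").decode("idna")


def script_of(ch: str) -> str:
    """Rough script classification from the first word of the Unicode character
    name ('LATIN', 'CYRILLIC', 'CJK', 'GREEK', ...). Enough for a mixed-script test."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def label_scripts(label: str) -> Set[str]:
    return {script_of(c) for c in label} - COMMON


def findings(host: str) -> List[str]:
    """Reasons a hostname looks like an IDN spoof, or [] if it looks clean."""
    labels = decode_host(host).split(".")
    tld = labels[-1]
    allowed = TLD_SCRIPTS.get(tld)          # None: no policy known for this TLD
    out: List[str] = []
    for label in labels[:-1]:
        scripts = label_scripts(label)
        if len(scripts) > 1:
            # The classic homograph: one look-alike letter swapped into a Latin name.
            out.append(f"label {label!r} mixes scripts {sorted(scripts)}")
        if allowed is not None and not scripts <= allowed:
            out.append(f"label {label!r} uses {sorted(scripts - allowed)} "
                       f"not permitted under .{tld}")
    return out


def is_suspicious(host: str) -> bool:
    return bool(findings(host))


if __name__ == "__main__":
    # Constructed test names: a genuine .com, the Cyrillic-a look-alike in both
    # forms, a legitimate German name, and CJK under .jp versus under .com.
    for h in ["paypal.com", "p\u0430ypal.com", "xn--pypal-4ve.com",
              "m\u00fcnchen.de", "\u65e5\u672c.jp", "\u65e5\u672c.com"]:
        print(f"{h:24} -> {decode_host(h):16} {findings(h) or 'ok'}")
```

The mixed-script rule catches the look-alike regardless of TLD; the policy rule is what turns the proposal in the text into something a registrar or proxy can enforce mechanically, without anyone having to enumerate confusable characters by hand.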
Please refer to the grouped virus profile below for more information:

Mydoom.AS - MEDIUM RISK Virus Alert - 2005-02-17 09:25 GMT+1
http://secunia.com/virus_information/15293/mydoom.as/

Mydoom.bb - MEDIUM RISK Virus Alert - 2005-02-17 03:19 GMT+1
http://secunia.com/virus_information/15463/mydoom.bb/

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA14163] Mozilla Products IDN Spoofing Security Issue
2.  [SA14179] Symantec Multiple Products UPX Parsing Engine Buffer Overflow
3.  [SA14160] Mozilla / Firefox Three Vulnerabilities
4.  [SA11165] Microsoft Internet Explorer Multiple Vulnerabilities
5.  [SA14164] Safari IDN Spoofing Security Issue
6.  [SA14209] VeriSign i-Nav Plug-In IDN Spoofing Security Issue
7.  [SA12889] Microsoft Internet Explorer Multiple Vulnerabilities
8.  [SA14154] Opera IDN Spoofing Security Issue
9.  [SA13129] Mozilla / Mozilla Firefox Window Injection Vulnerability
10. [SA14295] Linux Kernel Multiple Vulnerabilities

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA14283] Sami HTTP Server Denial of Service and Directory Traversal
[SA14274] IBM WebSphere Application Server JSP Source Code Disclosure
[SA14304] Internet Explorer/Outlook Express Status Bar Spoofing
[SA14256] ZoneAlarm / Integrity "NtConnectPort()" Hook Invalid Pointer Dereference

UNIX/Linux:
[SA14315] Ubuntu update for lesstif2
[SA14301] Conectiva update for XFree86
[SA14287] Debian update for awstats
[SA14260] SGI Advanced Linux Environment update for less/xpdf
[SA14259] SGI Advanced Linux Environment Multiple Updates
[SA14318] Debian update for emacs21
[SA14308] Gentoo update for lighttpd
[SA14307] Gentoo update for emacs/xemacs
[SA14305] Mandrake update for emacs
[SA14297] lighttpd "%00" Application Source Code Disclosure Vulnerability
[SA14296] Ubuntu update for kernel
[SA14295] Linux Kernel Multiple Vulnerabilities
[SA14288] Mandrake update for mailman
[SA14282] Gentoo update for opera
[SA14281] Fedora update for xemacs
[SA14279] Red Hat update for python
[SA14267] Trustix Updates for Multiple Packages
[SA14258] Conectiva update for evolution
[SA14257] SUSE update for mailman
[SA14252] SUSE Updates for Multiple Packages
[SA14251] Red Hat update for squid
[SA14314] Gentoo update for kdeedu
[SA14306] KDE fliccd Buffer Overflow Vulnerabilities
[SA14261] SGI Advanced Linux Environment update for krb5
[SA14303] Debian update for htdig
[SA14290] Gentoo update for postgresql
[SA14285] Sun Solaris FTP Server PASV Commands Denial of Service
[SA14280] Red Hat update for postgresql
[SA14276] Gentoo update for htdig
[SA14275] Gentoo update for pdns
[SA14271] Squid FQDN Lookup Denial of Service Vulnerability
[SA14269] Gentoo update for mod_python
[SA14255] ht://Dig "config" Parameter Cross-Site Scripting Vulnerability
[SA14253] Open WebMail Login Page Cross-Site Scripting Vulnerability
[SA14249] Ubuntu update for mod_python
[SA14316] Gentoo update for wpa_supplicant
[SA14310] Debian update for postgresql
[SA14309] Mandrake update for rwho
[SA14286] Sun Solaris ARP Flooding Denial of Service Vulnerability
[SA14278] Debian update for netkit-rwho
[SA14266] netkit-rwho rwhod Packet Validation Denial of Service
[SA14265] Gentoo webmin Encrypted Root Password Disclosure
[SA14300] Debian update for synaesthesia
[SA14292] Gentoo update for VMware
[SA14291] VMware Workstation gdk-pixbuf Path Searching Vulnerability
[SA14277] Debian toolchain-source "tpkg-*" Privilege Escalation
[SA14270] Linux Kernel Memory Disclosure and Privilege Escalation
[SA14264] Gentoo update for perl
[SA14254] KDE kdelibs dcopidlng Script Insecure Temporary File Creation
[SA14250] Debian update for xpcd
[SA14248] xpcd Buffer Overflow Vulnerabilities
[SA14317] Debian update for typespeed
[SA14312] Typespeed Format String Vulnerability

Other:

Cross Platform:
[SA14311] HP Web-Enabled Management Software HTTP Server Buffer Overflow
[SA14268] ELOG Two Vulnerabilities
[SA14273] Quake3 Engine Query Handling Denial of Service Vulnerability
[SA14272] CubeCart "language" Local File Inclusion Vulnerability
[SA14263] Siteman Site Owner Registration Security Bypass Vulnerability
[SA14293] BrightStor ARCserve Backup Discovery Service SERVICEPC Buffer Overflow
[SA14299] AWStats Multiple Vulnerabilities
[SA14298] BEA WebLogic Server/Express User Account Enumeration
[SA14294] OpenConf Title Script Insertion Vulnerability
[SA14289] PHP-Nuke Cross-Site Scripting Vulnerabilities
[SA14262] NewsBruiser Comment System Security Bypass Vulnerability
[SA14313] wpa_supplicant EAPOL-Key Frames Buffer Overflow
[SA14284] Mercuryboard "debug" Debug Information Disclosure

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA14283] Sami HTTP Server Denial of Service and Directory Traversal

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Exposure of system information, Exposure of sensitive information, DoS
Released:    2005-02-15

Ziv Kamir has reported two vulnerabilities in Sami HTTP Server, which can be exploited by malicious people to disclose sensitive information or cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14283/

--

[SA14274] IBM WebSphere Application Server JSP Source Code Disclosure

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2005-02-14

A vulnerability has been reported in WebSphere Application Server, which can be exploited by malicious people to gain knowledge of potentially sensitive information. 
Full Advisory: http://secunia.com/advisories/14274/ -- [SA14304] Internet Explorer/Outlook Express Status Bar Spoofing Critical: Not critical Where: From remote Impact: Security Bypass Released: 2005-02-17 bitlance winter has discovered a weakness in Internet Explorer/Outlook Express, which can be exploited by malicious people to trick users into visiting a malicious web site by obfuscating URLs. Full Advisory: http://secunia.com/advisories/14304/ -- [SA14256] ZoneAlarm / Integrity "NtConnectPort()" Hook Invalid Pointer Dereference Critical: Not critical Where: Local system Impact: DoS Released: 2005-02-14 iDEFENSE has reported a vulnerability in various ZoneAlarm products and Check Point Integrity Client, which can be exploited by malicious, local users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14256/ UNIX/Linux:-- [SA14315] Ubuntu update for lesstif2 Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2005-02-17 Ubuntu has issued an update for lesstif2. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14315/ -- [SA14301] Conectiva update for XFree86 Critical: Highly critical Where: From remote Impact: System access Released: 2005-02-15 Conectiva has issued an update for XFree86. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14301/ -- [SA14287] Debian update for awstats Critical: Highly critical Where: From remote Impact: System access Released: 2005-02-15 Debian has issued an update for awstats. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/14287/ -- [SA14260] SGI Advanced Linux Environment update for less/xpdf Critical: Highly critical Where: From remote Impact: System access Released: 2005-02-14 SGI has issued a patch for less and xpdf in SGI Advanced Linux Environment. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/14260/ -- [SA14259] SGI Advanced Linux Environment Multiple Updates Critical: Highly critical Where: From remote Impact: Privilege escalation, DoS, System access Released: 2005-02-14 SGI has issued a patch for SGI Advanced Linux Environment. This fixes some vulnerabilities, which can be exploited to cause a DoS (Denial of Service), gain escalated privileges, or potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14259/ -- [SA14318] Debian update for emacs21 Critical: Moderately critical Where: From remote Impact: System access Released: 2005-02-17 Debian has issued an update for emacs21. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/14318/ -- [SA14308] Gentoo update for lighttpd Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2005-02-16 Gentoo has issued an update for lighttpd. This fixes a vulnerability, which can be exploited by malicious people to disclose some potentially sensitive information. Full Advisory: http://secunia.com/advisories/14308/ -- [SA14307] Gentoo update for emacs/xemacs Critical: Moderately critical Where: From remote Impact: System access Released: 2005-02-16 Gentoo has issued updates for emacs and xemacs. These fix a vulnerability, which can be exploited by malicious people to compromise a user's system. 
Full Advisory: http://secunia.com/advisories/14307/ -- [SA14305] Mandrake update for emacs Critical: Moderately critical Where: From remote Impact: System access Released: 2005-02-16 MandrakeSoft has issued an update for emacs. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/14305/ -- [SA14297] lighttpd "%00" Application Source Code Disclosure Vulnerability Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2005-02-16 A vulnerability has been reported in lighttpd, which can be exploited by malicious people to disclose some potentially sensitive information. Full Advisory: http://secunia.com/advisories/14297/ -- [SA14296] Ubuntu update for kernel Critical: Moderately critical Where: From remote Impact: Unknown, Security Bypass, Exposure of sensitive information, DoS Released: 2005-02-16 Ubuntu has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain knowledge of potentially sensitive information or cause a DoS (Denial of Service), or by malicious people to cause a DoS or bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/14296/ -- [SA14295] Linux Kernel Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Unknown, Security Bypass, Exposure of sensitive information, DoS Released: 2005-02-16 Some vulnerabilities have been reported in the Linux kernel. These can be exploited by malicious, local users to gain knowledge of potentially sensitive information or cause a DoS (Denial of Service), or by malicious people to cause a DoS or bypass certain security restrictions. 
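The lighttpd "%00" entry above names the mechanism but not the code. As an added illustration of that bug class (a model written for this digest, not lighttpd's own code; the decoder, the handler names and the paths are assumptions), the C program below shows how a length-aware URL decoder and a NUL-terminated filesystem call can disagree about which file a request names. The policy layer sees the decoded bytes "php\0" at the end of the buffer, so it does not assign the script handler; open() stops at the NUL and returns index.php itself, so the script source goes out as a static file. The hardened variant rejects any decoded path that contains a NUL before any handler decision is made.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum handler { HANDLER_STATIC, HANDLER_SCRIPT, HANDLER_REJECT };

/* Binary-safe percent-decoder: "%00" becomes a real NUL byte that is counted
 * in the returned length, as a length-aware HTTP parser would do. */
static size_t url_decode(const char *in, unsigned char *out, size_t outsz)
{
    size_t n = 0;
    for (size_t i = 0; in[i] != '\0' && n + 1 < outsz; i++) {
        if (in[i] == '%' && isxdigit((unsigned char)in[i + 1])
                         && isxdigit((unsigned char)in[i + 2])) {
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            out[n++] = (unsigned char)strtoul(hex, NULL, 16);
            i += 2;
        } else {
            out[n++] = (unsigned char)in[i];
        }
    }
    out[n] = '\0';
    return n;
}

/* Length-aware suffix test used for handler selection ("is this a .php script?"). */
static int has_suffix(const unsigned char *buf, size_t len, const char *suffix)
{
    size_t sl = strlen(suffix);
    return len >= sl && memcmp(buf + len - sl, suffix, sl) == 0;
}

/* Vulnerable model (assumed structure, not lighttpd's code). Handler selection
 * inspects the whole decoded buffer, but the file is later opened by name
 * through a C string, which ends at the first NUL. For "/index.php%00" the
 * suffix check sees "php\0" rather than ".php", so the static handler is
 * chosen; that handler then opens "/index.php" and streams the script source.
 * fs_path receives the name the filesystem layer would actually open. */
enum handler select_handler_vuln(const char *raw_url, char *fs_path, size_t fs_sz)
{
    unsigned char decoded[256];
    size_t len = url_decode(raw_url, decoded, sizeof decoded);
    snprintf(fs_path, fs_sz, "%s", (const char *)decoded); /* stops at the NUL */
    return has_suffix(decoded, len, ".php") ? HANDLER_SCRIPT : HANDLER_STATIC;
}

/* Hardened model: refuse any decoded path containing a byte the filesystem
 * layer would interpret differently from the policy layer. A NUL is the
 * clearest case; the check runs before any handler decision is made. */
enum handler select_handler_fixed(const char *raw_url, char *fs_path, size_t fs_sz)
{
    unsigned char decoded[256];
    size_t len = url_decode(raw_url, decoded, sizeof decoded);
    if (memchr(decoded, '\0', len) != NULL)
        return HANDLER_REJECT;
    snprintf(fs_path, fs_sz, "%s", (const char *)decoded);
    return has_suffix(decoded, len, ".php") ? HANDLER_SCRIPT : HANDLER_STATIC;
}

int main(void)
{
    static const char *names[] = { "static", "script", "reject" };
    const char *urls[] = { "/index.php", "/index.php%00" }; /* constructed requests */
    char path[256];
    for (size_t i = 0; i < 2; i++) {
        enum handler v = select_handler_vuln(urls[i], path, sizeof path);
        printf("%-16s vulnerable: %-6s opens %s\n", urls[i], names[v], path);
        enum handler f = select_handler_fixed(urls[i], path, sizeof path);
        printf("%-16s fixed:      %s\n", urls[i], names[f]);
    }
    return 0;
}
```

The general lesson is the parser differential: whenever two layers interpret the same bytes with different string conventions (counted length versus NUL termination, raw versus normalised path, decoded once versus decoded twice), the policy check must run on exactly the representation the enforcing layer will use, or reject inputs on which the two representations differ.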
Full Advisory: http://secunia.com/advisories/14295/ -- [SA14288] Mandrake update for mailman Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2005-02-15 MandrakeSoft has issued an update for mailman. This fixes a vulnerability, which can be exploited by malicious people to gain knowledge of users' passwords. Full Advisory: http://secunia.com/advisories/14288/ -- [SA14282] Gentoo update for opera Critical: Moderately critical Where: From remote Impact: Spoofing, Exposure of system information, Privilege escalation, System access Released: 2005-02-15 Gentoo has issued an update for opera. This fixes some vulnerabilities, which can be exploited by malicious people to disclose some system information, spoof the content of websites, trick a user into executing malicious files and compromise a user's system. Full Advisory: http://secunia.com/advisories/14282/ -- [SA14281] Fedora update for xemacs Critical: Moderately critical Where: From remote Impact: System access Released: 2005-02-15 Fedora has issued an update for xemacs. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/14281/ -- [SA14279] Red Hat update for python Critical: Moderately critical Where: From remote Impact: Security Bypass, Manipulation of data, Exposure of sensitive information, System access Released: 2005-02-14 Red Hat has issued an update for python. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions. 
Full Advisory: http://secunia.com/advisories/14279/ -- [SA14267] Trustix Updates for Multiple Packages Critical: Moderately critical Where: From remote Impact: Unknown, Security Bypass, Manipulation of data, Exposure of sensitive information, Privilege escalation, DoS, System access Released: 2005-02-14 Trustix has issued updates for bind, clamav, cpio, cups, mod_python, perl, postgresql, python and squid. These fix some vulnerabilities, one with an unknown impact and others which can be exploited to gain escalated privileges, cause a DoS (Denial of Service), disclose and manipulate sensitive information, bypass certain security restrictions and compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14267/ -- [SA14258] Conectiva update for evolution Critical: Moderately critical Where: From remote Impact: Privilege escalation, System access Released: 2005-02-17 Conectiva has issued an update for evolution. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/14258/ -- [SA14257] SUSE update for mailman Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2005-02-15 SUSE has issued an update for mailman. This fixes a vulnerability, which can be exploited by malicious people to gain knowledge of users' passwords. Full Advisory: http://secunia.com/advisories/14257/ -- [SA14252] SUSE Updates for Multiple Packages Critical: Moderately critical Where: From remote Impact: Privilege escalation, DoS, System access Released: 2005-02-14 SUSE has issued updates for multiple packages. These fix various vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to cause a DoS (Denial of Service) and compromise a user's system. 
Full Advisory: http://secunia.com/advisories/14252/ -- [SA14251] Red Hat update for squid Critical: Moderately critical Where: From remote Impact: Security Bypass, DoS, System access Released: 2005-02-14 Red Hat has issued an update for squid. This fixes multiple vulnerabilities, which can be exploited to cause a DoS (Denial of Service), bypass certain security restrictions, or potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14251/ -- [SA14314] Gentoo update for kdeedu Critical: Moderately critical Where: From local network Impact: Privilege escalation, System access Released: 2005-02-17 Gentoo has issued an update for kdeedu. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges and potentially by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14314/ -- [SA14306] KDE fliccd Buffer Overflow Vulnerabilities Critical: Moderately critical Where: From local network Impact: Privilege escalation, System access Released: 2005-02-16 Erik Sjölund has reported some vulnerabilities in KDE, which can be exploited by malicious, local users to gain escalated privileges and potentially by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14306/ -- [SA14261] SGI Advanced Linux Environment update for krb5 Critical: Moderately critical Where: From local network Impact: Privilege escalation, System access Released: 2005-02-14 SGI has issued a patch for krb5 in SGI Advanced Linux Environment. This fixes two vulnerabilities, which can be exploited to perform certain actions on a vulnerable system with escalated privileges or potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14261/ -- [SA14303] Debian update for htdig Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-02-15 Debian has issued an update for htdig.
This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/14303/ -- [SA14290] Gentoo update for postgresql Critical: Less critical Where: From remote Impact: Privilege escalation Released: 2005-02-15 Gentoo has issued an update for postgresql. This fixes a vulnerability, which can be exploited by malicious users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/14290/ -- [SA14285] Sun Solaris FTP Server PASV Commands Denial of Service Critical: Less critical Where: From remote Impact: DoS Released: 2005-02-15 Sun has acknowledged an older vulnerability in Sun Solaris, which can be exploited by malicious users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14285/ -- [SA14280] Red Hat update for postgresql Critical: Less critical Where: From remote Impact: Security Bypass, Privilege escalation, DoS Released: 2005-02-14 Red Hat has issued an update for postgresql. This fixes various vulnerabilities, which can be exploited by malicious users to gain escalated privileges, cause a DoS (Denial of Service), or bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/14280/ -- [SA14276] Gentoo update for htdig Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-02-14 Gentoo has issued an update for htdig. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/14276/ -- [SA14275] Gentoo update for pdns Critical: Less critical Where: From remote Impact: DoS Released: 2005-02-14 Gentoo has issued an update for pdns. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/14275/ -- [SA14271] Squid FQDN Lookup Denial of Service Vulnerability Critical: Less critical Where: From remote Impact: DoS Released: 2005-02-14 A vulnerability has been reported in Squid, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14271/ -- [SA14269] Gentoo update for mod_python Critical: Less critical Where: From remote Impact: Exposure of sensitive information Released: 2005-02-14 Gentoo has issued an update for mod_python. This fixes a vulnerability, which potentially can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/14269/ -- [SA14255] ht://Dig "config" Parameter Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-02-14 Michael Krax has reported a vulnerability in ht://Dig, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/14255/ -- [SA14253] Open WebMail Login Page Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-02-14 Oriol Torrent Santiago has reported a vulnerability in Open WebMail, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/14253/ -- [SA14249] Ubuntu update for mod_python Critical: Less critical Where: From remote Impact: Exposure of sensitive information Released: 2005-02-11 Ubuntu has issued an update for mod_python. This fixes a vulnerability, which potentially can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/14249/ -- [SA14316] Gentoo update for wpa_supplicant Critical: Less critical Where: From local network Impact: DoS Released: 2005-02-17 Gentoo has issued an update for wpa_supplicant. 
This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14316/ -- [SA14310] Debian update for postgresql Critical: Less critical Where: From local network Impact: Privilege escalation Released: 2005-02-16 Debian has issued an update for postgresql. This fixes some vulnerabilities, which can be exploited by malicious users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/14310/ -- [SA14309] Mandrake update for rwho Critical: Less critical Where: From local network Impact: DoS Released: 2005-02-17 MandrakeSoft has issued an update for rwho. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14309/ -- [SA14286] Sun Solaris ARP Flooding Denial of Service Vulnerability Critical: Less critical Where: From local network Impact: DoS Released: 2005-02-15 A vulnerability has been reported in Sun Solaris, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14286/ -- [SA14278] Debian update for netkit-rwho Critical: Less critical Where: From local network Impact: DoS Released: 2005-02-14 Debian has issued an update for netkit-rwho. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14278/ -- [SA14266] netkit-rwho rwhod Packet Validation Denial of Service Critical: Less critical Where: From local network Impact: DoS Released: 2005-02-14 Vlad902 has reported a vulnerability in netkit-rwho, which can be exploited by malicious people to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/14266/ -- [SA14265] Gentoo webmin Encrypted Root Password Disclosure Critical: Less critical Where: From local network Impact: Exposure of sensitive information Released: 2005-02-14 Gentoo has issued an update for webmin. This fixes a security issue, which may disclose sensitive information to malicious people. Full Advisory: http://secunia.com/advisories/14265/ -- [SA14300] Debian update for synaesthesia Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-02-15 Debian has issued an update for synaesthesia. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. Full Advisory: http://secunia.com/advisories/14300/ -- [SA14292] Gentoo update for VMware Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-02-15 Gentoo has issued an update for VMware. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/14292/ -- [SA14291] VMware Workstation gdk-pixbuf Path Searching Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-02-15 Tavis Ormandy has discovered a vulnerability in VMware Workstation, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/14291/ -- [SA14277] Debian toolchain-source "tpkg-*" Privilege Escalation Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-02-14 Sean Finney has reported some vulnerabilities in toolchain-source, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. 
Full Advisory: http://secunia.com/advisories/14277/ -- [SA14270] Linux Kernel Memory Disclosure and Privilege Escalation Critical: Less critical Where: Local system Impact: Unknown, Exposure of sensitive information, Privilege escalation Released: 2005-02-15 Some vulnerabilities have been reported in the Linux Kernel, which potentially can be exploited by malicious, local users to disclose kernel memory or gain escalated privileges. Full Advisory: http://secunia.com/advisories/14270/ -- [SA14264] Gentoo update for perl Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-02-14 Gentoo has issued an update for perl. This fixes two vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/14264/ -- [SA14254] KDE kdelibs dcopidlng Script Insecure Temporary File Creation Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-02-14 Davide Madrisan has reported a vulnerability in KDE kdelibs, which can be exploited by malicious, local users to perform certain actions with escalated privileges on a vulnerable system. Full Advisory: http://secunia.com/advisories/14254/ -- [SA14250] Debian update for xpcd Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-02-11 Debian has issued an update for xpcd. This fixes some vulnerabilities, which potentially can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/14250/ -- [SA14248] xpcd Buffer Overflow Vulnerabilities Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-02-11 Erik Sjölund has reported some vulnerabilities in xpcd, which may be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/14248/ -- [SA14317] Debian update for typespeed Critical: Not critical Where: Local system Impact: Privilege escalation Released: 2005-02-17 Debian has issued an update for typespeed. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/14317/ -- [SA14312] Typespeed Format String Vulnerability Critical: Not critical Where: Local system Impact: Privilege escalation Released: 2005-02-17 Ulf Härnhammar has reported a vulnerability in Typespeed, which potentially can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/14312/ Other: Cross Platform:-- [SA14311] HP Web-Enabled Management Software HTTP Server Buffer Overflow Critical: Highly critical Where: From remote Impact: System access Released: 2005-02-16 A vulnerability has been reported in HP HTTP Server, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14311/ -- [SA14268] ELOG Two Vulnerabilities Critical: Highly critical Where: From remote Impact: Exposure of sensitive information, System access Released: 2005-02-15 Two vulnerabilities have been reported in ELOG, which can be exploited by malicious people to disclose sensitive information and compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14268/ -- [SA14273] Quake3 Engine Query Handling Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-02-14 Luigi Auriemma has reported a vulnerability in Quake3 Engine, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14273/ -- [SA14272] CubeCart "language" Local File Inclusion Vulnerability Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2005-02-14 John Cobb has reported a vulnerability in CubeCart, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/14272/ -- [SA14263] Siteman Site Owner Registration Security Bypass Vulnerability Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2005-02-15 A vulnerability has been reported in Siteman, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/14263/ -- [SA14293] BrightStor ARCserve Backup Discovery Service SERVICEPC Buffer Overflow Critical: Moderately critical Where: From local network Impact: System access Released: 2005-02-15 cybertronic has reported a vulnerability in BrightStor ARCserve/Enterprise Backup, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14293/ -- [SA14299] AWStats Multiple Vulnerabilities Critical: Less critical Where: From remote Impact: Privilege escalation, DoS Released: 2005-02-15 GHC has reported some vulnerabilities in AWStats, which potentially can be exploited by malicious, local users to gain escalated privileges, and by malicious people to disclose system information and cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14299/ -- [SA14298] BEA WebLogic Server/Express User Account Enumeration Critical: Less critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information Released: 2005-02-15 A security issue has been reported in WebLogic Server and WebLogic Express, which can be exploited by malicious people to enumerate valid user accounts. 
Full Advisory: http://secunia.com/advisories/14298/ -- [SA14294] OpenConf Title Script Insertion Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-02-15 RedTeam has reported a vulnerability in OpenConf, which can be exploited by malicious users to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/14294/ -- [SA14289] PHP-Nuke Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting, Exposure of system information Released: 2005-02-15 Janek Vind "waraxe" has reported two vulnerabilities in PHP-Nuke, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/14289/ -- [SA14262] NewsBruiser Comment System Security Bypass Vulnerability Critical: Less critical Where: From remote Impact: Security Bypass Released: 2005-02-17 Jarno has reported a vulnerability in NewsBruiser, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/14262/ -- [SA14313] wpa_supplicant EAPOL-Key Frames Buffer Overflow Critical: Less critical Where: From local network Impact: DoS Released: 2005-02-17 A vulnerability has been reported in wpa_supplicant, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14313/ -- [SA14284] Mercuryboard "debug" Debug Information Disclosure Critical: Not critical Where: From remote Impact: Exposure of system information Released: 2005-02-15 Lostmon has discovered a weakness in Mercuryboard, which can be exploited by malicious people to disclose some system information. Full Advisory: http://secunia.com/advisories/14284/ ======================================================================== Secunia recommends that you verify all advisories you receive, by clicking the link. 
Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Subscribe: http://secunia.com/secunia_weekly_summary/ Contact details: Web : http://secunia.com/ E-mail : support@secunia.com Tel : +45 70 20 51 44 Fax : +45 70 20 51 45 From isn at c4i.org Fri Feb 18 04:28:08 2005 From: isn at c4i.org (InfoSec News) Date: Fri Feb 18 04:35:22 2005 Subject: [ISN] Clarke rips Microsoft over security Message-ID: http://seattlepi.nwsource.com/business/212437_rsaclarke17.html By TODD BISHOP SEATTLE POST-INTELLIGENCER REPORTER February 17, 2005 SAN FRANCISCO -- Don't expect Richard Clarke to rely on Microsoft Corp.'s anti-virus or anti-spyware programs to protect his own computer. "Given their record in the security area, I don't know why anybody would buy from them," the former White House cybersecurity and counterterrorism adviser said yesterday, when asked for his thoughts on Microsoft's forthcoming line of security software. The observation came during an impromptu interview on the sidelines of the RSA computer security conference in San Francisco, where Clarke took part in panel discussions with other experts in technological and national security. His take on Microsoft's planned security-software offerings underscores one of the major challenges the Redmond company will face as it proceeds -- the fact that many of the online threats encountered by computer users take advantage of vulnerabilities in the company's own products. Microsoft has been trying to reduce and fix vulnerabilities as part of a broader companywide initiative to improve security and related issues. Bill Gates this week also announced plans to supplement those efforts by offering anti-spyware software free to individual Windows users. 
The company also plans to release an anti-virus product this year and introduce a new version of Internet Explorer this summer -- about a year sooner than expected -- to boost security. But Clarke, during one panel discussion yesterday, called on Microsoft and other software companies to become more publicly accountable in their efforts to develop secure software. He said he asked Microsoft last year to disclose the specific quality-assurance practices it was following in the pursuit of more-secure software code. The idea, he said, would be for the software industry to collectively come up with a set of best practices for secure software development. Outside experts would then be able to judge how well each company lives up to those practices. "There's no fine involved, there's no liability involved, but the marketplace is better informed, and the marketplace works better when it knows what's going on," Clarke said, drawing a round of applause from the crowd at San Francisco's Moscone Center. Panelists compared the concept to the effort to hold public companies to standards for financial reporting under the Sarbanes-Oxley Act. Asked about the issue afterward, Clarke acknowledged that he doesn't believe Microsoft would ever agree to such a plan. In a statement responding to Clarke's comments, Microsoft said it has formalized its internal security efforts by adopting an official life cycle that it uses to develop secure software, in addition to publishing books and other materials about the methods it follows. At the same time, the company said it makes its security-related tools available to independent developers, works with other companies on security issues and offers formal training on security. "The market is demanding security now, and that hard work is going forward already," said Amy Roberts, director of product management in Microsoft's Security Business and Technology Unit, in the statement. 
During a panel discussion on technology regulation, Rick White, a former Republican congressman from Washington state, agreed with Clarke that it would be good to establish visible standards by which companies could be judged in the marketplace. "I think that's a blueprint for something that probably works," said White, now chief executive of technology lobbying organization TechNet. "It's just a question of how far you get the government involved." But on the subject of government involvement, White and Clarke disagreed, as illustrated by a related discussion of Internet service providers. Clarke said he would want to see government regulation of ISPs to ensure that they offer adequate levels of security to their customers. But White warned that regulation in general could hinder technological advances. "We have a great thing going in terms of innovation in this country," he said. "We're leading the world and we need to be able to continue to do that." Another panelist, security expert Bruce Schneier, said it was important to remember that the underlying goal of software companies is financial, no matter how well intentioned their security efforts. "Companies are not charities," Schneier said. "They don't do this stuff out of the goodness of their heart. They do it because the marketplace demands it, they do it because liability demands it, they do it because regulation demands it, they do it because competition demands it. Something has to demand it." Along those lines, he said, "The marketplace will only go so far." Clarke, who advised four presidents, rose to a new level of prominence last year with charges that President Bush failed to take the terrorist threat seriously prior to the Sept. 11 terrorist attacks. A book by Clarke and his testimony before the 9/11 Commission detailed his efforts to sound the alarm about terrorism. He raised similar themes yesterday, saying that industry and government need to pay greater attention to the risk of cyberterrorism. 
"Regulation is neither good nor bad -- it depends upon the industry and the regulation. There is smart regulation. But industry should bear this in mind when they resist any regulation: After we have a major incident, there will be much worse regulation than you could get now." From isn at c4i.org Fri Feb 18 04:28:24 2005 From: isn at c4i.org (InfoSec News) Date: Fri Feb 18 04:35:24 2005 Subject: [ISN] Security Lacking at Major Canada Power Plants - TV Message-ID: Forwarded from: William Knowles http://www.metronews.ca/reuters_national.asp?id=56498 February 16, 2005 OTTAWA (Reuters) - Security at two of Canada's most important electricity generating plants is so lax that terrorists would have no trouble at all getting in, according to a television report. A team from the French-language RDI channel wandered around the Manic-5 and Robert Bourassa hydro-electric plants in the remote James Bay area of French-speaking Quebec without seeing a single security guard. The plants, linked to a series of giant dams, supply power to Quebec and the north-eastern United States. In a special report, which was aired on Tuesday night, the RDI team drove in an unmarked van to the center of the Robert Bourassa generating station. They then passed through an unlocked door and made their way to the control panels without once being challenged. The plants are run by provincially-owned Hydro-Quebec, which went to court on Tuesday to seek an injunction preventing RDI from showing the report on security grounds. Hydro-Quebec president Andre Caille said in a statement he was troubled by the RDI report, adding that "we are taking all the means at our disposal to ensure the security of our installations." The RDI team, which filmed the report last week, said they had not spotted a single closed-circuit camera. At one point a reporter was seen scaling a gate near a major dam without being challenged.
*==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* From isn at c4i.org Fri Feb 18 04:29:26 2005 From: isn at c4i.org (InfoSec News) Date: Fri Feb 18 04:35:26 2005 Subject: [ISN] Hackers "shoot" the security pros at the RSA Convention Message-ID: http://www.tomshardware.com/hardnews/20050217_180417.html By Humphrey Cheung February 17, 2005 San Francisco (CA) - From the second floor of the Moscone Convention Center, a trio of hackers points their Bluetooth Sniper Rifle at the show attendees below. Bluetooth devices have become commonplace, especially with the technical crowd at the RSA Convention. Maybe thousands of Bluetooth devices were worn by attendees. The guys at Flexilis may have scanned them all. James Burgess, from Flexilis, a wireless think tank, says that the BlueSniper gun is a very simple concept. "It's basically a gun stock, with an antenna on it. The thing that makes it cool is the gumstick PC built into the magazine. It is completely self-contained." Flexilis demonstrated a similar gun at the 2004 Defcon Convention in Las Vegas. That gun was hastily put together, basically with rubber bands and tie straps. This updated version was better looking and much bigger. So big the Flexilis guys had to mount it on a tripod. Constructing the gun was easy. A tube shaped antenna, tuned for Bluetooth frequencies, was attached to an aftermarket gun stock. LMR-400 cable connects the antenna to a miniature computer, located in the magazine of the gun. The total cost of the parts was less than $500. While the gun looks impressive, John Hering says, "The real magic happens inside the computer." 
The magazine containing a small computer is loaded into the gun. A bright blue LED glows on the outside of the gun after the magazine is inserted and turned on. The computer is powered by a 400MHz XScale processor and has serial output. It accepts the Bluetooth signals from the antenna and has an MMC slot for a memory card that stores everything captured from the Bluetooth antenna. Kevin Mahaffey, the main programmer at Flexilis, explains their homegrown software can find vulnerable phones, list their services and perform exploits. During our demonstration, he only showed off the vulnerability and service scans, but he says that it would have been trivial to crash or even rip contact lists from vulnerable phones. In a few minutes of scanning, the group picked up more than one hundred phones. The phones were listed by the MAC address, which is the unique hardware address burned into every phone. All of this information can be stored on an MMC card inside the gumstick computer - making the BlueSniper gun self-contained. So for the security professionals at the RSA Security Conference, don't forget to look up, as you are being watched. From isn at c4i.org Fri Feb 18 04:29:42 2005 From: isn at c4i.org (InfoSec News) Date: Fri Feb 18 04:35:29 2005 Subject: [ISN] RSA: Microsoft on 'rootkits': Be afraid, be very afraid Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,99843,00.html By Paul Roberts FEBRUARY 17, 2005 IDG NEWS SERVICE Microsoft Corp. security researchers are warning about a new generation of powerful system-monitoring programs, or "rootkits," that are almost impossible to detect using current security products and could pose a serious risk to corporations and individuals. The researchers discussed the growing threat posed by kernel rootkits at a session at the RSA Security Conference in San Francisco this week.
The malicious snooping programs are becoming more common and could soon be used to create a new generation of mass-distributed spyware and worms. With names like "Hacker Defender," "FU" and "Vanquish," the programs are the latest generation of remote system-monitoring software that has been around for years, according to Mike Danseglio and Kurt Dillard, both of Microsoft's Security Solutions Group. The programs are used by malicious hackers to control, attack or ferret information from systems on which the software has been installed, typically without the owner's knowledge, either by a virus or after a successful hack of the computer's defenses, they said. Once installed, many rootkits run quietly in the background but can easily be spotted by looking for memory processes that are running on the infected system, monitoring outbound communications from the machine, or checking for newly installed programs. However, kernel rootkits that modify the kernel component of an operating system are becoming more common. Rootkit authors are also making huge strides in their ability to hide their creations, said Danseglio. In particular, some newer rootkits are able to intercept queries or "system calls" that are passed to the kernel and filter out queries generated by the rootkit software. The result is that typical signs that a program is running, such as an executable file name, a named process that uses some of the computer's memory, or configuration settings in the operating system's registry, are invisible to administrators and to detection tools, said Danseglio. 
The increasingly sophisticated rootkits and the speed with which techniques are migrating from rootkits to spyware and viruses may be the result of influence from organized online criminal groups that value stealthy, invasive software, said Dillard. One rootkit, called Hacker Defender, released about a year ago, even uses encryption to protect outbound communications and can piggyback on commonly used ports such as TCP Port 135 to communicate with the outside world without interrupting other applications that use that port, he said. The kernel rootkits are invisible to many detection tools, including antivirus, host and network intrusion-detection sensors and antispyware products, the researchers said. In fact, some of the most powerful tools for detecting the rootkits are designed by rootkit authors, not security companies, they said. There are few strategies for detecting kernel rootkits on an infected system, especially because each rootkit behaves differently and uses different strategies to hide itself. It is sometimes possible to spot kernel rootkits by examining infected systems from another machine on a network, said Dillard. Another strategy to spot kernel rootkits is to use Windows PE, a stripped-down version of the Windows XP operating system that can be run from a CD-ROM, to boot a computer and then compare the profile of the clean operating system to the infected system, according to Dillard and Danseglio. Microsoft researchers have developed a tool called Strider GhostBuster that can detect rootkits by comparing clean and suspect versions of Windows and looking for differences that may indicate that a kernel rootkit is running, according to a paper published by Microsoft Research. The only reliable way to remove kernel rootkits is to completely erase an infected hard drive and reinstall the operating system from scratch, Danseglio said.
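The "compare the clean view to the infected view" approach Dillard and Danseglio describe is usually called a cross-view diff. The example below is added here to make the idea concrete; it is not Strider GhostBuster's code or any Microsoft tool. It assumes two inventories of the same namespace (files, Run keys) have already been collected: one through the running system's APIs, which a kernel rootkit can filter, and one read without that kernel, such as from boot media. All file names, registry keys and the "rk_hidden" entries are constructed for the example, and the VOLATILE allowlist is a hypothetical list of objects that legitimately differ between a live and an offline scan.

```python
"""Cross-view diff for kernel-rootkit detection (added example, not
Strider GhostBuster's code).  A rootkit that filters system calls can hide
objects from every tool that asks the running OS, but not from an inventory
taken without that OS.  Objects present in the low-level view and missing
from the high-level view are the candidates for hiding."""

from dataclasses import dataclass

# Objects that legitimately differ between a live and an offline inventory
# and must not be reported as hidden (hypothetical allowlist for the example).
VOLATILE = frozenset({r"c:\hiberfil.sys", r"c:\pagefile.sys"})


def normalize(names):
    """Case-fold and unify separators so the two inventories compare equal."""
    return frozenset(n.strip().lower().replace("/", "\\") for n in names)


@dataclass(frozen=True)
class DiffReport:
    hidden: tuple   # only in the low-level view: candidates for rootkit hiding
    ghosts: tuple   # only in the high-level view: transient objects, not hidden


def cross_view_diff(high_level, low_level, volatile=VOLATILE):
    """Compare two inventories of the same namespace.

    high_level: names reported by tools running on the suspect system
                (the view a kernel rootkit can tamper with).
    low_level:  names read without the suspect kernel (offline scan).
    """
    high, low = normalize(high_level), normalize(low_level)
    hidden = sorted((low - high) - volatile)
    ghosts = sorted(high - low)
    return DiffReport(tuple(hidden), tuple(ghosts))


# Constructed sample inventories (all names made up; "rk_hidden" stands in
# for whatever the rootkit chose to conceal).
LIVE_FILES = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\ntoskrnl.exe",
    r"C:\Windows\Temp\scan_in_progress.tmp",   # created by the live scan itself
]
OFFLINE_FILES = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\ntoskrnl.exe",
    r"C:\Windows\System32\drivers\rk_hidden.sys",
    r"C:\hiberfil.sys",                         # missed by the live listing, but benign
]
LIVE_RUN_KEYS = [r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"]
OFFLINE_RUN_KEYS = [
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\rk_hidden",
]


def run_example():
    """Diff both namespaces and return the findings keyed by scope."""
    return {
        "files": cross_view_diff(LIVE_FILES, OFFLINE_FILES),
        "registry": cross_view_diff(LIVE_RUN_KEYS, OFFLINE_RUN_KEYS),
    }


if __name__ == "__main__":
    for scope, report in run_example().items():
        for name in report.hidden:
            print(f"[HIDDEN]    {scope}: {name}")
        for name in report.ghosts:
            print(f"[transient] {scope}: {name}")
```

Two practical points the diff makes visible: the "ghosts" list (present live, absent offline) is not evidence of hiding and should be reported separately so temp files do not drown the real findings, and the allowlist is where false positives such as the hibernation file are handled rather than by weakening the comparison itself.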
Although rootkits are not unique to Windows, the popular operating system is a rich target and makes it easy for malicious hackers to disguise the presence of such programs, according to Jonathan Levin of Symantec Corp.'s @stake division, who attended the presentation at the RSA conference. The operating system's powerful application programming interfaces make it easy to mask behaviors on the system. Microsoft's Internet Explorer Web browser is also a frequent avenue for malicious hackers, viruses and worms that could drop a rootkit on a vulnerable Windows system, Levin said. Better tools could be built to detect the current crop of kernel rootkits. However, rootkit authors are adept at spotting new detection techniques and modifying their programs to slip around them, Danseglio said. "These people are smart. They're very smart," he said. From isn at c4i.org Fri Feb 18 04:30:06 2005 From: isn at c4i.org (InfoSec News) Date: Fri Feb 18 04:35:31 2005 Subject: [ISN] Davis questions security of Treasury Web site Message-ID: http://www.gcn.com/vol1_no1/daily-updates/35113-1.html By Mary Mosquera GCN Staff 02/17/05 Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee, wrote today to Van Zeck, the Treasury Department's commissioner of the Public Debt, to express concern over the safety and security of personal information collected on the www.treasurydirect.gov Web site, which enables people to purchase government savings bonds electronically. Treasury received a D+ on the 2004 federal computer security scorecard Davis' committee released yesterday. "I am concern(ed) about the extent of personal information that is required to be disclosed on the Web site," Davis wrote. 
While many online financial transactions require individuals to submit their credit card account numbers, treasurydirect.gov instructs users to electronically transmit their Social Security number, driver's license number, bank routing number and account number, home address, date of birth and e-mail address, in addition to other personal information. "Expecting individuals to provide their personal banking account information rather than relying on their credit card information is troubling to me," Davis said. Transacting online purchases with a credit card provides a shield to consumers that is not available to individuals who transmit personal bank account routing and Social Security numbers over the Internet. Davis also found troubling a disclaimer in the Web site's privacy and security notice that Treasury cannot guarantee the confidentiality of the personal information as it travels across the Internet. However, the notice said the Bureau of the Public Debt uses the Secure Sockets Layer protocol and 128-bit encryption technology to protect the information. "We'll be taking a look at other Web sites. Part of the effort to promote e-gov is to have citizens feel confident that the information they provide will be safe and secure. Otherwise it will be hard to promote e-gov," said House Government Reform Committee spokesman Drew Crockett. From isn at c4i.org Fri Feb 18 04:31:57 2005 From: isn at c4i.org (InfoSec News) Date: Fri Feb 18 04:35:33 2005 Subject: [ISN] Confidential data left on old PCs Message-ID: http://www.vnunet.com/news/1161309 [Time for our yearly report on how used hard drives bought from eBay elicit sensitive security information. Guess what, nothing has changed! http://seclists.org/lists/isn/2003/Jan/0072.html - WK] Peter Warren Computing 17 Feb 2005 Highly-sensitive information such as passwords and user names of company executives has been found on used computer disk drives bought on eBay. 
Researchers at the University of Glamorgan analysed some 100 randomly-sourced PC hard disks, and discovered that more than half contained data from organisations such as multinational companies, universities and a primary school. Data on the disks included: * staff records, passwords, internal emails and financial details * school reports, a list of pupils, and letters to parents * a document template for university degree certificates. Attempts had been made to destroy data on nearly half the disks in the study, but significant material remained intact. 'On at least seven of the disks that I have seen there was enough information to allow a hacker to get into an organisation,' said Dr Andy Jones, security research group leader for BT Exact, who examined the disks. The government issues guidelines to businesses and public bodies on the proper disposal of computer equipment, much of it freely available online. But the University of Glamorgan research, seen exclusively by Computing, suggests that even the most diligent organisations can still be affected. Information from Swedish insurance company Skandia was uncovered, even though the firm invests in data destruction. 'This is not embarrassing for us, it's absolutely horrifying,' said a Skandia spokeswoman. 'We pay to have our data wiped thoroughly, so we are going to have to investigate to discover how it happened and make sure it does not happen in the future.' Southampton University says it has launched an investigation, after passwords and staff emails were discovered by the research. The university uses a specialist company to wipe disks before disposal of equipment. 'We need to find out what happened and ensure it doesn't happen again,' said a spokeswoman. Agrochemicals company Monsanto says it will investigate how details of crop research from its Cambridge offices was found. 
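The study's key finding is that "attempts had been made to destroy data on nearly half the disks" yet material survived, which is what happens when deletion or a quick format removes only the directory entry. The example below is added here and is not the University of Glamorgan researchers' tooling. It builds a small constructed disk image, shows that a quick-format-style erase leaves the file body recoverable with a plain printable-string scan, then performs a full overwrite (a random pass followed by a zero pass) and verifies the result. The image layout, file contents and credentials in it are all constructed for the example.

```python
"""Disposal check for a disk image (added example, not the Glamorgan study's
tooling).  Shows why 'deleted' data survives a quick format and how to verify
that an overwrite actually reached every byte."""

import os
import re
import tempfile


def residual_strings(data, min_len=8):
    """Return printable ASCII runs of at least min_len bytes, the same idea
    as running `strings` over an image before a drive leaves the building."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return pattern.findall(data)


def build_image(path, size=64 * 1024):
    """Constructed 'disk': a directory entry at the front and a sensitive
    file body further in (all values made up for the example)."""
    body = bytearray(size)
    body[0:16] = b"DIRENTRY:secrets"
    payload = b"username=jsmith;password=Correct-Horse-9;routing=021000021"
    body[4096:4096 + len(payload)] = payload
    with open(path, "wb") as f:
        f.write(body)


def quick_format(path):
    """Mimic a delete / quick format: only the directory entry is zeroed,
    the file body stays on the platter."""
    with open(path, "r+b") as f:
        f.write(b"\x00" * 512)


def overwrite(path, chunk=4096):
    """Overwrite every byte: one random pass, then a final zero pass so the
    result can be verified cheaply afterwards."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for fill in (None, b"\x00"):
            f.seek(0)
            left = size
            while left:
                n = min(chunk, left)
                f.write(os.urandom(n) if fill is None else fill * n)
                left -= n
            f.flush()
            os.fsync(f.fileno())


def verify_zeroed(path, chunk=4096):
    """True only if every byte of the image reads back as zero."""
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                return True
            if block.count(0) != len(block):
                return False


def count_strings(path):
    with open(path, "rb") as f:
        return len(residual_strings(f.read()))


def demo():
    """Run the three stages and return (before, after quick format,
    after overwrite, zero-verified)."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        build_image(img)
        before = count_strings(img)
        quick_format(img)
        after_quick = count_strings(img)
        overwrite(img)
        after_wipe = count_strings(img)
        return before, after_quick, after_wipe, verify_zeroed(img)


if __name__ == "__main__":
    print("strings before / after quick format / after overwrite, verified:", demo())
```

The string scan is the cheap pre-disposal audit; the zero-verification pass is the check that the wipe job (in-house or a contractor's, as in the Skandia and Southampton cases) actually completed. Overwriting a file-backed image is not the same as overwriting a physical drive: sectors the drive has remapped, and flash media generally, need the device's own secure-erase mechanism or physical destruction rather than a host-side overwrite.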
'We assume this is an isolated incident which has arisen during the restructuring of our Cambridge offices, when a number of IT items were disposed of at the end of their working lives,' said a spokesman. 'It seems a serious lapse in our procedures for the disposal of surplus IT kit has occurred.' Computing has requested that all disks and data recovered by the University of Glamorgan research are returned to their original owners or destroyed. From isn at c4i.org Tue Feb 22 09:13:05 2005 From: isn at c4i.org (InfoSec News) Date: Tue Feb 22 09:23:52 2005 Subject: [ISN] Hackers post Paris Hilton's address book online Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,99934,00.html [My understanding of the Danger Hiptop/T-Mobile Sidekick is that unlike BlackBerrys or Palm PDAs, the Sidekick does a real time sync with the T-Mobile servers automatically. Update a note, take a photo or a phone number and the information is transmitted on the fly back to T-Mobile network servers; compromise the internal servers, and more than likely you wouldn't need physical access to the PDA to steal the data. - WK] By Paul Roberts FEBRUARY 21, 2005 IDG NEWS SERVICE Hackers penetrated the crystalline ranks of Hollywood celebrity Saturday, posting the cellular phone address book of hotel heiress and celebrity Paris Hilton on a Web page and passing the phone numbers and e-mail addresses of some of Tinsel Town's hottest stars into the public realm. A copy of Hilton's T-Mobile USA Inc. cell phone address book appeared on the Web site of a group calling itself "illmob." The address book contains information on over 500 of Hilton's acquaintances, including super celebrities such as Eminem and Christina Aguilera. It is not known how the information was obtained, but the release of the contact book may be further fallout from a hack of T-Mobile's servers that came to light in January.
The Hilton address book was posted on the illmob Web site early Sunday and is a simple HTML table listing the phone numbers and e-mail addresses for acquaintances, along with other useful information, such as the number of the San Francisco Hilton Hotel and celebrity attorney Robert Shapiro. The leak is bound to prompt a furious round of unplanned number changes among Hilton's coterie, after fans and curious Web surfers learned of the hack and began dialling their favorite celebrities. Eminem's phone number was changed. Limp Bizkit front man Fred Durst's voice mailbox was full. Tennis star Anna Kournikova's number was busy, despite repeated attempts to get through. Robert Shapiro's answering machine picked up when called and provided a number to page the star attorney in an emergency. There was no answer at Hilton's home, nor did sister Nicky Hilton answer calls to her phone. Reached by phone, actor Kevin Connelly, of the cable television show "Entourage," said he had received between 200 and 300 phone calls since early Sunday, as word of the hacked address book spread across the Internet. Connelly plays opposite Adrian Grenier in the HBO show about a young celebrity and his colorful entourage of old school chums. He declined to comment on whether he knew Hilton or why his name appeared in her T-mobile phone list. Connelly, who received at least one other call while on the line with this reporter, said he would likely change his phone number today to stop the harassment. It was unclear yesterday how the cell phone contact list was obtained. However, Hilton's was one of a number of celebrity cell phones that was reportedly compromised in an attack on T-Mobile's network that netted information on 400 of the company's customers, including sensitive information from the account of a U.S. Secret Service agent. 
In January, the Bellevue, Wash., mobile carrier acknowledged that Nicholas Jacobsen, a California-based hacker, compromised its internal computer systems in 2003 and viewed the Social Security numbers of 400 customers. T-Mobile, which is part of Deutsche Telekom AG, did not immediately respond to requests for comment late Sunday. Jacobsen pleaded guilty last week to one felony charge of accessing a protected computer and causing reckless damage. He is scheduled to be sentenced in May and faces a maximum possible sentence of five years imprisonment and a $250,000 fine. From isn at c4i.org Tue Feb 22 09:13:26 2005 From: isn at c4i.org (InfoSec News) Date: Tue Feb 22 09:23:55 2005 Subject: [ISN] Book Review: Managing Information Security Risks: The OCTAVE Approach Message-ID: http://books.slashdot.org/books/05/02/21/2129224.shtml [http://www.amazon.com/exec/obidos/ASIN/0321118863/c4iorg - WK] Author: Christopher Alberts and Audrey Dorofee. Pages: 471 Publisher: Addison-Wesley Longman Rating: 5 Reviewer: Jose Nazario ISBN: 0321118863 Summary: An introduction to information security risk management using the OCTAVE method Authors Alberts and Dorofee are the principal developers of OCTAVE and are staff members at the Software Engineering Institute (SEI) at Carnegie Mellon University (CMU), where CERT has offices. As such, they're the right people to describe OCTAVE. The CERT OCTAVE website area explains the process in more detail. Needless to say, OCTAVE is a very large, complex, heavy process for an organization to go through, with some arguable benefits. Very few organizations have done so to the best of my knowledge -- most of them are scared off by the complexity of the whole undertaking. This brings up a very important point. It's important to state the difference between a critique of the OCTAVE method and the book itself. OCTAVE is interesting in that it's an attempt to formalize the complex process of information security evaluations. 
Despite its shortcomings and turnoffs, it has a purpose, and I won't dispute it for the most part. The book, instead, covers an abbreviated format of OCTAVE. It's important to focus on the strengths and weaknesses of the book and not the topic. The book is organized into three main parts. Part 1 (covering chapters 1 and 2) is an introduction to the principles being discussed in the book. The method itself, and therefore these chapters, focus on a formal evaluation of information security risks and how to manage them. The principles focus on enumeration of assets, their threats and vulnerabilities, and then remediation of the threats to minimize the risk. The section introduces the core concepts to this philosophy. Part 2 of the book, covering chapters 3 through 11, serves two main purposes, preparation and then execution of the method. Chapter 3 introduces the fundamentals of the OCTAVE method, specifically how the three phases (asset-based threat profiles, vulnerability identification, and security strategy planning) fit together. The inputs of the method and its outputs are then described; you'll be using them in later chapters. Chapter 4 helps you prepare for the approach in your organization, including how important it is to get management buy-in, who will participate, and how to organize the evaluation. Project managers will adore this chapter. The next few chapters cover the meat of the OCTAVE method. Chapter 5 covers processes 1 to 3, where assets are enumerated and the current state of the security profile is captured, as well. This step is crucial for building a baseline and knowing what you'll have to cover. Chapter 6 leads you through the threat profile, where you examine assets that you've identified as critical and the security requirements for them. And finally, in Chapter 7, the basic identification steps are done as you identify critical infrastructure components to examine later on.
This is done so that you can work efficiently, as opposed to studying every asset in depth. By studying classes of assets you can (hopefully) achieve the same coverage without spending valuable time repeating the process. Chapters 8 and 9 deal with the commonly understood parts, the actual vulnerability and risk analysis. Chapter 8 discusses vulnerability assessment tools and some basic questions to ask about them, but leaves the actual evaluation of those tools up to another text. Chapter 9 then helps you undertake the actual risk analysis, such as the impact of any threat being realized or the probability that one would be encountered. This is what most people think of when they think of an information security audit. This gets to what is perhaps my biggest complaint about the book. It doesn't teach you how to think creatively about threats to information security. Instead, you're told to enumerate assets and threats against them via brainstorming, as though you'll somehow "get it" the first time (or every time). For someone new to the field, this can be hard, because not all assets are obvious -- and not all threats are understood. It's a hard skillset to teach, but it should have been attempted with more gusto. Chapters 10 and 11 close the big circle of an information security audit, by developing an information security protection strategy. It's basically a series of outlines of meetings and their agendas as you present the findings of the evaluation but are (obviously) vague in the absence of any concrete findings. This is probably a good time to raise another objection to this book. My second biggest complaint is that the authors never cut to the heart of what the OCTAVE method is trying to do. Sure, the book covers a stripped-down version of OCTAVE, but it doesn't ever get at how you can really adapt this to your organization. Instead, it's a series of rigid steps in the OCTAVE method. 
If you attempt to do something different for whatever reason, you're on your own. Again, an attempt to work in some flexibility beyond what is present in Chapter 12 (An Introduction to Tailoring OCTAVE, the start of part 3) would have been welcome. This chapter just keeps you inside the narrow confines of the OCTAVE approach. Chapter 13 attempts to bring this home by discussing the practical applications for an organization. They attempt to discuss how a small company would utilize OCTAVE, but to be honest it's so heavy and time-consuming it's hard to see how they would employ anything but the barest of concepts to their workflow. Three other examples are given: a very large distributed organization, an integrated Web portal service provider (which faces unique threats), and large and small organizations. Again, while this chapter attempts to show how to tailor OCTAVE to anything but the largest and most diligently staffed of organizations, it fails to get to the salient points of the method. Instead, it tries to foist the process on them. Finally, chapter 14 tries to bring it all home and discuss the information security life cycle of analysis, monitoring, control, and implementation (not in that order). They hope that OCTAVE has become a part of this process and show how it complements and matures this process. Instead, I wonder if an organization will think about the effort they just expended and be reluctant to do this again. The appendices are piles of worksheets, charts and workflows to go through with OCTAVE. You can make photocopies and use them if you implement the OCTAVE approach. It's very hard to consider these methods strong enough when you read about the report card government agencies received for information security. While they may have not been following OCTAVE, it's hard to see how a book that so superficially treats the subject matter can help anyone do better. Almost everything is just a high-level line-item risk-and-mitigation strategy.
Things like "Our organization cannot deliver effective or efficient health care without PIDS" and an impact of "High" are, to put it mildly, interesting in their superficiality. So many things are simply glossed over, yet so many worksheets remain. On the other hand, if a fair treatment of threats, assets, and the like were fully discussed the book would be many more volumes, a significantly more tedious tome, and too sensitive to the shifting sands of time. Overall the book does a decent job of covering OCTAVE's core premises, but doesn't really provide much beyond that. It's a complex process that doesn't work well for a number of organizations. Instead of helping organizations see how to use it, the authors simply keep presenting OCTAVE for what it is, which makes me question the value of this book beyond someone who has already decided to implement OCTAVE. It doesn't seem like it has a lot to offer anyone who doesn't have a large body of knowledge in information security management and a staff to deploy with worksheets in hand. The book simply fails to contribute greatly beyond the very narrow specifics of OCTAVE. From isn at c4i.org Tue Feb 22 09:13:40 2005 From: isn at c4i.org (InfoSec News) Date: Tue Feb 22 09:23:57 2005 Subject: [ISN] Microsoft in Quandary Over Virus Security Message-ID: http://www.washingtonpost.com/wp-dyn/articles/A43410-2005Feb22.html By Allison Linn The Associated Press February 22, 2005 SEATTLE -- If Microsoft Corp. doesn't do more to stem Internet attacks, the company risks further alienating customers unhappy with the multitude of threats already facing its ubiquitous software. Sell its own security products, on the other hand, and Microsoft faces a potential backlash from some of its allies - the companies that now provide an extra layer of security for its Windows operating system, Internet Explorer browser and other products. With a powerhouse like Microsoft becoming a direct competitor, they could get squeezed out. 
What a quandary. Last week, Microsoft Chairman Bill Gates confirmed plans to sell antivirus products to both consumers and big businesses by the end of the year. But the Redmond company is mum on cost and features. Speaking at a security conference, Gates also said the company would give consumers a free tool for combating spyware, a pesky and growing threat that can monitor users' activities, hinder computer performance and create other hassles. Microsoft also will sell a more sophisticated antispyware product to businesses. Executives in the security industry say they believe Microsoft's promise to continue sharing security information and working with other security companies even after it becomes a direct competitor. Analyst Gregg Moskowitz with Susquehanna Financial Group said both sides have an incentive to "continue to play nice with each other." The security companies are dependent on Microsoft to make sure their defenses run smoothly, while Microsoft cannot risk having competing security products break down and wreak more havoc on Windows, Moskowitz said. "A very significant number of people, if they don't have a good security experience, they're going to hold it against Microsoft - even if they're using another vendor," Moskowitz said. Still, John Schwarz, president and chief operating officer of Symantec Corp., would rather see Microsoft concentrate on fixing security flaws. "We believe they'd be better off in focusing on making sure that their platform, the Windows operating system, is less subject to attack," Schwarz said. Microsoft has worked feverishly to better secure its products, including updating Windows XP with a new firewall and other security measures. But given their widespread use, the products are near-constant targets of attacks that take advantage of loopholes and flaws to hijack computers, steal personal information and cripple businesses. McAfee Inc. President Gene Hodges calls its new competitor an example of "capitalism at its best." 
But he said it will only be a fair fight if all companies have a level playing field in which everyone sells, rather than gives away, products. Microsoft's move to sell antivirus software appears fair so far, Hodges said, though he said Microsoft's decision to give away an antispyware product could hurt smaller players who can't afford such giveaways. "We would have rather they entered the market for spyware and competed," Hodges said. Security companies including McAfee already sell antispyware products, generally charging between $30 and $40, though a few give away versions or trials for free. Microsoft has downplayed the competitive angle, saying they are simply responding to requests from customers for more protection options. Amy Roberts, a director with the company's security and business unit, said the company is most concerned about people who have no extra protection at all. Peter Kuper, an analyst with Morgan Stanley, believes Microsoft is most interested in protecting its Windows franchise, not finding a new way to make money. The security problems are costly and damaging to Microsoft's reputation, he said, and failure to address the threats could drive more customers to competing products such as the Mozilla Firefox browser or Apple Computer Inc.'s Mac OS computers. "They're not winning the war. They're not winning the battle," Kuper said. "So Microsoft is saying, `I don't care whether it's free, as long as it's something. That's better than nothing.'" Kuper isn't expecting Microsoft to immediately snag much market share from Symantec, McAfee and others. But he noted that, while Microsoft may not be looking at security as a big revenue stream, the cash-rich company could easily afford to undercut its competitors. Symantec's Schwarz said he worries that Microsoft's clout could also discourage smaller security companies from entering the market or staying in it, effectively reducing options for consumers. 
Microsoft's prior moves into new markets - including trouncing browser pioneer Netscape by shipping its Windows systems with Internet Explorer, now such a common target of Web-based attacks - have gotten the company in hot water with antitrust regulators in the United States and Europe. But for now at least, some competitors say they aren't planning to take this battle to court. Symantec's Schwarz argues that his company's products will have an edge, especially with business customers, because they protect more than just Microsoft products. And McAfee's Hodges said he's confident his company's reputation will keep customers loyal. "I'd rather fight Microsoft in the marketplace because we're convinced we can whip them," Symantec Chief Executive John Thompson said at the security conference where Gates spoke. "So this is not about showing up in Washington or whining on someone's doorstep about what Microsoft can or might do." From isn at c4i.org Tue Feb 22 09:13:55 2005 From: isn at c4i.org (InfoSec News) Date: Tue Feb 22 09:23:59 2005 Subject: [ISN] Thinking Outside the Security Box Message-ID: http://www.wired.com/news/privacy/0,1848,66647,00.html By Ryan Singel Feb. 18, 2005 SAN FRANCISCO -- The 2005 version of the nation's pre-eminent cybersecurity conference features hundreds of speakers and 275 exhibitors bombarding the estimated 13,000 attendees with PowerPoint presentations and free USB memory keys in an effort to sell their particular firewall, smart card or fingerprint reader. To find some of the most interesting offerings on the floor, Wired News met up with cryptography expert Jonathan Callas, who has been attending the RSA Conference since 1993, when the show had fewer attendees than there are exhibitors in 2005. Callas currently serves as the CTO of PGP, a company that sells encryption software to corporations and government and is now working to make e-mail encryption easy for almost anyone with a computer. 
Callas took time from working the floor to give Wired News a kick-the-tire tour of the expo, where vendors vie to scan the high-tech conference badges of potential clients or partners. Here are three companies that Callas thought were interesting enough to turn over his badge to for scanning -- not the best or worst of show, just a few he found innovative and clever, or worth a further look. As usual, RSA included a slew of biometric applications, from iris readers to fingerprint scanners. Though Callas started the tour expressing skepticism about previous years' biometric offerings, he turned over the badge to at least one company selling a fingerprint reader. Privaris is a small Fairfax, Virginia-based startup that makes a key-chain-size fingerprint fob that can be used to log on to a computer, open a garage door or enter a building. The reader, which has 300 Kb worth of memory, matches a person's fingerprint to a template stored on the device, and then sends an encrypted security code to any remote reader, using either Bluetooth or low-frequency RFID (without being vulnerable to bluesnarfing). The $179 fob, which has been on the market for just eight months, has already been tested by North Carolina law enforcement to verify the identities of truck drivers who haul hazardous materials, and is one of two fingerprint-based technologies in a Transportation Security Administration-funded pilot program to tighten airport worker security, according to Megan Prosser, product manager for Privaris. Though the mention of biometrics often invokes worries of Big Brother, privacy should not be a concern, according to Prosser. "The fingerprint template never leaves the device, so there's no need for a biometric database, which eliminates privacy concerns," Prosser said. Callas likes the idea since it takes something like a secure parking access card that works well enough and makes it better, by adding a layer of authentication. "They are one-plussing it," Callas said. 
Callas also counts himself a fan of WholeSecurity, a company that works to prevent spoofing, worms, key logging and phishing attacks. But the company's software eschews the typical strategy of relying on blacklists of virus names or of websites pretending to be PayPal. Instead, the company's software looks for behaviors or signs that a website with the Citibank logo is fake or that a computer on a corporate network is trying to send out information in a sneaky manner.

Callas prefers this approach to relying on lists that might only get updated after attacks have been reported elsewhere.

"WholeSecurity is cool because they are behavior-based," Callas said. "Their rules are that nobody should be e-mailing this information or that this application should not be sniffing and that you should not be going to an unknown website with Citibank's logo and entering password information."

While most computer users won't find themselves using the full, always-on power of WholeSecurity's software -- which is sold only as enterprise software -- many already use the company's technology without even knowing it. For example, eBay included the company's anti-phishing algorithms in its Internet Explorer toolbar.

Though Callas is a technologist through and through, he also likes the simplicity of a service called Authentify, which helps cut down on online fraud using an antique technology known as the telephone.

Companies use Authentify to verify a customer's ID when a person first signs on to their bank account or if an account primarily used for checking balances is used at 4 a.m. to transfer $10,000 to an account in the Ukraine, according to CEO Peter Tapling.

The software pops up a screen that informs the user that a quick phone call to one of the phone numbers associated with the account is necessary to complete the transaction. The company then calls the number and asks for some authentication information or records the person's voice.
Though two years ago Authentify executives were wondering whether they had a decent business model, last year the company handled 4 million transactions and called 165 countries using voice recordings in 30 different languages.

One ISP, which found itself battling to keep spammers from signing up for accounts and then sending millions of e-mails before the new accounts got terminated, has eradicated the problem by using Authentify and simply requiring new customers to have their responses taped.

"For real customers, it is very easy. For phishers, it's game over," Tapling said.

Callas loves the simplicity of the solution, which he compared to the days of bulletin board systems, when administrators concerned about unknown people dialing into their modem bank would call the prospective user back on a regular phone line.

"Spammers don't want to have their voice recorded on tape," Callas said. "This is a great deterrent factor. It gets rid of untraceability, which a lot of network attacks rely on."

From isn at c4i.org Tue Feb 22 09:14:06 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 22 09:24:01 2005
Subject: [ISN] Singapore Unveils Plan to Battle 'Cyber Terror'
Message-ID:

http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=7698536

Feb 22, 2005

SINGAPORE (Reuters) - Singapore is to spend $23 million over three years to battle online hackers and other forms of "cyber-terrorism" in one of the world's most connected countries, government officials said Tuesday.

Describing the infrastructure behind the Internet as a "nerve system" in Singapore, Deputy Prime Minister Tony Tan said a new National Cyber-Threat Monitoring Center would maintain round-the-clock detection and analysis of computer virus threats.

"We cannot afford to treat the threats from cyber terrorists, cyber criminals and irresponsible hackers lightly," Tan said in a speech while unveiling an information-technology security "master plan" in the tech-savvy city-state.
"Infocomm security is as important in protecting Singapore as is physical security at our borders," added Tan, who is also Coordinating Minister for Security and Defense.

Singapore has one of the world's highest Internet penetration rates, with 50-60 percent of its 4.2 million people living in homes wired to the Internet.

The affluent, predominantly ethnic Chinese island has also steadily tightened security since the September 2001 attacks on the United States, from patrols of heavily armed police in busy shopping districts to tighter security at border points.

In 2003, Singapore passed strict legislation to allow monitoring of all computer activity and for police to take pre-emptive action to protect state computers from cyber attack.

Tan said the money would also be used to help businesses tighten security for online financial transactions while guiding them to work with the government in maintaining cyber security.

The Cyber-Threat Monitoring Center will link up with companies that provide anti-virus systems and governments running similar centers, including the United States and Australia. It is expected to be fully operational by the second half of 2006.

From isn at c4i.org Tue Feb 22 09:14:19 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Feb 22 09:24:03 2005
Subject: [ISN] From layers to assurance
Message-ID:

http://www.fcw.com/fcw/articles/2005/0214/web-assurance-02-18-05.asp

By Florence Olsen
Feb. 18, 2005

SAN FRANCISCO - The problem of securing software continues to preoccupy Homeland Security Department and Defense Department officials, many of whom say the commonly used "layered defense" against insecure and malicious applications is not working.

Layered defenses rely on security measures added to each level through which data passes, including networks, systems and applications. However, that approach "is riddled with holes," said Joe Jarzombek, the Pentagon's deputy director for software assurance.
A better approach, said Jarzombek and others who spoke here at the RSA Conference, may be to spend more on software assurance testing and better training -- perhaps even mandatory certification -- of software developers.

"We want to shift the paradigm from patch management to software assurance," said Hun Kim, deputy director for policy and strategic initiatives at DHS' National Cyber Security Division.

Government interest in secure software extends beyond DHS and DOD to Capitol Hill, Jarzombek said.

As part of a new Software Assurance Initiative at DHS, department officials are working with members of the Institute of Electrical and Electronics Engineers to collect the best available knowledge of secure software development, Kim said. DHS and IEEE will then make it available free to colleges and universities for developing new courses in software assurance.

Another aspect of the software initiative, Kim said, will be to help acquisition officials buy secure software using DHS-developed standards, specifications and acquisition language for software assurance.

Kim said he hopes that everything achieved through the DHS program will have far-reaching benefits. "We're trying to raise the level of software assurance for the nation, not just DHS," he said.

DOD officials, who are working with National Security Agency officials on a variety of similar initiatives, said the lack of software assurance warrants more attention and funding than it has received. Some software products are attacked or infiltrated with malicious code even before they are shipped, Jarzombek said.

One aspect of NSA's software assurance program is investigating how software products, especially commercial products, are built. DOD's software consumers know little about "who is doing the code and what is in the code," said Daniel Wolf, director of the Information Assurance Directorate at NSA.
Lawmakers are concerned about the outsourcing of software coding overseas, but the same problem exists with domestic outsourcing, said Ron Moritz, senior vice president and chief security strategist at Computer Associates, which makes software security products. "There's no difference whether you're outsourcing to Virginia or offshore if you don't have a mechanism to understand what you're getting back," he said.

Software assurance testing such as NSA officials conduct through a program known as the National Information Assurance Partnership is a proven way to improve the quality and trustworthiness of software, Wolf said.

Software company officials have criticized NIAP as too time-consuming and expensive, but it has nevertheless improved software security, Wolf said. NIAP personnel have found that between 35 percent and 45 percent of the products submitted for evaluation have security problems, which the vendors then fix, Wolf said. "We've also seen products disappear from the market" after an evaluation, he said.

But primarily because the NIAP program has drawn considerable criticism, DHS officials have commissioned the Institute for Defense Analyses to review it, Kim said.

In addition to more rigorous software assurance testing, employee training and certification may finally get the attention they deserve, said Robert Lentz, director of the Information Assurance Directorate at DOD. Employees who operate military networks are not certified for that responsibility, but Pentagon officials are going to change that, he added.

Some officials interested in software assurance think it might be a good idea if software developers had to certify their work and be held liable if software is faulty or unsafe. In disciplines such as mechanical and civil engineering, engineers must certify that a bridge they have built is safe, Wolf said. "Should we do the same in software? Where's the accountability?"
Accountability, he said, should be more than a coupon for the next software release.

From isn at c4i.org Tue Feb 22 09:14:51 2005
From: isn at c4i.org (InfoSec New