From isn at c4i.org Tue Jan 4 06:31:49 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jan 4 06:47:33 2005
Subject: [ISN] Linux Security Week - January 3rd 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  January 3rd, 2005                            Volume 6, Number 1n   |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin D. Thomas      ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "A 2005 Linux
Security Resolution," "Unpatched Linux PCs Stay Secure For Months," and
"Largest IPv6 network launched in China."

---

>> Internet Productivity Suite: Open Source Security <<

Trust Internet Productivity Suite's open source architecture to give you
the best security and productivity applications available. Collaborating
with thousands of developers, Guardian Digital security engineers
implement the most technologically advanced ideas and methods into their
design.

http://store.guardiandigital.com/html/eng/products/software/ips_overview.shtml

---

LINUX ADVISORY WATCH:

Happy New Year! This week advisories were released for netpbm, libtiff,
imlib, Xpdf, CUPS, and ViewCVS. The distributors include Conectiva,
Debian, Gentoo, and Mandrake.

http://www.linuxsecurity.com/content/view/117722/150/

-------------------------------------------------------------------

A 2005 Linux Security Resolution

Without a mission and plan, very little gets accomplished. The new year
should not only be a time to set personal goals such as an exercise
regimen, but also a time to focus on security practices and
configurations. 2005 will be hostile; now is the time to prepare.
http://www.linuxsecurity.com/content/view/117721/49/

----

State of Linux Security 2004

In 2004, security continued to be a major concern. The beginning of the
year was plagued with several kernel flaws, and Linux vendor advisories
continue to be released at an ever-increasing rate. This year, we have
seen the reports touting Windows' security superiority, only to be
debunked by other security experts immediately after release.

http://www.linuxsecurity.com/content/view/117655/49/

-----

Vincenzo Ciaglia Speaks Security 2004

Vincenzo Ciaglia of Linux Netwosix talks about this year of Linux
Security. A full immersion in the world of Linux Security from many
sides and points of view.

http://www.linuxsecurity.com/content/view/117515/49/

------

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the
ability to securely access corporate email from any computer,
collaborate with co-workers and set up comprehensive address books to
consistently keep employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* SysAdmin to SysAdmin: Using RAID with PVFS under ROCKS
  30th, December, 2004

I administer a newly deployed ROCKS compute cluster, and I use the
Parallel Virtual Filesystem which comes with the ROCKS Linux
distribution to provide a parallel IO system. For those who are not
familiar, check out my earlier ROCKS article, as well as my earlier
article about PVFS. My cluster is slightly older hardware -- dual PIIIs,
and each PC has two hard drives.

http://www.linuxsecurity.com/content/view/117717

* Secure programmer: Call components safely
  28th, December, 2004

How you handle calls and returns is as important as which components you
call.
Application programs typically make calls to other components, such as
the underlying operating system, database systems, reusable libraries,
Internet services (like DNS), Web services, and so on.

http://www.linuxsecurity.com/content/view/117684

* Unix, Linux Security Bugs Patched
  27th, December, 2004

Internet security research firm iDefense has announced a series of
vulnerabilities and patches for a variety of Unix- and Linux-based
products.

http://www.linuxsecurity.com/content/view/117680

* Unpatched Linux PCs Stay Secure For Months
  29th, December, 2004

The average unpatched Linux system survives for months on the Internet
before being hacked, a report recently issued by the Honeypot Project
claims.

http://www.linuxsecurity.com/content/view/117697

* New, 'Critical' Windows Bugs Lack Patches
  28th, December, 2004

A trio of new and unpatched vulnerabilities in Microsoft Windows were
made public on security mailing lists over the weekend, nudging some
security vendors to alert users that their systems may be open to attack
and hijacking. The vulnerabilities, first reported by a Chinese group
and then posted to the Bugtraq mailing list, are in Windows' LoadImage
API function, its animated cursor files, and in the way it handles help
files.

http://www.linuxsecurity.com/content/view/117686

* Largest IPv6 network launched in China
  30th, December, 2004

An IPv6-based network linking 25 universities in 20 cities across China
began operating on Saturday. The China Education and Research Network
Information Center (CERNIC) announced the launch of the network, called
CERNET2, which is thought to be the largest single IPv6 network yet
created. CERNIC claimed it makes China a world leader in the race to
build the next generation of the Internet.
http://www.linuxsecurity.com/content/view/117715

+------------------------+
| Network Security News: |
+------------------------+

* Linux, security skills projected hot skills for 2005
  30th, December, 2004

Security, Web services and Linux jobs continue to dominate the IT help
wanted ads and are projected to remain among the hottest skill and
certification areas in 2005, according to research firms that specialize
in tracking skills and certifications.

http://www.linuxsecurity.com/content/view/117720

* What's Hot in 2005
  28th, December, 2004

What technologies are going to be most important for you to survive
2005? We pull out our looking glass and tell you what's hot. We Don't
Need No Stinking Power Cords! Power over Ethernet (PoE) technology will
be deployed big-time, allowing wireless access points, VoIP phones, and
many other devices to be used with less hassle and expense, because
they...

http://www.linuxsecurity.com/content/view/117687

* Web services skills a must for 2005
  28th, December, 2004

Web services, security and Linux jobs continue to dominate the IT help
wanted ads and are projected to remain among the hottest skill and
certification areas in 2005, according to research firms that specialize
in tracking skills and certifications.

http://www.linuxsecurity.com/content/view/117688

* Phone Worm Source Code Out, Expect More Threats
  29th, December, 2004

The source code for the most prevalent worm targeting mobile phones has
been made public, security firms announced Wednesday, a dangerous
disclosure that may lead to more effective attacks.

http://www.linuxsecurity.com/content/view/117703

+------------------------+
| General Security News: |
+------------------------+

* Linux and Open Source: The 2005 Generation
  3rd, January, 2005

Sometimes people don't know when a revolution has happened until
afterwards. Then, the historians tell us that 2004 was the year that
open source started to become computing's mainstream.
http://www.linuxsecurity.com/content/view/117740

* Security challenges spread to multiple fronts and IT jobs will rebound
  in 2005
  3rd, January, 2005

In my last column, I reviewed the top security developments of 2004. Now
I'm going to extrapolate on the trends that I see affecting IT security
in 2005, both here and abroad.

http://www.linuxsecurity.com/content/view/117741

* Biometric Sensors Keep Finger on Security
  27th, December, 2004

Biometrics authentication technology should be a promising means to
confirm a cardholder's authenticity. With a Linux-based radio frequency
(RF) personalizer that reads and writes in memory, the administrator can
set various parameters of the smart security controller, such as
real-time clock, personal identification number (PIN) option, alarm
options and reader delays.

http://www.linuxsecurity.com/content/view/117675

* Security workers praise Sarbanes-Oxley
  27th, December, 2004

Many security workers feel that government regulations aimed at
protecting IT networks from threats are working, according to a new
survey.

http://www.linuxsecurity.com/content/view/117682

* ENN Year in Review 2004: Virus Wars
  30th, December, 2004

Malware used to be easy to detect and avoid. Virus writers would attach
a malicious programme to an e-mail and distribute it as widely as
possible. If any of the recipients opened the attachment, the virus
could delete system and data files, search for confidential information
and propagate itself on the local network. In those simple days, viruses
were like vampires -- as long as you didn't invite them in, they
couldn't do you any harm. If you refrained from opening e-mail
attachments from strangers, then you were safe.
http://www.linuxsecurity.com/content/view/117719

* Spam Punishment Doesn't Fit the Crime
  28th, December, 2004

I hate spam as much as the next person, but recent decisions by courts
in Iowa and Virginia demonstrate how fear of technology (and justifiable
annoyance) can force the legal system to impose fines and sentences that
are grossly disproportionate to the harm caused by spammers.

http://www.linuxsecurity.com/content/view/117685

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


From isn at c4i.org Tue Jan 4 06:32:17 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jan 4 06:47:36 2005
Subject: [ISN] REVIEW: "Disaster Proofing Information Systems", Robert W. Buchanan
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKDPINSY.RVW   20041106

"Disaster Proofing Information Systems", Robert W. Buchanan, 2003,
0-07-140922-X, U$49.95/C$78.95/UK#36.99
%A   Robert W. Buchanan
%C   300 Water Street, Whitby, Ontario   L1N 9B6
%D   2003
%G   0-07-140922-X
%I   McGraw-Hill Ryerson/Osborne
%O   U$49.95/C$78.95/UK#36.99 905-430-5000 fax: 905-430-5020
%O   http://www.amazon.com/exec/obidos/ASIN/007140922X/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/007140922X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/007140922X/robsladesin03-20
%P   268 p.
%T   "Disaster Proofing Information Systems"

Buchanan proposes that we avoid disaster by building systems that have
redundancies and are resistant to failure. In theory, this is an
excellent idea. But he also implies that you can do this without any
extra work or expense. Beware of people who tell you they can spin gold
out of straw.
Part one outlines the SHARED (somehow derived from "systems providing
high availability through end-to-end resource distribution")
methodology. Chapter one is a promotional piece for SHARED, featuring
scattered examples, a disjointed structure, and verbiage that appears to
be a rationale for the use of the system, but only if you don't examine
it closely. This scattered and random approach is extended in chapter
two, where the discussion of risk management confuses the qualitative
and quantitative methods, and suggests that an alternative means of
communications is a phone tree--if the phones are out. A lot of activity
is suggested, most of it in the form of taking inventories, but the
explanations of *how* to decide what goes on the various forms is very
poor. The standard parts of a disaster recovery plan, such as hot sites,
cold sites, and (in a rather idiosyncratic use of the term
"co-location") multiple processing bureaus, are listed in chapter three.
Chapter four pulls data out of thin air to fill in the forms for an
"example" study.

Part two talks about implementing SHARED. Chapter five discusses access
devices, which seems to mean replacing your desktop computers with
handhelds. Products for implementing the different types of redundancy
with different platforms are listed in chapter six, although it is
notable that clustering is described in the very limited Microsoft
manner, rather than the broader and original sense. Chapter seven
suggests that you write your applications properly. (How to do this is
left as an exercise for the reader.) Database (referred to here as "data
store") replication and backup is touched on in chapter eight. Various
redundant topologies are suggested in chapter nine, but Buchanan makes
several mistakes (suggesting, for example, one that avoids excessive
communications--but would ensure a failure of communications in the
event of the system failure that it is supposed to address).
Chapter ten makes vague mentions of different market and operation
types. Chapter eleven refers to generic testing activities.

This book is hard to read, hard to understand, and provides very little
useful information that is not addressed much more lucidly elsewhere
(such as in Toigo's "Disaster Recovery Planning" [cf. BKDIRPL.RVW]).

copyright Robert M. Slade, 2004   BKDPINSY.RVW   20041106

======================
(quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca      slade@victoria.tc.ca      rslade@sun.soci.niu.edu
I summon the vast power of CERTIFICATION! ... Well, this is
embarrassing; that's all I remember from the classes.
                                          - Scott Adams, Dilbert
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade


From isn at c4i.org Tue Jan 4 06:32:33 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jan 4 06:47:37 2005
Subject: [ISN] Terrorism Fight Prods NSA to Look Beyond Its Fortress
Message-ID:

http://www.washingtonpost.com/wp-dyn/articles/A43264-2005Jan2.html

By Christian Davenport
Washington Post Staff Writer
January 3, 2005

Nicknamed "No Such Agency" and "Never Say Anything" for its legendary
secrecy, the National Security Agency conceals its headquarters behind
tall fences topped with barbed wire. Its employees are in the business
of breaking codes, eavesdropping and guarding secrets. And its normally
reticent leaders rarely call attention to themselves outside the
agency's sprawling campus.

So it was an extraordinary event when some of the agency's top officials
emerged in Annapolis about a year ago at the opening of a business
center dedicated to helping start-up homeland security companies. Their
message was also extraordinary: The NSA needs help fighting the war
against global terrorism.

"I'm looking for new ideas," said Daniel G. Wolf, the NSA's information
assurance director. "We want to hear what you have."
In November, the agency announced that it would pump $445,000 into the
center, whose companies are at the vanguard of security technology:
finding cures for bioterrorism diseases, protecting computer networks
from hackers, developing software designed to find terrorists.

As the intelligence industry continues to expand since the Sept. 11,
2001, attacks, the clandestine agency is playing a more prominent -- and
visible -- role in the Washington region. With plans to hire 7,500 new
employees over five years, the NSA, already Anne Arundel County's
largest employer, is undergoing its largest recruiting drive since the
Cold War. The agency is also increasingly opening its doors to private
companies for help in developing spy technologies.

The business center in Annapolis is just one example of how the
burgeoning intelligence industry is affecting the region. Highly secure
office parks that house defense contractors have sprouted up near the
agency's headquarters and nearby Baltimore-Washington International
Airport. In Greenbelt, a headhunting agency that serves only clients
with security clearances is seeing double-digit growth every month.

Home to the Pentagon, CIA, FBI and NSA, the Washington area has long
been a place where the intentionally vague phrase "I work for the
government" has been code for one of the security agencies. But now, an
increasing number of people demur when asked what they do for a living.

"I'm a contractor for the Department of Defense, doing computer stuff,"
is how Jason, 31, of Annapolis answers. It's the computer stuff he hopes
people focus on, because then they "think I'm an IT guy." And nothing
ends a conversation faster than the words information technology, said
Jason, who spoke only on the condition that his last name not be used.
Copious Security Features

From the outside, the National Business Park, next to the NSA and Fort
Meade, seems like an ordinary set of modern office buildings, just like
the corporate parks all around Washington.

But there is nothing ordinary about it. Built to exacting government
security standards with a uniform concern -- protecting the technology
designed to help intelligence agencies catch terrorists -- the buildings
are part of a growing breed of highly secure commercial complexes with
cloak-and-dagger amenities.

Known as SCIFs -- sensitive compartmented information facilities -- they
often have film on the windows to prevent eavesdropping, walls fitted
with soundproof steel plates or white-noise makers embedded in the
ceiling that prevent spy bugs from picking up top-secret conversations,
according to developers and construction officials. Some even have a
lattice of metal bars in the air ducts to keep out prowlers.

The buildings at the National Business Park are loaded with SCIF space,
said Randall M. Griffin, president and chief operating officer of
Corporate Office Properties, which owns the site. But he would not
discuss their specific security measures.

Demand for secured office space has grown so much that all the park's
1.7 million square feet is leased, to such defense contracting giants as
Northrop Grumman Corp., Computer Sciences Corp., Titan and Booz Allen
Hamilton Inc. Construction of a second phase of the park, which would
add 10 buildings comprising 1.3 million square feet, is underway.

During an event at the Maryland State House last summer, in which it was
announced that the NSA would be working more closely with state and
local governments, NSA officials again stepped out in public view. And
again they said they needed to tap into local companies for help.

"It's growing out of an awareness that we can't solve all of our
problems" alone, Eric C. Haseltine, the agency's associate director of
research, told reporters.
Intelligence spending has mushroomed in the years since Sept. 11.
Previously, intelligence spending hovered around $30 billion a year,
said John E. Pike, director of GlobalSecurity.org, an intelligence
policy think tank. Since then, it's grown to about $40 billion annually,
he said.

Hoping to cash in on the growth, Anne Arundel helped start the
Chesapeake Innovation Center, the country's first incubator that works
exclusively with new homeland security companies.

Walking into the center, in a squat brick building near downtown
Annapolis, is a little like entering Q's laboratory in James Bond's
world. In one office, researchers for PharmAthene are working on
vaccines for diseases that could spread during a bioterrorism attack,
including anthrax.

Three flights up, Secure Processing Inc. is developing methods for
businesses to keep their computer networks safe from insiders. You never
know when someone posing as a loyal employee may try to steal important
secrets, said Terence Flyntz, the company's chief executive.

"We're talking about disgruntled employees, potential spies, even
terrorists who could embed themselves and pretend they are something
else," he said. "They could pose even as janitors," he added.

Another company, Harbinger Associates, has developed software that can
take an Arabic name, run through all its English spellings and match
them against a watch list. Because Arabic names are often spelled many
different ways in English, the person for whom authorities are looking
can often slip by, according to the company. The software is almost
complete, and Harbinger officials hope their product will soon be used
behind the guarded walls of the NSA.

'Cleared' and Taking Off

He's a high-tech wiz, which makes him marketable enough. But it's his
top-level security clearance that makes him such a hot commodity. He's
so sought after that he doesn't even have to hold down a steady job in
one place.
Instead, Derek, who would not provide his last name for security
reasons, does freelance information technology work for the government
and private companies looking for someone trusted to keep secrets.
Derek, 34, earns about $170,000 a year, jumping from project to project.
And whenever he needs a new gig, he goes to Kelly FedSecure, a
Greenbelt-based personnel firm that works exclusively with "cleared"
people.

Richard Piske and business partner Gary Morris noticed the growing
demand for workers qualified to work on classified projects. Two months
after the Sept. 11 attacks, they founded a headhunting company and
temporary agency for people with clearance. In 2003, the company was
purchased by Kelly Services Inc., one of the largest personnel service
companies in the country. And over the past year, Kelly FedSecure has
had double-digit growth from month to month, Piske said.

"The overall demand for cleared people . . . is up significantly since
9/11," he said. "And the forecasted demand is not projected to abate for
the foreseeable future."

Pat Hiban, a Columbia real estate broker, knew only that his former
neighbors worked for the NSA. Every so often, an investigator he assumed
was an FBI agent would knock on his door. Polite but persistent, the
investigator would say he was updating background checks on Hiban's
neighbors.

"Have they done anything you'd think would be unpatriotic?" Hiban said
the investigator would ask.

Even after those visits, Hiban never pressed his neighbors for more
detail about their lives. They simply were like a lot of people he
meets, through business or the neighborhood, who quickly change the
subject when employment comes up.

"You get used to it around here," he said. "It happens pretty
frequently."
From isn at c4i.org Tue Jan 4 06:32:46 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jan 4 06:47:39 2005
Subject: [ISN] From Good To Great (Maybe)
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml;jsessionid=MGTYF2PYUBHQ0QSNDBESKHA?articleID=56200650

By Martin J. Garvey
Jan. 3, 2005

Business-continuity plans are good, but not good enough. Almost 80% of
300 respondents to InformationWeek Research's Outlook for 2005 survey,
part of our quarterly Priorities series, say business-continuity plans
are in good enough shape to ensure operations continue even in the event
of a terrorist attack, but nearly 70% also cite business-continuity
planning or disaster preparedness as a key priority this year.

"There's always this dichotomy because companies include operational
recovery and disaster recovery under business continuity," says David
Hill, an analyst at IT market-research firm Mesabi Group. "Disaster
recovery is in place, but few companies have covered all operational
needs." They may have smart processes and technology to deal with
extreme emergencies but not, say, for recovering data after a virus
attack.

Other areas for business-continuity improvement may center on
performance issues. Companies are protected with backups on tape but
likely would prefer a faster medium when they need to recover data.
"With tape storage, recovery could take hours, and even days," Hill
says.

MidAmerica Bank, a wholly owned subsidiary of financial holding company
MAF Bancorp Inc., has set up mirroring and recovery between sites on
hard-disk storage--using a combination of Symmetrix Remote Data Facility
and MirrorView software from EMC Corp., the bank moves information from
headquarters to a hot-standby data center. That's the highest form of
availability, with the company able to assure business units of data
recovery within four hours, but the bank still wants to finesse its
continuity efforts.
That's because not all applications need to be recovered within four
hours. So in 2005, Paul Stonchus, first VP and data-center manager at
MidAmerica Bank, plans to create a multitiered recovery infrastructure.
Under that plan, only five applications require recovery within a
four-hour period. No hot-standby server will need to be at the recovery
site for lower-ranked apps, so the bank could redeploy those servers as
needed. If a case can be made to add other apps to the fast-recovery
list, they will be added.

"Our business units review their business-continuity processes, and we
tie contingencies to our disaster-recovery plan," Stonchus says. "Our IT
perspective is to always make data available to our users."

There's always room for improvement in planning because companies learn
from experience. Doug Smith, IT disaster-recovery manager at Southern
Co., a utility-holding company, says Hurricane Ivan tested plans last
year. "We already have much-improved communications-infrastructure
views, but we're finding out what went wrong with our handling of Ivan,"
Smith says. "Our plan in 2005 is to combine the right combination of IT
and operations so we have the right resources for support."

But not everyone puts business-continuity plans into practice--and
that's a problem. "Most business-continuity plans sit on a shelf, and
they're never tested," says Peter Gerr, an analyst at IT market-research
firm the Enterprise Strategy Group. "One out of five recovery efforts
fails."
From isn at c4i.org Wed Jan 5 07:59:30 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jan 5 08:19:35 2005
Subject: [ISN] Hackers Sniffing For Vulnerable Microsoft Servers
Message-ID:

http://www.techweb.com/wire/security/56900363

By TechWeb News
January 04, 2005

A vulnerability within Microsoft's WINS (Windows Internet Naming
Service), a component of popular server software such as Windows Server
2003, has been heavily exploited since the last day of 2004, several
security organizations reported Tuesday.

Although the vulnerability was patched in mid-December by Microsoft, the
Internet Storm Center and the Research and Education Networking
Information Sharing and Analysis Center (REN-ISAC) at Indiana University
have seen a drastic increase in the number of probes directed at WINS
services (TCP and UDP port 42).

"Patching these systems is now overdue," said the SANS Institute's
Internet Storm Center in an online alert. "Additionally, WINS services
probably should not cross your border router...so block these ports and
keep the riff-raff out in case your local Windows Server Admins have not
patched for this," the Center continued.

The patch for the WINS issue can be found on Microsoft's Web site [1].

[1] http://www.microsoft.com/technet/security/bulletin/MS04-045.mspx


From isn at c4i.org Wed Jan 5 07:59:49 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jan 5 08:19:37 2005
Subject: [ISN] VXers creating 150 zombie programs a week
Message-ID:

http://www.theregister.co.uk/2005/01/05/mcafee_avert_report/

By John Leyden
5th January 2005

Malicious programs capable of turning home PCs into zombies controlled
by hackers are growing at between 150 to 200 per week.

McAfee's Anti-virus and Vulnerability Emergency Response Team (AVERT)
reports that bots (now numbering over 7,000) and mass mailing viruses
are the greatest threat to enterprises. Meanwhile exploits and adware
account for over 60 per cent of the malicious threats impacting
consumers.
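The Storm Center's advice in the WINS item above (apply MS04-045 and keep TCP/UDP port 42 from crossing the border router) presupposes that an administrator can see when a "drastic increase" in probes begins. The script below is an added example written for this digest; it is not code from TechWeb, the Internet Storm Center, REN-ISAC or Microsoft. It parses constructed netfilter-style DROP log lines, counts dropped attempts against port 42 per day, lists the distinct sources behind them, and flags any day whose count exceeds a multiple of the trailing three-day baseline. The log format, field names, threshold values and every address in the sample are assumptions chosen for the example.

```python
"""Detect a surge of WINS (TCP/UDP port 42) probes in border firewall logs.

Added example for the ISN digest, not code from the cited article or
advisory. Log format, thresholds and sample addresses are assumptions.
"""
import re
from collections import Counter
from datetime import date, timedelta

# Assumed log format (one netfilter-style DROP entry per line):
#   <YYYY-MM-DD> <HH:MM:SS> kernel: DROP IN=... SRC=... DST=... PROTO=TCP|UDP DPT=<port>
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ kernel: DROP .*?SRC=(?P<src>\S+) .*?"
    r"PROTO=(?P<proto>TCP|UDP) DPT=(?P<dport>\d+)$"
)
WINS_PORT = 42

# Constructed sample log (documentation-range addresses, not real traffic):
# roughly one probe a day, then a jump on the last day of 2004.
SAMPLE_LOG = """\
2004-12-28 10:01:11 kernel: DROP IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP DPT=42
2004-12-28 14:22:01 kernel: DROP IN=eth0 SRC=192.0.2.11 DST=203.0.113.5 PROTO=TCP DPT=135
2004-12-29 09:00:07 kernel: DROP IN=eth0 SRC=192.0.2.12 DST=203.0.113.5 PROTO=UDP DPT=42
2004-12-30 11:30:59 kernel: DROP IN=eth0 SRC=192.0.2.13 DST=203.0.113.5 PROTO=TCP DPT=42
2004-12-31 00:05:13 kernel: DROP IN=eth0 SRC=192.0.2.20 DST=203.0.113.5 PROTO=TCP DPT=42
2004-12-31 00:05:14 kernel: DROP IN=eth0 SRC=192.0.2.21 DST=203.0.113.5 PROTO=TCP DPT=42
2004-12-31 03:17:40 kernel: DROP IN=eth0 SRC=192.0.2.22 DST=203.0.113.5 PROTO=TCP DPT=42
2004-12-31 08:44:02 kernel: DROP IN=eth0 SRC=192.0.2.23 DST=203.0.113.5 PROTO=UDP DPT=42
2004-12-31 19:02:55 kernel: DROP IN=eth0 SRC=192.0.2.24 DST=203.0.113.5 PROTO=TCP DPT=42
2005-01-01 01:10:00 kernel: DROP IN=eth0 SRC=192.0.2.30 DST=203.0.113.5 PROTO=TCP DPT=42
2005-01-01 01:10:01 kernel: DROP IN=eth0 SRC=192.0.2.31 DST=203.0.113.5 PROTO=TCP DPT=42
2005-01-01 02:45:12 kernel: DROP IN=eth0 SRC=192.0.2.30 DST=203.0.113.5 PROTO=TCP DPT=42
2005-01-01 05:30:30 kernel: DROP IN=eth0 SRC=192.0.2.32 DST=203.0.113.5 PROTO=TCP DPT=42
2005-01-01 09:12:09 kernel: DROP IN=eth0 SRC=192.0.2.33 DST=203.0.113.5 PROTO=UDP DPT=42
2005-01-01 13:00:45 kernel: DROP IN=eth0 SRC=192.0.2.31 DST=203.0.113.5 PROTO=TCP DPT=42
2005-01-01 17:25:18 kernel: DROP IN=eth0 SRC=192.0.2.34 DST=203.0.113.5 PROTO=TCP DPT=42
2005-01-01 22:59:59 kernel: DROP IN=eth0 SRC=192.0.2.35 DST=203.0.113.5 PROTO=TCP DPT=42
"""


def parse_line(line):
    """Return a dict for a DROP entry, or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"day": m.group("day"), "src": m.group("src"),
            "proto": m.group("proto"), "dport": int(m.group("dport"))}


def wins_records(log_text):
    """Yield parsed entries whose destination port is the WINS port (TCP or UDP)."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dport"] == WINS_PORT:
            yield rec


def wins_probes_per_day(log_text):
    """Count dropped attempts against port 42 per calendar day."""
    return dict(Counter(rec["day"] for rec in wins_records(log_text)))


def wins_probe_sources(log_text):
    """Distinct source addresses that touched port 42, for blocklist review."""
    return sorted({rec["src"] for rec in wins_records(log_text)})


def flag_surges(counts, baseline_days=3, factor=3.0, minimum=5):
    """Flag days whose probe count is at least `minimum` and exceeds
    `factor` times the mean of the preceding `baseline_days` days.
    Days with no probes count as zero in the baseline. Returns a list of
    (day, count, baseline_mean) tuples; the thresholds are assumptions."""
    if not counts:
        return []
    first, last = date.fromisoformat(min(counts)), date.fromisoformat(max(counts))
    days = [(first + timedelta(n)).isoformat() for n in range((last - first).days + 1)]
    series = [counts.get(d, 0) for d in days]
    flagged = []
    for i, day in enumerate(days):
        window = series[max(0, i - baseline_days):i]
        if not window:
            continue  # no history yet to compare against
        baseline = sum(window) / len(window)
        if series[i] >= minimum and series[i] > factor * baseline:
            flagged.append((day, series[i], baseline))
    return flagged


if __name__ == "__main__":
    counts = wins_probes_per_day(SAMPLE_LOG)
    for day, n, base in flag_surges(counts):
        print(f"{day}: {n} port-42 probes (trailing mean {base:.1f})")
    print("sources seen:", ", ".join(wins_probe_sources(SAMPLE_LOG)))
```

Run against a real export, the two things worth acting on are the flagged days (the cue to verify that every WINS host has the MS04-045 update and that port 42 is actually dropped at the border) and the source list, which is only a review aid: the baseline comparison, not a single noisy address, is what separates a campaign from background scanning.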
Already Windows PCs submitted to online scanning by McAfee contained an
average of 13 adware components. It warns that spam encoded to take
advantage of the latest exploits to install spyware will ramp up
consumer security risks even higher.

The number of computer viruses rated medium risk or higher by McAfee
increased from 20 in 2003 to 46 in 2004, an increase of 13 per cent. By
the end of 2004, McAfee's AVERT Labs had detected 17,000 new malware
threats. Vulnerabilities discovered in 2004 totalled more than 2,800,
down 25 per cent from 2003, however McAfee reckons that malicious
hackers are becoming quicker at producing exploits.

"In 2004, the rise in viruses, worms, phishing, adware and vulnerability
exploitation has surpassed what was noted in 2003," said Vincent
Gullotto, vice president of McAfee AVERT. "Although we saw a steady five
per cent (year over year) decrease in the rate of virus production from
2000 to 2003, we have seen an increase in 2004 which can be partly
attributed to Bagle and NetSky authors feuding, as well as a general
lack of awareness in regards to adware and other such programs."


From isn at c4i.org Thu Jan 6 06:05:38 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jan 6 06:20:43 2005
Subject: [ISN] From Russia with malice
Message-ID:

http://www.vnunet.com/analysis/1160302

Daniel Thomas
Computing
05 Jan 2005

Virus writing is no longer the exclusive domain of teenage geeks
designing malicious code in their bedroom. Criminals are earning
millions by dropping viruses and trojans onto computers of unsuspecting
home users, siphoning money from online bank accounts, trading stolen
identities, distributing porn and blackmailing firms.

And the former Soviet Union, with a high number of technically
sophisticated but out of work programmers, is one of the major regions
where this activity is on the increase.

Some 4044 cases of internet fraud were reported in Russia between 1999
and 2002, according to the Russian Ministry of Internal Affairs.
But in the first half of last year this grew dramatically, with 4,295
internet-based crimes reported by Russian police. The majority were
based around malicious code and information theft.

Over 90 per cent of malicious code now circulating around the internet
is designed for criminal gain, says Eugene Kaspersky, head of anti-virus
research at Moscow-based Kaspersky Lab.

'It's being used for stealing money, for spam and advertising, and for
internet crime rackets,' he says.

Kaspersky's figures are backed by estimates from the Ukraine-based
Computer Crime Research Centre which says the total amount of financial
losses worldwide resulting from cybercrime exceeded $411bn at the end of
last year.

Speaking to Computing at the anti-virus lab's headquarters, located in a
totalitarian-looking ex-communist party building on the outskirts of
Moscow, Kaspersky scrolls through a list of hundreds of new viruses that
have been caught using virus-detecting 'honey-pot' computers over the
past five days.

Some 420 of the 470 viruses identified by him and his team of 10
codebreakers during this time have been designed for criminal purposes,
he says.

'There's a lot of money on the internet,' says Kaspersky. 'And it's very
easy to develop a trojan or web page that looks like a bank's website.'

Phishing, which uses social engineering and key-logging trojans to trick
online banking customers into revealing financial details, is one of the
fastest growing areas of computer crime, with 1142 active sites reported
by the Anti-Phishing Working Group last October.

Later this month, two men and two women from Russia, Estonia and
Ukraine, will face trial at the Old Bailey for allegedly being part of a
gang that conned customers into giving out bank details before stealing
money from their accounts.

'It's hard to transfer money from these accounts as they can be traced,
so often they will buy something using the details and then earn money
by selling it,' says Kaspersky.
Trojans, which use email attachments and web links to trick internet
users into downloading code, are also being used to take control of
unsuspecting home and work computers.

By building up a 'zombie army' - a network of thousands of compromised
computers - hackers take ownership of a lucrative asset, which they can
hire out to illegal spammers and criminal gangs wanting to extort money
from ecommerce firms through distributed denial of service (DDOS)
attacks which crash sites.

'There are internet shops for zombie networks where you can buy 5,000
infected machines for $300,' says Kaspersky.

Last July, the UK's National Hi-Tech Crime Unit, working with its
Russian Ministry of Internal Affairs equivalent, Division K, smashed a
Russian crime racket responsible for extorting thousands of pounds from
UK online bookmakers reliant on their website availability (Computing,
21 July).

The gang, located in St Petersburg and south-west Russia, targeted
prominent betting firms, including William Hill, Paddy Power and Blue
Square, using DDOS attacks to bring down sites, and demanded between
$10,000 and $40,000 to stop repeat occurrences.

But despite recent successes by internet law enforcement agencies,
Kaspersky believes the criminals are getting smarter, seeking out new
ways to conceal their identity and earn money. Every time police capture
cybercriminals they also reveal some of the methods they use to catch
them, he says.

'There will be a lot more malicious code next year for two reasons,'
says Kaspersky. 'Firstly the criminals will try and hide themselves
using proxies and that will need more code.'

'Secondly people are doing more to protect themselves against these
threats so criminals need to develop new malicious code to bypass this
and build new zombie networks.'

Where lucrative money-making opportunities spring up on the internet,
organised crime groups will follow.
And when new security measures shut the door on current exploits, new opportunities and flaws will be exposed, says Kaspersky. 'They will never stop their business, they will just find another way. The story will carry on year after year and because of this the anti-virus firms will not lose their jobs,' he says.

Political hacktivism

Home users are unknowingly having their computers commandeered by political activists as part of a plot to bring down Chechen rebel websites.

An email virus claiming to contain pictures of nude glamour models is preying on male computer users, infecting their machines with code which takes control of their PC. The W32/Maslan-C worm infects PCs using an attached Playgirls2.exe file, spreads to other email users and then waits until the first day of every month to launch denial-of-service attacks on Chechen separatist sites, according to anti-virus firm Sophos.

By creating an army of compromised computers the virus writer can bombard Chechen websites, including www.chechpress.com and www.kavkaz.org.uk, blasting them off the internet. These websites play a key role in the propaganda war between the Chechen rebels and the Kremlin, according to Sophos.

Although there is no proof linking the Kremlin to the denial of service attacks, it follows moves by Russia to close down websites of Chechen rebels calling for independence in the region. Last November the Russian Foreign Ministry asked the Lithuanian government for an explanation as to why the websites - run by separatists out of Lithuania - had resumed activity.
From isn at c4i.org Thu Jan 6 06:06:13 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jan 6 06:20:46 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-1
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2004-12-30 - 2005-01-06

This week : 31 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information.

Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

ADVISORIES:

Maurycy Prodeus of iSEC has released detailed information about a vulnerability in Mozilla, which potentially can be exploited to gain system access on vulnerable systems.

The vulnerability was fixed with the release of Mozilla 1.7.5, which is available from the vendor's web site.

References:
http://secunia.com/SA13687/

--

A new vulnerability in Internet Explorer has been discovered, which can be exploited to compromise a user's system.

Currently, no vendor solution is available. Please refer to the referenced Secunia advisory below for details.

References:
http://secunia.com/SA13704/

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA13704] Internet Explorer FTP Download Directory Traversal
2. [SA13599] Mozilla / Mozilla Firefox Download Dialog Source Spoofing
3. [SA13482] Internet Explorer DHTML Edit ActiveX Control Cross-Site Scripting
4. [SA13645] Microsoft Windows Multiple Vulnerabilities
5. [SA13687] Mozilla "MSG_UnEscapeSearchUrl()" Buffer Overflow Vulnerability
6. [SA13129] Mozilla / Mozilla Firefox Window Injection Vulnerability
7. [SA12889] Microsoft Internet Explorer Multiple Vulnerabilities
8. [SA13251] Microsoft Internet Explorer Window Injection Vulnerability
9. [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerability
10. [SA13671] Symantec Nexland Firewall Appliances Three Vulnerabilities

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA13716] Soldner Secret Wars Multiple Vulnerabilities
[SA13710] Macallan Mail Solution Two Vulnerabilities
[SA13708] GFI MailEssentials / MailSecurity Mail Processing Denial of Service
[SA13704] Internet Explorer FTP Download Directory Traversal

UNIX/Linux:
[SA13731] Conectiva update for mplayer
[SA13726] Gentoo update for shoutcast-server
[SA13724] Gentoo update for mozilla/firefox/thunderbird
[SA13705] Fedora update for tetex
[SA13698] Gentoo update for phprojekt
[SA13729] Debian update for pcal
[SA13707] Debian update for cupsys
[SA13727] Gentoo update for mit-krb5
[SA13719] Gentoo update for linpopup
[SA13723] Debian update for nasm
[SA13703] ViewCVS "content-type" HTTP Response Splitting Vulnerability
[SA13701] Bugzilla Internal Error Response Cross-Site Scripting
[SA13706] Fedora update for kernel
[SA13735] Red Hat update for vim
[SA13730] Debian update for zip
[SA13720] Gentoo update for a2ps
[SA13715] Debian update for htmlheadline
[SA13714] HtmlHeadLine.sh Insecure Temporary File Creation
[SA13702] Debian update for perl
[SA13733] Red Hat update for fam

Other:

Cross Platform:
[SA13711] GNUBoard File Upload Vulnerability
[SA13709] FlatNuke PHP Script Creation Vulnerability
[SA13700] KorWeblog "lng" and "G_PATH" File Inclusion Vulnerability
[SA13699] PhotoPost Classifieds Multiple Vulnerabilities
[SA13697] ReviewPost PHP Pro Multiple Vulnerabilities
[SA13722] MyBulletinBoard "uid" SQL Injection Vulnerability
[SA13718] b2evolution "title" SQL Injection Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:
--

[SA13716] Soldner Secret Wars Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, DoS, System access
Released:    2005-01-05

Luigi Auriemma has reported multiple vulnerabilities in Secret Wars, which can be exploited by malicious people to cause a DoS (Denial of Service), conduct script insertion attacks, and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13716/

--

[SA13710] Macallan Mail Solution Two Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, DoS
Released:    2005-01-03

Dennis Rand has reported two vulnerabilities in Macallan Mail Solution, which can be exploited by malicious people to bypass authentication or cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/13710/

--

[SA13708] GFI MailEssentials / MailSecurity Mail Processing Denial of Service

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-01-04

Peter Kruse has reported a vulnerability in GFI MailSecurity and GFI MailEssentials, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/13708/

--

[SA13704] Internet Explorer FTP Download Directory Traversal

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-01-03

Albert Puigsech Galicia has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13704/

UNIX/Linux:
--

[SA13731] Conectiva update for mplayer

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-06

Conectiva has issued an update for mplayer. This fixes multiple vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13731/

--

[SA13726] Gentoo update for shoutcast-server

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-06

Gentoo has issued an update for shoutcast-server. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13726/

--

[SA13724] Gentoo update for mozilla/firefox/thunderbird

Critical:    Highly critical
Where:       From remote
Impact:      Spoofing, Exposure of system information, Exposure of sensitive information, DoS, System access
Released:    2005-01-05

Gentoo has issued updates for mozilla, firefox and thunderbird. These fix some vulnerabilities, which can be exploited to cause a DoS (Denial of Service), detect the presence of local files, spoof the file download dialog, disclose sensitive information, or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13724/

--

[SA13705] Fedora update for tetex

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-04

Fedora has issued an update for tetex. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13705/

--

[SA13698] Gentoo update for phprojekt

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2004-12-30

Gentoo has issued an update for phprojekt. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13698/

--

[SA13729] Debian update for pcal

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-01-06

Debian has issued an update for pcal. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13729/

--

[SA13707] Debian update for cupsys

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-01-03

Debian has issued an update for cupsys. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13707/

--

[SA13727] Gentoo update for mit-krb5

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2005-01-06

Gentoo has issued an update for mit-krb5. This fixes a vulnerability, which potentially can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13727/

--

[SA13719] Gentoo update for linpopup

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2005-01-05

Gentoo has issued an update for linpopup. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13719/

--

[SA13723] Debian update for nasm

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2005-01-06

Debian has issued an update for nasm. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13723/

--

[SA13703] ViewCVS "content-type" HTTP Response Splitting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-01-03

Joxean Koret has reported a vulnerability in ViewCVS, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/13703/

--

[SA13701] Bugzilla Internal Error Response Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-01-04

Michael Krax has reported a vulnerability in Bugzilla, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/13701/

--

[SA13706] Fedora update for kernel

Critical:    Less critical
Where:       From local network
Impact:      Unknown, Exposure of sensitive information, Privilege escalation, DoS
Released:    2005-01-04

Fedora has issued an update for the kernel. This fixes multiple vulnerabilities, where some have unknown impacts and others can be exploited to gain knowledge of sensitive information, cause a DoS (Denial of Service), or gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/13706/

--

[SA13735] Red Hat update for vim

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-01-06

Red Hat has issued an update for vim. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/13735/

--

[SA13730] Debian update for zip

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-01-06

Debian has issued an update for zip. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/13730/

--

[SA13720] Gentoo update for a2ps

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-01-05

Gentoo has issued an update for a2ps. This fixes two vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/13720/

--

[SA13715] Debian update for htmlheadline

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-01-03

Debian has issued an update for htmlheadline. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/13715/

--

[SA13714] HtmlHeadLine.sh Insecure Temporary File Creation

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-01-03

Javier Fernández-Sanguino Peña has reported a vulnerability in HtmlHeadLine.sh, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/13714/

--

[SA13702] Debian update for perl

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-01-03

Debian has issued an update for perl. This fixes some vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/13702/

--

[SA13733] Red Hat update for fam

Critical:    Not critical
Where:       Local system
Impact:      Exposure of system information
Released:    2005-01-06

Red Hat has issued an update for fam. This fixes an old security issue, which can be exploited by malicious, local users to gain knowledge of certain system information.

Full Advisory:
http://secunia.com/advisories/13733/

Other:

Cross Platform:
--

[SA13711] GNUBoard File Upload Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-04

Jeremy Bae has reported a vulnerability in GNUBoard, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13711/

--

[SA13709] FlatNuke PHP Script Creation Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      Manipulation of data, System access
Released:    2005-01-05

Pierquinto "Mantra" Manco has reported a vulnerability in FlatNuke, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13709/

--

[SA13700] KorWeblog "lng" and "G_PATH" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-03

Min-sung Choi has reported a vulnerability in KorWeblog, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13700/

--

[SA13699] PhotoPost Classifieds Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, System access
Released:    2005-01-04

James Bercegay has reported some vulnerabilities in PhotoPost Classifieds, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13699/

--

[SA13697] ReviewPost PHP Pro Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, System access
Released:    2005-01-04

James Bercegay has reported some vulnerabilities in ReviewPost PHP Pro, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13697/

--

[SA13722] MyBulletinBoard "uid" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-01-05

scottm has reported a vulnerability in MyBulletinBoard, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/13722/

--

[SA13718] b2evolution "title" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-01-06

r0ut3r has reported a vulnerability in b2evolution, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/13718/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

========================================================================

From isn at c4i.org Thu Jan 6 06:06:30 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jan 6 06:20:48 2005
Subject: [ISN] India's Odd Couple: Cops and Tech
Message-ID:

http://www.wired.com/news/technology/0,1282,66123,00.html

By Manu Joseph
Jan. 05, 2005

MUMBAI, India -- India has a split personality. It is the Taj Mahal of outsourcing, the great global back office and one of the largest producers of engineering graduates. On the other hand, its law keepers are poignantly comic enforcers and interpreters of cyberlaws.

Cybersecurity expert Raghu Raman said that in 2004, police squads were known to confiscate evidence from some offices, returning with monitors and leaving computers behind.

Computing teacher Vijay Mukhi said two years ago cops in Mumbai seized pirated software floppies and stapled them together as though they were documents, destroying the material.

A sleuth from Mumbai's high-profile Cyber Crime Investigation Cell once told Wired News how he planned to tackle hacking: "Let hackers know that some tough people are out here.... I have killed Naxalites (regional terrorists who wage guerrilla warfare against police in some Indian states) in Andhra Pradesh (a state).... We cops have seen such tough situations that we know how to handle boys."

Last month, another incident occurred.
Avnish Bajaj, an American citizen of Indian origin who heads Baazee, a wholly owned subsidiary of eBay, was arrested on charges of sale and distribution of pornography. An engineering student had posted a listing on the portal to sell an e-mail with a video attachment of a sexual act involving a schoolgirl. Bajaj began to help the Delhi police, and even assisted in nabbing the boy who had posted the listing. On Dec. 17, Bajaj himself was arrested.

Bajaj's lawyers applied for bail equipped with a printout of the portal's terms and conditions, which included users of Baazee vouching that their items were legal. The engineering student had accepted the terms and conditions by pressing the Accept button. But the court rejected the bail application, according to an executive of the portal, "stating that since there was no ink-based signature, it is void." (Bajaj has subsequently been released on bail.)

Mahesh Murthy, a technology investor, is shocked by the court's attitude. "That means, according to the court, all of India's e-commerce is illegal. The Information Technology Act that many industry people worked to put together, so that this country could be competent in the modern world, clearly validates electronic signature. But the court was not aware of it."

Murthy himself has been a victim in the past. When he wanted to register a firm called Pinstorm Online last year, the Registrar of Companies "refused to grant me the name because the government officials out there did not comprehend the word 'online,'" Murthy said. "I had to change the name to Pinstorm Technologies. And, in my detailed application in which I described my company, I had to change the word 'internet' to 'computer network' because the officials did not think (the) internet was a credible medium for business. They told me that."
In July 2001, Mumbai's Cyber Crime Investigation Cell launched its website, and a few days later it was hacked by 23-year-old Anand Khare, who guessed passwords and used readily available hacking tools. He pasted abusive messages about the cops, and invited them to catch him. He was nabbed, along with Mahesh Mhatre, who owned the cybercafé where Khare had executed the hacking.

It was a triumph for the Cyber Crime Investigation Cell after the public embarrassment of having its own website defaced. The cops held a meeting of businessmen to reassure them. A corporate executive who was present recalls a senior cop gnashing his teeth and declaring, "If there is a cybercrime committed in your office, just let us know. We will find him and get the confession out of him."

Soon after his arrest, Mhatre told the media and the National Human Rights Commission that he was hit with belts and that a senior inspector asked him to lick his shoes. Following these allegations -- odd even by Indian standards -- Mumbai police announced they were searching for jobs for the boys. Khare was even placed in the firm of Mahatma Gandhi's great grandson Tushar Gandhi.

Last month, a Mumbai tabloid wanted to demonstrate that the average Indian cop lived in a world far removed from everyday technology. It asked a constable to use his ATM card and photographed his every step. He did not know how to use the card and the machine swallowed it. He was left smiling sheepishly in the final frame.

"The cop who checks your car license does not own a car," said Raghu Raman, who heads an information security firm called Mahindra Special Services Group. "The passport official who checks your passport does not go abroad. The cop to whom you go to register a credit card misuse does not own a credit card. If a cop is in no position to own a computer, how can he fight cybercrime? The field cop (and) the beat constable live in another world."
From isn at c4i.org Thu Jan 6 06:06:42 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jan 6 06:20:50 2005
Subject: [ISN] Jury to get case of fan accused of hacking
Message-ID:

http://www.centredaily.com/mld/centredaily/sports/baseball/mlb/philadelphia_phillies/10577805.htm

By L. Stuart Ditzen
Inquirer Staff Writer
Jan. 06, 2005

Though he moved away from the Philadelphia area 18 years ago, Allan E. Carlson's obsessive interest in the Phillies - and his hostile opinions about the team's management - only increased with time.

Sitting in his apartment in Glendale, Calif., Carlson, 41, spent 70 hours a week hacking into other people's computers and using their e-mail addresses to spread his baseball gripes on the Internet.

Carlson, who grew up in South Jersey, yesterday told a jury in U.S. District Court in Philadelphia, where he is on trial for computer crimes and identity theft, that he meant no harm.

In 2001 and 2002, he was jamming computer systems at the Phillies and Philadelphia Newspapers Inc., which owns The Inquirer and the Philadelphia Daily News, with thousands of e-mails, but Carlson testified: "There's no way for me to know what was going on. I'm sitting in my apartment." That he might be causing problems "never occurred" to him, he said.

Assistant U.S. Attorney Michael L. Levy, who is prosecuting the case, contended in his closing argument that Carlson caused a great deal of harm - and knew he was doing it.

Levy said Carlson created havoc with a Phillies online ticket service and inundated the computer system of Knight Ridder Corp., parent of Philadelphia Newspapers, with so much spam e-mail that the company briefly had to take its computers off-line.

Carlson, who is unemployed, said his main gripes were that Phillies management was spending too little money to build a winning team and that sports reporters and columnists in Philadelphia were not holding the team bosses accountable.
Among other things, Carlson used the e-mail addresses of sportswriters to send ranting messages to tens of thousands of random e-mail addresses. That triggered masses of return e-mails to the writers whose names were used. One columnist received 60,000 returned e-mails, some with angry replies.

Carlson also sent what Levy described as a racist e-mail to staff members at The Inquirer in 2002 in the name of Walker Lundy, the newspaper's editor at the time. Lundy testified as a prosecution witness.

Carlson's lawyer, Mark T. Wilson, said in his closing argument that his client's behavior was "reprehensible" and maybe "crazy," but not criminal.

"There is no evidence that he knew damage was occurring," Wilson said. "Nobody came back to him and said, 'Yo, you've got to stop this.' How does he know that all this damage is occurring?"

Carlson is charged with 79 counts of computer-related crimes involving misuse of e-mail, unauthorized access of computers, and using the identities of other people with the intent to commit crimes.

The jury is to begin deliberations today.

From isn at c4i.org Fri Jan 7 07:40:47 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jan 7 07:56:36 2005
Subject: [ISN] Security UPDATE--Security Researchers Vulnerable to Buffer Underflow Attack?--January 5, 2005
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

The Key to Stopping Email Attacks: Sender ID Can't Do It
http://list.windowsitpro.com/cgi-bin3/DM/y/eiqa0MfYqv0Kma0BN3J0AB

Exchange & Outlook Administrator
http://list.windowsitpro.com/cgi-bin3/DM/y/eiqa0MfYqv0Kma0BNwR0AR

====================

1. In Focus: Security Researchers Vulnerable to Buffer Underflow Attack?

2. Security News and Features
- Recent Security Vulnerabilities
- Exploits on the Loose Against Unpatched Bugs in Windows
- Netcraft Joins the Anti-Phishing Brigades

3. Security Matters Blog
- Update Your Netcat Software for Windows

4. Security Toolkit
- FAQ
- Security Forum Featured Thread

5. New and Improved
- Remotely Change Network Passwords

====================

==== Sponsor: Postini ====

The Key to Stopping Email Attacks: Sender ID Can't Do It

"Going nowhere fast," is how the media described recent efforts to develop an industry-wide email sender authentication standard. Even if some form of Sender ID is eventually adopted, spammers and hackers may be able to exploit the registration of IP addresses with Sender ID to improve their delivery of junk email. Effective real time IP address analysis and filtering is necessary, not sender authentication. This white paper explains why enterprises do not need to rely on Sender ID and discusses better, proven email intrusion prevention solutions that already work today to stop spam, viruses and email attacks. Get answers now!
http://list.windowsitpro.com/cgi-bin3/DM/y/eiqa0MfYqv0Kma0BN3J0AB

====================

==== 1. In Focus: Security Researchers Vulnerable to Buffer Underflow Attack? ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

It's inevitable: Someone posts proof-of-concept code, and almost immediately someone goes to work developing a malicious exploit. Do these exploiters have nothing better to do, nothing better to think about?

Anyway, as you probably know by this time, a series of new Windows vulnerabilities was recently published in the usual places. And now at least one exploit, the Phel worm, is on the loose. The worm installs code on penetrated systems to open back doors and make those systems part of a Distributed Denial of Service (DDoS) network. The worm infects systems by using inroads through Microsoft Internet Explorer (IE), often without the user's knowledge.
On the surface, these vulnerabilities and exploits might seem to come from opposing forces: On one side are "researchers" who release proof-of-concept code for their discoveries. On the other side are people who turn the proven concept into something malicious for their own nefarious purposes.

The side that puzzles me is the alleged "researchers." Are they suffering some sort of mental buffer underflow attack (i.e., not clearly thinking things through)? They're very adept at finding security vulnerabilities, yet some of them fail to recognize one of the most obvious security problems of all--their own premature public revelations of explicit details of security weaknesses.

It's possible that some researchers do see the problem and they simply don't care, which could mean that those particular researchers and the malicious coders are, for all intents and purposes, cohorts playing a dastardly game.

Other researchers make a half-hearted effort to contact a vendor. In one relatively recent case of vulnerability reporting, a researcher claimed that he tried to contact a vendor but couldn't, so he thought it reasonable to release his detailed findings to the public. I happen to use the product in question, so I decided to try to contact the vendor myself. After about 60 seconds of clicking around on the vendor Web site, I found several contacts and emailed them the researcher's findings. Within 24 hours, the vendor emailed me back a solution. I then forwarded the vendor-provided solution to the researcher, who didn't bother to publish it! In this case, a so-called "researcher" could scour code for vulnerabilities, yet couldn't find any contact info for the vendor! Obviously, such researchers aren't really researchers at all. They too play a dastardly game.

On another note, last week I wrote about an incident that involved Microsoft's release of a critical update for Windows Firewall that improves the way in which the firewall handles local subnet restrictions.
The update wasn't part of Microsoft's monthly security bulletins. If you missed last week's newsletter, then you can read about the reasons why this happened in the December 29, 2004 Security UPDATE commentary (first URL below) and in the related news story "Critical Update for Windows Firewall Flies Under the Radar" (second URL below).
http://www.windowsitpro.com/Article/ArticleID/44959/44959.html
http://www.windowsitpro.com/Article/ArticleID/44834/44834.html

A reader wrote in response to the commentary that, "The [Microsoft Baseline Security Analyzer (MBSA)] for use with SMS 2003 doesn't report the firewall update patch." The reader did add that, in his situation, the lack isn't an issue because he doesn't rely on local subnet restrictions for defining firewall exceptions. Nevertheless, the reader does point out another aspect of notifying users about critical updates that needs better attention from Microsoft.

We posted an Instant Poll question last week that asks, "Do you think Microsoft should improve its security alerting process?" The possible answers are "Yes, it should send alerts about all security updates" and "No, the process works fine for me the way it is." So far, we haven't had a huge flood of people answer the question, but most of those who have answered have said "Yes." If you haven't taken 30 seconds to visit our Web site and answer the question, please do--the poll results will undoubtedly be read by Microsoft and could make a difference in how the company handles its security update alerting process in the future.

That said, I hope you all had pleasant holidays. Best wishes to all of you for the new year, and until next time, have a great week!

====================

==== Sponsor: Exchange & Outlook Administrator ====

Try a Sample Issue of Exchange & Outlook Administrator!

If you haven't seen Exchange & Outlook Administrator, you're missing out on key information that will go a long way towards preventing serious messaging problems and downtime.
Request a sample issue today, and discover tools you won't find anywhere else to help you migrate, optimize, administer, backup, recover, and secure Exchange and Outlook. Order now!
http://list.windowsitpro.com/cgi-bin3/DM/y/eiqa0MfYqv0Kma0BNwR0AR

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://www.windowsitpro.com/departments/departmentid/752/752.html

Exploits on the Loose Against Unpatched Bugs in Windows
Researchers have posted proof-of-concept code that can take advantage of vulnerabilities in Windows platforms. The concept code works against vulnerabilities in the Windows Help subsystem and in code used to load desktop icons and the Windows Help subsystem.
http://www.windowsitpro.com/Article/ArticleID/44935/44935.html

Netcraft Joins the Anti-Phishing Brigades
Netcraft, a company known for its statistical analysis of a vast number of Web sites, has joined those groups who attempt to prevent phishing scams by releasing a new toolbar for Microsoft Internet Explorer (IE). The toolbar performs checks on URLs and enforces behavior changes in the Web browser.
http://www.windowsitpro.com/Article/ArticleID/44927/44927.html

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Are You a Hacker Target?
You are if you have an Internet connection faster than 384Kbps. In this free on-demand Web seminar, Alan Sugano will examine two attacks (an SMTP Auth Attack and a SQL Attack) that let spammers get into the network and relay spam. Find out how to keep the hackers out of your network and what to do if your mail server is blacklisted as an open relay. Register now!
http://list.windowsitpro.com/cgi-bin3/DM/y/eiqa0MfYqv0Kma0BNsG0AC

Get David Chernicoff's Essential Guide to Blade Servers
The cost of setting up new servers, provisioning them, and managing their operation is a significant one, and reducing those costs results in quicker ROI and more easily justifiable initial expenses. Find out why blade server technology is an attractive methodology for addressing these concerns and implementing improvements in your server infrastructure.
http://list.windowsitpro.com/cgi-bin3/DM/y/eiqa0MfYqv0Kma0BNwT0AT

Is Your Messaging Infrastructure Ready for Tomorrow's Risks?
In this free Web seminar on February 17, 2005, Randy Franklin Smith reveals the new security threats as SPIM, spyware, phishing, and malware evolve and become tools for industrial espionage. You'll learn which kinds of attacks companies are reporting in increased numbers and the commonly held misconceptions about Microsoft security patches. Find out what threats deserve your attention. Register now!
http://list.windowsitpro.com/cgi-bin3/DM/y/eiqa0MfYqv0Kma0BNwU0AU

New eBook! Keeping Your Business Safe from Attack: Passwords and Permissions
Master password and permissions basics with our latest free eBook and discover how to prevent most vulnerabilities and exploits with Microsoft's new tools. Firewalls, antivirus software, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS) can all fail, but a strong permissions and authentication defense is priceless. Get the first chapter now!
http://list.windowsitpro.com/cgi-bin3/DM/y/eiqa0MfYqv0Kma0BNwV0AV

====================

==== 3. Security Matters Blog ====
by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters

Check out these recent entries in the Security Matters blog:

Update Your Netcat Software for Windows
An unchecked buffer in the popular Netcat tool for Windows could allow remote code execution. The vulnerability, discovered by Hat Squad, can be exploited when using the netcat -e option.
http://www.windowsitpro.com/Article/ArticleID/44934/44934.html

==== 4. Security Toolkit ====

FAQ: How can I quickly search for shared folders that are published in Active Directory (AD)?
by John Savill, http://www.windowsitpro.com/windowsnt20002003faq
Find the answer at http://www.winnetmag.com/Article/ArticleID/44921/44921.html

Security Forum Featured Thread: Fending Off DDoS Attacks
A forum participant writes that he helps run a major Internet-based retail operation and wonders if he can make any advance preparations to mitigate or alleviate the threat of Distributed Denial of Service (DDoS) attacks. Join the discussion at:
http://www.windowsitpro.com/Forums/messageview.cfm?catid=42&threadid=128838

====================

==== Events Central ====
(A complete Web and live events directory brought to you by Windows IT Pro at http://www.windowsitpro.com/events )

True High-Availability for Microsoft Exchange Web Seminar--February 3
Discover solutions that minimize the likelihood of downtime in your Exchange implementation and help to ensure continuous Exchange application availability. In this free Web seminar, learn how you can ensure high-availability through the use of tools that analyze and proactively monitor the health of your entire Exchange environment. Register now!
http://list.windowsitpro.com/cgi-bin3/DM/y/eiqa0MfYqv0Kma0BNwW0AW

====================

==== 5. New and Improved ====
by Renee Munshi, products@windowsitpro.com

Remotely Change Network Passwords
Keroon Software offers Reset Local Password Pro 3.0, a Windows program that lets administrators change local passwords on one or more computers from a remote location. New features in this version include improved IP enumeration, the ability to change passwords on systems running Windows NT 4.0 without the need for Active Directory (AD) Client Extensions to be loaded, and a No Enumeration option that lets you turn off autopopulation of your list of computers.
Reset Local Password Pro runs under Windows XP, Windows 2000, and Windows NT 4.0. It requires 10MB of RAM and 10MB of free hard disk space. Reset Local Password Pro costs $99.99, and a 14-day trial version is available. For more information, go to http://www.keroonsoftware.com

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rsecadmin@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Sponsored Links ====

Data Protection from NSI and Microsoft
Instant recovery and data protection solutions for Exchange and SQL servers
http://list.windowsitpro.com/cgi-bin3/DM/y/eiqa0MfYqv0Kma0BNdw0Aj

====================

==== Contact Us ====

About the newsletter -- letters@windowsitpro.com
About technical questions -- http://www.windowsitpro.com/forums
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com

====================

This email newsletter is brought to you by Security Administrator, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users.
View the Windows IT Pro privacy policy at http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2004, Penton Media, Inc. All rights reserved.

From isn at c4i.org Fri Jan 7 07:41:15 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jan 7 07:56:38 2005
Subject: [ISN] Call For Articles: MISC Magazine - CanSecWest/core05
Message-ID:

Forwarded from: Dragos Ruiu

(Details in French Below)

Win a trip to attend CanSecWest/core05. Get published in MISC Magazine.

Contest Details:

You just have to write an original article (3500-4000 words) for publication in MISC Magazine on any topic related to computer security: exploit writing, (anti-)virus, (anti-)forensics, network, protocol manipulation, honeypots, IDS/IPS, reverse engineering, telecoms, and so on... For a list of subjects already covered in the magazine have a look at http://www.miscmag.com/sommaire.php

The best submitted article (details below) will win a free trip (airfare, hotel) and conference registration. All contest information available on http://www.miscmag.com/csw05-dl.php

The conference website can be found at http://cansecwest.com

The CanSecWest/core05 conference consists of tutorials on technical details about current issues, innovative techniques and best practices in the information security realm. Many famous researchers contribute each year. The attendees are a multi-national mix of professionals involved on a daily basis with security work and provide a social networking opportunity to mingle with eminent technical researchers. It will be held on May 4-6 at the Marriott Renaissance hotel in downtown Vancouver, British Columbia, Canada.

MISC is a French magazine focusing on information security. Each issue features an in-depth coverage of a specific topic through a series of articles exploring the subject.
Beside this key theme, regular columns provide the reader with advanced techniques pertaining to information security. Because security cannot be limited to technical and scientific aspects, MISC also covers domains like law or information warfare.

The winning article submission receives:
- registration for CanSecWest/core05 donated by the conference
- 4 nights in the conference hotel (Marriott Renaissance) paid for by the conference (though incidental costs are still your responsibility).
- a round-trip to Vancouver (Canada), paid by Diamond Edition (the winner must have a valid passport and visa if needed)
- the publication of your article in MISC, paid at the regular MISC rate (to use as spending money on your trip).

The committee will select the best article which will be published in MISC Magazine. The 5 following criteria will guide the committee's choice:
1) education: how much does it teach?
2) innovation: how is it new?
3) technical level: what is the technical level of the article?
4) applicability: does it affect a lot of people?
5) style: grammar, orthography, syntax, clarity, ...

More than one article may be published in MISC Magazine, but only the best one will win the trip.

To have a chance to win, send article submission by email to csw05@miscmag.com along with the following information before the 29th of January 2005:
1) Author, and geographical location (country of origin/passport) and contact info (e-mail, postal address, phone, fax). We need a real name and real contact details or we won't be able to pay for the trip.
2) Employer and/or affiliations.
3) 3 to 5 keywords describing the topic of the proposal
4) The article, written either in French or English, and using the style sheets available at http://www.miscmag.com/styles/
5) Optionally, any samples (code or whatever) related to the article.
6) The following declaration: I, , hereby certify that the submitted article has been written by me and that I own the intellectual property contained in it. I, , give Diamond Editions the right to publish this article in their magazines.

If a submission is incomplete, the article will not be considered for the challenge. Only one submission per person is allowed - if there are multiple submissions, only the last one will be considered. Please submit all proposals by January 29 latest. Results will be communicated to the participants on the 15th February 2005.

MISC Magazine : http://www.miscmag.com
CanSecWest/core05 : http://cansecwest.com

---------------------

CanSecWest/core05 - MISC Magazine

Win a trip to attend CanSecWest/core05. How? Simply by writing an original article of 3500-4000 words on the theme of computer security: exploit techniques, (anti-)virus, (anti-)forensics, network manipulation, protocol hijacking, honeypots and other IDS/IPS, reverse engineering, telecoms, etc... To discover the subjects covered in MISC, you can visit http://www.miscmag.com/sommaire.php. All the details at: http://www.miscmag.com/csw05.php

The CanSecWest/core05 conference consists of tutorials on current issues, innovative techniques and best practices in the field of information security. Prestigious speakers take part every year, allowing attendees to keep up to date with the latest developments in the sector. It takes place from 4 to 6 May 2005 in Vancouver (Canada).

MISC, the French magazine that is "100% computer security", consists of a feature section treating one theme in depth, and of numerous columns allowing everyone to discover the advanced techniques related to information security. MISC also covers related domains (law or information warfare, for example) because information security is not limited to technical and scientific problems.

Prizes for the winner:
- admission to CanSecWest
- 4 nights at the conference hotel (Marriott Renaissance)
- the plane ticket to Vancouver, purchased by Diamond Edition (the winner must have, if needed, a valid passport and a visa for Canada)
- the publication of the article, paid at the normal MISC author rate, in a forthcoming issue of MISC.

The jury will select the best submission, which will then be published in MISC Magazine. The scoring breaks down into 5 criteria of equal weight:
1) education: is the article instructive?
2) innovation: what part(s) of it are new?
3) technical level: what is the technical level of the article?
4) reach: does it concern a lot of people?
5) style: spelling, grammar, clarity, ...

All good articles may be published in MISC, but only the best one will win the trip to CanSecWest.

To take part, send an email to csw05@miscmag.com with the following information before Saturday 29 January:
1) introduction: surname, first name, city/country of origin, nationality, contact details (e-mail, postal address, telephone, fax). Note: without this information, your prize cannot be awarded to you.
2) employer and/or affiliation
3) 3-5 keywords characterising the article
4) the article, written in English or in French, and following the style sheets: http://www.miscmag.com/styles/
5) optionally, any samples (code or other) related to the article
6) The following statement: I, the undersigned, declare on my honour that I am the author of the article submitted to take part in the contest, and that I therefore hold the intellectual property rights to it. In the event of winning, I authorise Diamond Edition to make use of my article in their publications.

Any incomplete email will invalidate the entry. Only one entry per person is allowed.

Entry deadline: Saturday 29 January 2005, the time of receipt of the email being decisive.

Useful links
MISC Magazine : http://www.miscmag.com
CanSecWest/core05 : http://cansecwest.com

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada May 4-6 2005 http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp

From isn at c4i.org Fri Jan 7 07:41:29 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jan 7 07:56:40 2005
Subject: [ISN] NIST raises VoIP concerns
Message-ID:

http://www.fcw.com/fcw/articles/2005/0103/web-voip-01-06-05.asp

By Florence Olsen
Jan. 6, 2005

Government administrators may not understand the complexity of installing security systems for Internet telephony, a new government study suggests [1].

Officials at the National Institute of Standards and Technology released a Jan. 5 report that examines security vulnerabilities in Internet-based telephone systems and raises concerns about an emerging technology that otherwise appears to offer many advantages over traditional telephone networks. Security concerns described in the 99-page report suggest that the cost and complexity of installing such systems is greater than people realize.

Many government agencies, including the Defense Information Systems Agency, plan to use voice-over-IP networks. Military commanders rely heavily on such systems in Iraq and Afghanistan.

Some administrators mistakenly assume that they can plug voice-over-IP components into a secure network and have secure voice communications. But the report's authors say that security measures such as firewalls and encryption used in traditional data networks are incompatible with current Internet-based telephone systems and can cause serious deterioration in the voice quality possible on such systems.

The report states that "essential telephone services, unless carefully planned, deployed and maintained, will be at greater risk if based on voice over IP."
For example, data networks must be adapted by adding firewalls designed specifically for voice over IP. To compensate for the current security vulnerabilities of voice-over-IP technology, NIST officials made several recommendations, including:

* Creating separate subnetworks for voice and data traffic on IP networks, each with their own dynamic host configuration protocol servers.
* Ensuring that 911 emergency service is available.
* Securing physical access to the network's voice components to prevent unauthorized eavesdropping on conversations.

[1] http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf

From isn at c4i.org Fri Jan 7 07:41:49 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jan 7 07:56:42 2005
Subject: [ISN] SSL VPNs Will Grow 54% A Year, Become Defacto Access Standard: Report
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml;jsessionid=NIOHIDQYVVDQSQSNDBESKHA?articleID=56900844

By Matthew Friedman
Networking Pipeline
Jan. 5, 2005

Spending on Secure Sockets Layer Virtual Private Networks (SSL VPN) will grow at a 53% compound annual growth rate, and SSL VPNs will surpass traditional IPsec VPNs as the de-facto remote access security standard by 2008, according to a new report from Forrester Research.

In "SSL VPNs Poised for Significant Growth," Forrester associate analyst Robert Whiteley says companies are attracted by the technology's application-level simplicity. Unlike IPsec VPNs, which require special client software to access the network, SSL VPN supports a wide range of devices, from desktop computers to PDAs, and applications, while offering network administrators greater granularity of user information and providing better endpoint security.

According to the report, some 44% of American businesses have deployed SSL VPNs, spending $97 million on the technology last year alone.
Despite the impressive adoption rate for a technology that has been in the business mainstream for less than a year, Forrester expects SSL VPN deployments to continue to take off, with the market growing at a 53% compound annual growth rate to $1.2 billion in 2004.

SSL VPNs are already well-entrenched in the financial and business services industries and in the public sector. Driven by the need to ensure endpoint security for online services, the financial services industry can boast a 56% penetration rate, with business services just behind at 51%. In both cases, Whiteley predicts a compound annual growth of 34% to 2010 which, though impressive, pales beside the expected SSL VPN growth in late-adopting industries.

Indeed, Whiteley writes that retail and manufacturing are poised to leap into SSL VPN with gusto over the next few years. "Retail and wholesale allocates 7.8% of its IT spend to security, more than even financial services," he notes. "This vertical shows the most SSL VPN potential because of its eye toward security, relatively little penetration to date, and the need for large, distributed deployments, resulting in 82% annual market growth through 2010."

Though only 29% of manufacturers are currently invested in SSL VPNs, Whiteley expects that to change dramatically through 2010, predicting a phenomenal 94% compound annual growth rate. IPSec was a poor fit for this vertical's needs, Whiteley observes, but the application-layer flexibility of SSL VPNs should spur rapid adoption.

"Manufacturing companies typically don't provide employees with corporate-managed laptops," he writes. "Thus, SSL VPNs allows a 'bring-your-own computer' model where manufacturing companies still control security and user policy but don't have to incur the cost of unnecessary IT infrastructure."
From isn at c4i.org Fri Jan 7 07:42:02 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jan 7 07:56:45 2005
Subject: [ISN] Foreign Hackers Attack 430 Korean Websites Per Day
Message-ID:

http://english.chosun.com/w21data/html/news/200501/200501070019.html

Kim Hee-seop
Jan. 7, 2005

It has been learned that around 4,000 Korean Internet homepages have been hacked recently. The Ministry of Information and Communication (MIC) said Friday that according to its calculations, foreign professional hackers launched a daily average of 430 attacks on Korean websites between Dec. 29 and Jan. 6 (Thursday) and interfered with the administration of those sites.

Users were either unable to connect to hacked homepages, or information on victimized sites failed to be properly displayed, with opening screens being erased or suffering other damage.

The MIC said that most of the hacked sites were personal homepages or websites of small and medium businesses, which often have weak security capabilities and are vulnerable to attack. The hackers, who are known to be part of a foreign hacking group, have concentrated their assault on Internet bulletin boards written in PHP.

The MIC posted cautionary information Friday concerning Internet security, and advised homepage administrators to quickly upgrade their programs. For information on hacking damage and ways to cope with the situation, refer to the website of the Korea Internet Security Center at www.krcert.or.kr.

From isn at c4i.org Fri Jan 7 07:42:13 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jan 7 07:56:48 2005
Subject: [ISN] Baseball Fan/Spam Artist Found Guilty in Attacks on Philly Papers
Message-ID:

http://www.editorandpublisher.com/eandp/news/article_display.jsp?vnu_content_id=1000747720

By E&P Staff
January 06, 2005

NEW YORK A Philadelphia Phillies fanatic was convicted today in federal court on 79 counts of hijacking -- the e-mail addresses of local sportswriters. Allan E.
Carlson, 41, was accused of seizing the e-mail addresses of Philadelphia area sportswriters to spread his complaints about the baseball team's management. He was convicted of 79 counts of fraud, identity theft, and computer hacking-related offenses.

U.S. District Judge Berle M. Schiller asked the jury to resume deliberations to decide on the amount of financial loss Carlson's scam caused Philadelphia Newspapers Inc., publisher of The Philadelphia Inquirer and Daily News.

Prosecutors said Carlson was angry that the papers' sportswriters were not more critical of Phillies management. Testifying in his own defense during the three-day trial, Carlson said he did not believe what he did was a crime or that it would cause harm to the newspapers.

The federal jury deliberated only an hour before returning at noon with guilty verdicts on all counts against Carlson. He is a native of New Jersey who has lived in the Los Angeles area for several years.

From isn at c4i.org Fri Jan 7 07:42:24 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jan 7 07:56:53 2005
Subject: [ISN] Japan Trying to Fend Off Chinese Cyber-Attacks
Message-ID:

http://www.voanews.com/english/2005-01-06-voa29.cfm

By Steve Herman
Tokyo
06-January-2005

A battle is underway between China and Japan in cyberspace, with Japanese officials claiming Chinese hackers are routinely attacking websites and Internet services in Japan. Among them is the homepage of the Yasukuni Shrine, a constant source of friction between the two countries.

Japanese officials say cyber-attacks from China have been on the rise for several years. A particularly intense attack of e-mail barrages on the Internet home of the Yasukuni Shrine in Tokyo forced the web site's closure on January 1.

A shrine spokesman has called the cyber-assault "terrorism" and a malicious challenge to all of Japan. The Shinto religious institution is dedicated to the souls of Japanese war dead, among them convicted war criminals from the Second World War.
Beijing has repeatedly protested visits by Prime Minister Junichiro Koizumi to Yasukuni, saying the shrine glorifies Japan's military past and its invasion of China in the 1930s and 1940s.

Kuninori So, an analyst at the Cyber Defense Institute in Tokyo says the recent cyber-assault on Yasukuni Shrine appears to have been well organized. "In this case, for Yasukuni, probably the attack caused by the Chinese hackers should be well organized and a certain amount of groups and people participating," he said.

Mr. So adds the attacks ebb and flow with the state of Beijing-Tokyo relations, and on anniversaries of events that took place during Japan's occupation of China.

Japan plans to set up a special government unit this year to combat cyber-terrorism. Police here say that while the Chinese attacks are numerous and a nuisance, they are more concerned about the possibility of Islamic militants and North Korean agents using the Internet to take control of or damage critical infrastructure, such as control systems for utilities or banks.

From isn at c4i.org Mon Jan 10 10:16:42 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jan 10 10:34:03 2005
Subject: [ISN] Linux Advisory Watch - January 7th 2005
Message-ID:

+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| January 7th, 2005 Volume 6, Number 1a |
+---------------------------------------------------------------------+

Editors: Dave Wreski dave@linuxsecurity.com
Benjamin D. Thomas ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.
This week, advisories were released for mplayer, samba, wxgtk, cups, htmlheadline, nasm, zip, pcal, tiff, namazu, imlib2, selinux, tetex, pcmcia, kernel, mysql, gpdf, hotplug, linpopup, firefox, shoutcast, mit-krb5, xine, phpgroupware, xzgv, vilistextum, vim, mc, and fam. The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, and Red Hat.

----

Internet Productivity Suite: Open Source Security

Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design.
http://store.guardiandigital.com/html/eng/products/software/ips_overview.shtml

---

Network and Host Mapping

In order to keep yourself secure you must understand your enemy. Prevention is the only protection from becoming the victim of a security exploit. The first step in doing this is to determine what services your servers offer, so you can secure them in the best manner possible.

Network scanning can be used to determine potential communication channels. Mapping their existence facilitates the exchange of information with the host, and thus is quite useful for anyone wishing to explore their networked environment, including attackers.

Scanning, as a method for discovering exploitable communication channels, has been around for ages. The idea is to probe as many listeners as possible, and keep track of the ones that are receptive or useful. Once these listeners are found, means to exploit the host can be developed. Unnecessarily offering a particular service to a hacker means another avenue to exploit the host.

Many different types of scanning are currently available.
These range from a simple ping test to see if the host is alive, network broadcasts, and even performing a "stealth" attack by manipulating the ICMP, TCP, or UDP information in a data packet, intentionally violating the protocol definition in an attempt to trick a firewall. Becoming familiar with the tools and techniques an attacker might use to probe a network is the only way to know what information is available if someone attempts to mount an attack against us.

Among the things that can be determined from port scanning a machine include:

- Services a host is offering which can then be used to construct the appropriate attack based on information gathered from this process
- If there is in fact a host at the IP address that is being scanned
- A topology map of our network, which can be used to determine where firewalls and other hosts are positioned, trusted relationships between those hosts, and routing and DNS information.
- Operating system identification, vendor release and version, as well as applications and their versions
- Disclosure of the username and owner of any process connected via TCP, which can then be used to determine, for example, the username of which the web server is running

Linux Security Tip, by Ryan Maple:
http://www.linuxsecurity.com/content/view/117271/141/

----------------------

A 2005 Linux Security Resolution

Year 2000, the coming of the new millennium, brought us great joy and celebration, but also brought great fear. Some believed it would result in full-scale computer meltdown, leaving Earth as a nuclear wasteland. Others predicted minor glitches leading only to inconvenience. The following years (2001-2004) have been tainted with the threat of terrorism worldwide.
http://www.linuxsecurity.com/content/view/117721/49/

---

State of Linux Security 2004

In 2004, security continued to be a major concern.
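The Network and Host Mapping tip above describes probing as many listeners as possible and "stealth" probes that violate the TCP protocol definition; the defender's side of that is recognising those patterns in firewall logs. The following detector is an added example, not code from the newsletter or from LinuxSecurity.com: it assumes the kernel's iptables LOG output format (KEY=VALUE fields plus bare TCP flag tokens) behind a syslog prefix, and the log lines are constructed for the demo.

```python
"""Port-scan detector over iptables LOG lines.

Added example, not code from the newsletter or from LinuxSecurity.com.
Assumes the kernel's iptables LOG output format (KEY=VALUE fields plus bare
TCP flag tokens such as SYN, FIN, PSH, URG) behind a syslog prefix; the
sample lines below are constructed for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one source sweeping ports on a host, two probes with
# illegal flag combinations, and one benign client (SYN to 80, DNS over UDP).
SAMPLE_LOG = """\
Jan  7 10:00:01 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 SYN URGP=0
Jan  7 10:00:01 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 SYN URGP=0
Jan  7 10:00:02 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP SPT=40003 DPT=23 WINDOW=1024 SYN URGP=0
Jan  7 10:00:02 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP SPT=40004 DPT=25 WINDOW=1024 SYN URGP=0
Jan  7 10:00:03 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP SPT=40005 DPT=80 WINDOW=1024 SYN URGP=0
Jan  7 10:00:03 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP SPT=40006 DPT=110 WINDOW=1024 SYN URGP=0
Jan  7 10:00:05 gw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.9 PROTO=TCP SPT=51000 DPT=443 WINDOW=1024 FIN PSH URG URGP=0
Jan  7 10:00:06 gw kernel: IN=eth0 OUT= SRC=10.0.0.8 DST=10.0.0.9 PROTO=TCP SPT=52000 DPT=80 WINDOW=1024 URGP=0
Jan  7 10:00:07 gw kernel: IN=eth0 OUT= SRC=192.168.1.2 DST=10.0.0.9 PROTO=TCP SPT=53000 DPT=80 WINDOW=65535 SYN URGP=0
Jan  7 10:00:08 gw kernel: IN=eth0 OUT= SRC=192.168.1.2 DST=10.0.0.9 PROTO=UDP SPT=53001 DPT=53 LEN=40
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<rest>.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line, year=2005):
    """Parse one LOG line into a dict, or None if it is not a TCP/UDP entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies it
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
    if fields.get("PROTO") not in ("TCP", "UDP") or "DPT" not in fields:
        return None
    return {"ts": ts, "src": fields.get("SRC"), "dst": fields.get("DST"),
            "proto": fields["PROTO"], "dport": int(fields["DPT"]), "flags": flags}


def classify_flags(flags):
    """Name TCP flag combinations that no legitimate handshake produces."""
    if not flags:
        return "null-scan"          # no flags at all
    if flags == {"FIN", "PSH", "URG"}:
        return "xmas-scan"          # FIN+PSH+URG without SYN or ACK
    if flags == {"FIN"}:
        return "fin-scan"           # lone FIN on a connection that never opened
    if {"SYN", "FIN"} <= flags:
        return "syn-fin"            # contradictory open-and-close in one packet
    return None


def detect_scans(lines, window_seconds=10, port_threshold=5, year=2005):
    """Return alerts for illegal-flag probes and for sources that touch at
    least port_threshold distinct ports on one host within window_seconds."""
    events = [e for e in (parse_line(l, year) for l in lines) if e]
    alerts = []
    # Rule 1: a single packet with an illegal flag combination is enough.
    for e in events:
        if e["proto"] == "TCP":
            kind = classify_flags(e["flags"])
            if kind:
                alerts.append({"src": e["src"], "dst": e["dst"],
                               "kind": kind, "ports": [e["dport"]]})
    # Rule 2: many distinct destination ports from one source to one host.
    per_pair = defaultdict(list)
    for e in events:
        per_pair[(e["src"], e["dst"])].append(e)
    for (src, dst), evs in per_pair.items():
        evs.sort(key=lambda e: e["ts"])
        window = deque()            # (timestamp, dport) pairs inside the time window
        for e in evs:
            window.append((e["ts"], e["dport"]))
            while (e["ts"] - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            ports = sorted({p for _, p in window})
            if len(ports) >= port_threshold:
                alerts.append({"src": src, "dst": dst, "kind": "port-sweep", "ports": ports})
                break               # one alert per source/destination pair is enough
    return alerts


if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG.splitlines()):
        print(f"{a['kind']:10} {a['src']} -> {a['dst']} ports={a['ports']}")
```

On the sample, the sweep from 10.0.0.5 is reported as soon as its fifth distinct port is seen, while the single SYN and DNS query from 192.168.1.2 raise nothing.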
The beginning of the year was plagued with several kernel flaws and Linux vendor advisories continue to be released at an ever-increasing rate. This year, we have seen the reports touting Window's security superiority, only to be debunked by other security experts immediately after release. Also, Guardian Digital launched the new LinuxSecurity.com, users continue to be targeted by automated attacks, and the need for security awareness and education continues to rise.
http://www.linuxsecurity.com/content/view/117655/49/

-----

Users Respond with Constructive Feedback

When the new version of LinuxSecurity.com was launched on December 1st, we also asked our readers to "Tell us what you think." You have spoken, and we appreciate that! We received hundreds of comments & requests, and have been addressing a majority of them. We thought it was important to share some of the comments with you. While some were purely positive acknowledgements, others were thoughtful criticisms. We take every critique into account and address each as resources become available or when the criticism becomes the concern of many.
http://www.linuxsecurity.com/content/view/117614/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
| Distribution: Conectiva | ----------------------------//
+---------------------------------+

* Conectiva: mplayer vulnerabilities fix
5th, January, 2005

iDEFENSE[2] found a buffer overflow vulnerability[3] due to an error in dynamically allocating memory and further investigation by mplayer team found more vulnerabilities. This announcement fixes these vulnerabilities.
  http://www.linuxsecurity.com/content/view/117769

* Conectiva: Samba vulnerabilities fix
  6th, January, 2005
  Remote exploitation of an integer overflow vulnerability[2] in the smbd daemon could allow an attacker to cause controllable heap corruption, leading to execution of arbitrary commands with root privileges.
  http://www.linuxsecurity.com/content/view/117793

* Conectiva: wxgtk2 library vulnerabilities fix
  6th, January, 2005
  Several vulnerabilities were found in libtiff, which may also be present in the wxGTK library, since it has a private copy of libtiff's source.
  http://www.linuxsecurity.com/content/view/117794

+---------------------------------+
| Distribution: Debian            | ----------------------------//
+---------------------------------+

* Debian: CUPS arbitrary code execution fix
  31st, December, 2004
  An iDEFENSE security researcher discovered a buffer overflow in xpdf, the Portable Document Format (PDF) suite. Similar code is present in the PDF processing part of CUPS. A maliciously crafted PDF file could exploit this problem, leading to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/117725

* Debian: htmlheadline insecure temporary files fix
  3rd, January, 2005
  Javier Fernández-Sanguino Peña has discovered multiple insecure uses of temporary files that could lead to overwriting arbitrary files via a symlink attack.
  http://www.linuxsecurity.com/content/view/117726

* Debian: nasm arbitrary code execution fix
  4th, January, 2005
  Jonathan Rockway discovered a buffer overflow in nasm, the general-purpose x86 assembler, which could lead to the execution of arbitrary code when compiling a maliciously crafted assembler source file.
  http://www.linuxsecurity.com/content/view/117756

* Debian: zip arbitrary code execution fix
  5th, January, 2005
  A buffer overflow has been discovered in zip, the archiver for .zip files. When doing recursive folder compression the program did not check the resulting path length, which would lead to memory being overwritten. A malicious person could convince a user to create an archive containing a specially crafted path name, which could lead to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/117767

* Debian: pcal arbitrary code execution fix
  5th, January, 2005
  Danny Lungstrom discovered two buffer overflows in pcal, a program to generate Postscript calendars, that could lead to the execution of arbitrary code when compiling a calendar.
  http://www.linuxsecurity.com/content/view/117770

* Debian: tiff denial of service fix
  6th, January, 2005
  Dmitry V. Levin discovered a buffer overflow in libtiff, the Tag Image File Format library for processing TIFF graphics files. Upon reading a TIFF file it is possible to crash the application, and maybe also to execute arbitrary code.
  http://www.linuxsecurity.com/content/view/117780

* Debian: namazu2 cross-site scripting vulnerability fix
  6th, January, 2005
  A cross-site scripting vulnerability has been discovered in namazu2, a full text search engine. An attacker could prepare specially crafted input that would not be sanitised by namazu2 and hence displayed verbatim for the victim.
  http://www.linuxsecurity.com/content/view/117790

* Debian: imlib2 arbitrary code execution fix
  6th, January, 2005
  Pavel Kankovsky discovered that several overflows found in the libXpm library were also present in imlib and imlib2, imaging libraries for X11. An attacker could create a carefully crafted image file in such a way that it could cause an application linked with imlib or imlib2 to execute arbitrary code when the file was opened by a victim.
  http://www.linuxsecurity.com/content/view/117791

+---------------------------------+
| Distribution: Fedora            | ----------------------------//
+---------------------------------+

* Fedora: selinux-policy-targeted-1.17.30-2.62 update
  31st, December, 2004
  Fix for postgres startup scripts.
  http://www.linuxsecurity.com/content/view/117729

* Fedora: tetex-2.0.2-14FC2.1 update
  3rd, January, 2005
  The updated tetex package fixes a buffer overflow which allows attackers to cause the internal xpdf library used by applications in tetex to crash, and possibly to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1125 to this issue.
  http://www.linuxsecurity.com/content/view/117742

* Fedora: tetex-2.0.2-21.2 update
  3rd, January, 2005
  The updated tetex package fixes a buffer overflow which allows attackers to cause the internal xpdf library used by applications in tetex to crash, and possibly to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1125 to this issue.
  http://www.linuxsecurity.com/content/view/117743

* Fedora: pcmcia-cs-3.2.7-2.1 update
  3rd, January, 2005
  This update fixes bug #135508, silencing a warning message on cardmgr startup.
  http://www.linuxsecurity.com/content/view/117750

* Fedora: pcmcia-cs-3.2.7-1.8.2.2 update
  3rd, January, 2005
  This update fixes bug #135508, silencing a warning message on cardmgr startup.
  http://www.linuxsecurity.com/content/view/117751

* Fedora: kernel-2.6.9-1.11_FC2 update
  3rd, January, 2005
  A large change over previous kernels has been made. The 4G:4G memory split patch has been dropped, and Fedora kernels now revert back to the upstream 3G:1G kernel/userspace split.
  http://www.linuxsecurity.com/content/view/117752

* Fedora: kernel-2.6.9-1.724_FC3 update
  3rd, January, 2005
  A large change over previous kernels has been made.
  The 4G:4G memory split patch has been dropped, and Fedora kernels now revert back to the upstream 3G:1G kernel/userspace split.
  http://www.linuxsecurity.com/content/view/117753

* Fedora: mysql-3.23.58-14 update
  5th, January, 2005
  Work around SELinux restriction that breaks mysql_install_db (bug #141062). Add a restorecon to keep the mysql.log file in the right context (bz#143887). Fix init script to not need a valid username for startup check (bz#142328). Don't assume /etc/my.cnf will specify pid-file (bz#143724).
  http://www.linuxsecurity.com/content/view/117777

* Fedora: man-pages-ja-20041215-1.FC3.0 update
  6th, January, 2005
  Prefer GNU fileutils's chown(1) rather than gnumaniak's. (#142077)
  http://www.linuxsecurity.com/content/view/117783

* Fedora: ruby-1.8.2-1.FC3.0 update
  6th, January, 2005
  New upstream release.
  http://www.linuxsecurity.com/content/view/117784

* Fedora: man-pages-ja-20041215-1.FC2.0 update
  6th, January, 2005
  Fixed wrong filename for the in.rlogind.8 man page. Prefer GNU fileutils's chown(1) rather than gnumaniak's.
  http://www.linuxsecurity.com/content/view/117785

* Fedora: tetex-2.0.2-14FC2.1 update
  6th, January, 2005
  The updated tetex package fixes a buffer overflow which allows attackers to cause the internal xpdf library used by applications in tetex to crash, and possibly to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1125 to this issue.
  http://www.linuxsecurity.com/content/view/117786

* Fedora: tetex-2.0.2-21.2 update
  6th, January, 2005
  The updated tetex package fixes a buffer overflow which allows attackers to cause the internal xpdf library used by applications in tetex to crash, and possibly to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1125 to this issue.
  http://www.linuxsecurity.com/content/view/117787

* Fedora: gpdf-2.8.0-8.2 update
  6th, January, 2005
  Applied patch to fix CAN-2004-1125 (bug #144210).
  http://www.linuxsecurity.com/content/view/117788

* Fedora: gpdf-2.8.0-4.2.fc2 update
  6th, January, 2005
  Applied patch to fix CAN-2004-1125 (bug #144210).
  http://www.linuxsecurity.com/content/view/117789

* Fedora: hotplug-2004_04_01-8.1 update
  6th, January, 2005
  This adds a fix to properly set the path for devices on USB removal.
  http://www.linuxsecurity.com/content/view/117792

+---------------------------------+
| Distribution: Gentoo            | ----------------------------//
+---------------------------------+

* Gentoo: LinPopUp Buffer overflow in message reply
  4th, January, 2005
  LinPopUp contains a buffer overflow potentially allowing execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/117760

* Gentoo: a2ps Insecure temporary files handling
  4th, January, 2005
  The fixps and psmandup scripts in the a2ps package are vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files.
  http://www.linuxsecurity.com/content/view/117761

* Gentoo: Mozilla, Firefox, Thunderbird Various vulnerabilities
  5th, January, 2005
  Various vulnerabilities were found and fixed in Mozilla-based products, ranging from a potential buffer overflow and temporary files disclosure to anti-spoofing issues.
  http://www.linuxsecurity.com/content/view/117768

* Gentoo: shoutcast Remote code execution
  5th, January, 2005
  Shoutcast Server contains a possible buffer overflow that could lead to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/117771

* Gentoo: mit-krb5 Heap overflow in libkadm5srv
  5th, January, 2005
  The MIT Kerberos 5 administration library (libkadm5srv) contains a heap overflow that could lead to execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/117778

* Gentoo: tiff New overflows in image decoding
  5th, January, 2005
  An integer overflow has been found in the TIFF library image decoding routines and the tiffdump utility, potentially allowing arbitrary code execution.
  http://www.linuxsecurity.com/content/view/117779

* Gentoo: xine-lib Multiple overflows
  6th, January, 2005
  xine-lib contains multiple overflows potentially allowing execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/117781

* Gentoo: phpGroupWare Various vulnerabilities
  6th, January, 2005
  Multiple vulnerabilities have been discovered in phpGroupWare that could lead to information disclosure or remote compromise.
  http://www.linuxsecurity.com/content/view/117798

* Gentoo: xzgv Multiple overflows
  6th, January, 2005
  xzgv contains multiple overflows that may lead to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/117806

* Gentoo: vilistextum Buffer overflow vulnerability
  6th, January, 2005
  Vilistextum is vulnerable to a buffer overflow that allows an attacker to execute arbitrary code through the use of a malicious webpage.
  http://www.linuxsecurity.com/content/view/117807

+---------------------------------+
| Distribution: Mandrake          | ----------------------------//
+---------------------------------+

* Mandrake: libtiff multiple vulnerabilities fix
  6th, January, 2005
  Several vulnerabilities have been discovered in the libtiff package.
  http://www.linuxsecurity.com/content/view/117801

* Mandrake: wxGTK2 vulnerabilities fix
  6th, January, 2005
  Several vulnerabilities have been discovered in the libtiff package; wxGTK2 uses a libtiff code tree, so it may have the same vulnerabilities.
  http://www.linuxsecurity.com/content/view/117802

* Mandrake: vim modeline vulnerabilities fix
  6th, January, 2005
  Several "modeline"-related vulnerabilities were discovered in Vim by Ciaran McCreesh.
  The updated packages have been patched with Bram Moolenaar's vim 6.3.045 patch, which fixes the reported vulnerabilities and adds more conservative "modeline" rights.
  http://www.linuxsecurity.com/content/view/117803

* Mandrake: nasm buffer overflow vulnerability fix
  6th, January, 2005
  A buffer overflow in nasm was discovered by Jonathan Rockway. This vulnerability could lead to the execution of arbitrary code when compiling a malicious assembler source file.
  http://www.linuxsecurity.com/content/view/117804

* Mandrake: libtiff multiple vulnerabilities fix
  6th, January, 2005
  Several vulnerabilities have been discovered in the libtiff package.
  http://www.linuxsecurity.com/content/view/117805

+---------------------------------+
| Distribution: Red Hat           | ----------------------------//
+---------------------------------+

* Red Hat: mc security vulnerabilities fix
  5th, January, 2005
  An updated mc package that resolves several shell escape security issues is now available.
  http://www.linuxsecurity.com/content/view/117772

* Red Hat: fam security issue fix
  5th, January, 2005
  Updated fam packages that fix an information disclosure bug are now available.
  http://www.linuxsecurity.com/content/view/117773

* Red Hat: VIM security vulnerability fix
  5th, January, 2005
  Updated vim packages that fix a modeline vulnerability are now available.
  http://www.linuxsecurity.com/content/view/117774

* Red Hat: samba security issue fix
  5th, January, 2005
  Updated samba packages that fix an integer overflow vulnerability are now available for Red Hat Enterprise Linux 2.1.
  http://www.linuxsecurity.com/content/view/117775

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
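The Linux Security Tip earlier in this newsletter lists what a port scan gives away: whether a host is up, which services it offers, and what they announce about themselves. The following is an added example (editor's code, not part of the newsletter or of any tool it mentions) of the simplest form of that probe, a TCP connect() scan. It classifies each port as open (handshake completed), closed (the host answered with RST, so it is alive but nothing listens there) or filtered (no answer before the timeout, which usually means a firewall dropped the probe), and grabs whatever greeting the service sends first. The "stealth" variants the tip describes, which forge TCP flags, need raw sockets and are not shown. The fake SSH listener and its banner are constructed so the block runs offline against 127.0.0.1; the state names are the usual scanner convention, assumed here rather than taken from the page.

```python
"""TCP connect() port scan with open / closed / filtered classification and
banner grabbing. Editor's added example, not code from the newsletter."""
import socket
import threading
from typing import Dict, Optional, Tuple

# State names follow the usual scanner convention (an assumption, not from the page):
#   open     - three-way handshake completed, a service is listening
#   closed   - host replied with RST (connection refused): host alive, no service
#   filtered - no reply before the timeout: a firewall is probably dropping the probe
OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def probe_port(host: str, port: int, timeout: float = 1.0) -> Tuple[str, Optional[bytes]]:
    """Probe one TCP port; return (state, banner). The banner is whatever the
    service sends first (an SSH or SMTP greeting, for instance), or None."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return CLOSED, None
    except (socket.timeout, OSError):
        # timeout, or an ICMP unreachable surfacing as OSError (e.g. EHOSTUNREACH)
        s.close()
        return FILTERED, None
    try:
        banner = s.recv(128)            # many daemons announce themselves unprompted
    except (socket.timeout, OSError):
        banner = b""
    finally:
        s.close()
    return OPEN, banner or None


def scan(host: str, ports, timeout: float = 1.0) -> Dict[int, Tuple[str, Optional[bytes]]]:
    """Scan an iterable of ports; return {port: (state, banner)}."""
    return {p: probe_port(host, p, timeout) for p in ports}


def alive(results: Dict[int, Tuple[str, Optional[bytes]]]) -> bool:
    """A host that answered SYN/ACK or RST is certainly up; all-filtered tells us nothing."""
    return any(state != FILTERED for state, _ in results.values())


def free_local_port() -> int:
    """Helper: a loopback port that nothing is listening on right now."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def start_fake_service(banner: bytes) -> Tuple[int, socket.socket]:
    """Constructed scan target for offline use: a loopback listener that greets
    every client with `banner` and hangs up. Returns (port, listening socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                  # listener was closed
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


if __name__ == "__main__":
    # constructed banner, chosen to look like the sshd of the period
    port, srv = start_fake_service(b"SSH-2.0-OpenSSH_3.9p1\r\n")
    results = scan("127.0.0.1", [port, free_local_port()], timeout=0.5)
    for p, (state, banner) in sorted(results.items()):
        print(f"{p:5d}/tcp  {state:8s} {banner!r}")
    print("host alive:", alive(results))
    srv.close()
```

A connect() scan completes the handshake, so every probe shows up in the target's logs and in any connection tracking in front of it; that is exactly why attackers prefer the half-open and flag-manipulation variants the tip mentions, and why an all-filtered result from outside the firewall is the outcome to aim for when auditing your own perimeter.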
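Two advisories above, the Debian htmlheadline fix and the Gentoo a2ps (fixps, psmandup) fix, describe the same bug class: a script writes to a temporary file whose name a local user can predict, so the attacker pre-creates a symlink of that name pointing at a file they want clobbered, and the script follows it. The following is an added example (editor's code, not from either package) that stages the attack inside a scratch directory and runs the buggy open() pattern beside two hardened ones. The file names, the "victim" contents and the /tmp/tool.$$-style predictable name are constructed for the demonstration; the defences (O_CREAT|O_EXCL|O_NOFOLLOW, or mkstemp()) are the standard POSIX ones.

```python
"""Predictable temp file vs. safe creation: the symlink attack behind the
htmlheadline and a2ps advisories. Editor's added example, not package code."""
import os
import tempfile

# constructed stand-in for a file the attacker wants overwritten
VICTIM_CONTENT = "root:x:0:0:root:/root:/bin/bash\n"


def setup(workdir: str):
    """Stage the scenario: a victim file, plus the attacker's symlink planted at the
    guessable name the buggy script will use (assumed /tmp/<tool>.<pid> style)."""
    victim = os.path.join(workdir, "victim")
    with open(victim, "w") as f:
        f.write(VICTIM_CONTENT)
    predictable = os.path.join(workdir, "fixps.1234")   # name the attacker can guess
    os.symlink(victim, predictable)                     # attacker wins the race: link exists first
    return victim, predictable


def vulnerable_write(predictable: str, data: str) -> None:
    """The buggy pattern: O_CREAT without O_EXCL on a guessable name. An existing
    symlink is silently followed and its target truncated and overwritten."""
    with open(predictable, "w") as f:
        f.write(data)


def safe_write_excl(predictable: str, data: str) -> bool:
    """Hardened pattern 1: O_CREAT|O_EXCL|O_NOFOLLOW refuses any pre-existing path,
    symlink or not. Returns True if the file was created, False if refused."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(predictable, flags, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return True


def safe_write_mkstemp(workdir: str, data: str) -> str:
    """Hardened pattern 2: mkstemp() picks an unpredictable name and creates it
    atomically with O_EXCL and mode 0600, so there is nothing to pre-plant."""
    fd, path = tempfile.mkstemp(prefix="fixps.", dir=workdir)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def read(path: str) -> str:
    with open(path) as f:
        return f.read()


def run_scenario(workdir: str) -> dict:
    """Attack vs. each defence; report whether the victim survived."""
    victim, predictable = setup(workdir)
    report = {}

    vulnerable_write(predictable, "garbage\n")
    report["vulnerable_clobbered_victim"] = read(victim) != VICTIM_CONTENT

    # restore the victim, then try the hardened variants against the same planted link
    with open(victim, "w") as f:
        f.write(VICTIM_CONTENT)
    report["excl_refused"] = not safe_write_excl(predictable, "garbage\n")
    report["excl_victim_intact"] = read(victim) == VICTIM_CONTENT

    tmp = safe_write_mkstemp(workdir, "garbage\n")
    report["mkstemp_victim_intact"] = read(victim) == VICTIM_CONTENT
    report["mkstemp_mode_0600"] = (os.stat(tmp).st_mode & 0o777) == 0o600
    return report


def demo() -> dict:
    """Run the scenario in a private scratch directory and return the report."""
    with tempfile.TemporaryDirectory() as d:
        return run_scenario(d)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:28s} {value}")
```

When auditing shell scripts like fixps for this bug, the thing to grep for is any redirection or `cp` into `/tmp/$name.$$` or a fixed `/tmp/name`; the fix in shell is `mktemp` (and `mktemp -d` when several files are needed), never a hand-built name, and the process should also set a restrictive umask so the file is not readable by others between creation and cleanup.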
------------------------------------------------------------------------

From isn at c4i.org Mon Jan 10 10:17:15 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jan 10 10:34:05 2005
Subject: [ISN] The Hacker Foundation Releases SLA Project
Message-ID:

FOR IMMEDIATE RELEASE

CONTACT:
North America:
B.K. DeLong, Media Liaison, The Hacker Foundation, telephone: +1.617.797.2472
Christian Wright, Media Liaison, Packetstorm Security, telephone: +1.312.399.5064
Europe:
Emerson Tan, Director, Packetstorm Security, telephone: +44.781.456.8265
e-mail: press@survivorlocationassistance.org

THE HACKER FOUNDATION RELEASES SURVIVOR LOCATION ASSISTANCE PROJECT
Organization distributes software as open-source and centralizes tracking of disaster victims.
http://www.survivorlocationassistance.org

-- 6 January 2005 -- The Hacker Foundation (THF) is pleased to announce the creation of the Survivor Location Assistance (SLA) project, a globally accessible web-based database system designed to help survivors, relatives, internally displaced people, and aid agencies connect with one another and to facilitate & coordinate the need to track all victims of disasters around the world. SLA's first application is now live and awaiting new entries - South Asian Tsunami - Survivor Location Assistance (SAT-SLA). The system is running on hardware donated by Packetstorm Security and on network connectivity provided by Asylum Networks Inc.

The SLA project encourages the myriad of web sites and organizations currently maintaining lists of survivors, Internally Displaced People & the missing to contribute their dataset to the SAT-SLA database. Hospitals, aid agencies, & NGOs are also encouraged to share their registration information to ensure relatives of survivors are notified in a fast & timely manner that their loved ones are safe & alive.

"The SLA project is why The Hacker Foundation was created," said THF President and Co-founder Jesse Krembs, "to bring useful technological resources to people in need. Our staff of volunteers has done an amazing job putting together a tool in such a short amount of time that can not only be used in this crisis, but hopefully for any humanitarian need."

On the SLA Web site, users can add a new entry with identifying information about a person, or search the database to see if their relative has been located. By the end of 1Q 2005, THF and the SLA project hope to publicly release the source code for the system and begin fostering a development community around the open source solution. Those interested in making use of the software more immediately can email the project at support@survivorlocationassistance.org. The SLA web site is located at http://www.survivorlocationassistance.org.

"THF is releasing the SLA backend to anyone who requests it & opening our survivor data to the public," said Emerson Tan, Director of Packetstorm Security. "As more of the world gets connected via the Internet, we believe the SLA project has global potential to be used in tracking IDPs, thwarting the child slave-trading of orphans from such disasters, and assisting aid agencies & NGOs responding to humanitarian efforts similar to those in the Darfur region of Sudan."

The SLA project is also seeking translation assistance for its web site, database and other resources to ensure global access and usability. "The world has many different languages," said THF's Krembs, "and disasters do not discriminate. We hope, with volunteer help, to be able to offer our information in Thai, Sinhala and other native tongues of those affected by the tsunami."

About The Hacker Foundation
The Hacker Foundation (THF) is a non-profit organization dedicated to establishing and maintaining a research & service organization to promote & explore the creative use of technological resources. Visit the Hacker Foundation web site at http://www.hackerfoundation.org.

About Packetstorm Security
Packetstorm Security is the world's largest free repository of Internet security information.
It is staffed entirely by volunteers throughout the world and mirrored in many locations. Web site at http://www.packetstormsecurity.org.

About Asylum Networks
Asylum Networks provides Internet colocation services to customers with extremely demanding security requirements. The company operates in five countries (Switzerland, Luxembourg, Cayman Islands, Denmark, and the United States) each chosen to address either financial privacy concerns or provide excellent connectivity. Asylum Networks' portfolio includes international banks, financial institutions, and security-conscious corporations. Please visit them at http://www.asylum-networks.net.

From isn at c4i.org Mon Jan 10 10:17:43 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jan 10 10:34:06 2005
Subject: [ISN] George Wackenhut Dies; Security Pioneer
Message-ID:

http://www.washingtonpost.com/wp-dyn/articles/A54899-2005Jan6.html

By Matt Schudel
Washington Post Staff Writer
January 7, 2005

George R. Wackenhut, the founder of a global security company that has guarded U.S. embassies, nuclear power plants and the trans-Alaska oil pipeline as well as neighborhood malls and countless private homes, died Dec. 31 of a heart ailment in Vero Beach, Fla. He was 85.

A hard-nosed businessman who began his career as an FBI agent tracking down counterfeiters and check forgers, Mr. Wackenhut capitalized on the nation's growing concern about corporate and personal security as he expanded his Florida-based company from a four-man operation in 1954 to a multibillion-dollar corporation. In 1984, he launched a subsidiary to design and manage jails and detention centers for the burgeoning private prison market in the United States and abroad. In time, Wackenhut Corp. became the nation's second-largest private prison operator. When Mr. Wackenhut sold his company to a Danish firm in 2002, it operated in 54 countries and had $2.8 billion in revenue.

Mr.
Wackenhut was an outspoken political conservative with ties to powerful Republicans and high-ranking leaders of the military, FBI and CIA. His office, with chairs carved in the shape of elephants, reflected his political leanings. Frequent rumors that his company was in the employ of the CIA were never substantiated, but Mr. Wackenhut, who was obsessive about high-tech security gadgets in his private life, seemed to relish the suggestion. Several of his senior executives were, in fact, former CIA operatives, and his company's board of directors included former FBI director Clarence Kelly, former National Security Agency director Bobby R. Inman, and former Defense secretary and deputy CIA director Frank Carlucci. On rare occasions, his company's clandestine work did land in the headlines. In 1991, a U.S. House committee investigated charges that a Wackenhut executive, working for a consortium of oil companies, illegally spied on a whistleblower exposing environmental damage caused by the oil industry. The executive, who had also discussed trying to implicate a California congressman in his sting, resigned immediately after a meeting with Mr. Wackenhut. Wackenhut-operated prisons have had problems as well. In 1999, the company lost a $12 million annual contract to run a jail in Texas when several Wackenhut guards were indicted for having sex with female inmates. Nonetheless, Mr. Wackenhut cultivated an image of probity, toughness and precise military order. His teak-and-granite office was spotless, and he kept a barber's chair in his private bathroom to avoid leaving the office for a haircut. George Russell Wackenhut grew up in Upper Darby, Pa., outside Philadelphia. An outstanding athlete, he was a professional soccer goalie with the Philadelphia Nationals in his youth. He graduated from what is now West Chester University in Pennsylvania. Stationed in Hawaii with the Army Corps of Engineers, Mr. Wackenhut was present at the Japanese attack on Pearl Harbor on Dec. 
7, 1941. He recalled that he was so close to a Japanese warplane that he could see the face of the pilot. After serving in the Pacific, he moved to Baltimore, where he received a master's degree in education from Johns Hopkins University and taught classes in physical education and health. In 1951, Mr. Wackenhut joined the FBI as a special agent in Indianapolis and Atlanta, resigning in 1954 to launch a company in Coral Gables, Fla., with three other former agents. At one point, they had to pass the hat to meet payroll, and the company's total assets amounted to $1.56. After early struggles -- including a fistfight between Mr. Wackenhut and one of his partners -- he took sole control of the company in 1958, naming it for himself. After working all day in the office, he sometimes worked as a security guard at night. By 1964, he had contracts to guard the Kennedy Space Center in Florida, as well as the Atomic Energy Commission's nuclear test site in Nevada. He branched out to include food service for prisons and to provide protection for companies going through labor strikes. The core of his business, though, was providing security guards to watch out for criminal activity. Ironically, his company moved from the Miami suburb of Coral Gables to Palm Beach Gardens, Fla., in part because Miami's high crime rate made it difficult to attract good workers. In 1994, an 800-page biography of Mr. Wackenhut, called "The Quiet American," [1] was published. When he sold his company for $570 million in 2002, he owned more than 50 percent of its stock. Even with a tight profit margin of 2.5 percent, the company's earnings allowed Mr. Wackenhut to live lavishly in homes scattered throughout the country. Until he moved to Vero Beach nine years ago, his primary residence was a $10 million turreted mansion near Miami decorated with firearms and medieval suits of armor. 
His house was wired with infrared and laser sensors, closed-circuit television monitors and photo-cell surveillance and had private radios for his family.

Survivors include his wife of 61 years, Ruth Wackenhut of Vero Beach, who was the company's secretary for many years; two children, Janis Ward and Richard Wackenhut; seven grandchildren; and three great-grandchildren.

[1] http://www.amazon.com/exec/obidos/ASIN/0963939505/c4iorg

From isn at c4i.org Mon Jan 10 10:18:10 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jan 10 10:34:08 2005
Subject: [ISN] IE flaw threat hits the roof
Message-ID:

http://news.com.com/IE+flaw+threat+hits+the+roof/2100-1002_3-5517457.html

By Dawn Kawamoto
Staff Writer, CNET News.com
January 7, 2005

Three unpatched flaws in Internet Explorer now pose a higher danger, a security company warned, after code to exploit one of the issues was published to the Internet. Secunia said Friday that it had raised its rating of the vulnerabilities in Microsoft's browser to "extremely critical," its highest rating.

The flaws, which affect IE 6, could enable attackers to place and execute programs such as spyware and pornography dialers on victims' computers without their knowledge, said Thomas Kristensen, Secunia's chief technology officer. Exploit code for one of the vulnerabilities, a flaw in an HTML Help control, was published on the Internet on Dec. 21 in an advisory by GreyHats Security Group.

"In order for us to rate a vulnerability as extremely critical, there has to be a working exploit out there and one that doesn't require user interaction," Kristensen said. "This is our highest rating and is the last warning for users to fix their systems."

The exploit code can be used to attack computers running Windows XP even if Microsoft's Service Pack 2 patch has been installed, Secunia said. The company is advising people to disable IE's ActiveX support as a preventative measure, until Microsoft develops a patch for the problem.
It also suggests using another browser product. The Secunia advisory also warns of another HTML Help control vulnerability that, when used in combination with a drag-and-drop flaw, could be used to attack PCs--though in that case, it would have to be with the interaction of the victim. The company first issued an alert about the three security holes in October. "Microsoft knew of this back in October," Kristensen said. "In my opinion, it's not fair to have a vulnerability known for two months without having an available patch, especially when every little detail (of the vulnerability) is out there." "Microsoft is now aware of all three issues, and I'm sure they're giving it an even higher priority," he added. Microsoft said it was investigating the public reports of the exploit, adding that the delay in fixing the IE patch was related to the extensive work needed to produce an effective patch. "It's important to note that security response requires a balance between time and testing, and Microsoft will only release an update that is as well engineered and thoroughly tested as possible--whether that is a day, week, month or longer," a Microsoft representative said. "In security response, an incomplete security update can be worse than no patch at all if it only serves to alert malicious hackers to a new issue." The company is advising people to check its safe browsing guidelines and to set their Internet security zone settings to "high." It also suggests that people continue installing automatic security updates from Service Pack 2. This latest discovery marks another setback in Microsoft's efforts to shore up its security. When Microsoft launched SP2 in August, Chair Bill Gates touted it as a significant step in fortifying systems against attacks. Secunia also offers users the ability to conduct an online test of their systems to see if they are vulnerable. 
From isn at c4i.org Mon Jan 10 10:18:44 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jan 10 10:34:11 2005
Subject: [ISN] GAO calls for security strategy
Message-ID:

http://www.fcw.com/fcw/articles/2005/0103/web-facilities-01-07-05.asp

By Dibya Sarkar
Jan. 7, 2005

Congressional auditors say a federal interagency committee in charge of coordinating the protection of government facilities needs a strategic plan for identifying priorities and implementing security measures, including leveraging technology.

Such a plan would help the Interagency Security Committee (ISC) gain greater support within the federal government, provide detailed information on its needs, establish performance measures and propose strategies for challenges it faces, according to a recent report released Jan. 6 by the Government Accountability Office. [1]

Those challenges include getting officials at agencies to agree to a governmentwide risk management process for assessing facilities, developing a compliance process so agencies can measure progress, educating senior-level staff about ISC and integrating physical security initiatives for the entire federal government and implementing change, the report states. The committee also needs more financial resources and greater staffing, according to the report.

ISC officials have made some progress, especially in the past two years. They include issuing some security standards and guidance for agencies, developing a Web site for posting policies and guidance, developing a secure Web portal for members to exchange information, and creating standard operating procedures to improve the quality of information sharing. But they need to do more.

The report identifies several major practices that could provide a framework for agencies' initiatives. They include using a risk management approach, information sharing, performance measurement and testing, aligning assets to an agency's mission, strategic workforce management, and using technology.
The report states that GAO officials, inspectors general, facility security experts and agency officials agreed that security technology is crucial. But any technology should be carefully analyzed to determine whether the benefits outweigh the costs and effects on privacy and convenience. Some advanced technologies identified include smart cards and biometrics, detection and surveillance systems, X-ray scanners, and metal detectors. But sometimes other solutions, such as using trained dogs, may be more effective and less costly, the report states. "It is important to note that focusing on obtaining and implementing the latest technology is not necessarily a key practice by itself," according to the report. "Instead, having an approach that allows for cost-effectively leveraging technology to supplement and reinforce other measures would represent an advanced security approach in this area." ISC was formed after the 1995 Oklahoma City bombing to develop policies and standards, ensure compliance, oversee implementation, and share information. In 2003, the Homeland Security Department assumed responsibility of the committee from the General Services Administration. ISC was designated last year to oversee agencies' physical security plans related to Homeland Security Presidential Directive-7, which requires agency officials to identify critical infrastructures and develop plans for prioritization, protection, recovery and reconstitution of systems or resources. According to the report, DHS officials agreed with the overall conclusions and would implement GAO's recommendations. 
[1] http://www.gao.gov/new.items/d0549.pdf

From isn at c4i.org Mon Jan 10 10:19:16 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jan 10 10:34:13 2005
Subject: [ISN] From Russia with malice
Message-ID:

Forwarded from: Thor

> Kaspersky's figures are backed by estimates from the Ukraine-based
> Computer Crime Research Centre which says the total amount of
> financial losses worldwide resulting from cybercrime exceeded $411bn
> at the end of last year.

411 billion in *losses*?? Does anyone else have issues with this figure?

To give some perspective, that is more than the reported 2003 earnings of Citigroup, Bank of America, JP Morgan Chase, Morgan Stanley, Wells Fargo, Prudential Financial, Merrill Lynch, American Express, Bank One Corp, Hartford Financial, and US Bancorp all *COMBINED* with about 10 billion to spare.

T

From isn at c4i.org Tue Jan 11 01:44:03 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jan 11 02:01:20 2005
Subject: [ISN] Microsoft 'Titan' Will Zap 10 Top Worms
Message-ID:

http://www.eweek.com/article2/0,1759,1749818,00.asp

By Ryan Naraine
January 10, 2005

When the first version of Microsoft Corp.'s new malicious software removal tool is released on Tuesday, it will be pre-programmed to zap 10 of the most virulent worms and viruses, including Blaster, Sasser, MyDoom and Nachi.

As previously reported, the tool will be released as a "critical" download and updated once a month as part of Microsoft's scheduled software patch cycle. According to a note released to Microsoft MVPs (Most Valuable Professionals), the initial version of the tool, code-named Titan, will be able to detect and delete the Blaster, Sasser, MyDoom, DoomJuice, Zindos, Berweb/Download.Ject, Gailbot and Nachi viruses.

In the event of a major worm or virus outbreak, Microsoft will push out updates for the malicious software removal tool outside of the monthly cycle, according to Amy Carroll, director of product management in Microsoft's security business technology unit.
The tool will also be pushed out to Windows users as a download through the Microsoft Download Center. Customers who have Automatic Updates turned on will automatically receive the download. It will also be made available as an ActiveX control on a malware removal section of Microsoft's home page.

The tool is programmed to scan a PC for infections of known viruses, but it is not intended as a substitute for full anti-virus protection. After a scan is conducted, the Microsoft tool will present color-coded results: a red 'X' for an infected machine or a green checkbox if nothing is detected.

Anti-virus vendor McAfee Inc. also provides a similar tool called Avert Stinger. Stinger, available as a free download, uses scan engine technology, including process scanning, digitally signed DAT files and scan performance optimizations, to disinfect systems.

From isn at c4i.org Tue Jan 11 01:44:26 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jan 11 02:01:22 2005
Subject: [ISN] Hacker compromises data at George Mason University
Message-ID:

Forwarded from: William Knowles

http://www.computerworld.com/securitytopics/security/story/0,10801,98848,00.html

By Jaikumar Vijayan
JANUARY 10, 2005
COMPUTERWORLD

The names, photos and Social Security numbers of more than 32,000 students and staff at George Mason University in Fairfax, Va., have been compromised as the result of a hacker attack against the university's main ID server.

The attack was discovered during a routine review of system files and prompted the school to disconnect the compromised server from the network, according to an e-mail sent to members of the university community yesterday by Joy Hughes, the school's vice president for information technology.

"It appears that the hackers were looking for access to other campus systems rather than specific data," Hughes wrote in her e-mail. "However, it is possible that the data on the server could be used for identity theft."
Law enforcement authorities and school officials are now investigating the incident, which was discovered last week but may have occurred as far back as November.

The affected server contained information on "all members of the Mason community who have identification cards," Hughes said in her message. The intruders also installed tools on the ID server that allowed other campus servers to be probed. Hughes, however, offered no details about the other GMU systems that may have been probed.

"There is no evidence that any of the data available on the Mason ID server has yet been used illegally," she wrote, while urging students and staff to contact the three major credit bureaus and place fraud alerts on their credit files.

The university is the largest state college in Virginia, with more than 28,000 enrolled students and over 4,000 employees, according to the GMU Web site.

Daniel Walsch, director of GMU's media center, said the break-in was discovered on Jan. 2. Preliminary indications are that hackers may have broken into the system as far back as late November, Walsch said.

"We felt that everything was secure and that we had safeguarded against something like this," he said, noting that the university is looking to see what other systems were also broken into. "There were some hints that [the hackers] were trying to open some other doors. We are not sure if anything else was compromised."

The incident is a black eye for an institution that is one of a few select universities to be designated as Centers of Academic Excellence in Information Assurance Education by the National Security Agency. Students at the university's Information Assurance Scholarship Program are placed in Defense Department jobs upon completion of the program, according to the school's Web site.
"What concerns me is that they promote themselves as being big in the infosec world," with some of the best resources and staff in the academic world, said one part-time student who asked not to be identified.

"In the 'Do as I say, not as I do' department, GMU has a Center for Secure Information Systems, [which is] both a research and teaching outfit," said another university source who also asked not to be named. "CSIS has numerous cooperative agreements with local defense and government contractors," which makes the break-in more significant, he said.

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Tue Jan 11 01:44:38 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jan 11 02:01:24 2005
Subject: [ISN] Security researcher to be jailed for finding bugs in software?
Message-ID:

http://www.zdnet.com.au/news/security/0,2000061744,39176657,00.htm

By Munir Kotadia
ZDNet Australia
11 January 2005

A French security researcher who published exploit codes that could take advantage of bugs in an anti-virus application, could be imprisoned for violation of copyright laws.

In 2001, French security researcher Guillaume Tena found a number of vulnerabilities in the Viguard antivirus software published by Tegam. Tena, who at the time was known by his pseudonym Guillermito, published his research online in March 2002.

However, Tena's actions were not viewed kindly by Tegam, who initiated legal action against the researcher. That action resulted in a case being brought to trial at a Court in Paris, France. The trial kicked off on January 4 after being deferred from its initially scheduled start date of October 5, 2004.
The prosecution claims that Tena violated article 335.2 of the code of the intellectual property and is asking for a four month jail term and a 6,000 euro fine. Additionally, Tegam is proceeding with a civil case against Tena and asking for 900,000 euros in damages.

According to Tena's Web site, his research "showed how the program worked, demonstrated a few security flaws and carried out some tests with real viruses. Unlike the advertising claimed, this software didn't detect and stop 100 percent of viruses."

Tena, who is currently a researcher for Harvard University in Massachusetts, said that Tegam responded in a "weird way" by first branding him a terrorist and then filing a formal complaint in Paris.

During the resulting tribunal, Tena said the judge decided that because the published exploits included some re-engineered source code from Viguard's software, he had violated French copyright laws.

According to French security Web site K-OTik, Tena had technically broken copyright laws because his exploits were "not for personal use, but were communicated to a third party". However, K-OTik, which regularly publishes exploit codes, claims that the ruling could create a precedent so vulnerabilities in software, however critical, could not be declared publicly without prior agreement from the software publisher. K-OTik's editors say the ruling is "unimaginable and unacceptable in any other field of scientific research".

On Tena's Web site, he claims that if independent researchers are not allowed to freely publish their findings about security software then users will only have "marketing press releases" to assess the quality of the software.

"Unfortunately, it seems that we are heading this way in France and maybe in Europe," Tena said. "To use an analogy, it's a little bit as if Ford was selling cars with defective brakes. If I realised that there was a problem, opened the hood and took a few pictures to prove it, and published everything on my Web site, then Ford could file a complaint against me," added Tena.

Philip N Argy, senior partner of the intellectual property and technology group at Australian law firm Mallesons Stephen Jaques, said that if a similar case was put to trial in Australia the prosecution would be unlikely to get a conviction because of our "fair comment provisions".

"We have strong copyright protection as well as strong anti-hacking laws, but from what I can glean from the translations, all that Guillermito did was to publish the details of the parts of the code which contained serious bugs that made the software erroneously treat as a virus some legitimate software. I'd have thought that would be at least within the fair comment provisions of Australian copyright law," said Argy.

The final ruling will be made in Paris on March 8, 2005.

From isn at c4i.org Tue Jan 11 01:44:49 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jan 11 02:01:27 2005
Subject: [ISN] DallasCon 2005 Professional Information Security Conference
Message-ID:

Forwarded from: contact@dallascon.com

DallasCon 2005 Professional Information Security Conference
May 2-7, 2005
Dallas, Texas

Limited Space Available - Pre-registration Ends February 15, 2005!

DallasCon 2005 will focus on a practical approach to Network and Wireless Security geared directly to the Technical Professionals. The event will begin with a 4-day, intense hands-on Training Boot Camp in the areas of Network Penetration and Wireless Security, followed by a 2-Day Conference covering the latest research from leading security experts, researchers, and authors.

Currently, hundreds of papers are being reviewed for submission at DallasCon 2005. Current topics include: VOIP Security, Wireless Hacking, Network Penetration, Encryption and much more.

For more information visit http://www.DallasCon.com or contact 775-278-8911.
From isn at c4i.org Tue Jan 11 01:45:01 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jan 11 02:01:29 2005
Subject: [ISN] Google exposes web surveillance cams
Message-ID:

http://www.theregister.co.uk/2005/01/08/web_surveillance_cams_open_to_all/

By Kevin Poulsen, SecurityFocus
8th January 2005

Blogs and message forums buzzed this week with the discovery that a pair of simple Google searches permits access to well over 1,000 unprotected surveillance cameras around the world - apparently without their owners' knowledge.

Searching on certain strings within a URL sniffs out networked cameras that have Web interfaces permitting their owners to view them remotely, and even direct the cameras' motorized pan-and-tilt mechanisms from the comfort of their own desktop.

Video surfers are using this knowledge to peek in on office and restaurant interiors, a Japanese barnyard, women doing laundry, the interior of an Internet colocation facility, and a cage full of rodents, among other things, in locales scattered around the world.

News of the panoptical search queries apparently began on a community web forum, then spread to the widely-read BoingBoing weblog Wednesday and Thursday. In the past, geeks wanting to peek in on surveillance cams have driven around with receivers and special antenna rigs to pick up signals from wireless cameras.

One of the Google search strings circulating summons a list of nearly 1,000 installed network cameras made by Swedish-based Axis Communications, the other turns up about 500 cameras sold by Panasonic. Neither company could be reached after hours Friday.

According to their websites, both companies offer the ability to password-protect the Web interfaces to their cameras, and Axis has a feature that blocks access to webcams from all but approved Internet IP addresses. It's not apparent whether the security features are enabled by default.
A FAQ on Panasonic's website includes a warning that their network cameras may not be right for "sensitive applications," and sports a broad disclaimer: "No specific claims are made pertaining to specific levels of security the camera offers."

From isn at c4i.org Tue Jan 11 01:46:32 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jan 11 02:01:32 2005
Subject: [ISN] From Russia with malice (Two messages)
Message-ID:

Forwarded from: GertJan Hagenaars

Apparently, InfoSec News wrote:
% Forwarded from: Thor
%
% > Kaspersky's figures are backed by estimates from the Ukraine-based
% > Computer Crime Research Centre which says the total amount of
% > financial losses worldwide resulting from cybercrime exceeded $411bn
% > at the end of last year.
%
% 411 billion in *losses*?? Does anyone else have issues with this
% figure? To give some perspective, that is more than the reported 2003
% earnings of Citigroup, Bank of America, JP Morgan Chase, Morgan
% Stanley, Wells Fargo, Prudential Financial, Merrill Lynch, American
% Express, Bank One Corp, Hartford Financial, and US Bancorp all
% *COMBINED* with about 10 billion to spare.
%
% T

http://www.ebcvg.com/press.php?id=679

The top five malware families of all time including hybrids are: 1. MyDoom; 2. Netsky; 3. SoBig; 4. Klez; and 5. Sasser. The total economic damage worldwide from malware proliferation - with an additional 480 new species in 2004 alone - is now estimated to lie between $166bn and $202bn for 2004 by the mi2g Intelligence Unit. With an installed base of around 600 million Windows based computers worldwide, this works out roughly as average damage per installed machine of between $277 and $336.

These numbers are too close for comfort. Two independent sources, so it must be true. Unless of course one copied and expanded on the acid-enhanced data dreams of the other... (All hype can eventually be traced back to mi2g.)

Cheers,
GertJan.
--
+++++++++++++ -------- +++++ --- ++ - +0+ + ++ +++ +++++ ++++++++ +++++++++++++
sed '/^[when][coders]/!d       G.J.W. Hagenaars -- gj at hagenaars dot com
     /^...[discover].$/d       Remembering Mike Carty 1968-1994
     /^..[real].[code]$/!d     UltrixIrixAIXHPUXSunOSLinuxBSD, nothing but nix
     ' /usr/dict/words         I'm Dutch, what's _your_ excuse?

-=-

Forwarded from: Jason Scott

One of my favorite fudging of numbers during the Mitnick trial was that not only did his damages include the cost of developing Solaris in its entirety, it included the cost of building the buildings the developers were housed in.

See, that's some tasty fudge.

On Mon, 10 Jan 2005, InfoSec News wrote:

> Forwarded from: Thor
>
> > Kaspersky's figures are backed by estimates from the Ukraine-based
> > Computer Crime Research Centre which says the total amount of
> > financial losses worldwide resulting from cybercrime exceeded $411bn
> > at the end of last year.
>
> 411 billion in *losses*?? Does anyone else have issues with this
> figure? To give some perspective, that is more than the reported
> 2003 earnings of Citigroup, Bank of America, JP Morgan Chase, Morgan
> Stanley, Wells Fargo, Prudential Financial, Merrill Lynch, American
> Express, Bank One Corp, Hartford Financial, and US Bancorp all
> *COMBINED* with about 10 billion to spare.
>
> T

From isn at c4i.org Wed Jan 12 10:38:11 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jan 12 10:55:26 2005
Subject: [ISN] Security researcher to be jailed for finding bugs in software?
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"
Cc: computerforensicsworld@yahoogroups.com, Seclegal@jscript.dk

Date sent: Tue, 11 Jan 2005 00:44:38 -0600 (CST)
From: InfoSec News

> http://www.zdnet.com.au/news/security/0,2000061744,39176657,00.htm
>
> A French security researcher who published exploit codes that could
> take advantage of bugs in an anti-virus application, could be
> imprisoned for violation of copyright laws.

I warned ya.
OK, well not quite the same situation, but on page 21 of "Software Forensics" I noted that this type of situation might one day result in a malware author challenging evidence obtained by forensic examination on the basis of the laws supposedly supporting copyright by inveighing against reverse engineering.

======================  (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca  slade@victoria.tc.ca  rslade@sun.soci.niu.edu
If you surveyed a hundred typical middle-aged Americans, I bet you'd find that only two of them could tell you their blood types, but every last one of them would know the theme song from the Beverly Hillbillies. - Dave Barry
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

From isn at c4i.org Wed Jan 12 10:38:44 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jan 12 10:55:29 2005
Subject: [ISN] Microsoft Patches Flaw in Service Pack 2
Message-ID:

http://www.washingtonpost.com/wp-dyn/articles/A1504-2005Jan11.html

By Brian Krebs
washingtonpost.com Staff Writer
January 11, 2005

Microsoft Corp. on Tuesday issued a trio of software updates to fix security holes in computers powered by its Windows operating system, including one flaw that hackers are using to infiltrate PCs equipped with a massive security upgrade the company released just five months ago.

The three patches, available at http://windowsupdate.microsoft.com, mend four different software holes. Two of the patches earned a "critical" rating from Microsoft, its most serious. The software giant said attackers could exploit three of the flaws merely by convincing users to visit a malicious Web site or open a specially crafted e-mail.

The most severe of the flaws involves a glitch in the way Windows handles requests for "HTML help," a function that uses Microsoft's Internet Explorer Web browser to display instructions for using a variety of computer programs.
The help-file flaw is present in nearly all versions of Windows, including computers running Windows XP that also have the Service Pack 2 security upgrade installed. Service Pack 2 was released to the public in August to fix a number of persistent security problems and to switch on key Windows XP security features, such as automatic downloading and installation of patches and a firewall to block unwanted Internet traffic.

Stephen Toulouse, Microsoft's security program manager, said the company has seen only a handful of attempts to exploit the help-file security flaw. "Still, any amount of exploitation concerns us, and this update addresses that," he said.

Oliver Friedrichs, senior manager of security response for Cupertino, Calif.-based security firm Symantec Corp., said his company has seen at least three different cases where malicious Web sites have used the help-file weakness to install spyware on vulnerable computers.

Friedrichs cautioned that the other three security flaws remain serious threats, as computer code demonstrating how attackers could wield at least one of them now is publicly available online.

Microsoft also released today a "malicious software removal tool," which scours Windows PCs for some of the more prolific Internet worms, including "Blaster," "Sasser," "Mydoom," "Gaobot" and "Nachi." The tool will be distributed to the more than 112 million Windows users who have opted to accept automatic security updates from Microsoft and will be updated once a month, Toulouse said.
From isn at c4i.org Wed Jan 12 10:39:39 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jan 12 10:55:30 2005
Subject: [ISN] Intelligence Conference & Exposition, Feb 8-10, 2005
Message-ID:

Forwarded from: David Jimenez

Please visit the website at www.intelcon.us and have a look at the presenters who will be at the conference, along with the agenda.

National Intelligence Conference & Exposition, Feb 8-10, 2005, Arlington (Crystal City)

INTELCON is a national conference and exposition on intelligence, and the relationship between intelligence and national security. Its goal is to annually bring together intelligence professionals and members of Congress in an informal setting on neutral ground to provide educational enhancement and discuss issues of common concern.

Program Tracks:
  Federal Civilian
  Dept. of Defense
  State/Local Law Enforcement
  Business Private Sector
  Professional Enhancement

Seminars:
  Trends in Intelligence Technology
  Political, Policy and Legal Issues
  The Role of Congress in Intelligence Oversight
  Reforming the Intelligence Community
  Global Economic Espionage and Corporate Intelligence
  The View from Abroad
  Sharing Intelligence
  Getting the Public involved

david

David Jimenez, MSgt, USAF (Ret), CCA
Intelligence Specialist, USBP, El Paso, Texas
Faculty, Univ. of Texas @ El Paso & American Military Univ
IALEIA Director of Training, Education, and Career Development
Owner/Moderator: www.IntelligenceIsTheFuture.com

From isn at c4i.org Wed Jan 12 10:40:05 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jan 12 10:55:32 2005
Subject: [ISN] Report: Water systems' security lapses
Message-ID:

http://edition.cnn.com/2005/US/01/10/epa.water.ap/index.html

January 11, 2005

WASHINGTON (AP) -- Water utilities have installed computer-based remote controls "with little attention paid to security," leaving valves, pumps and chemical mixers for water supplies vulnerable to cyber-attack, according to an Environmental Protection Agency report.
In a report Monday, the EPA's inspector general cited costs, lack of ability to check employees' backgrounds and poor communication between technical engineers and management for the shortcomings.

Benjamin Grumbles, EPA's water chief, said Monday he agrees with the report's assessment that there are "a broad range of challenges" facing water utilities, particularly with wireless communications systems, but that his office now has a plan for making improvements.

"We are actively working to provide additional tools to communities to enhance cyber security, providing funding for information that would be placed on a secure web site by the fall, to help utilities be more aware of potential threats to their computer systems," Grumbles said.

His office also is getting help, he said, from the Homeland Security Department on ways of dealing with cyber threats and from an advisory council on how to help utilities measure their improvement.

The computer-based controls were "developed with little attention paid to security, making the security of these systems often weak," the report says. As a result, many of the Supervisory Control and Data Acquisition networks used by water agencies to collect data from sensors and control equipment such as pumps and valves "may be susceptible to attacks and misuse."

The danger is illustrated by an attack on an Australian waste management system in 2000, the report says. An engineer who had worked for the contractor that supplied the remote control equipment for the system used radio telemetry to gain unauthorized access and dump raw sewage into public waterways and the grounds of a hotel.

EPA Inspector General Nikki L. Tinsley urged EPA to find out what is keeping specific water utility operators from making the systems secure, and to develop federal security measures that could be used to correct the problems.
The review by Tinsley's office was suspended after a meeting with Grumbles' office, which agreed to incorporate her concerns into its work.

Tinsley notes that EPA spent $250,000 (€190,800) in 2002 to pay for research into how to improve security for computerized and automated systems and that Homeland Security began focusing on protections for the networks only last May.

In September, Grumbles told a House Energy subcommittee that the Bush administration had "worked diligently" to improve security of water facilities including 54,000 community drinking water systems and 16,000 public wastewater treatment plants.

The National Research Council, reviewing EPA's plan for improving water system protection, also has cited a need for more attention to security in designing the networks, and for heading off potential internal threats such as actions by a disgruntled employee.

From isn at c4i.org Wed Jan 12 10:40:23 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jan 12 10:55:35 2005
Subject: [ISN] Hacker breaches T-Mobile systems, reads US Secret Service email
Message-ID:

http://www.theregister.co.uk/2005/01/12/hacker_penetrates_t-mobile/

By Kelly Martin
SecurityFocus
12th January 2005

A sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor US Secret Service email, obtain customers' passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities, SecurityFocus has learned.

Twenty-one year-old Nicolas Jacobsen was quietly charged with the intrusions last October, after a Secret Service informant helped investigators link him to sensitive agency documents that were circulating in underground IRC chat rooms. The informant also produced evidence that Jacobsen was behind an offer to provide T-Mobile customers' personal information to identity thieves through an Internet bulletin board, according to court records.
Jacobsen could access information on any of the Bellevue, Washington-based company's 16.3 million customers, including many customers' Social Security numbers and dates of birth, according to government filings in the case. He could also obtain voicemail PINs, and the passwords providing customers with web access to their T-Mobile email accounts. He did not have access to credit card numbers.

The case arose as part of the Secret Service's "Operation Firewall" crackdown on internet fraud rings last October, in which 19 men were indicted for trafficking in stolen identity information and documents, and stolen credit and debit card numbers. But Jacobsen was not charged with the others. Instead he faces two felony counts of computer intrusion and unauthorized impairment of a protected computer in a separate, unheralded federal case in Los Angeles, currently set for a 14 February status conference.

The government is handling the case well away from the spotlight. The US Secret Service, which played the dual role of investigator and victim in the drama, said Tuesday it couldn't comment on Jacobsen because the agency doesn't discuss ongoing cases - a claim that's perhaps undermined by the 19 other Operation Firewall defendants discussed in a Secret Service press release last fall. Jacobsen's prosecutor, assistant US attorney Wesley Hsu, also declined to comment. "I can't talk about it," Hsu said simply. Jacobsen's lawyer didn't return a phone call.

T-Mobile, which apparently knew of the intrusions by July of last year, has not issued any public warning. Under California's anti-identity theft law "SB1386," the company is obliged to notify any California customers of a security breach in which their personally identifiable information is "reasonably believed to have been" compromised.
That notification must be made in "the most expedient time possible and without unreasonable delay," but may be postponed if a law enforcement agency determines that the disclosure would compromise an investigation. Company spokesman Peter Dobrow said Tuesday that nobody at T-Mobile was available to comment on the matter.

Cat and Mouse Game

According to court records the massive T-Mobile breach first came to the government's attention in March 2004, when a hacker using the online moniker "Ethics" posted a provocative offer on muzzfuzz.com, one of the crime-facilitating online marketplaces being monitored by the Secret Service as part of Operation Firewall.

"[A]m offering reverse lookup of information for a t-mobile cell phone, by phone number at the very least, you get name, ssn, and DOB at the upper end of the information returned, you get web username/password, voicemail password, secret question/answer, sim#, IMEA#, and more," Ethics wrote.

The Secret Service contacted T-Mobile, according to an affidavit filed by cyber crime agent Matthew Ferrante, and by late July the company had confirmed that the offer was genuine: a hacker had indeed breached their customer database. At the same time, agents received disturbing news from a prized snitch embedded in the identity theft and credit card fraud underground.

Unnamed in court documents, the informant was an administrator and moderator on the Shadowcrew site who'd been secretly cooperating with the government since August 2003 in exchange for leniency. By all accounts he was a key government asset in Operation Firewall.

On 28 July the informant gave his handlers proof that their own sensitive documents were circulating in the underground marketplace they were striving to destroy. He had obtained a log of an IRC chat session in which a hacker named "Myth" copy-and-pasted excerpts of an internal Secret Service memorandum report, and a Mutual Legal Assistance Treaty from the Russian Federation.
Both documents are described in the Secret Service affidavit as "highly sensitive information pertaining to ongoing USSS criminal cases".

At the agency's urging, the informant made contact with Myth, and learned that the documents represented just a few droplets in a full-blown Secret Service data spill. The hacker knew about Secret Service subpoenas relating to government computer crime investigations, and even knew the agency was monitoring his own Microsoft ICQ chat account.

Myth refused to identify the source of his informational largesse, but agreed to arrange an introduction. The next day Myth, the snitch, and a third person using the nickname "Anonyman" met on an IRC channel. Over the following days, the snitch gained the hacker's trust, and the hacker confirmed that he and Ethics were one and the same. Ethics began sharing Secret Service documents and emails with the informant, who passed them back to the agency.

Honeypot Proxy

By 5 August the agents already had a good idea what was going on, when Ethics made a fateful mistake. The hacker asked the Secret Service informant for a proxy server - a host that would pass through web connections, making them harder to trace. The informant was happy to oblige.

The proxy he provided, of course, was a Secret Service machine specially configured for monitoring, and agents watched as the hacker surfed to "My T-Mobile," and entered a username and password belonging to Peter Cavicchia, a Secret Service cyber crime agent in New York.

Cavicchia was the agent who last year spearheaded the investigation of Jason Smathers, a former AOL employee accused of stealing 92 million customer email addresses from the company to sell to a spammer. The agent was also an adopter of mobile technology, and he did a lot of work through his T-Mobile Sidekick - an all-in-one cellphone, camera, digital organizer and email terminal.
The Sidekick uses T-Mobile servers for email and file storage, and the stolen documents had all been lifted from Cavicchia's T-Mobile account, according to the affidavit. (Cavicchia didn't respond to an email query from SecurityFocus Tuesday.)

By that time the Secret Service already had a line on Ethics' true identity. Agents had the hacker's ICQ number, which he'd used to chat with the informant. A web search on the number turned up a 2001 resume for the then-teenaged Jacobsen, who'd been looking for a job in computer security. The e-mail address was listed as ethics@netzero.net.

The trick with the proxy honeypot provided more proof of the hacker's identity: the server's logs showed that Ethics had connected from an IP address belonging to the Residence Inn Hotel in Buffalo, New York. When the Secret Service checked the Shadowcrew logs through a backdoor set up for their use - presumably by the informant - they found that Ethics had logged in from the same address. A phone call to the hotel confirmed that Nicolas Jacobsen was a guest.

Snapshots Compromised

Eight days later, on 27 October, law enforcement agencies dropped the hammer on Operation Firewall, and descended on fraud and computer crime suspects across eight states and six foreign countries, arresting 28 of them. Jacobsen, then living in an apartment in Santa Ana in Southern California, was taken into custody by the Secret Service. He was later released on bail with computer use restrictions. Jacobsen lost his job at Pfastship Logistics, an Irving, California company where he worked as a network administrator, and he now lives in Oregon.

The hacker's access to T-Mobile gave him more than just Secret Service documents. A friend of Jacobsen's says that prior to his arrest, Jacobsen provided him with digital photos that he claimed celebrities had snapped with their cell phone cameras.
"He basically just said there was flaw in the way the cell phone servers were set up," says William Genovese, a 27-year-old hacker facing unrelated charges for allegedly selling a copy of Microsoft's leaked source code for $20.00. Genovese provided SecurityFocus with an address on his website featuring what appears to be grainy candid shots of Demi Moore, Ashton Kutcher, Nicole Richie, and Paris Hilton. The swiped images are not mention in court records, but a source close to the defense confirmed Genovese's account, and says Jacobson amused himself and others by obtaining the passwords of Sidekick-toting celebrities from the hacked database, then entering their T-Mobile accounts and downloading photos they'd taken with the wireless communicator's built-in camera. The same source also offers an explanation for the secrecy surrounding the case: the Secret Service, the source says, has offered to put the hacker to work, pleading him out to a single felony, then enlisting him to catch other computer criminals in the same manner in which he himself was caught. The source says that Jacobson, facing the prospect of prison time, is favorably considering the offer. From isn at c4i.org Thu Jan 13 11:17:19 2005 From: isn at c4i.org (InfoSec News) Date: Thu Jan 13 11:34:34 2005 Subject: [ISN] Yet another cybersecurity chief steps down Message-ID: http://news.com.com/Yet+another+cybersecurity+chief+steps+down/2100-7348_3-5534064.html By Robert Lemos Staff Writer, CNET News.com January 12, 2005 The Department of Homeland Security's top bureaucrat in charge of cybersecurity and physical-infrastructure protection resigned on Tuesday, as the Bush administration nominated a federal judge and prosecutor to head the agency. The resignation of Robert Liscouski, director of the National Cyber Security Division, is the latest blow to the Department of Homeland Security's cybersecurity initiatives, which many industry experts have criticized as lacking leadership. 
In October, the agency's top cybersecurity official, Amit Yoran, resigned from the DHS amid industry calls to give the post more power.

"There has been a revolving door on cybersecurity at the DHS," said Dan Burton, vice president of governmental affairs at security firm Entrust. "They have had three different heads of that division in the past 18 months, which has made it a challenge to have continuity and stability."

While the industry has largely praised the Bush administration's position on cybersecurity, as spelled out in the National Strategy to Secure Cyberspace, security experts believe the information frontier has not been effectively patrolled.

"The problems of the past have been largely because of the fallout of 9/11 and the focus of the federal government on physical security," said Paul Kurtz, executive director of the Cyber Security Industry Alliance. "Cybersecurity has been put in the backseat."

News of the resignation came as the Bush administration announced its second nomination for the post of secretary of the Department of Homeland Security. The nominee, Michael Chertoff, has been a U.S. Court of Appeals judge, a U.S. attorney for New Jersey and an assistant U.S. attorney general. The administration's first pick, Bernard Kerik, bowed out of the nomination in early December after a variety of legal and ethical problems were publicized.

While President Bush praised Chertoff for being a "practical organizer, a skilled manager and a brilliant thinker," the nominee is also a safe bet. Chertoff has passed muster in the Senate three times already, successfully being confirmed for three other government positions.

For cybersecurity, Chertoff's nomination could signal a change in policy at the Department of Homeland Security, Entrust's Burton posited. Three years ago, Burton met with the nominee while Chertoff was at the Department of Justice, handling criminal prosecutions, including cybercrime cases, he said.

"We will see how deeply he personally gets engaged in the focus on cybersecurity," Entrust's Burton said. "But clearly, at the top, we have someone that understands this issue."

Sources knowledgeable about Chertoff's confirmation process believe Congress will quickly give the thumbs-up to the former judge and prosecutor. Liscouski will be leaving by February, a spokesperson for the Department of Homeland Security said.

Security experts hope the new guard will bring a new focus on Internet and information security.

"Attacks are occurring every day in cyberspace," CSIA's Kurtz said. "Are terrorists behind those attacks? No. But we have criminals in cyberspace, and that needs far more attention from the federal government."

From isn at c4i.org Thu Jan 13 11:18:40 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jan 13 11:34:37 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-2
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2005-01-06 - 2005-01-13

This week : 73 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information.

Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

ADVISORIES:

Last Friday, Secunia increased the rating of Secunia advisory SA12889 from "Highly Critical" to "Extremely Critical", which is our most severe rating of vulnerabilities.

Additional information about terms and the criticality ratings that we use can be found here:
http://secunia.com/about_secunia_advisories/

The criticality rating was increased due to exploit code being released on public mailing lists, and the fact that no solution was available from the vendor.

Secunia also made a demonstration available for people to test if their systems were affected:
http://secunia.com/internet_explorer_command_execution_vulnerability_test/

On Tuesday, as part of Microsoft's monthly patch release cycle, a patch was released for this vulnerability. More information can be found in the referenced Secunia advisory below.

References:
http://secunia.com/SA12889/

--

In addition, Microsoft also issued two other security bulletins, which correct vulnerabilities in the handling of Icon and Cursor files and in the Indexing Service. Please refer to the Secunia advisories below for more information.

References:
http://secunia.com/SA13802/
http://secunia.com/SA13645/

--

Apple released a new version of their very popular media player iTunes, which corrects a buffer overflow vulnerability in the handling of certain playlists. Users are advised to update to the latest version.

References:
http://secunia.com/SA13804/

--

Details were released about a vulnerability in the Opera browser, which can be exploited using a specially crafted "data:" URI, potentially tricking users into opening malicious files. Currently, no vendor supplied solution is available. However, a good precautionary measure is never to open files from untrusted sources.

References:
http://secunia.com/SA13818/

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA12889] Microsoft Internet Explorer Multiple Vulnerabilities
2.  [SA13599] Mozilla / Mozilla Firefox Download Dialog Source Spoofing
3.  [SA13482] Internet Explorer DHTML Edit ActiveX Control Cross-Site Scripting
4.  [SA13129] Mozilla / Mozilla Firefox Window Injection Vulnerability
5.  [SA13704] Internet Explorer FTP Download Directory Traversal
6.  [SA13645] Microsoft Windows Multiple Vulnerabilities
7.  [SA12321] Microsoft Internet Explorer Drag and Drop Vulnerability
8.  [SA12959] Internet Explorer HTML Elements Buffer Overflow Vulnerability
9.  [SA13251] Microsoft Internet Explorer Window Injection Vulnerability
10. [SA13737] Apache Tomcat "Tomcat Manager" Cross-Site Scripting

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA13802] Microsoft Windows Indexing Service Buffer Overflow Vulnerability
[SA13818] Opera "data:" URI Handler Spoofing Vulnerability
[SA13781] Winamp Unspecified "in_cdda.dll" Buffer Overflow Vulnerability
[SA13754] Amp II Engine Empty UDP Datagram Denial of Service
[SA13738] WinHKI Archive Extraction Directory Traversal Vulnerability
[SA13770] Gracebyte Network Assistant UDP Datagram Denial of Service
[SA13786] Mozilla / Mozilla Firefox Dialog Overlapping Weakness

UNIX/Linux:
[SA13810] Gentoo update for imlib2
[SA13799] Gentoo update for koffice/kpdf
[SA13798] Gentoo update for konqueror
[SA13788] Gentoo update for mpg123
[SA13779] mpg123 Mpeg Layer-2 Buffer Overflow Vulnerability
[SA13776] SUSE update for libtiff/tiff
[SA13764] Gentoo update for dillo
[SA13763] VHCS "include_path" File Inclusion Vulnerability
[SA13760] Dillo "a_Capi_ccc()" Format String Vulnerability
[SA13755] Fedora update for gpdf
[SA13752] Debian update for imlib2
[SA13749] Conectiva update for wxgtk2
[SA13746] Mandrake update for libtiff
[SA13744] Mandrake update for wxGTK2
[SA13739] Gentoo update for xine-lib
[SA13811] Gentoo update for o3read
[SA13780] Gentoo update for unrtf
[SA13778] Gentoo update for pdftohtml
[SA13775] pdftohtml "doImage()" Buffer Overflow Vulnerability
[SA13774] Fedora update for libtiff
[SA13772] Gentoo update for tikiwiki
[SA13768] TikiWiki Wiki Edit Page Arbitrary Script Upload Vulnerability
[SA13750] Debian update for tiff
[SA13745] Gentoo update for phpgroupware
[SA13741] Fedora update for exim
[SA13740] Gentoo update for vilistextum
[SA13809] Netscape Directory Server LDAP Request Handling Buffer Overflow
[SA13808] Mandrake update for nfs-utils
[SA13777] Ubuntu update for krb5
[SA13767] Debian update for linpopup
[SA13757] Debian update for krb5
[SA13748] Conectiva update for samba
[SA13800] Gentoo update for kdelibs
[SA13797] Ubuntu update for mailman
[SA13759] Debian update for kdelibs
[SA13751] Debian update for namazu2
[SA13742] Mandrake update for nasm
[SA13816] Gentoo update for hylafax
[SA13815] Debian update for hylafax
[SA13812] HylaFAX hfaxd Authentication Bypass Vulnerability
[SA13805] UnixWare mountd Multiple Process Creation Denial of Service
[SA13789] Squid NTLM fakeauth_auth Helper Denial of Service
[SA13817] Debian update for exim
[SA13796] Debian update for bmv
[SA13793] BMV Insecure Temporary File Creation
[SA13791] SquirrelMail Vacation Plugin Two Vulnerabilities
[SA13785] Fedora update for kernel
[SA13784] Linux Kernel Multiple Vulnerabilities
[SA13758] iproute2 netbug Script Insecure Temporary File Creation
[SA13756] Linux Kernel Binary Format Loaders Privilege Escalation
[SA13743] Mandrake update for vim
[SA13771] Debian lintian Insecure Temporary File Deletion Security Issue

Other:
[SA13766] Novell Netware CIFS Denial of Service Vulnerability
[SA13753] Apple AirPort Express/Extreme WDS Denial of Service
[SA13762] Amphor@ GATE Security Bypass Vulnerabilities

Cross Platform:
[SA13804] Apple iTunes Playlist Handling Buffer Overflow Vulnerability
[SA13769] Zeroboard "dir" File Inclusion Vulnerability
[SA13747] Sugar Sales "moduleDefaultFile" File Inclusion Vulnerability
[SA13795] Guestserver "message" Script Insertion Vulnerability
[SA13794] Dokeos Course Script Insertion Vulnerability
[SA13783] Invision Community Blog Module "eid" SQL Injection
[SA13765] VideoDB Multiple Vulnerabilities
[SA13761] Greymatter Script Insertion Vulnerabilities
[SA13801] Hitachi Directory Server LDAP Request Handling Buffer Overflow
[SA13782] WoltLab Burning Board Lite "userid" Cross-Site Scripting
[SA13737] Apache Tomcat "Tomcat Manager" Cross-Site Scripting

========================================================================
5) Vulnerabilities Content Listing

Windows:
--

[SA13802] Microsoft Windows Indexing Service Buffer Overflow
Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-11

A vulnerability has been reported in Microsoft Windows XP and 2003, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13802/

--

[SA13818] Opera "data:" URI Handler Spoofing Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Spoofing
Released:    2005-01-12

Michael Holzt has discovered a vulnerability in Opera, which can be exploited by malicious people to trick users into executing malicious files.

Full Advisory:
http://secunia.com/advisories/13818/

--

[SA13781] Winamp Unspecified "in_cdda.dll" Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2005-01-12

A vulnerability with an unknown impact has been reported in Winamp.

Full Advisory:
http://secunia.com/advisories/13781/

--

[SA13754] Amp II Engine Empty UDP Datagram Denial of Service

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-01-07

Luigi Auriemma has reported a vulnerability in the Amp II engine, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/13754/

--

[SA13738] WinHKI Archive Extraction Directory Traversal Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2005-01-06

Rafel Ivgi has discovered a vulnerability in WinHKI, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13738/

--

[SA13770] Gracebyte Network Assistant UDP Datagram Denial of Service

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2005-01-11

Network security team has discovered a vulnerability in Network Assistant, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/13770/

--

[SA13786] Mozilla / Mozilla Firefox Dialog Overlapping Weakness

Critical:    Not critical
Where:       From remote
Impact:      Spoofing
Released:    2005-01-12

mikx has discovered a weakness in Mozilla and Mozilla Firefox, which potentially can be exploited by malicious people to trick users into performing unintended actions.

Full Advisory:
http://secunia.com/advisories/13786/

UNIX/Linux:
--

[SA13810] Gentoo update for imlib2

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-01-12

Gentoo has issued an update for imlib2. This fixes multiple vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13810/

--

[SA13799] Gentoo update for koffice/kpdf

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-11

Gentoo has issued updates for koffice and kpdf. These fix some vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13799/

--

[SA13798] Gentoo update for konqueror

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-11

Gentoo has issued an update for konqueror. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13798/

--

[SA13788] Gentoo update for mpg123

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-11

Gentoo has issued an update for mpg123. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13788/

--

[SA13779] mpg123 Mpeg Layer-2 Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-11

Yuri D'Elia has reported a vulnerability in mpg123, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13779/

--

[SA13776] SUSE update for libtiff/tiff

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-11

SUSE has issued updates for libtiff and tiff. These fix some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13776/

--

[SA13764] Gentoo update for dillo

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-10

Gentoo has issued an update for dillo. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13764/

--

[SA13763] VHCS "include_path" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-10

FraMe has reported a vulnerability in VHCS, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13763/

--

[SA13760] Dillo "a_Capi_ccc()" Format String Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-10

Tavis Ormandy has reported a vulnerability in Dillo, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13760/

--

[SA13755] Fedora update for gpdf

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-07

Fedora has issued an update for gpdf. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13755/

--

[SA13752] Debian update for imlib2

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-01-07

Debian has issued an update for imlib2. This fixes multiple vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13752/

--

[SA13749] Conectiva update for wxgtk2

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-01-07

Conectiva has issued an update for wxgtk2. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system or cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/13749/

--

[SA13746] Mandrake update for libtiff

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-07

MandrakeSoft has issued an update for libtiff. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13746/

--

[SA13744] Mandrake update for wxGTK2

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-07

MandrakeSoft has issued an update for wxGTK2. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13744/

--

[SA13739] Gentoo update for xine-lib

Critical:    Highly critical
Where:       From remote
Impact:      Unknown, System access
Released:    2005-01-06

Gentoo has issued an update for xine-lib. This fixes some vulnerabilities, where some have an unspecified impact and others can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13739/

--

[SA13811] Gentoo update for o3read

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-01-12

Gentoo has issued an update for o3read. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13811/

--

[SA13780] Gentoo update for unrtf

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-01-11

Gentoo has issued an update for unrtf. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13780/

--

[SA13778] Gentoo update for pdftohtml

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-01-10

Gentoo has issued an update for pdftohtml. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13778/

--

[SA13775] pdftohtml "doImage()" Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-01-10

A vulnerability has been reported in pdftohtml, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13775/

--

[SA13774] Fedora update for libtiff

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-01-10

Fedora has issued an update for libtiff. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13774/

--

[SA13772] Gentoo update for tikiwiki

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-01-10

Gentoo has issued an update for tikiwiki. This fixes a vulnerability, which can be exploited by certain malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13772/

--

[SA13768] TikiWiki Wiki Edit Page Arbitrary Script Upload Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-01-10

A vulnerability has been reported in TikiWiki, which can be exploited by certain malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13768/

--

[SA13750] Debian update for tiff

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-01-07

Debian has issued an update for tiff. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13750/

--

[SA13745] Gentoo update for phpgroupware

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, Exposure of system information
Released:    2005-01-07

Gentoo has issued an update for phpgroupware. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/13745/

--

[SA13741] Fedora update for exim

Critical:    Moderately critical
Where:       From remote
Impact:      Privilege escalation, System access
Released:    2005-01-07

Fedora has issued an update for exim. This fixes two vulnerabilities, which potentially can be exploited by malicious, local users to gain escalated privileges and by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13741/

--

[SA13740] Gentoo update for vilistextum

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-01-07

Gentoo has issued an update for vilistextum. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/13740/

--

[SA13809] Netscape Directory Server LDAP Request Handling Buffer Overflow

Critical:    Moderately critical
Where:       From local network
Impact:      DoS, System access
Released:    2005-01-12

A vulnerability has been reported in Netscape Directory Server, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13809/

--

[SA13808] Mandrake update for nfs-utils

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2005-01-12

MandrakeSoft has issued an update for nfs-utils. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13808/

--

[SA13777] Ubuntu update for krb5

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2005-01-10

Ubuntu has issued an update for krb5. This fixes a vulnerability, which potentially can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13777/

--

[SA13767] Debian update for linpopup

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2005-01-10

Debian has issued an update for linpopup. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13767/

--

[SA13757] Debian update for krb5

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2005-01-10

Debian has issued an update for krb5. This fixes a vulnerability, which potentially can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13757/

--

[SA13748] Conectiva update for samba

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2005-01-07

Conectiva has issued an update for samba. This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13748/

--

[SA13800] Gentoo update for kdelibs

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-01-11

Gentoo has issued an update for kdelibs. This fixes a vulnerability, which can be exploited by malicious people to conduct FTP command injection attacks.

Full Advisory:
http://secunia.com/advisories/13800/

--

[SA13797] Ubuntu update for mailman

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information, Exposure of sensitive information
Released:    2005-01-12

Ubuntu has issued an update for mailman. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/13797/

--

[SA13759] Debian update for kdelibs

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-01-10

Debian has issued an update for kdelibs. This fixes a vulnerability, which can be exploited by malicious people to conduct FTP command injection attacks.

Full Advisory:
http://secunia.com/advisories/13759/

--

[SA13751] Debian update for namazu2

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-01-07

Debian has issued an update for namazu2. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/13751/

--

[SA13742] Mandrake update for nasm

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2005-01-07

MandrakeSoft has issued an update for nasm. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13742/

--

[SA13816] Gentoo update for hylafax

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass
Released:    2005-01-12

Gentoo has issued an update for hylafax. This fixes a vulnerability, which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/13816/

--

[SA13815] Debian update for hylafax

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass
Released:    2005-01-12

Debian has issued an update for hylafax. This fixes a vulnerability, which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/13815/

--

[SA13812] HylaFAX hfaxd Authentication Bypass Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass
Released:    2005-01-12

Patrice Fournier has reported a vulnerability in HylaFAX, which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/13812/

--

[SA13805] UnixWare mountd Multiple Process Creation Denial of Service

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2005-01-12

Yun Jonglim has reported a vulnerability in UnixWare, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/13805/

--

[SA13789] Squid NTLM fakeauth_auth Helper Denial of Service

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2005-01-11

A vulnerability has been reported in Squid, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/13789/

--

[SA13817] Debian update for exim

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-01-12

Debian has issued an update for exim. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/13817/

--

[SA13796] Debian update for bmv

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-01-12

Debian has issued an update for bmv. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/13796/

--

[SA13793] BMV Insecure Temporary File Creation

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-01-12

Peter Samuelson has reported a vulnerability in BMV, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/13793/

--

[SA13791] SquirrelMail Vacation Plugin Two Vulnerabilities

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information, Privilege escalation
Released:    2005-01-11

LSS Security Team has reported two vulnerabilities in the Vacation plugin for SquirrelMail, which can be exploited by malicious, local users to gain escalated privileges and disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/13791/

--

[SA13785] Fedora update for kernel

Critical:    Less critical
Where:       Local system
Impact:      Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS
Released:    2005-01-11

Fedora has issued an update for the kernel. This fixes multiple vulnerabilities, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service), disclose sensitive information, or gain escalated privileges on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13785/

--

[SA13784] Linux Kernel Multiple Vulnerabilities

Critical:    Less critical
Where:       Local system
Impact:      Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS
Released:    2005-01-11

Multiple vulnerabilities have been reported in the Linux kernel, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service), disclose sensitive information, or gain escalated privileges on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13784/

--

[SA13758] iproute2 netbug Script Insecure Temporary File Creation

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-01-10

Javier Fernández-Sanguino Peña has reported a vulnerability in iproute2, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/13758/

--

[SA13756] Linux Kernel Binary Format Loaders Privilege Escalation

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-01-10

Paul Starzetz has reported a vulnerability in the Linux kernel, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/13756/

--

[SA13743] Mandrake update for vim

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-01-07

MandrakeSoft has issued an update for vim. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/13743/

--

[SA13771] Debian lintian Insecure Temporary File Deletion Security Issue

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-01-10

Jeroen van Wolffelaar has reported a security issue in lintian, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/13771/

Other:
--

[SA13766] Novell Netware CIFS Denial of Service Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2005-01-10

A vulnerability has been reported in NetWare 5.1 and 6.0, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/13766/

--

[SA13753] Apple AirPort Express/Extreme WDS Denial of Service

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2005-01-12

Dylan Griffiths has reported a vulnerability in AirPort Express and AirPort Extreme, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/13753/

--

[SA13762] Amphor@ GATE Security Bypass Vulnerabilities

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2005-01-12

MaDj0kEr has reported some vulnerabilities in Amphor@ GATE, which potentially can be exploited by malicious users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/13762/

Cross Platform:
--

[SA13804] Apple iTunes Playlist Handling Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-12

Sean de Regge has reported a vulnerability in iTunes, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13804/

--

[SA13769] Zeroboard "dir" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-10

Optik4Lab has reported a vulnerability in Zeroboard, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13769/

--

[SA13747] Sugar Sales "moduleDefaultFile" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-07

Santiago Cortes has reported a vulnerability in Sugar Sales, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13747/

--

[SA13795] Guestserver "message" Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information
Released:    2005-01-12

SmOk3 has reported a vulnerability in Guestserver, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/13795/

--

[SA13794] Dokeos Course Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-01-12

bratax has reported a vulnerability in Dokeos, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/13794/

--

[SA13783] Invision Community Blog Module "eid" SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-01-11

darkhawk matrix has reported a vulnerability in the Invision Community Blog module for Invision Power Board, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/13783/ -- [SA13765] VideoDB Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Security Bypass, Cross Site Scripting, Manipulation of data Released: 2005-01-11 Multiple vulnerabilities have been reported in VideoDB, which can be exploited by malicious people to conduct SQL and cross-site scripting attacks, and bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/13765/ -- [SA13761] Greymatter Script Insertion Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2005-01-11 FraMe has reported some vulnerabilities in Greymatter, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/13761/ -- [SA13801] Hitachi Directory Server LDAP Request Handling Buffer Overflow Critical: Moderately critical Where: From local network Impact: DoS, System access Released: 2005-01-12 A vulnerability has been reported in Hitachi Directory Server, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/13801/ -- [SA13782] WoltLab Burning Board Lite "userid" Cross-Site Scripting Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-01-11 drhankey has reported a vulnerability in Burning Board Lite, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/13782/ -- [SA13737] Apache Tomcat "Tomcat Manager" Cross-Site Scripting Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-01-06 Oliver Karow has discovered some vulnerabilities in Apache Tomcat, which can be exploited by malicious people to conduct cross-site scripting attacks. 
Full Advisory: http://secunia.com/advisories/13737/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45


From isn at c4i.org Thu Jan 13 11:19:04 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jan 13 11:34:39 2005
Subject: [ISN] Microsoft Turns to External Patch Testers
Message-ID:

http://www.eweek.com/article2/0,1759,1750841,00.asp

By Ryan Naraine
January 12, 2005

Looking to improve, and possibly speed up, the creation and release of software security patches, Microsoft Corp. is implementing a closed beta program for external testing teams.

The formalization of Redmond's new Security Update Validation Program clears the way for external patch testers to get "limited and controlled access" to security updates ahead of public release.

The goal, according to company officials, is to provide a small number of dedicated external evaluation teams with access to the patches to test for application compatibility, stability and reliability in simulated production environments.

Stephen Toulouse, program manager at the Microsoft Security Response Center, told eWEEK.com that the external evaluation program was implemented to add a new level of quality control to the engineering process.

"We've always maintained that the most important thing is to make sure the patches are of a high quality. A faulty patch is worse than no patch at all. This program speaks to that commitment," Toulouse said.
He made it clear that the outside testers had no access to information on the vulnerability addressed by the patch.

"They're evaluating the updates in a private, closed-lab environment. They are required to sign an NDA [nondisclosure agreement] and they don't ever know what the patch is correcting. They're simply simulating a real-world deployment in a lab environment and looking for potential problems," Toulouse said. "The end result of this program is higher quality updates for customers to help ensure timely and effective deployment of patches."

According to Debby Fry Wilson, a director in the security research center, the external testing teams were selected from trusted MVPs (Most Valuable Players), ISVs and managed customers who were capable of mimicking patch deployments in a lab environment.

"They had to make a heavy commitment to provide a dedicated evaluation team and to restrict the use of the update to the test environment," Wilson said.

"Based on customer feedback, one of the complaints we've dealt with was that security updates had problems with application compatibility, reliability and stability. We've done better in the last year, but we can always improve the engineering process," she said.

It's a Catch-22 situation for the software giant as it struggles to balance the need for glitch-free updates rolled out in a timely manner. Security experts have long criticized the company for being slow to address critical software flaws. eEye Digital, a security research outfit, maintains a section on its Web page that features Microsoft patches that are long overdue.

On the other hand, Microsoft has also had to cope with the embarrassment of having to recall faulty patches. In 2003, a buggy patch from Microsoft even opened the door to the widespread exploitation of a vulnerability in the Internet Explorer browser.

"We're always looking at ways to create updates and get them rolled out to customers quickly.
But, the testing is an important part of that process. With this program, the external evaluation teams aren't looking to make sure the vulnerability is fixed. They're testing to make sure that when the update is deployed across a network, it does not break existing applications," Toulouse said.


From isn at c4i.org Thu Jan 13 11:19:17 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jan 13 11:34:41 2005
Subject: [ISN] The US Army is mad, and gunning for you
Message-ID:

http://www.theinquirer.net/?article=20675

By INQUIRER staff
12 January 2005

A FILING ON a forum from Phil DeLuca at America's Army game project indicates that the US Army is not at all happy at people s0dding about with its code.

DeLuca said that the US Army is very unhappy with hackers and others breaching its licence agreements, and it knows who these people are.

He said: "When you tamper with the [America's Army] game not only are you breaking the EULA, you're misusing Army property, and worse, you're misusing US Army computer programs and equipment".

He said the US Army knows who the offenders are and warned that "tampering with software and servers owned or used by the Army is cybercrime".

And his filing on the forum, which you can read here [1], ends with a dire warning. He said: "We know who you are, and can track down where you play from. We have incontrovertible proof you did something illegal. The Army is angry, and we're coming for you".

[1] http://forum.americasarmy.com/viewtopic.php?t=143447


From isn at c4i.org Thu Jan 13 11:19:36 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jan 13 11:34:43 2005
Subject: [ISN] DOD cyber sleuths swap secrets in Florida
Message-ID:

Forwarded from: William Knowles

http://www.nwfusion.com/news/2005/0112dodcyber.html

By Paul Roberts
IDG News Service
01/12/05

The U.S.
Department of Defense is making changes to streamline its response to online threats across the various branches of the military, and deal with a steady stream of new online woes, from hacking attempts to child pornography and threats posed by powerful portable storage devices such as iPods, according to senior DOD officials.

The DOD blocked and traced 60,000 intrusion attempts on its unclassified networks in 2004, and wrestles with spam, illicit pornography and other common Internet threats. If left to fester the threats could hamper the massive defense agency, which relies on global, unclassified networks for critical business operations, said Lieutenant General Harry Raduege, director of the Defense Information Systems Agency.

Raduege was speaking at the Department of Defense Cyber Crime Conference in Palm Harbor, Fla., an annual gathering of some of the government's top IT, computer forensic and research and development talent.

The DOD is taking the threat to its networks seriously, as global information networks now play a crucial role supporting troops abroad, as well as critical logistics, financial, and medical information systems that the DOD relies on to support its employees and to communicate with suppliers in the U.S. and abroad, he said.

"The importance of reliable, accessible networks is growing as we move to a netcentric world," he said.

Larger, more open networks provide more opportunities for malicious hackers or terrorist groups to infiltrate those networks, stealing sensitive information or wreaking havoc on DOD operations, he said.

The DOD is drafting organization-wide policies to respond to a number of threats that are well known to many private sector network administrators, including peer-to-peer file sharing applications, and vulnerable computer communications ports and protocols, he said.
The DOD is also working to develop a list of IP addresses for a "do not block list" so that critical DOD communications are not accidentally blocked by ISPs and other organizations, he said.

Networks that contain classified information are not connected to the public Internet and are not affected by the same threats that affect unclassified department networks, he said.

A reorganization approved by the Joint Chiefs of Staff in Nov. 2004 should make it easier for the government to coordinate its response to cyber threats and create more discipline on DOD networks by creating clear lines of command from the U.S. Secretary of Defense, to the DOD's Strategic Command, to the various branches of the military, Raduege said.

Asked whether the U.S. public should feel confident that the government is on top of cyber crime, Raduege said that the government's preparedness to deal with online threats had improved dramatically since the first "Solar Sunrise" exercise in the late 1990s.

"We're good. We're very good," he said.

With the theme of "Cyber crime: overcoming the challenges of new technology," the 4th annual DOD Cyber Crime Conference brought together 500 experts in technology, law and computer forensics to discuss ways to improve computer investigations, protect government networks from attack and coordinate the response to computer threats across the huge military and defense sectors.

The conference offered a diverse set of mostly closed-door sessions, with topics such as "Cyber Jihad and the Globalization of Warfare" and "Current Trends in Digital Forensics."

Child pornography has become a huge problem for DOD investigators, accounting for as much as 50% of the criminal digital evidence processing work done by the DOD's Defense Cyber Crime Center (DC3), said Steven Shirley, executive director of DC3.
The proliferation of inexpensive digital cameras and scanners has caused instances of child pornography to mushroom in the military, as elsewhere in society, said Jim Christy, director of the Defense Cyber Crime Institute at DC3.

Other hot topics at the show were techniques for capturing and analyzing data from a flood of new digital storage media, including Apple Inc. iPods, GPS (Global Positioning System) devices and portable USB (Universal Serial Bus) memory sticks, Christy said.

Government investigators working on cases, ranging from homicides to espionage, need to be aware of the wide range of new places that valuable information could be stored, he said.

"Twenty years ago, investigators used to walk right past the desktop computer when they were gathering evidence. Now they know enough to seize that, but we've got to get them to be aware of these other devices," he said.


*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant."
Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*


From isn at c4i.org Fri Jan 14 03:14:48 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jan 14 03:31:18 2005
Subject: [ISN] Google patches Gmail security hole
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,98920,00.html

By Matthew Broersma
JANUARY 13, 2005
IDG NEWS SERVICE

Google Inc. has fixed a bug in its Web-based e-mail service, Gmail, that allowed users to read the contents of other people's messages.

HBX Networks, a Unix community group, discovered the bug while testing a Perl script intended to automate sending batches of newsletters.
Messages sent to the group's own e-mail address contained HTML code in the "Reply To" field, and this code turned out to be the message body of other users' e-mail messages.

The problem appears to be caused by a missing > character in the formatting of the "From" fields generated by the group's Perl script. "This, apparently, was enough to get GMail to provide us with some portion of someone else's messages," HBX members wrote in their analysis yesterday. They speculated that the missing character caused Google's application to read other data into this buffer -- a message that had been sent recently, for example.

In at least one case, the intercepted e-mail contained username and password information, the group said.

"Regardless of the specific failure, the result is a compromise of the privacy of communications over Gmail," the group wrote. "Message content and address information are easily -- if somewhat randomly -- available to unintended recipients."

Google said the problem was fixed shortly after the HBX Networks report appeared.

"At 10:15 a.m. PST mails with the problematic formatting as described in your previous story stopped being accepted into Gmail. Previous e-mails that had this problem will also no longer be accessible. We appreciate your patience and we're sorry about the bug," Chris DiBona, Google's open-source program manager, said in an e-mail to the tech discussion site Slashdot. He urged users to report security bugs to security@google.com.

HBX expressed concern that other such bugs might exist. "The appearance of this issue, at the user level, probably indicates a failure in GMail's code review and/or quality assurance standards, which may result in other, similar errors," the group wrote.

While it is technically still in beta testing, Gmail has become one of the most popular Web-based e-mail services since its launch in April and has begun to come under the same scrutiny as other Google services.
Last month, for example, Google fixed a flaw with its desktop search that could have allowed hackers to search the contents of a PC.

Security problems are nothing new to Web e-mail. Last March, shortly before Gmail's launch, IT security firm GreyMagic Software demonstrated that scripts could be run in Hotmail and Yahoo Inc.'s Web e-mail, bypassing scripting restrictions. Scripts embedded in e-mail messages could have been used to steal passwords or spread worms, researchers said. The problem has been fixed.


From isn at c4i.org Fri Jan 14 03:15:05 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jan 14 03:31:20 2005
Subject: [ISN] Think like a hacker
Message-ID:

http://www.networklifemag.com/weblogs/securitychief/2005/007187.html

By Deb Radcliff
Network Life, 01/09/05

Last week, I interviewed a hacker named Geoff Shivley, whose experiences remind me of the hackers I encountered while researching the infamous hacker Kevin Mitnick for a best-selling book.

Like other hackers I know, Shivley started young, in middle school. And he began with phones, payphones specifically, which he switched on and off and made ring with musical tones to impress his friends. This, ahem, skill, is called "phreaking."

And like the others, he didn't stop there. Soon, Shivley was hacking everything electronic. In his southern California school, one of his favorite tricks was to leave class during silent reading, hack the vending machines, and return with a backpack full of sodas for the class.

By 1995, Shivley moved on to computers. He bought books on Unix, Visual Basic and cryptography; he read 2600, a hacker quarterly published by Emmanuel Goldstein, one of the FBI's most watched hackers. And Shivley started writing code. His goal: To unleash a new AOL hack different than AOHELL, FATE and others that wreaked havoc on the online service back in the mid-'90s.
He started a hacking group called AOA, for America On Acid, and passed around his evil code, which could change home pages and kick people off Web sites. Shivley's code was ultimately used by hundreds of hackers in a 1996 three-day riot against the entire AOL community dubbed the "Valentine's Day Massacre."

"I was young, 13. I thought it was a game," says Shivley, now 22. "I didn't realize the impact of what I was doing and hadn't realized how powerful computers actually were."

That same year Shivley hacked his way into a Unix box at a Fortune 100 electronics manufacturer in Texas. He changed a master password and issued a "kill" command. That's when he realized the server he'd shut down was the network entry point for the company's hundreds of telecommuters, whom he'd just locked out from doing any work. Because he changed the master password, it took the company three days to get the system back up and running.

That's when Shivley realized what he was doing was illegal. And, with the law cracking down on hackers like Mitnick and Kevin Poulsen, he began to worry that federal agents would come after him, too.

"I started getting really scared," he says. "I realized that computers can cause a lot of damage."

At that time, Shivley also spotted an odd, off-white van parked outside his house for three weeks. His phones started acting strangely, with the telltale clicking and phantom rings indicative of a wiretap. He and his friends spotted federal agent-types tracking them as they went to and from the Balboa, Calif., chapter of the hacking group Blacklisted 411, a hacking group that made 2600 look like milquetoast.

"I was freaking out," Shivley tells me in a phone interview from his hotel in Maui, where he was waiting for the waves to calm so he could surf. "I started imagining myself being pulled from my bed and placed under arrest."
That's when Shivley dismantled his computer, tossed his hard drive and RAM into the bay and gave away his disks and manuals, and started helping people instead. At 15, he became the go-to kid for his entire neighborhood. Before long, he was doing consulting work as a computer administrator for a large Internet backbone provider. After school, he'd take the train up to Wilshire Blvd. in Santa Monica, putting in late-night hours just blocks away from the Federal Building where agents were putting together a case against Mitnick, finally in custody.

At 16, Shivley started streamlining the company's Linux, Windows, Cisco and Nortel equipment. He'd work late nights hardening the systems by changing insecure configurations, and removing unneeded shells (code groups) and low-level DNS (Domain Name Service), closing ports, removing unneeded administrative functions and recompiling the kernel to tighten and streamline his Linux systems.

"Whenever a new virus or worm came out, my machines didn't get hit. But others did. And everyone wanted to know why. At first, I couldn't figure it out. But then it dawned on me. I thought I was just doing good system administration. Then I realized I was doing security," he says.

In 1999, with the help of his businessman father, Shivley started PivX (www.PivX.com), a company that patched vulnerabilities in Windows systems on a consulting basis. With funding from friends and family, in 2002, PivX developed its first product. After a year in beta testing at Boeing, Edison, Hyundai and others, PivX released Qwik-Fix Pro, which makes temporary changes to the Windows operating system to plug the holes that let in malicious code. For example, by locking down the local zones, it closes innumerable command execution vulnerabilities targeting Internet Explorer. And by closing the RPC DCOM vulnerability, it locks out hundreds of worm variants that exploit RPC DCOM, a standard feature in Windows operating systems.
PivX had $2 million in revenues in 2004 and has a 45-member staff made up of some of the brightest hacker minds in the world. Not bad for a surfer who carries a skateboard around on his back. Qwik-Fix Pro has been nominated by SC Magazine for best network security and best intrusion solutions.

But it's the $49 home version that's got me most excited. I installed it on my Windows XP machine three weeks ago and I can't even tell it's there. Which is exactly what's needed for home network users who can't understand the difference between a virus and a worm, why they should close vulnerable ports on their computers, or why unpatched browsers can let in viruses, worms, spammers and identity thieves.

PivX makes me wonder whether I still need the half-dozen security programs bogging down my system. Maybe I don't have to keep all those signature files for spyware, Trojans, viruses and worms. After all, there are hundreds, sometimes thousands of variants hitting a single vulnerability.

"All you need to do is change a single byte in the attack code and the anti-virus vendors have to create another attack signature to protect against it," Shivley says. "Some security programs can eat up 20 percent of your processing power this way."

In contrast, closing vulnerabilities takes zero processing power because all it does is patch holes. And there's no need for signature updates and software downloads. When a new vulnerability is discovered, it quietly patches that, too.

I'm not ready to toss my traditional security yet. But I'm thinking, maybe, just maybe, there can be a simple answer to this security mess we've gotten ourselves into.


From isn at c4i.org Fri Jan 14 03:15:25 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jan 14 03:31:22 2005
Subject: [ISN] DHS, DOJ plan cybercrime survey
Message-ID:

Forwarded from: William Knowles

http://www.fcw.com/fcw/articles/2005/0110/web-survey-01-13-05.asp

By Dibya Sarkar
Jan. 13, 2005

In what they hope will become the premier measure of national cybercrime statistics, officials at the Homeland Security and Justice departments plan to survey 36,000 businesses this spring to examine the type and frequency of computer security incidents.

Officials from both departments said there are currently no surveys that do what they envision the Computer Security Survey will do annually: provide statistically relevant national data on cybercrime across all U.S. businesses, especially those in critical infrastructure sectors.

Patrick Morrissey, deputy director for law enforcement and intelligence in DHS' National Cyber Security Division, said no one really knows if the problem is getting better or worse or what sectors cybercriminals may be targeting.

"We are awash in anecdotal evidence but little or nothing scientific or verifiable," he told members of the National Infrastructure Advisory Council Jan. 11 during a presentation. "With that being the case, decisions are being made in this area on incomplete information. Among other things this initiative is designed to help us address this gap."

Better data could help form policy and improve resource allocation for government and the commercial sector, but few datasets are available on the national level. Other datasets such as the Computer Security Institute's annual survey examine only the organizations' members. That doesn't provide nationally representative data, officials said.

Ramona Rantala, a statistician in the Justice Department's Bureau of Justice Statistics, said DHS and DOJ officials will ask about the prevalence and types of computer security incidents, where systems were vulnerable, and whether vulnerability was caused by an insecure wireless connection. It will also inquire about monetary losses and who committed the crimes, meaning whether they were general hackers, foreign competitors or current or former employees.
The Computer Security Survey, which has been vetted by some groups, including the FBI and the President's Information Technology Advisory Committee, is still being reviewed by other organizations before distribution. Officials hope to get preliminary results by the end of the year if they get enough responses, and have final results within 12 to 15 months. The project will cost about $3.1 million, officials said.

The full-scale survey is based on a questionnaire that was sent in 2001 to 500 businesses, 208 of which responded. Of the 198 responding companies that used computers -- 10 did not -- 74 percent reported they were victims of a cybercrime, such as embezzlement, fraud or theft of proprietary information. Two-thirds were victimized by a computer virus at least once, a quarter experienced denial-of-service attacks and a fifth said their computer systems were vandalized or sabotaged.

Rantala said the full-scale survey will help determine what types of attacks are most common nationally. She said people tend to think that if you have one computer attack, you shore up everything and that prevents anything else from happening. But they fail to consider that hackers develop methods of attack quicker than businesses can respond to them.

"In other words, they can open the door faster than we can relock it," she said.

From the survey, participating companies could also receive tailored reports of where they stand within their industry in terms of how many attacks they've been subject to, what kinds of technologies they used for protection, and what percentage of their budget was used for that.

"We'll give them a report with the industry total and with their specific values so that they'll know where they sit in that industry," Rantala said. "A lot of the [chief information officers] said they would love to be able to take this kind of information to their president and say, 'We need to put more money in this area.
We need to put a higher percentage of our budget into this kind of technology because this is what everyone else in our industry is using.'"

She also said the full-scale survey could help estimate losses from cybercrimes that many news publications publish. "Honestly, nobody I've talked to has any idea where they come from," she said. "I can't say the methodology isn't sound. I'm just saying I'm not aware of what it is because there are no national data out there."

However, results will depend mainly on participation of the officials at the 36,000 businesses that will receive the questionnaire. For instance, the pilot survey, Rantala said, found that larger companies were less likely to respond than smaller companies. Officials at most of the large companies said they did not respond to voluntary surveys and that they receive too many surveys for them to answer.

Rantala said it would take an act of Congress to make a survey mandatory, but officials from both departments prefer it be voluntary. However, she said Information Sharing Analysis Centers, trade associations and private-sector leaders could help urge participation in the full-scale survey.

"What we're trying to avoid is having the businesses get multiple surveys," she said. "If they're only going to answer one, then we want it to be ours."


From isn at c4i.org Mon Jan 17 01:22:30 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jan 17 01:34:11 2005
Subject: [ISN] Linux Advisory Watch - January 14th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|  January 14th, 2005                        Volume 6, Number 2a      |
+---------------------------------------------------------------------+

  Editors:     Dave Wreski                   Benjamin D. Thomas
               dave@linuxsecurity.com        ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for php, ethereal, krb, kerberos, lintian, kdelibs, linpopup, bmv, exim, libc6, exim-tls, gopher, libtiff, gtk, selinux-policy-targeted, epiphany, kernel, yum, samba, cups, subversion, vim, samba, gdpdf, dillo, tikiwiki, pdftohelp, mpg123, imlib2, poppassed_pam, kde, nfs-utils, hylafax, fcron, lesstif, and unarj. The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat, SuSE, Trustix, and TurboLinux.

----

Internet Productivity Suite: Open Source Security

Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design.

http://store.guardiandigital.com/html/eng/products/software/ips_overview.shtml

---

Ape about EtherApe

It is always the same scene in Hollywood films. The networks are penetrated; cryptic images and characters are scrolling across the screen. We're being hacked!
Did you ever wish you could keep a closer eye on your network? Sure, we
have sniffers and other tools, but did you ever want something graphical?
I've always been a huge fan of ntop, but feel that it lacks on the
graphical end. My curiosity drives the question: what is happening on my
network?

Another interesting program that I enjoy using is EtherApe. It is a
network monitor that displays traffic graphically. It supports a wide
range of protocols and network types. The display is color-coded,
allowing users to quickly understand the type of traffic on a network.
The project is several years old, originally being based on etherman. It
is licensed under the GPL and is currently packaged for many different
Linux distributions. The hardware requirements are minimal; however, it
does require you to use X and have libcap installed.

With EtherApe you'll find that network monitoring has never been this
fun. On an active network, one can easily be drawn to just watching the
activity. It can be a very useful tool, but the entertainment value
should not be discounted. One of the most useful features of EtherApe is
the dynamic graphic images it creates. These can be used to further
explain concepts or attack methodologies to business decision makers who
wouldn't normally understand the output of tcpdump.

More information about EtherApe can be found at the project website:
http://etherape.sourceforge.net/

Also, for those of you who are just curious, several screenshots are also
available:
http://etherape.sourceforge.net/images/

Until next time, cheers!
Benjamin D. Thomas

----------------------

Encrypting Shell Scripts

Do you have scripts that contain sensitive information like passwords and
you pretty much depend on file permissions to keep it secure? If so, then
that type of security is good provided you keep your system secure and
some user doesn't have a "ps -ef" loop running in an attempt to capture
that sensitive info (though some applications mask passwords in "ps"
output).
http://www.linuxsecurity.com/content/view/117920/49/

---

A 2005 Linux Security Resolution

Year 2000, the coming of the new millennium, brought us great joy and
celebration, but also brought great fear. Some believed it would result
in full-scale computer meltdown, leaving Earth as a nuclear wasteland.
Others predicted minor glitches leading only to inconvenience. The
following years (2001-2004) have been tainted with the threat of
terrorism worldwide.

http://www.linuxsecurity.com/content/view/117721/49/

---

State of Linux Security 2004

In 2004, security continued to be a major concern. The beginning of the
year was plagued with several kernel flaws, and Linux vendor advisories
continue to be released at an ever-increasing rate. This year, we have
seen reports touting Windows' security superiority, only to be debunked
by other security experts immediately after release. Also, Guardian
Digital launched the new LinuxSecurity.com, users continue to be targeted
by automated attacks, and the need for security awareness and education
continues to rise.

http://www.linuxsecurity.com/content/view/117655/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Conectiva        | ----------------------------//
+---------------------------------+

* Conectiva: php4 Fixes for multiple php4 vulnerabilities
  13th, January, 2005

  This announcement fixes seven vulnerabilities[2] found by Stefan Esser
  and four other vulnerabilities. For further information, please refer
  to php4's changelog[3].

  http://www.linuxsecurity.com/content/view/117904

* Conectiva: ethereal Fixes for security vulnerabilities in ethereal
  13th, January, 2005

  This update fixes several vulnerabilities[2,3,4] in ethereal.
  http://www.linuxsecurity.com/content/view/117905

* Conectiva: krb5 Fix for buffer overflow in libkadm5srv
  13th, January, 2005

  Michael Tautschnig noticed that the MIT Kerberos 5 administration
  library (libkadm5srv) contains a heap buffer overflow[2] in password
  history handling code which could be exploited by an authenticated
  user to execute arbitrary code on a Key Distribution Center (KDC)
  host.

  http://www.linuxsecurity.com/content/view/117911

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: kerberos arbitrary code execution fix
  7th, January, 2005

  A buffer overflow has been discovered in the MIT Kerberos 5
  administration library (libkadm5srv) that could lead to the execution
  of arbitrary code upon exploitation by an authenticated user, not
  necessarily one with administrative privileges.

  http://www.linuxsecurity.com/content/view/117819

* Debian: lintian insecure temporary directory fix
  10th, January, 2005

  Jeroen van Wolffelaar discovered a problem in lintian, the Debian
  package checker. The program removes the working directory even if it
  wasn't created at program start, removing an unrelated file or
  directory a malicious user inserted via a symlink attack.

  http://www.linuxsecurity.com/content/view/117827

* Debian: kdelibs arbitrary FTP command execution fix
  10th, January, 2005

  Thiago Macieira discovered a vulnerability in the kioslave library,
  which is part of kdelibs, which allows a remote attacker to execute
  arbitrary FTP commands via an ftp:// URL that contains a URL-encoded
  newline before the FTP command.

  http://www.linuxsecurity.com/content/view/117828

* Debian: linpopup arbitrary code execution fix
  10th, January, 2005

  Stephen Dranger discovered a buffer overflow in linpopup, an X11 port
  of winpopup, running over Samba, that could lead to the execution of
  arbitrary code when displaying a maliciously crafted message.
  http://www.linuxsecurity.com/content/view/117829

* Debian: bmv insecure temporary file creation fix
  11th, January, 2005

  Peter Samuelson, upstream maintainer of bmv, a PostScript viewer for
  SVGAlib, discovered that temporary files are created in an insecure
  fashion. A malicious local user could cause arbitrary files to be
  overwritten by a symlink attack.

  http://www.linuxsecurity.com/content/view/117857

* Debian: HylaFAX unauthorised access fix
  11th, January, 2005

  Patrice Fournier discovered a vulnerability in the authorisation
  subsystem of hylafax, a flexible client/server fax system. A local or
  remote user guessing the contents of the hosts.hfaxd database could
  gain unauthorised access to the fax system.

  http://www.linuxsecurity.com/content/view/117872

* Debian: exim arbitrary code execution fix
  12th, January, 2005

  Philip Hazel announced a buffer overflow in the host_aton function in
  exim, the default mail-transport-agent in Debian, which can lead to
  the execution of arbitrary code via an illegal IPv6 address.

  http://www.linuxsecurity.com/content/view/117878

* Debian: New libc6 packages fix insecure temporary files
  12th, January, 2005

  Several insecure uses of temporary files have been discovered in
  support scripts in the libc6 package, which provides the C library
  for a GNU/Linux system. Trustix developers found that the catchsegv
  script uses temporary files insecurely. Openwall developers
  discovered insecure temporary files in the glibcbug script. These
  scripts are vulnerable to a symlink attack.

  http://www.linuxsecurity.com/content/view/117889

* Debian: New exim-tls packages fix arbitrary code execution
  13th, January, 2005

  Philip Hazel announced a buffer overflow in the host_aton function in
  exim-tls, the SSL-enabled version of the default mail-transport-agent
  in Debian, which can lead to the execution of arbitrary code via an
  illegal IPv6 address.
  http://www.linuxsecurity.com/content/view/117903

* Debian: New gopher packages fix several vulnerabilities
  13th, January, 2005

  "jaguar" has discovered two security relevant problems in gopherd,
  the Gopher server in Debian which is part of the gopher package.

  http://www.linuxsecurity.com/content/view/117915

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora: sane-backends-1.0.15-1.4 update (corrected)
  7th, January, 2005

  This is version 1.0.15 of the sane-backends scanner drivers. This
  package also resolves the issues concerning device permissions for USB
  scanners which are always connected.

  http://www.linuxsecurity.com/content/view/117815

* Fedora: libtiff-3.6.1-9.fc3 update
  7th, January, 2005

  The updated libtiff package fixes an integer overflow which could lead
  to a buffer overflow in the tiffdump utility.

  http://www.linuxsecurity.com/content/view/117820

* Fedora: libtiff-3.5.7-22.fc2 update
  7th, January, 2005

  The updated libtiff package fixes an integer overflow which could lead
  to a buffer overflow in the tiffdump utility.

  http://www.linuxsecurity.com/content/view/117821

* Fedora: gtk2-2.4.14-2.fc3 update
  7th, January, 2005

  The updated gtk2 package fixes several cases of missing locking in the
  file chooser which could cause deadlocks in threaded applications.

  http://www.linuxsecurity.com/content/view/117822

* Fedora: selinux-policy-targeted-1.17.30-2.68 update
  7th, January, 2005

  Allow ldconfig to run with full privs.

  http://www.linuxsecurity.com/content/view/117823

* Fedora: epiphany-1.2.7-0.2.0 update
  10th, January, 2005

  Rebuild because of Mozilla API changes.

  http://www.linuxsecurity.com/content/view/117840

* Fedora: epiphany-1.2.7-0.2.2 update
  10th, January, 2005

  Rebuild because of Mozilla API changes.

  http://www.linuxsecurity.com/content/view/117841

* Fedora: policycoreutils-1.18.1-2.3 update
  10th, January, 2005

  Backport restorecon and fixfiles from rawhide to eliminate bad warning
  messages and fix handling of rpm files.

  http://www.linuxsecurity.com/content/view/117842

* Fedora: selinux-policy-targeted-1.17.30-2.68 update
  10th, January, 2005

  Require policycoreutils for selinux-policy-targeted. Run ldconfig as
  an unconfined_domain.

  http://www.linuxsecurity.com/content/view/117843

* Fedora: kernel-2.6.10-1.8_FC2 update
  10th, January, 2005

  This update rebases the kernel to match the upstream 2.6.10 release,
  and adds a number of security fixes by means of adding the latest -ac
  patch.

  http://www.linuxsecurity.com/content/view/117849

* Fedora: kernel-2.6.10-1.737_FC3 update
  10th, January, 2005

  This update rebases the kernel to match the upstream 2.6.10 release,
  and adds a number of security fixes by means of adding the latest -ac
  patch.

  http://www.linuxsecurity.com/content/view/117850

* Fedora: yum-2.1.12-0.fc3 update
  10th, January, 2005

  New yum release fixes many small bugs.

  http://www.linuxsecurity.com/content/view/117851

* Fedora: system-config-samba-1.2.23-0.fc3.1 update
  11th, January, 2005

  Unfortunately, some bugs slipped into this release which were detected
  after the sign and push request went out. The bugs in question prevent
  proper configuring of global preferences.

  http://www.linuxsecurity.com/content/view/117859

* Fedora: system-config-services-0.8.17-0.fc3.1 update
  11th, January, 2005

  Throw away stderr to not be confused by error messages (#142983).
  Don't hardcode python 2.3 (#142246). Remove some cruft from
  configure.in.

  http://www.linuxsecurity.com/content/view/117860

* Fedora: cups-1.1.20-11.9 update
  11th, January, 2005

  This package fixes a small regression introduced by FEDORA-2004-574.

  http://www.linuxsecurity.com/content/view/117861

* Fedora: cups-1.1.22-0.rc1.8.3 update
  11th, January, 2005

  This package fixes a small regression introduced by FEDORA-2004-575.
  http://www.linuxsecurity.com/content/view/117862

* Fedora: subversion-1.1.2-2.3 update
  11th, January, 2005

  This update includes the latest release of Subversion 1.1, including a
  number of bug fixes.

  http://www.linuxsecurity.com/content/view/117863

* Fedora: initscripts-7.55.2-1 update
  11th, January, 2005

  This update fixes the mounting of usbfs on boot, along with various
  other accumulated fixes.

  http://www.linuxsecurity.com/content/view/117875

* CORRECTION: Fedora Core 2 Update: epiphany-1.2.7-0.2.0
  12th, January, 2005

  Rebuild because of Mozilla API changes.

  http://www.linuxsecurity.com/content/view/117885

* CORRECTION: Fedora Core 2 Update: epiphany-1.2.7-0.2.2
  12th, January, 2005

  Rebuild because of Mozilla API changes.

  http://www.linuxsecurity.com/content/view/117886

* Fedora Core 2 Update: vim-6.3.054-0.fc2.1
  12th, January, 2005

  Ciaran McCreesh discovered a modeline vulnerability in VIM. It is
  possible that a malicious user could create a file containing a
  specially crafted modeline which could cause arbitrary command
  execution when viewed by a victim. Please note that this issue only
  affects users who have modelines and filetype plugins enabled, which
  is not the default. Javier Fernández-Sanguino Peña discovered insecure
  usage of temporary files in two scripts shipped with vim. It is
  possible that a malicious user could guess the names of the temporary
  files and start a symlink attack.

  http://www.linuxsecurity.com/content/view/117887

* Fedora Core 3 Update: vim-6.3.054-0.fc3.1
  12th, January, 2005

  Ciaran McCreesh discovered a modeline vulnerability in VIM. It is
  possible that a malicious user could create a file containing a
  specially crafted modeline which could cause arbitrary command
  execution when viewed by a victim. Please note that this issue only
  affects users who have modelines and filetype plugins enabled, which
  is not the default.
  Javier Fernández-Sanguino Peña discovered insecure usage of temporary
  files in two scripts shipped with vim. It is possible that a malicious
  user could guess the names of the temporary files and start a symlink
  attack.

  http://www.linuxsecurity.com/content/view/117888

* Fedora: system-config-samba-1.2.26-0.fc3.1 update
  12th, January, 2005

  Ignore case of share name when deleting share (#144504). When double
  clicking share, open properties dialog. Assume default is
  "security == user" to avoid traceback on users dialog (#144511).
  Update main window when changing share path (#144168). Include
  Ukrainian translation in desktop file (#143659).

  http://www.linuxsecurity.com/content/view/117892

* Fedora Core 3 Update: selinux-policy-targeted-1.17.30-2.72
  12th, January, 2005

  Allow dhcpd and nscd to read certs files in usr_t. Allow postgresql to
  use ypbind and fix db creation calls.

  http://www.linuxsecurity.com/content/view/117899

* Fedora Core 2 Update: gpdf-2.8.2-1.1
  13th, January, 2005

  Update to 2.8.2. Remove all patches, they are upstream.

  http://www.linuxsecurity.com/content/view/117912

* Fedora Core 3 Update: gpdf-2.8.2-1.2
  13th, January, 2005

  Update to 2.8.2. Remove all patches, they are upstream.

  http://www.linuxsecurity.com/content/view/117913

* Fedora Core 3 Update: exim-4.43-1.FC3.1
  13th, January, 2005

  This erratum fixes two relatively minor security issues which were
  discovered in Exim in the last few weeks. The Common Vulnerabilities
  and Exposures project (cve.mitre.org) has assigned the names
  CAN-2005-0021 and CAN-2005-0022 to these, respectively.

  http://www.linuxsecurity.com/content/view/117914

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: dillo Format string vulnerability
  9th, January, 2005

  Dillo is vulnerable to a format string bug, which may result in the
  execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/117831

* Gentoo: TikiWiki Arbitrary command execution
  10th, January, 2005

  A bug in TikiWiki allows certain users to upload and execute malicious
  PHP scripts.

  http://www.linuxsecurity.com/content/view/117832

* Gentoo: pdftohtml Vulnerabilities in included Xpdf
  10th, January, 2005

  pdftohtml includes vulnerable Xpdf code to handle PDF files, making it
  vulnerable to execution of arbitrary code upon converting a malicious
  PDF file.

  http://www.linuxsecurity.com/content/view/117833

* Gentoo: UnRTF Buffer overflow
  10th, January, 2005

  A buffer overflow in UnRTF allows an attacker to execute arbitrary
  code by way of a specially crafted RTF file.

  http://www.linuxsecurity.com/content/view/117852

* Gentoo: mpg123 Buffer overflow
  10th, January, 2005

  An attacker may be able to execute arbitrary code by way of specially
  crafted MP2 or MP3 files.

  http://www.linuxsecurity.com/content/view/117853

* Gentoo: konqueror Java sandbox vulnerabilities
  11th, January, 2005

  The Java sandbox environment in Konqueror can be bypassed to access
  arbitrary packages, allowing untrusted Java applets to perform
  unrestricted actions on the host system.

  http://www.linuxsecurity.com/content/view/117854

* Gentoo: Kpdf, Koffice More vulnerabilities in included Xpdf
  11th, January, 2005

  KPdf and KOffice both include vulnerable Xpdf code to handle PDF
  files, making them vulnerable to the execution of arbitrary code if a
  user is enticed to view a malicious PDF file.

  http://www.linuxsecurity.com/content/view/117855

* Gentoo: KDE FTP KIOslave Command injection
  11th, January, 2005

  The FTP KIOslave contains a bug allowing users to execute arbitrary
  FTP commands.

  http://www.linuxsecurity.com/content/view/117864

* Gentoo: imlib2 Buffer overflows in image decoding
  11th, January, 2005

  Multiple overflows have been found in the imlib2 library image
  decoding routines, potentially allowing the execution of arbitrary
  code.
  http://www.linuxsecurity.com/content/view/117865

* Gentoo: o3read Buffer overflow during file conversion
  11th, January, 2005

  A buffer overflow in o3read allows an attacker to execute arbitrary
  code by way of a specially crafted XML file.

  http://www.linuxsecurity.com/content/view/117867

* Gentoo: HylaFAX hfaxd unauthorized login vulnerability
  11th, January, 2005

  HylaFAX is subject to a vulnerability in its username matching code,
  potentially allowing remote users to bypass access control lists.

  http://www.linuxsecurity.com/content/view/117868

* Gentoo: poppassd_pam Unauthorized password changing
  11th, January, 2005

  poppassd_pam allows anyone to change any user's password without
  authenticating the user first.

  http://www.linuxsecurity.com/content/view/117874

* Gentoo: CUPS Multiple vulnerabilities
  12th, January, 2005

  CUPS was vulnerable to multiple vulnerabilities and as a fix we
  recommended upgrading to version 1.1.23_rc1. This version is affected
  by a remote Denial of Service, so we now recommend upgrading to the
  final 1.1.23 release which does not have any known vulnerability.

  http://www.linuxsecurity.com/content/view/117879

* Gentoo: Exim Two buffer overflows
  12th, January, 2005

  Buffer overflow vulnerabilities, which could lead to arbitrary code
  execution, have been found in the handling of IPv6 addresses as well
  as in the SPA authentication mechanism in Exim.

  http://www.linuxsecurity.com/content/view/117900

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

* Mandrake: g-wrap compilation error fix
  10th, January, 2005

  A compilation error in g-wrap prevented gnucash from running on
  Mandrakelinux 10.1/x86_64. The updated packages correct the problem.

  http://www.linuxsecurity.com/content/view/117846

* Mandrake: xscreensaver bug with KDE fix
  10th, January, 2005

  A bug in xscreensaver existed when running under KDE.
  When selecting a screensaver, it can be tested and seen properly, but
  when it actually is supposed to start, only a black screen would come
  up.

  http://www.linuxsecurity.com/content/view/117848

* Mandrake: kde numerous bugs fix
  11th, January, 2005

  Updates are provided for various components of kdeaddons, kdebase,
  kdelibs, kdenetwork, and kdepim that fix a variety of bugs.

  http://www.linuxsecurity.com/content/view/117866

* Mandrake: nfs-utils 64bit vulnerability fix
  11th, January, 2005

  Arjan van de Ven discovered a buffer overflow in rquotad on 64bit
  architectures; an improper integer conversion could lead to a buffer
  overflow. An attacker with access to an NFS share could send a
  specially crafted request which could then lead to the execution of
  arbitrary code.

  http://www.linuxsecurity.com/content/view/117877

* Mandrake: hylafax vulnerability fix
  12th, January, 2005

  Patrice Fournier discovered a vulnerability in the authorization
  sub-system of hylafax. A local or remote user guessing the contents of
  the hosts.hfaxd database could gain unauthorized access to the fax
  system.

  http://www.linuxsecurity.com/content/view/117901

* Mandrake: Updated imlib packages fix
  12th, January, 2005

  Pavel Kankovsky discovered several heap overflow flaws in the imlib
  image handler. An attacker could create a carefully crafted image file
  in such a way that it could cause an application linked with imlib to
  execute arbitrary code when the file was opened by a user
  (CAN-2004-1025). As well, Pavel also discovered several integer
  overflows in imlib. These could allow an attacker, creating a
  carefully crafted image file, to cause an application linked with
  imlib to execute arbitrary code or crash (CAN-2004-1026).
  http://www.linuxsecurity.com/content/view/117902

+---------------------------------+
|  Distribution: Trustix          | ----------------------------//
+---------------------------------+

* Trustix: fcron, kernel vulnerabilities
  13th, January, 2005

  Security vulnerabilities have been found in fcronsighup, the program
  used by fcrontab to tell fcron it should reload its configuration.
  Fcron 2.9.5.1 fixes the reported bugs and improves fcronsighup's
  overall security.

  http://www.linuxsecurity.com/content/view/117918

* Trustix: glibc iproute setup tsl-utils bug fixes
  13th, January, 2005

  glibc: Added success/failure to nscd.init to make it consistent with
  other init scripts. iproute: Now make /etc/iproute2/* config(noreplace).
  setup: Added lmtp ports in /etc/services. tsl-utils: Now handle more
  release tags in kernel names. Take II.

  http://www.linuxsecurity.com/content/view/117919

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Updated lesstif package fixes image vulnerability
  12th, January, 2005

  An updated lesstif package that fixes flaws in the Xpm library is now
  available for Red Hat Enterprise Linux 2.1.

  http://www.linuxsecurity.com/content/view/117893

* RedHat: Updated unarj package fixes security issue
  12th, January, 2005

  An updated unarj package that fixes a buffer overflow vulnerability
  and a directory traversal vulnerability is now available.

  http://www.linuxsecurity.com/content/view/117894

* RedHat: Updated CUPS packages fix security issues
  12th, January, 2005

  Updated CUPS packages that fix several security issues are now
  available.

  http://www.linuxsecurity.com/content/view/117895

* RedHat: Updated nfs-utils package fixes security
  12th, January, 2005

  An updated nfs-utils package that fixes various security issues is now
  available.
  http://www.linuxsecurity.com/content/view/117896

* RedHat: Updated Pine packages fix security vulnerability
  12th, January, 2005

  An updated Pine package is now available for Red Hat Enterprise Linux
  2.1 to fix a denial of service attack.

  http://www.linuxsecurity.com/content/view/117897

* RedHat: Updated Xpdf packages fix security issues
  12th, January, 2005

  Updated Xpdf packages that fix several security issues are now
  available.

  http://www.linuxsecurity.com/content/view/117898

* RedHat: Updated libtiff packages fix security issues
  13th, January, 2005

  Updated libtiff packages that fix various integer overflows are now
  available.

  http://www.linuxsecurity.com/content/view/117906

* RedHat: Updated mozilla packages fix a buffer overflow
  13th, January, 2005

  Updated mozilla packages that fix a buffer overflow issue are now
  available.

  http://www.linuxsecurity.com/content/view/117907

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

* SuSE: libtiff/tiff remote system compromise
  10th, January, 2005

  Libtiff supports reading, writing, and manipulating of TIFF image
  files. iDEFENSE reported an integer overflow in libtiff that can be
  exploited by specific TIFF images to trigger a heap-based buffer
  overflow afterwards.

  http://www.linuxsecurity.com/content/view/117830

+---------------------------------+
|  Distribution: TurboLinux       | ----------------------------//
+---------------------------------+

* TurboLinux: php, httpd multiple vulnerabilities
  13th, January, 2005

  The vulnerabilities can allow remote attackers to cause a denial of
  service and possibly execute arbitrary code.

  http://www.linuxsecurity.com/content/view/117908

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
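The libc6 (catchsegv, glibcbug), bmv, lintian and vim entries in this
issue share one root cause: a helper script writes to a temporary path
that an unprivileged local user can predict and pre-create as a symlink.
As an added example, not part of this newsletter or of any package it
lists, the POSIX shell script below shows the defender's two halves. The
audit_tmp_patterns function is a hypothetical heuristic that greps a
directory of scripts for the predictable /tmp/name.$$ style; the
make_private_tmp function creates a file the safe way with mktemp and
then verifies it is a regular, non-symlink file owned by the caller with
mode 0600. The two sample scripts it scans are constructed for the demo.

```shell
#!/bin/sh
# Added example; not code from the newsletter or from any package it cites.
# Defensive pieces for the "insecure temporary file / symlink attack" class:
#   audit_tmp_patterns  - flag shell scripts that use /tmp/<name>.$$ and
#                         similar predictable names (hypothetical heuristic)
#   make_private_tmp    - create a temp file with mktemp (random name,
#                         exclusive create, mode 0600) and verify the result

# Scan *.sh under $1 for temp paths built from $$, $PPID or $USER, or for a
# redirect into a fixed /tmp/<name>; print each offending basename, sorted.
audit_tmp_patterns() {
    dir=$1
    for f in "$dir"/*.sh; do
        [ -f "$f" ] || continue
        if grep -Eq '/tmp/[A-Za-z0-9._-]*(\$\$|\$PPID|\$USER|\$\{USER\})' "$f" ||
           grep -Eq '>[[:space:]]*/tmp/[A-Za-z0-9._-]+([[:space:]]|$)' "$f"; then
            basename "$f"
        fi
    done | sort
}

# Create a private temp file under $1 and print its path. mktemp creates the
# file atomically with O_EXCL, so a pre-planted symlink makes it fail instead
# of being followed; the checks afterwards are what a script should hold
# before trusting the path.
make_private_tmp() {
    tmp=$(mktemp "$1/report.XXXXXXXXXX") || return 1
    [ -f "$tmp" ] && [ ! -L "$tmp" ] && [ -O "$tmp" ] || return 1
    # GNU stat first, BSD/macOS stat as fallback
    perms=$(stat -c '%a' "$tmp" 2>/dev/null || stat -f '%Lp' "$tmp")
    [ "$perms" = "600" ] || return 1
    printf '%s\n' "$tmp"
}

# Constructed scratch directory with two sample scripts (not real package
# scripts) so the demo runs offline; removed when the shell exits.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT

cat > "$DEMO/unsafe.sh" <<'EOF'
#!/bin/sh
# Predictable name under a world-writable directory: the symlink-attack pattern
echo "$1" > /tmp/segv.$$
EOF

cat > "$DEMO/safe.sh" <<'EOF'
#!/bin/sh
tmp=$(mktemp /tmp/segv.XXXXXX) || exit 1
echo "$1" > "$tmp"
EOF

# Stand-alone run: expect "unsafe.sh" to be flagged and safe.sh to pass.
audit_tmp_patterns "$DEMO"
make_private_tmp "$DEMO" >/dev/null && echo "private temp file created OK"
```

Run it as `sh audit_tmp.sh`; the audit prints only unsafe.sh, and the
safe path comes back from mktemp with the expected mode. Pointing
audit_tmp_patterns at a directory such as /etc/cron.daily or a package's
maintainer scripts is a cheap first pass for the pattern the advisories
describe, though a clean grep is not proof of safety, since wrappers and
fixed names under other shared directories are not covered.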
------------------------------------------------------------------------

From isn at c4i.org Mon Jan 17 01:23:08 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jan 17 01:34:13 2005
Subject: [ISN] Hacker can't hide from his past
Message-ID:

http://news.zdnet.com/2100-1009_22-5536822.html

By Robert Lemos
CNET News.com
January 14, 2005

For five years, Czech student Marek Strihavka programmed computer
viruses as part of the underground group 29A. A twist of fate, however,
has led the former virus writer to take a job stopping digital pests
like those he used to create.

About a year after leaving 29A, which takes its name from the base-16
representation of 666, the 22-year-old resident of Brno in the Czech
Republic became the main developer of Zoner Software's antivirus system.

Now Strihavka finds himself under attack. The Czech police have raided
his home and confiscated his computer equipment as part of an
investigation into the Slammer worm. In addition, some antivirus
companies are attacking Zoner for hiring a known virus writer.

In an interview with CNET News.com, the man who used to be "Benny"
claims that he never took part in spreading his programs on the Internet
and maintains that virus writers contribute to online security.

Q: Why did you join a virus-writing group like 29A? What is the purpose
of the group?

A: The purpose of 29A has always been technical progress, invention and
innovation of new and technically mature and interesting viruses. 29A
distances itself from virus-spreading, since 29A always tried to act as
a security group, not any cybergang, as has been portrayed in the media.
29A just wants to share ideas with others, and source code is a way of
expression. People that (have known me for) some time know very well
that I've always distanced myself from spreading (viruses) and that I
never did such a stupid thing. I am not a member of 29A anymore, since I
try to orient myself on my work, which I like as much as virus writing.
How many viruses have you coded? What sort of projects did you pursue
and why?

A lot. I don't know the exact number. But I always tried to come up with
something new, never seen before. I coded viruses for platforms that
were considered infect-resistant. I found some satisfaction in
programming, just because I like logical and abstract thinking. This is
not about any sort of "cyberterrorism."

Do you think that coding viruses has any ethical or moral implications?

Writing technically new and innovative viruses is like writing exploits
for new programs. Coming up with new ideas advances the Internet, since
it becomes more prepared against real attacks. I don't see anything
wrong with saying, "Hey! This can be abused! There is a bug! You are not
prepared for this!" without doing a single cent of real damage.

What has made you stop coding viruses? Do you still view the virus
underground in the same way?

I am still the same. I am still interested in computer security, but
now from the other side. I'm trying to fight viruses by finding better
ways of detection. I am glad that I can use the skills I achieved by
studying viruses in practice and real life.

Antivirus companies frequently say that no virus writer should ever have
a job in security. What are your views of this opinion?

That is funny. Why? Just because a lot of skilled virus writers already
have jobs in the antivirus industry. I don't want to cause any problems
to my friends, so I won't give concrete examples. But believe me, this
is just marketing theater for customers--the truth is a bit different.
In any event, who else should code antivirus programs? Who else has the
experience and technical skills for fighting viruses? Some antivirus
firms say that I have no moral right to do it, but...almost all
ex-members and current members of 29A are employed in the antivirus and
information technology security industry.

What sort of work do you do for Zoner?
Has your virus-writing experience made your programming better?

I take care of the ZAV (Zoner Antivirus) core--this means all those
low-level functions for scanning, unpacking, emulation, heuristics, ZAV
database maintenance and new detection patterns. Since elementary
school, I have been interested in computer viruses, and I focused on
computer security. So I think I am the right person to program
antivirus.

Should virus writers and releasers be tolerated on today's Internet?
Does your answer depend on how the Internet has changed or the
virus-writing community?

I think that source code is just a form of expression, and this should
be legal, since freedom of speech is protected. I never spread any of my
viruses, and I always thought doing so to be a stupid act. All that I am
interested in is programming--nothing else. The Internet is changing,
and spammers and phishers should not be tolerated, of course. But people
from 29A--and others who are only studying, publishing and not releasing
self-replicating programs--are the last people that cause any real or
virtual damage and should not be persecuted.

From isn at c4i.org Mon Jan 17 01:23:39 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jan 17 01:34:15 2005
Subject: [ISN] Experts warn of trick to bypass IE download warnings
Message-ID:

http://www.nwfusion.com/news/2005/0114experwarn.html

By Paul Roberts
IDG News Service
01/14/05

A computer security researcher and an anti-virus company are warning
Microsoft customers about an unpatched hole in the company's Internet
Explorer Web browser that could allow a remote attacker to bypass
security warnings and download malicious content onto vulnerable
systems.

The warnings came after the hole was identified on the Bugtraq Internet
security discussion list by someone using the name "Rafel Ivgi." The
hole affects Internet Explorer (IE) version 6.0.0, including the version
released with Windows XP Service Pack 2.
The vulnerability allows malicious attackers to bypass warnings designed
to inform users when a file is being passed to their computer using a
specially-crafted HTML Web document. Microsoft was not able to comment
on the hole in time for this story.

Security software company Symantec issued a vulnerability alert about
the hole Friday and cited Ivgi, who also provided code proving that the
hole existed.

According to the Bugtraq message and Symantec alert, an IE feature
designed to catch references to file downloads does not detect a
particular HTML event, known as "onclick," when it is combined with the
common HTML tag which designates the beginning and ending of the main
part of a Web page.

Malicious Internet users could use the onclick event in combination with
another function called "createElement" to create an IFRAME, or "inline
frame," which is an HTML element that allows external objects to be
inserted into another HTML document. Attackers could link the IFRAME to
a malicious Web page that downloaded a malicious file to the user's
computer when the page was clicked on, without generating a warning in
the Information bar, Symantec said.

There is no patch available for the new hole, and no specific exploit
code is required to take advantage of the hole, Symantec said. IE users
are advised to avoid links provided by unknown or untrusted sources, to
keep from being lured to a malicious Web site. IE users can also
configure the browser to disable the execution of script code and active
content, though doing so could have adverse effects on the way IE
functions, Symantec said.

The news comes just three days after Microsoft issued software patches
for several serious Windows security holes and released a new tool that
lets users remove malicious software from their PCs, and amid increasing
competition in the Web browser market from the Mozilla Foundation's
Firefox browser.
On Tuesday, the Redmond, Wash., software company published security bulletins and patches for two critical holes, one in the Windows HTML Help system and the other in Windows code that handles cursor, animated cursor and icon formats.


From isn at c4i.org Mon Jan 17 01:23:27 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jan 17 01:34:17 2005
Subject: [ISN] Bellua Cyber Security Asia 2005
Message-ID:

Forwarded from: Anthony Zboralski

Dear all,

Bellua Cyber Security Asia 2005 - http://www.bellua.com/bcs2005
The Largest Hacking and Security Conference in Asia.

JAKARTA - 17 January 2005 - The largest hacking and security conference in Asia will take place in Jakarta, Indonesia at the Hotel Borobudur from 21st to 24th March 2005. Between 500 to 700 delegates and visitors are expected.

PT Bellua Asia Pacific is very pleased to announce that over 35 speakers and tutors from numerous disciplines will join Bellua Cyber Security Asia 2005 to discuss present and future information security issues through an intensive series of workshops, presentations, technical sessions and demonstrations. Some new attacks and vulnerabilities will be unveiled for the first time in Jakarta!

The conference talks will be spread across 2 concurrent tracks focusing on both business and technical aspects of information security. Ethical hacking & security contests will let novices develop their skills and challenge experts in their favorite arenas, allowing all a chance to win prizes. Business matchmaking sessions will also be run during the event.

Pricing: Online registration is now open! US$320 for early bird registration (until 15th February)!

Important dates:
21-22 March 2005: BCS Asia 2005 Workshops
23-24 March 2005: BCS Asia 2005 Conference

http://www.bellua.com/bcs2005/asia05.speakers.html

The Keynote Speakers:
Bapak DR. Sofyan Djalil, Minister of Communications and Information (Indonesia) [tentative]
Onno Purbo (Indonesia)

The Business Track:
John Grygorcewicz - The Importance of Security in Business Processes (Australia)
Fetri Miftach - Building Security into Treasury Systems (Indonesia)
Ralph K. Logan - The Practice and Business of Code Auditing (United States)
Emmanuel Gadaix - Telecom Security: Hacking SS7 Networks (France)
Fabrice Marie - Hacking Internet Banking Applications (France)
Philip Victor - Converging Security Awareness into the Organisation's Culture (Malaysia)
Jim Geovedi - Day to Day Security for Managers, Users and SMEs (Indonesia)
Gan Subramaniam - BS7799 a Journey not a Destination (United Kingdom)
John Howie - Compliance Management: Is Patch Management Dead? (United States)
Phil Leifermann - Enterprise Security Management (Australia)
Roberto Preatoni & Fabio Ghioni - Cyber Terrorism and Cyber War (Italy)

The Technical Track:
The Grugq - Digital Forensics and the Art of Anti-Forensics (United Kingdom)
Adam J. O'Donnell - The Interplay of Diversity and Security (United States)
David Maynor - DMA: The Unknown Attack Vector (United States)
Cesar Cerrudo - Windows IPC Exploitation (Argentina)
Archim - Sun Bloody Daft Solaris Mechanisms (United Kingdom)
Don Bailey "North" - Once a Thief, Kernel Rootkit (United States)
S.K. Chong - Windows Local Kernel Exploitation (Malaysia)
Fyodor Yarochkin & Meder Kydyraliev - Advanced Intrusion Data Normalisation and Correlation (Kyrgyzstan)
Julien Vanegue & Sebastien Soudan - Distributed Binary Manipulation (France)
Marc Schonefeld - Java & Secure Programming (Germany)
Shreeraj Shah - Web Application Kung-Fu, The Art of Defense (India)
Stefano Zanero - Unsupervised Learning for Intrusion Detection (Italy)

Panel Discussion: Honeypot & Honeynet
Ralph K. Logan - The Honeynet Project (United States)
Kamal Hilmi Othman - Honeypot and Internet Background Noise (Malaysia)
Marek Bialoglowy - Deploying Custom Honeypot to catch Insider Hackers (Poland)

Panel Discussion: The Security and Hacking Community
Skyper - Ralf Kaiser - Editor in Chief of Phrack Magazine
Onno Purbo - Internet For Every One (Indonesia)
Roberto Preatoni (Italy)

http://www.bellua.com/bcs2005/asia05.workshops.html

Business Workshops: (more workshops to be added soon)
John Ellingson - The Reality of Identity Theft - (1 Day)
Phil Leifermann - Enterprise Security Management - (1 Day)

Technical Workshops: (more workshops to be added soon)
The Grugq - Practical Digital Forensic Analysis and Incident Response (1 Day)
The Grugq - File System Intensive: Unix's File Systems (1/2 Day)
The Grugq - File System Intensive: Window's File Systems (1/2 Day)
Arian J. Evans - Web Application Exploitation in the Wild (1/2 Day)
Arian J. Evans - Building Secure Web Applications (1/2 Day)
Shreeraj Shah - Web Application: Attacks and Defense (2 Days)
Sensepost - Hacking by Numbers: Bootcamp Edition (2 Days)
Sensepost - Hacking by Numbers: Combat Edition (2 Days)
Jonathan Hassell - Deploying Network Access Quarantine Control in Windows (1/2 Day)
Marc Schonefeld - Ying and Yang of Java Security Programming (1/2 Day)
Don Bailey - Plan9: OS Internals from a Rabbit's Perspective (1/2 Day)
Cesar Cerrudo - Hacking and Defending MS SQL Server (1/2 Day)

Silver Sponsors: Bispro Consulting, M-Sistem
Bronze Sponsors: Telecom Security Task Force, Unipro
Media Partners: The Hacker's Choice, Phrack Magazine, Packet Storm, HackintheBox, HERT, ISN, Ebizzasia, Zone-H

Press Contacts:
Anthony Zboralski
PT Bellua Asia Pacific
+62 818 699 084
anthony.zboralski@bellua.com

For questions regarding event registration, please call +62 21 391 8330.
For questions regarding sponsorship, please call +62 818 699 084.
For general event questions, please email bcs2005@bellua.com.
--
Bellua Cyber Security Asia 2005 - http://www.bellua.com/bcs2005
21-22 March - The Workshops - 23-24 March - The Conference
bcs2005@bellua.com - Phone: +62 21 391 8330 HP: +62 818 699 084


From isn at c4i.org Mon Jan 17 01:23:53 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jan 17 01:34:19 2005
Subject: [ISN] ISP suffers apparent domain hijacking
Message-ID:

http://news.com.com/ISP+suffers+apparent+domain+hijacking/2100-1025_3-5538227.html

[I'll be willing to bet Panix's domain was hijacked largely in part due to the new ICANN Policy on Transfer of Registrations between Registrars. ( http://www.icann.org/transfers/policy-12jul04.htm ) I have heard about a number of high profile domain hijackings this weekend. - WK]

By Steven Musil
Staff Writer, CNET News.com
January 16, 2005

A New York Internet service provider said Sunday it was working to recover its domain name and e-mail services after suffering an apparent hijacking.

A Panix.com representative said ownership of the domain had been moved sometime Friday evening to a company in Australia, the domain name server (DNS) records had been moved to the United Kingdom, and that the company's mail had been redirected to a company in Canada.

"We are pulling our hair out here," said the representative, who spoke on condition of anonymity.

The company warned that most customers will either have no access to the Panix.com domain or will arrive at a false site. E-mail to the domain is being directed to the false site and "should be considered lost or compromised," the ISP said in its posting.

It is unclear how the domain could have been transferred without the consent of the owner, and the representative expressed frustration with the domain registrars.

"The registrars have not been as cooperative as common sense would dictate," the representative said.

As a temporary workaround, the company suggested using the Panix.net domain in place of the Panix.com domain.
The company said that it was working around the clock to recover the domain, but warned that may not happen until Monday due to time zone differences.

In September, German police said a teenager had admitted to hijacking the domain of the eBay Germany Web site. The domain hijack attack happened at the end of August when visitors to the eBay.de site were redirected to a different DNS, meaning that they could not access auctions.

Panix, which was founded in 1989, provides Internet access and e-mail services to New York City, Long Island, Westchester, Rockland County and New Jersey.


From isn at c4i.org Mon Jan 17 01:24:06 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jan 17 01:34:22 2005
Subject: [ISN] Man accused of 'zombie' web blitz
Message-ID:

http://news.bbc.co.uk/2/hi/uk_news/scotland/4175801.stm

14 January, 2005

A man has been arrested on suspicion of launching attacks over the internet after an operation between Scottish police and the US Secret Service.

A number of houses were searched in the Elgin area of north east Scotland on Friday and computers seized.

Officers were investigating attacks in which compromised computers - known as zombies - are used to flood websites with useless traffic.

A 27-year-old from Elgin is due to appear in court in the town on Monday.

The searches were carried out by officers from the Scottish Drug Enforcement Agency's (SDEA) National Hi-Tech Crime Unit.

They were part of Operation Casper, a joint investigation which has concentrated on what are known as "denial of service attacks".

A spokesman for the SDEA said these typically used hundreds of "compromised" computers to launch attacks.

"Over the past year we have seen a considerable rise in this type of attack, some of which also form the basis for extortion attacks," the SDEA said.
Its crime co-ordinator, Detective Chief Superintendent Stephen Ward, said: "Operation Casper has involved the SDEA working closely with the US Secret Service and is an excellent example of how law enforcement agencies, working together, can impact on internet-related crime.

"Business groups, organisations and individuals can all be subject of internet criminality and I would like to reiterate this agency's commitment to police this criminal behaviour in all its guises.

"The internet does offer criminals new ways of committing crime but it also offers investigative opportunities to law enforcement that the SDEA will continue to exploit."


From isn at c4i.org Mon Jan 17 01:24:24 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jan 17 01:34:25 2005
Subject: [ISN] Military eyes virtual war on terror
Message-ID:

Forwarded from: William Knowles

http://www.gcn.com/vol1_no1/daily-updates/34817-1.html

By Susan M. Menke
GCN Staff
01/14/05

Terrorists are turning our own inventions against us, says military theorist Capt. Terry Pierce, an associate dean at the Naval Postgraduate School in Monterey, Calif.

"The 9/11 terrorists took existing technology that we invented, airliners, and turned them into bombs," he said. Terrorists are using other technologies we invented, such as the Internet, mobile phones and instant messaging, that have a global reach.

The U.S. military is "very good at fighting force-on-force or state-on-state," Pierce said. "The terrorists can't compete with us at that level, so they go to a different level. They become embedded within the population. We have to go to a different method ... to separate them from the civilians."

Pierce said the postgraduate school, Office of Naval Research and Homeland Security Department are all working on so-called precipitating technologies to decloak the terrorists. "We've accepted that terrorists are operating in this new domain," he said.
Although Pierce cited technological innovations such as unmanned aerial vehicles and microsatellites as "potentially very disruptive," he said it is equally important to develop social science constructs by studying how terrorists form worldwide networks.

Another weapon, he said, is the joint expeditionary strike group, commanded by leaders who are not afraid to exploit technology in unexpected ways. In one ESG exercise he participated in, Pierce said, "we took advantage of the fact that we were so far away from Washington and could do some innovative things. The sailors and Marines experimented with technology in different ways without the typical oversight by contractors telling them how to use it."


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*


From isn at c4i.org Tue Jan 18 06:37:43 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jan 18 06:45:16 2005
Subject: [ISN] Canadian lawsuit raises messaging privacy issue
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,98979,00.html

By Jaikumar Vijayan
JANUARY 14, 2005
COMPUTERWORLD

Private messages exchanged using corporate BlackBerry wireless devices may not be quite so private after all.

In a lawsuit filed in Toronto this week, the Canadian Imperial Bank of Commerce (CIBC) submitted scores of BlackBerry e-mails and messages as evidence that several former executives took confidential information from the company and tried to recruit others while they were still employees at the bank. The lawsuit was filed against Genuity Capital Markets, a Toronto-based investment management firm started by six former employees of CIBC.
The messages submitted as evidence include so-called PIN messages sent between users with the BlackBerry's personal identification numbers instead of e-mail addresses. This form of BlackBerry communication is generally considered more private than using e-mail addresses because PIN messages are sent directly from one BlackBerry device to another. Standard BlackBerry e-mails, on the other hand, are routed via a BlackBerry Enterprise Server and can be logged and archived like any other e-mail messages.

BlackBerry devices are manufactured by Waterloo, Ontario-based Research In Motion Ltd., which claims more than 2 million subscribers at thousands of companies worldwide.

"PIN messaging is common in financial circles and workgroups," said an executive at a Toronto-based technology vendor who asked not to be identified. "It's kind of like an SMS or instant message" that can't be monitored or logged by the BlackBerry Enterprise Server itself, the executive said. As a result, many use the feature to exchange private and sensitive information with one another.

The fact that CIBC logged such messages is bound to come as a surprise to many users, said Thomas Smith, a director of the International BlackBerry User Group in Mountain View, Calif.

"I wasn't aware that PIN messages could be logged, but I'm not completely shocked either," said Smith, who administers more than 500 BlackBerry devices at the Houston-based company he works for. He asked that the company not be named.

Users of such devices "without question" believe that PIN messages can't be logged, Smith said.

That's a mistake, said Rob Moffat, president of Wallace Wireless, a vendor of software for BlackBerry devices in Amherst, N.Y. "There is some misunderstanding about the ability to archive such messages," he said. "The perception is that people can send PIN messages and there's no traceability."
The reality is that such messages can indeed be logged, said Moffat, whose company sells software that, among other things, allows companies to log BlackBerry PIN communications. The function has been available as a rarely used part of a broader business continuity software suite for some time now. But it's increasingly being used by financial services companies and government organizations to log BlackBerry communications, he said.

"There's specific Nasdaq, NASD and Sarbanes-Oxley stuff that these companies need to comply with," Moffat said.

The news should come as no surprise to security professionals, said Pete Lindstrom, an analyst at Malvern, Pa.-based Spire Security LLC. "Most people think of peer-to-peer communications as being a person-to-person thing. But somewhere in between there's almost always a server intercepting this stuff and logging it."


From isn at c4i.org Tue Jan 18 06:38:00 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jan 18 06:45:18 2005
Subject: [ISN] Linux fights off hackers
Message-ID:

http://www.vnunet.com/news/1160588

Iain Thomson
vnunet.com
17 Jan 2005

Linux systems are getting tougher for hackers to crack, security experts have reported today.

A study by not-for-profit IT security testing organisation Honeynet Project [1] has shown that, on average, Linux systems today take three months to fall prey to hackers, up from 72 hours in equivalent tests conducted between 2001 and 2002.

The 2004 results came after a team of researchers set up 19 Linux and four Solaris 'honeypots' in eight countries including the UK. Honeypots are unpatched internet-connected computers designed to be targets for hackers.

"Default installations of Linux distributions are getting harder to compromise," said the report.
"New versions are more secure by default, with fewer services automatically enabled, privileged separation in services such as OpenSSH, host-based firewalls filtering inbound connections, stack protection for common threats and other security mechanisms."

During the tests only four Linux honeypots were compromised (three running Red Hat 7.3 and one with Red Hat 9). Two of those systems were broken by brute force password attacks rather than by operating system vulnerabilities.

By contrast unpatched Windows systems exposed in a similar way in tests last year by Symantec lasted a few hours, or in some cases minutes.

But there was bad news for Solaris users, with three out of the four honeypots running Solaris 8 or 9 hacked within three weeks. However, a fourth has been online for six months without being compromised.

[1] http://project.honeynet.org/


From isn at c4i.org Tue Jan 18 06:38:11 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jan 18 06:45:21 2005
Subject: [ISN] Microsoft to become security outfit by next month
Message-ID:

http://www.theinquirer.net/?article=20745

By Nick Farrell
17 January 2005

AN ANALYST at corporate crystal ball gazers, JP Morgan, is predicting that the Mighty Microsoft will penetrate the anti-virus market by February 15th.

Adam Holt says that he sees Supreme Vole Bill Gates standing before a large group of people showing them his latest big offering. It looks like it might be the RSA Security conference in San Francisco on February 15, where Gates is down as the guest speaker.

Holt didn't say if he saw people applauding or booing, but he expects the program to be on sale in the third quarter, probably as a subscription service, to compete with Symantec and McAfee. There might be several different protection programs bungled, er, bundled into the service.

A spokesVole declined to comment on the astounding predictions when Bloomberg hacks rang her up. However, we have to admit it is a pretty good bet that it will happen.
Our very own INQ augurer reports that the liver of the lamb he hit with his Jaguar over the weekend indicated somewhere along the ides of February for the announcement too.

Microsoft bought AV maker Giant last month and promptly released its anti-spyware hastily re-dressed in Vole's colours. Giant has other AV software which probably just needs a similar treatment before becoming VoleWare.


From isn at c4i.org Tue Jan 18 06:38:26 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jan 18 06:45:23 2005
Subject: [ISN] Phishers, virus writers exploit tsunami disaster
Message-ID:

http://star-techcentral.com/tech/story.asp?file=/2005/1/18/technology/9933974&sec=technology

January 18, 2005

PETALING JAYA: Computer security firms have issued warnings about phoney e-mail and fraudulent websites that seek to exploit the Asian Tsunami disaster to steal confidential data or spread malicious viruses.

Sophos Plc has discovered a mass-mailing worm that poses as a plea for donations. The VBSun-A worm (W32/VBSun-A) spreads via e-mail, tempting innocent users into clicking its malicious attachment by pretending to be information about how to donate to a tsunami relief effort.

However, running the attached file will not only forward the virus to other Internet users but can also initiate a denial-of-service (DoS) attack against a German hacking website, the British antivirus company said in a statement. A DoS attack seeks to crash a webserver by overloading it with a flood of requests for data.

E-mail sent by the VBSun-A worm arrives with the subject line "Tsunami Donation! Please help!" and the message text "Please help us with your donation and view the attachment below! We need you!" The worm has an attachment named "tsunami.exe." Sophos recommends that recipients delete the e-mail and not open the attachment.
"Duping innocent users into believing that they may be helping the tsunami disaster aid efforts shows virus writers stooping to a new low," said Graham Cluley, senior technology consultant at Sophos. "This gruesome insensitivity is a despicable ploy to get curious computer users to run malicious code on their computers.

"Everyone should be wary of unsolicited e-mail attachments, and visit the established charity websites (www.google.com/tsunami_relief.html) instead if they wish to assist those suffering as a result of the disaster," he added.

Further details about VBSun-A can be found at www.sophos.com/virusinfo/analyses/w32vbsuna.html.

VBSun-A is not the first virus to try and take advantage of the tsunami disaster, Sophos said. The VBS/Geven-B worm tried to spread a sick message earlier this month that the tsunami was God's revenge on "people who did bad on Earth."

Not only have criminals in Taiwan sent SMS (short message service) messages posing as the Red Cross, but a variety of fraudulent e-mail and phishing websites impersonating donation collection sites have also cropped up, warned Tokyo-based antivirus company Trend Micro Inc.

Such cases have already cropped up in Australia, Canada, China, England, Singapore and the United States, Trend Micro said in a statement. These cases include e-mail messages that give account information for wiring donations or links to what appear to be relief websites.

Trend Micro said donors should be careful when using search engines to find relief organisations. One such donor used a search engine to find the China Charity Federation's website; the organisation's actual website is www.chinacharity.cn, but instead he found www.chinacharity.cn.net (an additional .net was present).

Donors should make certain they are donating money to an actual charitable organisation, and not a phisher posing as one.
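A mail-gateway triage routine for the two lures described above, added here as an example (it is not Sophos's or Trend Micro's code): it flags an executable attachment on a donation-themed message, as in the VBSun-A lure, and any link whose host is not under an allowlisted charity domain, telling the look-alike www.chinacharity.cn.net apart from the real www.chinacharity.cn. The allowlist and the three sample messages are constructed for the demo.

```python
"""Mail-gateway triage for tsunami-themed lures (added example, not vendor code).

Flags: (1) an executable attachment on a donation-themed message, like the
VBSun-A lure (subject "Tsunami Donation! Please help!", file "tsunami.exe");
(2) links whose host is not under an allowlisted charity domain, separating a
look-alike (www.chinacharity.cn.net) from the real www.chinacharity.cn;
(3) link text that shows one host while the href points at another.
The allowlist and the sample messages below are constructed for the demo.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed allowlist: these domains and all of their subdomains are acceptable.
TRUSTED_CHARITY_DOMAINS = {"chinacharity.cn", "redcross.org"}

DONATION_WORDS = re.compile(r"\b(tsunami|donat(e|ion)s?|relief|victims?)\b", re.I)
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Host-looking text, with or without a scheme, inside the visible link text.
SHOWN_HOST_RE = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)


def host_verdict(host: str) -> str:
    """'trusted': an allowlisted domain or a subdomain of one.
    'lookalike': borrows a trusted name as part of a host registered elsewhere.
    'unknown': anything else."""
    host = host.lower().rstrip(".")
    for trusted in TRUSTED_CHARITY_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return "trusted"
    for trusted in TRUSTED_CHARITY_DOMAINS:
        if trusted.split(".")[0] in host:
            return "lookalike"
    return "unknown"


def check_link(href: str, visible_text: str = "") -> list[str]:
    """Findings for one link: untrusted or look-alike host, or text/href mismatch."""
    findings = []
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return findings
    verdict = host_verdict(host)
    if verdict != "trusted":
        findings.append(f"{verdict} link host: {host}")
    shown = SHOWN_HOST_RE.search(visible_text)
    if shown and shown.group(1).lower() != host:
        findings.append(f"link text shows {shown.group(1).lower()} but points at {host}")
    return findings


def triage(raw_message: str) -> list[str]:
    """Findings for one RFC 822 message; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    findings: list[str] = []
    donation_themed = bool(DONATION_WORDS.search(msg.get("Subject", "")))
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(EXECUTABLE_EXT):
            what = ("executable attachment on donation-themed message"
                    if donation_themed else "executable attachment")
            findings.append(f"{what}: {filename}")
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue  # multipart containers and binary parts carry no links
        payload = part.get_payload(decode=True) or b""
        body = payload.decode(part.get_content_charset() or "utf-8", "replace")
        if ctype == "text/html":
            for href, text in ANCHOR_RE.findall(body):
                findings.extend(check_link(href, re.sub(r"<[^>]+>", "", text)))
        else:
            for url in URL_RE.findall(body):
                findings.extend(check_link(url))
    return findings


# Constructed sample shaped like the VBSun-A lure; the "attachment" is just text.
WORM_LURE = """\
Subject: Tsunami Donation! Please help!
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please help us with your donation and view the attachment below! We need you!
--b1
Content-Type: application/octet-stream; name="tsunami.exe"
Content-Disposition: attachment; filename="tsunami.exe"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBwcm9ncmFt
--b1--
"""

# Constructed sample using the look-alike domain the article describes.
LOOKALIKE_PHISH = """\
Subject: Help the tsunami victims
Content-Type: text/html

<html><body><p>Donate to the China Charity Federation:
<a href="http://www.chinacharity.cn.net/donate">www.chinacharity.cn</a></p></body></html>
"""

# Constructed sample that should pass: a plain link to an allowlisted domain.
CLEAN_UPDATE = """\
Subject: Tsunami relief update
Content-Type: text/plain

Read the latest at https://www.redcross.org/tsunami
"""

if __name__ == "__main__":
    for name, raw in (("worm lure", WORM_LURE), ("look-alike", LOOKALIKE_PHISH),
                      ("clean", CLEAN_UPDATE)):
        print(name, "->", triage(raw) or "no findings")
```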
They should also NOT forward e-mail asking for donations without first confirming their authenticity, in order to prevent more victims from falling prey.

In addition, users should not click on any links in the body of an e-mail, even if it is a known address -- these addresses should be typed manually into the address bar.

If an e-mail soliciting donations is suspicious, users can forward it to Trend Micro as an attachment (do not forward directly as the body of the e-mail) to let experts determine its authenticity free of charge:

Suspicious e-mail containing links: antifraud@support.trendmicro.com.
Suspicious e-mail not containing links: hoaxes@support.trendmicro.com.

Nigerian scam

Trend Micro also warned that the infamous Nigerian Letter scam operators have "revamped" their fraudulent practice -- which usually takes the form of seeking help from outsiders to transfer hundreds of millions of dollars in a frozen account -- to now enable a businessman to donate billions of dollars to relief efforts.

The e-mail claiming to be from a rich businessman who is dying from oesophageal cancer appears with the subject "HOW YOU CAN BE OF HELP TO TSUNAMI VICTIMS." The body of the text includes a lengthy letter, explaining how the author contracted cancer and will not live long, and is willing to donate his US$1.2bil (RM4.6bil) located in a European bank to the victims of the tsunami.

The letter says, "I will want you to assist me transfer this deposit into your bank account and dispatched (sic) it to TSUNAMI VICTIMS. Please kindly contact me through my private e-mail address below."

Trend Micro reminded users not to make contact as requested if they receive this e-mail -- not only will they not receive their "service fee," but they might also see their own savings washed away.

Sri Lankan 'phisherman'

The company said it also recently received fraudulent e-mail in Australia claiming to be from a victim of the disaster.
The apparent author of the letter, Ram-Kisha Narayan, claims to be a fisherman from Sri Lanka whose wife and three children died in the tsunami, while his house and fishing boat were swept away, along with half of the houses in his village.

The letter states that he is seeking financial assistance for all the fishermen in his village so that their fishing boats can be repaired or replaced, and their livelihoods restored.

The village described in the letter is Kalutara, a resort town south of the capital Colombo. An Associated Press report showed comparison photos of this area before and after the tsunami, leaving a deep impression in many people around the world.

The suspicious part of this e-mail is that the bank account information included is at Postbank in the Netherlands, Trend Micro noted.

Another e-mail from Phuket vividly describes the tsunami washing away the alleged author's family, "... my beautiful daughter was calling me daddy to come and save her, but there was nothing I could do, because the flood was very heavy and dangerous."

The moving letter asks for financial assistance to be wired to London through Western Union, as locals there are helping him rebuild his life.


From isn at c4i.org Tue Jan 18 06:38:38 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jan 18 06:45:27 2005
Subject: [ISN] Panix recovers from domain hijack
Message-ID:

http://www.theregister.co.uk/2005/01/17/panix_domain_hijack/

By John Leyden
17th January 2005

Updated - The hijack of its domain name on Friday (14 January) has thrown the operations of a New York ISP into turmoil. Panix staff worked around the clock over the weekend to recover services after the rug was pulled out from under its business.

"Panix's main domain name, panix.com, has been hijacked by parties unknown," the ISP said in a statement on a temporary site Panix.net.
"The ownership of panix.com was moved to a company in Australia, the actual DNS records were moved to a company in the United Kingdom, and Panix.com's mail has been redirected to yet another company in Canada."

"For most customers, accesses to Panix using the panix.com domain will not work or will end up at a false site... as a temporary workaround, you can use the panix.net domain in place of panix.com."

Panix warned customers that hijackers could have captured passwords inadvertently submitted to the bogus site.

By Sunday, Panix had recovered its Panix.com domain from Australian domain hosting / registration firm Melbourne IT, where the purloined domain was parked, back to its natural home at Dotster. Root servers have already been updated but the distributed nature of the net's Domain Name System means that it will take up to 24 hours before normality is restored fully.

Domain transfer rules that came into effect last November mean that inter-registry transfer requests are automatically approved after five days unless countermanded by the owner of a domain. Contrary to our earlier report speculating that Panix may have fallen foul of these rules, the company said its domain was taken without any warning.

Panix, established in 1989 and New York's oldest commercial ISP, said neither it nor its registrar received any notification of the proposed changes. Ed Ravin, systems administrator at Panix, added: "Our registrar, Dotster, told us that according to their system, the domain had not been transferred, even though the global registry was pointing at Melbourne IT. Something went wrong with the Internet registry system at the highest levels."

Domain hijacks were a problem even before ICANN's revised rules came into effect. Last September, German police arrested a teenager who admitted hijacking the domain of eBay Germany as part of a "prank". Visitors to eBay Germany were redirected to a site hosted by internet provider Intergenia AG.
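The incident above argues for a check the owner runs independently of the registrar: record the sponsoring registrar, the lock statuses, the NS set and the MX set for a domain, and diff every fresh snapshot against that baseline, so registration, name servers and mail moving together is raised as a probable hijack rather than noticed by customers. This is an added example, not Panix's or any registrar's code; the registrar names come from the article, every host name is a constructed placeholder, and nothing is queried live (a real monitor would fill each Snapshot from WHOIS/RDAP and DNS).

```python
"""Registration/delegation drift check for a domain (added example, not Panix's
or any registrar's code). A Snapshot holds what a monitor would collect from the
registrar (sponsoring registrar, EPP status codes) and from DNS (NS and MX
sets). Diffing a fresh snapshot against the owner's baseline catches the
panix.com pattern: registration, name servers and mail all moved at once.
All host names below are constructed placeholders; nothing is queried live."""
from dataclasses import dataclass

# EPP status codes that a registrar lock sets; their absence is itself a finding.
LOCK_STATUSES = frozenset({"clientTransferProhibited", "clientUpdateProhibited",
                           "clientDeleteProhibited"})
# Inter-registrar transfers are auto-approved after five days unless the owner
# objects (the policy the article refers to), so checks must run well inside that.
TRANSFER_AUTO_APPROVE_DAYS = 5


@dataclass(frozen=True)
class Snapshot:
    domain: str
    registrar: str
    statuses: frozenset[str]
    nameservers: frozenset[str]
    mail_exchangers: frozenset[str]


def check_locks(snap: Snapshot) -> list[str]:
    """Report each registrar-lock status the domain is currently missing."""
    return [f"{snap.domain}: missing {s}" for s in sorted(LOCK_STATUSES - snap.statuses)]


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> dict[str, object]:
    """Return what changed between the owner's baseline and the current state."""
    changes: dict[str, object] = {}
    if baseline.registrar != current.registrar:
        changes["registrar"] = (baseline.registrar, current.registrar)
    for label, old, new in (("NS", baseline.nameservers, current.nameservers),
                            ("MX", baseline.mail_exchangers, current.mail_exchangers)):
        if old != new:
            changes[label] = (sorted(new - old), sorted(old - new))  # (added, removed)
    lost = sorted((baseline.statuses & LOCK_STATUSES) - current.statuses)
    if lost:
        changes["locks_removed"] = lost
    return changes


def severity(changes: dict[str, object]) -> str:
    """'critical' when the registration moved together with delegation or mail
    (the Panix pattern), 'warning' for any other drift, 'ok' for none."""
    if not changes:
        return "ok"
    if "registrar" in changes and ("NS" in changes or "MX" in changes):
        return "critical"
    return "warning"


def max_check_interval_hours() -> int:
    """Poll at least twice inside the transfer window, so an unexpected pending
    transfer can still be countermanded before it is auto-approved."""
    return TRANSFER_AUTO_APPROVE_DAYS * 24 // 2


# Constructed baseline: registrar and locks as the owner expects them, with
# placeholder name-server and mail hosts.
BASELINE = Snapshot(
    domain="panix.com", registrar="Dotster", statuses=LOCK_STATUSES,
    nameservers=frozenset({"ns1.placeholder.example", "ns2.placeholder.example"}),
    mail_exchangers=frozenset({"mail.placeholder.example"}),
)
# Constructed "after" snapshot shaped like the incident: registration parked at a
# different registrar, NS moved to one outside host, MX pointed at another.
HIJACKED = Snapshot(
    domain="panix.com", registrar="Melbourne IT", statuses=frozenset({"ok"}),
    nameservers=frozenset({"ns.uk-host.example"}),
    mail_exchangers=frozenset({"mx.ca-host.example"}),
)

if __name__ == "__main__":
    changes = diff_snapshots(BASELINE, HIJACKED)
    print(severity(changes), changes)
    print(check_locks(HIJACKED))
    print("check at most every", max_check_interval_hours(), "hours")
```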
Netcraft advises users to 'lock up' domains to safeguard against the possibility of "errant transfers". Even this safeguard is not foolproof, according to Panix, which said taking this precaution failed to stop its domain being hijacked.


From isn at c4i.org Tue Jan 18 06:38:53 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jan 18 06:45:31 2005
Subject: [ISN] Hacker breaches computers that store UCSD Extension student, alumni data
Message-ID:

http://www.signonsandiego.com/news/education/20050118-9999-1m18hack.html

By Eleanor Yang
UNION-TRIBUNE STAFF WRITER
January 18, 2005

A hacker breached the security of two University of California San Diego computers that stored the Social Security numbers and names of about 3,500 students and alumni of UCSD Extension.

The breach, which left the personal information exposed for as long as a couple of days, is the third such incident at UCSD in the past year. University officials said yesterday that there is no evidence of identity theft.

An investigation showed the hacker was using the servers to store music and movies, UCSD spokeswoman Dolores Davies said.

"This one was a real low-level breach," Davies said. "The exposure time was real short. Still, it's something we take seriously."

UCSD Extension provides a range of continuing-education and certificate programs. Those people affected had completed work on a UCSD Extension certificate within the past five years.

The breach was discovered in mid-November, and those who were affected were mailed notification letters the first week of January.

Under state law, companies and state agencies are required to contact those whose computerized personal information, including Social Security numbers, has been compromised. The notification letter recommends that recipients get a copy of their credit report and place fraud alerts on their credit files to avoid identity theft.
Officials said it took two months to notify those who were affected because officials first needed to determine the extent of the breach.

While most of the university has phased out using Social Security numbers for identification purposes, those stored on the server were among the last used for that reason, UCSD officials said.

Last spring, hackers breached security at the San Diego Supercomputer Center and the university's Business and Financial Services Department. In the larger of the two security breaches, four computers storing Social Security and driver license numbers for 380,000 UCSD students, alumni, faculty, employees and applicants were targeted. University officials said they don't know of any problems with identity theft following that incident.

For those with questions about the UCSD Extension breach, the university has set up a hotline: (858) 534-0427.


From isn at c4i.org Tue Jan 18 06:39:08 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jan 18 06:45:33 2005
Subject: [ISN] Hacker reads Paris Hilton's e-mail
Message-ID:

http://msnbc.msn.com/id/6836110/

By Jeannette Walls
MSNBC
Jan. 18, 2005

Poor Paris Hilton doesn't have too much luck when it comes to privacy issues.

The partying heiress has been the victim of a hacker who somehow got access to her Blackberry and was reading her private e-mails, says a source. "It became obvious to her what was going on," says the source. "She was pretty upset about it. It's one thing to have people looking at your sex tapes, but having people reading your personal e-mails is a real invasion of privacy."

Hilton's rep couldn't be reached for comment.


From isn at c4i.org Wed Jan 19 02:54:06 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jan 19 02:59:48 2005
Subject: [ISN] Think like a hacker (Two messages)
Message-ID:

Forwarded from: Jason Scott

Hello, William.
Once the documentary I'm working on is done, I'm turning back to look at journalistic overviews of Hackers, and while there have been many people who have done good work, a lot of it would best be defined as "suspect". In this case, I was idly wondering why I'd never heard of Deb Radcliff's "Best-Selling" Mitnick book. I've wasted a bit of time this early morning trying to match her name to it, and I am, simply, failing. Obviously, she didn't write a book on Mitnick; she did some sort of research for another book on Mitnick, but which one? What got me going on this was the word "best-selling". Authors don't write that their books are "best-selling" unless they, themselves, have something they are "selling". Dissing phone phreaking, which has specifically different nomenclature over the years but also contains a lot of rich history, also didn't help. This from someone who "spoke" at a HOPE conference, which itself is based off of a phreaking magazine; you'd think she'd give the term a tad more respect. My question is: what the hell is the book she so happily calls best-selling but won't bother giving the title of? Her own SITE won't even tell me: http://www.google.com/search?hl=en&lr=&safe=off&c2coff=1&q=+site%3Awww.deb.radcliff.com+mitnick I'm sorry, that's just suspicious behaviour. Why call something best-selling and not even tell you what it is? On Fri, 14 Jan 2005, InfoSec News wrote: > http://www.networklifemag.com/weblogs/securitychief/2005/007187.html > > By Deb Radcliff > Network Life, 01/09/05

-=-

Forwarded from: Jason Scott Further searching using Amazon's "Search Inside the Book" feature shows that Deb Radcliff is thanked by Jonathan Littman for editing help in his book "The Watchman: The Twisted Life and Crimes of Kevin Poulsen". Since Littman is also the author of "The Fugitive Game: Online with Kevin Mitnick", I am going to make the slight jump that this is the "Best-Selling" Kevin Mitnick book that she helped do research for.
She is, however, not thanked, mentioned or discussed in the book in any fashion that I could find. Is this it? Am I correct? Is she dropping Kevin Mitnick's name because she did some background checks for Littman for his Mitnick book? Disclosure: I really, really like Kevin Poulsen. He wrote the best article on me and my work that I've ever read. As a result I am not fond of Jonathan Littman and his work.

From isn at c4i.org Wed Jan 19 02:54:37 2005 From: isn at c4i.org (InfoSec News) Date: Wed Jan 19 02:59:50 2005 Subject: [ISN] Call for DEFCON Capture the Flag Organizers. Message-ID: Forwarded from: The Dark Tangent -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

Call for DEFCON Capture the Flag Organizers. - ----------------------------------- Wanted: An evil large multinational corporation, or... A nefarious group of genius autonomous hackers, or... A shadowy government organization from somewhere in the world To: Host, recreate, and innovate the world's most (in)famous hacking contest. Why: For everlasting fame, intrusive media interviews, the respect of your peers, or the envy of your enemies. Do you have what it takes and know what we're talking about? The Story: After taking it to the next level, creating a spectator sport out of geeks sitting at their keyboards 0wning machines, and fabulous recognition around the world, the Ghetto Hackers have retired their Root Foo as the hosts of DEFCON's Capture The Flag. Our contest is not over, merely in transition to the next keepers of the flame. This is the opportunity you and your crew, company, or government have been waiting for. You too can pour your heart and countless hundreds of hours into planning, producing, and executing the world's most famous contest of hacking skills. Like all of our contests, they are run by volunteers. Our intent is to make a game that's fun for its participants.
While the Ghetto did a fabulous job of allowing CTF to be a team and spectator sport through scoring visualizations, commentators, game updates, et cetera, this is not a requirement. They took it to a new level in one area, and you can take it to another. The heart of hacking has many facets. Your constraints: You must design a cool contest. This contest could have a multiplayer/team aspect, but does not have to. Your contest can be based on previous games, but shouldn't be a mere replication of previous games. You can determine the teams/participants before DEFCON, or at the conference. You can have multiple contests (for example, one contest with individuals, one with teams). You determine the constraints, size of teams, allowing remote teams to play, and more. You design the network topology. You determine the rules. Your group will determine the winner, and the losers. The idea behind this CFP is not to ask people to reproduce past Capture the Flags, but to have your group reinvent and create something new, based on the same ideas of creativity and energy. Challenge your friends! You MUST: Clearly communicate the rules to the participants before the contest, set up clear eligibility requirements (if any) before the conference, set up the network, provide any infrastructure that you wish to be part of the game, referee the game while it is taking place, create a scoring system, and determine winners. The easier it is for contestants to understand how to win, the more fair the contest will feel. The contest must end no later than two hours before the end of DEFCON (5pm Sunday) in order to provide time for final scoring and the awards ceremony. Your contest MUST NOT: Interfere with the DEFCON networks (ie: it must be a separate network), interfere with the 'live internet', involve non-consensual parties (ie: anyone who hasn't explicitly agreed to take part in the contests), take bribes that are not equally shared with the DEFCON staff.
In the past network traffic on CTF has been captured for later forensic analysis by groups such as shmoo, and Source Fire and shared with the community to further IDS and network sniffer developers. Expect that we will give access to those wanting to capture traffic while not actively participating in the contest. Suggestions: Allowing 'lone gunmen' to participate (not require group play). This could be a separate contest, or they could participate in competition with teams (handicaps for teams, perhaps) Allowing 'outside players', perhaps a VPN connection with one representative at DEFCON, the rest of a shadowy team located elsewhere on the globe. Incorporating non intrusion/defense techniques to the game - steganography, covert communication channels, riddles/puzzles, social engineering, hardware hacking, radio direction finding, etc. A 'theme' (like forensics, covert channels, attacking, defending, application security, host security, etc.) that would be announced beforehand with the contest focused around the theme. You will be judged: On any innovations or revolutionary enhancements to the game. On the feasibility of your team getting all the work done (note: we will publicly humiliate you if you get accepted and fail to perform!). On the amount of fun (as measured in FunMeters) that participants will have. Resources we can provide: Badges to the conference and access to the CTF area for setup on Thursday, the day before the con. Physical space roughly equal to that which has been provided at past DEFCONs. Tables for participants to use. Screens and LCD projectors to display data with. Network connections from the net if necessary. Some network gear and power strips - please let us know early what you need so we can plan for it. Prizes for the winning people or teams. Research pointers: If you haven't been to DEFCON before, you should understand the environment your contest must operate in! http://www.defcon/ will get you started.
These may help give you an idea about past contests, what has worked, and what hasn't. Ceazar gave a presentation on running hacking contests at Black Hat Asia (learn from a master): http://www.blackhat.com/presentations/bh-asia-04/bh-jp-04-pdfs/bh-jp-04-eller/bh-jp-04-eller.pdf Shmoo's CTF sniffing project: http://www.shmoo.com/cctf/ DC 10 Rules: http://www.DEFCON.org/html/DEFCON-10/dc-10-post/DEFCON-10-ctf-rules.html DC 11 CTF Announcement: http://www.DEFCON.org/html/DEFCON-11/events/dc-11-ctf-teams.html White paper on a team's participation: http://www.cse.ogi.edu/~crispin/discex3_autonomix_DEFCON.pdf Ceazar briefly discusses CTF before GH ran the contest: http://www.antioffline.com/10/ghettohackers.html While there is no formal submission form to fill out, you should address as many of these issues as you can. This will be a two way process if you make the initial cut. We want you to succeed as much as you do! Think long and hard if this challenge is for you and your friends, then contact ctf at defcon dot org with your proposal. A discussion area has been created on the DEFCON forums (http://forum.defcon.org/) under the DEFCON 13 Events section to cover new ideas, ask for feedback, and get an idea of what is going on.
Thank you, The Dark Tangent -----BEGIN PGP SIGNATURE----- Version: PGP 8.1 iQEVAwUBQe3i7w6+AoIwjTCUAQLTBQf8CIsYWP674Dyazq3kiYNukTR1lqEdAEQu VVeRruKe4IJ4eS+IqH/TTf0B2Eu42fjX6W/EHIhYeBrbQ8zSGxiGrozA6l1j+H78 uNlvWIB4BUhL3A0rR7neHrxodVXrp2XfRWTrZNtZoJbPSmYDhM5UGB6pgcClci/Z JhzR9oZ4Y9gQTBC7/bnNjt+Ps9BS6k3G5z6Zcg3Et+IfCXAxOFdeXtrTtUTKvm8Y zJ/Q9384KlZwsjT7HNE9IvBuKoRCrU7t7fdT8hX+wc6XbaZE0N3lgmMu3Ft/T1OW BpwwMDsGJ5sbHZAojlo1BC5h59awYelEdVg58Lj/pfIw2JpCMNu4WA== =z0od -----END PGP SIGNATURE----- From isn at c4i.org Wed Jan 19 02:54:49 2005 From: isn at c4i.org (InfoSec News) Date: Wed Jan 19 02:59:52 2005 Subject: [ISN] Hacker threat to Apple's iTunes Message-ID: http://news.bbc.co.uk/1/hi/technology/4184887.stm 18 January, 2005 Users of Apple's music jukebox iTunes need to update the software to avoid a potential security threat. Hackers can build malicious playlist files which could crash the program and let them seize control of the computer by inserting Trojan code. A new version of iTunes is now available from the Apple website which solves the problem. Security firm iDefence, which notified users of the problem, recommended that users upgrade to iTunes version 4.7.1. The problem affects all users of iTunes - Windows and Mac OS - running versions 4.7 and earlier. Users can automatically upgrade iTunes by opening the "look for updates" window in the program. The security firm says users should avoid clicking on or accessing playlist files - which have the file extension of .pls or .m3u - which have come from unknown sources. Itunes is the world's most popular online music store with more than 200 million songs downloaded since it launched in 2003. 
From isn at c4i.org Wed Jan 19 02:55:00 2005 From: isn at c4i.org (InfoSec News) Date: Wed Jan 19 02:59:54 2005 Subject: [ISN] Sidebar: Fill Your Jump Bag Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,98913,00.html By Dan Verton JANUARY 17, 2005 COMPUTERWORLD

A "jump bag" is a collection of critical items you might need during crisis response when an attacker invades your network. It should contain these items:

* Tape recorder or minidisk
* Backup media
* Binary backup software
* CDs with statically linked binaries of critical OS executables
* Forensic software
* Windows NT and 2000 resource kits
* Bootable CD-ROMs
* USB token memory device
* External hard drive
* Small hub
* Patch cables
* Laptop with dual operating system capability
* Call list and cell phone
* Plastic baggies for handling evidence
* Extra notebooks for taking notes

From isn at c4i.org Wed Jan 19 02:55:30 2005 From: isn at c4i.org (InfoSec News) Date: Wed Jan 19 02:59:56 2005 Subject: [ISN] Darwin flaws survive in Apple's Mac OS X Message-ID: http://news.com.com/Darwin+flaws+survive+in+Apples+Mac+OS+X/2100-1002_3-5540955.html By Robert Lemos Staff Writer, CNET News.com January 18, 2005

A source-code audit of the open-source operating system from which Apple Computer borrowed much of the code for Mac OS X revealed four vulnerabilities of varying severity in Apple's software, a security company said Monday. The flaws in Darwin affect Mac OS X version 10.3--dubbed Panther--and are caused by memory errors in the kernel, according to an advisory released by ImmunitySec, the security company that found the flaws. "In terms of criticalness, this kind of bug mostly affects remote systems with multiple users," said David Aitel, founder and security consultant with ImmunitySec, adding that since Mac OS X is most often used on the desktop, the flaws will not be overly important on most people's systems.
The company originally found the flaws in June and published them to a private list of customers but did not notify Apple. It published the flaws on Monday, after presenting them at a seminar. Apple confirmed that it had not been told of the flaws and said it was analyzing the vulnerabilities but would not elaborate. ImmunitySec found the flaws by analyzing the publicly available source code of the Darwin operating system, which implements a variant of Unix known as BSD. Darwin forms the core of Apple's modern Mac OS X operating system, and the flaws found by the security company also affected Apple's operating system. The flaws include a bug in Mac OS X's SearchFS function, several kernel memory overflows and a logic bug in the AT command, which is used to schedule tasks by the operating system.

From isn at c4i.org Wed Jan 19 02:55:46 2005 From: isn at c4i.org (InfoSec News) Date: Wed Jan 19 02:59:58 2005 Subject: [ISN] Book Review: Forensic Discovery Message-ID: http://books.slashdot.org/books/05/01/18/2110235.shtml [ http://www.amazon.com/exec/obidos/ASIN/020163497X/c4iorg - WK] Author: Dan Farmer & Wietse Venema Pages: 198 Publisher: Addison Wesley Professional Rating: 10 Reviewer: Ben Rothke ISBN: 020163497X Summary: Forensic Discovery overview

Security luminaries Dan Farmer and Wietse Venema wrote one of the first vulnerability scanners (SATAN) almost 10 years ago; SATAN was the precursor to ISS Scanner, Retina and nmap. Venema wrote such well-known security applications as the TCP Wrapper program and the Postfix mail server. Farmer and Venema's new book Forensic Discovery is a valuable book that grounds a computer-savvy reader in the world of digital forensics. An image of a pipe by artist René Magritte is on the cover with the caption Ceci n'est pas une pipe.
("This is not a Pipe.") The picture demonstrates that an object exists on many planes; the simple recognition of the picture initiates the belief that we are seeing something, but it is only known in representation. Surrealist painting and digital forensics coalesce in that the digital forensic investigator must think broadly and unconventionally in order to reconstruct an incident, all the time keeping in mind that often what initially seems obvious is neither real nor correct. The material in the book is an outgrowth of a one-time seminar the authors gave in 1999 on digital forensics and analysis. At the seminar, Farmer and Venema rolled out The Coroner's Toolkit (TCT), a collection of tools for gathering and analyzing forensic data on a Unix system. TCT is heavily referenced throughout the book. The book initially seems thin, at just 198 pages, but there is no filler and the information is presented in a fast and furious manner. Part one of the book comprises 35 pages and is an introduction to the foundations of digital forensics and what to look for in a digital investigation. Part two (chapters 3-6) is the nucleus of the book, which quickly gets into low-level details about file systems and operating system environments. While other forensics books focus exclusively on the discovery and gathering of data, Forensic Discovery adds needed insight on how to judge the trustworthiness of the observation and the data itself. Again, the idea is that not everything is as obvious as it may initially seem. An effective investigation often requires intense analysis, where meaningful conclusions take time. Chapter 4, "File System Analysis," notes that while computers have significantly evolved since their inception, little has changed in the last 30 years in the way that file systems actually handle data. Chapter 5, "Systems and Subversion," is particularly interesting as it deals with system startup and shutdown, from a forensics perspective.
The chapter shows that there are thousands of possible opportunities to subvert the integrity of a system without directly changing a file during startup and shutdown. A crucial decision that must be made during an incident is whether to shut down the system or let it remain on-line. There are advantages and disadvantages to each approach, and the book details them. Part three (chapters 7-8) is about the persistence of deleted file information. The authors' research reveals that data can be quite resistant to destruction. The book shows that a huge amount of data and metadata can survive intended deletion as well as accidental damage. Forensic Discovery is unusual in that other books on forensics are often nothing more than checklists and step-by-step instructions on what to do during an incident. Forensic Discovery provides a broad framework on the nature of data and how it can be recovered for forensic purposes. By understanding the underlying operating system, the act of analyzing and dealing with a security breach becomes much easier. The book's target reader is anyone who wants to deepen his understanding of how computer systems work, as well as anyone who is likely to become involved with the technical aspects of computer intrusion or system analysis. The topics are too advanced to make it the right book for the novice system administrator. For the technical reader, though, Forensic Discovery is one of the best computer security books published in the last year. The value of the information is immense, and the extensive experience that the authors bring is unmatched.
From isn at c4i.org Wed Jan 19 02:55:59 2005 From: isn at c4i.org (InfoSec News) Date: Wed Jan 19 03:00:02 2005 Subject: [ISN] Lapse at Melbourne IT Enabled Panix.com Hijacking Message-ID: http://news.netcraft.com/archives/2005/01/18/lapse_at_melbourne_it_enabled_panixcom_hijacking.html By richm January 18, 2005

Domain registrar Melbourne IT today acknowledged that it failed to properly confirm a transfer request for Panix.com, allowing the domain for the New York ISP to be hijacked for most of the weekend. The Panix incident has focused attention on recent ICANN rule changes that allow domains to be transferred more easily, which some registrars warned would also make it easier to hijack domains. The hijacking disabled all email and Internet access for thousands of Panix customers, and persisted despite active efforts by the North American Network Operators Group (NANOG) to assist Panix in recovering the domain. The delays were blamed on unresponsiveness by several providers within the domain management system, but especially Melbourne IT, which appears to have no readily-accessible support on weekends. The Panix.com hijacking was not reversed until Melbourne IT's offices opened in Australia Monday morning (late Sunday in New York). "There was an error in the checking process prior to initiating the transfer, and thus the transfer should never have been initiated," Bruce Tonkin, the chief technology officer of Melbourne IT wrote in a message to the NANOG mailing list. "The loophole that led to this error has been closed." Tonkin did not describe the "loophole" but said the transfer of the domain from Dotster to Melbourne IT was initiated through an account at a Melbourne IT reseller, which was set up using stolen credit cards. "That reseller is analysing its logs and cooperating with law enforcement," he wrote.
Tonkin's explanation solves the mystery of how the hijacking occurred, but will bring greater scrutiny of new ICANN rules implemented in November, which allowed transfers to proceed with a customer confirmation by the "gaining" registrar but without a similar approval by the "losing" registrar. Network Solutions and a number of other registrars locked down all customer domains as a precautionary step, warning that the changes could lead to hijackings. Domain locking prevents changes in the registrar, contact information and nameservers for a domain. Dotster did not automatically lock its domains, but Panix officials insisted that Panix.com had been locked. "No notification was received by either our registrar, Dotster, or us," Ed Ravin, systems administrator at Panix, told CIO Today. "Whoever did this found a way to transfer domains without going through the normal process, and it's possible that anyone else's domain could be hijacked the same way." Once Panix realized what had happened, it contacted .com registry operator VeriSign and tried to reach the registrars involved. "I spent *hours* trying to find working contact info for MIT and Dotster," Panix CEO Alex Rosen said. "I didn't find useful 24-hour NOC-type info anywhere. MIT apparently has no weekend support at all; I finally located their CEO's cellphone in an investor-relations web page." Melbourne IT, which sells its domains through Yahoo and many other hosting firms, defended its claim of 24/7 customer service for resellers and technical contacts (although not retail customers), but said it will evaluate whether it can improve. "We are looking at our processes to ensure that incidents such as occurred with panix.com can be addressed more quickly within Melbourne IT, and also checking to ensure that an appropriate number of external people have access to the right contacts at Melbourne IT to fast track serious issues," Tonkin wrote.
Others called for a broader solution to fraudulent domain transfers. "What the panix.com case clearly demonstrates is a lack of an emergency rollback procedure in the face of a bad transfer," Mark Jeftovic wrote at CircleID, a portal for discussion of domain and DNS issues. "Clearly, something went wrong in this case. Despite panix.com's belief that their registrar locks were set, somehow the domain was transferred. It matters little why or how it happened. The point is there is no emergency rollback procedure in place when something like this happens and there needs to be." Last week ICANN began seeking feedback on the November rule changes. From isn at c4i.org Thu Jan 20 04:45:22 2005 From: isn at c4i.org (InfoSec News) Date: Thu Jan 20 04:50:53 2005 Subject: [ISN] Security UPDATE--Search Engines Increase Web Site Security--January 19, 2005 Message-ID: ==================== This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE. Free White Paper: Email Encryption and Compliance http://ad.doubleclick.net/clk;13435400;8214395;z?http://www.windowsitpro.com/whitepapers/postini/emailencryption/index.cfm?code=0119sec_p Exchange & Outlook Administrator http://ad.doubleclick.net/clk;13435310;8214395;z?http://www.exchangeadmin.com/rd.cfm?code=fsep2351up ==================== 1. In Focus: Search Engines Increase Web Site Security 2. Security News and Features - Recent Security Vulnerabilities - The Scoop on Microsoft's Malicious Software Removal Tool - AMD Adds Holographic Security Labels to Processors - Review: Security Explorer 4.8 3. Security Matters Blog - The Race to Protect Customers - A Matter of Daze 4. Security Toolkit - FAQ - Security Forum Featured Thread 5. 
New and Improved - Secure Middleware Repriced and Repackaged ==================== ==== Sponsor: Postini ==== Free White Paper: Email Encryption and Compliance New regulations, legal liability issues and evolving threats have recently bumped the issue of secure email transmission to the top of IT security managers "To Do" list. In this free white paper you'll learn how simple and cost effective is it to implement TLS-based secure email transmission. Download this whitepaper now to find out how to support the dual goals of securing email transmission while preserving the administrator's ability to filter out spam, viruses and prevent email content policy violations. http://ad.doubleclick.net/clk;13435400;8214395;z?http://www.windowsitpro.com/whitepapers/postini/emailencryption/index.cfm?code=0119sec_p ==================== ==== 1. In Focus: Search Engines Increase Web Site Security ==== by Mark Joseph Edwards, News Editor, mark at ntsecurity / net Back in July 2004, I mentioned a whitepaper, "Demystifying Google Hacks," by Debasis Mohanty. The paper outlines several ways in which someone can use a particular search syntax in Google to query for sites that might have known vulnerabilities. The paper is at the first URL below. The Security UPDATE in which I wrote about it is at the second URL below. http://www.infosecwriters.com/texts.php?op=display&id=191 http://www.windowsitpro.com/Article/ArticleID/43376/43376.html For example, Google supports query syntax that uses the commands intitle:, inurl:, allinurl:, filetype:, intext:, and more. Google isn't the only search engine that supports this sort of query syntax. MSN Search, AlltheWeb, Yahoo! Search, and others support a similar syntax to varying degrees. As you know, the Santy worm, which takes advantage of search engine queries to find vulnerable sites, was released around the Christmas holidays. 
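The query syntax above (intitle:, inurl:, filetype:, intext:, scoped with site:) is what the Santy worm and the Webcam searches rely on, and it is what you would script to check your own sites. The following is an added example, not code from the newsletter, from Google or from Foundstone's SiteDigger: it stores a handful of signatures in that syntax, renders each one scoped to a target site, and triages the result URLs an engine hands back by dropping anything outside the target domain and re-checking the URL-level operators locally. Submitting the queries (and the API key handling that needs) is deliberately left out. The signatures, the example.com target and the result URLs are constructed for illustration.

```python
"""Google-hacking self-assessment helper.

Added example; not from the newsletter, Google or SiteDigger. Holds search
signatures in the intitle:/inurl:/filetype:/intext: syntax, scopes them to
the site under test, and triages engine result URLs. Signatures, target and
sample results are constructed for illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Signature:
    name: str       # short label for the finding
    query: str      # engine query, without the site: scope
    severity: str   # high / medium / low / info


# Illustrative signatures (assumed, not an authoritative list).
SIGNATURES = (
    Signature("directory-listing", 'intitle:"index of" "parent directory"', "low"),
    Signature("exposed-phpinfo", 'intitle:"phpinfo()" "PHP Version"', "medium"),
    Signature("backup-sql-dump", 'filetype:sql "insert into"', "high"),
    Signature("exposed-webcam", 'inurl:"view/index.shtml"', "medium"),
    Signature("phpbb-viewtopic", 'inurl:viewtopic.php "powered by phpbb"', "info"),
)

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, "info": 0}

# operator:value, where value is a quoted phrase or a bare token
_OPERATOR_RE = re.compile(
    r'(?P<op>intitle|allinurl|inurl|filetype|intext|site):(?P<val>"[^"]*"|\S+)'
)


def build_queries(site, signatures=SIGNATURES):
    """Return {signature name: query scoped to the target site}."""
    return {s.name: f"site:{site} {s.query}" for s in signatures}


def parse_operators(query):
    """Split a query into ({operator: [values]}, [free-text terms])."""
    ops = {}
    for m in _OPERATOR_RE.finditer(query):
        ops.setdefault(m.group("op"), []).append(m.group("val").strip('"').lower())
    free_text = _OPERATOR_RE.sub("", query)
    terms = [t.strip('"').lower() for t in re.findall(r'"[^"]*"|\S+', free_text)]
    return ops, terms


def in_scope(url, site):
    """True when the result host is the target site or one of its subdomains."""
    host = (urlsplit(url).hostname or "").lower()
    site = site.lower()
    return host == site or host.endswith("." + site)


def url_satisfies(url, signature):
    """Re-check inurl:/allinurl:/filetype: against the URL itself.
    intitle:/intext: need the page body, so they are not re-checked here."""
    ops, _ = parse_operators(signature.query)
    parts = urlsplit(url)
    path = parts.path.lower() + ("?" + parts.query.lower() if parts.query else "")
    for needle in ops.get("inurl", []) + ops.get("allinurl", []):
        if needle not in path:
            return False
    for ext in ops.get("filetype", []):
        if not parts.path.lower().endswith("." + ext):
            return False
    return True


def triage(site, raw_results, signatures=SIGNATURES):
    """raw_results: {signature name: [result URLs]} collected per query.
    Returns (severity, name, url) for deduplicated, in-scope hits that pass
    the URL-level checks, highest severity first."""
    by_name = {s.name: s for s in signatures}
    findings = []
    for name, urls in raw_results.items():
        sig = by_name.get(name)
        if sig is None:
            continue
        for url in dict.fromkeys(urls):  # dedupe while keeping order
            if in_scope(url, site) and url_satisfies(url, sig):
                findings.append((sig.severity, sig.name, url))
    findings.sort(key=lambda f: -SEVERITY_RANK[f[0]])
    return findings


TARGET = "example.com"  # placeholder target
SAMPLE_RESULTS = {  # constructed result URLs, not real engine output
    "directory-listing": ["http://files.example.com/pub/", "http://files.example.com/pub/"],
    "exposed-phpinfo": ["http://www.example.com/test/phpinfo.php"],
    "backup-sql-dump": ["http://www.example.com/backup/site.sql", "http://mirror.example.net/site.sql"],
    "exposed-webcam": ["http://cam.example.com/view/index.shtml", "http://www.example.com/about.html"],
    "phpbb-viewtopic": ["http://forum.example.com/viewtopic.php?t=12"],
}

if __name__ == "__main__":
    for name, query in build_queries(TARGET).items():
        print(f"{name:20} {query}")
    for severity, name, url in triage(TARGET, SAMPLE_RESULTS):
        print(f"[{severity:6}] {name:20} {url}")
```

The out-of-scope mirror.example.net hit and the non-matching about.html page are dropped, the duplicate directory listing collapses to one finding, and the SQL dump sorts to the top. Whatever the engine ranks for intitle:/intext: still has to be confirmed by fetching the page, which is where a tool like SiteDigger earns its keep.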
Recently, someone posted a message to a popular techno-gadget-related blog site stating that he'd found a search query that can locate vulnerable Webcams. If worm writers and other people are using search engines to find vulnerabilities, you might want to try the same techniques to check your own Web sites for vulnerabilities. Instead of typing or pasting query after query into search engines, you can use scripts to store queries and automate the actual querying and result-gathering process. Another solution is to use a tool specifically designed for the task. Foundstone (now a division of McAfee) recently released a new version of its SiteDigger tool (2.0) that automates the process of using Google to scan for vulnerabilities in a given site. http://www.foundstone.com/resources/proddesc/sitedigger.htm SiteDigger 2.0 has several added capabilities. Foundstone boasts that it now provides "10 times more results." The tool also has an improved user interface, an expanded Help file, an improved results page, and improvements for signature updates. The company also said that SiteDigger 2.0 produces fewer false positives, which means it's less prone to alert you to problems that don't really exist. The new tool can also perform raw searches, and as you might expect, it can detect some of the latest vulnerabilities, such as overly exposed Webcams. SiteDigger requires the Microsoft .NET Framework and also relies on the Google API, so you'll need to obtain the API license key, which is a simple process. More information about how to get the license key can be found at Foundstone's SiteDigger Web page. I wonder why Foundstone limits SiteDigger to Google queries. I think the tool would be even more useful if the company added support for other major search engines. Nevertheless, it's a useful tool as it stands. Get yourself a copy and check it out.

==================== ==== Sponsor: Exchange & Outlook Administrator ==== Try a Sample Issue of Exchange & Outlook Administrator!
If you haven't seen Exchange & Outlook Administrator, you're missing out on key information that will go a long way towards preventing serious messaging problems and downtime. Request a sample issue today, and discover tools you won't find anywhere else to help you migrate, optimize, administer, backup, recover, and secure Exchange and Outlook. Order now! http://ad.doubleclick.net/clk;13435310;8214395;z?http://www.exchangeadmin.com/rd.cfm?code=fsep2351up ==================== ==== 2. Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://www.windowsitpro.com/departments/departmentid/752/752.html The Scoop on Microsoft's Malicious Software Removal Tool Microsoft's Malicious Software Removal Tool (MSRT) is now available and will be updated on the second Tuesday of each month, according to Microsoft. The tool is essentially a consolidation of the company's other malware cleaning tools. The new all-in-one tool is currently designed to remove the Blaster, MyDoom, Sasser, Zindos, Nachi, Gaobot, Doomjuice, and Berbew forms of malware. http://www.windowsitpro.com/Article/ArticleID/45064 AMD Adds Holographic Security Labels to Processors To help thwart illegitimate copies of its Processor-in-a-Box (PIB) technology, Advanced Micro Devices (AMD) has added new holographic labels to ensure authenticity. http://www.windowsitpro.com/Article/ArticleID/45055 Review: Security Explorer 4.8 ScriptLogic's Security Explorer 4.8 lets administrators quickly and easily audit and adjust permission attributes for NTFS file systems, registries, and shares on local or remote computers. The program executes quickly and displays exactly what you want: directories, files, and their associated permissions. Read Jeff Fellinge's review on our Web site. 
http://www.windowsitpro.com/Article/ArticleID/44699

====================

==== Announcements ====
(from Windows IT Pro and its partners)

True High-Availability for Microsoft Exchange Web Seminar--February 3
Discover solutions that minimize the likelihood of downtime in your Exchange implementation and help to ensure continuous Exchange application availability. In this free Web seminar, learn how you can ensure high-availability through the use of tools that analyze and proactively monitor the health of your entire Exchange environment. Register now!
http://www.windowsitpro.com/seminars/highavailability/index.cfm?code=0117emailannc

Got NDS? Get The Essential Guide to an NDS-to-Active Directory Migration
Migrating from NDS or eDirectory to AD can present complexities and pitfalls. For a smooth transition, you must prepare for the challenge and simplify your migration processes. The Essential Guide to an NDS-to-Active Directory Migration shows you how to perform a successful migration with minimal impact on your organization. Download this guide today.
http://www.windowsitpro.com/essential/index.cfm?code=0117emailannc

Windows Connections Conference Spring 2005
Mark your calendar for Windows Connections Spring 2005, April 17-20, 2005, at the Hyatt Regency in San Francisco. Sessions jam-packed with tips and techniques you need to know to ensure success in today's enterprise deployments. Get the complete brochure online or call 203-268-3204 or 800-505-1201 for more information.
http://ad.doubleclick.net/clk;13381178;8214395;l?http://www.winconnections.com

Sensible Best Practices for Exchange Availability Web Seminar--January 27
If you're discouraged about not having piles of money for improving the availability of your Exchange server, join Exchange MVP Paul Robichaux for this free Web seminar and learn how to maximize your existing configuration. Survive unexpected outages, plan for the unplannable, and evaluate what your real business requirements are without great expense. Register now!
http://www.windowsitpro.com/seminars/exchangeavailability/index.cfm?code=0117emailannc

====================

==== 3. Security Matters Blog ====
by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters

Check out these recent entries in the Security Matters blog:

The Race to Protect Customers
Ever wonder what goes on inside a company that provides security solutions on "Patch Tuesday"? Learn about the scramble that takes place in order to protect customers before exploits are turned loose on the unsuspecting public.
http://www.windowsitpro.com/Article/ArticleID/45063

A Matter of Daze
The day after "Patch Tuesday" can reasonably be called "Exploit Wednesday" because, invariably, someone will learn how to take advantage of the published vulnerabilities and release loads of technical information within 24 hours.
http://www.windowsitpro.com/Article/ArticleID/45076

==== 4. Security Toolkit ====

FAQ, by John Savill, http://www.windowsitpro.com/windowsnt20002003faq

Q: I have Zone Labs' ZoneAlarm firewall installed, and it's reporting a problem with Microsoft Application Error Reporting. What's causing this error?

Find the answer at
http://www.windowsitpro.com/Article/ArticleID/44922

Security Forum Featured Thread: File-Based Restrictions in Folders
A forum participant writes that his company has a shared folder that contains all the company's official business files, including a lot of multimedia files (such as .mpg and .avi files) that need to be backed up. He wants to know if there is any way to restrict users from putting personal .mpg, .avi, .mp3, and other files into particular folders on his server so that these personal files won't fill his tape backups. Join the discussion at:
http://www.windowsitpro.com/Forums/messageview.cfm?catid=42&threadid=129022

====================

==== Events Central ====
(A complete Web and live events directory brought to you by Windows IT Pro at http://www.windowsitpro.com/events )

Ensure Successful Token Authentication
Take the first steps toward leaving passwords behind and implementing tokens for your users and systems. Register now for this free Web seminar and find out how you can future-proof your investment, while making a solid business case to justify the costs. Discover pitfalls to avoid, the right combinations to use, key evaluation and testing points and critical success factors for rollout time. Sign up today and become an expert on the range of technologies and applications supported by today's token technologies!
http://www.windowsitpro.com/seminars/tokenauthentication/index.cfm?code=0124emailannc

====================

==== 5. New and Improved ====
by Renee Munshi, products@windowsitpro.com

Secure Middleware Repriced and Repackaged
SSH Communications Security offers a new pricing model and new versions of its SSH Tectia secure middleware solution. One new version of SSH Tectia Server lets large enterprises begin protecting their business applications without any desktop-software investment. When SSH Tectia is used to protect one business application, SSH Tectia Connector client software licenses will be provided free of charge. This new pricing model enables customers to start with one application and expand their licenses as their business needs grow and helps companies more quickly comply with requirements such as Sarbanes-Oxley. The second targeted version of SSH Tectia Server is designed for secure system administration, enabling system administrators to remotely administer application servers and other resources using a secure connection. For more information about SSH Tectia and its pricing, go to
http://www.ssh.com

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rsecadmin@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Sponsored Links ====

Argent versus MOM 2005
Experts Pick the Best Windows Monitoring Solution
http://ad.doubleclick.net/clk;13273616;8214395;i?http://www.argent.com/w/whitepapers_mom.html?Source=WNT%20Sponsored%20Link

====================

==== Contact Us ====

About the newsletter -- letters@windowsitpro.com
About technical questions -- http://www.windowsitpro.com/forums
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com

====================

This email newsletter is brought to you by Security Administrator, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.
From isn at c4i.org Thu Jan 20 04:45:35 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jan 20 04:50:55 2005
Subject: [ISN] LayerOne Call For Papers
Message-ID:

Forwarded from: LayerOne CFP

LayerOne 2005
April 23 & 24, 2005
Los Angeles, California
At the Pasadena Hilton
http://layerone.info/

The second LayerOne conference is now officially accepting papers and presentations for speaker selection. We are looking for people to speak on a broad range of topics; however, we encourage all submissions. To give you an idea of the sorts of things that were covered last year:

- CryptoMail: mail encryption for all.
- Life Hacks and Hacked Lives
- How the DMCA is Threatening to Strangle Reverse Engineering and the Future of Interoperability
- Visual Deep Packet Inspection
- A User-Centric Distributed Social Software Architecture

Please note that we'd love to see as broad a range of topics this year as we did last year, so don't consider this to be a strict guideline on what we'd like people to be submitting. If you've got something that you think will fit, by all means send it in. To see a list of topics from 2004, click here.

Please be sure to include the following information in your submission:

- Presentation name
- A one-sentence synopsis of your presentation
- A longer one to three paragraph synopsis or short outline of what you plan on covering
- Names of and URLs to presenter(s)
- A short (single-paragraph) biography of the presenter(s)

Once everything's ready to go, send your submission to cfp [at] layerone [dot] info no later than March 1, 2005. All papers submitted by then will receive either an acceptance or rejection notice no later than March 15th, 2005. Speaker selection is expected to be finalised on this date.

Although we only have one speaking track, please bear in mind that speaking slots are limited to one hour. How you use that time is entirely up to you - but most people tend to divide it between presentation and a Q&A session. If you think your presentation will run longer, please advise us when you turn in your proposal and we will do our best to take your needs into consideration.

If the presentation is based on code or a particular technique, the presenter must be one of the developers of the code/technique and be prepared to perform a demonstration.

We look forward to reading over your submissions, which we are sure will be outstanding. Once again, if you have any questions or submissions please email cfp [at] layerone [dot] info.

Thank you for your interest, and we look forward to seeing you there.

-noid

:::::::::::::
WEB://23.org
PGP://23.org/~noid/pgp.html
"Perfect is the enemy of good enough" - Admiral SG Gorshkov
:::::::::::::

From isn at c4i.org Thu Jan 20 04:45:47 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jan 20 04:50:57 2005
Subject: [ISN] Oracle Patch Fixes 23 'Critical' Vulnerabilities
Message-ID:

http://www.eweek.com/article2/0,1759,1752589,00.asp

By Ryan Naraine
January 19, 2005

Oracle Corp. late Tuesday issued a "critical patch update" to address 23 security holes in its database and application server products.

The patches were released as part of Oracle's first quarterly patching cycle and fix a series of undisclosed flaws ranging from manipulation of data, exposure of sensitive information, privilege escalation and denial-of-service attacks.

The vulnerabilities affect users of the Oracle Database 10g Release 1, Oracle9i Database Server, Oracle Application Server, Oracle9i Application Server, Oracle Collaboration Suite and Oracle E-Business Suite and Applications Release.

In an advisory (PDF file), Oracle said the first quarter patch update is a cumulative update that also contains nonsecurity fixes that are required (because of interdependencies) on the security fixes.

Secunia, a private security research outfit, rates the flaws as "moderately critical" and warned that exploitation could lead to PL/SQL injection attacks.

Oracle's alert did not provide specific information on the attack scenarios and Next Generation Security Software Ltd., one of the private firms that reported the vulnerabilities, said it would withhold details about the flaws until April 18.

"This three-month window will allow Oracle database administrators the time needed to test and apply the patch set before the details are released to the general public," NGS Software officials said.

Secunia's advisory contains minor details of the bugs, which include a boundary error in the Networking component that can be exploited by malicious database users to crash the database via a specially crafted connect string. Another error in the Spatial component can potentially be exploited to disclose information, manipulate data, or cause a DoS condition.

The next batch of patches from Oracle is scheduled for April 12. Oracle had originally announced it would release patches on a monthly schedule, but the company shifted away from that plan in November in favor of the quarterly cycle.

In the past, Oracle has been criticized for its lackadaisical approach to addressing critical security flaws. At the Black Hat security conference in Las Vegas last year, NGS Software pushed the envelope by releasing details on more than two dozen security holes in Oracle products that had not been fixed. At the time, NGS Software said Oracle was aware of the vulnerabilities - some of them critical - for several months.

From isn at c4i.org Thu Jan 20 04:46:01 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jan 20 04:50:59 2005
Subject: [ISN] IT security problems cause two agencies to slip in PMA scorecard
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/34843-1.html

By Jason Miller
GCN Staff
1/19/05

Systems security concerns caused the Veterans Affairs Department's and the Small Business Administration's e-government initiatives to drop a grade each in the latest ratings on the President's Management Agenda.
Clay Johnson, the Office of Management and Budget's deputy director for management, said in a letter released today that these were two of four agencies that slipped up in the final grading for fiscal 2004.

Johnson said the Defense Department dropped a grade under the competitive sourcing initiative because it was not announcing competitions as planned, and the Office of Personnel Management fell to red under improved financial performance because its inspector general found new material weaknesses.

Each quarter, the administration gives agencies green, yellow or red scores for their efforts to meet the goals of the five agenda items. Green means an agency has met all the standards for success, yellow means it has met some but not all and red means there are serious problems. OMB grades each agency on its overall status and on its progress toward implementing the agenda items.

While these four agencies tripped up under the latest scores, seven agencies improved, including the Social Security Administration, which earned a green under e-government. In all, the administration handed out 39 green scores, 51 yellow and 40 red, compared with 35 greens, 55 yellows and 40 reds in the September evaluation.

Veterans' and SBA's slips under e-government mark the first time an agency has dropped a color grade since the September 2003 rating, four scorecards ago. Still, under e-government, eight agencies received greens, 10 earned yellows and eight got reds, the same count as the last scorecard.

The Smithsonian Institution remains the only agency with red scores in every category, while SSA and the departments of Energy and Transportation are green in four of five categories.

Karen Evans, OMB's administrator for e-government and IT, said in a letter released with the scorecard that the White House's plans for e-government will continue along the same path of identifying "new opportunities for stronger management of federal government IT investments."

In the letter, she said the human resources and financial management Lines of Business Consolidation initiatives will save $5 billion over the next 10 years because of the standardization of business processes and functions. Agencies will begin selecting shared service providers in 2005 and shut down existing financial or human resources systems once migration to the shared service providers is complete.

OMB's new chief architect, Richard Burk, by the end of the month will deliver a strategic plan for the Federal Enterprise Architecture. Burk also will lead OMB's efforts to work more closely with agencies to help them improve their architectures and gain the benefits of using their EAs.

Evans also said 26 agencies, up from two last year, are using the P3P standard to provide a summary privacy notice accessible by public browsers. And 16 of 24 agencies reported 90 percent or more of their IT systems were certified and accredited as secure. Last year only 13 agencies said they had reached the 90 percent mark.

From isn at c4i.org Thu Jan 20 04:46:22 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jan 20 04:51:01 2005
Subject: [ISN] The party's over...
Message-ID:

http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2005/01/16/nhamm16.xml&sSheet=/news/2005/01/16/ixhome.html

By Tim Walker
Filed: 16/01/2005

Even when the game was up for the soi-disant Michael Edwards-Hammond, he still couldn't help himself. "I am confident that I did nothing wrong at Windsor Castle," he told me outside Wandsworth police station after his arrest for allegedly impersonating a police officer within the grounds of the Queen's Berkshire home.

"I've attended many functions with the princes - Charles, Andrew, Harry and William - at private households. I believe that the Royal Family will welcome this occurrence because it shows how lax royal security is. And perhaps, as Charles has commented to me, it should be the job of the Army's most elite unit to take charge of it.

"If this episode results in our monarchy being protected as it should be protected, then I feel I've performed a service, not a crime. In terms of my forthcoming appearance in court, I will call figures from the world of television and royal circles who will speak in my defence."

At an earlier appearance at Heathrow police station, he had gone further and told me: "I am considering calling Charles, William and Harry as witnesses. My case is being dealt with directly by [the then Home Secretary] David Blunkett and [the Metropolitan Police Commissioner] Sir John Stevens."

Blame it on an early interest in drama at school or his time working as an estate agent in London, but Edwards-Hammond has long had at best a nodding acquaintance with the truth. As it became clear at Isleworth Crown Court last week - when, curiously enough, not one of his distinguished friends turned up to speak in his defence - the double-barrelled name is probably the most modest of the fabrications of this extraordinarily persuasive 36-year-old decorator's son from Bexhill-on-Sea.

Over the years, plain Michael Hammond (Edward is his middle name) has duped a succession of supposedly intelligent people and organisations with his tall tales. When he telephoned the Metropolitan Police to tell them that he was a surgeon fighting his way through heavy London traffic to save the life of a child, they gave him a motorcycle escort.

Other roles he has taken include a film producer - a ruse that has got him into numerous parties, gossip columns and the beds of aspiring actresses - and a "renowned" polo expert. Senior police officers are a speciality and those performances have resulted in innumerable innocent members of the public being searched on his orders, an Asian family being taken into custody and several harmless pedestrians being held at gunpoint near Downing Street.

And he also found the time to strike up friendships with not only the Royal Family, but also Dannii Minogue, the singer; Jordan, the glamour model; Caroline Stanbury, Prince Andrew's former companion; and Renée Zellweger, the Oscar-winning actress. He was also best mates with Sir Elton John.

They have all, of course, denied his fanciful tales. "I checked with Elton and he has never heard of Michael Hammond," says David Furnish, Sir Elton's lover. A spokesman for Clarence House repeated the line: "None of the princes can recall meeting this man. They meet hundreds of people at the polo matches, usually for just a second or two, so it is not surprising they don't remember him."

While it is true that Hammond did accept newspaper "tip-off" fees for his tall tales about his own private life, fame or "validation" appeared to be the spur and there appears to be some sympathy for him. "People ask how could we have been taken in by him," one female socialite told me last week. "The fact is we didn't care. He was young, good-looking, amusing and heterosexual, and in London the women outnumber the men at even the most glamorous of parties."

Jessica Callan, the wily editor of the Mirror's 3am diary, recalls seeing Hammond at Sir Elton John's post-Oscars party in Los Angeles last year. "I was used to seeing him at Bafta parties and lots of run-of-the-mill events, but this one was exclusive and I was staggered he had got in, but of course that wasn't enough for him. He called me over and said, 'Jessica, let me introduce you to my mate Robin Williams.' He shouted to Robin and he came over. That's the thing about people like Robin - they assume that they must have met this guy, but simply forgotten him, so they play along. They don't want to create a scene. That's what enables people like Hammond to go undetected for so long."

There have been society conmen before - one thinks of Guiy de Montfort, who preyed on a succession of wealthy, vulnerable women - but self-destruction seems always to be part of their make-up. For Hammond, it was his doomed attempt to bluff his way into Windsor Castle and for de Montfort it was inviting Nigel Dempster to one of his parties. In no time at all, the great Daily Mail gossip columnist saw him for the phoney he was.

If, instead of putting all their energy into deceiving people, men like Hammond had channelled it into nine-to-five jobs, you can't help but imagine that they would now be on the boards of FTSE 100 companies. Why did they feel such a compulsion to set themselves up for dramatic falls?

"I think Michael felt shame about who he was and where he had come from," said a woman who had been "close" to him. "The trouble with shame is that it always seems to come with a subconscious desire for punishment."

Hammond, who has 102 previous offences, most for fraud and deception and two for impersonating a police officer, will find out what his punishment will be on February 4, when he returns to Isleworth for sentencing.
From isn at c4i.org Fri Jan 21 03:05:51 2005 From: isn at c4i.org (InfoSec News) Date: Fri Jan 21 03:08:38 2005 Subject: [ISN] Secunia Weekly Summary - Issue: 2005-3 Message-ID: ======================================================================== The Secunia Weekly Advisory Summary 2005-01-13 - 2005-01-20 This week : 58 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3...............................This Weeks Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written. Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued. As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet. Secunia Online Vulnerability Database: http://secunia.com/ ======================================================================== 2) This Week in Brief: ADVISORIES: 23 vulnerabilities have been reported in various Oracle products. Some have an unknown impact and others can be exploited to disclose sensitive information, gain escalated privileges, conduct PL/SQL injection attacks, manipulate information, or cause a DoS (Denial of Service). 
Additional details about the 23 vulnerabilities can be found in the referenced Secunia advisory below. References: http://secunia.com/SA13862 VIRUS ALERTS: Secunia has not issued any virus alerts during the week. ======================================================================== 3) This Weeks Top Ten Most Read Advisories: 1. [SA12889] Microsoft Internet Explorer Multiple Vulnerabilities 2. [SA13599] Mozilla / Mozilla Firefox Download Dialog Source Spoofing 3. [SA13482] Internet Explorer DHTML Edit ActiveX Control Cross-Site Scripting 4. [SA13804] Apple iTunes Playlist Handling Buffer Overflow Vulnerability 5. [SA13786] Mozilla / Mozilla Firefox Dialog Overlapping Weakness 6. [SA13129] Mozilla / Mozilla Firefox Window Injection Vulnerability 7. [SA13792] Check Point Firewall-1 NG SmartDefense RFC2397 Bypass Weakness 8. [SA12041] Microsoft Outlook / Word Object Tag Vulnerability 9. [SA13818] Opera "data:" URI Handler Spoofing Vulnerability 10. [SA13704] Internet Explorer FTP Download Directory Traversal ======================================================================== 4) Vulnerabilities Summary Listing Windows: [SA13868] Halocon Empty UDP Datagram Denial of Service Vulnerability [SA13881] NodeManager Professional Buffer Overflow Vulnerability [SA13861] BlackBerry Enterprise Server Mobile Data Service Denial of Service [SA13879] Kazaa Lite K++ K-Sig Directory Traversal Weakness [SA13872] Internet Explorer Global Variables Local File Detection Weakness UNIX/Linux: [SA13912] Debian update for imagemagick [SA13910] Ubuntu update for xpdf/cupsys [SA13908] Ubuntu update for imagemagick/libmagick6 [SA13895] SUSE update for php4/mod_php4 [SA13893] AWStats "configdir" Parameter Arbitrary Command Execution [SA13892] ImageMagick PSD Image Decoding Buffer Overflow [SA13886] SGI Advanced Linux Environment Multiple Updates [SA13885] SGI Advanced Linux Environment Multiple Updates [SA13852] Conectiva update for ethereal [SA13851] Conectiva update for php4 [SA13850] Red 
Hat update for libtiff [SA13906] Avaya Products ncompress Vulnerability [SA13894] Debian update for chbg [SA13889] Debian update for gallery [SA13865] Gentoo update for poppassd_pam [SA13864] Gentoo update for squid [SA13863] Debian update for mc [SA13859] Midnight Commander Multiple Unspecified Vulnerabilities [SA13856] Gentoo update for tnftp [SA13855] Debian update for gopherd [SA13905] Debian update for cupsys [SA13904] CUPS xpdf "Decrypt::makeFileKey2()" Buffer Overflow [SA13888] Mandrake update for cups [SA13882] Solaris/SEAM Kerberos 5 Administration Library Vulnerability [SA13871] VMware ESX Server Three Vulnerabilities [SA13880] Avaya Products Multiple Vulnerabilities [SA13915] UnixWare Chroot Escape Vulnerability [SA13914] Debian update for mysql [SA13911] Debian update for queue [SA13909] GNU Queue Buffer Overflow Vulnerabilities [SA13907] Red Hat update for kernel [SA13891] Ubuntu update for vim [SA13890] Debian update for playmidi [SA13884] Debian GATOS xatitv "exported_display()" Buffer Overflow [SA13876] Ubuntu update for kernel [SA13867] MySQL mysqlaccess Script Insecure Temporary File Creation [SA13858] SGI IRIX inpview Privilege Escalation Vulnerability [SA13857] Fedora update for kernel [SA13853] Debian update for exim-tls [SA13900] Clam AntiVirus RFC2397 Bypass Weakness Other: Cross Platform: [SA13903] Xpdf "Decrypt::makeFileKey2()" Function Buffer Overflow [SA13854] PRADO "page" File Inclusion Vulnerability [SA13849] MPM Guestbook Pro "header" File Inclusion Vulnerability [SA13901] vBulletin Unspecified Vulnerability [SA13877] ExBB Nested BBcode Script Insertion Vulnerability [SA13875] SparkleBlog Multiple Vulnerabilities [SA13874] ITA Forum SQL Injection Vulnerabilities [SA13873] PHP Gift Registry SQL Injection Vulnerabilities [SA13869] SafeHTML Hexadecimal HTML Entities Security Bypass [SA13862] Oracle Products 23 Vulnerabilities [SA13887] Gallery "username" Cross-Site Scripting Vulnerability [SA13866] Minis "month" Directory Traversal 
Vulnerability [SA13860] Horde "url" and "group" Cross-Site Scripting Vulnerabilities ======================================================================== 5) Vulnerabilities Content Listing Windows:-- [SA13868] Halocon Empty UDP Datagram Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-01-17 Luigi Auriemma has reported a vulnerability in Halocon, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/13868/ -- [SA13881] NodeManager Professional Buffer Overflow Vulnerability Critical: Moderately critical Where: From local network Impact: System access Released: 2005-01-18 Tan Chew Keong has reported a vulnerability in NodeManager Professional, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/13881/ -- [SA13861] BlackBerry Enterprise Server Mobile Data Service Denial of Service Critical: Less critical Where: From remote Impact: DoS Released: 2005-01-17 A vulnerability has been reported in BlackBerry Enterprise Server, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/13861/ -- [SA13879] Kazaa Lite K++ K-Sig Directory Traversal Weakness Critical: Not critical Where: From remote Impact: Manipulation of data, DoS Released: 2005-01-18 Rafel Ivgi has discovered a weakness in Kazaa Lite K++, which can be exploited by malicious people to create or overwrite files on a user's system. Full Advisory: http://secunia.com/advisories/13879/ -- [SA13872] Internet Explorer Global Variables Local File Detection Weakness Critical: Not critical Where: From remote Impact: Exposure of system information Released: 2005-01-18 Berend-Jan Wever has discovered a weakness in Internet Explorer, which can be exploited by malicious people to detect the presence of local files. 
Full Advisory: http://secunia.com/advisories/13872/ UNIX/Linux:-- [SA13912] Debian update for imagemagick Critical: Highly critical Where: From remote Impact: System access Released: 2005-01-19 Debian has issued an update for imagemagick. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/13912/ -- [SA13910] Ubuntu update for xpdf/cupsys Critical: Highly critical Where: From remote Impact: System access Released: 2005-01-19 Ubuntu has issued updates for cupsys, libcupsimage2, libcupsys2-gnutls10, xpdf-reader, and xpdf-utils. These fix a vulnerability, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/13910/ -- [SA13908] Ubuntu update for imagemagick/libmagick6 Critical: Highly critical Where: From remote Impact: System access Released: 2005-01-19 Ubuntu has issued updates for imagemagick and libmagick6. These fix a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/13908/ -- [SA13895] SUSE update for php4/mod_php4 Critical: Highly critical Where: From remote Impact: Security Bypass, Exposure of sensitive information, Privilege escalation, System access Released: 2005-01-18 SUSE has issued updates for php4 and mod_php4. These fix multiple vulnerabilities, which can be exploited to gain escalated privileges, bypass certain security restrictions, gain knowledge of sensitive information, or compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/13895/ -- [SA13893] AWStats "configdir" Parameter Arbitrary Command Execution Critical: Highly critical Where: From remote Impact: Unknown, System access Released: 2005-01-18 Two vulnerabilities have been reported in AWStats, where one has an unknown impact and the other can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/13893/ -- [SA13892] ImageMagick PSD Image Decoding Buffer Overflow Critical: Highly critical Where: From remote Impact: System access Released: 2005-01-18 Andrei Nigmatulin has reported a vulnerability in ImageMagick, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/13892/ -- [SA13886] SGI Advanced Linux Environment Multiple Updates Critical: Highly critical Where: From remote Impact: Security Bypass, Cross Site Scripting, Exposure of sensitive information, Privilege escalation, DoS, System access Released: 2005-01-17 SGI has issued a patch for SGI Advanced Linux Environment. This fixes multiple vulnerabilities, which can be exploited to gain escalated privileges, cause a DoS (Denial of Service), bypass certain security restrictions, conduct script insertion attacks, gain knowledge of sensitive information, or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/13886/ -- [SA13885] SGI Advanced Linux Environment Multiple Updates Critical: Highly critical Where: From remote Impact: System access, DoS, Privilege escalation Released: 2005-01-17 SGI has issued a patch for XFree86, VIM, and glibc. This fixes multiple vulnerabilities, which can be exploited to cause a DoS (Denial of Service), perform certain actions with escalated privileges, gain escalated privileges, or compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/13885/ -- [SA13852] Conectiva update for ethereal Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2005-01-13 Conectiva has issued an update for ethereal. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/13852/ -- [SA13851] Conectiva update for php4 Critical: Highly critical Where: From remote Impact: Security Bypass, Exposure of sensitive information, Privilege escalation, System access Released: 2005-01-13 Conectiva has issued an update for php4. This fixes some vulnerabilities, which can be exploited to gain escalated privileges, bypass certain security restrictions, gain knowledge of sensitive information, or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/13851/ -- [SA13850] Red Hat update for libtiff Critical: Highly critical Where: From remote Impact: System access Released: 2005-01-13 Red Hat has issued an update for libtiff. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/13850/ -- [SA13906] Avaya Products ncompress Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2005-01-19 Avaya has confirmed an old vulnerability in ncompress, which is included in various products. This can potentially be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/13906/ -- [SA13894] Debian update for chbg Critical: Moderately critical Where: From remote Impact: System access Released: 2005-01-18 Debian has issued an update for chbg. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/13894/ -- [SA13889] Debian update for gallery Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2005-01-18 Debian has issued an update for gallery. This fixes some vulnerabilities, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/13889/ -- [SA13865] Gentoo update for poppassd_pam Critical: Moderately critical Where: From remote Impact: Security Bypass, Manipulation of data Released: 2005-01-14 Gentoo has issued an update for poppassd_pam. This fixes a vulnerability, which can be exploited by malicious people to change system passwords. Full Advisory: http://secunia.com/advisories/13865/ -- [SA13864] Gentoo update for squid Critical: Moderately critical Where: From remote Impact: System access, DoS Released: 2005-01-17 Gentoo has issued an update for squid. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/13864/ -- [SA13863] Debian update for mc Critical: Moderately critical Where: From remote Impact: Unknown, Privilege escalation, DoS Released: 2005-01-14 Debian has issued an update for mc. This fixes multiple vulnerabilities, where many have an unknown impact and others can be exploited to cause a DoS (Denial of Service) or potentially perform certain actions with escalated privileges. 
Full Advisory:
http://secunia.com/advisories/13863/

--
[SA13859] Midnight Commander Multiple Unspecified Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Unknown, Privilege escalation, DoS
Released:    2005-01-14

Multiple vulnerabilities have been reported in Midnight Commander, where many have an unknown impact and others can be exploited to cause a DoS (Denial of Service) or potentially perform certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/13859/

--
[SA13856] Gentoo update for tnftp
Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, System access
Released:    2005-01-14

Gentoo has issued an update for tnftp. This fixes a vulnerability, allowing malicious people to overwrite local files.

Full Advisory:
http://secunia.com/advisories/13856/

--
[SA13855] Debian update for gopherd
Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2005-01-14

Debian has issued an update for gopherd. This fixes some vulnerabilities with unknown impacts.

Full Advisory:
http://secunia.com/advisories/13855/

--
[SA13905] Debian update for cupsys
Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2005-01-19

Debian has issued an update for cupsys. This fixes a vulnerability, which potentially can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13905/

--
[SA13904] CUPS xpdf "Decrypt::makeFileKey2()" Buffer Overflow
Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2005-01-19

A vulnerability has been reported in CUPS, which potentially can be exploited by malicious users to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/13904/

--
[SA13888] Mandrake update for cups
Critical:    Moderately critical
Where:       From local network
Impact:      Manipulation of data, DoS, System access
Released:    2005-01-18

MandrakeSoft has issued an update for cups. This fixes some vulnerabilities, which can be exploited by malicious users to manipulate certain files, cause a DoS (Denial of Service), or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13888/

--
[SA13882] Solaris/SEAM Kerberos 5 Administration Library Vulnerability
Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2005-01-17

Sun has acknowledged a vulnerability in Solaris and SEAM, which potentially can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13882/

--
[SA13871] VMware ESX Server Three Vulnerabilities
Critical:    Moderately critical
Where:       From local network
Impact:      Security Bypass, Exposure of system information, Exposure of sensitive information, System access
Released:    2005-01-17

VMware has acknowledged some vulnerabilities in ESX Server, which can be exploited to disclose sensitive information in kernel memory, bypass certain security restrictions, and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13871/

--
[SA13880] Avaya Products Multiple Vulnerabilities
Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Spoofing, Privilege escalation
Released:    2005-01-17

Avaya has acknowledged multiple vulnerabilities in various products, which potentially can be exploited to gain unauthorised access to other websites, bypass certain security restrictions, or gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/13880/

--
[SA13915] UnixWare Chroot Escape Vulnerability
Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2005-01-19

Simon Roses Femerling has reported a vulnerability in UnixWare, which can be exploited by malicious, local users to break out of the chroot jail.

Full Advisory:
http://secunia.com/advisories/13915/

--
[SA13914] Debian update for mysql
Critical:    Less critical
Where:       Local system
Impact:      Manipulation of data, Exposure of sensitive information, Privilege escalation
Released:    2005-01-19

Debian has issued an update for mysql. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/13914/

--
[SA13911] Debian update for queue
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-01-19

Debian has issued an update for queue. This fixes some vulnerabilities, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/13911/

--
[SA13909] GNU Queue Buffer Overflow Vulnerabilities
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-01-19

jaguar has reported some vulnerabilities in GNU Queue, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/13909/

--
[SA13907] Red Hat update for kernel
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation, DoS
Released:    2005-01-19

Red Hat has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/13907/

--
[SA13891] Ubuntu update for vim
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-01-19

Ubuntu has issued updates for kvim, vim, vim-gnome, vim-gtk, vim-lesstif, vim-perl, vim-python and vim-tcl. These fix some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/13891/

--
[SA13890] Debian update for playmidi
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-01-19

Debian has issued an update for playmidi. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/13890/

--
[SA13884] Debian GATOS xatitv "exported_display()" Buffer Overflow
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-01-17

Debian has issued an update for gatos. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/13884/

--
[SA13876] Ubuntu update for kernel
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation, DoS
Released:    2005-01-17

Ubuntu has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/13876/

--
[SA13867] MySQL mysqlaccess Script Insecure Temporary File Creation
Critical:    Less critical
Where:       Local system
Impact:      Manipulation of data, Exposure of sensitive information, Privilege escalation
Released:    2005-01-17

Javier Fernández-Sanguino Peña has reported a vulnerability in MySQL, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory:
http://secunia.com/advisories/13867/

--
[SA13858] SGI IRIX inpview Privilege Escalation Vulnerability
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-01-14

iDEFENSE has reported a vulnerability in SGI IRIX, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/13858/

--
[SA13857] Fedora update for kernel
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-01-14

Fedora has issued an update for the kernel. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/13857/

--
[SA13853] Debian update for exim-tls
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-01-13

Debian has issued an update for exim-tls. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/13853/

--
[SA13900] Clam AntiVirus RFC2397 Bypass Weakness
Critical:    Not critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-01-19

The vendor has acknowledged a weakness in Clam AntiVirus, which allows malware to bypass detection.

Full Advisory:
http://secunia.com/advisories/13900/


Other:


Cross Platform:
--
[SA13903] Xpdf "Decrypt::makeFileKey2()" Function Buffer Overflow
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-19

A vulnerability has been reported in Xpdf, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13903/

--
[SA13854] PRADO "page" File Inclusion Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-14

Paul Brereton has reported a vulnerability in PRADO, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/13854/

--
[SA13849] MPM Guestbook Pro "header" File Inclusion Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-13

SmOk3 has reported a vulnerability in MPM Guestbook Pro, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13849/

--
[SA13901] vBulletin Unspecified Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2005-01-18

A vulnerability with an unknown impact has been reported in vBulletin.

Full Advisory:
http://secunia.com/advisories/13901/

--
[SA13877] ExBB Nested BBcode Script Insertion Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-01-19

Algol has reported a vulnerability in ExBB, which potentially can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/13877/

--
[SA13875] SparkleBlog Multiple Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2005-01-17

Kovács László has discovered some vulnerabilities in SparkleBlog, which can be exploited by malicious people to conduct SQL injection and cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/13875/

--
[SA13874] ITA Forum SQL Injection Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-01-17

RusH security team has reported some vulnerabilities in ITA Forum, which potentially can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/13874/

--
[SA13873] PHP Gift Registry SQL Injection Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-01-17

Madelman has reported some vulnerabilities in PHP Gift Registry, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/13873/

--
[SA13869] SafeHTML Hexadecimal HTML Entities Security Bypass
Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-01-17

Christian Stocker has reported a vulnerability in SafeHTML, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/13869/

--
[SA13862] Oracle Products 23 Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Unknown, Manipulation of data, Exposure of sensitive information, Privilege escalation, DoS
Released:    2005-01-19

23 vulnerabilities have been reported in various Oracle products. Some have an unknown impact and others can be exploited to disclose sensitive information, gain escalated privileges, conduct PL/SQL injection attacks, manipulate information, or cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/13862/

--
[SA13887] Gallery "username" Cross-Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-01-18

Rafel Ivgi has discovered a vulnerability in Gallery, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/13887/

--
[SA13866] Minis "month" Directory Traversal Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information, DoS
Released:    2005-01-17

Madelman has reported a vulnerability in Minis, which can be exploited by malicious people to disclose sensitive information and cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/13866/

--
[SA13860] Horde "url" and "group" Cross-Site Scripting Vulnerabilities
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-01-14

Robert Fly has reported two vulnerabilities in Horde, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/13860/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

========================================================================

From isn at c4i.org Fri Jan 21 03:06:39 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jan 21 03:08:40 2005
Subject: [ISN] Security UPDATE--Search Engines Increase Web Site Security--January 19, 2005
Message-ID:

Forwarded from: matthew patton

> ==== 3. Security Matters Blog ====
> by Mark Joseph Edwards,
> http://www.windowsitpro.com/securitymatters
>
> Check out these recent entries in the Security Matters blog:
>
> The Race to Protect Customers
> Ever wonder what goes on inside a company that provides security
> solutions on "Patch Tuesday"? Learn about the scramble that takes
> place in order to protect customers before exploits are turned loose
> on the unsuspecting public.
> http://www.windowsitpro.com/Article/ArticleID/45063

from the article:

"The engineers have 24 hours to meet service-level agreements with their customers to determine what has changed in the software and to deliver tests that the customers can use to decide whether their systems need to be patched."

Now I can understand wanting to know what MS changed in a patch but if there is a critical or important patch released, on what possible basis would you NOT patch it unless you think you've mitigated the risk or bought yourself some time thru other methods, or you flat-out don't trust MS to break your box? Why would you think the patch doesn't apply to your system? If you run a service that has a new patch out, it's trivially obvious that the patch applies to you and needs to be applied.

Why would you need a tool written in less than 24hrs by over-caffeinated coders to tell you the software on a box was the vulnerable version? If it's not patched, of course it's bloody vulnerable. I don't get what the "program to test to see if you're vulnerable" buys anybody. Sure, it's useful if you're in the vulnerability scan market and you want to release a signature overnight.

Do IT shops really have no clue what resources they supposedly are responsible for that they launch a vuln probing tool every patch Tuesday+1 to get a list of boxes they gotta fix?

From isn at c4i.org Fri Jan 21 03:07:01 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jan 21 03:08:42 2005
Subject: [ISN] Oracle Patch Fixes 23 'Critical' Vulnerabilities
Message-ID:

Forwarded from: security curmudgeon

: In the past, Oracle has been criticized for its lackadaisical approach
: to addressing critical security flaws. At the Black Hat security
: conference in Las Vegas last year, NGS Software pushed the envelope by
: releasing details on more than two dozen security holes in Oracle
: products that had not been fixed.
:
: At the time, NGS Software said Oracle was aware of the vulnerabilities -
: some of them critical - for several months.

Several months? From this round of patches..

http://www.red-database-security.com/content6.html

History:
  03 April 2003    Oracle was informed
  18 April 2003    Bug confirmed
  18 January 2005  Oracle published alert 69

Just under two years for this issue?

http://archives.cnn.com/2002/TECH/industry/01/21/oracle.unbreakable.idg/

Oracle Corp. Chairman and Chief Executive Officer Larry Ellison said Thursday that Oracle software remains unbreakable and mocked a memo sent this week by arch rival Bill Gates stressing to Microsoft Corp.'s employees the importance of security in the company's products.

http://www.osvdb.org/searchdb.php?action=search_title&vuln_title=oracle&Search=Search

"Microsoft isn't good at security. We're good at that.." -- Larry Ellison

From isn at c4i.org Fri Jan 21 03:07:12 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jan 21 03:08:46 2005
Subject: [ISN] Symantec security site trips over spyware
Message-ID:

http://www.theage.com.au/articles/2005/01/19/1106074829004.html

By Online Staff
January 19, 2005

Symantec's security website SecurityFocus, which runs the well-known Bugtraq vulnerability mailing list, has been forced to retract one of its columns [1] in which it claimed that only people who validated their copies of Windows online could download Microsoft's spyware beta.

The column, by Mark D. Rasch, J.D., who is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc., was posted on January 18.

In the article, Rasch wrote:

Early last month Microsoft announced that it would permit downloads of a beta version of its anti-spyware software from its website. However, users attempting to download the software are informed that "[t]his download is available to customers running genuine Microsoft Windows.
Please click Continue to begin Windows validation." The website then uploads an executable file called "GenuineCheck.exe" to the users computer.

However, in reality, users can click on the Continue button and proceed to a page where they have the choice of downloading the spyware beta after validating their copy of Windows or without going through the validation process.

Today, an editor's note was seen on the article: "This column is in error. The download site for Microsoft's anti-virus software strongly encourages users to run the company's validation software, but does not require it. SecurityFocus apologizes (sic) for the mistake."

SecurityFocus is owned by Symantec which, in 2002, purchased what was until then one of the most comprehensive databases of vulnerabilities available, for $US75 million.

[1] http://securityfocus.com/columnists/292

From isn at c4i.org Fri Jan 21 03:07:27 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jan 21 03:08:48 2005
Subject: [ISN] Safe E-Mailing for Dummies
Message-ID:

http://www.wired.com/news/infostructure/0,1377,66324,00.html

By Michelle Delio
Jan. 20, 2005

Citibank is worried about you. PayPal is peeved and is about to pull the plug on your account unless you take action right now. EBay is perturbed about your latest auction purchase, Visa is fretting that someone may be up to no good with your credit card, and some bank named SunTrust needs your mother's maiden name immediately if not sooner.

Plus, at least a dozen of your friends and colleagues have apparently sent e-mails promising you love, lust, a cool game or access to vital information if you'll just click on the attached file.

Yes, it's just another happy day in your spam- and scam-packed inbox.

Happily, help is available. Ciphire Mail, a new and soon-to-be-open-source application, aims to put an end to these sorts of annoyances with strong and user-friendly e-mail authentication and encryption.
E-mail authentication -- confirmation that the stated sender actually sent the message in question -- could make many e-mail hassles fade away, since most scams and computer viruses rely on bogus sender information to lull recipients into a false sense of security. Encryption is also a good idea, given the increasing prevalence of snoopy software.

The Ciphire Mail application, free for individual users, nonprofit organizations and the press, works in conjunction with all standard e-mail programs. It operates almost invisibly in the background, encrypting and decrypting e-mail missives and digitally signing each message to confirm its source.

Ciphire Labs didn't develop new encryption algorithms or authentication methods for Ciphire Mail. The idea was just to make the best existing technology "way easier to use," said Laird Brown, chief strategist for the Zurich, Switzerland-based company.

In close to a month of testing, Ciphire Mail performed almost perfectly on computers running Windows XP and Mac OS X version 10.3, with Outlook 2003, Eudora and the Thunderbird mail clients on the Windows box, and Eudora and Thunderbird on the Mac.

Setup was a snap: Just download and install the client, choose which e-mail addresses you want to associate with Ciphire, enter a password, and the application sets itself up.

Working with the program is just as simple. When two people using the Ciphire client exchange e-mails, the client intercepts e-mail right after the Send button is pressed, and before it leaves the computer. The recipient's security certificate is retrieved at the Ciphire Certificate Directory, security checks are performed, and then the message and any attachments are encrypted with the recipient's key.

Incoming e-mail is also intercepted before it appears in a user's inbox, the message is decrypted (if necessary) and the sender is authenticated using the corresponding certificate from the Ciphire Certificate Directory.
What Ciphire Mail is doing in the background is automatically managing each user's set of public and private cryptographic keys. The public key is sent to Ciphire's servers and the private one is stored on the user's machine. This allows two users to communicate using encryption without having to exchange private keys, as they must do using other e-mail encryption programs.

No delays in sending or receiving e-mail were noticeable during testing.

"The difference between Ciphire Mail and other technologies in our zone is the difference between using and learning how to use," Brown said. "And none of this has been done at the expense of security. If anything, we're more secure than the others."

Every Ciphire certificate contains three different 2,048-bit public keys (RSA, DSA and ElGamal). Ciphire Mail encrypts all e-mails with two layers. One layer is RSA (with AES) and the other layer is ElGamal (with Twofish).

If a message is sent to someone who doesn't use Ciphire Mail, the program simply signs the message, allowing the recipient to confirm that the message came from the apparent sender.

All of the authentication, encryption and decryption chores were carried out flawlessly on both test machines. My only problems with Ciphire Mail were petty aggravations; one would have been avoided if I had read the manual, and the other issue will be addressed in a future release.

The primary annoyance was having to enter a password to log into Ciphire Mail on every reboot of the computer. There's no option to have the program save the password and automatically login. While this makes sense from a security standpoint, it's also irritating when you know your machine is secure and protected from unauthorized physical or remote access.

Brown said that automatic login is the feature most requested by Ciphire Mail users, and a "remember my password" feature will be added to a future version of the program.
That's a good thing, as I also hated waiting the minute or so after booting my computer for Ciphire to load and request my password. Opening my e-mail client before Ciphire loaded caused mail transfer errors fixable only by rebooting the e-mail application.

The only other problem I experienced was sparked by the password-entry issue. When performing some upgrades on my computer that involved a lot of rebooting, I uninstalled Ciphire Mail to avoid the incessant requests for my password.

I didn't realize I needed to first deactivate my account before uninstalling the application, and subsequently received several important encrypted e-mails, sent by other Ciphire users, that I couldn't read.

Reinstalling the program as per Ciphire's help files and then forwarding the e-mails to myself didn't help -- I just received forwarded copies of gibberish. Eventually, I had to request that the senders send me unencrypted copies of their messages.

It was my mistake -- deactivation is clearly explained in the manual -- but it would have been helpful if Ciphire also included a message about deactivating the account in the uninstall routine.

But by and large, Ciphire Mail is flawless, doing what it says it will do with virtually no effort on the part of its users.

So why give all this wonderfulness away for free? According to Brown, Ciphire Labs wants to "share the wealth" that it hopes will soon be generated by the commercial version of Ciphire Mail for enterprises, expected to be released in spring 2005.

Ciphire Labs also intends to release the source code to Ciphire Mail within the year, after the application is out of beta and the code is deemed stable.
From isn at c4i.org Mon Jan 24 04:36:55 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jan 24 04:45:51 2005
Subject: [ISN] Linux Advisory Watch - January 21st 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                             Weekly Newsletter    |
|  January 21st, 2005                            Volume 6, Number 3a  |
+---------------------------------------------------------------------+

  Editors:     Dave Wreski                     Benjamin D. Thomas
               dave@linuxsecurity.com         ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for twiki, xine, libtiff, mc, gatos, playmidi, chbg, cups, imagemagick, mysql, xpdf, xtrlock, mysql, sword, squid, gimp, dovecot, dhcp, bind, vixie-cron, sysklogd, alsa-lib, grep, kernel-utils, ethereal, mpg123, playmidi, and krb5. The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat, SuSE, and TurboLinux.

---

>> Enterprise Security for the Small Business <<

Never before has a small business productivity solution been designed with such robust security features. Engineered with security as a main focus, the Guardian Digital Internet Productivity Suite is the cost-effective solution small businesses have been waiting for.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn07

---

Assurance via Documentation

In all business environments management must give a certain level of trust to staff in order for work to get done. In security, trust is extremely important. Security managers must trust staff to properly set up and configure systems, give appropriate access, and fix vulnerabilities as they arise. Trusting staff to get the job done is a fundamental part of doing business. As a manager, how can one be sure that the security staff is properly addressing security issues?
How can one be sure that vulnerabilities are fixed and logs are monitored?

Peter F. Drucker, a well known writer on business management topics, once wrote, "if you cannot measure it, you cannot manage it." This is directly relevant to security. How can a manager be sure that the backups are getting done? Are the IDS and firewall logs properly monitored? A manager can easily have trust in employees, but assurance also must be provided. Management should require staff to log backups, log reviews, server patching, etc. Rather than trusting staff to get the job done, it is necessary to have assurance. All general security maintenance tasks can be, and should be, auditable.

How will extra paperwork help security? Will staff get fed up with all of the extra documentation? The purpose of extra documentation is not to burden staff, it is to increasingly justify security spending. If a security department is properly doing its job, incidents will have little effect. However, if the department isn't doing its job, something catastrophic could happen. It is hard for people not in security to see the value in spending more money when there are no security incidents. Having auditable documented evidence of thwarted security attempts, log reviews, etc. can have a huge impact on the image of the security department. Rather than relying on trust, giving assurance and quantifying security will help get the budget necessary to have the appropriate level of protection.

Until next time, cheers!
Benjamin D. Thomas

----------------------

Encrypting Shell Scripts

Do you have scripts that contain sensitive information like passwords and you pretty much depend on file permissions to keep it secure? If so, then that type of security is good provided you keep your system secure and some user doesn't have a "ps -ef" loop running in an attempt to capture that sensitive info (though some applications mask passwords in "ps" output).
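The teaser above names two separate risks: a secret stored in a script is only as safe as the file permissions around it, and a secret handed to a program on its command line is visible to any local user polling `ps -ef`. The sh snippet below is an added example written for this digest, not code from the newsletter or from the article it links; `fake_client_argv` and `fake_client_stdin` are constructed stand-ins for a real client program, and the secret file and its value are constructed for the demo. It places the weak pattern (secret on argv) beside a hardened one (secret fed on stdin from a file that the script first verifies has no group or other permission bits).

```sh
#!/bin/sh
# Added example, not from the newsletter or the linked article.
# fake_client_argv / fake_client_stdin are constructed stand-ins for a real
# program that needs a credential; they only echo what they received.

# WEAK: the secret becomes an argv element of the child process.  Any user on
# the host who polls `ps -ef` (or reads /proc/<pid>/cmdline) sees it for as
# long as the child runs, regardless of how the script itself is protected.
weak_pass_secret() {
    secret=$1
    fake_client_argv --password "$secret"
}

# HARDENED: keep the secret out of argv by feeding it on standard input
# straight from a private file.  `ps` then shows only the program name.
safe_pass_secret() {
    secret_file=$1
    secret_file_is_private "$secret_file" || return 1
    fake_client_stdin < "$secret_file"
}

# Depending on file permissions only works if they are actually tight:
# a regular file with no read/write/execute bits for group or other.
secret_file_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    # In `ls -l` output, characters 5-10 are the group and other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Constructed helpers standing in for a real client.
fake_client_argv()  { printf 'argv received: %s\n' "$*"; }
fake_client_stdin() { IFS= read -r line; printf 'stdin received: %s\n' "$line"; }

# Walk through both paths with a constructed secret file.
demo() {
    tmp=$(mktemp)
    printf 's3cret-demo-value\n' > "$tmp"
    chmod 600 "$tmp"
    weak_pass_secret "$(cat "$tmp")"          # secret would show in ps
    safe_pass_secret "$tmp"                   # secret never touches argv
    chmod 644 "$tmp"                          # loosen permissions...
    safe_pass_secret "$tmp" || echo "refused: $tmp is group/world readable"
    rm -f "$tmp"
}

demo
```

Running the file prints the three outcomes in order: the argv path echoes the secret (what `ps` would have shown), the stdin path delivers it without exposing it, and once the file is made world-readable the hardened path refuses to use it at all. The permission test uses `ls -l` columns rather than `stat`, because `stat`'s flags differ between GNU and BSD userlands.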
http://www.linuxsecurity.com/content/view/117920/49/

---

A 2005 Linux Security Resolution

Year 2000, the coming of the new millennium, brought us great joy and celebration, but also brought great fear. Some believed it would result in full-scale computer meltdown, leaving Earth as a nuclear wasteland. Others predicted minor glitches leading only to inconvenience. The following years (2001-2004) have been tainted with the threat of terrorism worldwide.

http://www.linuxsecurity.com/content/view/117721/49/

---

State of Linux Security 2004

In 2004, security continued to be a major concern. The beginning of the year was plagued with several kernel flaws and Linux vendor advisories continue to be released at an ever-increasing rate. This year, we have seen the reports touting Windows' security superiority, only to be debunked by other security experts immediately after release. Also, Guardian Digital launched the new LinuxSecurity.com, users continue to be targeted by automated attacks, and the need for security awareness and education continues to rise.

http://www.linuxsecurity.com/content/view/117655/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Conectiva        | ----------------------------//
+---------------------------------+

* Conectiva: twiki Fix for twiki remote vulnerability
  14th, January, 2005

  A vulnerability in twiki was found where a remote attacker could exploit it to run arbitrary shell commands on the server. For further information on this vulnerability, please, refer to the authors' announcement[2].

  http://www.linuxsecurity.com/content/view/117926

* Conectiva: xine-lib Fixes for xine-lib vulnerabilities
  19th, January, 2005

  Ariel Berkman discovered a buffer overflow vulnerability[2] in demux_aiff.c, where it reads specific input data into an array without checking the input size.
  http://www.linuxsecurity.com/content/view/117967

* Conectiva: libtiff3 Fixes for libtiff vulnerabilities
  20th, January, 2005

  This announcement fixes several integer overflow vulnerabilities[3,4] that were encountered in libtiff by iDefense which could lead to remote arbitrary code execution.

  http://www.linuxsecurity.com/content/view/117982

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New mc packages fix several vulnerabilities
  14th, January, 2005

  Andrew V. Samoilov has noticed that several bugfixes which were applied to the source by upstream developers of mc, the midnight commander, a file browser and manager, were not backported to the current version of mc that Debian ships in their stable release.

  http://www.linuxsecurity.com/content/view/117925

* Debian: New gatos packages fix arbitrary code execution
  17th, January, 2005

  Erik Sjölund discovered a buffer overflow in xatitv, one of the programs in the gatos package, that is used to display video with certain ATI video cards. xatitv is installed setuid root in order to gain direct access to the video hardware.

  http://www.linuxsecurity.com/content/view/117938

* New playmidi packages fix local root exploit
  17th, January, 2005

  Erik Sjolund discovered that playmidi, a MIDI player, contains a setuid root program with a buffer overflow that can be exploited by a local attacker.

  http://www.linuxsecurity.com/content/view/117939

* Debian: New gallery packages fix several vulnerabilities
  17th, January, 2005

  Several vulnerabilities have been discovered in gallery, a web-based photo album written in PHP4.

  http://www.linuxsecurity.com/content/view/117942

* Debian: New queue packages fix buffer overflows
  18th, January, 2005

  "jaguar" of the Debian Security Audit Project has discovered several buffer overflows in queue, a transparent load balancing system.
  http://www.linuxsecurity.com/content/view/117951

* Debian: New chbg packages fix arbitrary code execution
  18th, January, 2005

  Danny Lungstrom discovered a vulnerability in chbg, a tool to change background pictures. A maliciously crafted configuration/scenario file could overflow a buffer and lead to the execution of arbitrary code on the victim's machine.

  http://www.linuxsecurity.com/content/view/117952

* Debian: New CUPS packages fix arbitrary code execution
  19th, January, 2005

  iDEFENSE has reported a buffer overflow in xpdf, the portable document format (PDF) suite. Similar code is present in the PDF processing part of CUPS. A maliciously crafted PDF file could exploit this problem, resulting in the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/117963

* Debian: New ImageMagick packages fix arbitrary code execution
  19th, January, 2005

  Andrei Nigmatulin discovered a buffer overflow in the PSD image-decoding module of ImageMagick, a commonly used image manipulation library. Remote exploitation with a carefully crafted image could lead to the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/117964

* Debian: New mysql packages fix insecure temporary files
  19th, January, 2005

  Javier Fernandez-Sanguino Pena from the Debian Security Audit Project discovered a temporary file vulnerability in the mysqlaccess script of MySQL that could allow an unprivileged user to let root overwrite arbitrary files via a symlink attack, and could also unveil the contents of a temporary file which might contain sensitive information.

  http://www.linuxsecurity.com/content/view/117965

* Debian: New xpdf packages fix arbitrary code execution
  19th, January, 2005

  iDEFENSE has reported a buffer overflow in xpdf, the portable document format (PDF) suite. A maliciously crafted PDF file could exploit this problem, resulting in the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/117966

* Debian: New xtrlock packages fix authentication bypass
  20th, January, 2005

  A buffer overflow has been discovered in xtrlock, a minimal X display lock program, which can be exploited by a malicious local attacker to crash the lock program and take over the desktop session.

  http://www.linuxsecurity.com/content/view/117981

* Debian: New sword packages fix arbitrary command execution
  20th, January, 2005

  Ulf Harnhammar discovered that due to missing input sanitising in diatheke, a CGI script for making and browsing a bible website, it is possible to execute arbitrary commands via a specially crafted URL.

  http://www.linuxsecurity.com/content/view/117990

* Debian: New squid packages fix denial of service
  20th, January, 2005

  Several vulnerabilities have been discovered in Squid, the internet object cache, the popular WWW proxy cache.

  http://www.linuxsecurity.com/content/view/117991

* Fedora Core 3 Update: kernel-2.6.10-1.741_FC3
  14th, January, 2005

  Fix slab corruption in ACPI video code.

  http://www.linuxsecurity.com/content/view/117924

+---------------------------------+
| Distribution: Fedora            | ----------------------------//
+---------------------------------+

* Fedora Core 2 Update: system-config-kickstart-2.5.19-1.fc2
  14th, January, 2005

  This update fixes bug #143946, where system-config-kickstart cannot load kickstart configuration files. It also incorporates all the other fixes and improvements that have taken place since the FC2 version of this utility.

  http://www.linuxsecurity.com/content/view/117934

* Fedora Core 3 Update: gimp-2.2.2-0.fc3.2
  16th, January, 2005

  This is a major version upgrade from 2.0.x to 2.2.x, but it is designed to be binary compatible in order that old plug-ins and scripts continue to work.

  http://www.linuxsecurity.com/content/view/117937

* Fedora: NetworkManager-0.3.3-1.cvs20050112.1.fc3 update
  17th, January, 2005

  Please see the RPM Changelog for fixes and new features since the last version.
  http://www.linuxsecurity.com/content/view/117948

* Fedora Core 3 Update: gimp-help-2-0.1.0.6.0.fc3.1
  18th, January, 2005

  The GIMP User Manual is a newly written User Manual for the GIMP.

  http://www.linuxsecurity.com/content/view/117953

* Fedora Core 3 Update: gimp-2.2.2-0.fc3.3
  18th, January, 2005

  clip thumbnail quality at 75 and don't barf on saving images at quality 0

  http://www.linuxsecurity.com/content/view/117954

* Fedora Core 2 Update: dovecot-0.99.13-4.FC2
  18th, January, 2005

  This is a bug fix update for the Dovecot IMAP server. This brings the Red Hat Dovecot rpm up to date with the latest upstream release from Timo Sirainen, version 0.99.13, released on Jan 6th 2005.

  http://www.linuxsecurity.com/content/view/117955

* Fedora Core 3 Update: dovecot-0.99.13-3.FC3
  18th, January, 2005

  This is a bug fix update for the Dovecot IMAP server. This brings the Red Hat Dovecot rpm up to date with the latest upstream release from Timo Sirainen, version 0.99.13, released on Jan 6th 2005.

  http://www.linuxsecurity.com/content/view/117956

* Fedora Core 3 Update: dhcpv6-0.10-11_FC3
  19th, January, 2005

  Updated dhcpv6 package, adding Relay Agent support, support for prefix delegation to radvd on an interface other than the lease reception interface, and a fix for cores on resolv.conf and radvd.conf update.

  http://www.linuxsecurity.com/content/view/117969

* Fedora Core 3 Update: dhcp-3.0.1-30_FC3
  19th, January, 2005

  Updated DHCP and DHCLIENT packages.

  http://www.linuxsecurity.com/content/view/117970

* Fedora Core 3 Update: bind-9.2.4-8_FC3
  19th, January, 2005

  Updated BIND packages.

  http://www.linuxsecurity.com/content/view/117971

* Fedora Core 3 Update: vixie-cron-4.1-20_FC3
  19th, January, 2005

  Updated vixie-cron package.

  http://www.linuxsecurity.com/content/view/117972

* Fedora Core 3 Update: sysklogd-1.4.1-26_FC3
  19th, January, 2005

  Updated sysklogd packages.
  http://www.linuxsecurity.com/content/view/117973

* Fedora Core 3 Update: gpdf-2.8.2-2.2
  19th, January, 2005

  Add patch for CAN-2005-0064

  http://www.linuxsecurity.com/content/view/117976

* Fedora Core 2 Update: gpdf-2.8.2-2.1
  19th, January, 2005

  Add patch for CAN-2005-0064

  http://www.linuxsecurity.com/content/view/117977

* Fedora Core 2 Update: cups-1.1.20-11.10
  20th, January, 2005

  This package fixes a buffer overflow which may possibly allow attackers to execute arbitrary code as the "lp" user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0064 to this issue.

  http://www.linuxsecurity.com/content/view/117983

* Fedora Core 3 Update: cups-1.1.22-0.rc1.8.4
  20th, January, 2005

  This package fixes a buffer overflow which may possibly allow attackers to execute arbitrary code as the "lp" user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0064 to this issue.

  http://www.linuxsecurity.com/content/view/117984

* Fedora Core 3 Update: alsa-lib-1.0.6-7.FC3
  20th, January, 2005

  A flaw in the alsa mixer code was discovered, which disabled stack execution protection for the libasound.so library distributed with Fedora Core 3. The effect of this flaw was that stack execution protection, through NX or Exec-Shield, was disabled for any application linked to libasound.

  http://www.linuxsecurity.com/content/view/117985

* Fedora Core 3 Update: grep-2.5.1-31.4
  20th, January, 2005

  This update fixes a small regression in handling multibyte input for "grep -Fi", and further improves performance when processing UTF-8 input.
  http://www.linuxsecurity.com/content/view/117992

* Fedora Core 2 Update: xpdf-3.00-3.7
  20th, January, 2005

  Applied patch to fix CAN-2005-0064 (bug #145050)

  http://www.linuxsecurity.com/content/view/117993

* Fedora Core 3 Update: xpdf-3.00-10.2
  20th, January, 2005

  Applied patch to fix CAN-2005-0064 (bug #145050)

  http://www.linuxsecurity.com/content/view/117994

* Fedora Core 2 Update: kernel-utils-2.4-9.1.131_FC2
  20th, January, 2005

  Update microcode_ctl to 1.11 (#131885)

  http://www.linuxsecurity.com/content/view/117997

* Fedora Core 3 Update: kernel-utils-2.4-13.1.49_FC3
  20th, January, 2005

  Update microcode_ctl to 1.11

  http://www.linuxsecurity.com/content/view/117998

* Fedora Core 3 Update: hal-0.4.6-1.FC3
  20th, January, 2005

  New upstream release

  http://www.linuxsecurity.com/content/view/118004

+---------------------------------+
| Distribution: Gentoo            | ----------------------------//
+---------------------------------+

* Gentoo: Squid Multiple vulnerabilities
  16th, January, 2005

  Squid contains vulnerabilities in the code handling NTLM (NT Lan Manager), Gopher to HTML and WCCP (Web Cache Communication Protocol) which could lead to denial of service and arbitrary code execution.

  http://www.linuxsecurity.com/content/view/117936

* Gentoo: ImageMagick PSD decoding heap overflow
  20th, January, 2005

  ImageMagick is vulnerable to a heap overflow when decoding Photoshop Document (PSD) files, which could lead to arbitrary code execution.

  http://www.linuxsecurity.com/content/view/118003

* Gentoo: Ethereal Multiple vulnerabilities
  20th, January, 2005

  Multiple vulnerabilities exist in Ethereal, which may allow an attacker to run arbitrary code, crash the program or perform DoS by CPU and disk utilization.
  http://www.linuxsecurity.com/content/view/118005

+---------------------------------+
| Distribution: Mandrake          | ----------------------------//
+---------------------------------+

* Mandrake: CUPS multiple vulnerabilities fix
  17th, January, 2005

  A buffer overflow was discovered in the ParseCommand function in the hpgltops utility. An attacker with the ability to send malicious HPGL files to a printer could possibly execute arbitrary code as the "lp" user (CAN-2004-1267).

  http://www.linuxsecurity.com/content/view/117947

* Mandrake: Updated mpg123 packages fix
  19th, January, 2005

  A vulnerability in mpg123's ability to parse frame headers in input streams could allow a malicious file to exploit a buffer overflow and execute arbitrary code with the permissions of the user running mpg123.

  http://www.linuxsecurity.com/content/view/117978

* Mandrake: Updated playmidi packages
  19th, January, 2005

  Erik Sjolund discovered a buffer overflow in playmidi that could be exploited by a local attacker if installed setuid root. Note that by default Mandrakelinux does not ship playmidi installed setuid root.

  http://www.linuxsecurity.com/content/view/117979

* Mandrake: Updated xine packages fix
  19th, January, 2005

  iDefense discovered that the PNA_TAG handling code in pnm_get_chunk() does not check if the input size is larger than the buffer size (CAN-2004-1187). As well, they discovered that in this same function, a negative value could be given to an unsigned variable that specifies the read length of input data (CAN-2004-1188).

  http://www.linuxsecurity.com/content/view/117980

+---------------------------------+
| Distribution: Red Hat           | ----------------------------//
+---------------------------------+

* RedHat: Updated kernel packages fix security
  18th, January, 2005

  Updated kernel packages that fix several security issues in Red Hat Enterprise Linux 3 are now available.
  http://www.linuxsecurity.com/content/view/117962

* RedHat: Updated krb5 packages fix security
  19th, January, 2005

  Updated Kerberos (krb5) packages that correct buffer overflow and temporary file bugs are now available for Red Hat Enterprise Linux.

  http://www.linuxsecurity.com/content/view/117974

* RedHat: Updated php packages fix security issues
  19th, January, 2005

  Updated php packages that fix various security issues are now available for Red Hat Enterprise Linux 2.1.

  http://www.linuxsecurity.com/content/view/117975

+---------------------------------+
| Distribution: SuSE              | ----------------------------//
+---------------------------------+

* SuSE: php4, mod_php4 remote code execution
  17th, January, 2005

  Stefan Esser and Marcus Boerger found several buffer overflow problems in the unserializer functions of PHP (CAN-2004-1019), and Ilia Alshanetsky found one in the exif parser (CAN-2004-1065). Any of them could allow remote attackers to execute arbitrary code as the user running the PHP interpreter.

  http://www.linuxsecurity.com/content/view/117944

+---------------------------------+
| Distribution: Turbo Linux       | ----------------------------//
+---------------------------------+

* TurboLinux: xpdf Buffer overflow
  20th, January, 2005

  These vulnerabilities may allow remote attackers to execute arbitrary code via malformed PDF files.

  http://www.linuxsecurity.com/content/view/117986

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Jan 24 04:39:15 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jan 24 04:45:53 2005
Subject: [ISN] Harvard Drug Records, Confidential Data Vulnerable
Message-ID:

http://www.thecrimson.com/today/article505402.html

By J. HALE RUSSELL and ELISABETH S. THEODORE
Crimson Staff Writers
January 21, 2005

The confidential drug purchase histories of many Harvard students and employees have been available for months to any internet user, as have the e-mail addresses of high-profile undergraduates whose contact information the University legally must conceal, a Crimson investigation has found.

Administrators shut down a Harvard website contributing to the breach minutes after The Crimson demonstrated the problem yesterday afternoon. But at press time, sensitive data - including the drug histories of those insured by the University - remained vulnerable to anyone who obtains a student or professor's non-confidential Harvard ID number.

The now-disabled Harvard website, iCommons Poll Tool, required nothing more than a free, anonymous Hotmail account and five minutes to look up the eight-digit ID of any student, faculty or staff member.

A list of all three prescription drugs purchased by one student at University Health Services (UHS) Pharmacy was accessed by The Crimson by typing his ID number and birthday into another website, run by Harvard drug insurer PharmaCare. Birthdates of undergraduates are published to fellow students, and are in many cases more widely available on sites such as anybirthday.com.

Last night, the insurer's website still required nothing more than these two pieces of information to provide a list of drugs purchased by anyone covered by Harvard's drug insurance policy - which is mandatory for all undergraduates and also covers many faculty and staff.

UHS, after being alerted to the security issues on PharmaCare's website by The Crimson yesterday, said it immediately called the insurer for an explanation.

"We're in contact with PharmaCare," UHS Compliance Officer Barbara Skane said yesterday evening. "We've expressed to them how serious this is and that we're asking their senior management to look into it to see what we can do to correct any inappropriate access."
She added she did not yet know whether PharmaCare's website might violate HIPAA, a federal law prohibiting the unauthorized disclosure of individual medical records.

Moreover, from the now-disabled University website, it took under a minute to produce the ID number and e-mail address of a student who told The Crimson he had been granted security status at Harvard under the Family Educational Rights and Privacy Act (FERPA) because his family is prominent in international politics.

"If a student contacts their Registrar and requests total privacy under FERPA, this FERPA status...must also [be] recorded in the central directory system," wrote Jane E. Hill, Harvard's Directory Services project manager, in an e-mail.

FERPA legally requires universities not to disclose or verify directory information, including names and e-mail addresses, of individuals with a secure flag, except as required for specific educational purposes.

This protection is used both by "publicity-shy" celebrities and for students who "are legitimately terrified of some potentially harmful person - a woman trying to disappear from a stalker, for example," wrote former Dean of the College Harry R. Lewis '68 in an e-mail.

Additionally, though Faculty policy prohibits it, many professors still e-mail their students all class grades listed by ID numbers. Thus any of the 311 students in Psychology 1 this year, among others, could have also used the disabled website to determine what exam grades their classmates received - a confidential academic record.

After the iCommons Poll Tool was shut down last night, University Technology Security Officer Scott Bradner said that "there's no condition under which [the ID number] should have been shared. It was not a design feature."

The glitch - and the vulnerabilities that remain - underscore the difficulties posed to information privacy by the widespread use of ID numbers to verify identity, even though those numbers are often not kept secret.
"The University has a custodial obligation to protect the personal information of its students, its faculty and its employees," said Marc Rotenberg '82, executive director of the Electronic Privacy Information Center, after learning of The Crimson's findings. "People need to understand how pervasive the University's information gathering and collating capabilities are... The impact on the Harvard community in terms of the privacy exposure is substantial."

SKELETON KEYS

These vulnerabilities stem from Harvard's use of a non-confidential number to verify identity and access secure systems.

ID numbers, which Bradner says are considered "non-public but not secret," are often widely distributed - to course heads and staff, on printed ID cards and even to students planning a barbecue.

Though most Harvard websites with secure information require a confidential PIN or other password in addition to the ID, The Crimson has identified a number of online applications - ranging from PharmaCare to network access to mail forwarding - that require nothing more than an ID number and birthday, or ID and last name.

Computer security experts say such use of a non-secure identifier as a password is a serious and common problem.

"The ID number, much like the Social Security Number, has always had this problem of operating both as a record identifier and as a password," Rotenberg said. "It's the interchangeable nature of the identifier that creates a security risk."

Until yesterday afternoon, exploiting such vulnerabilities could have been made easier by the long-standing glitch in the polling tool. The website, which allows people to design and conduct surveys, enabled anyone - with or without Harvard affiliation - to search the entire Harvard directory by first or last name, e-mail address or Harvard ID number.
Unlike other campus directories, the system did not hide users who have requested FERPA security from the University, or respect other user-set restrictions on the distribution of their directory data.

A series of steps common in conducting a poll enabled any iCommons user to directly look up the ID number of any Harvard affiliate - from secure-flagged students to University President Lawrence H. Summers. No other public system permits students to search ID numbers or to associate ID numbers with names.

Susan Rogers, project manager for iCommons, was surprised when The Crimson demonstrated the technique for looking up a FERPA-protected student's information, though she had previously planned to remove the search-by-ID-number feature.

She added yesterday evening that preliminary analysis of the usage logs of the poll tool showed that, prior to pulling the site, only The Crimson had used the method that non-Harvard affiliates could use to gain access.

BEHIND UNPINNED DOORS

But even if iCommons is fixed, The Crimson has identified a variety of web tools that require no more than the non-secret ID, or a combination of ID and last name or birthday, to access information that would generally be considered confidential.

For instance, anyone on campus can delete or register a Harvard network connection just knowing an individual's ID and last name. This would permit someone to illegally share files traceable to another person's identity.

A last name and ID are also the keys to choosing course sections and accessing the Student Employment Office's jobs database. Only an ID is required to access the Office of Career Services' MonsterTrak job listings database.

With a Harvard ID and birthday - obtainable by undergraduates through an online facebook, and more widely through websites like anybirthday.com - a user can post or download résumés on someone else's eRecruiting account or access the online UHS health insurance waiver form.
Individuals can also activate an e-mail address for someone who is eligible for a Faculty of Arts and Sciences account but has not requested one.

Setting up all campus mail to forward to a different physical address requires the ID and the last four digits of a student's social security number - often obtainable by searching online directories like Lexis-Nexis and Accurint. Accessing mail forwarding would also show the individual's current Harvard address, which for a secure-flag student could result in the disclosure of their on-campus whereabouts.

The most sensitive data accessible with only a Harvard ID and birthday, though, appears to be that from Harvard's primary drug insurance provider, PharmaCare.

Bradner said the healthcare industry is under unusually strict requirements to protect sensitive information, in part due to HIPAA.

"Despite that, there are a lot of people in the healthcare industry who just don't get it," he said. "If indeed they're using just [ID and birthday] to identify somebody, that's an example of just not getting it."

Skane, the UHS compliance officer, said that without more information from PharmaCare she was unsure whether Harvard or PharmaCare would be able to determine whether unauthorized individuals had used the site.

A PharmaCare spokeswoman last night said she was unaware that information about past pharmacy drug purchases was available through its website.

Jerome B. Tichner Jr., an attorney practicing healthcare law at Boston-based Brown and Rudnick, said that while he could not comment on PharmaCare's specific case, current law requires insurance providers to "maintain reasonable safeguards to protect against improper access and disclosure of healthcare records."

"If an entity [covered by HIPAA] does not have adequate security systems, and it's very easy for any third party to walk in or log in and obtain pharmaceutical information or other healthcare information, that may pose liability concerns," he said.
Lewis, who is also a computer science professor and will teach a Core course next semester on computers and public policy, said he has advocated since 1996 for clearer Harvard policies on ID privacy.

"Ten years ago the most you could get with a Harvard ID number was a bag lunch," he said. "But now data of all kinds are on web servers for reasons of convenience, and those Harvard ID numbers, if those are the keys, suddenly are much more powerful tools to get at sensitive information."

"It's too bad that everything hasn't been shifted over to PIN authentication, which should today represent the minimum of security for confidential university records," Lewis added.

From isn at c4i.org Mon Jan 24 04:39:32 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jan 24 04:45:55 2005
Subject: [ISN] Call for Papers - PHRACK #63
Message-ID:

Forwarded from: dontreply@phrack.org

[-]=====================================================================[-]

          +++++++++++++++++++++++++++
          =: P H R A C K - F I N A L :=
          +++++++++++++++++++++++++++

   ...a glorious era comes to an end. #63 will be our last PHRACK RELEASE -- EVER...

   FINAL CALL FOR PAPERS * FINAL CALL FOR PAPERS * FINAL CALL FOR PAPERS

          -----------------------------------
          Deadline: 10 July 2005 at 11:59pm
          http://www.phrack.org/cfp_final.txt
          -----------------------------------

Phrackstaff is pleased to bring you our LAST EVER CALL FOR PAPERS for the FINAL RELEASE of PHRACK. We are preparing for a hardcover and ezine release at a major hacker convention near you! We ask everyone to submit a paper. Great care will be taken to ensure that only the best articles make it into PHRACK FINAL.
As usual, papers can be on any topic related to the following:

  - hacking
  - phreaking
  - spying
  - carding
  - cybernetics
  - radio
  - electronics
  - forensics
  - reverse engineering
  - cryptography
  - anarchy
  - conspiracy
  - world news

Since 1985, PHRACK MAGAZINE has been providing the hacker community with information on operating systems, network technologies and telephony, as well as relaying features of interest for the international computer underground. PHRACK MAGAZINE is made available to the public, as often as possible, free of charge.

PHRACK STAFF <--- preparing for hex2005
phrackstaff@phrack.org

Post Scriptum:

  - Phrackstaff will keep the website running for at least 2 years after PHRACK FINAL.
  - The last T-Shirts are sold for just $14.95 now. Enjoy it!
  - More about our decision in the release.

Thanks and Goodbye.

[-]=====================================================================[-]

From isn at c4i.org Mon Jan 24 04:39:49 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jan 24 04:45:57 2005
Subject: [ISN] DOD fights 'Net
Message-ID:

Forwarded from: William Knowles

http://www.fcw.com/fcw/articles/2005/0117/web-wolf-01-21-05.asp

By Frank Tiboni
Jan. 21, 2005

The second-highest public official at the Pentagon considers computer security so important to military operations that he sent a memo last year to department leaders telling them they must "Fight the Net."

"Protection of DOD computer network systems is a key priority. Leaders at every echelon must be personally involved in the defense and protection of our computer networks," said Deputy Defense Department Secretary Paul Wolfowitz in the memo, "DOD Network Defense."

The Pentagon's top information assurance official said Wolfowitz issued the memorandum because he wants all department personnel who use a computer to take a personal responsibility in protecting the Global Information Grid, the network of DOD business and war-fighting systems.
"Everybody must understand the importance of practicing good computer security," said Robert Lentz, director of information assurance in the Office of the Assistant Secretary of Defense for Networks and Information Integration and Chief Information Officer.

Wolfowitz offered five tips to improve computer security department-wide:

* Employ information assurance best practices for proper network configurations.
* Use accepted password management practices.
* Minimize access privileges through need-to-know criteria.
* Increase awareness of cross-domain file transfer security procedures.
* Eliminate unauthorized use of readily exploitable software such as peer-to-peer file sharing and remote access applications.

In the two-page memo dated Aug. 15, he acknowledged the hacking of military systems.

"Recent exploits have reduced operational capabilities on our networks," Wolfowitz said. "Failure to secure our networks will weaken our war-fighting ability and potentially put lives at risk."

He cited poor network management and vigilance as the culprit.

"While great strides have been made in a number of areas, we continue to be negatively impacted when deficiencies in our information systems are successfully exploited," Wolfowitz said. "In most cases, proper vulnerability management would have prevented this."

Lentz declined comment on the hackings mentioned in the memo, citing operational concerns. "Take it [the memo] at face value," he said.

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen. Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Mon Jan 24 04:40:04 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jan 24 04:45:59 2005
Subject: [ISN] IRS underestimates IT security weaknesses
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/34887-1.html

By Mary Mosquera
GCN Staff
01/21/05

The process the IRS has used to track IT program and system security weaknesses is flawed and ineffective, the Treasury Inspector General for Tax Administration's office said in a report released this week. As a result, the IRS provided the Treasury Department and the Office of Management and Budget with inaccurate and misleading information related to the Federal Information Security Management Act.

"The system-level (Plans of Action and Milestones) did not accurately and completely describe the security weaknesses and milestones, understated the number of weaknesses, and overstated progress in addressing the weaknesses," said Gordon Milbourn III, Treasury's assistant inspector general for audit, in the report.

The review took place in April and May, but auditors took into account IRS progress in its next FISMA report dated September.

IRS prepared near-identical plans for each system, noting broad categories of weaknesses instead of specific weak points. The agency did not provide detailed actions to correct the problems nor the names of the managers responsible for them, according to the report.

In its most recent action report, IRS listed 319 weaknesses for its 80 major systems. But those weaknesses only represent management control problems, such as lack of certification and accreditation, security and tested contingency plans. They do not include operational and technical control weaknesses, the report said.
IRS assumed that if a system had been certified and accredited, most noted weaknesses could be closed. "This assumption is not valid since certified and accredited systems can still have security weaknesses," the IG said.

IRS has since established a working group of IT modernization and business unit executives to figure out how best to manage the process for correcting security problems, said Daniel Galik, chief of IRS mission assurance and security services.

IRS will provide detailed corrective actions by line item instead of grouping the actions "to ensure there is not a perception of underreporting of corrective actions," he said in a written response earlier this month.

IRS will also team with Treasury to acquire an automated application that will standardize and streamline all action plan reporting and tracking across the department, he said. Treasury is adapting its process for reporting and tracking financial management weaknesses through its Joint Audit Management Enterprise System in order to synchronize its security reporting. This will create one source for tracking corrective actions related to audits by TIGTA and the Government Accountability Office, Galik said.

From isn at c4i.org Wed Jan 26 02:31:10 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jan 26 02:34:36 2005
Subject: [ISN] Prosecutors ask 37-month sentence for Hopkins teen in Internet worm case
Message-ID:

Forwarded from: William Knowles

http://www.startribune.com/stories/789/5204679.html

Paul Levy
Star Tribune
January 26, 2005

Jeffrey Lee Parson, the Hopkins teenager who unleashed an Internet worm that infected an estimated 48,000 computers and caused more than $1 million in damage, should be sentenced to 37 months in prison, according to a formal recommendation made by federal prosecutors today.

Parson's sentencing is scheduled for Friday in U.S. District Court in Seattle.
Parson, 19, who was arrested during his senior year at Hopkins High School, pleaded guilty in August to releasing the widely publicized Internet virus.

"Parson's worm was not an aberrant moment in a young person's life, but instead was just the latest in a string of escalating efforts by Parson to take over other people's computers, destroy their web sites, and otherwise use his computer skills for his own selfish amusement, personal gain and/or to harm others," U.S. Attorney John McKay and assistant U.S. attorney Annette L. Hayes wrote in their sentencing memorandum.

The prosecutors then requested that Judge Marsha J. Pechman sentence Parson to 37 months in prison -- the maximum he could be sentenced under a plea agreement that suggested a sentence between 1½ years and three years and one month.

But Parson's attorneys had hoped for a much lighter sentence -- six months in prison with three years supervised probation, according to a notification sent to the U.S. Probation and U.S. Attorney's offices six days ago. The defense attorneys also wrote that Parson should spend an additional six months in a community treatment center and another six months in home detention.

Prosecutors said that if the judge follows the sentencing recommendation of Parson's attorneys, the plea agreement will be withdrawn and Parson must stand trial.

Parson's worm was a variant of the original Blaster worm that victimized millions of computer users, whether in homes or on corporate networks, the prosecutors wrote in their recommendation to the court. The original Blaster virus cost computer users their e-mail access while shutting down government agencies, large banks and transportation systems.

The original Blaster worm also had a large impact on Microsoft Corporation. The virus directed the infected computers to launch a denial-of-service attack against domain names through which Microsoft distributes security information to its customers.
Parson "had a key role in causing all this damage" because he released a variant of the original Blaster worm "knowing what the worm was capable of doing, and intending to damage individual computer users and Microsoft," the prosecutors wrote.

Parson's worm was responsible for about $1.22 million in damage, according to the prosecutors' estimates. Parson's virus included a program that, when loaded on a targeted computer, allowed other computers access to private files, the prosecutors wrote.

The 6-foot-4-inch, 320-pound Parson, known online as "teekid," was the first person arrested in connection with the Blaster attacks. Upon his arrest in August 2003, experts said there was no reason to believe Parson knew Blaster's original author.

Parson is being sentenced in Seattle, where the Blaster investigation began.

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Wed Jan 26 02:31:28 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jan 26 02:34:39 2005
Subject: [ISN] Japanese government, U.S. security expert meet in court
Message-ID:

http://security.itworld.com/4368/050125japansecurity/page_1.html

Paul Kallender
IDG News Service
Tokyo Bureau
1/25/05

A U.S. security expert appearing in a Tokyo court on Tuesday accused the Japanese government of pushing a dagger against the heart of free speech.

Ejovi Nuwere, chief technology officer of SecurityLab Technologies Inc., in Boston, Massachusetts, is suing the Japanese government for ¥30 million (US$291,000) for allegedly censoring his criticisms of Japan's online citizens registry database, called Juki Net.
In a lawsuit filed last November against Japan's Ministry of Internal Affairs and Communications (MIC), Nuwere alleged that the ministry stopped him from making a presentation at a conference earlier that month in which he planned to discuss his concerns about the security of the database. He said he brought the case to defend his human rights under the Japanese constitution.

Juki Net is a national network of databases that contain the names and personal details of nearly every person residing in Japan. It has been surrounded by controversy, particularly over security concerns, since before its launch in 2003.

Nuwere was one of three experts hired by the Nagano prefectural government to test the security of the system last year. The experts successfully managed to compromise servers in part of the system maintained by the prefectural government. Nuwere had intended to describe these experiences in his talk.

In his deposition, which he read to the Tokyo court on Tuesday, Nuwere alleged that the MIC had put pressure on both him and the conference organizers, forcing him to cancel his speech shortly before he went on stage. This last-minute interference came after a month of negotiations between Nuwere and the MIC, and after the ministry had ignored requests to discuss their objections to the speech, Nuwere said.

Accompanied by his lawyer, Tsutomu Shimizu, and facing three judges at the Tokyo Regional Court, Nuwere spent about five minutes reading out his deposition as a nine-member legal team representing the government looked on.

"The government should not be allowed to censor thoughts, opinions and speech in a democracy," Nuwere told the judges. "We must constantly challenge any attempt to ignore the constitution. If we don't ... it will only be a piece of paper with words and signatures, an insignificant document," he said.

Nuwere also alleged that the MIC had already partially admitted censoring parts of Nuwere's speech in a Jan. 18 response to his initial petition.

"The government has pushed a dagger ever so slightly against the heart of free speech in this country," Nuwere told the court.

The Nagano prefectural government had expressed no concerns about his presentation, and as a security expert with 10 years of experience he understood the confidentiality agreements he had been required to honor when making his presentation, Nuwere said in an interview outside the court.

Throughout his deposition he made repeated references to the notion that he was one person defending his rights against the power of the Japanese government.

"I thought it quite interesting that they had prepared an army of lawyers against me," he said in the interview.

Lawyers for the government are scheduled to present their opening statement at a hearing on March 22. Contacted by telephone Tuesday, the government's lawyers declined to comment on the case.

The two sides are expected to have gathered the evidence needed for trial by the end of August, Shimizu said outside the court.

"I am going to play the best hand I can with the cards that I have been dealt," he said.

From isn at c4i.org Wed Jan 26 02:31:43 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jan 26 02:34:40 2005
Subject: [ISN] Developers say FIPS 140-2, WiFi security are big hurdles
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/34902-1.html

By Susan M. Menke
GCN Staff
01/25/05

Developers at a recent encryption conference in Toronto said their toughest job is plugging security holes in their products to meet the encryption requirements of Federal Information Processing Standard 140-2.

The conference, sponsored by elliptical-curve cryptography vendor Certicom Corp. of Mississauga, Ont., drew 60 top systems integrators and middleware vendors from around the world, who were subsequently surveyed about their concerns.

"FIPS 140-2 compliance is difficult and time-consuming," Certicom's Brendan Ziolo said.
"A surprising number of implementations fail, and the testing can take eight to 12 months."

About 30 percent of new crypto modules do not pass the FIPS 140-2 tests, designed by the National Institute of Standards and Technology, he said, and about 20 percent of returning modules still have security flaws.

Another hurdle is wireless security. "A lot of middleware developers are looking to extend their applications to wireless, but the Wired Equivalent Privacy algorithm was broken very quickly, and no real standard has replaced it," Ziolo said.

In the survey, developers ranked fast, efficient performance as the top criterion for organizations trying to strengthen encryption security. Other important concerns are quality of the chosen algorithm and access to the source code, they said.

Sixty percent of the respondents said they use open-source and other publicly available algorithms during product development; 40 percent continue to use it in their production systems.

From isn at c4i.org Wed Jan 26 02:31:58 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jan 26 02:34:43 2005
Subject: [ISN] Security organisation's Web site hacked
Message-ID:

http://news.zdnet.co.uk/0,39020330,39185308,00.htm

Dan Ilett
ZDNet UK
January 24, 2005

The Information Systems Security Association's UK Web site [1] was defaced earlier this month after a server upgrade

The UK arm of the Information Systems Security Association (ISSA) has admitted its Web site was hacked into and defaced earlier this month.

The organisation's Web site, which has the logo "the global voice of the information security profession", was hacked after its server was upgraded.

"In mid-December we switched to a different server and upgraded the software," said Richard Starnes, president of the ISSA UK. "In the patching process, some of the patches were missed. The Web site was subsequently hacked. We took the Web site down, removed the vulnerability, audited the Web site and reported it to the proper authorities."
The ISSA UK Web site, which is sponsored by security companies Sophos, (ISC)2 and Websense, was hacked on January 7th, Starnes confirmed.

According to a report on a hacking Web site [2], a hacker dubbed iskorpitx penetrated and defaced the ISSA Web site on January 7th at 19:39. The mirror image of the defacement hack showed large pictures of the Turkish flag and a message saying "HACKED By iSKORPiTX (Turkish Hacker)". The browser is then diverted to another Web site, which displays a large photo of dolphins.

The ISSA board in the US includes representatives from Dell, Forrester Research and Symantec. The ISSA says it is the largest international not-for-profit association specifically for information security professionals.

[1] http://www.issa-uk.org/
[2] http://www.zone-h.org/

From isn at c4i.org Wed Jan 26 02:32:12 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jan 26 02:34:45 2005
Subject: [ISN] DallasCon 2005 Information Security Conference
Message-ID:

Forwarded from: contact@dallascon.com

DallasCon 2005 Information Security Conference
May 2-7, 2005 - Dallas, Texas
http://www.DallasCon.com

Space is Limited - Early Bird Registration Ends February 15, 2005!

Hear cutting-edge presentations from world's leading security experts, compete in the "Capture the Server" contest and be there for the official release of PHLAK 0.3. PHLAK is a modular live security Linux distribution designed for technical professionals.

DallasCon 2005 will begin on May 2 with four Days of intense hands-on security training, followed by a two-day information packed conference, focusing on a practical approach to Network and Wireless Security.

If you are a technical professional who is interested in learning about the latest threats and trends in the field of Information Security needed to protect your company's networks and assets, then you cannot miss DallasCon 2005!

Don't Delay! To take advantage of the incredible pre-registration prices, you must register before February 15, 2005.
For more information, visit http://www.DallasCon.com

From isn at c4i.org Thu Jan 27 02:25:02 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jan 27 02:30:00 2005
Subject: [ISN] Accused hacker's remarks stricken
Message-ID:

http://www.nwanews.com/story.php?paper=adg&section=Business&storyid=106007

By BRIAN BASKIN
January 25, 2005

A Florida man's alleged admission to two business associates that he stole information about millions of people from Acxiom Corp. cannot be admitted in his coming trial, a U.S. District Court judge ruled Monday.

Scott Levine, former chief executive officer of Boca Raton bulk e-mail firm Snipermail.com Inc., will go on trial in March in Little Rock. He was indicted in July and faces 144 counts related to his reported hacking into Acxiom's databases and downloading private information, such as credit card data, about millions of consumers.

A U.S. District Attorney at Levine's indictment by a Little Rock jury in July said the incident "may be the largest intrusion of personal data ever."

Monday's ruling will prevent the jury from hearing two of Levine's former associates, Magdiel Castro and Jeff Richman, recount an August 2003 conversation the three had with Levine's lawyer, David Garvin. Much of the talk during the 45-minute car ride between Garvin's Miami law office and Snipermail offices in Boca Raton is also now off limits.

Judge Bill Wilson Jr. ruled Monday that anything Levine said in Garvin's office, shortly after Levine discovered he was under investigation, was still subject to attorney-client privilege. At the time both men believed Levine's lawyer might represent them in a joint defense, Wilson said.

Castro, Snipermail's president, and Richman, a company vice president, hired other attorneys, and eventually joined the government's case against Levine.

Richman testified Monday that Levine was distraught after learning he was under investigation.
"He put his head in his hands and said, 'I've been downloading all of this information,'" Richman said, before Wilson ordered the comment stricken from the record on the objection of Garvin, who represented Levine on Monday.

For the rest of their testimony, Richman and Castro generally avoided the specifics of the case, though both made it clear on several occasions that Levine admitted guilt.

"It's a game. I'm addicted to it, and I couldn't stop," Levine said in the car, according to Castro.

Wilson said he would allow one of Levine's Aug. 7, 2003, comments into the trial, as well as anything Richman and Levine witnessed after the ride back to Boca Raton. The comment that Wilson allowed was that on the ride home, Levine said, "If there was no data, there was no crime," according to Richman.

Once they reached Snipermail, Richman and Castro said they helped hide computers by placing them in Snipermail's basement. Levine told them the computers contained incriminating evidence, the two men said.

Wilson also struck Richman's testimony that Garvin hinted that Levine should destroy any stolen data.

"I've never had a situation like what Richman pulled today," Garvin said immediately after taking the stand Monday as a witness. "Often a very weak case becomes a very strong case when the client does something illegal when he's under investigation."

Wilson said he believed Garvin's side of the story.

"It would put the defendant's lawyer on trial rather than the defendant," Wilson said.

But he said he was less inclined to delay the start of the trial, after Garvin said he needed at least 30 more days to analyze the data the government found on Snipermail computers.

"Some of the data came corrupted... and my computer expert is ill and in the hospital," Garvin said.

From isn at c4i.org Thu Jan 27 02:25:33 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jan 27 02:30:03 2005
Subject: [ISN] Black Hat new content on-line & Registration now open for Asia and Europe.
Message-ID:

Forwarded from: Jeff Moss

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello ISN readers,

I would like to make some brief announcements about past as well as upcoming Black Hat events.

First, new content is on-line from our Tokyo, Japan conference. Please check out our free media archives of past presentations:

http://www.blackhat.com/html/bh-media-archives/bh-archives-2004.html#Asia-2004

The media for the audio speeches (most in both English and Japanese) as well as the presentations are on-line. We would like to thank the speakers and participants that made it to last year's Black Hat Tokyo, and look forward to seeing you in Tokyo again next year.

Second, registration is now open for both the Europe and Asia Trainings and Briefings! Register now to take advantage of our early bird specials and save.

This year we have an expanded training program that includes new topics and trainers. For example, Joe Grand will present a hands-on hardware hacking course "Under the Hood: Hands-On Hardware Hacking and Defense Techniques". Laurent Oudot will be transferring his extensive honeypot expertise to his students in a new two day Black Hat course entitled "Hackers on Honeypots". Among our returning trainers is Black Hat's reverse engineer Halvar Flake teaching security-specific code-analysis in "Analyzing Software for Security Vulnerabilities". Class size for all courses is limited, so register early to ensure a spot.

Black Hat Trainings and Briefings Europe, Amsterdam: March 29th to April 1st
Black Hat Trainings and Briefings Asia, Singapore: April 5th to the 8th

To register visit http://blackhat.com/html/bh-registration/bh-registration.html

And last, but not least, the CFP for the large Las Vegas conference will go on-line February 1st. It is shaping up to be a fantastic conference with more technical training topics and speakers. We are looking forward to some excellent submissions!

Jeff Moss
Black Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQEVAwUBQfdLGEqsDNqTZ/G1AQLgcwf7B+YVWF4Lmh4lDyW8a0rLE++yHfV/aKtk
ts1gwUpj6LGe7f+331FuzXdPzFC9/ZcdJYE/TlrQ/d+stZE3JWGrTOdayBlHdYgU
dtkXmX8KYognFJINKSg/MZQN45VHsA18OMDZ1LQvIjCU+IcdeT7ofTtGpFxcmSak
kVK8PhVH2meUKF1EOaj/SzEy4pUaY5zgoCuIej63hkoIYvZrFW41GLQnWRqpBJ1+
yTGxVt+ocGRi1iRBZ8oi8wV+rUYKnJQLvUXuApwPK23e0Ym3sYIdQQTpHJbbyLB+
Gl/8IU3TbSTSykZbqNcOvHrlniNaND5hAK3xZNKTEetd5Npy0tMH0g==
=Kzvw
-----END PGP SIGNATURE-----

From isn at c4i.org Thu Jan 27 02:26:03 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jan 27 02:30:04 2005
Subject: [ISN] Security organisation's Web site hacked
Message-ID:

Forwarded from: Harlan Carvey

> "In mid-December we switched to a different server and upgraded the
> software," said Richard Starnes, president of the ISSA UK. "In the
> patching process, some of the patches were missed."

Missed? If security organizations aren't doing it, how can we expect other organizations that handle sensitive personal data to do the same?

=====
------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------

From isn at c4i.org Thu Jan 27 02:26:18 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jan 27 02:30:08 2005
Subject: [ISN] Government releases specs for security checklists
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/34910-1.html

By Dawn S. Onley
GCN Staff
01/26/05

The National Institute of Standards and Technology and the National Security Agency have released a specification to standardize IT security checklists.

NIST and NSA collaborated with representatives from industry to develop the Extensible Configuration Checklist Description Format (XCCDF) [1] as a way to provide a uniform format for security checklists, benchmarks and other configuration guidance.
In their document, NIST and NSA noted that the use of such checklists "can markedly reduce the vulnerability exposure of an organization." By developing a single format for use in government, there is the added benefit that agencies can easily share checklist information, NIST and NSA said.

The Cyber-Security R&D Act of 2002 directed NIST to create and maintain a checklist of settings and option selections that will minimize security risks for hardware and software used within the federal government.

"A uniform and widely used format for security benchmarks, checklists and related documents will help to improve security of government and private IT installations by enabling more timely and effective knowledge sharing and by fostering automated security testing and monitoring," according to an NSA statement.

[1] http://csrc.nist.gov/checklists/docs/xccdf-spec-1.0.pdf

From isn at c4i.org Thu Jan 27 02:27:20 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jan 27 02:30:11 2005
Subject: [ISN] NIST report urges caution with VoIP security
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,99258,00.html

By Matt Hamblen
JANUARY 26, 2005
COMPUTERWORLD

A new report from the National Institute of Standards and Technology urges federal agencies and other organizations to take care in switching to voice-over-IP technology because of security concerns.

The 99-page NIST report, "Security Considerations for Voice over IP Systems," includes nine recommendations for IT managers to help them implement VoIP in a secure manner.

"Lower cost and greater flexibility are among the promises of VoIP for the enterprise, but VoIP should not be installed without careful consideration of the security problems introduced," the report says. "Administrators may mistakenly assume that since digitized voice travels in packets, they can simply plug VoIP components into their already-secure networks and remain secure. However, the process is not that simple," the report says.

The report, authored by NIST computer security experts Richard Kuhn and Thomas Walsh, as well as Steffen Fries of Siemens AG, appeared in draft form last June and was formally released in final form earlier this month. Today, NIST included excerpts from it in an e-mail newsletter.

Among its recommendations, the report calls for building logically separate voice and data networks where practical, instead of building a single converged network. It also calls for using VoIP firewalls and routinely testing them.

Another recommendation says that "if practical," VoIP softphones should not be used where either security or privacy is a priority. A softphone involves using an ordinary PC with a headset and special software instead of a typical telephone unit.

Many analysts and even VoIP hardware vendors have discussed VoIP security for years, but the predominant thinking seems to be that such systems can be installed in a secure way (see story) [1]. Many analysts believe that a bigger concern for enterprises weighing VoIP use is whether enough business-centered applications can be used atop a VoIP system to make it worthwhile, not whether the systems can be made secure.

One analyst, Zeus Kerravala at The Yankee Group in Boston, noted today that the report doesn't seem to have had much impact on companies deploying the technology. Many large enterprises and many federal agencies, some with tens of thousands of users, are already deploying VoIP systems effectively and securely, he said.

"Obviously it's important to think about security with VoIP, but to say some of what they've said, especially about softphones, shows a little bit of backwards thinking," Kerravala said. "I think, somewhat, it's written by Luddites."

Kerravala said that softphones can be made secure, depending on the desktop software being used.
"I think that if you are the head of the CIA, you already probably have a secure desktop environment that will support a softphone," he said.

Vendors are beginning to treat VoIP phones as true computing devices, and Cisco Systems Inc. and other vendors have started installing digital certificates on IP phones, Kerravala said. "The more IP telephony becomes an appliance, you have to think it will be more secure," he said.

Ray Bjorklund, an analyst at Federal Sources Inc. in McLean, Va., said the report might be especially valuable for federal agencies involved in war or national security efforts in which network security is paramount.

"If an operation overseas were suddenly relying on IP to transmit voice through a satellite or through the Public Switched Telephone Network with many places for potential failure, that's a particular problem for the national security community," he said. Even a large corporation such as a bank might not have the level of security need that a wartime agency would want, he said.

Some federal agencies are already deploying VoIP, at least within divisions or branches, he said. Included in that number is the U.S. Marine Corps, which is deploying combat systems that rely on Internet phones. The Defense Information Systems Agency is also developing a strategy for departmentwide VoIP usage, officials said last year.

Bjorklund said the NIST report is noteworthy if only because NIST is a government agency and independent of market influences. "This is worth noting, and not like a white paper from a vendor, which could be just a little biased," he said.

He agreed that VoIP can be made secure for most administrative and business applications, although he questioned whether it can be made secure with today's technology for the most sensitive government needs. "Someday, vendors will get the technology so that government will feel comfortable with it, but that day's not here yet," he said.
One of the authors, Kuhn, said in an interview today that NIST provides advice on all kinds of technologies and nothing in the VoIP report is designed to warn people away from using the technology entirely.

"VoIP is moving ahead very, very fast in the commercial and government sectors," Kuhn said. "We don't want to scare people away from this. But we want to point out that this is complex technology and there are a lot of security considerations that they may not have thought of. It's more than just moving data."

The range of security products for VoIP security is "pretty good" and has advanced appreciably in the last year since the report was started, he said. "You can get the security tools, and it's a question of finding the right vendor for your needs," Kuhn said.

[1] http://www.computerworld.com/networkingtopics/networking/story/0,10801,98961,00.html

From isn at c4i.org Thu Jan 27 02:27:36 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jan 27 02:30:13 2005
Subject: [ISN] The United States' battle to secure cyberspace
Message-ID:

http://news.com.com/The+United+States+battle+to+secure+cyberspace/2008-1082_3-5550064.html

By Robert Lemos
Staff Writer, CNET News.com
January 26, 2005

Robert Liscouski doesn't hesitate to explain why he's leaving the Department of Homeland Security: He pledged two years, and time's up.

Liscouski thus becomes the latest high-ranking cybersecurity official to leave the DHS, where protecting the U.S. information infrastructure made up only part of his duties. But Liscouski, formerly the chief information officer for the Coca-Cola Company, says this is not another sign of the disarray alleged by DHS detractors. What's more, he believes the department has received a bad rap from critics who claim the DHS has done little to protect cyberspace.
CNET News.com spoke with Liscouski about the DHS's commitment to cybersecurity, the criticisms of the agency and why the DHS resembles nothing so much as a high-pressure start-up--albeit without stock options.

Q: There's been criticism from the technology industry that the Bush administration hasn't moved fast enough in implementing the national strategy. How do you respond?

Put the criticism aside and take a look at what we've done. There was no organization responsible for cybersecurity prior to the DHS, and within less than two years we not only created an organization which is specifically responsible for information technology and cybersecurity, but we went from an aggregated budget of about $10 million to $80 million.

We've got the National Cyber Alert System, which was launched this last year, which is delivering information to American secured computer systems, and we've got 270,000 direct subscribers there. We've increased situational awareness in the cybercommunity through the US-CERT Web site. We've established a cybersecurity readiness and response system, which is a 24-7 system, which is effectively responsible for tracking incident and trend data....We disseminate US-CERT data through classified briefings. I can go through the entire list of accomplishments, but I would say we've done a very good job and it's all user-focused.

The industry allied with the government to create the National Cyber Security Partnership and then came up with five different working groups, which issued reports. But we have seen little else from them since. Has private industry participation stalled?

No. Actually, I would argue that the private sector is working well with the department. I've looked at what the task force working groups have done so far. Software assurance and governance working groups in particular have done a tremendous job. We've got more to do, no question about it.
But you know, we've got engagement; we've got good leadership there....It's a classic case of you can't just rush that process quicker by adding more people and more resources. Some things do take time to implement.

People are more worried about the physical threats than cyberthreats. Do you think that's going to change in the future and that cybersecurity will be a bigger part of the equation? Or do you think the mix we have right now is about right?

Well, I think you are making an assumption that your perception is correct. I would challenge you on that. I would suggest that you're seeing the most visual things, such as the police out in force with all sorts of SWAT gear standing in front of buildings. Because of the visual aspect, you see our reaction to a threat--checkpoints and a lot of things that would make a much better media visual then talking about cybersecurity.

I don't necessarily agree that we've only been focusing on the physical side. But I would tell you that the dominant threat that we face today is a physical threat versus a cyberthreat in terms of where al-Qaida is focusing, and al-Qaida is still the predominant threat that we look at. But that's not at the exclusion of the other cyberthreats.

Such as?

There are plenty of examples where cyberattacks have manifested themselves and they have not been a threat. We've taken coordinated action, working with our partners in the federal sector to mitigate the attack, investigate the attack and get awareness about what's going on. It just doesn't create the visual that the physical side does.

So you know, when we talk about one dominating the other, much of that has to do with the fact that we are somewhat driven at a tactical level by the threats that we face, and we're not going to let another 9-11 happen. But we're surely not going to turn a blind eye to cyberspace so we can have a 9-11 version of a cyberwar. We've got a very active and very aggressive approach there.
I think it's just not fair to represent one as dominating the other.

What remains to be done?

I actually employed software (while) working for a Fortune 50 company, and I would tell you that my biggest push was getting the vendors to make sure that they are going to give us solid, workable software that I could rely upon. While the industry is criticizing the government, they are not vocal about their own issues. To suggest that this monkey is only on the government's back takes some pressure off the private sector. But it doesn't do the user community any service because nobody is looking out for them.

I see that as our job. I'm going to continue to push that agenda outside the government as well as inside the government. I think you're going to see more about the user community being the emphasis and more focus on getting educated and becoming more aware.

There has been a lot of turnover within the cybersecurity side of the DHS. Lawrence Hale is leaving. Amit Yoran has left. And it goes back to Richard Clarke, who left a comparable post just before the DHS was formed. Is that indicative of some sort of difficulty on the cybersecurity side?

It's regular government turnover. I would say some of those in the industry who are getting more vocal would argue that the turnover indicates a problem. But many of these people have put their time in. Part of it is, I need more senior positions to which I can promote people to reward their hard work. I cannot compete with the private sector in keeping good people.

Lawrence Hale is a very bright guy, a very talented guy, and he's put in 24 years. Amit told us he would give us a solid year. He's a good guy, and he gave it a shot, and we got a year. In my case, I committed to (being assistant) secretary, when I came on board back in February 2003, for two solid years. You know these jobs are hard.
When you've done a start-up environment--and you know what the hours are and how hard the pace is--(you know) that particularly in a constantly changing environment in which you have to keep your pressure on for execution, you have transitions. I pretty much fulfilled my commitment to the secretary and had always desired to move back to the private sector.

This is basically a start-up organization in which the pressure here is as intense as it is anywhere else in the private sector. Let somebody else have as much fun as I have.

From isn at c4i.org Thu Jan 27 02:27:48 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jan 27 02:30:16 2005
Subject: [ISN] US to tighten nuclear cyber security
Message-ID:

http://www.theregister.co.uk/2005/01/26/nuclear_cyber_security/

By Kevin Poulsen
SecurityFocus
26th January 2005

Federal regulators are proposing to add computer security standards to their criteria for installing new computerized safety systems in nuclear power plants.

The US Nuclear Regulatory Commission (NRC) quietly launched a public comment period late last month on a proposed 15-page update to its regulatory guide "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants." The current version, written in 1996, is three pages long and makes no mention of security. The replacement would expand existing safety and reliability requirements for digital safety systems, and infuse security requirements into every stage of a system's lifecycle, from drawing board to retirement.

Last year the United Nations' International Atomic Energy Agency (IAEA) warned of growing international concern about the potential for cyber attacks against nuclear facilities, and said it was finalizing new security guidelines of its own.

No successful targeted attacks against plants have been publicly reported, but in 2001 the Slammer worm penetrated a private computer network at Ohio's idled Davis-Besse nuclear plant and disabled a safety monitoring system for nearly five hours.
The worm entered the plant network through an interconnected contractor's network, bypassing Davis-Besse's firewall. The NRC draft advises against such interconnections. It also advises plant operators to consider the effect of each new system on the plant's cyber security, and to develop response plans to deal with computer incidents. Vendors are told how to reduce the risk of saboteurs planting backdoors and logic bombs in safety system software during the development phase. "I really liked the notion of making people aware that they need to address security throughout the process of developing new software and systems, and not just as a test at the end," says Chris Wysopal, a Boston-based computer security researcher with the Symantec Corporation. "They talked about that going all the way back to the requirement phase, which I thought was good." But for all its breadth, adherence to the new guidelines would be strictly voluntary for operators of the 103 nuclear reactors already running in the US - a detail that irks some security experts. In filed comments, Joe Weiss, a control systems cyber security consultant at KEMA, Inc., argued the regulatory guide shouldn't be limited to plant safety systems, and that existing plants should be required to comply. "There have been numerous cases of control system cyber security impacts including several in commercial nuclear plants," Weiss wrote. "Many nuclear plants have connected their plant networks to corporate networks making them potentially vulnerable to cyber intrusions." Wysopal, who reviewed the draft at SecurityFocus' request, agrees that it could use more juice. "It's kind of sad," he says. "I see that people have all these great notions of how we can build software and systems more securely, but it's always voluntary." The NRC is accepting public comments on the new guide until 11 February. 
From isn at c4i.org Mon Jan 31 04:06:47 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jan 31 04:10:35 2005
Subject: [ISN] Teen Sentenced for Releasing Blaster Worm Variant
Message-ID:

Forwarded from: William Knowles

http://www.washingtonpost.com/wp-dyn/articles/A44886-2005Jan28.html

By Gene Johnson
Associated Press Writer
January 28, 2005

SEATTLE -- A Minnesota teenager was sentenced Friday to 18 months in prison for unleashing a variant of the Blaster Internet worm in 2003 that he programmed to attack a Microsoft Corp. Web site.

Jeffrey Lee Parson, 19, of Hopkins, Minn., was a high school senior when he downloaded and modified the worm. His variant launched a distributed denial-of-service attack against a Microsoft site as well as personal computers. The government estimated Parson's Blaster version crippled more than 48,000 computers.

Parson initially pleaded innocent, but changed his plea to guilty last summer to one count of intentionally causing or attempting to cause damage to a protected computer.

U.S. District Judge Marsha Pechman said she was sentencing him at the low end of the agreed-upon range because although he was 18 at the time of the attack his maturity level was much younger than that. Parson will serve his time at a low-security prison. He had faced a maximum penalty of 10 years in prison and a $250,000 fine.

"I know I've made a huge mistake and I hurt a lot of people and I feel terrible," Parson told the judge.

He will still have to pay restitution to Microsoft and to people whose computers were affected in an amount to be determined at a hearing set for Feb. 10.

The judge imposed three years of supervised release following his prison term, during which Parson can only use computers for business and education. She also ordered him to complete 100 hours of community service.

Pechman told Parson: "What you've done is a terrible thing. Aside from injuring individuals and their computers you shook the foundation of the system."

Authorities have said Parson admitted that he previously launched attacks against other organizations, including the Motion Picture Association of America and the Recording Industry Association of America.

Collectively, different versions of the virus-like worm, alternately called LovSan or Blaster, snarled corporate computer networks worldwide, affecting millions of machines.

Parson told investigators he built into his version of the Blaster worm a method for reconnecting to victim computers later, according to court papers. Infected computers automatically registered themselves with Parson's Web site so he could keep track of them.

Parson was charged in Seattle because Microsoft is based in suburban Redmond. He had been out of jail on a $25,000 pretrial bond pending sentencing. He was not allowed to leave his home in Minnesota except to go to work, or if supervised and preapproved by the court.

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Mon Jan 31 04:06:59 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jan 31 04:10:39 2005
Subject: [ISN] Juniper bitten by software bug
Message-ID:

http://www.nwfusion.com/edge/news/2005/0127juniper.html

By Jim Duffy
Network World
01/27/05

Cisco is not the only one with vulnerable routing software. Juniper this week is telling all M- and T-Series router customers running releases of JUNOS software developed prior to Jan. 7, 2005, to upgrade the software or suffer a "serious security vulnerability."

"This vulnerability could be exploited either by a directly-attached neighboring device or by a remote attacker that can deliver certain packets to the router," according to a Juniper Technical Bulletin obtained by Network World. "Routers running vulnerable JUNOS software are susceptible regardless of the router's configuration. It is not possible to use firewall filters to protect vulnerable routers."

Juniper has assigned a risk level of "High" to this vulnerability. The bug is a blow to Juniper which prides itself on the stability and reliability of its software, especially when compared to Cisco's IOS.

To fix it, Juniper has modified JUNOS software to address the vulnerability, according to the technical bulletin. All versions of JUNOS software built on or after Jan. 22, 2005, contain the modified code, the bulletin states, while software built between Jan. 7 and Jan. 22 may contain the modified code, depending on the specific JUNOS release.

"All customers are strongly encouraged to upgrade their software to a release that contains the modified code," the bulletin urges.

The bug was brought to the attention of the U.S. Computer Emergency Readiness Team by Qwest. Qwest declined to comment further on the vulnerability, citing a non-disclosure agreement with Juniper.

Juniper customer BellSouth says it was impacted by the bug and applied software patches to fix it. BellSouth says none of its customers were affected by it. Cox Communications, which recently announced a deployment of Juniper M320 edge routers, rewrote some code and said its customers were not affected.

Juniper declined to comment beyond what was stated in the technical bulletin.
From isn at c4i.org Mon Jan 31 04:07:31 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jan 31 04:10:41 2005
Subject: [ISN] Classified Dutch military documents found on Kazaa
Message-ID:

http://www.theregister.co.uk/2005/01/30/dutch_classified_info_found_on_kazaa/

By Jan Libbenga
30th January 2005

At least 75 pages of highly classified information about human traffickers from the Dutch Royal Marechaussee - a service of the Dutch armed forces that is responsible for guarding the Dutch borders - have been leaked to the controversial weblog Geen Stijl (No Style). The documents, which contain phone numbers and tapped conversations, were found unencrypted on Kazaa, the public file sharing service.

The likeliest explanation for their appearance is that a member of the Dutch Royal Marechaussee worked on the documents from home and unintentionally shared his entire hard drive with the rest of the world, through Kazaa.

Initially, Geen Stijl wanted to reveal juicy details from the leaked documents, but backed off in the face of legal threats by the Public Prosecutor. The weblog says it will co-operate fully with investigators.

The disclosure of the classified documents is yet another security lapse for the Dutch public prosecutor's office. In October last year, a leading Dutch prosecutor resigned after throwing out his old PC with the rubbish. The hard disk contained hundreds of pages of confidential information about high profile crime cases, as well as his credit card number, social security number and personal tax files.

From isn at c4i.org Mon Jan 31 04:07:41 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jan 31 04:10:44 2005
Subject: [ISN] ITL Bulletin for January 2005
Message-ID:

Forwarded from: Elizabeth Lennon

INTEGRATING IT SECURITY INTO THE CAPITAL PLANNING AND INVESTMENT CONTROL PROCESS

By Joan S. Hash
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

Introduction

To assist federal agencies with effectively integrating security into the capital planning and investment control (CPIC) process, NIST's Information Technology Laboratory has released Special Publication (SP) 800-65, Integrating IT Security into the Capital Planning and Investment Control Process. It provides tips and pointers in addition to a sample methodology, which can be used to address prioritization of security requirements in support of agency business units. The publication describes risk factors that should be considered in addressing security investments and links the current Office of Management and Budget (OMB) guidance in this area to the current Federal Information Security Management Act (FISMA), including the Plan of Action and Milestones (POA&M) process that all agencies are required to implement. This ITL Bulletin summarizes NIST SP 800-65.

Background

Traditionally, information technology (IT) security and capital planning and investment control (CPIC) processes have been performed independently by security and capital planning practitioners. However, the Federal Information Security Management Act (FISMA) of 2002 and other existing federal regulations charge agencies with integrating the two activities. In addition, with increased competition for limited federal budgets and resources, agencies must ensure that available funding is applied towards the agencies' highest-priority IT security investments. Applying funding towards high-priority security investments supports the objective of maintaining appropriate security controls, both at the enterprise-wide and system level, commensurate with levels of risk and data sensitivity.
This special publication introduces common criteria against which agencies can prioritize security activities to ensure that corrective actions identified in the annual FISMA reporting process are incorporated into the capital planning process to deliver maximum security in a cost-effective manner. The implementation of IT security and capital planning practices within the federal government is driven by a combination of legislation, rules and regulations, and agency-specific policies. FISMA requires agencies to integrate IT security into their capital planning and enterprise architecture processes, conduct annual IT security reviews of all programs and systems, and report the results of those reviews to OMB. Therefore, the implementation of FISMA legislation effectively integrates IT security and capital planning because agencies must document resource and funding plans for IT security. Furthermore, implementation of FISMA legislation ensures that agency resources are protected, ensures that risk is effectively managed, and requires agencies to incorporate IT security into the life cycle of their information systems. OMB's FISMA reporting guidance also suggests that agencies use NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems, to evaluate their security programs. The results of the self-assessment should be documented in the agency's annual FISMA report and logged in the agency's POA&M, along with POA&M inputs from other appropriate sources. The agency must then determine the costs and timeframes associated with mitigating the weaknesses identified in the POA&Ms. These costs are captured in the system or program's annual OMB Exhibit 300 and in the enterprise-wide Exhibit 53, which are the funding vehicles submitted to OMB to secure an operating budget. 
Methodology

To address the capital planning and IT security requirements imposed on federal IT investments, NIST recommends a seven-step framework for integrating IT security into the capital planning process for enterprise-level IT security activities and individual system IT security activities:

* Enterprise-level investments - those security investments that are ubiquitous across the agency and will improve the overall agency's security posture (for example, an enterprise-wide firewall or intrusion detection system [IDS] acquisition or public key infrastructure [PKI]).

* System-level investments - those security investments designed to strengthen a discrete system's security posture (for example, strengthening password controls or testing a contingency plan for a particular system).

The framework assists federal agencies in integrating IT security into the capital planning process by providing a systematic approach to selecting, managing, and evaluating IT security investments. The methodology relies on existing data inputs so it can be readily implemented at federal agencies. Inputs for the methodology include:

* Enterprise-Level Information
  o Stakeholder rankings of enterprise-wide initiatives
  o Enterprise-wide initiative IT security status
  o Cost of implementing remaining appropriate security controls for enterprise-wide initiatives

* System-Level Information
  o System categorization (see NIST Federal Information Processing Standard 199, Standard for Security Categorization of Federal Information and Information Systems)
  o Security compliance
  o Corrective action cost

The seven-step methodology can help agencies identify high-priority corrective actions for immediate funding. The seven steps include:

1. Identify the Baseline: use information security metrics or other available data to baseline the current security posture.

2. Identify Prioritization Requirements: evaluate security posture against legislative and Chief Information Officer (CIO)-articulated requirements and agency mission.

3. Conduct Enterprise-Level Prioritization: prioritize potential enterprise-level IT security investments against mission and financial impact of implementing appropriate security controls.

4. Conduct System-Level Prioritization: prioritize potential system-level corrective actions against system category and corrective action impact.

5. Develop Supporting Materials: for enterprise-level investments, develop concept paper, business case analysis, and Exhibit 300. For system-level investments, adjust Exhibit 300 to request additional funding to mitigate prioritized weaknesses.

6. Implement Investment Review Board (IRB) and Portfolio Management: prioritize agency-wide business cases against requirements and CIO priorities and determine investment portfolio.

7. Submit Exhibit 300s, Exhibit 53, and Conduct Program Management: ensure approved 300s become part of the agency's Exhibit 53; ensure investments are managed through their life cycle (using Earned Value Management for Development/Modernization/Enhancement investments and operational assessments for steady state investments) and through the General Accounting Office (GAO) Information Technology Investment Management (ITIM) maturity framework.

The process presented is intended to serve as a model methodology. Agencies should work within their investment planning environments to adapt and incorporate the pieces of this process into their own unique processes to develop workable approaches for CPIC. If incorporated into an agency's processes, the methodology can help ensure that IT security is appropriately planned for and funded throughout the investment's life cycle, thus strengthening the agency's overall security posture.
This systematic approach can help agencies:

* Identify relevant OMB and other guidance that applies to governing federal government IT security investment decisions;

* Explain how current security requirements relate and support the IT CPIC process;

* Understand the IT investment management process phases (Select, Control, and Evaluate) as they relate to security investments;

* Identify CPIC-related roles and responsibilities required to manage IT security investments;

* Explain the best practices IT security management process and why it is important for making sound IT security investment decisions;

* Understand how to develop security requirements and appropriate supporting documentation for IT acquisition;

* Identify steps and materials required to complete a sound business case in support of investment requests; and

* Understand implementation issues associated with incorporating IT security into the CPIC process.

Federal IT Security and Capital Planning Legislation, Regulations, and Guidance

FISMA provides overarching requirements for securing federal resources and ensuring that security is incorporated into all phases of the investment life cycle. FISMA codifies specific responsibilities of federal agency officials, addresses protection of agency information resources, calls for agency officials to manage risk to an appropriate level, and requires agencies to incorporate security into the life cycle of information systems.

FISMA requires agencies to complete an annual program review that includes conducting self-assessments for all agency systems and conducting a FISMA independent evaluation. Results from these activities are compiled into a comprehensive FISMA report, which is submitted to OMB along with the budget year financial documentation. The corrective actions that agencies identify to mitigate weaknesses found in the FISMA report are documented and tracked in the POA&M.
FISMA reporting includes providing a status of security weaknesses in key areas of a security program. As required by FISMA, OMB provides specific guidance annually. FISMA reporting guidance specifies reporting formats and identifies required actions associated with the quarterly and annual reporting. The POA&M process provides a direct link to the capital planning process. The POA&M information includes the costs of corrective actions that have to be captured in the Exhibit 300 and rolled into the Exhibit 53, which provides an overview of an agency's IT portfolio. The Exhibit 53 includes a rollup of all Exhibit 300s and additional IT expenses from across the agency. All IT investments are identified by mission area and include their budget year and life-cycle cost, as well as the percentage of their costs that are devoted to IT security. All costs are totaled across the agency to provide an overall picture of the agency's IT portfolio. Costs associated with each POA&M item are required to map to annual budget requests in the Exhibit 300s and the Exhibit 53. These costs are captured as a component of the percentage of IT security, or the percentage of the total investment for the budget year associated with IT security in the Exhibit 300, and are then aggregated in the Exhibit 53. Typically, these costs include direct costs of providing IT security for the specific IT investments. 
Examples include the following:

* Risk assessment
  o Security planning and policy
  o Certification and accreditation (C&A)
  o Specific security controls
  o Authentication or cryptographic applications
  o Education, awareness, and training
  o System reviews/evaluations (including system security test and evaluation [ST&E])
  o Oversight or compliance inspections
  o Development or maintenance of agency reports to OMB and corrective action plans as they pertain to the specific investment
  o Contingency planning and testing
  o Physical and environmental controls for hardware and software
  o Auditing and monitoring
  o Computer security investigations and forensics
  o Reviews, inspections, audits, and other evaluations performed on contractor facilities and operations
  o Privacy impact assessments.

* Products, procedures, and personnel that have an incidental or integral component and/or a quantifiable benefit for the specific IT investment. Examples include the following:
  o Configuration or change management control
  o Personnel security
  o Physical security
  o Operations security
  o Privacy training
  o Program/system evaluations whose primary purpose is other than security
  o System administrator functions
  o System upgrades with new features that obviate the need for other stand-alone security controls.

* Allocated security control costs for networks that provide some or all necessary security controls for associated applications. Examples include the following:
  o Firewalls
  o IDSs
  o Forensic capabilities
  o Authentication capabilities (e.g., PKI)
  o Additional 'add-on' security considerations.

Ongoing security costs (operations and maintenance costs) are combined with the specific remediation costs and are submitted to OMB in the Exhibit 300s and Exhibit 53 for the budget year.
Select, Control, Evaluate Process

In concert with the OMB capital planning and NIST security requirements, agencies use GAO's best practices, three-phased investment life-cycle model for federal IT investments, Select, Control, and Evaluate, to ensure that investment management practices, including security, are disciplined and thorough throughout each phase of the investment life cycle.

The Select phase refers to activities associated with assessing and prioritizing current and proposed IT projects based on mission needs and improvement priorities and then creating a portfolio of IT projects to address the needs and priorities. Typical Select phase activities include screening new projects; analyzing and ranking all projects based on benefit, cost, and risk criteria; selecting a portfolio of projects; and establishing project review schedules.

The Control phase refers to activities designated to monitor the investment during its operational phase to determine if the investment is within the cost and schedule milestones established at the beginning of the investment life cycle. Typical processes involved in the Control phase include using a set of performance measures to monitor the developmental progress for each IT project to enable early problem identification and resolution.

The Evaluate phase refers to determining the efficacy of the investment, answering the question, "Did the investment achieve the desired results and performance goals identified during the Select phase?"

IT Management Hierarchy

Integrating IT security into the capital planning process requires input and collaboration across agencies and functions. NIST SP 800-65 suggests a hierarchical approach to capital planning in which investment decisions are made at both the enterprise and operating unit levels. While specific practices for investment management vary greatly at the operating unit level because of varying sizes and missions of the operating units, the process generally mirrors the process at the departmental level.

The CIO formulates and articulates IT security priorities to the organization to be considered within the context of all agency investments. Priorities may be based on agency mission, executive branch guidance such as the President's Management Agenda, OMB guidance, or other external/internal priorities. Examples of security priorities include certifying and accrediting all systems or implementing PKI throughout the enterprise. (It is important to note that OMB/Executive Branch guidance or laws should be ranked highest among these priorities.)

Once operating units finalize their IT portfolios and budget requests for the budget year, they forward their requests to the agency-level decision makers. At the agency level, several committees evaluate IT portfolios from the operating units, culminating in a review by the IRB. The IRB then decides on an agency-level IT portfolio and forwards recommendations to the agency head for review. Once the agency-level IT portfolio is approved by the agency head, the necessary Exhibit 300s and Exhibit 53 are forwarded to OMB to obtain funding.

Conclusion

NIST Special Publication 800-65 describes in detail the underpinning methodology which can be easily applied to address security requirement integration and prioritization into an agency's capital planning and investment planning process using well-understood concepts related to the current FISMA framework and existing NIST standards and guidance. The publication is available at http://csrc.nist.gov/publications/nistpubs/index.html.
Disclaimer

Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.

Elizabeth B. Lennon
Writer/Editor
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 840-1357

From isn at c4i.org Mon Jan 31 04:07:50 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jan 31 04:10:47 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-4
Message-ID:

========================================================================

                  The Secunia Weekly Advisory Summary
                        2005-01-20 - 2005-01-27

                       This week : 100 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

ADVISORIES:

Two vulnerabilities have been reported in Sun Java Plug-in, which can be exploited by malicious people to bypass certain security restrictions or compromise a user's system.

The vendor has issued updated versions.

References:
http://secunia.com/SA13918/

--

Apple has issued a security update for Mac OS X, which fixes various vulnerabilities.

In addition, a vulnerability was reported in iSync mRouter for Mac OS X, which can be exploited by local users to escalate their privileges.

More information can be found in Secunia advisories below.

References:
http://secunia.com/SA13965/
http://secunia.com/SA14005/

VIRUS ALERTS:

During the last week, Secunia issued 1 MEDIUM RISK virus alert. Please refer to the grouped virus profile below for more information:

Bagle.bj - MEDIUM RISK Virus Alert - 2005-01-27 11:16 GMT+1
http://secunia.com/virus_information/14877/bagle.bj/

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA12889] Microsoft Internet Explorer Multiple Vulnerabilities
2.  [SA13482] Internet Explorer DHTML Edit ActiveX Control Cross-Site Scripting
3.  [SA14005] Mac OS X Security Update Fixes Multiple Vulnerabilities
4.  [SA13918] Sun Java Plug-In Two Vulnerabilities
5.  [SA13129] Mozilla / Mozilla Firefox Window Injection Vulnerability
6.  [SA13599] Mozilla / Mozilla Firefox Download Dialog Source Spoofing
7.  [SA13862] Oracle Products 23 Vulnerabilities
8.  [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerability
9.  [SA13861] BlackBerry Enterprise Server Mobile Data Service Denial of Service
[SA13251] Microsoft Internet Explorer Window Injection Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA13986] W32Dasm Import/Export Functions Buffer Overflow
[SA13969] DivX Player ".dps" Skin File Directory Traversal Vulnerability
[SA13966] Golden FTP Server Pro "RNTO" Command Buffer Overflow
[SA13964] Comersus Cart Multiple Vulnerabilities
[SA13985] Spectrum Cash Receipting System Weak Password Encryption

UNIX/Linux:
[SA14043] Gentoo update for graphicsmagick
[SA14028] Red Hat update for xpdf
[SA14021] Fedora update for koffice
[SA14020] Fedora update for kdegraphics
[SA14019] Fedora update for kdelibs
[SA14018] Debian update for xine-lib
[SA14014] Conectiva update for xpdf
[SA14011] Avaya Products Multiple Vulnerabilities
[SA14007] Gentoo update for awstats
[SA14005] Mac OS X Security Update Fixes Multiple Vulnerabilities
[SA14004] Mandrake update for tetex
[SA14003] Mandrake update for kdegraphics
[SA13998] Mandrake update for koffice
[SA13997] Mandrake update for gpdf
[SA13996] Mandrake update for xpdf
[SA13994] SUSE realplayer Multiple Vulnerabilities
[SA13991] Fedora update for tetex
[SA13974] Gentoo update for tetex/cstetex/ptex
[SA13963] SGI Advanced Linux Environment Multiple Updates
[SA13960] GraphicsMagick PSD Image Decoding Buffer Overflow
[SA13958] Gentoo update for koffice/kdegraphics
[SA13957] teTeX Multiple Vulnerabilities
[SA13949] Gentoo update for xpdf/gpdf
[SA13945] Fedora update for xpdf
[SA13941] Debian update for sword
[SA13939] Conectiva update for libtiff3
[SA13934] KOffice "Decrypt::makeFileKey2()" Buffer Overflow
[SA14048] Fedora update for enscript
[SA14038] Openswan XAUTH/PAM Buffer Overflow Vulnerability
[SA14036] Mandrake update for bind
[SA14026] BNC IRC proxy FD_SET Overflow Vulnerability
[SA14023] Conectiva update for squid
[SA14022] Fedora update for ethereal
[SA14009] BIND "q_usedns" Array Buffer Overflow Vulnerability
[SA14008] BIND Validator Denial of Service Vulnerability
[SA14002] Mandrake update for kernel
[SA13990] Gentoo update for evolution
[SA13989] Gentoo update for konversation
[SA13983] Mandrake update for squid
[SA13979] Mandrake update for ethereal
[SA13975] Debian update for enscript
[SA13973] Ubuntu update for enscript
[SA13968] GNU Enscript Multiple Vulnerabilities
[SA13967] Ubuntu update for evolution
[SA13955] Debian update for ethereal
[SA13954] Gentoo update for ethereal
[SA13953] Ubuntu update for squid
[SA13952] UnixWare update for OpenSSL
[SA13951] Debian update for unarj
[SA13946] Ethereal Multiple Unspecified Packet Dissector Vulnerabilities
[SA13943] Debian update for squid
[SA13999] Mandrake update for cups
[SA13956] Gentoo update for cups
[SA13940] Fedora update for cups
[SA14013] SCO OpenServer update for wu-ftpd
[SA13978] Mandrake update for mailman
[SA13950] Gentoo update for mailman
[SA14050] Debian update for libdbi-perl
[SA14044] Gentoo update for perl/dbi
[SA14040] Astaro update for kernel
[SA14015] Perl DBI ProxyServer.pm Insecure Temporary File Creation
[SA14012] SCO OpenServer scosession Privilege Escalation Vulnerability
[SA13995] Debian update for vdr
[SA13992] Sun Solaris DHCP Administration Utilities Vulnerability
[SA13987] Debian update for zhcon
[SA13982] Mandrake update for zhcon
[SA13977] zhcon Arbitrary File Content Disclosure
[SA13972] Red Hat update for kernel
[SA13970] FireHOL Insecure Temporary File Creation Vulnerabilities
[SA13965] Mac OS X iSync mRouter Buffer Overflow Vulnerability
[SA13961] SUSE update for kernel
[SA13959] Gentoo update for mysql
[SA13944] Ubuntu update for php4
[SA13938] Debian xtrlock Security Bypass Vulnerability
[SA13933] Ghostscript Various Scripts Insecure Temporary File Creation
[SA13932] Ubuntu update for apache-utils
[SA13947] SCO OpenServer update for bind
[SA14037] Sun Solaris UDP End Point Handling Denial of Service

Other:
[SA14049] Juniper JUNOS Unspecified Packet Processing Denial of Service
[SA14032] Cisco IOS IPv6 Packet Processing Denial of Service
[SA13942] OfficeConnect Wireless 11g Access Point Information Disclosure
[SA14034] Cisco IOS BGP Protocol Processing Denial of Service
[SA14031] Cisco IOS MPLS Packet Processing Denial of Service
[SA13971] Xerox WorkCentre Pro PostScript Directory Traversal

Cross Platform:
[SA13948] TikiWiki "temp" Arbitrary Script Execution Vulnerability
[SA14027] Citadel/UX FD_SET Overflow Vulnerability
[SA14001] MoinMoin Unspecified Search ACL Security Bypass Vulnerability
[SA13980] IDA Pro Import Library Name Handling Buffer Overflow
[SA13976] BRIBBLE webadmin Authentication Bypass Vulnerability
[SA13962] SquirrelMail Three Vulnerabilities
[SA13935] Help Desk Reloaded Unspecified Login Vulnerability
[SA14000] phpEventCalendar Events Script Insertion Vulnerability
[SA13988] Exponent CMS "module" Parameter Cross-Site Scripting Vulnerability
[SA14010] iChain Mutual Authentication Unauthorised Resource Access
[SA13936] OpenH323 Gatekeeper Multiple Sockets Buffer Overflow

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA13986] W32Dasm Import/Export Functions Buffer Overflow

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-01-25

Luigi Auriemma has reported a vulnerability in W32Dasm, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13986/

--

[SA13969] DivX Player ".dps" Skin File Directory Traversal Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-01-25

Luigi Auriemma has discovered a vulnerability in DivX Player, which can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/13969/

--

[SA13966] Golden FTP Server Pro "RNTO" Command Buffer Overflow

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-01-24

barabas mutsonline has reported a vulnerability in Golden FTP Server Pro, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13966/

--

[SA13964] Comersus Cart Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of data
Released:    2005-01-25

raf somers has reported some vulnerabilities in Comersus Cart, which can be exploited by malicious people to bypass certain security restrictions, and conduct SQL injection and cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/13964/

--

[SA13985] Spectrum Cash Receipting System Weak Password Encryption

Critical:    Not critical
Where:       Local system
Impact:      Brute force, Exposure of sensitive information
Released:    2005-01-26

Paul J Docherty has reported a security issue in Spectrum Cash Receipting System, which potentially can be exploited by malicious, local users to disclose user credentials.

Full Advisory:
http://secunia.com/advisories/13985/

UNIX/Linux:--

[SA14043] Gentoo update for graphicsmagick

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-27

Gentoo has issued an update for graphicsmagick. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14043/

--

[SA14028] Red Hat update for xpdf

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-27

Red Hat has issued an update for xpdf. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14028/

--

[SA14021] Fedora update for koffice

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-26

Fedora has issued an update for koffice. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14021/

--

[SA14020] Fedora update for kdegraphics

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-26

Fedora has issued an update for kdegraphics. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14020/

--

[SA14019] Fedora update for kdelibs

Critical:    Highly critical
Where:       From remote
Impact:      Manipulation of data, System access
Released:    2005-01-26

Fedora has issued an update for kdelibs. This fixes some vulnerabilities, which can be exploited by malicious people to conduct FTP command injection attacks and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14019/

--

[SA14018] Debian update for xine-lib

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-26

Debian has issued an update for xine-lib. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14018/

--

[SA14014] Conectiva update for xpdf

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-26

Conectiva has issued an update for xpdf. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14014/

--

[SA14011] Avaya Products Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Privilege escalation, DoS, System access
Released:    2005-01-26

Avaya has acknowledged multiple vulnerabilities in various products, which potentially can be exploited to cause a DoS (Denial of Service), gain escalated privileges, or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14011/

--

[SA14007] Gentoo update for awstats

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-26

Gentoo has issued an update for awstats. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14007/

--

[SA14005] Mac OS X Security Update Fixes Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Spoofing, Exposure of system information, Exposure of sensitive information, Privilege escalation, System access
Released:    2005-01-26

Apple has issued a security update for Mac OS X, which fixes various vulnerabilities.

Full Advisory:
http://secunia.com/advisories/14005/

--

[SA14004] Mandrake update for tetex

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-26

MandrakeSoft has issued an update for tetex. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14004/

--

[SA14003] Mandrake update for kdegraphics

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-26

MandrakeSoft has issued an update for kdegraphics. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14003/

--

[SA13998] Mandrake update for koffice

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-26

MandrakeSoft has issued an update for koffice. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13998/

--

[SA13997] Mandrake update for gpdf

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-26

MandrakeSoft has issued an update for gpdf. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13997/

--

[SA13996] Mandrake update for xpdf

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-26

MandrakeSoft has issued an update for xpdf. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13996/

--

[SA13994] SUSE realplayer Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-25

SUSE has acknowledged some vulnerabilities in realplayer, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13994/

--

[SA13991] Fedora update for tetex

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-25

Fedora has issued an update for tetex. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13991/

--

[SA13974] Gentoo update for tetex/cstetex/ptex

Critical:    Highly critical
Where:       From remote
Impact:      Privilege escalation, System access
Released:    2005-01-24

Gentoo has issued updates for tetex, cstetex and ptex.
These fix some vulnerabilities, which can be exploited by malicious people to compromise a user's system and by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/13974/

--

[SA13963] SGI Advanced Linux Environment Multiple Updates

Critical:    Highly critical
Where:       From remote
Impact:      Manipulation of data, DoS, System access
Released:    2005-01-24

SGI has issued a patch for SGI Advanced Linux Environment. This fixes multiple vulnerabilities, which can be exploited to cause a DoS (Denial of Service), manipulate certain files, or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13963/

--

[SA13960] GraphicsMagick PSD Image Decoding Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-24

A vulnerability has been reported in GraphicsMagick, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13960/

--

[SA13958] Gentoo update for koffice/kdegraphics

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-24

Gentoo has issued updates for koffice and kdegraphics. These fix a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13958/

--

[SA13957] teTeX Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Privilege escalation, System access
Released:    2005-01-24

Some vulnerabilities have been reported in teTeX, which potentially can be exploited by malicious people to compromise a user's system and by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/13957/

--

[SA13949] Gentoo update for xpdf/gpdf

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-24

Gentoo has issued updates for xpdf and gpdf. These fix a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13949/

--

[SA13945] Fedora update for xpdf

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-20

Fedora has issued an update for xpdf. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13945/

--

[SA13941] Debian update for sword

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-21

Debian has issued an update for sword. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13941/

--

[SA13939] Conectiva update for libtiff3

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-20

Conectiva has issued an update for libtiff3. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13939/

--

[SA13934] KOffice "Decrypt::makeFileKey2()" Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-21

A vulnerability has been reported in KOffice, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13934/

--

[SA14048] Fedora update for enscript

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-01-27

Fedora has issued an update for enscript. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14048/

--

[SA14038] Openswan XAUTH/PAM Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-01-27

A vulnerability has been reported in Openswan, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14038/

--

[SA14036] Mandrake update for bind

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-01-27

MandrakeSoft has issued an update for bind. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14036/

--

[SA14026] BNC IRC proxy FD_SET Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-01-26

3APA3A has reported a vulnerability in BNC IRC proxy, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14026/

--

[SA14023] Conectiva update for squid

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, DoS, System access
Released:    2005-01-27

Conectiva has issued an update for squid. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service), bypass certain security restrictions and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14023/

--

[SA14022] Fedora update for ethereal

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-01-26

Fedora has issued an update for ethereal. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14022/

--

[SA14009] BIND "q_usedns" Array Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-01-26

A vulnerability has been reported in BIND, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14009/

--

[SA14008] BIND Validator Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-01-26

A vulnerability has been reported in BIND, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14008/

--

[SA14002] Mandrake update for kernel

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Exposure of sensitive information, Privilege escalation, DoS
Released:    2005-01-26

MandrakeSoft has issued an update for the kernel. This fixes multiple vulnerabilities, which can be exploited to gain knowledge of sensitive information, cause a DoS (Denial of Service), bypass certain security restrictions, or gain escalated privileges on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14002/

--

[SA13990] Gentoo update for evolution

Critical:    Moderately critical
Where:       From remote
Impact:      System access, Privilege escalation
Released:    2005-01-25

Gentoo has issued an update for evolution. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system or by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/13990/

--

[SA13989] Gentoo update for konversation

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-01-25

Gentoo has issued an update for konversation. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/13989/

--

[SA13983] Mandrake update for squid

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-01-25

MandrakeSoft has issued an update for squid. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13983/

--

[SA13979] Mandrake update for ethereal

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-01-25

MandrakeSoft has issued an update for ethereal. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13979/

--

[SA13975] Debian update for enscript

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-01-25

Debian has issued an update for enscript. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13975/

--

[SA13973] Ubuntu update for enscript

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-01-25

Ubuntu has issued an update for enscript. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13973/

--

[SA13968] GNU Enscript Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-01-25

Erik Sjölund has reported some vulnerabilities in GNU Enscript, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13968/

--

[SA13967] Ubuntu update for evolution

Critical:    Moderately critical
Where:       From remote
Impact:      System access, Privilege escalation
Released:    2005-01-25

Ubuntu has issued an update for evolution. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system, or by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/13967/

--

[SA13955] Debian update for ethereal

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-01-21

Debian has issued an update for ethereal. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13955/

--

[SA13954] Gentoo update for ethereal

Critical:    Moderately critical
Where:       From remote
Impact:      System access, DoS
Released:    2005-01-21

Gentoo has issued an update for ethereal. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13954/

--

[SA13953] Ubuntu update for squid

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-01-21

Ubuntu has issued an update for squid. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13953/

--

[SA13952] UnixWare update for OpenSSL

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-01-21

SCO has issued updates for OpenSSL. These fix three vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/13952/

--

[SA13951] Debian update for unarj

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-01-21

Debian has issued an update for unarj. This fixes two vulnerabilities, which potentially can be exploited by malicious people to overwrite files or compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13951/

--

[SA13946] Ethereal Multiple Unspecified Packet Dissector Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-01-21

Multiple vulnerabilities have been reported in Ethereal, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13946/

--

[SA13943] Debian update for squid

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-01-20

Debian has issued an update for squid. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13943/

--

[SA13999] Mandrake update for cups

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2005-01-26

MandrakeSoft has issued an update for cups. This fixes a vulnerability, which potentially can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13999/

--

[SA13956] Gentoo update for cups

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2005-01-24

Gentoo has issued an update for cups. This fixes a vulnerability, which potentially can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13956/

--

[SA13940] Fedora update for cups

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2005-01-20

Fedora has issued an update for cups. This fixes a vulnerability, which potentially can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13940/

--

[SA14013] SCO OpenServer update for wu-ftpd

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-01-26

SCO has issued an update for wu-ftpd. This fixes a vulnerability, which can be exploited by malicious, authenticated users to circumvent certain restrictions.

Full Advisory:
http://secunia.com/advisories/14013/

--

[SA13978] Mandrake update for mailman

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-01-25

MandrakeSoft has issued an update for mailman. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/13978/

--

[SA13950] Gentoo update for mailman

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-01-24

Gentoo has issued an update for mailman. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/13950/

--

[SA14050] Debian update for libdbi-perl

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-01-27

Debian has issued an update for libdbi-perl. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/14050/

--

[SA14044] Gentoo update for perl/dbi

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-01-27

Gentoo has issued updates for perl and DBI.
These fix some vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/14044/

--

[SA14040] Astaro update for kernel

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-01-27

Astaro has issued an update for the kernel. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/14040/

--

[SA14015] Perl DBI ProxyServer.pm Insecure Temporary File Creation

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-01-27

Javier Fernández-Sanguino Peña has reported a vulnerability in Perl DBI, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/14015/

--

[SA14012] SCO OpenServer scosession Privilege Escalation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-01-26

A vulnerability has been reported in scosession in OpenServer, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/14012/

--

[SA13995] Debian update for vdr

Critical:    Less critical
Where:       Local system
Impact:      Manipulation of data
Released:    2005-01-25

Debian has issued an update for vdr. This fixes a vulnerability, which can be exploited by malicious, local users to manipulate sensitive information.

Full Advisory:
http://secunia.com/advisories/13995/

--

[SA13992] Sun Solaris DHCP Administration Utilities Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-01-25

A vulnerability has been reported in Sun Solaris, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/13992/

--

[SA13987] Debian update for zhcon

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2005-01-25

Debian has issued an update for zhcon. This fixes a vulnerability, which can be exploited by malicious, local users to disclose the contents of arbitrary files.

Full Advisory:
http://secunia.com/advisories/13987/

--

[SA13982] Mandrake update for zhcon

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2005-01-25

MandrakeSoft has issued an update for zhcon. This fixes a vulnerability, which can be exploited by malicious, local users to disclose the contents of arbitrary files.

Full Advisory:
http://secunia.com/advisories/13982/

--

[SA13977] zhcon Arbitrary File Content Disclosure

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2005-01-25

Erik Sjölund has reported a vulnerability in zhcon, which can be exploited by malicious, local users to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/13977/

--

[SA13972] Red Hat update for kernel

Critical:    Less critical
Where:       Local system
Impact:      Unknown, Privilege escalation, DoS
Released:    2005-01-24

Red Hat has issued an update for the kernel. This fixes multiple vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/13972/

--

[SA13970] FireHOL Insecure Temporary File Creation Vulnerabilities

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-01-24

Sam Couter has reported some vulnerabilities in FireHOL, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/13970/

--

[SA13965] Mac OS X iSync mRouter Buffer Overflow Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-01-26

Braden Thomas has reported a vulnerability in iSync, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/13965/

--

[SA13961] SUSE update for kernel

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation, DoS
Released:    2005-01-24

SUSE has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/13961/

--

[SA13959] Gentoo update for mysql

Critical:    Less critical
Where:       Local system
Impact:      Manipulation of data, Exposure of sensitive information, Privilege escalation
Released:    2005-01-24

Gentoo has issued an update for mysql. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/13959/

--

[SA13944] Ubuntu update for php4

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2005-01-21

Ubuntu has issued an update for php4. This fixes a vulnerability, which can be exploited to access files outside the "open_basedir" root and potentially bypass safe_mode restrictions.

Full Advisory:
http://secunia.com/advisories/13944/

--

[SA13938] Debian xtrlock Security Bypass Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2005-01-20

Debian has issued an update for xtrlock. This fixes a vulnerability, which can be exploited by a malicious person with physical access to a system to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/13938/

--

[SA13933] Ghostscript Various Scripts Insecure Temporary File Creation

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-01-21

Javier Fernández-Sanguino Peña has reported some vulnerabilities in Ghostscript, which potentially can be exploited by malicious, local users to conduct certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/13933/

--

[SA13932] Ubuntu update for apache-utils

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-01-20

Ubuntu has issued an update for apache-utils. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/13932/

--

[SA13947] SCO OpenServer update for bind

Critical:    Not critical
Where:       From local network
Impact:      DoS
Released:    2005-01-21

SCO has issued an update for bind in OpenServer. This fixes a vulnerability, which can be exploited by malicious people to poison the DNS cache.

Full Advisory:
http://secunia.com/advisories/13947/

--

[SA14037] Sun Solaris UDP End Point Handling Denial of Service

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2005-01-27

A vulnerability has been reported in Sun Solaris, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14037/

Other:--

[SA14049] Juniper JUNOS Unspecified Packet Processing Denial of Service

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-01-27

A vulnerability has been reported in JUNOS, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14049/ -- [SA14032] Cisco IOS IPv6 Packet Processing Denial of Service Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-01-27 A vulnerability has been reported in Cisco IOS, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14032/ -- [SA13942] OfficeConnect Wireless 11g Access Point Information Disclosure Critical: Moderately critical Where: From local network Impact: Exposure of system information, Exposure of sensitive information Released: 2005-01-20 A vulnerability has been reported in 3Com OfficeConnect Wireless 11g Access Point, which can be exploited by malicious people to gain knowledge of sensitive information. Full Advisory: http://secunia.com/advisories/13942/ -- [SA14034] Cisco IOS BGP Protocol Processing Denial of Service Critical: Less critical Where: From remote Impact: DoS Released: 2005-01-27 A vulnerability has been reported in Cisco IOS, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14034/ -- [SA14031] Cisco IOS MPLS Packet Processing Denial of Service Critical: Less critical Where: From local network Impact: DoS Released: 2005-01-27 A vulnerability has been reported in Cisco IOS, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14031/ -- [SA13971] Xerox WorkCentre Pro PostScript Directory Traversal Critical: Less critical Where: From local network Impact: Exposure of sensitive information Released: 2005-01-24 A vulnerability has been reported in Xerox WorkCentre Pro, which can be exploited by malicious users to gain knowledge of sensitive information. 
Full Advisory:
http://secunia.com/advisories/13971/

Cross Platform:

--
[SA13948] TikiWiki "temp" Arbitrary Script Execution Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-01-21

Some vulnerabilities have been reported in TikiWiki, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/13948/

--
[SA14027] Citadel/UX FD_SET Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-01-26

3APA3A has reported a vulnerability in Citadel/UX, which can be exploited
by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14027/

--
[SA14001] MoinMoin Unspecified Search ACL Security Bypass Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-01-26

A vulnerability has been reported in MoinMoin, which can be exploited by
malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/14001/

--
[SA13980] IDA Pro Import Library Name Handling Buffer Overflow

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-01-25

Lord Yup has reported a vulnerability in IDA Pro, which potentially can
be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/13980/

--
[SA13976] BRIBBLE webadmin Authentication Bypass Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-01-25

A vulnerability has been reported in BRIBBLE, which can be exploited by
malicious people to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/13976/

--
[SA13962] SquirrelMail Three Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of sensitive information
Released:    2005-01-24

Three vulnerabilities have been reported in SquirrelMail, which can be
exploited by malicious people to gain knowledge of sensitive information
or conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/13962/

--
[SA13935] Help Desk Reloaded Unspecified Login Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2005-01-24

A vulnerability with an unknown impact has been reported in Help Desk
Reloaded.

Full Advisory:
http://secunia.com/advisories/13935/

--
[SA14000] phpEventCalendar Events Script Insertion Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-01-26

Madelman has reported a vulnerability in phpEventCalendar, which can be
exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/14000/

--
[SA13988] Exponent CMS "module" Parameter Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information
Released:    2005-01-26

y3dips has reported a vulnerability in Exponent CMS, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/13988/

--
[SA14010] iChain Mutual Authentication Unauthorised Resource Access

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass
Released:    2005-01-27

A security issue has been reported in Novell iChain, which potentially
can be exploited by malicious people to bypass certain security
restrictions.
Full Advisory:
http://secunia.com/advisories/14010/

--
[SA13936] OpenH323 Gatekeeper Multiple Sockets Buffer Overflow

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2005-01-24

A vulnerability has been reported in OpenH323 Gatekeeper, which can be
exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/13936/

========================================================================

Secunia recommends that you verify all advisories you receive, by
clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use
those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45