From isn at c4i.org Fri Jul 1 05:35:55 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 1 05:43:53 2005
Subject: [ISN] Hacker logs onto FWP hunter database, but no information stolen
Message-ID:

Forwarded from: security curmudgeon

: http://www.bozemandailychronicle.com/articles/2005/06/29/news/02fwp.txt
:
: By NICK GEVOCK
: Chronicle Staff Writer
: June 29, 2005
:
: A hacker broke into a Montana Department of Fish, Wildlife and Parks computer database containing personal information about hunters last month, but officials say no data was stolen.
:
: The database includes personal information about hunters, including Social Security numbers, along with data on where they hunted and whether they killed game.
:
: Upon discovering the hacking, FWP immediately contacted Sam Mason, a state data security specialist, who determined the hacker hadn't downloaded any information, Aasheim said.
:
: Based on a review of the database after the incident, it appears that the hacker was looking for storage space for files, Mason said.

Because all of the system logs clearly show this? And the logs were not altered?

: Luckily, Aasheim said, the agency's databases use Oracle software, which compresses inforamtion into a code that is not visible to hackers as readable text.

"Not visible to hackers" is quite amusing, given the nature of hacking and how many hackers are responsible for reversing just about everything, including encryption/obfuscation schemes. And heaven forbid the hacker know Oracle commands, because I think Oracle can read that "inforamtion" (sic).

: In addition, the database takes up 12 gigabytes of disc storage that can't be accessed in pieces.

So the machine has 12 gigs of RAM to load it into memory? Oh wait.. of course it can be accessed in pieces. Maybe he couldn't download the raw database in pieces, but Oracle sure can query it in such a way as to display pieces.

: A transfer of that size would take time, but the hacker was only on the server for a few minutes.

Or the logs were zapped past a certain point.

It's hard to swallow this story, that they detected the intrusion, responded and can *guarantee* that no data was stolen. Any company/agency that runs the swiss cheese we call Oracle should know better.

From isn at c4i.org Fri Jul 1 05:36:11 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 1 05:44:06 2005
Subject: [ISN] Fake Microsoft security alert includes Trojan patch
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,102907,00.html

By Robert McMillan
JUNE 30, 2005
IDG NEWS SERVICE

A new wave of spam that disguises itself as a Microsoft Corp. security bulletin contains a link to malicious software that gives attackers complete access to the infected machine, security researchers are reporting.

The e-mail, which began circulating late Tuesday, identifies itself as Microsoft Security Bulletin MS05-039, and offers a link to what it claims is a patch against the Sober, Zafi and Mytob worms.

In fact, there is no such thing as Microsoft Security Bulletin MS05-039, and real Microsoft security bulletins offer links to a Microsoft download site, rather than to the patches themselves, said Mikko Hypponen, director of antivirus research at F-Secure Corp.

The phony patch is a variant of the SDBot Trojan software, which is at present not detected by antivirus software products, according to a report from security research firm WebSense Inc.

The risk of someone downloading this Trojan appears to be very low right now, because the server hosting the Trojan downloads no longer appears to be active, Hypponen said. That server, which appeared to be hosted by ThePlanet.com Internet Services Inc., apparently has exceeded its allowed bandwidth, he said.

"I think this particular case is not going to be a problem anymore, but nevertheless I think it was a fairly interesting case," Hypponen said. "I wouldn't be surprised to see more of this happening."

The Swen e-mail worm, which began circulating in 2003, used a similar technique, he said.

From isn at c4i.org Fri Jul 1 05:36:27 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 1 05:44:22 2005
Subject: [ISN] Bank workers biggest ID theft threat
Message-ID:

http://deseretnews.com/dn/view/0,1249,600145529,00.html

By Paul Nowell
Associated Press
July 1, 2005

CHARLOTTE, N.C. - When two of the nation's largest banks were forced to notify thousands of customers that their financial records may have been stolen, there wasn't a hacker, a missing laptop or a lost box of backup computer tapes to blame.

This time, police believe, customers of Wachovia Corp. and Bank of America Corp. were the victims of bank employees, workers whose jobs at the Charlotte-based banks granted them access to information valuable enough to sell for $10 an account.

Security experts believe it's that battle against insiders - the theft of Social Security numbers and other sensitive data by those with the authority to access it - that will consume banks and other financial institutions as they fight a recent run of security breaches that doesn't appear to be waning.

"We've got a nasty problem and it keeps getting worse over the past couple of months," said Peter G. Neumann, a security expert with SRI International in Menlo Park, Calif. "Insiders have always been a concern, it's just that (institutions) are finally admitting it."

Security experts like Neumann believe inside jobs have the potential to be far more damaging to consumers than accidental losses of data, or attacks by hackers similar to one disclosed June 17 at Atlanta-based CardSystems Solutions Inc., which exposed 40 million credit and debit card accounts.

And the protections banks use to thwart hackers - firewalls and encryption, for example - have no ability to stop ill-intentioned employees who have authorized access to secure information.
The insider case at Bank of America, Wachovia and two other banks - involving a far smaller number of accounts than the hackers' assault on CardSystems Solutions - could prove to be far worse for consumers, said Avivah Litan, an analyst with Stamford, Conn.-based Gartner Inc., an information technology research firm.

"It may not be bigger, but that stuff is a lot more dangerous," Litan said. "These are people who have access to a lot more personal information, so it's very serious."

Wachovia and Bank of America were forced to alert more than 100,000 customers in May after police in New Jersey charged nine people, including seven bank workers, in a plot to steal financial records of thousands of bank customers.

"About 70 to 80 percent of the risk is from insiders, although not all of them are as malicious as the case in New Jersey," said Steve Roop, vice president of marketing at San Francisco-based Vontu, a firm specializing in data loss prevention. "Sometimes it is well meaning but poorly informed workers."

As might be expected when the subject is security, neither Wachovia nor Bank of America is willing to explain in detail efforts they take to protect sensitive data from employees who want to illegally sell private account information.

"All of our associates must adhere to a code of ethics and to company policy," said Tara Burke, a spokeswoman for Bank of America. "And our bank associates only have access to the information they need to provide service to our customers."

The bank does perform criminal background checks on all new employees, using fingerprinting and other screening methods. Contract labor suppliers must perform criminal checks on temporary employees they supply to the bank, she said.

But the problem with background checks is that they don't work, said Jim Stickley, chief technology officer at TraceSecurity, a Baton Rouge, La.-based security company.

"Sure, (it works) if you are looking at a murderer or someone with a criminal record. But there are a million idiots out there who are lucky so they don't have a record," he said. "No matter what you do, all it takes is one person who is down on his luck or realizes he can make a lot of money doing this. Then you have your biggest nightmare."

In all, Burke said, Bank of America spends about $250 million annually on various security measures and protections, and has hundreds of associates whose sole function is to protect information.

Wachovia spokeswoman Christy Phillips said the bank employs similar protections, including offering programs and training to educate employees how to safeguard information. Background screening is a longtime policy at Wachovia and there are tools and procedures that limit access to information to employees whose jobs require such access.

"We routinely review our processes and make changes as appropriate," she said.

Among the other difficulties the banks face when working with employees, Roop said, is a high level of turnover. "These banks hire hundreds of new people every month," Roop said.

Among the steps banks can take to fight insider ID theft is to individually limit each employee's access to customer information, Litan said. Such a system specifies exactly what customer information each employee can see, touch and update. But that also requires managers to constantly monitor the clearance levels of thousands of individual employees.

Another way to police insider theft is "the intimidation factor," Stickley said. While some workers might complain that their rights are being infringed by aggressive monitoring of their work activities, Stickley said they need to understand "they are dealing with extremely confidential information that can wreck a lot of people's lives."

And at the office, Litan said, bank employees working with sensitive information know that aggressive security comes with the job.

"Their phone conversations are recorded all the time," she said. "They know there are no rights when it comes to private business."

But in the end, even the experts said protecting sensitive information from insiders comes down to basic human honesty.

"If someone wants to do it, they are going to do it," Stickley said.

From isn at c4i.org Fri Jul 1 05:35:28 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 1 05:44:33 2005
Subject: [ISN] Medica ignored warnings, says ex-employee
Message-ID:

http://www.startribune.com/stories/462/5481317.html

Glenn Howatt
Star Tribune
June 29, 2005

The former manager of computer security for Medica Health Plans said the company ignored repeated warnings that its information system was vulnerable to attack and abuse.

Scott Charleson, the health plan's security engineer until early 2004, said Medica didn't act on his recommendation to "lock down" the computer system and protect sensitive information, including personal information about Medica's 1.2 million members.

That and other measures could have prevented two Medica computer administrators from allegedly sabotaging the company's computers and downloading data earlier this year, Charleson said.

"I left the company in January 2004 because it was clear to me that they had no intention of taking action on serious security issues until something blew up," he said.

Officials of the Minnetonka-based health plan denied that they skimped on security during Charleson's tenure. The two accused employees were fired and Medica sued them in April. They have not been charged with a crime.

"We detected something happened, we analyzed it, investigated it ... and took appropriate action," said Chris Grillo, Medica's director of information security.

Still, it took Medica's security investigators at least 45 days to detect problems and another 20 days before the company took direct action to stop the employee alleged to have done the most damage, according to court documents.
During that time, the system was sabotaged four times, limiting legitimate access by employees and vendors. Confidential business documents were copied, including personnel information about the information technology department as well as letters to outside attorneys concerning lawsuits, according to court documents.

Evidence destroyed

The perpetrators knew they were being tracked because they read the e-mails of security investigators. They found and used a secret account and password that the investigators had created to stabilize the system. Instead, the account was used to disable the accounts of 12 employees, the documents said.

And even after Medica had identified the suspects, they erased the hard drives of their company laptops without interference, destroying critical evidence, according to court documents.

Charleson said it shouldn't have taken Medica two months to find and stop insiders from creating computer havoc. He said such companies should have programs in place to "watch the watchers," the systems operators who have the most opportunity to cause damage.

Charleson said he wanted to hire an outside company to test Medica's security. "Not once, from December 2001 to January 2004, was there a security audit by a third-party security company," he said.

Charleson said his proposals were never vetoed outright. But as top managers kept delaying decisions, he grew more concerned.

"I know that I am missing attacks on our network," he wrote in a memo in 2002 to his supervisors. "Maybe they are not successful, maybe they are and we just haven't found it yet. Either way, it's my worst nightmare."

Medica defense

Medica officials disagree with Charleson's assessment of the company's computer security then and now. But they acknowledge that there were disagreements at the time about how to improve security.

"Were there differences of opinion about how to handle that? There probably was," said spokesman Larry Bussey. "But from the highest levels on down, security was an issue that people cared about and committed to."

Grillo said that since he became security officer in March 2004, the system has been tested several times through internal and external audits. Most recently, an outside auditor found Medica to be in compliance with federal standards requiring health plans to protect member privacy.

"I have been with Medica now for a year and a half, and the security mindset is excellent compared to what I've seen in other industries," said Grillo.

In response to this year's security breach, Medica has tightened its hiring practices and has limited broad administrative access to the system.

In the end, Medica did find the alleged perpetrators, and even though it is not completely certain about what information was downloaded, the evidence suggests that it did not include personal information about Medica members.

Detection difficult

Grillo said Medica has and did have all of the safeguards that Charleson proposed.

"The hardest thing to do is detect an authorized person doing unauthorized things," Grillo said.

One of the former employees, he said, was in charge of the company's e-mail system. Periodic audits would have found that sensitive e-mails were being copied, he said, but immediate detection would be possible only if the company scrutinized every keystroke the employee made.

Medica said it has enough evidence to prove that the two former employees were responsible for the security breaches. However, attorneys representing the employees, Austin Vhason and Pushpa Leadholm, have said the shortcomings of Medica's system will be an issue for the defense.

Court papers filed on behalf of Leadholm allege that Medica didn't take appropriate steps to protect its secret and confidential data, leaving the door open to countless electronic intruders and calling into question whether the system has recorded enough electronic fingerprints to point to the real culprits.

Both employees denied any wrongdoing.

In its suit, Medica seeks to recover the downloaded data, inspect the two suspects' home computers and recover the costs of detecting the security breaches.

From isn at c4i.org Fri Jul 1 05:35:37 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 1 05:44:46 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-26
Message-ID:

========================================================================

                  The Secunia Weekly Advisory Summary
                        2005-06-23 - 2005-06-30

                       This week : 51 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information.

Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

A vulnerability has been reported in XML-RPC for PHP, which can be exploited by malicious people to compromise a vulnerable system.
Additional detail can be found in the Secunia advisory below.

Reference:
http://secunia.com/SA15852

--

Security researcher Ron van Daal has found a vulnerability in phpBB, which can be exploited by malicious people to compromise a vulnerable system.

A very similar vulnerability in phpBB was exploited by the "Santy" worm last year. Everyone using phpBB is advised to apply patches as soon as possible.

Reference:
http://secunia.com/SA15845

--

Several vulnerabilities have been reported in RealOne Player, RealPlayer, Helix Player and Rhapsody, which can be exploited by malicious people to overwrite local files or to compromise a user's system.

The vendor has released patches, please review the referenced Secunia advisory for details.

Reference:
http://secunia.com/SA15806

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA15489] Mozilla / Firefox / Camino Dialog Origin Spoofing Vulnerability
2.  [SA15491] Microsoft Internet Explorer Dialog Origin Spoofing Vulnerability
3.  [SA15488] Opera Dialog Origin Spoofing Vulnerability
4.  [SA15474] Safari Dialog Origin Spoofing Vulnerability
5.  [SA15806] RealOne / RealPlayer / Helix Player / Rhapsody Multiple Vulnerabilities
6.  [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
7.  [SA15411] Opera "javascript:" URL Cross-Site Scripting Vulnerability
8.  [SA15845] phpBB "highlight" PHP Code Execution Vulnerability
9.  [SA15492] Internet Explorer for Mac Dialog Origin Spoofing Vulnerability
10. [SA15827] Adobe Reader / Acrobat Two Vulnerabilities

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA15837] ActiveBuyandSell Cross-Site Scripting and SQL Injection
[SA15832] Sukru Alatas Guestbook Exposure of User Credentials
[SA15818] Dynamic Biz Website Builder Admin Login SQL Injection
[SA15803] DUware DUclassmate SQL Injection Vulnerabilities
[SA15802] DUware DUforum SQL Injection Vulnerabilities
[SA15801] DUware DUpaypal Pro SQL Injection Vulnerabilities
[SA15800] DUware DUamazon Pro SQL Injection Vulnerabilities
[SA15847] Hosting Controller "error" Cross-Site Scripting Vulnerability
[SA15838] IA eMailServer LIST Command Denial of Service Vulnerability
[SA15828] Inframail SMTP and FTP Denial of Service Vulnerabilities
[SA15819] NateOn Messenger Directory Listing Disclosure Vulnerability

UNIX/Linux:
[SA15839] SUSE update for realplayer
[SA15825] Fedora update for HelixPlayer
[SA15814] Red Hat update for realplayer/helixplayer
[SA15813] Sun Solaris GNOME libgdk_pixbuf Image Handling Vulnerabilities
[SA15856] Ubuntu update for ruby
[SA15854] Plans "evt_id" SQL Injection Vulnerability
[SA15848] Mandriva update for imagemagick
[SA15827] Adobe Reader / Acrobat Two Vulnerabilities
[SA15858] Gentoo update for heimdal
[SA15849] Mandriva update for spamassassin
[SA15835] Clam AntiVirus clamav-milter Database Update Denial of Service
[SA15824] Fedora update for gedit
[SA15823] Gentoo update for clamav
[SA15820] Trustix update for multiple packages
[SA15817] Red Hat update for spamassassin
[SA15815] Red Hat update for FreeRADIUS
[SA15811] ClamAV Quantum Decompressor Denial of Service Vulnerability
[SA15804] SUSE update for razor-agents
[SA15799] SGI Advanced Linux Environment Multiple Updates
[SA15834] Mandriva update for squid
[SA15809] Sun Solaris Samba Wildcard Filename Matching Denial of Service
[SA15844] Ubuntu update for dbus
[SA15841] Sun Solaris Runtime Linker Privilege Escalation Vulnerability
[SA15836] Fedora update for kernel
[SA15833] Mandriva update for dbus
[SA15807] SUSE update for sudo
[SA15822] Ubuntu update for kernel
[SA15812] Linux Kernel "syscall()" Argument Handling Denial of Service

Other:
[SA15851] Blue Coat Products TCP Timestamp Denial of Service
[SA15826] Nortel Communication Server FTP Service Denial of Service
[SA15853] Dominion SX Insecure File Permission Security Issues

Cross Platform:
[SA15855] PostNuke XML-RPC Library PHP Code Execution Vulnerability
[SA15852] XML-RPC for PHP Unspecified PHP Code Execution Vulnerability
[SA15845] phpBB "highlight" PHP Code Execution Vulnerability
[SA15842] CSV_DB / i_DB Arbitrary Command Execution Vulnerability
[SA15806] RealOne / RealPlayer / Helix Player / Rhapsody Multiple Vulnerabilities
[SA15830] PHP-Fusion Two Vulnerabilities
[SA15829] PHP-Nuke "off-site Avatar" Script Insertion Vulnerability
[SA15805] UBB.threads Multiple Vulnerabilities
[SA15808] IBM DB2 Universal Data Authorisation Checking Bypass

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA15837] ActiveBuyandSell Cross-Site Scripting and SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2005-06-27

Dedi Dwianto has reported some vulnerabilities in ActiveBuyandSell, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15837/

--

[SA15832] Sukru Alatas Guestbook Exposure of User Credentials

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2005-06-28

basher13 has reported a security issue in Sukru Alatas Guestbook, which can be exploited by malicious people to disclose sensitive information.
Full Advisory:
http://secunia.com/advisories/15832/

--

[SA15818] Dynamic Biz Website Builder Admin Login SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-06-28

basher13 has reported a vulnerability in Dynamic Biz Website Builder (QuickWeb), which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15818/

--

[SA15803] DUware DUclassmate SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-06-23

Dedi Dwianto has reported some vulnerabilities in DUclassmate, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15803/

--

[SA15802] DUware DUforum SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-06-23

Dedi Dwianto has reported some vulnerabilities in DUforum, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15802/

--

[SA15801] DUware DUpaypal Pro SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-06-23

Dedi Dwianto has reported some vulnerabilities in DUpaypal Pro, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15801/

--

[SA15800] DUware DUamazon Pro SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-06-23

Dedi Dwianto has reported some vulnerabilities in DUamazon Pro, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15800/

--

[SA15847] Hosting Controller "error" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-06-29

ActionSpider has reported a vulnerability in Hosting Controller, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/15847/

--

[SA15838] IA eMailServer LIST Command Denial of Service Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-06-28

Reed Arvin has reported a vulnerability in IA eMailServer, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15838/

--

[SA15828] Inframail SMTP and FTP Denial of Service Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-06-28

Reed Arvin has reported two vulnerabilities in Inframail Advantage Server Edition, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15828/

--

[SA15819] NateOn Messenger Directory Listing Disclosure Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Exposure of system information
Released:    2005-06-29

Park Gyu Tae has reported a vulnerability in NateOn Messenger, which can be exploited by malicious users to disclose system information.

Full Advisory:
http://secunia.com/advisories/15819/

UNIX/Linux:--

[SA15839] SUSE update for realplayer

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-06-27

SUSE has issued an update for realplayer. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15839/

--

[SA15825] Fedora update for HelixPlayer

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-06-27

Fedora has issued an update for HelixPlayer. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15825/

--

[SA15814] Red Hat update for realplayer/helixplayer

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-06-24

Red Hat has issued updates for RealPlayer and HelixPlayer. These fix a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15814/

--

[SA15813] Sun Solaris GNOME libgdk_pixbuf Image Handling Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-06-24

Sun Microsystems has acknowledged some vulnerabilities in GNOME for Solaris, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15813/

--

[SA15856] Ubuntu update for ruby

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-06-29

Ubuntu has issued an update for ruby. This fixes a vulnerability, which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/15856/

--

[SA15854] Plans "evt_id" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-06-29

A vulnerability has been reported in Plans, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15854/

--

[SA15848] Mandriva update for imagemagick

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-06-29

Mandriva has issued an update for imagemagick. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/15848/

--

[SA15827] Adobe Reader / Acrobat Two Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Privilege escalation, System access
Released:    2005-06-28

Two vulnerabilities have been reported in Adobe Reader and Adobe Acrobat for Mac OS, which may grant elevated permissions on certain folders or can be exploited by malicious people to execute arbitrary local programs on a user's system.

Full Advisory:
http://secunia.com/advisories/15827/

--

[SA15858] Gentoo update for heimdal

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2005-06-29

Gentoo has issued an update for heimdal. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15858/

--

[SA15849] Mandriva update for spamassassin

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-06-29

Mandriva has issued an update for spamassassin. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15849/

--

[SA15835] Clam AntiVirus clamav-milter Database Update Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-06-28

Damian Menscher has reported a vulnerability in clamav-milter, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15835/

--

[SA15824] Fedora update for gedit

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2005-06-27

Fedora has issued an update for gedit. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15824/

--

[SA15823] Gentoo update for clamav

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-06-27

Gentoo has issued an update for clamav. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15823/

--

[SA15820] Trustix update for multiple packages

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Exposure of system information, Privilege escalation, DoS
Released:    2005-06-27

Trustix has issued various updated packages. These fix some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or execute commands with escalated privileges, or by malicious people to cause a DoS (Denial of Service) or gain knowledge of certain system information.

Full Advisory:
http://secunia.com/advisories/15820/

--

[SA15817] Red Hat update for spamassassin

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-06-24

Red Hat has issued an update for spamassassin. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15817/

--

[SA15815] Red Hat update for FreeRADIUS

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data, DoS
Released:    2005-06-24

Red Hat has issued an update for FreeRADIUS. This fixes some vulnerabilities, which potentially can be exploited by malicious users to conduct SQL injection attacks or to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15815/

--

[SA15811] ClamAV Quantum Decompressor Denial of Service Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-06-24

A vulnerability has been reported in ClamAV, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15811/

--

[SA15804] SUSE update for razor-agents

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-06-23

SUSE has issued an update for razor-agents. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15804/

--

[SA15799] SGI Advanced Linux Environment Multiple Updates

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, Exposure of sensitive information, System access
Released:    2005-06-23

SGI has issued a patch for SGI Advanced Linux Environment. This fixes multiple vulnerabilities, which can be exploited by malicious people to disclose sensitive information, conduct directory traversal attacks, extract files to arbitrary directories, or potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15799/

--

[SA15834] Mandriva update for squid

Critical:    Less critical
Where:       From local network
Impact:      Spoofing
Released:    2005-06-27

Mandriva has issued an update for squid. This fixes a vulnerability, which can be exploited by malicious people to spoof DNS lookups.

Full Advisory:
http://secunia.com/advisories/15834/

--

[SA15809] Sun Solaris Samba Wildcard Filename Matching Denial of Service

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2005-06-24

Sun Microsystems has acknowledged a vulnerability in Solaris, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15809/

--

[SA15844] Ubuntu update for dbus

Critical:    Less critical
Where:       Local system
Impact:      Hijacking
Released:    2005-06-28

Ubuntu has issued an update for dbus. This fixes a vulnerability, which can be exploited by malicious, local users to hijack a session bus.

Full Advisory:
http://secunia.com/advisories/15844/

--

[SA15841] Sun Solaris Runtime Linker Privilege Escalation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-06-29

Przemyslaw Frasunek has reported a vulnerability in Solaris, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/15841/

--

[SA15836] Fedora update for kernel

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation, DoS
Released:    2005-06-27

Fedora has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/15836/

--

[SA15833] Mandriva update for dbus

Critical:    Less critical
Where:       Local system
Impact:      Hijacking
Released:    2005-06-27

Mandriva has issued an update for dbus. This fixes a vulnerability, which can be exploited by malicious, local users to hijack a session bus.

Full Advisory:
http://secunia.com/advisories/15833/

--

[SA15807] SUSE update for sudo

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2005-06-24

SUSE has issued an update for sudo. This fixes a vulnerability, which can be exploited by malicious, local users to execute arbitrary commands with escalated privileges.

Full Advisory:
http://secunia.com/advisories/15807/

--

[SA15822] Ubuntu update for kernel

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2005-06-27

Ubuntu has issued an update for the kernel. This fixes two vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/15822/ -- [SA15812] Linux Kernel "syscall()" Argument Handling Denial of Service Critical: Not critical Where: Local system Impact: DoS Released: 2005-06-27 A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/15812/ Other:-- [SA15851] Blue Coat Products TCP Timestamp Denial of Service Critical: Less critical Where: From remote Impact: DoS Released: 2005-06-29 Blue Coat has acknowledged a vulnerability in some products, which can be exploited by malicious people to cause a DoS (Denial of Service) on an active TCP session. Full Advisory: http://secunia.com/advisories/15851/ -- [SA15826] Nortel Communication Server FTP Service Denial of Service Critical: Less critical Where: From local network Impact: DoS Released: 2005-06-29 Nortel Networks has acknowledged an old vulnerability in Communication Server 1000 (CS1000), which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/15826/ -- [SA15853] Dominion SX Insecure File Permission Security Issues Critical: Less critical Where: Local system Impact: Manipulation of data, Exposure of sensitive information Released: 2005-06-29 Dirk Wetter has reported two security issues in Dominion SX, which can be exploited by malicious, local users to disclose sensitive information, cause a DoS (Denial of Service), and potentially gain escalated privileges. Full Advisory: http://secunia.com/advisories/15853/ Cross Platform:-- [SA15855] PostNuke XML-RPC Library PHP Code Execution Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2005-06-29 A vulnerability has been reported in PostNuke, which can be exploited by malicious people to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/15855/ -- [SA15852] XML-RPC for PHP Unspecified PHP Code Execution Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2005-06-29 A vulnerability has been reported in XML-RPC for PHP, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/15852/ -- [SA15845] phpBB "highlight" PHP Code Execution Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2005-06-28 Ron van Daal has reported a vulnerability in phpBB, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/15845/ -- [SA15842] CSV_DB / i_DB Arbitrary Command Execution Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2005-06-28 blahplok has reported a vulnerability in CSV_DB, which can be exploited by malicious people to execute arbitrary commands. Full Advisory: http://secunia.com/advisories/15842/ -- [SA15806] RealOne / RealPlayer / Helix Player / Rhapsody Multiple Vulnerabilities Critical: Highly critical Where: From remote Impact: Manipulation of data, System access Released: 2005-06-24 Several vulnerabilities have been reported in RealOne Player, RealPlayer, Helix Player and Rhapsody, which can be exploited by malicious people to overwrite local files or to compromise a user's system. Full Advisory: http://secunia.com/advisories/15806/ -- [SA15830] PHP-Fusion Two Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Exposure of sensitive information Released: 2005-06-27 Easyex has discovered two vulnerabilities in PHP-Fusion, which can be exploited by malicious people to conduct script insertion attacks or disclose sensitive information. 
Full Advisory: http://secunia.com/advisories/15830/ -- [SA15829] PHP-Nuke "off-site Avatar" Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2005-06-27 FJLJ has reported a vulnerability in PHP-Nuke, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/15829/ -- [SA15805] UBB.threads Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data, Exposure of sensitive information Released: 2005-06-24 James Bercegay has reported some vulnerabilities in UBB.threads, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, and disclose sensitive information. Full Advisory: http://secunia.com/advisories/15805/ -- [SA15808] IBM DB2 Universal Data Authorisation Checking Bypass Critical: Less critical Where: From local network Impact: Security Bypass, Privilege escalation Released: 2005-06-24 A vulnerability has been reported in IBM DB2 Universal Database, which can be exploited by malicious users to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/15808/ ======================================================================== Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Definitions: (Criticality, Where etc.) 
http://secunia.com/about_secunia_advisories/ Subscribe: http://secunia.com/secunia_weekly_summary/ Contact details: Web : http://secunia.com/ E-mail : support@secunia.com Tel : +45 70 20 51 44 Fax : +45 70 20 51 45 From isn at c4i.org Fri Jul 1 05:36:41 2005 From: isn at c4i.org (InfoSec News) Date: Fri Jul 1 05:45:00 2005 Subject: [ISN] The 12-minute Windows heist Message-ID: http://www.zdnet.com.au/news/security/0,2000061744,39200021,00.htm By Renai LeMay ZDNet Australia 01 July 2005 There is a 50 percent chance your unprotected Windows PC will be compromised within 12 minutes of going online, says security vendor Sophos. Highlighting the increasing speed of online attacks in research covering the last six months of virus activity, the vendor said the news was mostly grim. Authors of malware such as spam, viruses, phishing scams and spyware increased both the volume and sophistication of their assaults, releasing almost 8,000 new viruses in the first half of 2005 and increasingly teaming up in joint ventures to make money. The new-virus figure is up 59 percent on the same period last year. "With financial gain rather than notoriety becoming more of a motivation, spammers and virus writers have been drawn together with more traditional criminal elements," said Sophos Australia and New Zealand senior technical consultant Sean Richmond. While the usual virus culprits like Zafi-D, Netsky-P and Sober-N came under the spotlight, Sophos said growth in Trojan attacks -- where malicious software allows a remote attacker to gain backdoor access to a PC -- was perhaps the most significant development in the malware-creation field. "Sophos has seen a three-fold increase in the number of key-logging Trojans so far this year," the company said. "Trojans are delivered to target organisations via e-mail attachments or links to Web sites. They are often used by remote hackers to steal privileged information, and very often to launch further attacks." 
But Sophos made it clear the news wasn't all bad. "Businesses in Australia and New Zealand mostly have it right when it comes to protecting their desktops, servers and gateways," said Richmond. "On the other hand, we've seen significant numbers of unprotected home computers become zombies for spammers." Richmond praised the Australian telecomms regulator for its recent move to press charges against Perth-based alleged spammer Wayne Mansfield. Mansfield is one of Australia's most notorious Internet marketeers and stands accused of sending at least 56 million -- mostly unsolicited -- e-mails in the period after the Spam Act was enacted in April 2004. Events further afield also caught Sophos' attention, as it highlighted several recent prosecutions of virus and privacy-related Internet crime. One dealt with the impending trial of German teenager Sven Jaschan, who has admitted writing the Netsky and Sasser worms, while another involved the arrest of a Cypriot man who was spying on a 17-year-old girl via her own Webcam. "Four United Kingdom phishers were also jailed this week," said the company. From isn at c4i.org Fri Jul 1 05:37:09 2005 From: isn at c4i.org (InfoSec News) Date: Fri Jul 1 05:45:12 2005 Subject: [ISN] Linux Advisory Watch - July 1st 2005 Message-ID: +---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | July 1st, 2005 Volume 6, Number 26a | +---------------------------------------------------------------------+ Editors: Dave Wreski Benjamin D. Thomas dave@linuxsecurity.com ben@linuxsecurity.com Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability. 
This week, advisories were released for crip, Network Manager, HelixPlayer, gedit, gzip, selinux, gnome, openssh, libwpd, openoffice, openssh, binutils, totem, rgmanager, magma-plugins, iddev, fence, dlm, cman, ccs, GFS, mod_perl, Heimdal, and sudo. The distributors include Debian, Fedora, Gentoo, and Red Hat. --- ## Internet Productivity Suite: Open Source Security ## Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design. Click to find out more! http://store.guardiandigital.com/html/eng/products/software/ips_overview.shtml --- Linux File & Directory Permissions Mistakes By: Pax Dickinson Greetings, gentle reader, and welcome to linuxsecurity.com and our new recurring series of articles on security related mistakes and how to avoid them. I'm your host, Pax Dickinson, and today we'll be reviewing basic Linux file and directory permissions and how to avoid some common pitfalls in their use, in this episode of Hacks From Pax. One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com. I've witnessed systems administrators whose response to a user complaining about being denied access to a given file is to chmod 777 the file (or entire directory tree) in question. This is an absolutely disastrous security practice: the administrator has just granted write access to the file to any user on the system. 
Any compromised service will allow an attacker to modify the file, which could result in further access depending on the file in question. For example, an attacker gaining write access to a script that is occasionally run by root can parlay this seemingly minor security hole into full root access for himself. * Never make files world-writable. Most files do not need to be world readable either. * You can search for world-writable files under your current directory by issuing the following command: find . -perm -2 -print A related mistake is in the misuse of suid root binaries. These are programs which can be launched by a user but run with all the privileges of root. These programs are needed to perform tasks such as changing a user's password, since that requires a write to the system's password file which normally cannot be modified by anyone but root. A flaw that allows an attacker to gain a shell prompt in such a program can give an attacker root access to the system. These binaries should be carefully limited and must be kept up to date with appropriate security patches to minimize their risk. A common backdoor installed by successful attackers is a copy of /bin/sh set suid root. This can be run by any user on the system, without a password, and will result in full root access. Read Complete Article: http://www.linuxsecurity.com/content/view/119415/49/ ---------------------- Measuring Security IT Success In a time where budgets are constrained and Internet threats are on the rise, it is important for organizations to invest in network security applications that will not only provide them with powerful functionality but also a rapid return on investment. http://www.linuxsecurity.com/content/view/118817/49/ --- Getting to Know Linux Security: File Permissions Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. 
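The two checks from the Hacks From Pax article above (world-writable files, suid/sgid binaries and the suid-root shell backdoor) as a small audit script. This is an added example, not code from the article or from LinuxSecurity.com. It extends the article's one-liner `find . -perm -2 -print` in two ways: it skips sticky world-writable directories such as /tmp, which are world-writable by design and would otherwise flood the report, and it adds an exit status so the script can alarm from cron. The shell names in the backdoor check and the use of -xdev to stay on one filesystem are assumptions of this example.

```sh
#!/bin/sh
# Added example for the "Hacks From Pax" article; not the article's own code.
# Audits a directory tree for the permission mistakes the article describes.

# World-writable files and directories under $1 (default: current directory),
# skipping sticky world-writable directories such as /tmp. The article's
# `find . -perm -2 -print` reports those too. -xdev keeps the scan on one
# filesystem so /proc and network mounts are not walked.
find_world_writable() {
    find "${1:-.}" -xdev \( -type f -o -type d \) -perm -0002 \
        ! \( -type d -perm -1000 \) -print 2>/dev/null
}

# Setuid or setgid regular files under $1. Every hit should be a known,
# patched binary (passwd, su, sudo ...); anything else needs an explanation.
find_setuid() {
    find "${1:-.}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# The classic backdoor the article describes: a suid-root copy of a shell.
# The list of shell names is an assumption of this example.
find_suid_root_shells() {
    find "${1:-.}" -xdev -type f -perm -4000 -user root \
        \( -name sh -o -name bash -o -name dash -o -name ksh -o -name zsh \) \
        -print 2>/dev/null
}

# Returns 0 only when the tree has no findings, so `audit_tree /srv || ...`
# can page someone from cron.
audit_tree() {
    hits=$( { find_world_writable "${1:-.}"; find_setuid "${1:-.}"; } | wc -l | tr -d ' ')
    [ "$hits" -eq 0 ]
}

# Stand-alone use: sh audit-perms.sh /path/to/tree
if [ -n "$1" ]; then
    echo "== world-writable =="; find_world_writable "$1"
    echo "== setuid/setgid ==";  find_setuid "$1"
    echo "== suid-root shells =="; find_suid_root_shells "$1"
    audit_tree "$1" && echo "clean" || echo "findings above"
fi
```

Run it against / from cron and diff the output against a known-good baseline; a setuid file that was not in yesterday's list, or a world-writable file under a directory a root cron job reads, is exactly the foothold the article warns about.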
It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, therefore very simple. If the feedback is good, I'll consider creating more complex guides for advanced users. Please let us know what you think and how these can be improved. Click to view video demo: http://www.linuxsecurity.com/content/view/118181/49/ --- The Tao of Network Security Monitoring: Beyond Intrusion Detection To be honest, this was one of the best books that I've read on network security. Others books often dive so deeply into technical discussions, they fail to provide any relevance to network engineers/administrators working in a corporate environment. Budgets, deadlines, and flexibility are issues that we must all address. The Tao of Network Security Monitoring is presented in such a way that all of these are still relevant. One of the greatest virtues of this book is that is offers real-life technical examples, while backing them up with relevant case studies. http://www.linuxsecurity.com/content/view/118106/49/ -------- --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------------------+ | Distribution: Debian | ----------------------------// +---------------------------------+ * Debian: New crip packages fix insecure temporary files 30th, June, 2005 Updated package. http://www.linuxsecurity.com/content/view/119456 +---------------------------------+ | Distribution: Fedora | ----------------------------// +---------------------------------+ * Fedora Core 4 Update: NetworkManager-0.4-18.FC4 24th, June, 2005 This update to NetworkManager includes a number of enhancements. http://www.linuxsecurity.com/content/view/119413 * Fedora Core 3 Update: kernel-2.6.11-1.35_FC3 24th, June, 2005 Updated package. 
http://www.linuxsecurity.com/content/view/119414 * Fedora Core 4 Update: HelixPlayer-1.0.5-1.fc4.2 27th, June, 2005 Updated package. http://www.linuxsecurity.com/content/view/119417 * Fedora Core 3 Update: HelixPlayer-1.0.5-0.fc3.2 27th, June, 2005 Updated package. http://www.linuxsecurity.com/content/view/119418 * Fedora Core 3 Update: gedit-2.8.1-2.fc3.1 27th, June, 2005 An updated gedit package that fixes a file name format string vulnerability is now available. http://www.linuxsecurity.com/content/view/119419 * Fedora Core 4 Update: gedit-2.10.2-4 27th, June, 2005 An updated gedit package that fixes a file name format string vulnerability is now available. http://www.linuxsecurity.com/content/view/119420 * Fedora Core 3 Update: gzip-1.3.3-15.fc3 27th, June, 2005 In this gzip update there are fixed three small security problems. http://www.linuxsecurity.com/content/view/119423 * Fedora Core 3 Update: selinux-policy-targeted-1.17.30-3.13 27th, June, 2005 Updated package. http://www.linuxsecurity.com/content/view/119424 * Fedora Core 4 Update: gnome-panel-2.10.1-10.1 28th, June, 2005 Updated package. http://www.linuxsecurity.com/content/view/119429 * Fedora Core 3 Update: openssh-3.9p1-8.0.2 28th, June, 2005 This is a bug fix update fixing two bugs in ssh client and server code. http://www.linuxsecurity.com/content/view/119431 * Fedora Core 4 Update: libwpd-0.8.2-1.fc4 29th, June, 2005 Better handle broken wordperfect documents http://www.linuxsecurity.com/content/view/119437 * Fedora Core 4 Update: openoffice.org-1.9.112-1.1.0.fc4 29th, June, 2005 fix a raft of i18n issues http://www.linuxsecurity.com/content/view/119438 * Fedora Core 3 Update: openssh-3.9p1-8.0.2 (corrected) 29th, June, 2005 This is a bug fix update fixing two bugs in ssh client and server code. http://www.linuxsecurity.com/content/view/119439 * Fedora Core 3 Update: selinux-policy-targeted-1.17.30-3.15 29th, June, 2005 Updated package. 
http://www.linuxsecurity.com/content/view/119440 * Fedora Core 4 Update: selinux-policy-targeted-1.23.18-17 29th, June, 2005 Updated package. http://www.linuxsecurity.com/content/view/119441 * Fedora Core 3 Update: binutils-2.15.92.0.2-5.1 29th, June, 2005 Updated package. http://www.linuxsecurity.com/content/view/119442 * Fedora Core 4 Update: binutils-2.15.94.0.2.2-2.1 29th, June, 2005 Updated package. http://www.linuxsecurity.com/content/view/119443 * Fedora Core 4 Update: totem-1.0.4-1 29th, June, 2005 Updated package. http://www.linuxsecurity.com/content/view/119444 * Fedora Core 4 Update: rgmanager-1.9.34-5 29th, June, 2005 Updated upstream sources. http://www.linuxsecurity.com/content/view/119445 * Fedora Core 4 Update: magma-plugins-1.0.0-2 29th, June, 2005 Updated upstream sources. http://www.linuxsecurity.com/content/view/119446 * Fedora Core 4 Update: iddev-2.0.0-1 29th, June, 2005 Updated upstream sources. http://www.linuxsecurity.com/content/view/119447 * Fedora Core 4 Update: magma-1.0.0-1 29th, June, 2005 Updated upstream sources. http://www.linuxsecurity.com/content/view/119448 * Fedora Core 4 Update: gulm-1.0.0-2 29th, June, 2005 Updated upstream sources. http://www.linuxsecurity.com/content/view/119449 * Fedora Core 4 Update: fence-1.32.1-1 29th, June, 2005 Updated upstream sources. http://www.linuxsecurity.com/content/view/119450 * Fedora Core 4 Update: dlm-1.0.0-3 29th, June, 2005 Updated upstream sources. http://www.linuxsecurity.com/content/view/119451 * Fedora Core 4 Update: cman-1.0.0-1 29th, June, 2005 Updated upstream sources. http://www.linuxsecurity.com/content/view/119452 * Fedora Core 4 Update: ccs-1.0.0-1 29th, June, 2005 Updated upstream sources. http://www.linuxsecurity.com/content/view/119453 * Fedora Core 4 Update: GFS-6.1.0-3 29th, June, 2005 Updated upstream sources. http://www.linuxsecurity.com/content/view/119454 * Fedora Core 4 Update: mod_perl-2.0.1-1.fc4 29th, June, 2005 So FC4 will no longer depend on a pre-release... 
http://www.linuxsecurity.com/content/view/119455 +---------------------------------+ | Distribution: Gentoo | ----------------------------// +---------------------------------+ * Gentoo: Clam AntiVirus Denial of Service vulnerability 27th, June, 2005 Clam AntiVirus is vulnerable to a Denial of Service attack when processing certain Quantum archives. http://www.linuxsecurity.com/content/view/119421 * Gentoo: Heimdal Buffer overflow vulnerabilities 29th, June, 2005 Multiple buffer overflow vulnerabilities in Heimdal's telnetd server could allow the execution of arbitrary code. http://www.linuxsecurity.com/content/view/119434 +---------------------------------+ | Distribution: Red Hat | ----------------------------// +---------------------------------+ * RedHat: Moderate: sudo security update 29th, June, 2005 An updated sudo package is available that fixes a race condition in sudo's pathname validation. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/119436 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ From isn at c4i.org Fri Jul 1 05:40:14 2005 From: isn at c4i.org (InfoSec News) Date: Fri Jul 1 05:45:22 2005 Subject: [ISN] Cybersecurity group looks to Europe for help Message-ID: Forwarded from: matthew patton > "At first, I thought Washington needs a new association like a hole > in the head. there's a rare opinion... > The U.S. government isn't taking cybersecurity seriously enough, he > said, noting that it reduced research and development spending for > the area in its latest budget. Oh I'm sure R&D is useful and all but seriously, who cares about gov't funding? 
The security companies are where the R&D should be happening. Marcus' interview a little while ago said that there is scant little that is new or has been new in security for a couple of decades. I agree with him. What is sorely lacking is clue and caring about security right down to the system admins (users are IMO a hopeless cause). A certain organization I work for has all machines with full Internet IP's. Oh sure there is a border firewall way up the foodchain but given the size of the installation in question it's not exactly a one-way door. I found an IP330 that had been sitting on the shelf for over a year and call me crazy but I don't trust the tens of thousands of computers connected to this network space not to mention the users all across the world who don't have to come thru the choke-points. And the manager looks at me like I'm from Mars ("but we're behind XXX's firewall") when I suggest that not only should we be protecting our servers but also the oftimes highly sensitive material their people have stashed on servers hither and yon. > "As we've seen over the last few months, a lack of attention to > detail can spill into the papers," Kurtz said. But where are the crushing fines for sloppy data-handling? How about a $100/person fine? Mastercard would be out what, 4 Billion? That'll make them sit up and pay attention! Hospitals, banks, pharma companies likewise. Now wouldn't it make a whole lot of sense to do security RIGHT in the first place? Where is the legislation that revokes the notion that the companies own the data? It's MY information and life that hangs in the balance. If you want it, you PAY me to access it and you furthermore are prohibited from selling it unless I say you can. > "We need to raise these issues, but at the same time, we need to > make sure that the government doesn't overreact," Kurtz said. eh? The only thing the gov't does is overreact. 
And generally the results are intended to make the average citizen far worse off than before while rewarding those who line Congresscritter pockets. I seriously doubt the American economy will blow up if the identity industry is wiped off the planet. Banks used to do just fine issuing loans and mortgages to the townfolk and undertaking their own due-diligence to evaluate an applicant's creditworthiness. So what if the ridiculously easy personal credit dries up? Wouldn't our society be a heck of a lot better off if people quit extending themselves far above their means to pay and then defaulting left and right? Weren't more strict rules passed to try to put a finger in the dam of bankruptcy that shouldn't have happened in the first place if the financial industry wasn't playing fast and loose with risk? > "There's a lot of debate about the roles and responsibility of > government and industry in information security. This is one of the > things we are trying to work out," he said. NIST has had some decent guidelines. SANS has a rather short list but a list nonetheless. DoD et al. have various methods to "certify" an information system but most of it's bunk unfortunately and does little to nothing to actually provide for security engineering. Bad designs should not be tolerated, period. If we could make failure to comply and failure to execute leading to compromise = triggering big fines so much the better. There is a cost to doing security right. There is NO cost associated with doing security wrong if at all. And that is the problem. From isn at c4i.org Tue Jul 5 03:19:27 2005 From: isn at c4i.org (InfoSec News) Date: Tue Jul 5 03:38:27 2005 Subject: [ISN] The coming Web security woes Message-ID: http://news.com.com/The+coming+Web+security+woes/2010-1071_3-5772012.html By Declan McCullagh July 4, 2005 Our esteemed leaders in the U.S. Congress are vowing to enact new laws targeting data thieves, backup-tape burglars and other information-age miscreants. 
We should be worried. Any reasonable person, of course, should agree that such thefts must be punished and data warehouses should let us know if our information falls into the hands of criminals. But a bill announced last week by Sens. Arlen Specter, R-Penn., and Patrick Leahy, D-Vt., goes far beyond reasonable data security precautions. It amounts to a crackdown on individuals, bloggers and legitimate e-mail list moderators. Anyone who runs a Web site with registered users and receives income from it (Blogads and Google Ads count) should be concerned. The Specter-Leahy bill says that if that site's list of user IDs or e-mail addresses is compromised, each registered user must be notified via U.S. mail or telephone. Refusal to do so can be punished with $55,000-a-day fines and prison time of up to five years. That's remarkable but not as extreme as the second requirement: The Web master or mailing list operator might have to "cover the cost" of 12 monthly credit reports of each person whose e-mail address was lost or purloined. For a popular site with 10,000 registered users, that would be a princely sum. If monthly credit reports cost $15 a person, that's $1.8 million over a year. Sure, it's annoying if your e-mail address ends up in the hands of a spammer, but there's no connection to identity fraud. Independent Web site owners should not be bankrupted by making them cough up that kind of cash: The penalty is unrelated to any harm. James Maule, who maintains the Maule family genealogy site, worries he might be at risk of hefty fines. Maule, a law professor at Villanova University, says he hasn't found an exception in the bill to let his genealogy database off the hook: "I have more than 10,000 names, of whom many are dead." Other sections of the proposed law, called the Personal Data Privacy and Security Act, are highly rigid. 
For example, anyone running an ad-supported Web site or mailing list with 10,000 or more registered users must "implement a comprehensive personal data privacy and security program," create a "risk assessment" to "identify reasonably foreseeable" vulnerabilities, "assess the likelihood" of security breaches, "assess the sufficiency" of policies to protect against them, publish the "terms of such program," do "regular testing of key controls" to test security, select only superior "service providers" after doing "due diligence," and regularly "monitor, evaluate and adjust" security policies. Law of unintended consequences Specter and Leahy probably intended to target large businesses that employ teams of corporate lawyers and would view this as just more government paperwork. Unfortunately, though, that's not what their proposed law actually says. Tracy Schmaler, a Leahy spokeswoman, said that the bill could be changed before a final vote. "We don't want to place any undue limitations on mailing lists, Web sites, and so on," Schmaler said. "The intent of this is not to make listservs or bloggers pay for credit reports." Perhaps the problems with this bill can be fixed. But I'm starting to think that any similar effort will suffer from similar problems--it'll be overly regulatory and not aimed at actual wrongdoing. Many state proposals fall into that trap. Politicians don't like to admit this because it makes for fewer press conferences, but sometimes new laws aren't the answer. Take Bank of America's embarrassing loss of a backup tape--which happened even though the company was subject to the detailed security regulations of the Gramm-Leach-Bliley Act. An alternative might be to rely on a general-purpose rule that punishes negligence. Courts are already moving in that direction--at least if appellate decisions in New Hampshire and Michigan are any indications. 
That approach would make for fewer Senate press conferences, true, but the end result might make a lot more sense.

-=-

Declan McCullagh is CNET News.com's Washington, D.C., correspondent. He chronicles the busy intersection between technology and politics. Before that, he worked for several years as Washington bureau chief for Wired News. He has also worked as a reporter for The Netly News, Time magazine and HotWired.

From isn at c4i.org Tue Jul 5 03:20:50 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jul 5 03:38:41 2005
Subject: [ISN] Senators propose sweeping data-security bill
Message-ID:

Forwarded from: Mark Bernard

Dear Associates,

We knew something had to happen, and while US and Canadian companies are scrambling to become compliant with new SAS 70 and CICA 70 audit standards by November 16th, yet another new regulation looms with even more changes coming. A couple of things stand out: the mandatory implementation of a "comprehensive personal data privacy and security program", 5 years in prison for attempting to cover up a system intrusion/break-in, and the use of social security numbers by credit bureaus (that's not allowed here in Canada).

Best regards, Mark.

Mark E. S. Bernard, CISM, CISSP, PM, Principal, Risk Management Services
e-mail: Mark.Bernard@TechSecure.ca
Web: http://www.TechSecure.ca
Phone: (506) 325-0444

Leadership Quotes by Kenneth Blanchard: "The key to successful leadership today is influence, not authority."

----- Original Message -----
From: "InfoSec News"
To:
Sent: Thursday, June 30, 2005 4:46 AM
Subject: [ISN] Senators propose sweeping data-security bill

> http://news.com.com/Senators+propose+sweeping+data-security+bill/2100-7348_3-5769156.html
>
> By Declan McCullagh
> Staff Writer, CNET News.com
> June 29, 2005
>
> Corporate data-security practices would be hit with an avalanche of new rules and information burglars would face stiff new penalties under a far-reaching bill introduced Wednesday in the U.S. Senate.
>
> The bill represents the most aggressive--and at 91 pages, the most regulatory--legislative proposal crafted so far in response to a slew of high-profile security breaches in the last few months.
>
> "Reforms like these are long overdue," Sen. Patrick Leahy, a Vermont Democrat, said in a floor speech. "This issue and our legislation deserve to become a key part of this year's domestic agenda so that we can achieve some positive changes in areas that affect the everyday lives of Americans."
>
> One portion of the bill, named the Personal Data Privacy and Security Act, restricts the sale or publication of Social Security numbers. Also, businesses would be prohibited from requiring SSNs except in a narrow set of circumstances such as obtaining credit reports and applying for a job or an apartment.
>
> Leahy, who had hinted at his plans in a speech in March and had his personal information lost by Bank of America, is co-sponsoring the bill with Pennsylvania Sen. Arlen Specter. Because Specter is the Republican chairman of the influential Judiciary committee, the measure could move swiftly through the normally torpid legislative process.
>
> "This is an evolving problem that is gigantic," Specter said at a press conference in the Capitol building. He predicted quick action because "we're not dealing with a highly controversial subject where there will be significant differences of opinion."
>
> While portions of the proposal are sure to be criticized by businesses that would be faced with more paperwork and compliance requirements, Congress nevertheless seems eager to act. In speech after speech, politicians have pledged to enact more laws to respond to the data mishaps--promises that have occasionally raised eyebrows because many of the intrusions were already illegal.
>
> Spurring politicians along has been a series of security snafus involving firms including ChoicePoint--which claims to have fixed its problems--Bank of America, payroll provider PayMaxx, and Reed Elsevier Group's LexisNexis service. Other suggestions have included narrower measures to restrict the sale of SSNs or mandate notices of security breaches.

From isn at c4i.org Tue Jul 5 03:26:06 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jul 5 03:38:57 2005
Subject: [ISN] Hacker logs onto FWP hunter database, but no information stolen
Message-ID:

Forwarded from: Harlan Carvey
Cc: ngevock@dailychronicle.com, isn@c4i.org

Wow, yet another example of how the popular media just gets it so wrong...and I'm not even going to go near the use of the term "hacker" issue...

http://www.bozemandailychronicle.com/articles/2005/06/29/news/02fwp.txt

> :
> : By NICK GEVOCK
> : Chronicle Staff Writer
> : June 29, 2005
> :
> : A hacker broke into a Montana Department of Fish, Wildlife and Parks computer database containing personal information about hunters last month, but officials say no data was stolen.
>
> : The database includes personal information about hunters, including Social Security numbers, along with data on where they hunted and whether they killed game.
> :
> : Upon discovering the hacking, FWP immediately contacted Sam Mason, a state data security specialist, who determined the hacker hadn't downloaded any information, Aasheim said.
>
> : Based on a review of the database after the incident, it appears that the hacker was looking for storage space for files, Mason said.
>
> Because all of the system logs clearly show this? And the logs were not altered?

Were they altered? And were the logs that were examined the _right_ logs? And was the necessary level of auditing enabled to detect this?
If you're not auditing for successful logins to a system (only failures), then you don't have anything in the logs that will tell you if someone actually, successfully logged in.

> : Luckily, Aasheim said, the agency's databases use Oracle software, which compresses inforamtion into a code that is not visible to hackers as readable text.
>
> "Not visible to hackers" is quite amusing, given the nature of hacking and how many hackers are responsible for reversing just about everything, including encryption/obfuscation schemes. And heaven forbid the hacker know Oracle commands, because I think Oracle can read that "inforamtion" (sic).

No kidding! I read that in the article, and immediately thought to myself, wow, someone is really pulling the wool over someone's eyes!

> : In addition, the database takes up 12 gigabytes of disc storage that can't be accessed in pieces.
>
> So the machine has 12 gigs of RAM to load it into memory? Oh wait.. of course it can be accessed in pieces. Maybe he couldn't download the raw database in pieces, but Oracle sure can query it in such a way as to display pieces.

So, are they saying that state employees cannot access a single hunter's record, and that instead they have to access the entire 12 GB? Wow, this really goes to show a couple of things...that there are some IT folks out there who have no idea what's going on, but also that there are some "journalists" that really have no clue. After all, what is the purpose of a database? And even Oracle's databases can be queried to return single records, or "pieces".

> : A transfer of that size would take time, but the hacker was only on the server for a few minutes.
>
> Or the logs were zapped past a certain point. It's hard to swallow this story, that they detected the intrusion, responded and can *guarantee* that no data was stolen. Any company/agency that runs the swiss cheese we call Oracle should know better.
Well, we really need to take these things with a grain of salt, keeping in mind that this stuff is coming to us third- and fourth-hand, through several filtering mechanisms. First, there's the IT folks who aren't versed in the products they use, and certainly aren't versed in simple troubleshooting and IR activities. The second layer filter that adds more noise and removes signal is the author of the article. Instead of asking the "hard" question, one like, "why would someone have to download the entire database?", he simply nods his head, and trots off to fill space on some page in the paper.

Here's another thing I found interesting in the article:

> "Based on a review of the database after the incident, it appears that the hacker was looking for storage space for files, Mason said.
>
> Hackers often use such databases as a temporary location for storing pirated software so it can be downloaded by others without leaving a trail."

Such databases? How about simply "systems"? These "hackers" who are trying to set up warez servers aren't looking for databases, they're looking for fat pipes, lots of disk space. And just the acts of uploading and downloading the files leaves a "trail". Again, the author had a great opportunity to ask some tough questions here, rather than simply accept what was said and type it up.

If I were a hunter in Montana, I'd want to know things like, why is the system w/ my SSN and address accessible by a "hacker"? I'd want to know exactly what happened...how did the "hacker" gain initial access to the system (was it an insecure FTP server running on the database system?), and how can the state of Montana guarantee that the "hacker" didn't run any queries against the database. The author of the article could have asked questions like this...but as with other articles like this, such things are noticeably absent.
God forbid someone ask these questions, and people actually start getting held responsible for their actions...like putting databases with personal information on insecure machines connected to the Internet...

H

------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------

From isn at c4i.org Tue Jul 5 03:26:22 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jul 5 03:39:09 2005
Subject: [ISN] Hackers attack Mashreqbank
Message-ID:

http://www.itp.net/news/details.php?id=16534

By Peter Branton
3 July, 2005

Mashreqbank suspended some of its online banking services last week, citing the threat of hacking attacks. The bank said it had detected evidence it was being targeted by hackers. Customers were sent an urgent e-mail warning to change their passwords from a safe PC and the bank temporarily suspended third-party payments online.

A spokesperson for the bank said that any such attacks had been unsuccessful, with no customer accounts in danger. "Let me stress none of our customers' bank accounts have been compromised for international wire transfers and this is a precautionary measure only," the spokesperson said.

In a statement, Mashreqbank said that its IT security officers had detected a large number of failed attempts at logging in to access accounts for funds transfer from unconventional IP addresses. This activity "normally indicates hackers" the statement said.

"Online banking still remains a very secure channel and the temporary suspension of online third party funds transfers will be reactivated within a day or two," said the bank's spokesperson.

"The e-mail alert is part of our continuous efforts to enhance safety for online banking services, which we normally do on a regular basis, in addition to regular updates on security measures that we post on our web site," the statement said.
Mashreqbank customers last week received an e-mail alert, stating the bank had detected a "heightened level of internet hacking activity" in recent weeks. The alert advised them to change their password from a PC that "you are sure has been verified not to have any viruses or spyware installed." Users may have installed malicious programs which could capture their login ID or password, the alert said. "Temporary restrictions on third party transfers were put in place to ensure that we had time to alert you to specific hacking activity," the e-mail alert added.

According to security experts, financial institutions in the region are coming under increasing attack from hackers and other cyber-criminals, although banks are notoriously reluctant to come forward and discuss such issues. Earlier in the year, security firm Symantec warned that few banks in the region were aware of how vulnerable their systems were (see IT Weekly 26 March - 1 April 2005).

"Banks in the Middle East are not doing enough to protect their systems against security attacks," Kevin Isaac, regional director for Symantec Middle East and Africa, said at the time. He said then that he was aware of a number of banks that had been attacked this year, although he declined to name the banks involved.

Justin Doo, managing director of Trend Micro Middle East and Africa, said that Mashreqbank should be lauded for speaking out about the security concerns and not "brushing them under the carpet" as others had done. "It does make a big difference when someone is prepared to step forward and say something. Far too many firms fail to come forward on this," he said.

"I think that this highlights the fact that as internet usage increases in this region, we will see more focus here from malicious attackers. Internet usage here is growing faster than awareness of the dangers," he claimed.
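The Mashreqbank statement above describes the signal its security staff acted on: many failed logins, spread across accounts, from source addresses outside the ranges customers normally use. The following is an added example of how that detection can be expressed over an authentication log; it is not code from the ITP.net article, from the bank or from any product named on this page. The log format (`<ISO timestamp> user=<id> src=<ip> result=<ok|fail>`), the sample lines, the `KNOWN_NETWORKS` allow-list and the thresholds (`window`, `min_failures`, `min_accounts`) are all assumptions made for the example.

```python
"""Flag bursts of failed logins from addresses outside the usual networks.

Added example (not from the article or Mashreqbank). The log format, the
sample lines, KNOWN_NETWORKS and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log, one login attempt per line (not real data).
# Assumed format: "<ISO timestamp> user=<id> src=<ip> result=<ok|fail>"
SAMPLE_LOG = """\
2005-06-28T09:00:01 user=alice src=10.20.0.5 result=ok
2005-06-28T09:00:03 user=bob src=10.20.0.9 result=fail
2005-06-28T09:00:04 user=bob src=10.20.0.9 result=ok
2005-06-28T09:01:00 user=alice src=203.0.113.7 result=fail
2005-06-28T09:01:02 user=bob src=203.0.113.7 result=fail
2005-06-28T09:01:03 user=carol src=203.0.113.7 result=fail
2005-06-28T09:01:05 user=dave src=203.0.113.7 result=fail
2005-06-28T09:01:06 user=erin src=203.0.113.7 result=fail
2005-06-28T09:01:09 user=frank src=203.0.113.7 result=fail
2005-06-28T09:20:00 user=carol src=10.20.0.33 result=fail
2005-06-28T09:20:30 user=carol src=10.20.0.33 result=fail
2005-06-28T09:20:45 user=carol src=10.20.0.33 result=ok
"""

# Networks customers are normally seen from (assumed allow-list). Anything
# outside these is what the bank's statement calls an "unconventional" address.
KNOWN_NETWORKS = [ip_network("10.20.0.0/16")]


def parse_line(line):
    """Split one log line into (timestamp, user, source address, result)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["user"], ip_address(kv["src"]), kv["result"]


def is_unconventional(src):
    """True if the address (given as a string) is outside every known network."""
    addr = ip_address(src)
    return not any(addr in net for net in KNOWN_NETWORKS)


def detect(log_text, window=timedelta(minutes=5), min_failures=5, min_accounts=3):
    """Return one alert per source address whose densest `window` of failed
    logins holds at least `min_failures` failures spread over at least
    `min_accounts` distinct accounts (a password spray or credential-stuffing
    pattern, as opposed to one user mistyping a password)."""
    failures = defaultdict(list)          # src -> [(timestamp, user), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = parse_line(line)
        if result == "fail":
            failures[src].append((ts, user))

    alerts = []
    for src, events in failures.items():
        events.sort()
        best, start = [], 0
        # Sliding window: keep the densest run of failures that fits in `window`.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = events[start:end + 1]
        accounts = sorted({user for _, user in best})
        if len(best) >= min_failures and len(accounts) >= min_accounts:
            alerts.append({
                "src": str(src),
                "failures": len(best),
                "accounts": accounts,
                "window_start": best[0][0].isoformat(),
                "unconventional": is_unconventional(str(src)),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

With the sample log, only 203.0.113.7 trips the rule: six failures against six different accounts in nine seconds, from outside the known networks. Carol's two failures from 10.20.0.33 followed by a success look like a mistyped password and stay quiet. In practice the static allow-list would be replaced by each customer's own login history, and the thresholds tuned against a few weeks of real traffic before alerting drives a control such as the transfer suspension the bank describes.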
From isn at c4i.org Tue Jul 5 03:26:34 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jul 5 03:39:28 2005
Subject: [ISN] Michigan Aims to Block Spam Sent to Kids
Message-ID:

http://newsobserver.com/24hour/technology/story/2530584p-10910230c.html

By KATHY BARKS HOFFMAN
The Associated Press
July 3, 2005

LANSING, Mich. (AP) - Parents can now sign up for what Michigan officials say is the nation's first registry aimed at keeping spammers from sending children inappropriate e-mail.

The new law bans sending messages to children related to such things as pornography, illegal or prescription drugs, alcohol, tobacco, gambling, firearms or fireworks. Parents and schools will be able to register children's e-mail addresses.

"From my perspective as a parent, I'm horrified by what comes in" to her three children's e-mail accounts, Gov. Jennifer Granholm said during a news conference Thursday. "This will put an end, we hope, to inappropriate e-mail getting to our children."

Signing up for the registry is free, and parents soon will be able to add their children's instant message IDs, mobile phone numbers, fax numbers and pager numbers.

E-mail senders must comply with the new law by Aug. 1. Violators face up to three years in jail or fines up to $30,000 if convicted of breaking the law, and could face civil penalties of up to $5,000 per message sent.

Some Internet safety experts have said anti-spam laws have been difficult to enforce and others worry the lists will give hackers a way to get access to a large database of children.

Public Service Commission Chairman Peter Lark said safeguards, including encryption of e-mail addresses and other information, will keep the Michigan registry secure.

Utah is getting ready to set up a similar registry for children there.
-=-

http://www.michigan.gov/protectmichild

From isn at c4i.org Tue Jul 5 03:26:47 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jul 5 03:39:46 2005
Subject: [ISN] Indian Air Force gets ready for cyber warfare
Message-ID:

http://www.financialexpress.com/fe_full_story.php?content_id=95482

By HUMA SIDDIQUI
July 04, 2005

NEW DELHI: Information warfare is an emerging area. It relates to computer virus attacks, precision attacks on command and control nodes and soft and hard skill capabilities to significantly degrade or paralyse the information structure of the adversary.

"Although there is a chance of hackers doing some damage, they cannot affect equipment because they have stand-alone computerised systems integral to the weapon system and equipment. However, anything on a network or dependent on satellite-based functioning can be affected," say officials in the Indian Air Force (IAF).

Exploitation of technologies by developed countries is bringing about profound changes in the operational concept of warfare. Use of satellites, high altitude aircraft, unmanned aerial vehicles (UAVs), sensors and digital communications in high intensity conflicts have brought in the new paradigm of information warfare. Countries that can leverage cutting-edge technologies in the development of weapon systems will have the strength to leapfrog obstacles they may encounter during war.

Presently, the IAF is in the process of acquiring technology for communications and computer networks. It plans to use a multi-sensor command and control constellation (MC2C) based around the use of radars, unmanned aerial vehicles (UAVs), airborne warning and control systems (AWACS), and aerostats.

"Of all the three forces, the Navy and Air Force take the cake when it comes to IT implementation", say officials in the Army.
Agrees Air Commodore NK Chibber, secretary general, Pacific Telecommunication Council (PTC) India Chapter, "Though we have still not reached the stage of being totally computerised, many of our air systems are fully automated thanks to usage of IT."

To counter such attacks, many Indian agencies are working on IT-based defence systems. The Centre for Development of Advanced Computing's (C-DAC) Networking and Internet Software Group (NISG) at Pune is working on the development of core network security technologies, which include C-DAC's Virtual Private Network (C-VPN), a crypto package (C-Crypto) and prototypes of e-commerce applications. Besides, DRDO has been successful in integrating security mechanisms in the Army Radio Engineering Network (AREN) and Army Static Switch Communication Network (ASCON).

Recently, a study team was formed at Air HQ which analysed various communication needs of Air Force and proposed a solution which is scalable, reliable and secure. The team interacted with user directorates and command HQs to assess their bandwidth requirements. Based on these interactions, the team proposed an architecture for IAF Wide Area Network (WAN) project which is scalable and highly reliable to meet both peace and wartime needs of IAF.

While India's defence forces are increasingly using IT, the pace of IT-enablement definitely needs to be speeded up. And cooperation between the private sector and the defence sector is a must, especially when it comes to India's software sector.

From isn at c4i.org Tue Jul 5 03:27:04 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jul 5 03:40:04 2005
Subject: [ISN] Security UPDATE -- So You Found a Security Problem, Now What? -- June 29, 2005
Message-ID:

Forwarded from: security curmudgeon
Cc: mark@ntsecurity.net

: 1. In Focus: So You Found a Security Problem, Now What?
:
: ==== 1. In Focus: So You Found a Security Problem, Now What?
====
: by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

: When you find a security problem, what do you do? The obvious answer is to contact the company that produced the product. However, alerting a company to your discovery of a problem in one of its products can be a challenge. Lots of companies simply don't prepare for reports of problems in their products and services. Their employees don't know what to do when people try to report problems. Nor do their Web sites or product documentation provide any information about who to contact for security matters.

Worse, several companies go so far as to tell you that unless you have a customer support contract ($$), you cannot open a ticket with them.

: Like many of you, I subscribe to a lot of security mailing lists. I can't even begin to remember the number of times I've read a message to one of those lists from someone asking how to contact a given company. The messages typically say something like, "I found a security problem in Product XYZ. I tried to contact the company via email and received no response. Does anybody have security contact info for the company?"

: The trend seems to be to establish a "security@" or possibly a "secure@" email address that people can use to report potential security problems. Vendors should consider establishing such an address, if they haven't already.

Tens of thousands of sites do not maintain RFC addresses such as postmaster@; hoping that all of these companies will use security@ may be asking a lot. In fact, at least one large company seems to be retiring this type of address.

Microsoft retiring abuse@microsoft.com
http://spamkings.oreilly.com/archives/2005/06/microsoft_retir.html

Until companies standardize and use these addresses, security researchers can also use the Open Source Vulnerability Database vendor dictionary.
This was created to help alleviate this problem and provide a single database with security contact information, knowledge base URLs and more. Anyone is welcome to contribute information to the database, and we especially hope vendors will do so.

http://osvdb.org/vendor_dict.php

From isn at c4i.org Tue Jul 5 03:27:47 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jul 5 03:40:18 2005
Subject: [ISN] Linux Security Week - July 4th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                             Weekly Newsletter    |
|  July 4th, 2005                             Volume 6, Number 28n    |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin D. Thomas       ben@linuxsecurity.com    |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Linux to the rescue: A review of three system rescue CDs," "We Don't Need the GPL Anymore," and "Senators propose sweeping data-security bill."

---

## Internet Productivity Suite: Open Source Security ##

Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design. Click to find out more!

http://store.guardiandigital.com/html/eng/products/software/ips_overview.shtml

---

LINUX ADVISORY WATCH

This week, advisories were released for crip, Network Manager, HelixPlayer, gedit, gzip, selinux, gnome, openssh, libwpd, openoffice, openssh, binutils, totem, rgmanager, magma-plugins, iddev, fence, dlm, cman, css, GFS, mod_perl, Heimdal, and sudo. The distributors include Debian, Fedora, Gentoo, and Red Hat.
http://www.linuxsecurity.com/content/view/119466/150/

---

Review: The Book of Postfix: State-of-the-Art Message Transport

I was very impressed with "The Book of Postfix" by authors Ralf Hildebrandt and Patrick Koetter and feel that it is an incredible Postfix reference. It gives a great overall view of the operation and management of Postfix in an extremely systematic and practical format. It flows in a logical manner, is easy to follow and the authors did a great job of explaining topics with attention paid to real world applications and how to avoid many of the associated pitfalls. I am happy to have this reference in my collection.

http://www.linuxsecurity.com/content/view/119027/49/

---

Introduction: Buffer Overflow Vulnerabilities

Buffer overflows are a leading type of security vulnerability. This paper explains what a buffer overflow is, how it can be exploited, and what countermeasures can be taken to prevent the use of buffer overflow vulnerabilities.

http://www.linuxsecurity.com/content/view/118881/49/

---

Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, therefore very simple.

http://www.linuxsecurity.com/content/view/118181/49/

--------

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* ActiveState Releases ActivePerl, ActivePython & ActiveTcl for Sun's Solaris 10
28th, June, 2005

ActiveState, a leading provider of developer tools and services for dynamic languages, today announced the release of ActiveState's ActivePerl, ActivePython, and ActiveTcl language distributions for Sun's Solaris 10.

http://www.linuxsecurity.com/content/view/119430

* Linux to the rescue: A review of three system rescue CDs
30th, June, 2005

We've all had this nightmare. You turn on your functioning Windows/Linux PC, and all you get is a blank screen, or a message telling you that certain files are missing, or the kernel has panicked for some obscure reason. Nothing works, and you need the data on your machine. Yes, now's the time to whip out that trusty backup disk, and heave a sigh of relief that all the important stuff is backed up, right? Well, think again.

http://www.linuxsecurity.com/content/view/119458

* What is the Best Firewall for Servers?
28th, June, 2005

I maintain a bunch of servers at our labs in the university. Of late, the number of attacks on the computers has been more noticeable. The university provides firewall software (Kerio) but that doesn't work with Win 2003. And so we keep getting hit by zombie machines taken over in the Education Department or from Liberal Arts. So what does the Slashdot crowd use when they need to secure their Linux and Windows servers? Does it cost less than US $100?

http://www.linuxsecurity.com/content/view/119427

* Xen Developers Focus on Security
28th, June, 2005

With the next major release of the Xen Virtual Machine Monitor expected this August, the project's developers have turned their attention to a new issue: security.
Over the last few months, a group of the project's open source developers have begun work on a "security enhanced" version of Xen called XenSE that is similar in concept to the Security Enhanced Linux project backed by the U.S. National Security Agency (NSA).

http://www.linuxsecurity.com/content/view/119426

* Browser Identification For Web Applications
27th, June, 2005

Browser identification is not a new concept. With the focus having shifted to desktops from networks and servers, a topic such as remote browser identification needs to be revisited.

http://www.linuxsecurity.com/content/view/119425

* The Going Gets Hot
28th, June, 2005

As if angry customers, declining consumer confidence, and the threat of fines weren't enough, business executives have something new to mull on the troubling issue of lost or stolen customer data. Two U.S. senators are floating the prospect of jail time for business leaders who knowingly conceal such breaches. If top managers can't secure data in a well-guarded environment, well, perhaps they'll find themselves in one.

http://www.linuxsecurity.com/content/view/119428

* Virtual Private Servers Virtualize the OS
29th, June, 2005

In today's never-ending crusade to reduce IT costs, various techniques are used to squeeze every drop of computing power out of servers. One popular technique is consolidation. Through consolidation, under used servers are subdivided into smaller, more usable pieces. And with these pieces, you generally achieve greater server performance overall. Often, it completely eliminates the need for some of the physical servers.

http://www.linuxsecurity.com/content/view/119432

* Open-source projects get free checkup by automated tools
29th, June, 2005

More open-source software projects are gaining the benefits of the latest code-checking software, as the programs' makers look to prove their worth.
On Tuesday, code-analysis software maker Coverity announced that its automated bug finding tool had analyzed the community-built operating system FreeBSD and flagged 306 potential software flaws, or about one issue for every 4,000 lines of code. The tool, which identifies certain types of programming errors, has previously been used to find flaws in other open-source software, including the Linux kernel and the MySQL database.

http://www.linuxsecurity.com/content/view/119433

* Open source 'not big' in SMEs
30th, June, 2005

Open source software has not made a big impact in small to medium enterprises (SMEs), according to a report by research firm BMI-TechKnowledge, 'SME IT End-User Trends and Market Forecast'. BMI-T analyst Astrid Hamilton says 74% of the 165 respondents indicated they were not currently considering the use of open source software (OSS). Fifteen percent of respondents said they were using OSS, while 11% said they were considering using it.

http://www.linuxsecurity.com/content/view/119457

* Return of the Anti-Zombies
30th, June, 2005

It's a recurring theme on security discussion lists: Someone ought to build a worm that infects insecure systems and remedies the problems on them.

http://www.linuxsecurity.com/content/view/119460

* Final Draft of ISO 27001 Released
1st, July, 2005

Following hot on the heels of the publication of the latest release of ISO 17799, ISO have published the final draft of ISO 27001. This is the eagerly awaited replacement for BS7799-2, the Information Security Management Systems standard. It is anticipated that the final version will be published before the end of the year.

http://www.linuxsecurity.com/content/view/119462

* ESR: "We Don't Need the GPL Anymore"
1st, July, 2005

Recently, during FISL (Fórum Internacional de Software Livre) in Brazil, Eric Raymond gave a keynote speech about the open source model of development in which he said, "We don't need the GPL anymore.
It's based on the belief that open source software is weak and needs to be protected. Open source would be succeeding faster if the GPL didn't make lots of people nervous about adopting it." Federico Biancuzzi decided to interview Eric Raymond to learn more about that.

http://www.linuxsecurity.com/content/view/119467

* White hat heroes
4th, July, 2005

Scanit is holding an ethical hacking course from September 4-8 2005 at Knowledge Village in Dubai in a bid to encourage regional network professionals to use the black arts of hacking to make their companies safer. The course is intended for network and system engineers that want to learn how to assess the security of their IT infrastructure and IT consultants who want to learn to perform in-depth security assessments.

http://www.linuxsecurity.com/content/view/119476

* Rats in the security world
4th, July, 2005

Not too long ago my wife and I decided to try out a Chinese restaurant in our area we had never visited before. I was looking at the menu and my wife gasped, then laughed a bit. I looked up and she pointed out a rat crawling right under the restaurant's buffet table.

http://www.linuxsecurity.com/content/view/119477

* Italian Police 1 / Privacy 0
27th, June, 2005

The cryptographic services offered by the Autistici/Inventati server, housed in the Aruba web farm, have been compromised on 15th June 2004. We discovered the fact on 21st June 2005. One year later. One year ago the authorities (i.e. the postal police), during the investigation that led to the suspension of an email account (croceneraanarchica-at-inventati.org), shut down our server without any notice, and copied the keys necessary for the decryption of the webmail. Since then, they potentially had access to all the data on the disks, including sensitive information about our users. This happened with the collaboration of Aruba, our provider.
http://www.linuxsecurity.com/content/view/119416 * Senators propose sweeping data-security bill 30th, June, 2005 Corporate data-security practices would be hit with an avalanche of new rules and information burglars would face stiff new penalties under a far-reaching bill introduced Wednesday in the U.S. Senate. The bill represents the most aggressive--and at 91 pages, the most regulatory--legislative proposal crafted so far in response to a slew of high-profile security breaches in the last few months. http://www.linuxsecurity.com/content/view/119459 * Hackers unleash industrial spy Trojan 29th, June, 2005 IT security experts have detected a malware-based hack attack that attempts to gain unauthorised access to the networks of specifically targeted domains. http://www.linuxsecurity.com/content/view/119435 * Phishing Up By 226 Percent 1st, July, 2005 Phishing is up dramatically over the last two months according to data released Thursday by computer maker IBM and message filtering firm Postini. http://www.linuxsecurity.com/content/view/119468 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ From isn at c4i.org Wed Jul 6 05:43:12 2005 From: isn at c4i.org (InfoSec News) Date: Wed Jul 6 05:48:51 2005 Subject: [ISN] Police arrest Chinese hacker in Tokyo Message-ID: http://washingtontimes.com/upi/20050706-040227-8401r.htm July 6, 2005 Police have arrested a Chinese university student in Tokyo, accusing him of hacking into companies' computer systems to obtain information on their customers. Yu Hua, 27, a student at a private university and resident of Tokyo, is accused of violating the anti-hacking law, the Mainichi Shimbun reported Wednesday. 
He had placed an advertisement on an Internet bulletin board offering the customer information for sale. Yu admitted to the allegations during questioning, telling investigators he needed money for his tuition fees.

In the specific case for which he was arrested, police said Yu used his home computer to hack into the computer system of the Club Tourism travel agent between March 15 and 17, obtaining about 160,000 pieces of personal information on its customers, including their passwords and names.

Investigators are questioning him over allegations that he also hacked into the computer systems of 13 other companies and obtained approximately 360,000 pieces of personal information on their customers.

The police suspect that Yu used Chinese software that allows users to look for security loopholes in computer systems.

From isn at c4i.org Wed Jul 6 05:42:47 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jul 6 05:49:09 2005
Subject: [ISN] German teenager admits in court to creating Sasser worm
Message-ID:

http://www.networkworld.com/news/2005/070505-sasser.html

By John Blau
IDG News Service
07/05/05

German teenager Sven Jaschan confessed at his trial Tuesday to creating last year's Sasser computer worm that crashed hundreds of thousands of computers worldwide after spreading at lightning speed over the Internet.

Jaschan's admission is a reiteration of the confession he made last year when he was arrested. He is on trial in the city of Verden, Germany, where he faces charges of computer sabotage, data manipulation and disruption of public systems.

The 19-year-old teenager admitted to the alleged offenses "in every detail," Verden District Court spokeswoman Katharina Krützfeldt said in a telephone interview.

The charges carry a maximum sentence of five years in prison but Krützfeldt said that Jaschan, who was 17 and a minor at the time of his arrest, will face a lesser penalty. The penalty could be a warning or some form of public service work, but also confinement in a juvenile detention center.

Jaschan could also face civil lawsuits brought against him by companies whose IT systems were infected by the computer worm, according to Krützfeldt. "This is a possibility that could happen after his trial in Verden," she said.

The indictment lists 142 companies, according to Krützfeldt. It includes several big companies that reported attacks, including the German postal company Deutsche Post and Delta Airlines.

Although security experts estimate the damages caused by the worm to be in the millions of dollars, Krützfeldt said the indictment lists an amount of around €130,000 ($155,000).

At the time of his arrest in May 2004, Jaschan had confessed to creating the computer worm and several variants of the Netsky virus. He was arrested at the family's home in Waffensen, Germany, after Microsoft received a tip from an informant seeking a reward from the software company.

Sasser, a self-executing piece of software code, exploited a hole in a component of Windows called the Local Security Authority Subsystem Service, or LSASS. The worm scanned the Internet searching for vulnerable computers. On April 13, Microsoft had released a software patch, MS04-011, which plugs the LSASS hole, but many companies and individuals had not installed it in time to prevent the Sasser worm from affecting their systems.

From isn at c4i.org Wed Jul 6 05:43:00 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jul 6 05:49:26 2005
Subject: [ISN] Decoys Suggested for Pentagon Network
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2005/07/03/AR2005070300888.html

By Dawn S. Onley
Special to The Washington Post
July 4, 2005

Two of the Pentagon's leading technologists propose defending the military's Global Information Grid by using decoy networks and "honey pots" to fool hackers.
The goal is to lure intruders into these areas and away from operational networks.

"No other enterprise in the world has responsibility for a communications network quite like the GIG," Army Col. Carl W. Hunt, technology director for the Joint Task Force for Global Network Operations, said at the Army Small Computer Program conference in Las Vegas last month.

The Defense Department is developing the Global Information Grid as the next-generation information technology architecture to be used by the military and intelligence agencies.

Hunt and Doug Gardner, director of the applied technology unit of the joint task force, wrote a recent paper outlining ways to keep malicious intruders from penetrating the GIG. The paper was presented at the Institute of Electrical and Electronics Engineers Workshop on Information Assurance last month at the U.S. Military Academy in West Point, N.Y.

The diversion strategy, called Net Force Maneuver, would lead hackers "to systems where we are prepared to receive them," Hunt and Gardner wrote. It's a technique that technology experts outside the Pentagon have called a honey pot.

"These systems will collect information on methodologies, techniques and tools while providing a realistic 'playground' for the intruder," Hunt and Gardner wrote. "This playground will be devoid of real system information but will keep the intruder occupied. The goal here then is to ensure the intruder does not know which systems are real and which ones aren't."

Ross Stapleton-Gray, senior research analyst at Skaion Corp., a computer security company in North Chelmsford, Mass., said the idea has merit, but it wouldn't necessarily be easy for the Defense Department to achieve.

Phantom Defense Department networks "would be an interesting challenge: They'd need to behave sufficiently realistically as to convince prospective attackers that they were authentic, yet not reveal too much about the real networks," he said.

Stapleton-Gray said he could imagine the Defense Department running a continuous simulation of parts of networks "in parallel with the real ones. When outsiders show up and start probing around the fake networks, you can track all their activities, even feed them information on fictional vulnerabilities, and see what they do."

Hunt and Gardner warned Defense officials that Net Force Maneuver is no silver bullet. They said it would need to be combined with other protective measures that are now being developed.

-=-

Dawn S. Onley is a senior writer for Government Computer News. For more on this and other topics concerning technology in government, go to http://www.gcn.com.

From isn at c4i.org Wed Jul 6 05:43:25 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jul 6 05:49:49 2005
Subject: [ISN] Jackson hackers tell how they got access
Message-ID:

http://www.cantonrep.com/index.php?Category=9&ID=231245

By Melissa Griffy
Repository staff writer
July 6, 2005

JACKSON TWP. - Always log out. That's one of the first things you learn when you use a computer.

But one day last spring, Jackson High student David Paola stumbled across an exception to the "always log out" rule - a teacher failed to exit the school's grading system.

"Pinnacle (the grading program) was open and completely accessible to anybody who would have moved the mouse as we had," wrote Paola in his narrative statement released by Jackson police as part of the department's investigation.

Paola and his friend and classmate Adam Gross were enrolled in an evening course at Jackson High in preparation for college entrance exams when they made the discovery.

When their senior year began in August, Paola said he found that teachers' user names, and sometimes their passwords, were located on students' schedules. Paola began accessing the Pinnacle program two times a week, "sometimes less, rarely more frequently," he wrote.
As honor students who were respected by their peers and teachers, neither Paola nor Gross aroused suspicion.

Gross said they watched a teacher type in his user name and password, and figured it out by trial and error.

The duo saved the information on a computer drive about the size of a car key. That way they could access the information anywhere. But Paola said he only changed grades while in Jackson High's library in the mornings, and sometimes during study halls.

There, he was able to access local administrator accounts and even the school's e-mail server. The students said they found staff information, including Social Security numbers, was accessible along with security cameras and the school's sprinkler system.

Paola admitted to changing grades for himself and three other students, including Nathan Johnson. Johnson told police Paola asked him to insert a disk into one of his teacher's computers. Johnson said he was aware that the software would extract the codes necessary for Paola to change his grades in that particular class.

When a fellow student turned the seniors in, their scheme came to a halt - so did their hopes for honors diplomas. The students were barred from the Jackson Local graduation ceremony in May. They were found guilty of unauthorized use of property, a first-degree misdemeanor.

Paola, Gross and Johnson will serve their house arrest and community service, but school officials said the district will live with the ramifications for quite some time.

From isn at c4i.org Wed Jul 6 05:45:03 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jul 6 05:50:02 2005
Subject: [ISN] Debian struggling with security
Message-ID:

http://news.zdnet.co.uk/software/linuxunix/0,39020390,39207235,00.htm

Renai LeMay
ZDNet Australia
July 05, 2005

Debian is facing difficulties getting timely security updates to users of its Linux distribution due to lack of manpower and software problems.

The issues recently surfaced when Debian released the latest version of its Linux distribution early in June, according to Martin Schulze, a member of the organisation's security team.

That release, Schulze wrote on his blog, caused configuration problems on the server which was responsible for distributing security updates -- and it hasn't been functioning properly since.

"Several security updates aren't built on all architectures as they should be," the developer wrote only yesterday. "Currently, it's totally unreliable."

Lack of manpower also appears to be adding to Debian's security woes. Michael Stone, another member of Debian's security team, expressed his frustration to the organisation's security e-mail mailing list in mid-June, saying there was no effective tracking of security problems.

The problems have seen Debian fall behind competitors like Red Hat in releasing updates to widely-used programs. For example, although spam-filtering package SpamAssassin was updated by its creator to fix a remote denial-of-service vulnerability on 6 June, Debian provided the update on 1 July, while Novell's SuSE got the fix a week earlier on 23 June, Gentoo Linux on the 21st and Red Hat's Fedora still earlier on the 16th.

A similar situation occurred when the 'sudo' package needed an update in mid-June. In addition a number of security-related bugs are listed on Schulze's Web site as being unfixed, although the site also notes the data may be inaccurate as it is automatically generated.

Although Debian's infrastructure problems have not been as prominently discussed as the manpower issues on the project's mailing lists, giving some developers more authority is one idea that has been discussed as a way of speeding up the release of security updates.

As one developer put it: "The problem we're currently seeing isn't that the job is hard, but that only a very small number of people have the authority/ability to push the update out."
Another agreed, calling for the size of the security team to be increased from seven to 21.

From isn at c4i.org Thu Jul 7 02:45:24 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jul 7 02:50:52 2005
Subject: [ISN] Security UPDATE -- Really Simple Syndication Security -- July 6, 2005
Message-ID:

====================

1. In Focus: Really Simple Syndication Security

2. Security News and Features
- Recent Security Vulnerabilities
- Microsoft Released Update Rollup 1 for Windows 2000 SP4
- Bluetooth Security Essentials
- Preventing Data Loss When Using EFS

3. Security Toolkit
- Security Matters Blog
- FAQ

4. New and Improved
- Prevention Is Better than the Cure

====================

==== 1. In Focus: Really Simple Syndication Security ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

As you probably know by now, Really Simple Syndication (RSS) technology is hotter than a firecracker. The technology is slated to explode into the world of even more users with the eventual release of the next version of Windows (code-named Longhorn).

A slight wave of concern about security has started to grow with Microsoft's announcement that it will build RSS technology into Longhorn. Because Windows is so widely used and RSS will be built in, people have pointed out that RSS could become intruders' avenue of choice for exploiting systems.

RSS can be used to deliver all kinds of content, and by far the most popular content is HTML-based text. However, RSS can be used to deliver more than just text. You might be aware that there are ways to include file attachments in an RSS feed. As a result, we now have exceptionally great technologies such as podcasting, which is a way of delivering audio files as RSS-item attachments. Likewise, RSS can be used to deliver video, software updates, documents, spreadsheets, and all sorts of other files. The possibilities are nearly unlimited. And therein resides the concern.

RSS is a delivery vehicle for content. Some type of helper application is required to read, view, listen to, or otherwise handle that content. For example, if you have RSS deliver an MP3 audio file, then at some point, you'll launch your MP3 player to listen to that file. The same goes for HTML, video, documents, and so on. If any of the applications used to handle RSS-related data have security vulnerabilities, of course intruders will eventually find a way to deliver an exploit.

Because RSS is so widely used and RSS feeds are typically updated in a somewhat automated fashion, the potential is high that someone could exploit a large number of systems very quickly. For example, a problem in your Web browser or media player software could be exploited by delivering specially crafted content.

Combined attacks could be used too. For example, you might subscribe to an RSS feed at a major news site. An intruder might find a way to tweak your HOSTS file and DNS cache so that, unknown to you, your RSS aggregator or RSS reader goes to some other site instead. The RSS aggregator or RSS reader would then pull content from that illegitimate site and possibly launch an exploit on your system. All the while, you're none the wiser, thinking you've simply pulled the latest news articles, which of course would be designed to look exactly like the real thing.

The bottom line is that RSS isn't much of a security risk and poses few, if any, problems in and of itself. The real risks, so far as I can see, are that RSS feeds often interface with other problematic software, such as browsers, assorted media-playing software, and word processing software. To protect users, those applications need to be developed to be as secure as possible. If that isn't accomplished, computer users will be less likely to use the great RSS technology we now enjoy.

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=DD52:4FB69

Microsoft Released Update Rollup 1 for Windows 2000 SP4
Microsoft released Update Rollup 1 for Windows 2000 SP4, which contains all updates and patches issued as of April 30, 2005. A spokesperson for Microsoft said that there will be no Service Pack 5 for Windows 2000 and that Update Rollup 1 won't be a requirement in order to receive support during Windows 2000's extended support phase. The company believes that "the Update Rollup will meet customer needs more appropriately than a new service pack."
http://list.windowsitpro.com/t?ctl=DD5A:4FB69

Bluetooth Security Essentials
Microsoft introduced comprehensive Bluetooth support for desktops and laptops in Windows XP Service Pack 2 (SP2), and for smart phones and Pocket PCs in Windows CE. As with its better-known cousin Wi-Fi, security questions have arisen about Bluetooth. John Howie takes a look at the fundamentals of Bluetooth, including its security features and potential risks, and walks you through the process of securing your Bluetooth implementation.
http://list.windowsitpro.com/t?ctl=DD56:4FB69

Preventing Data Loss When Using EFS
Many people use the Encrypting File System (EFS) to protect their confidential files but later lose that information when they upgrade their computer or lose the computer and try to restore from backups. Randy Franklin Smith explains how to avoid losing data when using EFS.
http://list.windowsitpro.com/t?ctl=DD58:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog: Any Problems with Win2K Update Rollup 1?
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=DD5E:4FB69

I've heard a couple of reports of problems regarding the new Update Rollup 1 package for Windows 2000 Service Pack 4 (SP4). Have you experienced any problems?
http://list.windowsitpro.com/t?ctl=DD57:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=DD5C:4FB69

Q: How can I use a script to determine password-expiration dates for users in a domain or an organizational unit (OU) and send an email message to accounts whose passwords expire soon?

Find the answer at http://list.windowsitpro.com/t?ctl=DD59:4FB69

====================

==== 4. New and Improved ====
by Dustin Ewing, products@windowsitpro.com

Prevention Is Better than the Cure
Symantec has released Symantec Critical System Protection 4.5, an intrusion-prevention solution for desktops and servers running Windows, UNIX, and Linux OSs. Symantec Critical System Protection enforces behavior-based security policies that defend and proactively protect applications on client and server platforms. The software is designed to protect against day-zero attacks and maintain system compliance. Buffer overflow and memory-based attack protection provide an added defense against sophisticated attacks. The product includes a high-performance firewall that monitors inbound and outbound network traffic connections and can block by port, protocol, and IP address range. For pricing and more information, see the company's Web site.
http://list.windowsitpro.com/t?ctl=DD60:4FB69

====================

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Copyright 2005, Penton Media, Inc. All rights reserved.
From isn at c4i.org Thu Jul 7 02:45:49 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jul 7 02:51:11 2005
Subject: [ISN] USC admissions site cracked wide open
Message-ID:

http://www.theregister.co.uk/2005/07/06/usc_site_cracked/

By Robert Lemos
SecurityFocus
6th July 2005

A programming error in the University of Southern California's online system for accepting applications from prospective students left the personal information of users publicly accessible, school officials confirmed this week.

The flaw put at risk "hundreds of thousands" of records containing personal information, including names, birth dates, addresses and social-security numbers, according to the person who discovered the vulnerability. The Web programming error allowed the discoverer, who asked only to be identified by the alias "Sap," to slip commands to the site's database through the log-in interface.

"The authentication process can be bypassed, and you can find the information for any student who has filled out an application online," said the discoverer, who claimed to be a security-savvy student who found the flaw during the process of applying to USC, stated in an email to SecurityFocus. "From there, you can view or change profile info, (and get) the person's user name and password combo. Entire tables can be exposed, remote command execution, you name it. Basically, they are owned."

USC's Information Services Division confirmed the problem and shuttered the site this week as a precaution, but did not confirm the size of the potential data leak or whether the university plans to tell applicants of the issue. SecurityFocus notified the university of the issue two weeks ago after being tipped off by the discoverer. The university initially removed the log-in functionality from the site for several days, but allowed applicants to log in for most of last week. USC completely blocked access to the site this week.

"We are investigating the matter and will have more information available soon," USC spokeswoman Usha Sutliff said on Tuesday.

The potential privacy issues come as other high-profile data leaks among financial institutions have focused attention on organizations' general failures in securing customer information. In the most recent case, MasterCard International outed credit-card processor CardServices Solutions for failing to secure transactions, leading to tens of thousands of cases of fraud and potentially putting as many as 40 million credit-card accounts at risk.

"Companies and organizations still don't understand the value of what they are protecting, and as a result they are not putting adequate resources towards that protection," said Richard Purcell, CEO of independent privacy consultancy Corporate Privacy Group.

For example, many colleges and universities used a student's social security number as their primary student identifier, until recently, he said. Some schools still have not stopped the practice.

"They are printing social-security numbers on ID cards, transcripts and reports," Purcell said.

The University of Southern California is the latest college in the United States to discover flaws in its online systems. The University of Connecticut notified its students, staff and faculty last week that a computer hacking tool had been found on a server containing 72,000 personal records, including social security numbers, dates of birth, phone numbers, and addresses, according to published reports. In March, Boston College acknowledged that 100,000 records from its alumni database may have been copied, while a laptop owned by a researcher at the University of California at Berkeley and containing personal information on 1.4 million Californians was found to be compromised last October.
Incidents at many other colleges - including the Georgia Institute of Technology, University of Texas at Austin, George Mason University, and the University of California at Los Angeles - have also put personal information at risk.

The vulnerability in USC's online Web application system is a relatively common and well-known software bug, known as database injection or SQL injection. A lack of security checks on user input allows a hostile user to submit a database command rather than a log-in name. The command could cause the database to send its information back to the attacker or aid the attacker in compromising the computer system hosting the database.

"All this stuff gets back to the fact that we are still building this thing called the internet and security varies all over the map," said Richard Smith, an independent privacy and security consultant based in Boston. "Some people understand it very well and others don't."

The person who discovered the flaw was able to access at least four database records using the vulnerability. The exploit information and the records were forwarded to USC officials two weeks ago by SecurityFocus.

The issue is still being investigated, but under California's Security Breach Information Act, also known as S.B. 1386, organizations that may have disclosed sensitive personal information, including social security numbers, must notify the people affected of the potential breach. USC has not said when, or even if, the school intends to notify applicants who used the system that their data may have been at risk.
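The bug class the article describes, as an added example that is not code from USC's system or from the article: a log-in query built by pasting the submitted name and password into SQL, beside the parameterized form that keeps the input as data. The table, its columns and the sample records are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for an applicant table (sample data,
    not real records); the column names are assumptions for the example.
    A real system would store password hashes; plaintext is kept here only
    so the injection point stays visible."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE applicants (username TEXT, password TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO applicants VALUES (?, ?, ?)", [
        ("alice", "correct horse", "000-00-0001"),
        ("bob", "battery staple", "000-00-0002"),
    ])
    return conn


def login_vulnerable(conn, username, password):
    """The flaw: submitted values are spliced into the SQL text, so a quote
    character in either field closes the string literal and whatever follows
    it is executed as part of the statement."""
    sql = ("SELECT username FROM applicants WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Hardened form: placeholders pass the values to the driver separately,
    so they are only ever compared as data and cannot change the query."""
    sql = "SELECT username FROM applicants WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    # A password field carrying a quote and a tautology: the kind of input the
    # article means by "a database command rather than a log-in name".
    probe = "' OR '1'='1"
    print("vulnerable   :", login_vulnerable(db, "alice", probe))      # every applicant matches
    print("parameterized:", login_parameterized(db, "alice", probe))   # no match
    print("legitimate   :", login_parameterized(db, "alice", "correct horse"))
```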
From isn at c4i.org Thu Jul 7 02:46:04 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jul 7 02:51:28 2005
Subject: [ISN] Exploit heightens risk from old Firefox flaw
Message-ID:

http://news.com.com/Exploit+heightens+risk+from+old+Firefox+flaw/2100-1002_3-5776978.html

By Joris Evers
July 6, 2005

Computer code that could be used to attack systems with older versions of Firefox has been released on the Internet, security experts have warned.

The exploit code takes advantage of a security vulnerability in Firefox 1.0.1 and earlier versions of the open-source Web browser, the French Security Incident Response Team, or FrSIRT, said in an advisory posted Wednesday. The bug exists because of an error in the way the older versions of Firefox handle GIF images. An attacker could gain control of a PC by luring the user to a Web page or sending an e-mail containing a specially crafted image, according to FrSIRT, which rates the issue "critical."

Only Firefox 1.0.1 and earlier are vulnerable. The image-parsing problem was fixed in Firefox 1.0.2, which was released in March. Since then, two more Firefox updates have been released, mostly to address security issues. The most recent version is Firefox 1.0.4, which was released in May.

Because the security bug was quashed more than three months ago, the exploit release is less of a concern, said Michael Sutton, a lab director at security company iDefense.

"Given the length of time during which patches have been available, I would consider the release of this exploit to be a credible threat, but not critical," he said.

A representative for the Mozilla Foundation, the maker of Firefox, said most of the browser's users have upgraded to version 1.0.4. Mozilla encourages people to check for updates regularly and update their browser when a new version is available, the representative said.

Since the debut of Firefox 1.0 in November, its usage has grown at a rapid pace.
Security has been a main selling point for Firefox over Microsoft's rival Internet Explorer. The number of downloads of the software is close to passing the 70 million mark, according to the download counter Spread Firefox Web site. That total represents downloads of all versions, so it doesn't necessarily represent individual users.

Firefox has demonstrated that the mature Web browser market, dominated by Internet Explorer, can be shaken up. IE has begun to see its market share dip slightly--a first in a number of years. Firefox U.S. usage share reached nearly 7 percent at the end of April, according to tracking company WebSideStory.

Copyright © 1995-2005 CNET Networks, Inc. All rights reserved.

From isn at c4i.org Thu Jul 7 02:46:18 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jul 7 02:51:39 2005
Subject: [ISN] Zlib Security Flaw Exposes Swath of Programs
Message-ID:

http://www.eweek.com/article2/0,1895,1834632,00.asp

By Larry Seltzer and Steven J. Vaughan-Nichols
July 6, 2005

A serious security flaw has been identified in Zlib, a widely used data compression library. Fixes have begun to appear, but a large number of programs could be affected.

Zlib is a data compression library that is used by many third-party programs and is distributed with many operating systems, including many Linux and BSD distributions. Microsoft Corp. and other proprietary software companies also use the library in many programs. These companies can do so because Zlib is licensed under a liberal BSD-style license.

This isn't the first time that the popular Zlib has been the center of a security concern. In 2002, a problem with how it handled memory allocation became a major concern.

This time, the flaw is a buffer overflow in the decompression process. Because the program doesn't properly validate input data, it can be fed bad data, which can lead to a buffer overflow.
This, in turn, means that if a user opens a file with a Zlib-enabled application, such as a Web browser or data compression tool, which contains specially malformed compressed data, an attacker could execute arbitrary code as the user. If this user were running as a system administrator the flaw would run at that level as well. Since Zlib is so ubiquitous, this represents a serious security concern.

It's not clear how many programs are affected, but some operating system distributions are widely exposed. According to one source, numerous key packages in the Fedora Core 3 distribution use Zlib. Symantec Corp. reports that AIX, Debian, FreeBSD, Gentoo, SuSE, Red Hat, Ubuntu and many other operating systems are affected.

Some versions of Microsoft's DirectX, FrontPage, Internet Explorer, Office, Visual Studio, Messenger and the Windows InstallShield program, among other programs, also use Zlib and are potentially vulnerable. Microsoft is currently looking into what vulnerabilities may exist in its software because of the Zlib problem.

As Ormandy said, "Everything from the Linux kernel to OpenSSH, Mozilla and Internet Explorer makes use of Zlib, and any application that understands PNG [portable network graphics] image [format] is likely to use it."

If exploited, this flaw could lead to DoS (denial of service) attacks on the targeted machine. This buffer overflow could also be used to allow a hacker unauthorized access to a system. At this time, however, Symantec reports, there are no known exploits.

In the open-source operating systems, deploying application fixes for this problem will tend to be straightforward. That's because in these operating systems the Zlib library is usually linked dynamically to applications. Thus, simply updating the operating system with the new library will take care of the problem for most applications. On other systems, however, and even with some open-source applications, each application will need to be patched.
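To act on the dynamic-versus-static distinction above, an added example (not from the article, eWEEK or the zlib project): it walks a directory tree and flags programs that carry their own copy of zlib, which a system-wide library update will not fix, by looking for the version banner zlib compiles into its inflate and deflate code. The sample images are constructed, and the fixed-version argument is a placeholder to be taken from your vendor's advisory.

```python
import os
import re

# Both zlib codecs compile in a copyright banner carrying the library version,
# e.g. " inflate 1.2.2 Copyright 1995-2004 Mark Adler ". A program image that
# contains such a banner has zlib linked in statically, so replacing libz on
# the system leaves it running the old code.
_ZLIB_BANNER = re.compile(rb"\b(?:inflate|deflate) (\d+(?:\.\d+){1,3}) Copyright")


def version_tuple(text):
    """'1.2.2' -> (1, 2, 2), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def embedded_zlib_versions(blob):
    """Distinct zlib versions whose banner appears in blob, oldest first."""
    found = {m.group(1).decode() for m in _ZLIB_BANNER.finditer(blob)}
    return sorted(found, key=version_tuple)


def links_shared_zlib(blob):
    """True if the image names the shared library instead (libz.so on Unix,
    zlib1.dll on Windows); those programs are fixed by updating the library."""
    return b"libz.so" in blob or b"zlib1.dll" in blob.lower()


def classify(blob, fixed_version):
    """One of 'static-outdated', 'static-current', 'dynamic', 'no-zlib'.
    fixed_version is whatever the vendor advisory names as the fixed release."""
    versions = embedded_zlib_versions(blob)
    if versions:
        oldest = version_tuple(versions[0])
        if oldest < version_tuple(fixed_version):
            return "static-outdated"   # needs its own rebuild or vendor patch
        return "static-current"
    if links_shared_zlib(blob):
        return "dynamic"               # covered by the libz package update
    return "no-zlib"


def scan_tree(root, fixed_version):
    """Map every readable regular file under root to its classification."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    report[path] = classify(fh.read(), fixed_version)
            except OSError:
                continue  # unreadable or vanished file: skip it, keep scanning
    return report


# Constructed sample images standing in for real binaries.
SAMPLE_STATIC = (b"\x7fELF\x01\x01\x01...code..."
                 b" inflate 1.2.2 Copyright 1995-2004 Mark Adler ...")
SAMPLE_DYNAMIC = b"\x7fELF\x01\x01\x01...libz.so.1\x00..."
SAMPLE_OTHER = b"\x7fELF\x01\x01\x01...libcrypto.so.0.9.7\x00..."

if __name__ == "__main__":
    FIXED = "1.2.3"  # placeholder: use the version your advisory names
    for label, blob in (("static", SAMPLE_STATIC),
                        ("dynamic", SAMPLE_DYNAMIC),
                        ("other", SAMPLE_OTHER)):
        print(label, classify(blob, FIXED))
```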
"Zlib is statically linked quite often, especially on non-Unix platforms such as Windows; however, on Linux, BSD and [similar operating systems] it's more conventional to use dynamic linking, especially as Zlib is so widely used on these platforms that it reduces lots of unnecessary duplication," explained Ormandy. Activity at the Zlib development site has been sparse for some time, and the main developers seem to have moved on to other projects. We received no response to our attempts to contact the developers in time for this story. However, Ormandy said, "Zlib is very mature and stable, so development is sporadic, but it's certainly not dead. Mark Adler [a Zlib co-author] responded to my report with a patch and an in-depth investigation and explanation within 24 hours, and I believe he expects to release a new version of Zlib very soon." In the meantime, many open-source operating systems already have patches for the buffer problem. These include Debian, FreeBSD, Gentoo, SuSE and Ubuntu. From isn at c4i.org Thu Jul 7 02:44:22 2005 From: isn at c4i.org (InfoSec News) Date: Thu Jul 7 02:51:57 2005 Subject: [ISN] 'Hunting season' for computer attackers Message-ID: http://www.theglobeandmail.com/servlet/story/LAC.20050706.RSECURITY06/BNPrint/theglobeandmail/TopStories By SIMON AVERY July 6, 2005 TECHNOLOGY REPORTER TORONTO -- Their anonymous ranks include extortionists who threaten to crash companies' on-line operations. They play with powerful viruses to surreptitiously lift personal data off PCs. And they brazenly wander through electronic bazaars to freely trade stolen information, malicious computer code and access to hijacked networks. A new generation of sophisticated, amorphous and highly co-ordinated Internet criminals is not only costing businesses billions of dollars; it's testing people's faith in on-line technology and pushing global law enforcement to the limit, industry experts warn. "It's hunting season right now. 
It's unbelievable how [flagrant] the attackers are. They know right now is the time because law enforcement has no resources and there's no universal jurisdictional law," says Ryan Purita, a forensic examiner with Totally Connected Security Ltd. in Vancouver. "Thieves are just going 'wow, what a wicked time.' " Attackers are increasingly co-ordinating their activities by sharing and selling malicious code and stolen information. They are streamlining operations and hiring at an incredible rate, says Claudiu Popa, president of Informatica Corp., a Toronto-based network consultancy. The recent onslaught of focused attacks on computer systems worldwide may be starting to test the public's confidence in the Internet and could threaten to undermine emerging technologies, some industry experts say. "This is the year we're seeing cybercrime, or the potential of cybercrime, begin to affect how people use the Internet," said James Lewis, senior fellow at the Center for Strategic and International Studies in Washington, D.C. It has taken the better part of a decade to persuade the mainstream user to shop and bank on-line. But just as the technology is finally starting to deliver on promises made during the dot-com boom, Mr. Lewis says a significant portion of the population is questioning the safety of the medium. "If people can't feel confident about using the Internet, they will begin to back off from using it. This is one of the greatest social costs of cybercrime," he said yesterday. Law enforcement around the world is struggling to track and locate the threats, said Mr. Lewis, who was commissioned by McAfee Inc., a large security software company based in California, to write a report on organized crime and the Internet. "There's been substantial effort on behalf of law enforcement. But the best you can say is that they're barely keeping up with it," he said. In the past few weeks, several major breaches of consumer financial data have come to light. 
In one instance, forty million credit card accounts were exposed to a breach and at least 200,000 records were stolen from Atlanta-based CardSystems Solutions Inc., which processes credit card and other payments for banks and merchants across North America. Further, Equifax Canada Inc., the credit reporting company, revealed that it had suffered a security breach that gave criminals access to personal financial information for hundreds of Canadians. Threats may come in the form of electronic Trojan horses, which lie behind fake Web links or attach themselves to e-mails, appearing as harmless files that actually contain malicious code. When a file is opened, the code installs itself on the recipient's computer and is programmed to surreptitiously take control of the device. Infected computers are known as bots, or zombies, and they become part of an army of machines under the control of an attacker, who can use them to bombard a site with traffic and even bring it down. These battalions of bots have been used in countless attacks on companies that do business on the Web. On-line betting firms, including CanBet Ltd. and William Hill Sportsbook, have been favourite targets, with attackers demanding payments of tens of thousands of dollars to back off. Some Trojans planted inside companies' computers actually reroute corporate traffic to an illegitimate destination. Once the electronic bridge is in place, criminals intercept, monitor and retrieve all the sensitive information they want. They may dismantle the connection days before a company's IT department realizes what happened. Web-based chat rooms and Internet relay chat, a technology that allows users to set up discussion channels on-line anonymously, are favourite forums for exchanging information and recruiting. There are also countless websites set up to blatantly promote criminal activity, such as the International Association for the Advancement of Criminal Activity (http://www.iaaca.com). 
Some cybergangs hide in plain sight. The HangUP Team, a Russian gang that has eluded the law for several years, carries out a dialogue of hacker exploits on its site and bears the logo "In Fraud We Trust." Mobile devices such as cellphones that can surf the Web or act as credit cards will be attractive targets of cybercrooks in the next year, as users begin to store more valuable information on their handheld devices. In addition, voice over Internet protocol (VoIP) will give attackers a new way to exploit computer vulnerabilities to interfere with phone services, Mr. Lewis said. The trend toward mobile computing is already opening up a giant hole in many networks. When users plug their laptops or personal digital assistants into a corporate network, they run the risk of importing malicious code. "Mobile devices represent a new way for mischief to come into a company and they are hard to control," said Robert Gleichauf, chief technology officer of security at Cisco Systems Inc. Police use a variety of techniques to track attackers, including tracing the Internet protocol (IP) address assigned to the computer by its Internet service provider. "You always leave a trail, just like a murderer does. Your IP address is your fingerprint, your DNA," Mr. Purita said. That trail, however, is frequently impossible to track. Most advanced attackers employ a process of looping and weaving, which means running their traffic through zombie computers in multiple countries. "The further physically removed they are, the harder it becomes to find them," said Howard Schmidt, former special adviser for cyberspace security at the White House and president of R&H Security Consulting in Seattle. Getting a handle on the number of attacks is difficult because many businesses don't report them for fear of hurting their reputations, said inspector Rob Currie, director of the RCMP's technological crime branch. 
He says his group receives a call from a large Canadian company almost every week reporting a breach or seeking counsel on a "hypothetical" breach. "IT security breaches are [now] part of daily life."

Phishing for trouble

$61.9-MILLION: ESTIMATED COST OF CYBER CRIME IN 2004
75-150 MILLION: ESTIMATED NUMBER OF PHISHING E-MAILS SENT EACH DAY
300: NUMBER OF NEW PIECES OF MALICIOUS SOFTWARE WORLDWIDE EACH MONTH IN 2004
$1,200: AVERAGE COST OF PHISHING SCAMS PER VICTIM IN U.S.
60,000: ESTIMATED NUMBER OF VICTIMS OF PHISHING SCAMS (FOOLING USERS TO HAND OVER PERSONAL INFORMATION TO COUNTERFEIT WEB SITES) IN 2004
50+: ESTIMATED PERCENTAGE OF NORTH AMERICAN HOME COMPUTERS INFECTED BY MALICIOUS SOFTWARE
2,000: NUMBER OF NEW PIECES OF MALICIOUS SOFTWARE WORLDWIDE EACH MONTH IN 2005
1 HOUR: ESTIMATED PERIOD WITHIN WHICH AN UNPROTECTED COMPUTER ON-LINE WILL BE PROBED BY MALICIOUS SOFTWARE

SOURCES: FBI, MCAFEE INC. AND GARTNER INC.

From isn at c4i.org Thu Jul 7 02:46:39 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jul 7 02:53:00 2005
Subject: [ISN] Wi-Fi cloaks a new breed of intruder
Message-ID:

http://www.sptimes.com/2005/07/04/State/Wi_Fi_cloaks_a_new_br.shtml

By ALEX LEARY
Times Staff Writer
July 4, 2005

ST. PETERSBURG - Richard Dinon saw the laptop's muted glow through the rear window of the SUV parked outside his home. He walked closer and noticed a man inside. Then the man noticed Dinon and snapped his computer shut.

Maybe it's census work, the 28-year-old veterinarian told his girlfriend. An hour later, Dinon left to drive her home. The Chevy Blazer was still there, the man furtively hunched over his computer. Dinon returned at 11 p.m. and the men repeated their strange dance.

Fifteen minutes later, Dinon called police.

Police say Benjamin Smith III, 41, used his Acer brand laptop to hack into Dinon's wireless Internet network. The April 20 arrest is considered the first of its kind in Tampa Bay and among only a few so far nationwide.
"It's so new statistics are not kept," said Special Agent Bob Breeden, head of the Florida Department of Law Enforcement's computer crime division. But experts believe there are scores of incidents occurring undetected, sometimes to frightening effect. People have used the cloak of wireless to traffic in child pornography, steal credit card information and send death threats, according to authorities. For as worrisome as it seems, wireless mooching is easily preventable by turning on encryption or requiring passwords. The problem, security experts say, is many people do not take the time or are unsure how to secure their wireless access from intruders. Dinon knew what to do. "But I never did it because my neighbors are older." A drive through downtown St. Petersburg shows how porous networks can be. In less than five minutes, a Times reporter with a laptop found 14 wireless access points, six of which were wide open. "I'll guarantee there are tons of people out there who have their wireless network being exploited but have no idea," Breeden said. "And as we see more people utilizing wireless, we'll see more people being victimized." Prolific Wi-Fi growth Wireless fidelity, or "Wi-Fi," has enjoyed prolific growth since catching on in 2000. More than 10-million U.S. homes are equipped with routers that transmit high-speed Internet to computers using radio signals. The signals can extend 200 feet or more, giving people like Dinon the ability to use the Web in the back yard of his Crescent Heights home but also reaching the house next door, or the street. Today someone with a laptop and inexpensive wireless card can surf the Web via Wi-Fi at Starbucks or eat a bagel and send instant messages at Panera Bread. Libraries, hotels, airports and colleges campuses are dotted with Wi-Fi "hotspots." Even entire cities are unplugging. "The information age is over. 
The information is out there," said Jim Guerin, technology director for the city of Dunedin, which will soon be the first city in Florida to go completely Wi-Fi. "Now it's the connectivity age. It opens up a whole new area for ethics, legal boundaries and responsibilities. It's a whole new frontier." There's a dark side to the convenience, though. The technology has made life easier for high-tech criminals because it provides near anonymity. Each online connection generates an Internet Protocol Address, a unique set of numbers that can be traced back to a house or business. That's still the case with Wi-Fi but if a criminal taps into a network, his actions would lead to the owner of that network. By the time authorities show up to investigate, the hacker would be gone. "Anything they do traces back to your house and chances are we're going to knock on your door," Breeden said. Breeden recalled a case a few years ago in which e-mail containing death threats was sent to a school principal in Tallahassee. The e-mail was traced back to a home, and when investigators arrived, they found a dumbfounded family. The culprit: a neighborhood boy who had set up the family's Wi-Fi network and then tapped into it. In another Florida case, a man in an apartment complex used a neighbor's Wi-Fi to access bank information and pay for pornography sites. But he slipped up. The man had sex products sent to his address. "The morning we did a search warrant, we found an antenna hanging out his window so he could get a better signal from his neighbor's network," Breeden said. Last year, a Michigan man was convicted of using an unsecured Wi-Fi network at a Lowe's home improvement store to steal credit card numbers. The 20-year-old and a friend stumbled across the network while cruising around in a car in search of wireless Internet connections - a practice known as "Wardriving." 
(The name has roots in the movie WarGames, in which Matthew Broderick's character uses a computer to call hundreds of phone numbers in search of computer dialups, hence "war dialing.") A more recent threat to emerge is the "evil twin" attack. A person with a wireless-equipped laptop can show up at, say, a coffee shop or airport and overpower the local Wi-Fi hotspot. The person then eavesdrops on unsuspecting computer users who connect to the bogus network. At a technology conference in London this spring, hackers set up evil twins that infected other computers with viruses, some that gather information on the user, the Wall Street Journal reported. Not all encryption is rock solid, either. One of the most common methods called WEP, or Wired Equivalent Privacy, is better than nothing but still can be cracked using a program available on the Web. "Anybody with an Internet connection and an hour online can learn how to break that," said Guerin, the Dunedin network administrator. Two years ago when the city of Dunedin first considered Wi-Fi, Guerin squashed the idea because of WEP's inadequacy. Dunedin's network, however, will be protected by the AES encryption standard, used by the Department of Defense. Passwords will be required, and each computer will have to be authenticated by the network. There also will be firewalls. "I'm confident to say our subscribers are at zero risk for that kind of fraud," Guerin said. Leaving the door open Not everyone has sinister intentions. Many Wardrivers do it for sport, simply mapping the connections out there. Others see it as part public service, part business opportunity. When they find an unsecured network, they approach a homeowner and for a fee, offer to close the virtual door. Some Wi-Fi users intentionally leave their networks open or give neighbors passwords to share an Internet connection. 
There is a line of thought that tapping into the network of an unsuspecting host is harmless provided the use is brief and does not sap the connection, such as downloading large music files.

"There is probably some minority of people who hop on and are up to no good. But I don't know there is any sign it's significant," said Mike Godwin of Public Knowledge, a public interest group in Washington, D.C., focused on technology.

"We have to be careful," Godwin said. "There's a lot of stuff that just because it's new triggers social panic. Normally the best thing to do is sit back and relax and let things take their course ... before acting on regulation."

Randy Cohen, who writes "The Ethicist" column in the New York Times Magazine, was swayed by Godwin's thinking. When asked by a Berkeley, Calif., reader if it was okay to hop on a neighbor's Wi-Fi connection, Cohen wrote: "The person who opened up access to you is unlikely even to know, let alone mind, that you've used it. If he does object, there's easy recourse: nearly all wireless setups offer password protection."

But, Cohen went on to ask, "Do you cheat the service provider?" Internet companies say yes.

"It's no different if I went out and bought a Microsoft program and started sharing it with everyone in my apartment. It's theft," said Kena Lewis, spokeswoman for Bright House Networks in Orlando. "Just because a crime may be undetectable doesn't make it right."

'I'll probably never know'

In a way Dinon was fortunate the man outside his home stuck around since it remains a challenge to catch people in the act.

Smith, who police said admitted to using Dinon's Wi-Fi, has been charged with unauthorized access to a computer network, a third-degree felony. A pretrial hearing is set for July 11.

It remains unclear what Smith was using the Wi-Fi for, to surf, play online video games, send e-mail to his grandmother, or something more nefarious. Prosecutors declined to comment, and Smith could not be reached.
"I'm mainly worried about what the guy may have uploaded or downloaded, like kiddie porn," Dinon said. "But I'll probably never know." --Times staff writer Matthew Waite contributed to this report. Alex Leary can be reached at 727 893-8472 or leary@sptimes.com MINIMIZING THE RISKS Here are a few tips to minimize potential threats to a Wi-Fi network: Enable WEP (Wired Equivalent Privacy). Even though WEP uses weak encryption and is breakable, it still provides an effective first measure of defense by encrypting the traffic between your wireless card and access point. Use 64-bit WEP to gain some security benefit without slowing down your network unnecessarily. You can also use WPA, a similar security protocol that's tougher to crack. Make sure both your access point and card support it. Change your SSID (service set identifier) to something nondescriptive. You do not want to give out your name, address, or any other useful information to potential hackers. Also, don't use the default SSID. Change the default password on your access points. The defaults of most network equipment are well known. Enable MAC based filtering. Using this feature, only your unique wireless cards can communicate with your access point. Turn off your access points when you are not using them. Why risk being scanned or being broken into if you are not using your wireless network? Position your access points toward the center of your house or building. This will minimize the signal leak outside of its intended range. If you are using external antennas, selecting the right type of antenna can be helpful in minimizing signal leak. Don't send sensitive files over Wi-Fi networks. Most Web sites that perform sensitive transactions like shopping with a credit card or checking bank account information use Secure Socket Layer (SSL) technology. Sources: Force Field Wireless, www.forcefieldwireless.com TampaBay.com columnist Jeremy Bowers. 
[Last modified July 6, 2005, 12:18:59] From isn at c4i.org Thu Jul 7 02:44:37 2005 From: isn at c4i.org (InfoSec News) Date: Thu Jul 7 02:53:18 2005 Subject: [ISN] Hacker attacks college server Message-ID: http://www.statenews.com/article.phtml?pk=30684 By AMY DAVIS The State News July 7, 2005 More than 27,000 students were informed by e-mail on Tuesday that their Social Security numbers could have been compromised by an attack on the College of Education's server. The server housed information that included student names, addresses, student courses and personal identification numbers. After the intrusion was discovered at the beginning of April, the server was taken off-line and a computer forensic investigation on the incident was started, said College of Education Assistant Dean Gail Nutter. Now, the college no longer maintains student Social Security numbers on its server. Because personal information could have been accessed, Judith Collins, director of MSU's Identity Theft Partnerships in Prevention and associate professor of criminal justice, said students should immediately call their credit companies to put a fraud alert on their accounts. "If someone has a name and Social Security number, they can apply for a credit card, so this is a major issue," Collins said. She added that no business or university is immune to intrusions. Curriculum and teaching graduate student Nick Husbye said he isn't concerned about the security of his personal information, but he wished the university had warned students of the intrusion earlier. "If they knew in April, it would have been more pertinent to let us know then, but I'm going to trust my college that they had a reason to let us know now," Husbye said. Husbye said he will continue to keep an eye on his credit report. "That is what you should do anyway - you just need to be vigilant about your own stuff," he said. 
The attack on the College of Education server is the latest in a string of similar intrusions on MSU servers. Last week, an intrusion was discovered within MSU's Department of Human Resources, which could have allowed the culprit to gain access to the Social Security numbers of all MSU employees and retirees.

David Gift, vice provost for Libraries, Computing & Technology, said MSU's policy of fully disclosing all intrusions gives the illusion that it's happening all of the time.

"These security breaches are happening so frequently these days that it doesn't matter if you know about the intrusion," Gift said, adding that unknown intrusions can happen almost as frequently and are a greater threat.

The university is taking a number of steps to protect sensitive information, Gift said. MSU is bolstering work security and minimizing sensitive information's potential exposure by eliminating personal data that doesn't need to be stored for a long period of time.

Gift said most computer intrusions are done for reasons other than to steal data, such as people seeking file space to illegally move files around. He added that it's difficult to determine the culprit of any hacking attempt because the culprits take extra measures to disguise their identities.

Adult education graduate student Jonathan Lembright received the e-mail about the computer server break-in and said he wasn't very concerned about the attack.

"I trust that MSU is doing their best to see our security is watched," Lembright said.

-=-

Amy Davis can be reached at davisam8 at msu.edu. Staff writer Maggie Lillis contributed to this report.
From isn at c4i.org Fri Jul 8 04:19:36 2005 From: isn at c4i.org (InfoSec News) Date: Fri Jul 8 04:33:11 2005 Subject: [ISN] Secunia Weekly Summary - Issue: 2005-27 Message-ID: ======================================================================== The Secunia Weekly Advisory Summary 2005-06-30 - 2005-07-07 This week : 101 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3...............................This Weeks Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written. Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued. As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet. Secunia Online Vulnerability Database: http://secunia.com/ ======================================================================== 2) This Week in Brief: An exploit has been published for the "javaprxy.dll" Memory Corruption vulnerability in Internet Explorer. This qualified the advisory for an Extremely Critical rating. Currently no patch is available from the vendor, however, the vendor has suggested various workarounds, see the Secunia Advisory for details. 
Reference:
http://secunia.com/SA15891

A highly critical vulnerability has been discovered by iDEFENSE in the popular Adobe Acrobat Reader for Unix, allowing malicious people to compromise a user's system if they open a maliciously crafted PDF document.

Reference:
http://secunia.com/SA15934

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA15891] Internet Explorer "javaprxy.dll" Memory Corruption Vulnerability
2.  [SA15852] XML-RPC for PHP PHP Code Execution Vulnerability
3.  [SA15489] Mozilla / Firefox / Camino Dialog Origin Spoofing Vulnerability
4.  [SA15491] Microsoft Internet Explorer Dialog Origin Spoofing Vulnerability
5.  [SA15845] phpBB "highlight" PHP Code Execution Vulnerability
6.  [SA15934] Adobe Acrobat Reader UnixAppOpenFilePerform Buffer Overflow Vulnerability
7.  [SA15806] RealOne / RealPlayer / Helix Player / Rhapsody Multiple Vulnerabilities
8.  [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerabilities
9.  [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
10. [SA15904] BLOG:CMS XML-RPC PHP Code Execution Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA15891] Internet Explorer "javaprxy.dll" Memory Corruption Vulnerability
[SA15940] Documentum eRoom File Sharing Vulnerability
[SA15961] McAfee IntruShield Security Management System Multiple Vulnerabilities
[SA15933] Peer-to-Peer Chat and File Sharing Application (PrivaShare) Denial of Service
[SA15932] Access Remote PC User Credentials Disclosure
[SA15894] SSH Tectia Server Insecure Private Key Permissions
[SA15885] Prevx Pro 2005 Intrusion Prevention Feature Bypass
[SA15863] Hitachi Multiple Hibun Products Security Restriction Bypass

UNIX/Linux:
[SA15974] Ubuntu update for zlib
[SA15972] Red Hat update for zlib
[SA15969] Gentoo update for zlib
[SA15968] SUSE update for zlib
[SA15966] Mandriva update for zlib
[SA15964] Debian update for zlib
[SA15959] FreeBSD update for zlib
[SA15947] MailWatch for MailScanner XML-RPC PHP Code Execution
[SA15946] Gentoo update for tikiwiki
[SA15945] Fedora update for php
[SA15934] Adobe Acrobat Reader UnixAppOpenFilePerform Buffer Overflow Vulnerability
[SA15931] Conectiva update for cacti
[SA15929] Gentoo update for realplayer
[SA15923] Fedora update for zlib
[SA15920] Trustix update for multiple packages
[SA15917] phpGroupWare XML-RPC PHP Code Execution Vulnerability
[SA15916] eGroupWare XML-RPC PHP Code Execution Vulnerability
[SA15915] Ubuntu update for libapache2-mod-php4/php4-pear
[SA15909] UnixWare update for mozilla
[SA15905] Gentoo phpBB "highlight" PHP Code Execution Vulnerability
[SA15897] Gentoo update for PEAR XML_RPC
[SA15888] Mandriva update for php-pear
[SA15880] Community Link Pro "file" Shell Command Injection Vulnerability
[SA15973] Debian update for trac
[SA15898] Gentoo update for wordpress
[SA15887] Mandriva update for kernel
[SA15886] Mandriva update for kernel-2.4
[SA15875] Fedora update for binutils
[SA15856] Ubuntu update for ruby
[SA15965] SUSE update for heimdal
[SA15858] Gentoo update for heimdal
[SA15948] Debian update for bzip2
[SA15939] Conectiva update for bzip2
[SA15938] Conectiva update for clamav
[SA15937] Conectiva update for gzip
[SA15921] Debian update for razor
[SA15919] Debian update for clamav
[SA15901] Courier Mail Server Memory Corruption Vulnerability
[SA15896] Debian update for spamassassin
[SA15871] FreeBSD ipfw Packet Matching Security Issue
[SA15869] FreeBSD update for bzip2
[SA15867] FreeBSD TCP Stack Implementation Vulnerabilities
[SA15860] SUSE update for clamav
[SA15859] Clam AntiVirus Two File Handling Denial of Service Vulnerabilities
[SA15930] Net-snmp Stream-based Protocol Denial of Service
[SA15906] OpenLDAP / pam_ldap / nss_ldap Password Disclosure Security Issue
[SA15963] GNATS Arbitrary File Overwrite Security Issue
[SA15955] Debian "apt-setup" Insecure File Permission Security Issue
[SA15935] Conectiva update for sudo
[SA15913] Centericq Insecure Temporary File Creation
[SA15912] Kpopper Insecure Temporary File Creation
[SA15899] log4sh Insecure Temporary File Creation
[SA15890] Debian update for sudo
[SA15889] ekg Insecure Temporary File Creation
[SA15882] Debian update for crip
[SA15881] Red Hat update for sudo
[SA15878] crip Insecure Temporary File Creation
[SA15877] Avaya CMS/IR lpadmin Arbitrary File Overwrite Vulnerability
[SA15943] Debian update for gaim
[SA15874] NetBSD Audio Drivers ioctl Denial of Service Vulnerability

Other:
[SA15970] Xerox WorkCentre Pro Multiple Vulnerabilities
[SA15876] Avaya Products TCP Timestamp Denial of Service

Cross Platform:
[SA15952] Jinzora "include_path" File Inclusion Vulnerability
[SA15949] zlib "inftrees.c" Buffer Overflow Vulnerability
[SA15944] TikiWiki XML-RPC PHP Code Execution Vulnerability
[SA15927] Mark Kronsbein MyGuestbook "lang" File Inclusion Vulnerability
[SA15922] Jaws "path" File Inclusion and XML-RPC PHP Code Execution
[SA15910] nabopoll "path" File Inclusion Vulnerability
[SA15908] Cacti "no_http_headers" Security Bypass and Shell Command Injection
[SA15904] BLOG:CMS XML-RPC PHP Code Execution Vulnerability
[SA15903] PhpWiki XML-RPC PHP Code Execution Vulnerability
[SA15895] Nucleus XML-RPC PHP Code Execution Vulnerability
[SA15893] EasyPHPCalendar "serverPath" File Inclusion Vulnerability
[SA15884] phpPgAds XML-RPC PHP Code Execution Vulnerability
[SA15883] phpAdsNew XML-RPC PHP Code Execution Vulnerability
[SA15873] Pavsta Auto Site "sitepath" File Inclusion Vulnerability
[SA15872] Drupal PHP Code Execution Vulnerabilities
[SA15862] Serendipity XML-RPC Unspecified PHP Code Execution Vulnerability
[SA15861] PEAR XML_RPC PHP Code Execution Vulnerability
[SA15951] PHPXmail Authentication Bypass Vulnerability
[SA15942] QuickBlogger Comment Script Insertion Vulnerability
[SA15941] phpPgAdmin "formLanguage" Local File Inclusion Vulnerability
[SA15926] Covide Groupware-CRM User ID SQL Injection Vulnerability
[SA15918] osTicket "t" SQL Injection Vulnerability
[SA15914] Geeklog Unspecified SQL Injection Vulnerability
[SA15911] PHPNews "prevnext" SQL Injection Vulnerability
[SA15902] Plague News System SQL Injection and Security Bypass Vulnerabilities
[SA15900] Quick & Dirty PHPSource Printer Directory Traversal Vulnerability
[SA15865] Comdev eCommerce Review Script Insertion Vulnerability
[SA15864] Comdev News Publisher Cross-Site Scripting and PHP Code Execution
[SA15950] MediaWiki Move Template Cross-Site Scripting Vulnerability
[SA15928] AutoIndex PHP Script "search" Cross-Site Scripting Vulnerability
[SA15868] Soldier of Fortune II Ignore Command Denial of Service

========================================================================
5) Vulnerabilities Content Listing

Windows:

--
[SA15891] Internet Explorer "javaprxy.dll" Memory Corruption Vulnerability
Critical:    Extremely critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-07-01

SEC Consult has discovered a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15891/

--
[SA15940] Documentum eRoom File Sharing Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, System access
Released:    2005-07-07

c0ntex has reported a vulnerability in Documentum eRoom, which can be exploited by malicious users to conduct script insertion attacks and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15940/

--
[SA15961] McAfee IntruShield Security Management System Multiple Vulnerabilities
Critical:    Moderately critical
Where:       From local network
Impact:      Security Bypass, Cross Site Scripting, Manipulation of data
Released:    2005-07-07

Several vulnerabilities have been reported in McAfee Intrushield IPS Management Console, which can be exploited by malicious users to conduct cross-site scripting attacks, bypass security restrictions, and gain escalated privileges in the web application.

Full Advisory:
http://secunia.com/advisories/15961/

--
[SA15933] Peer-to-Peer Chat and File Sharing Application (PrivaShare) Denial of Service
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-07-07

basher13 has discovered a vulnerability in PrivaShare, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15933/

--
[SA15932] Access Remote PC User Credentials Disclosure
Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2005-07-06

Kozan has discovered a security issue in Access Remote PC, which can be exploited by malicious, local users to gain knowledge of sensitive information.
Full Advisory:
http://secunia.com/advisories/15932/

--
[SA15894] SSH Tectia Server Insecure Private Key Permissions
Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2005-07-01

A security issue has been reported in SSH Tectia Server and SSH Secure Shell for Windows Servers, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/15894/

--
[SA15885] Prevx Pro 2005 Intrusion Prevention Feature Bypass
Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2005-07-01

Tri Huynh has discovered two vulnerabilities in Prevx Pro 2005, which can be exploited to bypass security features provided by the product.

Full Advisory:
http://secunia.com/advisories/15885/

--
[SA15863] Hitachi Multiple Hibun Products Security Restriction Bypass
Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2005-06-30

Two security issues have been reported in various Hitachi Hibun products, which can be exploited by malicious, local users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/15863/

UNIX/Linux:

--
[SA15974] Ubuntu update for zlib
Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-07-07

Ubuntu has issued an update for zlib. This fixes a vulnerability, which can be exploited by malicious people to conduct a DoS (Denial of Service) against a vulnerable application, or potentially to execute arbitrary code.

Full Advisory:
http://secunia.com/advisories/15974/

--
[SA15972] Red Hat update for zlib
Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-07-07

Red Hat has issued an update for zlib. This fixes a vulnerability, which can be exploited by malicious people to conduct a DoS (Denial of Service) against a vulnerable application, or potentially to execute arbitrary code.
Full Advisory:
http://secunia.com/advisories/15972/

--
[SA15969] Gentoo update for zlib
Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-07-07

Gentoo has issued an update for zlib. This fixes a vulnerability, which can be exploited by malicious people to conduct a DoS (Denial of Service) against a vulnerable application, or potentially to execute arbitrary code.

Full Advisory:
http://secunia.com/advisories/15969/

--
[SA15968] SUSE update for zlib
Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-07-07

SUSE has issued an update for zlib. This fixes a vulnerability, which can be exploited by malicious people to conduct a DoS (Denial of Service) against a vulnerable application, or potentially to execute arbitrary code.

Full Advisory:
http://secunia.com/advisories/15968/

--
[SA15966] Mandriva update for zlib
Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-07-07

Mandriva has issued an update for zlib. This fixes a vulnerability, which can be exploited by malicious people to conduct a DoS (Denial of Service) against a vulnerable application, or potentially to execute arbitrary code.

Full Advisory:
http://secunia.com/advisories/15966/

--
[SA15964] Debian update for zlib
Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-07-07

Debian has issued an update for zlib. This fixes a vulnerability, which can be exploited by malicious people to conduct a DoS (Denial of Service) against a vulnerable application, or potentially to execute arbitrary code.

Full Advisory:
http://secunia.com/advisories/15964/

--
[SA15959] FreeBSD update for zlib
Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-07-07

FreeBSD has issued an update for zlib.
This fixes a vulnerability, which can be exploited by malicious people to conduct a DoS (Denial of Service) against a vulnerable application, or potentially to execute arbitrary code.

Full Advisory:
http://secunia.com/advisories/15959/

--
[SA15947] MailWatch for MailScanner XML-RPC PHP Code Execution
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-07-07

A vulnerability has been reported in MailWatch for MailScanner, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15947/

--
[SA15946] Gentoo update for tikiwiki
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-07-07

Gentoo has issued an update for tikiwiki. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15946/

--
[SA15945] Fedora update for php
Critical:    Highly critical
Where:       From remote
Impact:      Privilege escalation, System access
Released:    2005-07-06

Fedora has issued an update for php. This fixes two vulnerabilities, which potentially can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges and by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15945/

--
[SA15934] Adobe Acrobat Reader UnixAppOpenFilePerform Buffer Overflow Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-07-06

A vulnerability has been reported in Adobe Acrobat Reader, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15934/

--
[SA15931] Conectiva update for cacti
Critical:    Highly critical
Where:       From remote
Impact:      Manipulation of data, System access
Released:    2005-07-07

Conectiva has issued an update for cacti.
This fixes some vulnerabilities, which can be exploited by malicious people to conduct SQL injection attacks or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15931/

--
[SA15929] Gentoo update for realplayer
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-07-06

Gentoo has issued an update for realplayer. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15929/

--
[SA15923] Fedora update for zlib
Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-07-07

Fedora has issued an update for zlib. This fixes a vulnerability, which can be exploited by malicious people to conduct a DoS (Denial of Service) against a vulnerable application, or potentially to execute arbitrary code.

Full Advisory:
http://secunia.com/advisories/15923/

--
[SA15920] Trustix update for multiple packages
Critical:    Highly critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information, DoS, System access
Released:    2005-07-04

Trustix has issued various updated packages. These fix some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service), to overwrite arbitrary files, to compromise a vulnerable system, or by malicious users to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/15920/

--
[SA15917] phpGroupWare XML-RPC PHP Code Execution Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-07-04

A vulnerability has been reported in phpGroupWare, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/15917/

--
[SA15916] eGroupWare XML-RPC PHP Code Execution Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-07-04

A vulnerability has been reported in eGroupWare, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15916/

--
[SA15915] Ubuntu update for libapache2-mod-php4/php4-pear
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-07-05

Ubuntu has issued updates for libapache2-mod-php4 and php4-pear. These fix a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15915/

--
[SA15909] UnixWare update for mozilla
Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, System access
Released:    2005-07-04

SCO has issued an update for mozilla. This fixes some vulnerabilities, which can be exploited by malicious people to gain knowledge of potentially sensitive information, conduct cross-site scripting attacks, bypass certain security restrictions, and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15909/

--
[SA15905] Gentoo phpBB "highlight" PHP Code Execution Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-07-05

Gentoo has acknowledged a vulnerability in phpBB, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15905/

--
[SA15897] Gentoo update for PEAR XML_RPC
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-07-04

Gentoo has issued an update for PEAR XML_RPC. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/15897/

--
[SA15888] Mandriva update for php-pear
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-07-01

Mandriva has issued an update for php-pear. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15888/

--
[SA15880] Community Link Pro "file" Shell Command Injection Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-06-30

spher3 and mozako have reported a vulnerability in Community Link Pro, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15880/

--
[SA15973] Debian update for trac
Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information, System access
Released:    2005-07-07

Debian has issued an update for trac. This fixes a vulnerability, which can be exploited by malicious users to disclose sensitive information and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15973/

--
[SA15898] Gentoo update for wordpress
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, Exposure of system information, System access
Released:    2005-07-05

Gentoo has issued an update for wordpress. This fixes some vulnerabilities, which can be exploited by malicious people to manipulate mail messages, conduct cross-site scripting and SQL injection attacks, and by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15898/

--
[SA15887] Mandriva update for kernel
Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information, Privilege escalation, DoS
Released:    2005-07-01

Mandriva has issued an update for kernel.
This fixes some vulnerabilities, which can be exploited by malicious, local users to gain knowledge of potentially sensitive information, cause a DoS (Denial of Service), or gain escalated privileges, or by malicious people to cause a DoS.

Full Advisory:
http://secunia.com/advisories/15887/

--
[SA15886] Mandriva update for kernel-2.4
Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information, Privilege escalation, DoS
Released:    2005-07-01

Mandriva has issued an update for kernel-2.4. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain knowledge of potentially sensitive information, cause a DoS (Denial of Service), or gain escalated privileges, or by malicious people to cause a DoS.

Full Advisory:
http://secunia.com/advisories/15886/

--
[SA15875] Fedora update for binutils
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-06-30

Fedora has issued an update for binutils. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15875/

--
[SA15856] Ubuntu update for ruby
Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-06-29

Ubuntu has issued an update for ruby. This fixes a vulnerability, which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/15856/

--
[SA15965] SUSE update for heimdal
Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2005-07-07

SUSE has issued an update for heimdal. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/15965/

--
[SA15858] Gentoo update for heimdal
Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2005-06-29

Gentoo has issued an update for heimdal. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15858/

--
[SA15948] Debian update for bzip2
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-07-07

Debian has issued an update for bzip2. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15948/

--
[SA15939] Conectiva update for bzip2
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-07-06

Conectiva has issued an update for bzip2. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15939/

--
[SA15938] Conectiva update for clamav
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-07-06

Conectiva has issued an update for clamav. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15938/

--
[SA15937] Conectiva update for gzip
Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2005-07-06

Conectiva has issued an update for gzip. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15937/

--
[SA15921] Debian update for razor
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-07-06

Debian has issued an update for razor. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/15921/

--
[SA15919] Debian update for clamav
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-07-06

Debian has issued an update for clamav. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15919/

--
[SA15901] Courier Mail Server Memory Corruption Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-07-04

A vulnerability has been reported in Courier Mail Server, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15901/

--
[SA15896] Debian update for spamassassin
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-07-01

Debian has issued an update for spamassassin. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15896/

--
[SA15871] FreeBSD ipfw Packet Matching Security Issue
Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-06-30

A security issue has been reported in FreeBSD, which can be exploited by malicious people to bypass the firewall ruleset.

Full Advisory:
http://secunia.com/advisories/15871/

--
[SA15869] FreeBSD update for bzip2
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-06-30

FreeBSD has issued an update for bzip2. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15869/

--
[SA15867] FreeBSD TCP Stack Implementation Vulnerabilities
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-06-30

FreeBSD has issued an update for the TCP stack. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) on active TCP sessions.
Full Advisory:
http://secunia.com/advisories/15867/

--
[SA15860] SUSE update for clamav
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-06-30

SUSE has issued an update for clamav. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15860/

--
[SA15859] Clam AntiVirus Two File Handling Denial of Service Vulnerabilities
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-06-30

Two vulnerabilities have been reported in clamav, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15859/

--
[SA15930] Net-snmp Stream-based Protocol Denial of Service
Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2005-07-06

A vulnerability has been reported in Net-snmp, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15930/

--
[SA15906] OpenLDAP / pam_ldap / nss_ldap Password Disclosure Security Issue
Critical:    Less critical
Where:       From local network
Impact:      Exposure of sensitive information
Released:    2005-07-04

A security issue has been reported in OpenLDAP, pam_ldap and nss_ldap, which can be exploited by malicious people to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/15906/

--
[SA15963] GNATS Arbitrary File Overwrite Security Issue
Critical:    Less critical
Where:       Local system
Impact:      Security Bypass, Manipulation of data, System access
Released:    2005-07-07

A security issue has been reported in GNATS, which can be exploited by malicious, local users to overwrite arbitrary files on a vulnerable system.
Full Advisory:
http://secunia.com/advisories/15963/

--
[SA15955] Debian "apt-setup" Insecure File Permission Security Issue
Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2005-07-07

Alexander Mader has reported a security issue in Debian apt-setup, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/15955/

--
[SA15935] Conectiva update for sudo
Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2005-07-06

Conectiva has issued an update for sudo. This fixes a vulnerability, which can be exploited by malicious, local users to execute arbitrary commands.

Full Advisory:
http://secunia.com/advisories/15935/

--
[SA15913] Centericq Insecure Temporary File Creation
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-07-05

Eric Romang has reported a vulnerability in Centericq, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/15913/

--
[SA15912] Kpopper Insecure Temporary File Creation
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-07-05

Eric Romang has reported a vulnerability in Kpopper, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/15912/

--
[SA15899] log4sh Insecure Temporary File Creation
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-07-04

Eric Romang has reported a vulnerability in log4sh, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory:
http://secunia.com/advisories/15899/

--
[SA15890] Debian update for sudo
Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2005-07-01

Debian has issued an update for sudo. This fixes a vulnerability, which can be exploited by malicious, local users to execute arbitrary commands with escalated privileges.

Full Advisory:
http://secunia.com/advisories/15890/

--
[SA15889] ekg Insecure Temporary File Creation
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-07-05

Eric Romang has reported a vulnerability in ekg, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/15889/

--
[SA15882] Debian update for crip
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-06-30

Debian has issued an update for crip. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/15882/

--
[SA15881] Red Hat update for sudo
Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2005-06-30

Red Hat has issued an update for sudo. This fixes a vulnerability, which can be exploited by malicious, local users to execute arbitrary commands with escalated privileges.

Full Advisory:
http://secunia.com/advisories/15881/

--
[SA15878] crip Insecure Temporary File Creation
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-06-30

Justin Rye has reported a vulnerability in crip, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory:
http://secunia.com/advisories/15878/

--
[SA15877] Avaya CMS/IR lpadmin Arbitrary File Overwrite Vulnerability
Critical:    Less critical
Where:       Local system
Impact:      Manipulation of data
Released:    2005-06-30

Avaya has acknowledged a vulnerability in Avaya Call Management System (CMS) and Avaya Interactive Response (IR), which can be exploited by malicious, local users to overwrite arbitrary files on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15877/

--
[SA15943] Debian update for gaim
Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2005-07-06

Debian has issued an update for gaim. This fixes two weaknesses, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15943/

--
[SA15874] NetBSD Audio Drivers ioctl Denial of Service Vulnerability
Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2005-07-01

A vulnerability has been reported in NetBSD, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15874/

Other:

--
[SA15970] Xerox WorkCentre Pro Multiple Vulnerabilities
Critical:    Moderately critical
Where:       From local network
Impact:      Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of system information, DoS
Released:    2005-07-07

Several vulnerabilities have been reported in WorkCentre Pro MicroServer Web Server, which can be exploited by malicious people to gain unauthorized access, cause a DoS (Denial of Service), or conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/15970/

--
[SA15876] Avaya Products TCP Timestamp Denial of Service
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-06-30

Avaya has acknowledged a vulnerability in some products, which can be exploited by malicious people to cause a DoS (Denial of Service) on an active TCP session.
Full Advisory: http://secunia.com/advisories/15876/

Cross Platform:

--

[SA15952] Jinzora "include_path" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-07-07

A vulnerability has been reported in Jinzora, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15952/

--

[SA15949] zlib "inftrees.c" Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-07-07

A vulnerability has been reported in zlib, which can be exploited by malicious people to conduct a DoS (Denial of Service) against a vulnerable application, or potentially to execute arbitrary code.

Full Advisory: http://secunia.com/advisories/15949/

--

[SA15944] TikiWiki XML-RPC PHP Code Execution Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-07-07

A vulnerability has been reported in TikiWiki, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15944/

--

[SA15927] Mark Kronsbein MyGuestbook "lang" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-07-06

SoulBlack Security Research has discovered a vulnerability in Mark Kronsbein MyGuestbook, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15927/

--

[SA15922] Jaws "path" File Inclusion and XML-RPC PHP Code Execution
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-07-06

Two vulnerabilities have been reported in Jaws, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/15922/

--

[SA15910] nabopoll "path" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-07-04

V4mu has discovered a vulnerability in nabopoll, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15910/

--

[SA15908] Cacti "no_http_headers" Security Bypass and Shell Command Injection
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Manipulation of data, System access
Released: 2005-07-04

Stefan Esser has reported two vulnerabilities in Cacti, which can be exploited by malicious people to bypass certain security restrictions and compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15908/

--

[SA15904] BLOG:CMS XML-RPC PHP Code Execution Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-07-04

A vulnerability has been reported in BLOG:CMS, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15904/

--

[SA15903] PhpWiki XML-RPC PHP Code Execution Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-07-04

A vulnerability has been reported in PhpWiki, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15903/

--

[SA15895] Nucleus XML-RPC PHP Code Execution Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-07-01

A vulnerability has been reported in Nucleus, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/15895/

--

[SA15893] EasyPHPCalendar "serverPath" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-07-05

Mafia_Boy has reported a vulnerability in EasyPHPCalendar, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15893/

--

[SA15884] phpPgAds XML-RPC PHP Code Execution Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-07-01

A vulnerability has been reported in phpPgAds, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15884/

--

[SA15883] phpAdsNew XML-RPC PHP Code Execution Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-07-01

James Bercegay has reported a vulnerability in phpAdsNew, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15883/

--

[SA15873] Pavsta Auto Site "sitepath" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-06-30

V4mu has reported a vulnerability in Pavsta Auto Site, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15873/

--

[SA15872] Drupal PHP Code Execution Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-06-30

Two vulnerabilities have been reported in Drupal, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/15872/

--

[SA15862] Serendipity XML-RPC Unspecified PHP Code Execution Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-06-30

A vulnerability has been reported in Serendipity, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15862/

--

[SA15861] PEAR XML_RPC PHP Code Execution Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-06-30

James Bercegay has reported a vulnerability in PEAR XML_RPC, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15861/

--

[SA15951] PHPXmail Authentication Bypass Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-07-07

Stefan Lochbihler has reported a vulnerability in PHPXmail, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/15951/

--

[SA15942] QuickBlogger Comment Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-07-06

Donnie Werner has reported a vulnerability in QuickBlogger, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/15942/

--

[SA15941] phpPgAdmin "formLanguage" Local File Inclusion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-07-07

A vulnerability has been reported in phpPgAdmin, which can be exploited by malicious people to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/15941/

--

[SA15926] Covide Groupware-CRM User ID SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-07-06

Hans Wolters has reported a vulnerability in Covide Groupware-CRM, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/15926/

--

[SA15918] osTicket "t" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-07-04

edisan and foster have discovered a vulnerability in osTicket, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/15918/

--

[SA15914] Geeklog Unspecified SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-07-05

Stefan Esser has reported a vulnerability in Geeklog, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/15914/

--

[SA15911] PHPNews "prevnext" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-07-04

A vulnerability has been reported in PHPNews, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/15911/

--

[SA15902] Plague News System SQL Injection and Security Bypass Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2005-07-04

Easyex has reported two vulnerabilities in Plague News System, which can be exploited by malicious people to conduct SQL injection attacks and bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/15902/

--

[SA15900] Quick & Dirty PHPSource Printer Directory Traversal Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2005-07-04

Seth Alan Woolley has discovered a vulnerability in Quick & Dirty PHPSource Printer, which can be exploited by malicious people to gain knowledge of sensitive information.

Full Advisory: http://secunia.com/advisories/15900/

--

[SA15865] Comdev eCommerce Review Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-06-30

basher13 has reported a vulnerability in Comdev eCommerce, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/15865/

--

[SA15864] Comdev News Publisher Cross-Site Scripting and PHP Code Execution
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2005-06-30

basher13 has reported two vulnerabilities in Comdev News Publisher, which can be exploited by malicious people to conduct cross-site scripting attacks and by malicious users to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15864/

--

[SA15950] MediaWiki Move Template Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-07-07

A vulnerability has been reported in MediaWiki, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/15950/

--

[SA15928] AutoIndex PHP Script "search" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-07-06

mozako has discovered a vulnerability in AutoIndex PHP Script, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/15928/

--

[SA15868] Soldier of Fortune II Ignore Command Denial of Service
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-06-30

Luigi Auriemma has reported a vulnerability in Soldier of Fortune II, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/15868/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Fri Jul 8 04:19:58 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 8 04:33:27 2005
Subject: [ISN] Legislation to elevate cybersecurity post may die in Senate
Message-ID:

http://www.govexec.com/dailyfed/0705/070705tdpm1.htm

By Greta Wodele and Randy Barrett
National Journal's Technology Daily
July 7, 2005

Legislation that would promote cybersecurity efforts within the Homeland Security Department could wither on the vine again this year, despite agreement among lawmakers, the private sector and government officials that the department must do more to prevent cyber attacks.

The House in May overwhelmingly approved a measure, H.R. 1817 [1], to tweak programs at the department. It includes a provision to elevate the cybersecurity mission by promoting the director of the department's cybersecurity division to the assistant secretary level.
"The cybersecurity mission is too important to handle at this relatively low level," read a summary of the legislation authored by the House Homeland Security Committee.

While similar legislation has been introduced in the Senate, it is unlikely the chamber would vote on a bill this year. It has been bogged down with fights over President Bush's nominees and legislative work is expected to slow further as senators will debate Bush's nomination to the Supreme Court.

Industry representatives have applauded the House language, which was introduced last year as a stand-alone bill. However, that measure was never sent to the House floor for a vote.

Industry groups repeatedly have urged the government to do more to protect against debilitating cyber attacks on critical infrastructure -- a majority of which is owned by the private sector.

"This can come up and bite us in a number of ways," said Paul Kurtz, executive director of the Cyber Security Industry Alliance. "I hope Secretary [Homeland Security Secretary Michael] Chertoff and the administration will see fit to give [the position] more attention. A deputy secretary will not do."

Tech industry executives said Homeland Security is nearly wholly focused on physical security issues -- not electronic ones. Chertoff is currently reviewing department staffing, and some hope he will act to name a high-level cyber-security secretary soon.

"I have a sense Secretary Chertoff understands something is rotten in the state of Denmark," said Harris Miller, president of the Information Technology Association of America. "How can it be a critical issue when the U.S. government has buried the position five levels down?"

A government report in late May reinforced supporters' arguments for the elevated position.
A study conducted by the Government Accountability Office, the investigative wing of Congress, found that the department had not fully addressed 13 responsibilities, including drafting a plan to protect critical infrastructure and identifying cyber threats and vulnerabilities.

The department agreed at the time that officials had much more to do on the cyber-security front but disagreed with GAO that it has not made significant progress on that mission since the department's inception nearly three years ago.

Despite the sense of urgency, the department has yet to name a new director of the cybersecurity division. The former chief, Amit Yoran, resigned late last year. Andy Purdy, the acting director, has been running the division temporarily.

[1] http://capwiz.com/govexec/issues/bills/?billtype=H.R.&billnumb=1817&congress=109

From isn at c4i.org Fri Jul 8 04:20:24 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 8 04:33:47 2005
Subject: [ISN] Computer snooping a growing problem
Message-ID:

http://www.suntimes.com/output/news/cst-nws-spy07.html

BY DAVE NEWBART
Staff Reporter
July 7, 2005

One person "lost everything.'' For someone else, everything "just shut down.''

These people were not reciting the impact of a hurricane or tornado. Rather, they were telling what happened when their computers became infected by programs known as spyware.

The comments, part of a study released Wednesday by the Pew Internet & American Life Project, show just how big a problem spyware has become to the nation's estimated 135 million Internet users. The project surveyed 2,000 people by phone in May and June.

The study's authors defined spyware as tracking software that is secretly placed on a computer. The programs can significantly slow a computer, route it to Web sites you don't want to visit or cause an annoying stream of ads to pop up.

The study found that spyware has disrupted the computer lives of 43 percent of surfers.
That means an estimated 59 million people have spyware or adware on their computers, the study found. Adware is defined as tracking programs that come bundled with other software and that users knowingly download, although they don't necessarily want the adware.

But the problem could be even bigger. A study released last year found that 80 percent of users actually had such spyware or adware on their computers.

"There is a trust gap,'' said Douglas Sabo, a member of the board of directors for the National Cyber Security Alliance, which did that study. Consumers believe they are safer than they actually are, he said.

Whatever the number, the threat has caused more than nine of 10 users to alter their online behavior, either by not visiting certain Web sites, not downloading music or video files or not opening e-mail attachments, the Pew survey found.

How to fight back

"They scale back on what they are doing online,'' said Susannah Fox, who authored the study.

But many surfers could do even more to protect themselves, like using anti-spyware software, virus-protection programs and firewalls. And few surfers actually read user agreements that appear before they download free stuff from the net. Those agreements often spell out in fine type that adware is a part of the deal.

To demonstrate how few read the agreements, one Web site offered $1,000 to the first person who read the agreement in full and wrote in. Some 3,000 people downloaded the agreement before anyone claimed the money, the Pew study said.

Averaged $129 to fix it

Fox said 90 percent of users want better notice of adware. Sixty percent said they would have paid for the software if they knew it came with adware.

Those whose computers have been slowed down or even hijacked by spyware spent an average of $129 to fix a problem, she said.

Bob Bulmash, founder of Private Citizen, a privacy advocacy group in Naperville, said the federal government needs to do more to stop the purveyors of spyware.
"It spies on who we are,'' he said. "It's the most grievous type of theft.''

From isn at c4i.org Fri Jul 8 04:20:35 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 8 04:34:03 2005
Subject: [ISN] MS UK defaced in hacking attack
Message-ID:

http://www.theregister.co.uk/2005/07/06/msuk_hacked/

By John Leyden
6th July 2005

Microsoft's UK web site was defaced late on Tuesday night with a message in support of Venezuelan hacker Rafa.

Defacement archive Zone-H reports that well-known defacer Apocalypse hacked into Microsoft's UK web site (microsoft.co.uk) and uploaded a picture with the message "FREE RAFA - HACK IS NOT A CRIME" (recorded in an archive here [1]). The site has since been restored to normal operation and the offending GIF removed.

A Microsoft spokesman said it was aware of the attack, which technical staff are investigating. "There is no reason to believe customer data or any other sensitive information has been compromised," he said. Although somewhat embarrassing all early indications are that the attack was not serious.

Apocalypse has been targeting US institutions and the government sites for months, always posting messages in support of Venezuelan hacker Rafael (Rafa) Nunez-Aponte, a suspected member of the World of Hell hacking crew. Rafa is in custody in the US following his arrest in Miami in April over a series of alleged attacks on US Department of Defense servers dating back to 2001.

Previous targets of Apocalypse's "digital graffiti" attacks have included Stanford University (archive here) and US Navy web sites.

Zone-H reckons that misconfiguration of Microsoft's UK web server permitted the latest attack. For the record, Microsoft's UK site runs Microsoft's IIS 6 web server software on Windows 2003 servers.
[1] http://www.zone-h.org/en/defacements/mirror/id=2531794

From isn at c4i.org Fri Jul 8 04:18:14 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 8 04:34:19 2005
Subject: [ISN] Comment: We Still Lack Protective Imagination
Message-ID:

Forwarded from: Richard Forno

The London bombs went off over 12 hours ago. So why is CNN-TV still splashing "breaking news" on the screen? There's been zero new developments in the past several hours. Perhaps the "breaking news" is that CNN's now playing spooky "terror attack" music over commercial bumpers now filled with dramatic camera-phone images from London commuters that appeared on the Web earlier this morning.

Aside from that, the only new development since about noon seems to be the incessant press conferences held by public officials in cities around the country showcasing what they've done since 9/11 and what they're doing here at home to respond to the blasts in London.....which pretty much comes down to lots of guys with guns running around America's mass transit system in an effort to present the appearance of "increased security" to reassure the public.

While such activities are a political necessity to show that our leaders are 'doing something' during a time of crisis we must remember that talk or activity is no substitute for progress or effectiveness. Forget the fact that regular uniformed police officers and rail employees can sweep or monitor a train station just as well as a fully-decked-out SWAT team -- not to mention, they know it better, too. Forget that even with an added law enforcement presence, it's quite possible to launch a suicide attack on mass transit. Forget that a smart terrorist now knows that the DHS response to attacks is to "increase" the security of related infrastructures (e.g., train stations) and just might attack another, lesser-protected part of American society potentially with far greater success.
In these and other ways today following the London bombings, the majority of security attention has been directed at mass transit. However, while we can't protect everything against every form of attack, our American responses remain conventional and predictable -- just as we did after the Madrid train bombings in 2004 and today's events in London, we continue to respond in ways designed to "prevent the last attack." In other words, we are demonstrating a lack of protective imagination.

Contrary to America's infatuation with instant gratification, protective imagination is not quickly built, funded, or enacted. It takes years to inculcate such a mindset brought about by outside the box, unconventional, and daring thinking from folks with expertise and years of firsthand knowledge in areas far beyond security or law enforcement and who are encouraged to think freely and have their analyses seriously considered in the halls of Washington. Such a radical way of thinking and planning is necessary to deal with an equally radical adversary, yet we remain entrenched in conventional wisdom and responses.

Here at home, for all the money spent in the name of homeland security, we're not acting against the terrorists, we're reacting against them, and doing so in a very conventional, very ineffective manner. Yet nobody seems to be asking why.

While this morning's events in London are a tragedy and Londoners deserve our full support in the coming days, it's sad to see that regarding the need for effective domestic preparedness here in the United States, nearly 4 years after 9/11, it's clear that despite the catchy sound bites and flurry of activity in the name of protecting the homeland, the more things seem to change, the more they stay the same.
-rick
Infowarrior.org

From isn at c4i.org Fri Jul 8 04:20:55 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 8 04:34:33 2005
Subject: [ISN] Prosecution urges probation for Sasser author
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2005/07/07/AR2005070701256.html

July 7, 2005

BERLIN (Reuters) - Prosecutors have asked for a two-year suspended jail sentence for the man who wrote the Sasser Internet worm that wreaked havoc in big businesses and homes worldwide last year, a German court said on Thursday.

The court in the western town of Verden said the defense had argued for a one-year probation as a maximum sentence for 19-year-old Sven Jaschan, who has confessed to creating the worm and pleaded guilty to all charges.

The prosecution also wants Jaschan to perform 200 hours of community service during a three-year probationary period, the court -- expected to announce a verdict on Friday -- said in a statement.

Jaschan has admitted to data manipulation, computer sabotage and interfering with public services after the Internet attack which knocked out an estimated 1 million computers among home users and companies from early May 2004.

Sasser victims ranged from the British Coastguard to the European Commission, Goldman Sachs and Australia's Westpac Bank. Some security firms called it the most destructive worm ever.

The Sasser worm disabled computers by spreading on the ubiquitous Microsoft Windows operating system.

Because he was still a minor when some of the events occurred, media and the public were not allowed to attend the trial of the computer studies student. He could face a maximum jail sentence of five years according to German law.

Jaschan, who authorities described as a "computer freak," was identified as the author after Microsoft offered a reward of $250,000 for information leading to his arrest.

It is believed he began creating programs, including the Netsky virus, to seek out and destroy other viruses.
From isn at c4i.org Fri Jul 8 04:21:11 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 8 04:36:39 2005
Subject: [ISN] Firewalls a dangerous distraction says expert
Message-ID:

http://www.techworld.com/security/news/index.cfm?NewsID=3992

By Rodney Gedda
Computerworld Australia
07 July 2005

A preoccupation with firewalls is diverting attention and resources away from the more important issue of locking systems down, according to an expert.

Computer security researcher at the San Diego Supercomputing Center (SDSC), Abe Singer said companies can spend 90 percent of their security efforts on firewalls and not much of anything else.

"I'm not saying firewalls are completely irrelevant, but how much effort do you spend on security?" Singer asked. "Do security at the host, not just the perimeter. You should be worried about what users are doing, because if an attacker is going through the perimeter [without secure hosts] then it's game over."

Speaking at the Australian Unix and open systems user group (AUUG), Singer prides himself on the claim that the SDSC has gone four years without a root-level intrusion to its systems - without using a firewall.

"At the SDSC we don't use a firewall, it's not feasible," he said. "Since we have to secure hosts individually if we had a firewall it would be so open it would be useless."

Singer said there is a perception that a firewall is a must-have. He cited Visa's server requirements for online merchants which stated they must have a firewall, but did not specify any configuration details.

"Too much of the security budget is being spent on firewalls which also get too much attention [and] it's also 'cool' to have a new firewall to play with," he said, adding that other appliances like intrusion detection and prevention systems are an extension of the same idea.

"People are attracted to the idea that security can be bought [and] it's hard to differentiate between marketing hype and reality," he said.
"We have a known 'good' config and when we find something is bad it's consistently fixed."

Singer is adamant that intrusion will not be stopped by a firewall and attackers have used Trojan SSH clients to steal user names and passwords.

Other practices Singer recommends include not running services you don't need, for example, services that are only required internally don't need to be external.

"You really need to think through your processes [and] relying on a firewall means you're probably doing security wrong," he said. "Surveys have shown that 60 percent of security breaches are internal but 70 percent of people are worried about hackers on the outside. Internal breaches are worse, because someone has a level of access and knows where the assets are. If an attacker was really looking at compromising a company's assets he or she would get a job in the mail room."

From isn at c4i.org Fri Jul 8 04:21:29 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 8 04:36:53 2005
Subject: [ISN] E-Vote Guidelines Need Work
Message-ID:

http://www.wired.com/news/evote/0,2645,68116,00.html

By Kim Zetter
July 07, 2005

In an effort to keep pace with changing technology and address widespread security concerns about electronic voting machines, the federal government has released new guidelines for voting systems.

The guidelines, published in late June, call for vendors to follow better programming practices and make some suggestions for addressing problems with vote integrity.

Computer security experts say the guidelines are a step in the right direction, but fall short of making voting systems secure. They also don't require systems to produce a voter-verified paper audit trail, which would allow voters to confirm their vote.

The government is accepting public comment on the guidelines for 90 days, after which it will revise them, if needed, and release them for states to adopt.
But there has been some confusion on whether these should be considered final guidelines, or simply a first step toward more permanent guidelines.

Avi Rubin, a Johns Hopkins University computer science professor and technical director of the university's Information Security Institute, said the new guidelines are an improvement but contain some serious security red flags. He also said they have some requirements that, had they been included in previous versions of voting system guidelines, would have prevented voting systems made by Diebold Election Systems from being certified.

"One problem with the Diebold code was that it had large, complex multi-logic statements with no comments (from the designers)," Rubin said. "That wouldn't pass this standard."

Comments are a standard programming convention, where software designers include plain-text comments in the software code that can help anyone reading the code track changes to the software and understand what function specific lines of code perform.

Rubin was part of a group of computer scientists who examined source code for the Diebold system in 2003 and found, in addition to a number of security problems, that the code didn't follow basic programming conventions -- indicating that the programmers were unskilled and had few or no quality-control procedures in place. Rubin's findings prompted voting activists to call for the Diebold system to be decertified and helped launch a voting-machine reform movement that included a demand for paper audit trails.

The new guidelines were created by the Technical Guidelines Development Committee, headed by the acting director of the National Institutes of Standards and Technology, and composed of election officials and people with varying technical abilities. The committee created the guidelines for the U.S. Election Assistance Commission, a new federal entity that Congress created after the election problems in Florida in 2000 to improve the integrity and efficiency of elections.

Voting system guidelines, or standards, are not mandatory. States can choose to adopt the standards and require vendors that sell voting systems in their state to adhere to them. Currently, 38 states and the District of Columbia require voting systems used in the state to meet the standards in whole or in part.

The new guidelines update previous sets created in 1990 and revised in 2002, which many computer scientists considered inadequate because they failed to address certain security issues or to establish good software-development practices and testing procedures.

Those criticisms haven't been satisfied by the new standards, Rubin said. One concern is the use of commercial off-the-shelf software, or COTS. Voting vendors that use COTS in their machines -- such as Diebold, which uses a Windows operating system in its touch-screen voting system -- don't have to pass the off-the-shelf software through testing and certification procedures.

Rubin was also disappointed to see that the guidelines don't prohibit the use of telecommunications in election systems. Many electronic voting systems have modems that allow election officials to connect the machines to a phone line to transmit election results. Rubin and other computer scientists say this could allow someone to hack the machine.

"All of the standard threats that would come up (when you have) a networked system, they didn't address," Rubin said. That's primarily because there are no perfect solutions for protecting voting machines from attack if they're networked in such a way, he said.

"Given that we can't do anything about them, you shouldn't use telecommunications in voting," Rubin said. "But they don't seem to be willing to take a stand against things that are really insecure."
Rubin also thought the testing requirements should include real attack tests conducted by design red teams that would try to find ways to hack the system. "Red team" is a term used to describe testers who attempt to break into a system to test its security vulnerabilities. When a red-team test was performed on the Diebold system after Rubin's report came out in 2003, the team found they could hack the system easily in several ways -- tests the lab that certified the machines didn't perform. Rubin recently launched a private company with three other computer security experts that will conduct such tests. Rubin said, however, that his company will only test voting equipment pro bono in order to remove any potential conflict of interest with his academic work on voting system security. Sanford Morganstein, president of Populex, a company that makes a voting machine that produces a paper ballot card, was disappointed that the guidelines don't require a paper audit trail, but instead leave it to states to decide whether to make one mandatory. Currently, 20 states require their voting machines to have a voter-verified paper audit trail. "There are about two or three of us (vendors who) believe strongly in the paper trail," Morganstein said. "We think democracy depends on the will and the confidence of the voters. And we think paper trails enhance confidence." "They would definitely win over the respect of (the) computer science community if they did verified voting," Rubin said. "But they would have a mutiny on their hands from (some of the) vendors and election officials. They're trying to walk a middle ground. But I don't think that's necessary for them to do. I think they should do what's right." Ron Rivest, a computer scientist at MIT and one of the founders of RSA Security, was a member of the committee that created the guidelines. He said the committee was simply following guidance from the Election Assistance Commission. 
"I think the committee had guidance from EAC that what they wanted to see was language specifying how to use a (voter-verified paper audit trail) if a state would choose to do so, rather than trying to say whether VVPAT should be demanded." To that end, they provided guidelines for the VVPAT. Rivest said that given the time frame the committee had to create the guidelines -- which are supposed to be in place by 2006 -- he considered the standards a big improvement over previous ones, precisely because they include language about a paper audit trail. But he said no one should consider these the final word on voting system standards. He said the voting system guidelines are a work in progress. "If anybody tries to interpret these as a final product ... they may be disappointed," Rivest said. "But they may be happy to see which direction they're going in. We didn't have time to do a comprehensive job on security. It's a set of first steps. The security work has just begun. I encourage people to send in comments." Rivest said the telecommunications issue would likely be among the security issues that his group revisits when they embark on the next version of the standards. Both he and Mat Heyman, spokesman for NIST, said they understood that the standards were meant to be a preliminary version that would be put in place for the 2006 elections. "I think the (committee) members would expect there would be other revisions out in time to be relevant to the 2008 elections," Rivest said. But according to EAC spokeswoman Jeannie Layson, the guidelines released for public comment are meant to be permanent guidelines, once the EAC releases a final version following the public comment period. "Certainly as technology evolves, we will continue working with NIST and the TGDC to amend them as necessary," Layson said. "But as far as I know, this is a permanent set of guidelines." 
From isn at c4i.org Fri Jul 8 04:21:39 2005 From: isn at c4i.org (InfoSec News) Date: Fri Jul 8 04:37:06 2005 Subject: [ISN] 2 indictments against 9 PIs in Trojan Horse affair Message-ID: http://www.globes.co.il/serveen/globes/docview.asp?did=931923&fid=942 Yitzhak Danon 7 July 05 The Tel Aviv District Prosecutor today filed two indictments with the Tel Aviv District Court in the Trojan Horse affair. The indictments were filed against nine private investigators employed by Modiin Ezrahi Ltd., Zvi Krochmal Investigations, and Pelosoff-Balali. The indictments accuse the suspects of industrial espionage, fraudulent receipt, uploading computer viruses, hacking computers with criminal intent, wiretapping, use of wiretaps, invasion of privacy, and managing an unauthorized database. Prosecutors claim that the industrial espionage discovered by the international police investigation operated in three rings: a ring that created the Trojan Horses, Michael and Ruth Haephrati, whom Israel has applied to the UK for extradition; a ring of private investigators, including those indicted; and a ring of companies and private parties who ordered the industrial espionage in order to obtain information about competitors and other individuals. The investigation against this third ring is not yet over. All the accused are under arrest, and prosecutors want to extend their remand until proceedings are completed. From isn at c4i.org Mon Jul 11 04:08:28 2005 From: isn at c4i.org (InfoSec News) Date: Mon Jul 11 04:14:47 2005 Subject: [ISN] TOORCON 2005 CALL FOR PAPERS Message-ID: TOORCON 2005 CALL FOR PAPERS Papers and presentations are being accepted for ToorCon 2005 to be held at the Convention Center in San Diego, CA on September 24th-26th. Please email your submissions to cfp@toorcon.org, submissions will be accepted until August 15th 2005. ABOUT TOORCON ToorCon is just around the corner again this year. 
In its 7th running year, it is still San Diego's exclusive hacker convention, bringing together Southern California's hacker community year after year to attend the high quality presentations and participate in the annual festivities. This year we are still aiming to provide the same highly technical lectures you've come to know and love, but also set the theme as "Smoke & Mirrors" which will highlight the voodoo magic behind computer security and have a focus on Anonymity, Spoofing Techniques, Phishing, and other kung foo exploitation methods. We will also be offering an intensive full-day Deep Knowledge Seminars on Friday the 16th that we are accepting submissions for. SUBMISSION OF PAPERS ToorCon only accepts talks on new technologies and methodologies that have been recently developed. We will not accept papers that have already been presented prior to 2005, unless they present fundamental concepts or conform to any of the outlined topics below. Special consideration will be given to papers addressing the following topics: * Cryptography & Privacy * Anonymity Concepts * Forensics, Tracking & Phishing * Advanced Attack Methods (Exploits, Reverse Engineering, etc) * Hardware & Protocol Attacks All talks should be 60 minutes in length including time for delegate participation and questions at the end of the presentation. Inclusion of any talk related tools, white papers or source code will help during the selection process. While we try to facilitate speakers' requests for equipment, we may not be able to accommodate all requests. In cases where we cannot guarantee special equipment the speaker is expected to supply hardware and/or software. Each speaker is also expected to bring their own laptop to display their presentation. All talks must be vendor neutral, while speakers are welcome to present on behalf of a company - sales pitches will be thrown out. 
REMUNERATION For each chosen presentation ToorCon will give the speaker and 1 guest free admission to the conference. SPEAKER REQUIREMENTS Please include the following information with your submission: 1. What title you are submitting your paper under. 2. A valid e-mail address AND telephone number where you can be reached. 3. Number of people that will be presenting. 4. A brief biography on why you are qualified to speak on your topic. This will be used on www.toorcon.org as well as in any press material for the conference. 5. If you are speaking under a company name, please specify for which company you work. 6. Would you like to be considered for speaking at the Deep Knowledge Seminars? Note that by presenting at ToorCon 2005 you grant ToorCon permission to reproduce, distribute and/or advertise your talk as seen fit. FURTHER INFORMATION Please visit http://www.toorcon.org for further conference information. LOCATION INFORMATION This year's event will be held at the San Diego Convention Center. The reception and conference will take place on September 16th-18th in meeting rooms 30A-E and the East Terrace at the San Diego Convention Center's upper level. September 16th-18th, 2005 San Diego Convention Center 111 W. Harbor Drive San Diego, CA 92101 http://www.sdccc.org IMPORTANT DATES July 7th, 2005: Official Call For Papers issued. August 15th, 2005: Call for Papers closes. August 29th, 2005: Final submission of complete material for CDs and printing September 16-18th, 2005: ToorCon 2005 From isn at c4i.org Mon Jul 11 04:09:20 2005 From: isn at c4i.org (InfoSec News) Date: Mon Jul 11 04:15:08 2005 Subject: [ISN] Ballmer: Microsoft Wants a Bigger Piece of the Software, Services Pie Message-ID: http://www.eweek.com/article2/0,1895,1835544,00.asp By Mary Jo Foley July 10, 2005 MINNEAPOLIS - Microsoft may love its partners. But that isn't stopping the company from continuing to encroach on areas that have traditionally been its partners' turf. 
At the final day of Microsoft's worldwide partner conference here on Sunday, Microsoft CEO Steve Ballmer kicked off his morning keynote with repeated shouts of "I love you, partners!" But shortly thereafter, Ballmer warned the company's channel partners that Microsoft has its sights set on some markets that partners have had to themselves until now. Ballmer said that Microsoft is planning to make deeper forays into the business intelligence, document workflow, security and managed services arenas in the coming decade. Ballmer's revelations should come as no surprise to company watchers. Microsoft increasingly has been adding analytics capabilities to more of its Office, server and tools products in the past couple of years. Company officials have acknowledged they are planning to add document-workflow and security features to Office 12 and Windows Longhorn, which are both due next year. And Microsoft's consulting services division has been testing the first of what could become a family of managed services that Microsoft is expected to start rolling out later this year. "Things will evolve," Ballmer told partner show attendees. "Our product line and spaces where we offer solutions like business intelligence and security need to evolve. "We need to evolve together," Ballmer continued. "Neither you nor we should be 100 percent committed to doing things exactly way we do today 10 years from now. We need to commit to continue to evolve, but evolve together. And we need to make sure we respect our mutual skills and talents and mutual opportunities." As part of his keynote, Microsoft invited three partners to participate in an on-stage panel. Two of the three asked Ballmer about Microsoft's intentions regarding competition with its partner base. "We [Microsoft] are extending the footprint of our horizontal, very general business products," Ballmer acknowledged. "But we don't think that should be an issue for us and the partners in this room. 
Maybe an issue between us and Oracle, or us and SAP, but not between us and partners in this room." On the line-of-business applications front, Microsoft has been trying to steer its partners to build on top of its ERP (enterprise resource planning) and CRM (customer relationship management) products, as opposed to continuing to develop their own application technology. Ballmer said Microsoft's goal is to continue to work equally well with partners whether they integrate vertically with Microsoft's stack or prefer to build horizontally. From isn at c4i.org Mon Jul 11 04:10:04 2005 From: isn at c4i.org (InfoSec News) Date: Mon Jul 11 04:16:29 2005 Subject: [ISN] Researchers, vendors, ISPs attack 'Net attackers Message-ID: http://www.networkworld.com/news/2005/070805-sruti.html By Tim Greene NetworkWorld.com 07/08/05 Some of the best Internet minds in the world met Thursday to discuss a wide range of methods to rid the Web of malicious traffic. The Usenix invitation-only workshop, called Steps to Reducing Unwanted Traffic on the Internet (SRUTI), brought together more than 50 academics from all over the world as well as technical staff from equipment vendors and ISPs to develop methods to cut down on spam, viruses, worms and distributed denial-of-service (DDoS) attacks - methods that are practical at an operational level. ("Sruti," by the way, is a Sanskrit word meaning "that which is heard.") Participants exposed fresh ideas to expert criticism, sometimes resulting in helpful suggestions and sometimes pointing out significant problems. One promising proposal would help wipe out the bulk of DDoS attacks near their sources, but not those attacks in which the aggressor machines use spoofed IP addresses. Even though the proposal wouldn't block all attacks, it was still considered feasible because it would mitigate the bulk of DDoS exploits that rely on networks of unspoofed zombie machines - botnets - to fire off the attacks. 
On the flip side, another presentation advanced a relatively simple method of encrypting e-mail that would also authenticate the sender and receiver. But this was pretty much shot down when one attendee pointed out that encrypting e-mail would render useless spam filters that search content and subject lines for key words. "You have just proposed an excellent tool for spammers," he said. The author didn't have an answer for that. Practicality seemed the watchword for the day. The author of the presentation on blocking DDoS attacks said there have been proposals that would be extremely effective if there were separate IP address spaces for servers and clients. "This has real possibilities if only we were redesigning the Internet from scratch," said Mark Handley, a researcher from University College London in the U.K. Instead, Handley's proposal would introduce devices near Internet servers and at the edge routers of ISPs to mark and monitor traffic to the servers. When a DDoS attack was detected, these devices would shut down at the edge router traffic from addresses identified as the source of the attack. These devices could effectively reduce DDoS traffic within a single ISP's network, Handley said. This enforcement could be extended to other ISPs and block attacks even closer to the source if the ISPs involved could develop enough trust to share knowledge about their networks, he said. While DDoS drew much attention, SRUTI presenters also focused much of their time on spam, which accounts for the vast majority of e-mail crossing the Internet. Dealing with spam One researcher described a way to analyze the senders and recipients of e-mail in conjunction with a traditional spam filter to boost the overall effectiveness of spam protection. The algorithm reduces the amount of good e-mail that is identified as spam by about 20%, according to Jussara Almeida, a researcher at Universidade Federal de Minas Gerais in Brazil. 
"This is important since the cost of false positives is usually believed higher than the cost of false negatives," she said. The study by her team divided senders and recipients into groups based on who routinely receives legitimate e-mail from whom. The memberships of these groups - essentially contact lists - are more stable than criteria used for other screening methods such as looking for keywords, Almeida said. Spammers can change the words selected for spam to duck keyword filters, but establishing themselves as members of trusted groups is more difficult, she said. The algorithm weighs the probability that any message sent from a certain group of senders to a specific group of recipients is spam. It is effective at sorting a certain percentage as definitely spam and definitely not spam, with a gray area in between. The researchers are working to tweak the algorithm to reduce the size of the gray area, she said. A similar method of sorting IP voice-mail spam - spam over IP telephony, or SPIT - also relies on senders and receivers. This is key in filtering SPIT because the point is to get rid of the unwanted messages without having to waste time listening to them, which would be required if the content were examined. "You don't have to look at content to get a pretty good idea of what is going on," said Steve Bellovin, a professor at Columbia University and a moderator at SRUTI. "This has been useful in the intelligence community for years." Researchers from University of North Texas, Denton, have come up with a voice spam detection server they say can identify a spitter after just three calls to users in a group, such as a corporation. The server analyzes where calls are from and whether those sources are likely to be spam based on the experience users have had with calls from the same source, said Ram Dantu, a researcher at the university. 
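Handley's edge-filtering proposal, described earlier in this article, can be sketched in a few functions: a monitor beside the server aggregates traffic per source over a window, raises an alarm when the inbound rate is a multiple of its normal baseline, and hands the dominant source addresses to a block list applied at the ISP edge. The following is an added example written for this digest, not code from the SRUTI paper or from Handley's group; the addresses, rates, thresholds and the 10x detection factor are all constructed for the demonstration. It also shows the limitation the workshop noted: a flood that spreads its volume over many spoofed sources trips the alarm but yields no address to block.

```python
"""Source-based DDoS mitigation near the server and at the ISP edge (added example)."""
from collections import Counter

SERVER = "203.0.113.10"      # protected server (TEST-NET-3 address, constructed)
BASELINE_PPS = 100           # normal packets/second seen by the monitor (assumed)

# Constructed one-second flow summaries: (src_ip, dst_ip, packets).
# Five legitimate clients at 10 pps plus eight unspoofed zombies at 1000 pps.
BOTNET_WINDOW = (
    [(f"192.0.2.{i}", SERVER, 10) for i in range(1, 6)]
    + [(f"198.51.100.{i}", SERVER, 1000) for i in range(1, 9)]
)

# Same attack volume, but the 8000 packets carry 800 different spoofed sources.
SPOOFED_WINDOW = (
    [(f"192.0.2.{i}", SERVER, 10) for i in range(1, 6)]
    + [(f"10.{i // 256}.{i % 256}.1", SERVER, 10) for i in range(800)]
)


def packets_per_source(window, server):
    """Aggregate the window's packet counts per source for one destination."""
    per_src = Counter()
    for src, dst, packets in window:
        if dst == server:
            per_src[src] += packets
    return per_src


def attack_detected(window, server, baseline_pps, factor=10):
    """Alarm when the server's inbound rate reaches `factor` times its baseline."""
    total = sum(packets_per_source(window, server).values())
    return total >= baseline_pps * factor


def identify_sources(window, server, min_share=0.05):
    """Sources carrying at least `min_share` of the traffic to the server.

    Spoofed floods spread the volume over many addresses, so no single one
    reaches the share threshold and the list comes back empty.
    """
    per_src = packets_per_source(window, server)
    total = sum(per_src.values())
    if total == 0:
        return []
    return sorted(src for src, n in per_src.items() if n / total >= min_share)


class EdgeFilter:
    """Block list applied at the ISP edge router, with per-entry expiry."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self.expiry = {}  # src_ip -> time at which the block lapses

    def block(self, sources, now):
        for src in sources:
            self.expiry[src] = now + self.ttl

    def allows(self, src, now):
        until = self.expiry.get(src)
        if until is None:
            return True
        if now >= until:
            del self.expiry[src]   # lapsed entry: traffic from it flows again
            return True
        return False


def respond(window, server, baseline_pps, edge, now):
    """Run one monitoring cycle; return the sources newly pushed to the edge."""
    if not attack_detected(window, server, baseline_pps):
        return []
    sources = identify_sources(window, server)
    edge.block(sources, now)
    return sources


def demo(now=100):
    """Drive a botnet cycle and a spoofed cycle; report what the edge then does."""
    edge = EdgeFilter(ttl_seconds=60)
    blocked = respond(BOTNET_WINDOW, SERVER, BASELINE_PPS, edge, now)
    spoofed_blocked = respond(SPOOFED_WINDOW, SERVER, BASELINE_PPS, edge, now + 1)
    return {
        "blocked": blocked,                      # the eight zombies
        "spoofed_blocked": spoofed_blocked,      # nothing: shares are too small
        "zombie_allowed_now": edge.allows("198.51.100.3", now + 10),
        "client_allowed_now": edge.allows("192.0.2.1", now + 10),
        "zombie_allowed_later": edge.allows("198.51.100.3", now + 60),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The share threshold, not the absolute rate, is what decides who gets blocked: that keeps low-rate legitimate clients off the list during an attack, and it is also exactly why a randomly spoofed flood is invisible to this scheme.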
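The group-based scoring Almeida describes above can be made concrete: addresses that routinely exchange legitimate mail are merged into groups, each message is scored by how often mail from its sender's group to its recipient's group has been spam, and only scores in the middle "gray" band are handed to a traditional content filter. The block below is an added example written for this digest, not the Minas Gerais team's code; the mail history, the 0.25/0.75 band edges and the smoothing toward the overall spam prior are constructed for the demonstration. A sender that nobody has ever legitimately corresponded with has no group history, so it scores the prior and lands in the gray band rather than being trusted.

```python
"""Group-based spam scoring with a gray zone (added example)."""
from collections import defaultdict


class Groups:
    """Union-find over legitimate sender->recipient links.

    Lookups may compress paths but never change which group an address is in;
    an address that was never seen in legitimate mail is its own group.
    """

    def __init__(self):
        self.parent = {}

    def find(self, addr):
        root = addr
        while self.parent.get(root, root) != root:
            root = self.parent[root]
        while self.parent.get(addr, addr) != root:   # path compression
            nxt = self.parent[addr]
            self.parent[addr] = root
            addr = nxt
        return root

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


# Constructed mail history: (sender, recipient, labelled_as_spam).
HISTORY = [
    ("alice@corp.example", "bob@corp.example", False),
    ("bob@corp.example", "alice@corp.example", False),
    ("alice@corp.example", "carol@corp.example", False),
    ("vendor@supplier.example", "bob@corp.example", False),
    ("vendor@supplier.example", "bob@corp.example", False),
    ("dave@partner.example", "erin@partner.example", False),
    ("erin@partner.example", "dave@partner.example", False),
    ("promo1@bulk.example", "alice@corp.example", True),
    ("promo1@bulk.example", "bob@corp.example", True),
    ("promo2@bulk.example", "carol@corp.example", True),
    ("promo2@bulk.example", "bob@corp.example", True),
    ("promo3@bulk.example", "erin@partner.example", True),
]


def build_model(history, alpha=1.0):
    """Derive groups from legitimate mail only, then count spam per group pair."""
    groups = Groups()
    for sender, recipient, is_spam in history:
        if not is_spam:               # spam never earns anyone group membership
            groups.union(sender, recipient)
    counts = defaultdict(lambda: [0, 0])   # (sender_grp, recipient_grp) -> [spam, total]
    for sender, recipient, is_spam in history:
        key = (groups.find(sender), groups.find(recipient))
        counts[key][1] += 1
        counts[key][0] += int(is_spam)
    prior = sum(int(is_spam) for _, _, is_spam in history) / len(history)
    return {"groups": groups, "counts": dict(counts), "prior": prior, "alpha": alpha}


def spam_probability(model, sender, recipient):
    """P(spam | sender group, recipient group), smoothed toward the overall prior."""
    groups = model["groups"]
    key = (groups.find(sender), groups.find(recipient))
    spam, total = model["counts"].get(key, (0, 0))
    return (spam + model["alpha"] * model["prior"]) / (total + model["alpha"])


def classify(model, sender, recipient, ham_max=0.25, spam_min=0.75):
    """'ham' (definitely not spam), 'spam', or 'gray' for the content filter."""
    p = spam_probability(model, sender, recipient)
    if p >= spam_min:
        return "spam"
    if p <= ham_max:
        return "ham"
    return "gray"


def triage(model, sender, recipient, content_filter_says_spam):
    """Combine with a traditional filter, whose verdict counts only in the gray band."""
    verdict = classify(model, sender, recipient)
    if verdict == "gray":
        return "spam" if content_filter_says_spam else "ham"
    return verdict


MODEL = build_model(HISTORY)

if __name__ == "__main__":
    for s, r in [("alice@corp.example", "bob@corp.example"),
                 ("vendor@supplier.example", "carol@corp.example"),
                 ("promo1@bulk.example", "carol@corp.example"),
                 ("newcomer@unknown.example", "alice@corp.example")]:
        print(f"{s} -> {r}: p={spam_probability(MODEL, s, r):.2f} {classify(MODEL, s, r)}")
```

Note that vendor@supplier.example has never mailed carol@corp.example, yet the message scores as ham because both belong to the same legitimate-mail group; that generalisation across a group is what makes the membership criterion harder for a spammer to forge than a choice of keywords.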
Other ideas floated at the workshop ranged from setting up honeypots to lure in spammers and then tie up their resources, to simulating network congestion to see how suspicious traffic streams respond as a way to determine whether a person is behind the session or a zombie machine sending automated responses. In aggregate the 13 papers presented last week represent a springboard for producing a faster Internet, said Dina Katabi, co-chairman of the workshop. "I think the talks have proposed promising solutions that address important problems," she said. From isn at c4i.org Tue Jul 12 06:11:28 2005 From: isn at c4i.org (InfoSec News) Date: Tue Jul 12 06:19:04 2005 Subject: [ISN] DHS information security plans lacking, GAO says Message-ID: http://www.govexec.com/dailyfed/0705/0701105p1.htm By Daniel Pulliam dpulliam at govexec.com July 11, 2005 The Homeland Security Department has yet to establish an adequate information security program, congressional auditors found after spending nearly a year reviewing its cybersecurity policies and plans. Since the formation of Homeland Security in 2003, the department has struggled to manage its various components' computer systems, according to a new Government Accountability Office report. Complying with the 2002 Federal Information Security Management Act and guidance from the Office of Management and Budget for securing computer systems has proven to be difficult. Failure to implement established security policies has limited the department's ability to protect its information, the report (GAO-05-700) [1] stated. "Until DHS addresses these weaknesses and fully implements a comprehensive, departmentwide information security program, its ability to protect the confidentiality, integrity and availability of its information and information systems will be limited," the report stated. The report, requested by Sen. 
Joseph Lieberman, D-Conn., ranking member of the Senate Homeland Security and Governmental Affairs Committee, commended DHS for making "significant progress in developing and documenting a departmentwide information security program," but noted that weaknesses continue to threaten the security of its computer systems. On Monday, Lieberman urged the department to follow GAO's recommendations. "How can the department possibly protect the nation's critical cyberstructure if it cannot keep its own house in order?" Lieberman said. "More than two years after the department was formed, it should have a better grasp on protecting its own systems and information." The 36-page review assessed four major DHS components - the US VISIT program, the Immigration and Customs Enforcement bureau, the Transportation Security Administration, and the Emergency Preparedness and Response division - in five areas of security practices and management. In the five areas - assessing risks, security plans, security testing and evaluations, corrective action plans, and continuity of operation plans - no component was satisfactory in more than two areas. The report stated that DHS has developed policies that could serve as a framework for a security program, but gaps in those plans prevent its implementation. Homeland Security received an F grade in cybersecurity [2] along with seven other agencies rated by a congressional committee in February. In a response to the GAO report, Robert West, DHS chief information security officer, wrote that the department is doing more than just documenting an information security program. West cited the success of a pilot certification and accreditation program and a departmentwide inventory of systems and applications, scheduled to be completed in August. 
[1] http://www.gao.gov/new.items/d05700.pdf [2] http://www.govexec.com/dailyfed/0205/021605p1.htm From isn at c4i.org Tue Jul 12 06:11:58 2005 From: isn at c4i.org (InfoSec News) Date: Tue Jul 12 06:19:27 2005 Subject: [ISN] Iron Mountain Loses More Tapes Message-ID: http://www.informationweek.com/story/showArticle.jhtml?articleID=165701015 By Steven Marlin InformationWeek July 8, 2005 City National Bank has become the second company in two months to experience a loss of backup tapes in transit by Iron Mountain Inc. The Los Angeles-based bank disclosed Thursday that two tapes containing sensitive data, including Social Security numbers, account numbers, and other customer information, were lost during transport to a secure storage facility. The bank said the data was formatted to make the tapes difficult to read without highly specialized skills, but declines to say if they were encrypted. It said there's no evidence that data on the tapes has been compromised or misused. Iron Mountain said it lost the tapes in April. The tapes were in a small container of backup tapes belonging to a Texas-based Internet services provider that hosts applications for City National and other banks. The incident has been investigated by federal law-enforcement officials and no evidence has been found of identity-theft relating to the loss. In May, Time Warner revealed that tapes containing data, including names and Social Security numbers, on 600,000 current and former employees disappeared in March while being shipped to an offsite storage facility operated by Iron Mountain. Other lost-tape incidents that have made headlines this year have involved Bank of America, Citigroup, and Ameritrade. In a letter to customers, City National said it was conducting a comprehensive review of its security procedures. "Clearly, information security is a growing concern throughout business everywhere," the letter said. 
Iron Mountain, in a statement, said, "Given the criticality of disaster recovery and the need for privacy protection, we continue to recommend that companies encrypt back-up tapes that contain personal information." Under California's Security Breach Notification law, companies are required to provide notice of a breach in the security of data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. In providing notification, City National did "more than was required" on behalf of our clients, a spokeswoman says. A bill introduced last month in Congress would require such notification, but exempts companies if a risk assessment conducted with law enforcement determines that the risk of fraud is minimal. It also exempts companies if compromised data can't be used to commit fraud or if the company has a security program reasonably designed to block the data's use for fraudulent transactions. Only 7% of businesses encrypt all backup tapes, according to Enterprise Strategy Group. Alternatives to backup tapes, such as electronic disk backups, are being used by many companies; Citigroup is starting to use it this month following its tape-loss incident. AmeriVault Corp., a provider of disk-based backup systems, is recommending that customers prioritize applications for backup purposes and designate the most critical ones for disk backup and less-critical ones for tape. "You don't need to rely on one solution," says AmeriVault president and CEO Bud Stoddard. Prioritization, he says, "allows you to protect 10% to 20% of your data electronically instead of relying on trucks and tapes." 
From isn at c4i.org Tue Jul 12 06:12:13 2005 From: isn at c4i.org (InfoSec News) Date: Tue Jul 12 06:19:47 2005 Subject: [ISN] UK's NASA hacker breaks his silence Message-ID: http://software.silicon.com/security/0,39024655,39150245,00.htm By Jo Best 11 July 2005 The British man thought to have hacked into 53 US government agencies' computer systems has spoken out about his discoveries in Nasa's networks. The 39-year-old from north London told The Guardian he initially started his hacking career when looking for evidence of a UFO cover-up. Using a software program, Gary McKinnon was able to discover senior network administrators who didn't use passwords. "You get on to easy networks, like Support and Logistics, in order to exploit the trust relationship that military departments have between each other, and once you get on to an easy thing, you find out what networks they trust and then you hop and hop and hop, and eventually you think, 'That looks a bit more secretive'," McKinnon told The Guardian. McKinnon said he was eventually able to access the US' Space Command network, where he found evidence of an extra terrestrial mission. "I found a list of officers' names," he claims, "under the heading 'Non-Terrestrial Officers'... What I think it means is not earth-based. I found a list of 'fleet-to-fleet transfers' and a list of ship names. I looked them up. They weren't US Navy ships. What I saw made me believe they have some kind of spaceship, off-planet." McKinnon, however, said he can't remember much about the project as he had been "smoking a lot of dope at the time". The hacker has also denied that he had made Washington's computer system inoperable, although he did admit he may have deleted some government files by accidentally pressing the wrong key. While McKinnon is facing the possibility of up to 70 years in jail, it seems Nasa has more to worry about than the British man known as 'Solo' in the hacking community. 
McKinnon continued: "Once you're on the network, you can do a command called NetStat - Network Status - and it lists all the connections to that machine. There were hackers from Denmark, Italy, Germany, Turkey, Thailand... every night for the entire five to seven years I was doing this." From isn at c4i.org Tue Jul 12 06:12:43 2005 From: isn at c4i.org (InfoSec News) Date: Tue Jul 12 06:20:09 2005 Subject: [ISN] Long-lived hacker mag shuts down Message-ID: http://news.com.com/Long-lived+hacker+mag+shuts+down/2100-7349_3-5783383.html By Will Sturgeon Special to CNET News.com July 11, 2005 Hacker magazine Phrack is to close its doors after almost 20 years serving the darker side of the Internet and communications community. Yet the antivirus and security industries are coming out to say they will be sorry to see the back of the title that was run by, and for the benefit of, those they seek to thwart. In its earliest days, the magazine dealt with issues such as phone "phreaking," or cracking the telephone networks to make long-distance calls, for example. In later times, it became a community space for those writing malicious code and sharing exploit information. Its popularity was a bonus for those involved in the war against cybercrime, and its disappearance will remove the most immediate insight into the thinking of the hacker community. Pete Simpson, ThreatLab manager at security company Clearswift, said he is very surprised to see Phrack disappear. He added that a world without the journal is actually less secure. "Phrack's visibility was a blessing in disguise, pretty much in the same way as the Full Disclosure community," Simpson said, referring to the unmoderated Full Disclosure forum for disclosure of security information. In the past, some hackers have brought about their own downfall by feeling the need to brag about what they have done and what they are capable of. The loss of Phrack will certainly remove a coveted platform. 
But Simpson believes something else will inevitably come in to fill the gap left behind. "If Phrack as an organ does disappear, then I would expect new outlets to pop up and fill the information void," Simpson said. "There must be younger hackers able and willing to take up the mantle." Simon Perry, a security strategy executive at Computer Associates International, said: "Phrack closing its doors does reduce some visibility into the thoughts of the 'dark side.'" While it will always be possible to find anything relating to hacking "if you search long and hard enough" online, Perry said, "Phrack was great as a 'one-stop shop.'" And as long as both sides of the fight knew what and where that shop was, it created a more level playing field. But Perry added that a lack of clarity about why Phrack has made this decision could still be a cause of concern. "I note that even on their Web site they say they might be back in 2006 or 2007," he said. That could indicate they "have something better to do" in the meantime, which may make for a case of 'watch this space' for the security industry, he added. The 63rd and final edition of Phrack will come out as a hardback collectors copy and will be available to attendees at the DefCon conference in Las Vegas between July 29 and 31, as well as at the What The Hack conference in the Netherlands from July 28 to 31. Will Sturgeon of Silicon.com reported from London. 
From isn at c4i.org Tue Jul 12 06:13:24 2005 From: isn at c4i.org (InfoSec News) Date: Tue Jul 12 06:21:12 2005 Subject: [ISN] DOD cyberwarriors in a war of attrition Message-ID: Forwarded from: William Knowles http://www.fcw.com/article89526-07-11-05-Web By Frank Tiboni July 11, 2005 Military officials can better protect their communications systems by building fake networks or Honeynets to divert adversaries away from critical systems and to gain intelligence on their attack methods, a top official in the Defense Department's cyberdefense organization suggests in a new paper. The new computer defense strategy is called Net Force Maneuver. "For Net Force Maneuver, our objective is to draw the adversaries away from real, mission-critical systems while learning as much about their attack techniques and capabilities as possible," said Army Col. Carl Hunt, director of technology and analysis/J-9 in the Joint Task Force for Global Network Operations (JTF-GNO), in the paper "Net Force Maneuver: A NetOps Construct." To use Net Force Maneuver, military officials must better understand their networks, the technologies available to better operate them and their adversaries' capabilities, Hunt said. He co-wrote the paper with Doug Gardner, director of the Applied Technology Unit in JTF-GNO, and Jeffrey Bowes, technical director of the Joint Information Operations Division of Northrop Grumman's Information Technology TASC unit. The paper appeared in the 2005 Information Assurance Proceedings publication produced for the Institute of Electrical and Electronics Engineers Computer Society's Systems, Man and Cybernetics IA Workshop held in June at the U.S. Military Academy at West Point, but was announced at the Army IT Conference in Las Vegas earlier that month. Hunt also describes the military's current computer network defense strategy as a battle against attrition. 
"Unfortunately, attrition is a reasonable characterization of our defensive computer network strategy today, with one major caveat," he said. "With the exception of an occasional arrest, our adversaries are able to inflict a substantial amount of harassment and a measurable amount of damage upon DOD communications networks at practically no cost to themselves." Hunt went on to say, "It's probably only a slight exaggeration to say we are fighting an attrition battle where we are the only ones being attrited." *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* From isn at c4i.org Tue Jul 12 06:13:02 2005 From: isn at c4i.org (InfoSec News) Date: Tue Jul 12 06:21:43 2005 Subject: [ISN] Fear, Anger, Distrust Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,103060,00.html Opinion by Frank Hayes JULY 11, 2005 COMPUTERWORLD Can your users change when it comes to security? Yes, probably. At least that's what two surveys that came out last week suggest. The Pew Internet & American Life Project polled 1,300 Internet users about spyware and related problems (the results are online at Pewinternet.org). Meanwhile, Computerworld.com columnist Larry Ponemon reported on a Ponemon Institute survey of 400 people who were victims of a personal data breach [QuickLink 55301] [1]. Neither study is intended to be about changing what users do. But the lessons they offer in that line are pretty compelling. Unfortunately, you may not much like those lessons. See, the main thing that's clear from both studies is that fear, anger and distrust are what motivate users to change. 

In the Pew survey, 91% of users said fears about malware have made them change how they deal with e-mail, the Web, downloads and even software user agreements. And, according to the Ponemon survey, most of those whose personal information is leaked will dump the bank, credit card or other company that exposed their data.

So users will change -- if they get afraid, angry or distrustful. That might be useful in getting them to stop doing risky, insecure things. But only if you make sure they're not afraid, angry or distrustful in your direction.

So threatening them with punishment for breaking security rules won't work. Neither will trying to force them to obey or lying to them. No wonder IT's standard techniques for getting users to behave always fail. They're exactly the wrong approach.

Then what might work? Beyond fear, anger and distrust, there are some other useful insights to be gleaned from these studies:

* Users like the personal touch. According to the Ponemon survey, users who got a phone call after their personal data was exposed were much more likely to trust the company than were users who just got a written notice. Lesson for IT: Memos don't work. Personal contact is expensive, and lots of IT people could use some polish on their people skills. But if you want to change behavior, you'll need to do it one on one.

* Users drag their feet, but they want a quick response from others. The Pew survey says two-thirds of users will wait a week or more before dealing with a suspected spyware infection, and 20% will never deal with it. But the Ponemon results say users resent any delay in being informed of a security breach. Lesson: You need to respond fast, then convey that urgency to users so they'll call you as soon as they suspect a problem instead of letting it fester.

* Users pass the buck. Pew says users often blame friends or family for spyware infections. ("Nope, it's not my fault.") Lesson: Never mind the blame for past problems.
Focus on things that "we" -- meaning users and IT staffers -- can do to avoid this problem going forward.

* Users do better with follow-ups. In fact, Ponemon says that 82% of users expected more help than they got after their data was exposed. Lesson: Don't do just enough. Don't tell them just once. Remind them. Repeat the message. Then check back to reinforce it with a positive spin. ("Everything working OK? Still keeping an eye out for those bad e-mail attachments?")

* Finally, users want more information. Really. Ponemon says 67% of users thought the information they got after a security breach was incomplete or unreliable. Pew says 60% of users who have spywarelike problems can't figure out what's wrong. Lesson: Give users that information. Make it straight, clear and useful. Ask for questions. Make sure users understand your answers. You want them to clearly grasp security threats and the damage they can do.

After all, now that you know the strongest motivators of change for users, you want their fear, anger and distrust aimed squarely at security threats -- where they belong.

-=-

Frank Hayes, Computerworld's senior news columnist, has covered IT for more than 20 years. Contact him at frank_hayes at computerworld.com.

[1] http://www.computerworld.com/q?55301

From isn at c4i.org Wed Jul 13 06:14:56 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jul 13 06:23:20 2005
Subject: [ISN] Whitehall Fails to Plug IT Theft
Message-ID:

http://www.egovmonitor.com/node/1843

By eGov monitor Newsdesk
11 July, 2005

Most computers stolen from the Home Office, show Government statistics

Central government departments have reported to have suffered at least 150 cases of computer theft in the last six months, according to official figures.

The Home Office alone recorded 95 incidents of computer items being stolen between January and June 2005 - equivalent to a theft taking place in the Department every other day.

By comparison, the Ministry of Defence reported 23 computer thefts to date in 2005, down from a total of 153 in the previous year.

Ministers made the disclosures in response to a series of parliamentary questions tabled by Liberal Democrat MP Paul Burstow into incidents of computer hacking, fraud and theft in each department.

In a written answer, Doug Touhig, a junior minister at the MoD, said the Ministry had also experienced 30 attempted computer hacking incidents so far in 2005, having only reported 36 for the whole of 2004.

However the Minister gave an assurance that "none of the reported incidents of hacking had any operational impact". Most of these incidents were due to internal security breaches, rather than external threats. Half of the cases were classed as "internal - misuse of resources".

Instances of reported computer thefts in other departments were in single figures so far this year, and most recorded no cases of IT systems being accessed illegally.

The Department for Transport said it had experienced 71 cases of computer hacking in 2003-4, 31 in the following year and one incident since April.

The Treasury, the Department for International Development and the Department for Education and Skills said their IT systems had been breached on one occasion in 2004-5.

Figures from the DfES show that in the two years since 2003/4, it experienced 37 incidents of computer theft, all but one of which were "perpetrated by insiders".

The Department of Health said it did not distinguish between losses and theft of IT equipment, but said there were 44 such incidents in 2004-5, costing it almost £40,000. Figures provided by Health Minister Jane Kennedy put the total sum lost by the Department over the last four years at £233,000.

From isn at c4i.org Wed Jul 13 06:15:13 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jul 13 06:23:32 2005
Subject: [ISN] Microsoft patches IE, Word, Windows
Message-ID:

http://www.computerworld.com/securitytopics/security/holes/story/0,10801,103158,00.html

By Robert McMillan
JULY 12, 2005
IDG NEWS SERVICE

Microsoft Corp. has released three software updates that patch critical security flaws in its products, including a patch for an Internet Explorer vulnerability first reported last week.

The company also released patches for Microsoft Word and for a feature of the Windows operating system used by a number of applications.

All three of the patches, which Microsoft calls "updates," are rated "critical," meaning that the flaws they fix could allow malicious code to be installed on a user's computer with very little user action.

The updates, released as part of the company's monthly security bulletin [1], affect current versions of Windows and Internet Explorer as well as some older versions of Word, according to Stephen Toulouse, security program manager at Microsoft's security response center.

The Internet Explorer and Windows patches appear to be the most significant, since the flaws they address could be used by an attacker to take control of a user's system via a maliciously encoded Web page, said Neel Mehta, team leader of X-Force research at security vendor Internet Security Systems Inc. (ISS) in Atlanta.

The Internet Explorer bug is significant because security experts have already shown a way that it could be exploited by an attacker, he said. Last week, Microsoft issued a work-around to the problem, which concerns a file used by Internet Explorer called Javaprxy.dll. Today's patch fixes the underlying problem, Mehta said.

ISS is also concerned about the Windows vulnerability, which relates to a feature called the Microsoft Color Management Module.
This software is used to ensure that colors look the same when they are being rendered on different types of hardware and is employed by a number of widely used applications, including Microsoft Outlook and Internet Explorer, Mehta said.

"Our initial analysis shows it being pretty conducive to exploitation," Mehta said. "Any application that uses the built-in Windows facilities to show JPEG images, or possibly some other images, could be an attack vector for this vulnerability."

In fact, Microsoft has already privately been made aware of exploits of this flaw, Toulouse said.

The Word vulnerability, which could allow an attacker to gain control of a user's system when a maliciously encoded Word document is opened, doesn't affect the most recent version of the word processor. However, users of Word 2000 and 2002 will need to install the patch, Toulouse said.

The three patches are detailed in Microsoft Security Bulletins MS05-35, MS05-36 and MS05-37. A new version of a previously released bulletin entitled MS05-33 was also released after Microsoft discovered that the Windows bug that it addresses also affects the company's Services for Unix 2.0 and 2.1 products, Toulouse said.

All three of the patches will probably require a reboot in order to take effect, Toulouse said. "If the files are in use when the update is applied, and in these cases they're pretty much going to be, that is what forces a reboot," he said.

[1] http://www.microsoft.com/technet/security/bulletin/ms05-jul.mspx

From isn at c4i.org Wed Jul 13 06:15:25 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jul 13 06:23:44 2005
Subject: [ISN] Major Oracle Patch Covers Enterprise Products, Database Server
Message-ID:

http://www.eweek.com/article2/0,1895,1836304,00.asp

By Lisa Vaas
July 12, 2005

Oracle has released a set of 49 patches that addresses new flaws in multiple versions of its Database Server, Application Server, Collaboration Suite, E-Business and Applications, and Enterprise Manager products.

The patches are available on OTN (the Oracle Technology Network) [1].

The product flaws vary in terms of exploitability. Oracle Database has 12 flaws, including a flaw in Database 10g's Oracle OLAP (online analytical processing) that requires Database privilege - execute on olapsys - but which, according to Oracle's posting, is both easily accessible and would have a wide impact.

Oracle's Application Server also has a dozen flaws that span the range in terms of authorization required, severity of impact and ease of exploitation. Collaboration Suite has six flaws and E-Business Suite has 17, while Enterprise Manager has two.

The new database vulnerabilities addressed by this Critical Patch Update don't affect Oracle Database Client-only installations (installations that don't have the Oracle Database Server installed). Therefore, according to Oracle's posting, it is not necessary to apply this Critical Patch Update to client-only installations if a prior Critical Patch Update, or Alert 68, has already been applied to the client-only installations.

The Oracle Database Server, Enterprise Manager and Oracle Application Server patches are cumulative, containing all fixes from the previous Critical Patch Update. Not so for E-Business Suite or Collaboration Suite patches, however, so customers using these products should refer to previous Critical Patch Updates to identify previous fixes they need to apply.

This is the third of Oracle's Critical Patch Updates since the company started cumulative patch releases in January.

Jon Oltsik, an analyst at Enterprise Strategy Group, said that Oracle customers are mostly comfortable with Oracle's new patching strategy, but they would like Oracle to be more proactive with emergency patches.

"If any are high impact, if I were a customer and had a major investment in Oracle, I wouldn't want to wait around for the cumulative patch release," he said. "I want to know about them immediately and apply them immediately."

In contrast, Microsoft offers custom services for big enterprise customers. Oracle has resisted that, Oltsik said, since it's more difficult from a process perspective to offer such services.

"[But] if I'm a big customer, I don't care about your processes," he said. "If I'm buying from you, give me good service."

"People tend to criticize Microsoft from [the standpoint of] general security and number of vulnerabilities," Oltsik said. "But from [the perspective of] patching and management strategies, they're very, very good and flexible. I'd say, more so than Oracle."

[1] http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html

From isn at c4i.org Wed Jul 13 06:15:42 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jul 13 06:23:56 2005
Subject: [ISN] Worse Than Death
Message-ID:

http://www.nytimes.com/2005/07/12/opinion/12tierney.html

By JOHN TIERNEY
tierney@nytimes.com
July 12, 2005

Last year a German teenager named Sven Jaschan released the Sasser worm, one of the costliest acts of sabotage in the history of the Internet. It crippled computers around the world, closing businesses, halting trains and grounding airplanes.

Which of these punishments does he deserve?

A) A 21-month suspended sentence and 30 hours of community service.
B) Two years in prison.
C) A five-year ban on using computers.
D) Death.
E) Something worse.

If you answered A, you must be the German judge who gave him that sentence last week. If you answered B or C, you're confusing him with other hackers who have been sent to prison and banned from using computers or the Internet. But those punishments don't seem to have deterred hackers like Mr. Jaschan from taking their place.

I'm tempted to say that the correct answer is D, and not just because of the man-years I've spent running virus scans and reformatting hard drives.

I'm almost convinced by Steven Landsburg's cost-benefit analysis showing that the spreaders of computer viruses and worms are more logical candidates for capital punishment than murderers are.

Professor Landsburg, an economist at the University of Rochester, has calculated the relative value to society of executing murderers and hackers. By using studies estimating the deterrent value of capital punishment, he figures that executing one murderer yields at most $100 million in social benefits.

The benefits of executing a hacker would be greater, he argues, because the social costs of hacking are estimated to be so much higher: $50 billion per year. Deterring a mere one-fifth of 1 percent of those crimes - one in 500 hackers - would save society $100 million. And Professor Landsburg believes that a lot more than one in 500 hackers would be deterred by the sight of a colleague on death row.

I see his logic, but I also see practical difficulties. For one thing, many hackers live in places where capital punishment is illegal. For another, most of them are teenage boys, a group that has never been known for fearing death. They're probably more afraid of going five years without computer games.

So that leaves us with E: something worse than death. Something that would approximate the millions of hours of tedium that hackers have inflicted on society.

Hackers are the Internet equivalent of Richard Reid, the shoe-bomber who didn't manage to hurt anyone on his airplane but has been annoying travelers ever since. When I join the line of passengers taking off their shoes at the airport, I get little satisfaction in thinking that the man responsible for this ritual is sitting somewhere by himself in a prison cell, probably with his shoes on. He ought to spend his days within smelling range of all those socks at the airport.

In an exclusive poll I once conducted among fellow passengers, I found that 80 percent favored forcing Mr.
Reid to sit next to the metal detector, helping small children put their sneakers back on. The remaining 20 percent in the poll (meaning one guy) said that wasn't harsh enough. He advocated requiring Mr. Reid to change the Odor-Eaters insoles of runners at the end of the New York City Marathon.

What would be the equivalent public service for Internet sociopaths? Maybe convicted spammers could be sentenced to community service testing all their own wares. The number of organ-enlargement offers would decline if a spammer thought he'd have to appear in a public-service television commercial explaining that he'd tried them all and they just didn't work for him.

Convicted hackers like Mr. Jaschan could be sentenced to a lifetime of removing worms and viruses, but the computer experts I consulted said there would be too big a risk that the hackers would enjoy the job. After all, Mr. Jaschan is now doing just that for a software security firm.

The experts weren't sure that any punishment could fit the crime, but they had several suggestions: Make the hacker spend 16 hours a day fielding help-desk inquiries in an AOL chat room for computer novices. Force him to do this with a user name at least as uncool as KoolDude and to work on a vintage IBM PC with a 2400-baud dial-up connection. Most painful of all for any geek, make him use Windows 95 for the rest of his life.

I realize that this may not be enough. If you have any better ideas, send them along.

From isn at c4i.org Wed Jul 13 06:14:38 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jul 13 06:24:14 2005
Subject: [ISN] Trial Begins in Arkansas Hacker Case
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2005/07/12/AR2005071201423.html

By DAVID HAMMER
The Associated Press
July 12, 2005

LITTLE ROCK, Ark. -- Four Acxiom Corp. employees told jurors Tuesday about their discovery that the database-management company's computer system had been penetrated, and how they responded.

The group testified as federal prosecutors opened their case against a Florida man accused of hacking into Acxiom Corp.'s system and downloading credit card numbers and other personal information.

Scott Levine, former chief executive of the bulk e-mail firm Snipermail.com Inc., based in Boca Raton, Fla., faces 144 counts from a July 2004 indictment in what prosecutors described as one of the largest computer crime cases ever.

Levine is accused of stealing 8.2 gigabytes of information from Acxiom, one of the world's largest database companies. The violations occurred from around April 2002 to August 2003.

The data included names, home addresses, phone numbers, e-mail addresses, bank and credit card numbers involving millions of individuals. But prosecutors determined that no identity fraud was committed. There was, however, a sale of information to a marketing company, prosecutors say.

Tuesday, Levine trucked several boxes of documents from U.S. District Judge William R. Wilson Jr.'s courtroom after five government witnesses testified in the case.

Jamie Holt, Jay Calloway, Dave Cramer and Steve Bour described how they discovered their data had been breached and how they reported it to the FBI and Secret Service. U.S. Attorney Bud Cummins said that turned out to be a great benefit to the investigation.

"It turned out to be advantageous to us because the FBI and Secret Service have different assets in different parts of the country, with their expertise in cybercrime," Cummins said.

Levine's former colleague at Snipermail, Jeff Berstein, also began testimony for the government Tuesday by describing Snipermail's inner workings.

After the jury was dismissed for the day, Levine's lawyer, David Garvin, asked Wilson to exclude testimony about Levine's previous role as the head of a Florida energy reseller called Friendly Power. The prosecutors argued that Snipermail essentially picked up where Friendly Power left off after it was fined $250,000.
Wilson was still considering the matter Tuesday evening.

Some of the evidence in the case is sealed and Wilson signed an order Tuesday "barring the gratuitous identification of Acxiom clients affected by the facts that give rise to this case."

The indictment alleged that Levine and six co-workers decrypted passwords to gain greater access to Acxiom data and would "incorporate the stolen data into the Snipermail system and sell the newly acquired information together with their existing data to Snipermail clients."

The counts against Levine included unauthorized access of a protected computer, conspiracy, access device fraud, money laundering and obstruction of justice.

© 2005 The Associated Press

From isn at c4i.org Wed Jul 13 06:16:26 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jul 13 06:24:28 2005
Subject: [ISN] PacSec/core05 Call For Papers
Message-ID:

Forwarded from: Dragos Ruiu

English url: http://pacsec.jp/speakers.html?LANG=ENGLISH
Japanese url: http://pacsec.jp/speakers.html?LANG=JAPANESE

PacSec/core05 CALL FOR PAPERS

World Security Pros To Converge on Japan November 15/16

TOKYO, Japan -- To address the increasing importance of information security in Japan, the best known figures in the international security industry will get together with leading Japanese researchers to share best practices and technology. The most significant new discoveries about computer network hack attacks and defenses will be presented at the third annual PacSec conference.

The PacSec/core05 meeting provides an opportunity for foreign specialists to be exposed to Japanese innovation and markets, and to collaborate on practical solutions to computer security issues. In a relaxed setting with a mixture of material bilingually translated into both English and Japanese, the eminent technologists can socialize and attend training sessions.

Announcing the opportunity to submit papers for the third annual PacSec/core05 network security training conference.

The conference will be held November 15/16th in Tokyo at the Aoyama Diamond Hall. The conference focuses on emerging information security tutorials - it will be a bridge between the international and Japanese information security technology communities.

Please make your paper proposal submissions before Aug 1 2005. Slides for the papers must be submitted by October 1st 2005. The conference is November 15th and 16th 2005; presenters need to be available in the days before to meet with interpreters.

Some invited papers have been confirmed, but a limited number of speaking slots are still available. The conference is responsible for travel and accommodations for the speakers. If you have a proposal for a tutorial session then please email a synopsis of the material and your biography, papers, and speaking background to core05@pacsec.jp. Tutorials are one hour in length, but with simultaneous translation should be approximately 45 minutes in English, or Japanese. Only slides will be needed for the October paper deadline; full text does not have to be submitted.

The PacSec/core05 conference consists of tutorials on technical details about current issues, innovative techniques and best practices in the information security realm. The audiences are a multi-national mix of professionals involved on a daily basis with security work: security product vendors, programmers, security officers, and network administrators. We give preference to technical details and new education for a technical audience.

The conference itself is a single track series of presentations in a lecture theater environment. The presentations offer speakers the opportunity to showcase on-going research and collaborate with peers while educating and highlighting advancements in security products and techniques. The focus is on innovation, tutorials, and education instead of product pitches.

Some commercial content is tolerated, but it needs to be backed up by a technical presenter - either giving a valuable tutorial and best practices instruction or detailing significant new technology in the products.

Paper proposals should consist of the following information:

1) Presenter, and geographical location (country of origin/passport) and contact info (e-mail, postal address, phone, fax).
2) Employer and/or affiliations.
3) Brief biography, list of publications and papers.
4) Any significant presentation and educational experience/background.
5) Topic synopsis, Proposed paper title, and a one paragraph description.
6) Reason why this material is innovative or significant or an important tutorial.
7) Optionally, any samples of prepared material or outlines ready.

Please forward the above information to core05@pacsec.jp to be considered for placement on the speaker roster.

cheers,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan November 15/16 2005 http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp

From isn at c4i.org Wed Jul 13 06:18:07 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jul 13 06:24:42 2005
Subject: [ISN] Iron Mountain Loses More Tapes
Message-ID:

Forwarded from: Mark Bernard

Dear Associates,

fyi....

I think the biggest fear here is that incident after incident leaves more and more private information out there floating around for someone with the right resources to accumulate for future use. After all, every hardened criminal knows that there's a cooling off period of several months before the merchandise can be moved or used, but yet industry and government can't stop the bleeding of information.

Some might like to suggest that the tapes are gone and we'll never see or hear about them again. However, if you ask any Law Enforcement person they'll tell you that most crimes are perpetrated because the criminal has two advantages, opportunity and time.

Based on that fact we have to ask ourselves during our risk management efforts, what have we done to take away time and opportunity? It would appear that in some cases nothing.... And to think that we haven't even begun to address the hardened criminals who make their own time and opportunities, who deliberately seek out weak links within our risk management chain of custody to exploit them.

Every time the same company loses data again and again they get more attention from Cyber Criminals. After all, the message that the company is sending with multiple information losses is that they are either too big and incapable of moving quickly enough to shut down the vulnerability or completely incapable of shutting it down.

As for the technology factor, well there are lots of used systems for sale that can handle compressed data. As for encryption, well the key to cracking encryption is publicly available over the Internet.

So you see it's a matter of developing a sound strategy and integrating effective risk mitigation techniques based on your specific business needs. Time and opportunity is all that it will take and there will be more news articles like this one..... it's currently unavoidable! The only question that we can't answer is whose company will be next and what will be the final result of their losses?

======= beginning of excerpt =========

Iron Mountain Loses More Tapes
http://www.informationweek.com/story/showArticle.jhtml?articleID=165701015

By Steven Marlin
InformationWeek
July 8, 2005

City National Bank has become the second company in two months to experience a loss of backup tapes in transit by Iron Mountain Inc. The Los Angeles-based bank disclosed Thursday that two tapes containing sensitive data, including Social Security numbers, account numbers, and other customer information, were lost during transport to a secure storage facility.

The bank said the data was formatted to make the tapes difficult to read without highly specialized skills, but declines to say if they were encrypted. It said there's no evidence that data on the tapes has been compromised or misused.

======= end of excerpt ===============

Best regards,
Mark.

Mark E. S. Bernard, CISM, CISSP, PM,
Principal, Risk Management Services,
e-mail: Mark.Bernard@TechSecure.ca
Web: http://www.TechSecure.ca
Phone: (506) 325-0444

Leadership Quotes by Kenneth Blanchard:
"The key to successful leadership today is influence, not authority."

From isn at c4i.org Fri Jul 15 01:29:16 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 15 01:44:38 2005
Subject: [ISN] Medical firm's files with personal data stolen
Message-ID:

http://www.azcentral.com/arizonarepublic/business/articles/0713biodyne13.html

Matt Hanson
The Arizona Republic
July 13, 2005

The personal information of 57,000 Blue Cross Blue Shield of Arizona customers was stolen from a Phoenix-based managed care company.

Arizona Biodyne, an affiliate of Magellan Health Services that manages behavioral health for Blue Cross of Arizona, began last Friday notifying customers and providers whose information was lost in the latest theft in which financial, personal or medical records were taken.

The stolen information included policyholders' addresses, phone numbers, Social Security numbers and dates of birth. They also contained partial treatment histories for some patients and certain information about the doctors who provided that care, Biodyne spokeswoman Erin Somers said.

Most of the people at risk from the Biodyne theft live in Arizona.

It is unclear whether the thieves knew what they had when they stole a safe. Biodyne reported to police on June 29 that a safe containing computer backup tapes was stolen from its office at 8900 N. 22nd Ave., Suite 206.

"There was quite a bit of data on those computer backup tapes," said Somers, when explaining why it took more than a week to start notifying customers. "We wanted to take a hard look and a detailed look at the information that was backed up on the tapes."

Blue Cross is working with Biodyne to notify people whose information might have been in the safe, Blue Cross spokeswoman Regena Frieden said.

"If people's information had been included on the tapes, then they would have received or will receive a letter from Arizona Biodyne," Frieden said.

Biodyne also set up a toll-free number and an e-mail account to answer the questions of people whose information was stolen. The company declined to make the number and address public, fearing that people who are not at risk would flood them with requests and slow response time to those whose information was stolen.

Joy, who received the notification letter and asked that her full name not be used, said it instructs her to contact a long list of companies and government organizations to make sure her information has not been misused.

"I'm going to call the (Arizona) Department of Motor Vehicles, my bank and all my financial institutions and all the credit agencies," said Joy, who works at a medical office in Mesa. She added that she has been watching her credit-card statements closely since the financial data breach reported by Atlanta-based CardSystems Solutions Inc. last month.

Biodyne and Blue Cross said it is not clear whether the people who took the safe did so with the intent to use people's personal information.

"Nobody knows whether this information has been accessed, can be accessed or that the thieves even knew what was in the safe," Frieden said.

This is the first time a company working with Blue Cross has had such a problem, she added. But several other companies have reported personal information stolen in recent months, during a time when concern for identity theft is on the rise.

Even large, high-profile corporations have been hit by major data breaches during recent years. Citigroup Inc., Bank of America Corp. and DSW Shoe Warehouse are among the national companies that have fallen victim.

The last leak in Arizona happened just last month at the Tucson office of CardSystems. The company, which processes credit-card transactions, told the FBI on May 23 and then made public on June 17 what was perhaps the largest data breach in history. A computer hacker stole the card numbers and three-digit security codes of 40 million cardholders.

Two years earlier, thieves stole computer hard drives from the Phoenix office of TriWest Healthcare Alliance. These computers contained medical records and Social Security numbers for more than 500,000 military personnel.

The best that Biodyne can do for now is to educate those who are at risk, Somers said.

"We want people to be aware of that fact and know what to do if they are concerned," Somers said.

-=-

12 News contributed to this article.

From isn at c4i.org Fri Jul 15 01:29:38 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 15 01:44:50 2005
Subject: [ISN] Worse Than Death
Message-ID:

Forwarded from: Jason Scott

Since I've been working on a bunch of research about how hackers have changed in perception in journalism over the years (watch out!) I heard about this article and thought that it'd make a good book-end: and here in 2005, we are calling for the Death Penalty for hackers.

But we're not. This article is just a big useless op-ed riff off of an already-existent article, itself a sort of summarization of a book the author has also written. To wit: Tierney just remixes the work of Steven Landsburg, who he at least credits in this article.
I would immediately shitcan the contents of the NY Times article and go back to the source:

http://slate.msn.com/id/2101297

This article, "Feed the Worms Who Write Worms to the Worms", cold-calculates the cost of hackers, the cost of murderers, the cost of their relative damage, the fact we execute murderers, and therefore draws the conclusion we should really execute hackers, if we look at things like the cost-benefit related to hacker damage.

It should be noted that Landsburg has a book out for sale called "Fair Play: What Your Child Can Teach You About Economics, Values, and the Meaning of Life". Slate reviewed his book in this 1997 article:

http://archive.salon.com/books/sneaks/1997/12/23review.html

And that review contains the helpful line:

"Economists writing for general audiences are largely a gentlemanly, helpful lot, channeling ego into explaining ideas and concepts. Landsburg is the great exception, a breast-beating showoff as exhibitionistic and domineering as a bad actor. I read him with horror and exasperation. He's the Gary Oldman of popular-economics writers."

That is to say, Landsburg writes sensationalistic articles using economics as a jumping-off point to say outrageous things. End of story.

On Wed, 13 Jul 2005, InfoSec News wrote:

> http://www.nytimes.com/2005/07/12/opinion/12tierney.html
>
> By JOHN TIERNEY
> tierney@nytimes.com
> July 12, 2005
>
> Last year a German teenager named Sven Jaschan released the Sasser
> worm, one of the costliest acts of sabotage in the history of the
> Internet. It crippled computers around the world, closing businesses,
> halting trains and grounding airplanes.
>
> [...]
From isn at c4i.org Fri Jul 15 01:29:51 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 15 01:45:08 2005
Subject: [ISN] VeriSign buys security researcher iDefense for $40 million
Message-ID:

http://www.networkworld.com/news/2005/071405-verisign-idefense.html

By Robert McMillan
IDG News Service
07/14/05

Looking to flesh out its line of managed security services products, VeriSign has snapped up network security researcher iDefense. The $40 million cash acquisition was completed Wednesday, according to VeriSign.

iDefense, in Reston, Va., provides early warning assessment of Internet security threats to a fairly select group of government and very large enterprise clients, said Chris Babel, vice president of Managed Security Services at VeriSign.

By acquiring the company, VeriSign hopes to be able to market the iDefense research products to a wider audience, while at the same time using data from VeriSign's security monitoring operations to bolster the iDefense research, he said.

The 45-person research company will retain the iDefense name, but will operate as a division within Babel's group, he said. VeriSign, in Mountain View, Calif., has no plans to move the iDefense team from their present location, he said.

VeriSign's managed security services business provides managed firewalls, intrusion detection and vulnerability alerting under the VeriSign Managed Security Services brand. Last year, VeriSign strengthened its position in this market by spending $135 million to acquire Guardent, a security services provider in Waltham, Mass. That acquisition was completed in February 2004.
From isn at c4i.org Fri Jul 15 01:31:35 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 15 01:46:26 2005
Subject: [ISN] Linux and Windows security neck and neck
Message-ID:

http://www.vnunet.com/vnunet/news/2139790/surveys-useless-security

Iain Thomson
vnunet.com
14 July 2005

There is little to choose between Microsoft and Linux in terms of operating system security, according to experts, but misleading figures and surveys are muddying the waters for IT managers evaluating the platforms.

Graham Titterington, principal analyst at Ovum, told vnunet.com that, while in security terms the gap between Linux and Microsoft had shortened, Linux had the edge. However, he suggested that the mass of statistics put out by both sides was obfuscating the issue.

"A couple of years ago Linux was without doubt more secure than Windows, but things have changed a lot," said Titterington. "My hunch would be that Linux still has the edge but it's difficult to tell with all this misleading information being pumped out.

"Just doing a head count of vulnerabilities is useless, for example, if you're not grading the seriousness of the vulnerabilities."

He added that Microsoft had made real progress on security in the past two years, but that the increasing number of Linux enthusiasts coming into the market would help the open source alternative in the long run.

John Engates, chief technology officer at managed hosting company Rackspace, which offers both Linux and Windows hosted servers, said: "If you think about where you get Linux talent it's in the younger generation.

"Linux has a slight advantage in that computer science students are learning it, but Microsoft has made life easier for non-techies, particularly with its improved patches."

Engates added that his company manages 13,000 servers, roughly half of which are open source and half Microsoft. He claims to see little difference between the security on either platform.
From isn at c4i.org Fri Jul 15 01:33:21 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 15 01:46:46 2005
Subject: [ISN] Libraries 1, hacker 0 in showdown
Message-ID:

http://www.pioneerlocal.com/cgi-bin/ppo-story/localnews/current/gl/07-14-05-632905.html

BY JOHN P. KELLY
STAFF WRITER
July 14, 2005

Twenty-two suburban libraries were thrust into the predigital dark ages last week after a hacker hijacked their central computer server.

Names, phone numbers and addresses for nearly 480,000 patrons in the suburban library consortium Cooperative Computer Services were vulnerable, though apparently left untouched in what culminated in a three-day tit-for-tat between technicians at the Arlington Heights-based company and the hacker.

"We're confident we have defeated the intruder without any data loss or lasting damage," Administrator Richard Shurman said.

June infiltration

The hacker, who may have infiltrated the system sometime in June, used the server as a haven to set up an illegal online file sharing network, Shurman said.

Technical consultants were called in last week to combat the hacker and, as a security measure, temporarily crippled the computer network that links the libraries' circulation and catalog information. They also disabled iBistro, an online catalog that lets patrons check book availability from home.

The move caused libraries from Wilmette to Cary to resort to old-fashioned methods of checking out material and -- with card catalogs largely purged in the 1990s -- guesswork to locate books on the shelf.

By Monday afternoon, the internal network was expected to be almost fully restored, though iBistro was off-line until Tuesday.

Back to basics

Several patrons who check book availability and reserve materials online called the Winnetka-Northfield Public Library District to find out why the system was down, Library Director Barbara Aron said.

"It was totally out of our control," Aron said.
Library staff members resorted to hand-writing check-out slips and couldn't check in books that had been returned late last week.

Shurman said an investigation was ongoing but refused to say whether law enforcement officials were involved.

"At this point, I need to be kind of close mouthed about it," Shurman said.

Thom Morris, library computer services administrator at the Northbrook Public Library, said it took two to three times longer to track down books, if they could be found at all, during the three days the system was down.

Morris said a "primitive" back-up system was used to record when patrons checked out books and said the breakdown was a "huge inconvenience for library staff and patrons."

Shurman said Cooperative Computer Services will fast-track a software upgrade that was planned for later this year and said the incident would result in a financial setback of less than $10,000.

Minor disruptions

Peggy Hamil, executive director of the Glencoe Public Library, said librarians in the area were surprised to learn of the security breach but said it caused only minor disruptions at the library.

Hamil decided not to notify patrons of the hacking because no valuable personal data was susceptible and an alert would be "more disturbing than informative."

"This is simply a reminder that nothing is ever completely safe from the efforts of someone with malicious intent and technical knowledge," Hamil said.

Daniel Walters, president of the Public Library Association, said libraries have been "sporadic targets" of malicious cyber attacks, but the aim is generally the destruction, not theft, of data.
From isn at c4i.org Fri Jul 15 01:36:26 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 15 01:47:01 2005
Subject: [ISN] Government computer systems struck by intruders
Message-ID:

http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/1121363949740_36/

CTV.ca News Staff
July 14 2005

CTV News has learned Canada's ultra-secret spy agency recently detected what the Communications Security Establishment says were: "a series of sophisticated intrusions into the federal government's computer systems."

The agency, Canada's national cryptologic agency, says the attacks were minimal, and refuses to divulge exactly what the hackers were after or reveal their identities.

But Julie Spillan, federal director of The Canadian Cyber Response Centre, admits: "There is a threat to Canada in the cyber realm."

Spillan says the hackers targeted specific, sensitive information. "Economic information is typically the most sought after" in these types of intrusions, she reveals.

Foreign intelligence agencies and organized crime have been known to attempt to steal information over the Internet from the Prime Minister's Office, the departments of Foreign Affairs and National Defence and Canada's central bank.

Microsoft chief of security John Weigelt says hackers will go after any information they deem to be of value. "That might be anywhere from a strategic document, a company document, personal information and perhaps financial information."

Cyber terror

But security officials are monitoring most closely those hackers bent on creating terror using the Net. Cyber terrorists can potentially shut down power grids, throw railway switches, open floodgates on dams and adjust pressure valves on pipelines carrying water, gas and oil.

Former Canadian Security Intelligence Service agent Michel Juneau-Katsuya is quoted on the Department of Public Works and Government Services website saying: "[a]ll governments are faced with regular attacks from hackers. Most of the attempts are from loners who enjoy breaking into government computers and are motivated by a host of reasons, but terrorists and foreign intelligence agencies are also in on the act."

Any department responsible for setting strategy for the Government of Canada is vulnerable, says Weigelt, including those "working with industry or dealing with financial instruments, as well as those that would protect our personal information."

Weigelt says for the most part, control systems for government information are kept on separate systems from the Internet. "And unless there's an insider that has access to those types of systems, it would be very difficult to get into those control systems."

But hackers do get through. And the creation of programs in Ottawa to combat cyber attacks highlights the vulnerability of large computer systems.

In February, Deputy Prime Minister and Minister of Public Safety and Emergency Preparedness Anne McLellan announced Canada's participation in Microsoft's global Security Cooperation Program (SCP). She also announced the establishment of the Canadian Cyber Incident Response Centre, which oversees cyber threats to Canada's infrastructure.

"In a global environment where we are increasingly reliant on information technology, we have a responsibility to do everything we can to reduce the risk of cyber threats that could have an impact on our shared critical infrastructure," said McLellan.

Weigelt says under the SCP program, Microsoft would help out any Canadian government department that, for instance, becomes plagued with a malicious worm -- a program that spreads easily and quickly across the web. Such worms include the notorious Blaster and Sasser worms.

Instances of institutions under cyber attack:

* In July last year, the Ottawa Citizen obtained a report revealing that Defence Department employees were being targeted by e-mails designed to plant viruses and other malicious codes inside military computers.
* Defence Department records confirm that hackers were able to gain access to military computers on at least 10 occasions in 2003.

* Rob Wright, the prime minister's national security adviser, spoke earlier this year of "various examples of hackers" who have stolen sensitive government information, adding there's evidence of individuals who could sell that information.

* In 2000, stats released from the Computer Emergency Response Team (CERT) at Carnegie Mellon University in Pittsburgh show that 1,334 computer security incidents were reported world-wide in 1993, compared to 9,859 in 1999 and, in the first three quarters of 2000, the number of incidents rose to 15,167.

* In 1999, it took a 17-year-old high school student in the U.S. just 10 minutes to breach the Defence Department's computer system. "The DND site was an easy target," Russell Sanford told the Citizen in 2002. "It was pretty weak."

From isn at c4i.org Fri Jul 15 01:30:36 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 15 01:47:14 2005
Subject: [ISN] Security UPDATE -- The Perils of Mobile Computing -- July 13, 2005
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Testing Your Security Configuration
http://list.windowsitpro.com/t?ctl=E44A:4FB69

Windows Master CD
http://list.windowsitpro.com/t?ctl=E45A:4FB69

====================

1. In Focus: The Perils of Mobile Computing

2. Security News and Features
   - Recent Security Vulnerabilities
   - Microsoft Baseline Security Analyzer v2.0 Now Available
   - Active Directory Federation Services for Non-Microsoft Platforms

3. Security Toolkit
   - Security Matters Blog
   - FAQ
   - Security Forum Featured Thread

4. New and Improved
   - Partnering for Better Security

====================

==== Sponsor: Testing Your Security Configuration ====

Over a decade ago the Department of Defense (DoD) released a statement saying, "Hack your network, or the hackers will do it for you." Up until that point, the value of vulnerability scanning and penetration testing was questionable. Today, vulnerability-scanning hackers, Internet-traveling worms, and roving bots are common. The DoD's advice given 10 years ago still holds true: You should conduct regular vulnerability and penetration testing audits to validate your security policy. This free white paper will discuss how to identify and fix vulnerabilities, discover and use vulnerability assessment tools, evaluate your security investment and more. Download your free copy now!
http://list.windowsitpro.com/t?ctl=E44A:4FB69

====================

==== 1. In Focus: The Perils of Mobile Computing ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Over the past few years, wireless networks have spread all over the place. Some cities and towns even provide free Internet access over public networks. Chances are high that unless you live in a very rural area, one or more of your neighbors has a home wireless network. Chances are also high that many of those neighboring wireless networks are wide open, and anybody can connect without the owner's permission. And, invariably, sooner or later somebody does just that.

With the proliferation of wireless networks comes the very attractive opportunity to use mobile computing in all sorts of ways. For example, many coffee shops offer free wireless access, as do libraries and restaurants. So if you're a telecommuter working on the road somewhere, or just want to check your email or do a little Web surfing without going back to your own network, you can use any number of public wireless networks.
A problem with the ease of use that open wireless networks offer is that invariably some people can't resist using an open wireless network even if it's not expressly made open for the public. That's when simple wardriving can become a criminal act. After all, the unauthorized use of a network is a crime in most places today. So if you discover a wireless network and decide to use it, you might be committing a crime.

Last week, a precedent for increased arrests began to develop in Florida. A man discovered that another man was sitting outside his house in a vehicle while using a laptop. The man in the house apparently had an open wireless network, and the man in the vehicle had connected to the wireless network without permission and was using it for what are at this time unknown purposes. Eventually, the homeowner informed the police, who subsequently arrested and charged the man in the vehicle. He now faces a criminal case.

The man's illegal use of someone else's network is puzzling. If I understand correctly, the incident took place in St. Petersburg, which is the fourth largest city in Florida with a population of nearly 250,000. Certainly, there must be many places that offer free public wireless network access, so why did the man choose to break into someone else's network? I don't know, but the incident does raise some interesting questions.

What if that man was using a computer provided by his company? Or what if he was checking email on his company's mail server? Would that then make the company liable for the man's actions?

If nothing else, the incident points out that businesses that provide wireless devices to their employees should probably consider implementing policies that stipulate acceptable use of those devices. Without such policies, businesses are more open to potential legal problems if employees misuse company equipment.
If you're interested in the details of this story, then use your favorite news site search engine to look for the terms "wireless" and "Florida," and add the terms "Smith" and "Dinon" if you need to narrow the search results.

====================

==== Sponsor: Windows Master CD ====

Why Do You Need the Windows IT Pro Master CD?

There are three good reasons to order our latest Windows IT Pro Master CD. One, because it's a lightning-fast, portable tool that lets you search for solutions by topic, author, or issue. Two, because it includes our Top 100 Windows IT Pro Tips. Three, because you'll also receive exclusive, subscriber-only access to our entire online article database. Click here to discover even more reasons:
http://list.windowsitpro.com/t?ctl=E45A:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=E452:4FB69

Microsoft Baseline Security Analyzer 2.0 Now Available

On July 1, Microsoft released Microsoft Baseline Security Analyzer (MBSA) 2.0. The new version supports Windows Server Update Services (WSUS) and includes a new command line interface to perform local and remote scans.
http://list.windowsitpro.com/t?ctl=E458:4FB69

Active Directory Federation Services for Non-Microsoft Platforms

Windows Server 2003 R2 will support Web-based single-sign-on (SSO) and federated authentication using Active Directory (AD) as the backend. Centrify aims to enable the technology on non-Microsoft platforms.
http://list.windowsitpro.com/t?ctl=E459:4FB69

====================

==== Resources and Events ====

Identify the Key Security Considerations for Wireless Mobility

Wireless and mobile technologies are enabling enterprises to gain competitive advantage through accelerated responsiveness and increased productivity. In this free Web seminar, you'll receive a checklist of risks to factor in when considering your wireless mobility technology evaluations and design. Sign up today and learn all you need to know about firewall security, transmission security, OTA management, management of third-party security applications, and more!
http://list.windowsitpro.com/t?ctl=E450:4FB69

Learn to Sort Through Sarbanes-Oxley, HIPAA, and More Legislation Quicker and Easier!

In this free Web seminar, get the tips you've been looking for to save time and money in achieving IT security and regulatory compliance. Find out how you can simplify these manually intensive, compliance-related tasks that reduce IT efficiency. Turn these mandates into automated and cost-effective solutions. Register now!
http://list.windowsitpro.com/t?ctl=E44D:4FB69

New Cities Added--SQL Server 2005 Roadshow in a City Near You

Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Attend and receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now!
http://list.windowsitpro.com/t?ctl=E451:4FB69

Integrate Your Compliance System With Backup and Recovery

Discover the issues involved with integrating your compliance system with backup and recovery, including backup schedules, pros and cons of outsourcing backup media storage and management, the DR implications of backing up compliance data, the possibility of using alternative backup methods to provide backup and compliance in a single system, and more. You'll learn what to watch out for when combining the two functions and how to assess whether your backup/restore mechanisms are equal to the challenge.
http://list.windowsitpro.com/t?ctl=E44E:4FB69

Influencers 2005: Thriving In The Face Of Regulation: How to Accommodate the New Corporate Governance Regime and Achieve Optimum Financial Performance

Join Arthur Levitt, former chairman of the SEC, Arnold Hanish, and Scott Mitchell as they discuss the most important management challenge facing businesses today--Wednesday, July 20 at 11:00 a.m. EDT. Register here:
http://list.windowsitpro.com/t?ctl=E44C:4FB69

You Could Win An iPod Mini!

Your expert opinion makes a difference--tell us what you think about industry conferences and events. Your feedback is very valuable to us. Take this short survey today!
http://list.windowsitpro.com/t?ctl=E453:4FB69

==== Featured White Papers ====

Is Your Company Legally Required to Have an Email Compliance and Retention Policy?

Gain an understanding of general retention and compliance issues and Microsoft Exchange Server's built-in archiving and compliance features and get guidance on the first steps to take when starting an archiving regime. Plus--discover how to analyze trends and usage across your messaging store.
http://list.windowsitpro.com/t?ctl=E44B:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog: Security Update for Internet Explorer
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=E45E:4FB69

Microsoft released a security update for Internet Explorer (IE) 5.x and 6.0. Microsoft article 903235 discusses the matter.
http://list.windowsitpro.com/t?ctl=E457:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=E45C:4FB69

Q: How can I enable the Anonymous SID to be part of the Everyone group in Windows XP and later?

Find the answer at
http://list.windowsitpro.com/t?ctl=E456:4FB69

Security Forum Featured Thread: Audit File Access
(Two messages in this thread)

A reader wants to know whether there are any third-party tools to implement domain-wide file auditing. He needs to be able to dump log data into a database, including which files were accessed, when they were accessed, the name of the user who accessed the files, and the computer that the files were accessed from. Join the discussion at
http://list.windowsitpro.com/t?ctl=E44F:4FB69

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Check Out the New Windows IT Security Newsletter!

Security Administrator is now Windows IT Security. We've expanded our content to include even more fundamentals on building and maintaining a secure enterprise. Each issue also features product coverage of the best security tools available and expert advice on the best way to implement various security components. Plus, paid subscribers get online access to our entire security article database (over 1900 security articles)! Order now:
http://list.windowsitpro.com/t?ctl=E455:4FB69

Exclusive Content for VIP Subscribers!

Get inside access to all of the content and vast resources from Windows IT Pro, SQL Server Magazine, Exchange & Outlook Administrator, Windows Scripting Solutions, and Windows IT Security, with over 26,000 articles at your fingertips. Your VIP subscription also includes a 1-year print subscription to Windows IT Pro and a VIP CD (includes entire article database).
Sign up now:
http://list.windowsitpro.com/t?ctl=E45B:4FB69

====================

==== 4. New and Improved ====
by Dustin Ewing, products@windowsitpro.com

Partnering for Better Security

Apani Networks announced that its In-depth Network Security (INS) system is available from HP. HP will provide first-line support for customers around the world, as well as security-compliance consulting and onsite services as needed. INS provides complete network-access control, dynamic implementation of network security policies, and point-to-point encryption. It will allow organizations to manage security relationships for an entire network from a centralized point. This centralization reduces infrastructure costs and provides a security audit trail, which is essential for compliance regulation requirements. For more information, visit the company's Web site
http://list.windowsitpro.com/t?ctl=E460:4FB69

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.
====================

==== Sponsored Link ====

Argent versus MOM 2005
Experts Pick the Best Windows Monitoring Solution
http://list.windowsitpro.com/t?ctl=E449:4FB69

==== Contact Us ====

About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=E45F:4FB69
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=E454:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.

From isn at c4i.org Fri Jul 15 01:30:52 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 15 01:47:26 2005
Subject: [ISN] Nation's Top Cyber-Security Post Elevated
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2005/07/13/AR2005071301733.html

By Brian Krebs
washingtonpost.com Staff Writer
July 13, 2005

As part of a major reorganization outlined today, the Department of Homeland Security announced plans to give more bureaucratic heft to its top official in charge of keeping computer infrastructure secure, a move that critics of federal cyber-security policy have espoused for years.

Under a restructuring plan detailed by DHS Secretary Michael Chertoff, the upgraded position -- which will now include the nation's telecommunications infrastructure in its area of responsibility -- would be placed inside of a new directorate within the department, just two positions below Chertoff's.
The previous cyber-security director was situated five organizational rungs below the DHS secretary.

The department's current top cyber-security post remains unfilled following several recent high-profile resignations within the division. None of the three officials who held the post remained in the position for much more than a year, and all cited frustration with a lack of consistent access to highly placed administration officials.

Lawmakers in Congress and private sector officials -- many of whom have maintained that DHS cyber-security leaders have been denied the sufficient authority and resources to do their jobs -- roundly praised the reorganization plan, saying it should give the cyber division and its top officials much-needed legitimacy and direction.

Marcus Sachs, a former White House cyber-security advisor for the Bush administration, said the department's cyber division has failed in one of its most basic functions: providing early warning about widespread Internet attacks.

"There still isn't any timely reaction or response to the bad things happening online because they still have a very deeply bureaucratic process that prevents them from sounding the alarm," said Sachs, who now directs the SANS Internet Storm Center in Bethesda. "Hopefully this new position will give the [cyber division] the political clout it needs to push its agenda."

Rep. William "Mac" Thornberry (R-Tex.), who along with Rep. Zoe Lofgren (D-Calif.) co-authored legislation to elevate the authority of the department's top cyber official, said the development would "help ensure that these issues ... don't get buried by layers of bureaucracy," but added that much will depend on the quality of the candidate picked for the new position.

"It's important to have someone who is credible and that [the] industry has confidence in ... someone who can build the kind of trust and information-sharing relationship that you have to have to be successful in an effort where 90 percent of the nation's computer infrastructure is in private hands," Thornberry said.

The shift should help the department build greater credibility with both Congress and the IT industry, said Harris Miller, president of the Arlington-based Information Technology Association of America.

"The appropriators on the Hill have been skeptical about [funding] requests from DHS because it's hard to justify spending more money on cyber when everyone thinks you're doing a crappy job with what you've been given," Miller said. "This new position should help the department set some clear priorities and timetables and a way to achieve those goals in a more meaningful partnership with the private sector."

The roles and responsibilities for the department's cyber czar were first laid out in the Bush administration's National Strategy to Secure Cyberspace, a document released in February 2003 -- when DHS came into being -- that envisioned protecting key areas of the Internet from digital sabotage as part of a broader strategy for guarding vital U.S. assets.

At the time, industry officials pushed for the person in charge of those efforts to hold an assistant-secretary-level position with direct access to then-secretary Tom Ridge. Instead, the position was placed several steps down in a job that answered to Robert P. Liscouski, then the department's assistant secretary for infrastructure protection.

Liscouski resigned in January amid criticism that he had impeded initiatives from the cyber-division that might have given it a higher profile, part of a string of resignations in and around the division. In Oct. 2004, former cyber director Amit Yoran unexpectedly quit the post after little more than a year. Yoran's predecessor, Howard Schmidt, stepped down after just three months on the job.
Schmidt replaced Richard Clarke, the department's first director, who abruptly left the department three months earlier after it became clear he would not be included in regular consultations with the Homeland Security director. Liscouski had argued that cyber-security should be integrated with other security considerations, such as the physical security of power plants and transportation systems. The reorganization plan would give the new assistant secretary position sole responsibility for cyber-security and telecommunications security. Although no full-scale cyber-attacks have occurred, terrorists and organized online criminal gangs can use the Internet for everything from passing messages to transferring money. And because so many networks interconnect, cyber-security experts warn that a weak link could threaten major avenues of commerce. Digital attacks against governments, businesses and consumers cost companies and individuals tens of millions of dollars a year. Some of the priorities highlighted in the Bush administration's cyber-security plan include creating and managing a national disaster-recovery and cyber-response system, establishing a national program to reduce software security vulnerabilities, and sharing more information on cyber threats with private-sector companies and state and local governments. © 2005 Washingtonpost.Newsweek Interactive From isn at c4i.org Fri Jul 15 01:31:05 2005 From: isn at c4i.org (InfoSec News) Date: Fri Jul 15 01:47:48 2005 Subject: [ISN] Chinese Hackers Might Hit Japanese Websites via Korean Servers Message-ID: http://english.donga.com/srv/service.php3?bicode=040000&biid=2005071460188 JULY 14, 2005 by Sun-Hong Park It is reported that Chinese hackers might mount major attacks on Japanese websites via Korean servers on August 15. The news is causing a stir in Korea. The Korean servers, which the hackers might use to avoid IP tracing, include not only those of universities but also those of some government agencies.
The report will continue to create ripple effects across Korea. Hong Kong's Wen Wei Po reported on July 2, "The Association of China's Red Hackers, one of the world's five hacking groups, plans to launch formidable attacks on the anti-Chinese websites in Japan between July and September." The Association of China's Red Hackers, the largest hacker association, consists of students and graduates of Peking University's Center of Science and Society. Wen Wei Po added that the association grouped its members into three teams, each focusing on one of three tasks: collecting information to find weak points in their targets; preparing for Japan's counterattacks; and hitting Japan's anti-Chinese websites, including that of Fusosha, a center of contention over distorted history textbooks. One member of the Chinese hackers' group told his Korean acquaintance, "They have chosen three candidate servers of a Korean gaming company and universities as their hacking routes. The security level of those servers is lower than expected. So they are thought to be proper for avoiding IP tracking." The hacker said, "As of July 13, 45,000 hackers in China joined our plan. Keep an eye on us on August 15." In April this year, Chinese hackers timed their attacks on Japanese websites to coincide with mass anti-Japanese demonstrations across Mainland China. But their attempts failed because the Japanese authorities blocked all Chinese IP addresses. That is why the Chinese hackers want to hijack Korean IP addresses this time. They seem to believe that if they launch assaults via Korean servers, Japan would find it hard to block the Korean IP addresses. On the matter, Han Seong-guk, a computer engineering professor at Wonkwang University, commented, "If Chinese hackers are allowed to exploit Korean servers freely, that is tantamount to our giving up Korea's sovereignty in cyber warfare.
If they use Korean servers without permission, it means that they are able to easily change the content of information there." From isn at c4i.org Fri Jul 15 01:31:21 2005 From: isn at c4i.org (InfoSec News) Date: Fri Jul 15 01:48:05 2005 Subject: [ISN] Desktop port proliferation a security risk? Message-ID: http://www.theregister.co.uk/2005/07/14/desktop_port_security_risk/ By Robert Lemos SecurityFocus 14th July 2005 Software maker Opera's decision to support BitTorrent has added to some security experts' worries that applications which require open connections through firewalls are becoming increasingly popular. Last week, the Norwegian company revealed that its latest technical preview adds support for downloading BitTorrent files, or torrents. BitTorrent, a peer-to-peer protocol that speeds file sharing by allowing every client to serve up pieces of a large file, requires that firewalls allow inbound connections to the client software. With the adoption, the alternative Internet browser is the latest application to ask users to open ports, the numerical addresses that software applications use for communication. Some voice-over-Internet applications also require a direct connection to the Internet and need ports to be open if the hardware is placed behind a firewall. If such applications grow more popular, security may suffer, said Johannes Ullrich, chief research officer for the Internet Storm Center, a network-threat monitoring service hosted by the SANS Institute. "Opening more ports is never a good idea," he said. "Adding more functionality to heavily attacked applications like Web browsers isn't that great (of an idea) either." BitTorrent is the latest peer-to-peer application to gain general popularity beyond its core group of file sharers. While many security experts worry about Trojan horses spreading through file sharing networks, the fact that voice-over-IP and BitTorrent protocols can require exceptions to firewall protections has worried others.
"At this point, we see almost no malicious activity in this space, but I think it's the big underdeveloped malware market," Ullrich said. Opening ports in network or personal firewall protections increases reliance on the security of the program that receives the data. Yet, in many cases, unsophisticated users are placing peer-to-peer software on their computers, without considering whether the programs have made security a priority, said Rick Robinson, senior security architect for voice-over-IP security provider Avaya. "There are the hobbyist applications, such as games and file sharing, where your concern is not about reliably or security, but achieving the execution of the application," he said. "With such unsophisticated software, you are running the risk of weak security." The creator of BitTorrent, Bram Cohen, argues that such concerns are overstated. To date, no major flaw in the main BitTorrent clients has been publicly disclosed. Moreover, even though a random list of Internet addresses downloading a particular file can be easily obtained, the protocol uses hashes to prevent man-in-the-middle attacks. "The BitTorrent protocol is designed to be very simple and clean, so the chance that there is a flaw in there is much less than, say, an HTML parser," said Cohen, who also founded BitTorrent.com. "Moreover, if you are using the main BitTorrent client, the chance of being exploited by a peer is very small." Cohen acknowledges, however, that much of the security of BitTorrent--and other programs that allow incoming connections--rely on the peer-to-peer client software's security. "If you are accepting incoming connections, then that opens up the possibility that you could be exploited if there are flaws in your code," he said. Cohen has not seen Opera's implementation of BitTorrent. 
While Opera has added a warning dialog box to the process of downloading torrent files, adding BitTorrent support to the browser does not increase risk, said Christen Krogh, vice president of engineering for Opera. "When you leave a program open for downloading things from the Net or leaving ports open, you should always consider security," he said. "But having support for the BitTorrent protocol for the browser doesn't skew the security picture very much." Other peer-to-peer software makers have managed to avoid the issue altogether. Voice-over-IP software provider Skype, for example, allows incoming connections through firewall software without explicitly opening ports. Hardware-based services, such as Vonage, typically call for the VoIP gateway to be placed in front of the firewall. Only when the hardware is placed inside a local network does the user need to open ports. Blizzard Entertainment uses the BitTorrent protocol for updating its massively multiplayer online role-playing game, World of Warcraft. While updates can still be downloaded from behind a firewall, the transfer rate is much slower. However, the software only opens up communication for a very short time, the company said in a statement. "This does not present any additional security risk compared to any other standard Internet-based network communication," the company said. "The port is opened by the Blizzard Downloader, is used for patch up/downloads, and it remains closed otherwise." Such peer-to-peer software should still undergo increased scrutiny for security holes, said Brian Martin, a moderator for the Open Source Vulnerability Database. "Just because of their deployment and popularity, the programs should definitely be audited more heavily," he said. "If a popular (peer-to-peer) client did have a vulnerability, you are probably talking about tens to hundreds of thousands of people who might be vulnerable." Copyright © 2005
From isn at c4i.org Mon Jul 18 06:18:08 2005 From: isn at c4i.org (InfoSec News) Date: Mon Jul 18 06:24:53 2005 Subject: [ISN] Stolen data worries financial institutions Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,103244,00.html by Michael Crawford JULY 15, 2005 COMPUTERWORLD AUSTRALIA SYDNEY -- Recent data losses at financial institutions have increased industry concerns about unauthorized access, according to Deloitte's 2005 Global Security Survey released this week. The survey of global financial institutions found a 21% increase over last year in concerns about unauthorized access to personal information. It was rated an area of concern by 83% of all respondents. Kevin Shaw, Deloitte security service Asia Pacific leader, said the high level of fear reflected the fact that breaches of customer privacy had the potential to undermine trust in financial institutions at a most fundamental level. "There is a lot of focus now on addressing these issues, but storage of credit card numbers is a process of policy and procedure. The CardSystems breach was a result of failure by [the company] to follow its own policy and it was using the data in ways it should not have when it got hacked; there isn't a technical solution for this," Shaw said. "The growth in external attacks has slowed because financial institutions have become far more effective at deploying technological defenses such as intrusion detection, antivirus solutions and content filtering and monitoring, which means criminals have shifted their focus from technology attacks to human behavior and gaps in policy enforcement and governance. "They now prey on staff in financial institutions and their customers and any weakness they can find in human behavior." Shaw said Australian banks are performing well by global standards, particularly with staff training and threat awareness.
However, financial institutions worldwide are struggling to keep pace with the changing nature of IT security attacks. Shaw said the role of a chief privacy officer is integral to keeping up with that changing landscape. "At a global level, only 49% of respondents had established the role of chief privacy officer, although 5% acknowledged that they would have one by the end of the year," Shaw said. "In Australia, most of the large financial institutions indicate they have some form of a privacy officer function. However, it is becoming increasingly critical that they consider an investment in a chief privacy officer with appropriate funding and authority." From isn at c4i.org Mon Jul 18 06:18:28 2005 From: isn at c4i.org (InfoSec News) Date: Mon Jul 18 06:25:13 2005 Subject: [ISN] Defection Spotlights Chinese Way of Spying Message-ID: http://www.latimes.com/news/nationworld/world/la-fg-espionage15jul15,1,4871850.story??coll=la-headlines-world By Mark Magnier Times Staff Writer July 15, 2005 BEIJING - The defection of a senior Chinese diplomat in Australia who claims he helped oversee a vast spy network has cast a spotlight on China's espionage activities at a time of increased global trade tensions and concern over Beijing's military spending. Chen Yonglin, the first secretary of the Chinese Consulate General in Sydney, chose a particularly embarrassing moment to go public against his employer - a rally last month in Australia marking the 16th anniversary of the Tiananmen Square crackdown on pro-democracy demonstrators. At an impromptu news conference shortly after Australia turned down his request for political asylum, the bookish Chen announced that he'd spent the last four years managing a network of 1,000 informants and spies in Australia on behalf of the Chinese government. Their primary target, he added, were members of Falun Gong, a quasi-religious group banned in China as an "evil cult," and those advocating independence for Tibet, Taiwan and East Turkestan.
Beijing immediately disputed his claims and similar charges by Hao Fengjun, a second Chinese official applying for an Australian visa. The allegations are "fabrication and lies," Foreign Ministry spokesman Liu Jianchao said in Beijing. "Sino-Australia relations should not pay a price for two such people and two such incidents." "We have some Chinese who don't like China that much and want to profit for their own personal agenda," Fu Ying, China's ambassador to Australia, said last week. Chen "now appears to be hating China so much, but China offered him the best a young man can have." The incident could reverberate beyond Australian shores, analysts said, emboldening China's critics at a time when Defense Secretary Donald H. Rumsfeld and other Washington conservatives are expressing concern about Beijing's intentions and questioning its growing military spending. The case has also embarrassed the government of Prime Minister John Howard, which critics accuse of putting trade ahead of human rights to avoid angering Beijing, a charge the administration denies. China is Australia's third-largest trading partner, with annual bilateral commerce worth $22.7 billion, and a voracious consumer of its natural resources. The two nations are also discussing a free-trade agreement to strengthen ties further. Opposition lawmakers accused the Howard administration of immediately informing the Chinese government when Chen submitted his application and rejecting his request for a safe meeting place. Last Friday, Australia granted Chen a permanent visa. Hao has petitioned for a protection visa, and his case is now awaiting a decision. Part of the equation, analysts said, is that neither Chen nor Hao, who claims to have worked in the Chinese city of Tianjin at a security office charged with stamping out Falun Gong before fleeing to Australia, appears to be a huge intelligence catch.
"For Western intelligence agencies, knowing how China monitors Falun Gong is not so important," said Steve Tsang, a China scholar at Oxford University. "I suspect that's why they didn't grant Chen's first application. If he was involved in a missile program or counterespionage, that would probably be a different thing." Like those of most countries, China's intelligence efforts employ a system of concentric circles, analysts said. Unlike U.S. intelligence agencies, with their reliance on satellite data and high technology, China is known for its "humint," or human intelligence. "They can and do send out thousands of people with limited tasking, flooding the target country," said Larry M. Wortzel, a former U.S. Army attache in Beijing now at the Heritage Foundation, a conservative think tank in Washington. China has three kinds of spies, asylum-seeker Hao told Australian reporters: "professional spies" paid to collect information, "working relationship" spies operating in business circles and "friends" in less formal networks, a category analysts said Chen's 1,000 spies would fall into. China employs a relatively small number of well-trained, professional spies, intelligence analysts said, charged with digging up the most sensitive military secrets and strategic policy. In the second tier, China relies on well-placed front companies and scientists to go after key technologies, including dual military and civilian-use products that are easier to acquire than top-secret military items. "But you use dual-use or trading companies as far from the embassy as possible," said an intelligence expert who declined to be identified. "They're a big radioactive tag." In one recent case, a Chinese American couple in Wisconsin was arrested on suspicion of selling China $500,000 worth of computer parts with potential applications in enhanced missile systems. But it's China's biggest concentric ring that often garners the most attention. 
Beijing is known for gathering small bits of information from "friends" (Chinese businesspeople, students, scientists, trade delegations and tourists traveling overseas), which it assembles into a bigger picture. "They spread a rather wide net," said James R. Lilley, a former CIA station chief and U.S. ambassador to China. "It's often a rather blurred line between 'cooperator' and 'undercover agent.' " People may be motivated to provide information by money, patriotism, flattery or various forms of persuasion, analysts said. An overseas Chinese with a family back home might be approached, said Oxford's Tsang, and told: "I understand you have a daughter trying to get into college. I hear she may not be so bright, but I have a friend at that college and can put in a good word." China's approach, sometimes referred to as "1,000 grains of sand," has complicated life for foreign counterintelligence agencies already burdened by the U.S.-declared war on terrorism, analysts said. "There are 150,000 students from China. Some of those are sent here to work their way up into the corporations," Dan Szady, the FBI's assistant director for counterintelligence, told the National Intelligence Conference and Exposition in Arlington, Va., in February. "There are about 300,000 Chinese visitors annually and 15,000 delegations touring the U.S. every year." Many of these people are potential spies, he added, gathering information or being questioned when they return to China. "Even as we increase our numbers of agents, we can't possibly totally stop it," Szady said. But the intelligence expert who requested anonymity said there was a temptation to believe that everyone who vaguely looks Chinese is busy funneling information back to Beijing. "There's a lot of hysteria," he said, citing an unsubstantiated claim by a bipartisan congressional commission five years ago that China operates 3,000 front companies in the United States. "It's jingoism of the highest order," he said.
"Also, what they do in appealing to patriotism is not a lot different from the French and the Israelis. The Israelis pulled a lot of the same motherland appeals with [Jonathan Jay] Pollard," an American military analyst sentenced to life imprisonment in 1986 for leaking secrets to Israel. Espionage also works both ways. In 1995, the Australian media reported that China's embassy in Canberra, the capital, was bugged as part of a joint Australian-U.S. spy operation. And a U.S.-made Boeing 767 bought for then-Chinese President Jiang Zemin in 2000 reportedly contained more than 20 spying devices. One analyst said that even if Chen's claim of 1,000 spies in Australia was accurate, they were almost certainly not all well-trained field agents. "The idea that they have such a large number working on behalf of Chinese intelligence seems a bit dubious," said Jonathan D. Pollack, director of strategic research at the Naval War College in Newport, R.I. "It's obvious that anyone wanting to defect wants to up their value." From isn at c4i.org Mon Jul 18 06:18:51 2005 From: isn at c4i.org (InfoSec News) Date: Mon Jul 18 06:25:30 2005 Subject: [ISN] Personal Wireless Security Devices and Software Mailing List Message-ID: Forwarded from: John Kleinschmidt Greetings! PersonalWireless.org is happy to announce the creation of the 'Personal Wireless Security Devices and Software List'. This list was created to discuss issues related to personal wireless devices such as the Blackberry, Palm devices, smartphones and any of the new technologies being developed for the corporate, personal and home wireless market. 
For more information and details on this list, including subscription, please see: http://www.c2security.org/mailman/listinfo/bb-security Thank you for your time, John Kleinschmidt John@Personalwireless.org From isn at c4i.org Mon Jul 18 06:19:05 2005 From: isn at c4i.org (InfoSec News) Date: Mon Jul 18 06:25:55 2005 Subject: [ISN] Misawa airman busted one rank, docked pay for hacking Message-ID: http://www.estripes.com/article.asp?section=104&article=30396 By Jennifer H. Svan Stars and Stripes Pacific edition July 17, 2005 MISAWA AIR BASE, Japan - An airman first class with the 35th Communications Squadron was sentenced to 10 days of confinement and reduced in rank to E-2 for trying to hack into personal computer files on base. James A. Stout, formerly a technician in the base's Network Control Center, also will forfeit two-thirds of his pay and allowances for one month. Stout pleaded guilty in a summary court-martial Thursday to violating an Air Force instruction governing transmission of information by the Internet, and to breaking a federal law by intentionally accessing a computer without authorization. While working on a government computer during an overnight shift on Dec. 3, 2004, Stout downloaded two hacking programs from the Internet in an attempt to decrypt the base's user name and password file, which would have given him access to all base user accounts, including e-mail, according to prosecutor Capt. Jason Spence of the 35th Fighter Wing's Office of the Staff Judge Advocate. He copied it to a second computer and ultimately uploaded the user name and password file and a decryption program onto a personal Web server via the Internet, the prosecutor said. He was caught after Pacific Air Forces' Network Operations Security Center, which monitors Internet traffic, notified the base of a possible intrusion into its computer system, Spence said.
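The detection chain the prosecutor describes has two halves: a network monitor that notices a password file leaving the network, and a review of logon records that turns the source machine into a named account. The following is an added example of both halves, not the PACAF Network Operations Security Center's tooling. The article does not say what format Misawa's password file had, so the detector assumes two common shapes, pwdump-style "user:RID:LMhash:NThash:::" lines and Unix shadow-style "user:$id$salt$hash:..." lines, and requires several such lines in one transfer so that a single credential in a login form does not fire it. The flow records, payloads, hostnames, logon records and the 12-hour correlation window are all constructed for the example.

```python
"""Spotting a credential store leaving the network, as an added example.

Not the NOSC's tooling. Format assumptions: pwdump-style and Unix
shadow-style lines (the article does not say what Misawa's file looked
like). Every flow record, payload and logon record is constructed.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# user:RID:LM(32 hex):NT(32 hex)::: one per line
PWDUMP_RE = re.compile(r"^[^:\s]+:\d+:[0-9a-fA-F]{32}:[0-9a-fA-F]{32}:::\s*$", re.M)
# user:$id$salt$hash... for md5crypt, bcrypt, sha256crypt, sha512crypt ids
SHADOW_RE = re.compile(r"^[^:\s]+:\$(?:1|2[aby]?|5|6)\$[^:$]{0,16}\$[^:\s]{20,}", re.M)

# One stray hash in a form post is noise; several lines in one body is a dump.
MIN_HITS = 3


def classify_payload(body: str) -> Optional[str]:
    """Return 'pwdump' or 'shadow' when the body looks like a credential dump."""
    if len(PWDUMP_RE.findall(body)) >= MIN_HITS:
        return "pwdump"
    if len(SHADOW_RE.findall(body)) >= MIN_HITS:
        return "shadow"
    return None


def last_logon(logons: List[Dict[str, str]], host: str, at: datetime,
               window: timedelta = timedelta(hours=12)) -> Optional[str]:
    """Most recent logon to `host` at or before `at`, within `window` (assumed)."""
    best = None
    for rec in logons:
        ts = datetime.fromisoformat(rec["ts"])
        if rec["host"] == host and ts <= at and at - ts <= window:
            if best is None or ts > datetime.fromisoformat(best["ts"]):
                best = rec
    return best["user"] if best else None


def investigate(flows: List[Dict[str, str]], logons: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag dump-like outbound bodies and tie each to the account logged on at the source."""
    hits = []
    for flow in flows:
        kind = classify_payload(flow["body"])
        if kind is None:
            continue
        at = datetime.fromisoformat(flow["ts"])
        hits.append({
            "ts": flow["ts"], "src": flow["src"], "dst": flow["dst"],
            "kind": kind, "user": last_logon(logons, flow["src"], at) or "unknown",
        })
    return hits


# Constructed outbound transfers as a network monitor would record them
# (RFC 5737 test addresses). The dump uses the well-known empty LM/NT hashes.
_DUMP = "".join(
    f"{u}:{1000 + i}:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\n"
    for i, u in enumerate(["svc_backup", "user01", "user02", "user03"])
)
FLOWS = [
    {"ts": "2004-12-03T02:14:10", "src": "ws-ncc-07", "dst": "203.0.113.25",
     "body": "GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"},
    {"ts": "2004-12-03T02:31:42", "src": "ws-ncc-07", "dst": "203.0.113.25",
     "body": "PUT /upload/pw.txt HTTP/1.1\r\nHost: example.invalid\r\n\r\n" + _DUMP},
    {"ts": "2004-12-03T02:40:00", "src": "ws-ops-12", "dst": "198.51.100.9",
     "body": "POST /login HTTP/1.1\r\n\r\nuser=jdoe&pass=hunter2"},
]
# Constructed logon records: the monitor's alert names only the source
# host, so these are what turn a host into an account to question.
LOGONS = [
    {"ts": "2004-12-02T22:05:00", "host": "ws-ncc-07", "user": "ncc.tech01"},
    {"ts": "2004-12-03T01:58:30", "host": "ws-ncc-07", "user": "ncc.tech02"},
    {"ts": "2004-12-03T02:20:00", "host": "ws-ops-12", "user": "ops.user05"},
]

if __name__ == "__main__":
    for hit in investigate(FLOWS, LOGONS):
        print(hit)
```

The rule fires on what the body contains, not on where it is going, which is the point in a case like this one: the destination was a personal web server with no reputation at all, so a destination blocklist would have had nothing to match. The account it yields is the one logged on at the workstation, which is where the investigation starts, not where it ends.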
Three communications squadron airmen traced Stout back to the government computer during the time of the incident by reviewing security log-ins, Spence said. Stout never succeeded in breaking the code, having deleted the file and decryption programs from his government computers and Web server in the same work shift after he became aware that PACAF had notified the Network Control Center of the problem. Stout claimed he was bored and wanted to access his supervisor's account to grant himself higher computer rights that he could use on the job to fix network problems, Spence said. He also said he wanted to see other parts of the network, including personal computer files, such as e-mail. When Stout transferred the Misawa files from his government computer to a personal Web server over the Internet, "a third-party person - foreign government, terrorist, hacker - could have taken our password file and copied it to their own computer while it was in transit," possibly allowing them to access Misawa's unclassified database, Spence said in court. If a third party obtained access and deleted that file, "it would bring the mission to a halt - basically, everything is in there," he said. © 2003 Stars and Stripes. From isn at c4i.org Tue Jul 19 04:49:01 2005 From: isn at c4i.org (InfoSec News) Date: Tue Jul 19 04:55:21 2005 Subject: [ISN] Clinton Twp. considers new system for computer security Message-ID: http://www.detnews.com/2005/macomb/0507/18/B04-250700.htm By Edward L. Cardenas The Detroit News July 18, 2005 CLINTON TOWNSHIP -- The Clinton Township Board of Trustees tonight will consider a state-of-the-art fingerprint access system for township computers, the first such system to be used in Macomb County. The proposed system uses fingerprint technology rather than passwords and would be funded through federal Homeland Security money.
"We have really tried to get into the 21st century," said Brian Moynihan, director of Clinton Township's department of information technology. "Once you make it available, you have to make it secure." Clinton Township officials initially instituted a standard password policy in March for employees who use the computers. While the password system provided some security, there was room for lapses if employees wrote down passwords or shared them, officials say. To provide an even higher level of security, the township began to investigate using fingerprint technology to log into the community's computer system. Similar systems are used by U. S. Department of Defense, the California Police Department and the city of Glendale, California. No other Macomb County communities use this technology, Moynihan said. Some township employees have had the chance to try out the new system and at least one, Planning Director Carlo Santia, said he welcomes the high-tech system for its ability to simplify working life. "The (old) passwords are a combination of seven numbers and letters," Santia said. "This will just make it so much easier. It provides a unique password or entry into the system that can't be duplicated by someone else." The Board of Trustees will consider seeking bids on a system during its board meeting at 6:30 p.m. today in the Civic Center, 40700 Romeo Plank. Moynihan said the system could be used in up to 300 desktop computers in the township hall, police and fire departments. The cost would be about $55,000 for hardware, software, licensing and maintenance . "Information security is our paramount concern," Moynihan said. The township's information technology department has used the system successfully for nearly three months. It involves a small 2- by 3-inch sensor attached to the computer that takes a quick snapshot of the finger print, which serves as a sort of "key" to access to the computer. "It is infinitely more secure than a password," added Moynihan. 
-=- You can reach Edward L. Cardenas at (586) 468-0529 or ecardenas at detnews.com. From isn at c4i.org Tue Jul 19 04:49:14 2005 From: isn at c4i.org (InfoSec News) Date: Tue Jul 19 04:55:40 2005 Subject: [ISN] Cost of US cyber attacks plummets Message-ID: http://www.theregister.co.uk/2005/07/18/csi_fbi_security_survey/ By John Leyden 18th July 2005 The cost of individual cyber attacks fell dramatically in the US last year but unauthorised access and the theft of proprietary information remain top security concerns. The 10th annual Computer Crime and Security Survey, put together by the Computer Security Institute (CSI) in conjunction with information security experts at the FBI, shows financial losses resulting from security breaches down for the fourth successive year. The cost of breaches averaged $204,000 per respondent - down 61 per cent from last year's average loss of $526,000. Virus attacks continue as the source of the greatest financial pain, making up 32 per cent of the overall losses reported. But unauthorised access showed a dramatic increase and replaced denial of service as the second most significant contributor to cybercrime losses. Unauthorised access was fingered for a quarter (24 per cent) of losses reported in the CSI/FBI Computer Crime and Security Survey 2005. Meanwhile losses from theft of proprietary information doubled last year, based on the survey of 700 computer security practitioners in various US corporations, universities and government agencies. The study found fears about negative publicity are preventing organisations from reporting cybercrime incidents to the police, a perennial problem the CSI/FBI study reckons is only getting worse. Assuming that this under-reporting isn't also true of what respondents told CSI's researchers (academics from the University of Maryland), the study presents a picture of reducing cyber crime losses that contrasts sharply with vendor-sponsored studies.
Chris Keating, CSI Director, said the study suggests that organizations are raising their level of security awareness, but he warns against complacency in the face of a changing cybercrime threat. "Individual users are more exposed to computer crime than ever, due to the growth in identity theft schemes. We can't help but note the shift in the survey results toward more financial damage due to theft of sensitive company data. This is an ominous, though not unexpected, development and underscores the need to insist that enterprise networks be properly safeguarded," he said. The CSI/FBI Computer Crime and Security Survey aims to help determine the scope of computer crime along with promoting security awareness. It can be downloaded from the CSI's website GoCSI.com (PDF - registration required) [1]. [1] http://www.gocsi.com/forms/fbi/csi_fbi_survey.jhtml From isn at c4i.org Tue Jul 19 04:49:27 2005 From: isn at c4i.org (InfoSec News) Date: Tue Jul 19 04:55:59 2005 Subject: [ISN] NIST invites comment on draft standard Message-ID: http://www.fcw.com/article89611-07-18-05-Web By Florence Olsen July 18, 2005 Computer scientists at the National Institute of Standards and Technology have released draft versions of two documents that they consider to be among the most important in a recent series of NIST documents on information security. One is a small publication describing minimum security requirements that will become mandatory after the Commerce Department secretary signs the document, as he is expected to do at the end of this year. That document is "Draft Federal Information Processing Standard (FIPS) Publication 200: Minimum Security Requirements for Federal Information and Information Systems." [1] A second document, "Draft Special Publication 800-53A: Guide for Assessing the Security Controls in Federal Information Systems," [2] is a 152-page guide to developing a cost-effective information security program based on an agency's assessment of its risks.
Both documents are meant to help federal agencies secure their information systems and comply with the Federal Information Security Management Act (FISMA) of 2002, NIST officials said. "We have attempted to provide a security standard that establishes a level of security due diligence for federal agencies in protecting their information and information systems," Ron Ross, project leader for NIST's FISMA Implementation Project, writes in the introduction to "FIPS Publication 200." NIST will accept comments on "Draft Special Publication 800-53A" until 5 p.m. EDT Aug. 31 at sec-cert@nist.gov. Comments on "Draft FIPS Publication 200" will be accepted until 5 p.m. EDT Sept. 13 at draftfips200.nist.gov. [1] http://csrc.nist.gov/publications/drafts/FIPS-200-ipd-07-13-2005.pdf [2] http://csrc.nist.gov/publications/drafts/sp800-53A-ipd.pdf From isn at c4i.org Tue Jul 19 04:49:42 2005 From: isn at c4i.org (InfoSec News) Date: Tue Jul 19 04:56:18 2005 Subject: [ISN] Visa to Bar Transactions by Processor Message-ID: http://www.nytimes.com/2005/07/19/business/19visa.html By ERIC DASH July 19, 2005 Visa USA said yesterday that it would stop allowing the payment processor CardSystems Solutions to handle its transactions, months after the processor left the records of millions of cardholders at risk for fraud. "CardSystems has not corrected, and cannot at this point correct, the failure to provide proper data security for those accounts," said Tim Murphy, Visa's senior vice president for operations in a memorandum sent to several banks. "Visa USA has decided that CardSystems should not continue to participate as an agent in the Visa system." Cardholders and merchants should not be affected by the change. Visa said its decision to remove CardSystems came after a review and an independent investigation found that the payment processor had improperly stored cardholder data and did not have the proper controls in place. 
It is unclear if MasterCard and American Express will take similar action, but with Visa accounting for more than half of all card transactions, the move raises questions about the future of CardSystems. "I've never heard of them booting off a processor," said Avivah Litan, a security analyst at Gartner Inc., a technology research group. "The worst thing that I've heard is a processor that had to cough up $1 million." The move came at least two months after Visa first learned that data had been compromised and just days before its executives, along with those of other major card companies, have been called to testify in Washington about their security practices. The chief executive of CardSystems, John M. Perry, is also expected to testify on Thursday. In a statement released yesterday, CardSystems said Visa's decision was unexpected and upsetting. "We are disappointed and very surprised that Visa has decided to take this action today, not only because of the impact that it will have on our employees, but the disruption that it will cause to our 110,000 merchant customers," the processor said in a statement. "We hope that Visa will reconsider." Visa has given at least 11 banks, which hired CardSystems to handle the merchant transactions, until the end of October to change processors, the memo said. Until then, CardSystems will be allowed to process Visa transactions as long as it has corrected any problems and allows a Visa-affiliated monitor on site to oversee its operations in Tucson. CardSystems is also banned from handling Visa transactions from its international affiliates or any new merchants, processors or member banks in the United States. Visa had been weighing the decision for a few weeks but as recently as mid-June said that it was working with CardSystems to correct the problem. CardSystems hired an outside security assessor this month to review its policies and practices, and it promised to make any necessary upgrades by the end of August. 
CardSystems, in its statement yesterday, said the company's executives had been "in almost daily contact" with Visa since the problems were discovered in May. Visa, however, said that despite "some remediation efforts" since the incident was reported, the actions by CardSystems were not enough. "Visa cannot overlook the significant harm the data compromise and CardSystems' failure to maintain the required security protections has had on member financial institutions and merchants as well as the significant concerns it raised for cardholders," the company said in a statement. At this point, it is unclear what the other branded card companies will do. MasterCard has previously said that it was giving CardSystems a "limited amount of time to demonstrate compliance with MasterCard security requirements" but never laid out a specific timetable. Sharon Gamsin, a MasterCard spokeswoman, did not return calls seeking comment. Judy Tenzer, an American Express spokeswoman, said the company did not comment about its relationships with vendors. Leslie Sutton, a Discover Financial spokeswoman, could not offer an immediate response. Visa's decision is the latest development since the disclosure in mid-June that the CardSystems computer network had been compromised, putting the cardholder names, account numbers and security codes of as many as 40 million credit and debit cardholders at risk for fraud. The information of about 22 million Visa cardholders was exposed; MasterCard reported the data of 14 million of its cardholders was potentially at risk; and the rest largely belonged to customers of American Express and Discover. At the time, Mr. Perry of CardSystems acknowledged that the company had been improperly storing data, violating Visa and MasterCard security rules. He said data thieves directly obtained information related to some 200,000 cardholder accounts. The F.B.I. and a group of federal banking regulators are now investigating.
In its statement, Visa offered its most scathing indictment of those security violations to date. The chief executive of CardSystems had "stated that the company knowingly retained unmasked magnetic stripe cardholder data, purportedly for 'research purposes,' " Visa said. "Visa's security requirements were adopted precisely for the purpose of protecting cardholder information and guarding against the type of data compromise recently experienced by CardSystems." In the letter Visa sent to the banks, Mr. Murphy suggested that the data breach occurred as early as August 2004.

From isn at c4i.org Tue Jul 19 04:48:48 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jul 19 04:56:37 2005
Subject: [ISN] Symantec website under DDoS attack
Message-ID:

http://software.silicon.com/malware/0,3800003100,39150478,00.htm

By Dan Ilett
18 July 2005

An email worm is recruiting computers for a coordinated attack on antivirus vendor Symantec's website. Since Friday, email filtering vendor MessageLabs has intercepted 13,717 copies of the worm, dubbed Breatel.A-mm, and has issued a medium-level warning. The worm travels as an email attachment, under the subject lines: "Message could not be delivered", "Error", or "Mail Delivery System". If the attached file is opened, the computer connects to a botnet - a network of thousands of hacker-controlled computers used for illegal activity - and begins to send data to the Symantec website in the hope of crashing it. According to antivirus company F-Secure, the worm attachment contains a message to Symantec that says: "easy to talk but hard to work :) what about working in symantec? :P it is not only a mass mail worm it is also a lsass worm :)" A Symantec spokesman said that the company's infrastructure was built to withstand such attacks. The first copy of the worm was sent from Northern Ireland, MessageLabs said.
From isn at c4i.org Wed Jul 20 01:44:14 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jul 20 01:50:30 2005
Subject: [ISN] Oracle dragging heels on unfixed flaws, researcher says
Message-ID:

http://news.com.com/Oracle+dragging+heels+on+unfixed+flaws,+researcher+says/2100-1002_3-5795533.html

By Joris Evers
Staff Writer, CNET News.com
July 19, 2005

Serious unpatched security flaws exist in certain Oracle products, according to a German security researcher who said the software maker has not fixed the bugs despite knowing about them for two years. Alexander Kornbrust of Red Database Security published alerts on six security vulnerabilities on Tuesday. Five of the reported bugs are in the Oracle Reports enterprise reporting tool. Another is in Oracle Forms, a technology that is part of Oracle Developer Suite and is used to build applications. "I reported these bugs two years ago," Kornbrust said in an e-mail to CNET News.com. In April, to pressure the company into providing fixes, he told the software maker that he would publish details on the bugs if they were not patched as part of the company's July security bulletin. The most serious vulnerabilities could let an attacker gain control over an Oracle user's systems, according to the alerts. Kornbrust deems three of the bugs "high risk," two "medium risk" and one "low risk." The problems affect various versions of the Oracle products, including the newest 10g versions, he said. Oracle declined to comment on Kornbrust's report of the flaws. A company representative did say that Oracle believes details on vulnerabilities should not be disclosed before a patch is available. "We are disappointed when researchers act contrary to this industry best practice," the representative said in an e-mailed statement. Kornbrust is a respected researcher, security experts from VeriSign's iDefense and eEye Digital Security said.
He has discovered bugs in Oracle products in the past and those have been fixed by the software maker, they said. Public disclosure of flaws turns up the heat on Oracle to remedy the problems but also increases the risk of attacks, said Steve Manzuik, a product manager at eEye. "It gives other people the spot to look to find the actual problems," he said. The time that Kornbrust claims Oracle has left the vulnerabilities unpatched is "phenomenal," said Michael Sutton, a lab director at iDefense. "If true, this is one of the worst examples that I've seen of a software vendor not responsibly addressing known vulnerabilities. I'm hopeful that Oracle will publicly respond to this allegation as customers deserve an explanation," Sutton said. eEye's Manzuik agreed. "You don't even see that with the longest Microsoft vulnerability," he said. There must have been some sort of miscommunication between Oracle and Kornbrust, he suggested. Kornbrust believes Oracle could be playing for time. "It is easier to fix the bug silently in the next release and to wait until an old product is no longer supported," he said. Pete Finnigan, a security specialist in York, England, said there may be as many as 250 reported but unfixed flaws in Oracle products. "Maybe they simply have not enough security people in-house to fix the bugs," he said. Kornbrust said that he is not aware of anyone exploiting the flaws. He has offered workarounds in his advisories to protect systems. Finnigan and eEye's Manzuik recommend users apply those, after making sure the workarounds don't break their systems.
From isn at c4i.org Wed Jul 20 01:44:30 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jul 20 01:50:52 2005
Subject: [ISN] Lawsuit claims law firm hacked into Net library site
Message-ID:

Forwarded from: Marjorie Simmons

http://www.bizjournals.com/philadelphia/stories/2005/07/18/story5.html

Larry Rulison
Staff Writer
Philadelphia Business Journal
July 18, 2005

VALLEY FORGE -- An intellectual property law firm here is being sued in federal court, accused of hacking into a well-known Internet library to get evidence for a separate civil lawsuit it was defending for a client. The law firm, Harding Earley, Follmer & Frailey, is vehemently denying any wrongdoing, although it admits it legally searched the library, known as the Internet Archive, for old Web site pages produced by Healthcare Advocates Inc., a Philadelphia company that sued Harding Earley's client in federal court in 2003. In that lawsuit, Healthcare Advocates sued a Blue Bell company with a similar name called Health Advocate Inc. for misappropriation of trade secrets, unfair competition, fraud and copyright and trademark infringement, among other allegations. Both companies help consumers deal with health insurance companies and claims. The judge in the case ruled in favor of the defendants earlier this year before it even went to trial, a decision that is now under appeal. Although it has saved a whole host of digital material, including texts, audio, moving images and software, the Internet Archive is well-known among researchers and journalists for its popular search engine called the Wayback Machine that allows people to look at old Web pages that have since been changed or updated. The Internet Archive is a nonprofit organization based in San Francisco, and use of the Wayback Machine is free. Web site owners can contact the group if they do not want their pages archived.
On July 8, attorneys for Healthcare Advocates from the firm of McCarter & English sued Harding Earley and the Internet Archive, claiming that employees at the law firm hacked into the Wayback Machine to produce old Healthcare Advocates Web pages for discovery in the 2003 civil case. Among the allegations are violations of the Computer Fraud and Abuse Act by hacking into the Wayback Machine. The company is also alleging that the Internet Archive did not adequately protect the company's Web pages from viewing after the company took recommended steps to block viewing in 2003. The McCarter & English lawyer leading the case is Scott Christie, a former federal prosecutor who most recently headed the computer hacking and intellectual property unit of the U.S. Attorney's Office in New Jersey. Christie said the case is unlike any other he has ever seen. He does not know of any other case where a law firm had been sued over this type of allegation. "Computer hacking is not an acceptable discovery technique," Christie said. "I was sort of surprised by the prospect that a law firm would be involved. Hacking, for whatever purpose, is unacceptable." Although it has not been served with the lawsuit yet, Harding Earley is denying the allegations. Partner John Earley said this week in an interview that the suit was "meritless" and that no one at the firm hacked into the Wayback Machine; instead, employees merely used the Wayback Machine search engine as anyone else would. He said his employees were looking for old Healthcare Advocates Web pages to help prove his clients' case, but they never did anything illegal to get to any information that was blocked. "What didn't come up, we didn't get," Earley said. "Certainly, we didn't do [hacking]. It's kind of ridiculous." Officials at the Internet Archive were not available for comment before deadline this week. The group has not been served with the lawsuit, a spokeswoman said.
lrulison at bizjournals.com | 215-238-5136

From isn at c4i.org Wed Jul 20 01:44:44 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jul 20 01:51:16 2005
Subject: [ISN] GAO: Critical infrastructure needs more cybersecurity protections
Message-ID:

http://www.fcw.com/article89620-07-19-05-Web

By Michael Arnone
July 19, 2005

The Homeland Security Department is failing to adequately protect the nation's critical infrastructure and the information technology that supports it, the Government Accountability Office told the Senate today. DHS has made strides in improving cybersecurity but has not yet addressed long-standing cybersecurity deficiencies, said David Powner, GAO's director for IT management issues. He addressed the Senate Homeland Security and Government Affairs Subcommittee on Federal Financial Management, Government Information and International Security. "Until it effectively confronts and resolves these underlying challenges, DHS will have difficulty achieving significant results in strengthening the cybersecurity of our nation's critical infrastructures, and our nation will lack the strong cybersecurity focal point envisioned in federal law and policy," Powner said. Critical infrastructure includes systems necessary for the nation to function smoothly, including transportation, health care, the power supply and communications. DHS should act on GAO suggestions, some dating back to 2001, to enhance cybersecurity for critical infrastructure, Powner said in his written testimony submitted to the Senate subcommittee. These include:

* Develop a generally accepted methodology to strategically analyze cyberthreats and warn against them.
* Create a more detailed strategy to better protect the IT-dependent control systems for critical infrastructure with the private sector.
* Establish metrics, policies and procedures to improve information sharing with the private sector.
* Finish threat and vulnerability assessments for each sector of infrastructure.
DHS still has not accomplished several key duties laid out for it in President Bush's 2002 National Strategy to Secure Cyberspace, Powner wrote. It still has not developed a national cyberthreat assessment, nor has it assessed each sector's vulnerabilities or identified cross-sector interdependencies as the strategy calls for, he wrote. The high turnover of personnel in key cybersecurity positions weakens the National Cybersecurity Division's power to plan and fulfill activities, Powner wrote. In the past year, the NCSD director, the undersecretary for the Information Analysis and Infrastructure Protection directorate and three other senior staff members have left the department, he wrote. Powner advocated increasing the power of the NCSD's director to improve the agency's ability to form partnerships and share information. He also noted that DHS' hiring and contracting practices have led some candidates not to apply for NCSD vacancies, because they have to wait unreasonably long to be considered. Slow payments to contractors have caused NCSD to lose some contracted services, he added. In addition, DHS has done a poor job of making critical infrastructure stakeholders aware of the department's cybersecurity activities and the value of the information it provides, he testified. DHS has failed at cultivating private sector relationships, he said. Agency personnel have been too reluctant to share important information, Powner said in his written testimony. "An official from the water sector noted that when representatives called DHS to inquire about a potential terrorist threat, they were told that DHS could not share any information and that they should 'watch the news,'" he wrote. Infrastructure stakeholders in turn don't openly share their cybersecurity information with DHS, he wrote. Infrastructure representatives are unclear on how DHS will use information, share it and protect it, he wrote.
From isn at c4i.org Wed Jul 20 01:44:55 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jul 20 01:51:35 2005
Subject: [ISN] Security skills shortage may worsen
Message-ID:

http://www.zdnet.com.au/news/security/soa/Security_skills_shortage_may_worsen/0,2000061744,39203238,00.htm

By Stephen Withers
ZDNet Australia
20 July 2005

There is a security skills shortage, and "it's going to get a lot worse," delegates at the Gartner Security Summit were told yesterday by Nick Tate, chairman of AusCERT and CIO at the University of Queensland. During the CIO/CSO (chief security officer) panel session, Tate pointed to the drop in entry to tertiary IT courses, which will flow through to a reduction in the number of graduates in another year or two. "I don't feel particularly confident [about the supply of skilled staff]," he added, although in the longer term any shortages are likely to attract people to careers in IT security. He also noted the growth in interest in double degrees such as Law/IT as an entry point to an IT career. His fellow panellists agreed that shortages exist. "The industry is suffering a shortage," said Gary Blair, head of security practice at National Australia Bank, but security people seek employers that are serious about the area, such as banks. Blair is looking to develop existing staff and to hire selected individuals to round out the organisation's skill sets. "I'm slightly nervous," said Jonathan Palmer, CIO at the Australian Bureau of Statistics, about the security skills issue. However, he is "a bit worried about accreditation schemes because they can turn into portability passports," but suggests one way to keep staff is to engage them as fully as possible in the organisation so they identify as an 'ABS person' as much as an 'IT security person'.

-=-

The writer is a NAB shareholder.
From isn at c4i.org Wed Jul 20 01:45:18 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jul 20 01:52:50 2005
Subject: [ISN] Rival allegedly interfered with doctors' answering service
Message-ID:

http://www.newsday.com/news/local/wire/newyork/ny-bc-ny--servicesabotage0719jul19,0,4939557.story?coll=ny-region-apnewyork

By JIM FITZGERALD
Associated Press Writer
July 19, 2005

WHITE PLAINS, N.Y. -- The founder of a company that runs answering services for doctors tried to destroy a competitor by hacking into the firm's computer so that patients heard either a busy signal or sexual moaning when they tried to call their physicians, the Westchester district attorney said Tuesday. Gerald Martin, 37, of Pawling, also made crank calls to his rival's employees, dispatched a moving truck to its headquarters and sent its customers forged papers indicating it was being audited by the state, said District Attorney Jeanine Pirro. She said the case was "a fascinating example of when competition crosses the line into criminal behavior." Martin interfered with "the sacrosanct ability of a patient to call a doctor," Pirro said. Stuart Hayman, president of the Westchester County Medical Society, said the alleged crime "could have prevented thousands of patients from reaching their physicians in emergency situations and ... could have led to further illness, injury and even death." He said each company serves more than 1,000 physicians around the country. Pirro said one patient in California had to be rushed to an emergency room after failing to reach a doctor because of the alleged interference. She said Martin was a founder and vice president of Emergency Response Answering Service Inc. of Tarrytown. He had once worked for the company now known as Statcomm Medical Communications Inc. of White Plains but formed his new firm after an "acrimonious breakup."
The district attorney said the complaint specifies that for three days in November, Martin "interfered with the ability of Statcomm to conduct business" by hacking into the computer so that patients heard either a busy signal or "groaning, moaning in a sexual nature." He also had a moving company show up at Statcomm with a phony order to pick up six boxes of Statcomm material for the state Department of Taxation and Finance, she said. In addition, he made "crank and threatening phone calls" to Statcomm employees and sent forged audit announcements to 160 Statcomm customers, Pirro said. She said Martin's actions were "childish but something that we consider to be criminal behavior." Martin was charged with computer tampering and possession of a forged instrument. The maximum prison term would be two and one-third to seven years. His attorney, Anthony Keogh, did not immediately return a call seeking comment. A woman answering a phone at Emergency Response Answering Service refused to comment and refused to give her name; messages left at other numbers were not immediately returned.

-=-

Copyright 2005 Newsday Inc.

From isn at c4i.org Wed Jul 20 01:45:32 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jul 20 01:53:10 2005
Subject: [ISN] 'ICE' Cell Phone Plan Would Help Rescuers
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2005/07/17/AR2005071700879.html

By Sam Coates
Washington Post Staff Writer
July 18, 2005

To its owner, the cell phone is an indispensable lifeline at times of crisis, reuniting loved ones separated by unforeseen events at the touch of a button. But for members of the emergency services making life-and-death decisions, the cell poses a conundrum: Which of the numbers stored in its electronic address book should they call to reach a casualty's next of kin? Now a simple initiative, conceived by a paramedic in Britain, has gained momentum on both sides of the Atlantic to try to solve this problem.
Cell users are being urged to put the acronym ICE -- "in case of emergency" -- before the names of the people they want to designate as next of kin in their cell address book, creating entries such as "ICE -- Dad" or "ICE -- Alison." At least two police forces in the United States are considering the idea, according to the initiative's British-based promoters, who say there has been a flurry of interest since the recent bombings in London. Paramedics, police and firefighters often waste valuable time trying to figure out which name in a cell phone to call when disaster strikes, according to current and retired members of the emergency services, who said they must look through wallets for clues, or scroll through cell address books and guess. Many people identify their spouse by name in their cell, making them indistinguishable from other entries. "Sometimes dialing the number for 'Mum' or 'Dad' might not be appropriate, particularly if they are elderly, suffer from ill health or Alzheimer's," said Matthew Ware, a spokesman for the East Anglian Ambulance service, which is promoting the ICE initiative. "This would give paramedics a way of getting hold of the appropriate person in a few seconds." The idea was conceived by Bob Brotchie, a clinical team leader for the ambulance service, after years of trying to reach relatives of people he was treating. He began the ICE initiative in April, but it gained momentum only after the bombings in London, when information about the plan spread by e-mail. Ware said the East Anglian Ambulance service received 500 inquiries in six days, from South Africa, Canada, Israel, Germany, and several organizations in the United States, including a security company from Utah working on the London bombings, police departments in Florida and Texas, and a company in Ohio. Lt. Robert Stimpson, acting police chief of Madison, Conn., was one of those who contacted Ware. "I think it's a great idea. . . . 
It's so simple I can't believe that other people haven't thought of it before. Not only does it help emergency workers identify a responsible party when they come upon an unconscious person, it also helps identify the owners of lost cell phones," he said in a telephone interview. Several next-of-kin contact systems were set up after the Sept. 11, 2001, attacks, such as the nonprofit National Next of Kin Registry established in January 2004 that shares information provided to state agencies in the event of an emergency. The registry was set up by Mark Cerney, a disabled Marine who noted that the Centers for Disease Control and Prevention reported that in 2003, 900,000 emergency room patients could not provide contact information because they were incapacitated. Ware said that although there are such databases, some charge as much as $200 a year to register. The ICE initiative is available free to the 192 million cell users in the United States. Kathleen Montgomery, deputy press secretary for the Department of Homeland Security, said she did not have any comment on the matter because it was not the department's idea. Instead, she recommended that citizens look at the department's emergency preparedness site, Ready.Gov. The site recommends that next-of-kin details and other emergency information be kept on a "family contingency plan" sheet that can be downloaded from the site. The site offers wallet-size cards that can be distributed to family members with space for details about next of kin and additional information such as neighborhood meeting places, out-of-town contacts and other important telephone numbers. Erin McGee, spokeswoman for the Cellular Telecommunications and Internet Association, which represents the wireless industry, said her members welcome the ICE initiative. "I think it has the potential to catch on. From what I've read, it seems to be already spreading beyond Britain." Clark L. 
Staten, a senior analyst for the Emergency Response and Research Institute, a Chicago-based consultancy and think tank for the emergency services and military, said he thinks it sounds like a good idea, but could have a couple of pitfalls. "There may be some privacy concerns: firstly, that the next of kin or the address or phone number could be accessed by someone other than a member of the emergency service," he said. "Secondarily, the information could become out of date, and the designated next-of-kin number is disconnected or you change your next of kin altogether. The worst -- you don't want them to call the ex."

From isn at c4i.org Wed Jul 20 01:45:05 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Jul 20 01:53:33 2005
Subject: [ISN] Write down your password today
Message-ID:

http://www.theregister.co.uk/2005/07/19/password_schneier/

By John Leyden
19th July 2005

Security guru Bruce Schneier has backed calls from Microsoft's Jesper Johansson urging users to write down their passwords. In years gone by scribbling down passwords on Post-It notes was often cited as a top security mistake but the sheer volume of passwords people are obliged to remember means people often use easily-guessed login details, another security faux-pas. Schneier - well known for his original thinking and ability to apply common sense to security issues - advocates a low-tech solution to the password conundrum. "People can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down," Schneier writes in his latest Cryptogram newsletter. Using a password database (such as his own free PasswordSafe utility) is one option. But Schneier is also enthusiastic about a much more low-tech approach - think of difficult-to-guess passwords, write them down and keep them on a bit of paper in your wallet. "We're all good at securing small pieces of paper.
I recommend that people write their valuable passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet," he writes. The technique could be modified for a little extra security. "Obscure it somehow if you want added security: write 'bank' instead of the URL of your bank, transpose some of the characters, leave off your userid. This will give you a little bit of time if you lose your wallet and have to change your passwords. But even if you don't do any of this, writing down your impossible-to-memorize password is more secure than making your password easy to memorize," he concludes.

From isn at c4i.org Thu Jul 21 03:31:38 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jul 21 03:37:01 2005
Subject: [ISN] Security UPDATE -- Spyware Detection and Classification -- July 20, 2005
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Map, Scan and Audit Your Network for Security Compliance
http://list.windowsitpro.com/t?ctl=ED1D:4FB69

Using Security Compliance Software to Improve Business Efficiency and Reduce Costs
http://list.windowsitpro.com/t?ctl=ED05:4FB69

====================

1. In Focus: Spyware Detection and Classification

2. Security News and Features
- Recent Security Vulnerabilities
- VeriSign Buys iDEFENSE
- Firefox 1.0.5 Fixes a Dozen Security Problems
- IIS Application Isolation

3. Instant Poll

4. Security Toolkit
- Security Matters Blog
- FAQ
- Security Forum Featured Thread

5. New and Improved
- PC Protection

====================

==== Sponsor: Qualys ====

Map, Scan and Audit Your Network for Security Compliance
Testing and improving your network security has never been easier.
Requiring NO software, QualysGuard will safely and accurately audit your network and provide you with the necessary fixes to proactively guard your network. Qualys delivers the most vulnerability checks in the industry (4,000+), the highest scan engine accuracy - certified 99.997% accuracy based on more than a million scans per month and timely, up-to-date security checks and network intelligence. QualysGuard also delivers complete risk management functionality including: asset prioritization, business risk assessment, trend analysis, compliance reporting, remediation workflow, and more. Try the Free Scan today and make sure your network perimeter can withstand an attack:
http://list.windowsitpro.com/t?ctl=ED1D:4FB69

====================

==== 1. In Focus: Spyware Detection and Classification ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

You've probably heard by now that Microsoft is, or was, interested in making a deal to acquire Claria--a company known for its personal-information-tracking software. Formerly known as Gator, Claria is for the most part considered to be a propagator (no pun intended) of spyware that's bundled with many popular software packages such as the Kazaa peer-to-peer file-sharing application. Last I heard, Microsoft scrapped its plans to acquire the company, although I'm not sure if that's true. Nevertheless, Microsoft caught some additional heat last week because it downgraded the severity rating of Claria's software in Windows AntiSpyware. The severity rating of similar software from other companies, such as WhenU and 180solutions, was reported to have also been downgraded. In an open letter published at its Web site (see the URL below), Microsoft said it made no exceptions for Claria and that the company "decided that adjustments should be made to the classification of Claria software in order to be fair and consistent with how Windows AntiSpyware (Beta) handles similar software from other vendors."
http://list.windowsitpro.com/t?ctl=ED0D:4FB69 The letter goes on to say that "Today, anti-spyware vendors use different approaches, definitions, and types of criteria for identifying and categorizing spyware and other potentially unwanted software. This has limited the industry's ability to have a broad, coordinated impact in addressing the problem. That is a key reason Microsoft is a founding member of the Anti-Spyware Coalition, a group of technology companies and anti- spyware companies working alongside public interest groups to address key spyware issues." The Anti-Spyware Coalition (first URL below) was actually convened by the Center for Democracy and Technology earlier this year. Microsoft was one of over a dozen entities that took part in the initial meeting. The coalition recently published the first draft of its "Anti-Spyware Coalition Definitions and Supporting Documents" (second URL below), which is now open for a 30-day public comment period. http://list.windowsitpro.com/t?ctl=ED1E:4FB69 http://list.windowsitpro.com/t?ctl=ED13:4FB69 The definitions outline a number of different types of spyware and describe the underlying technology and why it might or might not be useful. Microsoft and numerous other companies undoubtedly use these definitions as part of their guidelines for classifying software in their respective antispyware solutions. So reading the documents might help you get a better understanding of what spyware is from the perspective of various vendors. Another interesting part of the documents is the outline for vendor dispute and false positive resolution. I'd guess that Claria and other vendors have used that, or a similar process, to have Microsoft review its software more closely, resulting in changes in software's severity rating in Windows AntiSpyware. 
If you're interested in learning more and helping shape the way coalition members handle spyware detection and classification, be sure to read the first draft and send any comments you might have to the coalition before the end of the public comment period, August 12. After that time, the coalition will work to publish a final release sometime in the fall. ==================== ==== Sponsor: BindView ==== Using Security Compliance Software to Improve Business Efficiency and Reduce Costs Learn To Sort Through Sarbanes-Oxley, HIPAA And More Legislation Quicker And Easier! In this free white paper, get the tips you've been looking for to save time and money in achieving IT security and regulatory compliance. Find out how you can simplify these manually intensive, compliance-related tasks that reduce IT efficiency. Turn these mandates into automated and cost effective solutions - Download your copy today! http://list.windowsitpro.com/t?ctl=ED05:4FB69 ==================== ==== 2. Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://list.windowsitpro.com/t?ctl=ED0F:4FB69 VeriSign Buys iDEFENSE VeriSign announced that it acquired security research firm iDEFENSE for $40 million in cash. iDEFENSE provides security-related information to companies around the world. http://list.windowsitpro.com/t?ctl=ED16:4FB69 Firefox 1.0.5 Fixes a Dozen Security Problems Mozilla Foundation released Firefox 1.0.5, which fixes a dozen security problems and improves stability. While Firefox 1.0.5 does represent an improvement over previous versions, it has some known issues, so be sure to read about those for any caveats that might apply to your particular systems. 
http://list.windowsitpro.com/t?ctl=ED17:4FB69 IIS Application Isolation From time to time, you're probably called on to deploy a Web application that traffics sensitive information. That application might also reside on an IIS server that hosts other applications. What questions and considerations do you think about as you devise your plan for implementing the highest degree of application isolation you can manage? Brett Hill helps you think things through in this article on our Web site. http://list.windowsitpro.com/t?ctl=ED14:4FB69 ==================== ==== Resources and Events ==== Sort Through Sarbanes-Oxley, HIPAA, and More Legislation Quicker and Easier! In this free Web seminar, get the tips you've been looking for to save time and money in achieving IT security and regulatory compliance. Find out how you can simplify these manually intensive, compliance-related tasks that reduce IT efficiency. Turn these mandates into automated and cost-effective solutions. Register now! http://list.windowsitpro.com/t?ctl=ED08:4FB69 Recover Your Active Directory Get answers to all your Active Directory recovery questions here! Join industry guru Darren Mar-Elia in this free, on-demand Web seminar and discover how to use native recovery tools and methods, how to implement a lag site to delay replication, limitations to native recovery approaches, and more. Learn how you can develop an effective AD backup strategy. Register today! http://list.windowsitpro.com/t?ctl=ED06:4FB69 All High-Availability Solutions Are not Created Equal--How Does Yours Measure Up? In this free Web seminar, you'll get the tools you need to ensure your systems aren't going down. You'll discover the various categories of high-availability and disaster-recovery solutions available and the pros and cons of each. 
You'll learn what solutions help you take preemptive, corrective action without resorting to a full system failover, or in extreme cases, that perform a non-disruptive, automatic switchover to a secondary server. http://list.windowsitpro.com/t?ctl=ED09:4FB69 Antispam product not working? Many email administrators are experiencing increased frustration with their current antispam products as they battle new and more dangerous email threats. In-house software, appliances, and even some services may no longer work effectively, require too much IT staff time to update and maintain or satisfy the needs of different users. In this free Web seminar, learn how you can search for a better way to protect your email systems and users. http://list.windowsitpro.com/t?ctl=ED0A:4FB69 Integrate Fax Services with Business Applications for Big ROI In this free eBook, you'll discover all you need to know about fax technology! You'll learn how to improve business processes by minimizing manual faxing and integrating faxing into your business workflow for improved ROI. The eBook will also look at the how-to of the desktop fax client, fax automation, faxing hardware and software technologies, and the future of faxing. Let this important guide help you stay on top of fax server technology within your business environment. http://list.windowsitpro.com/t?ctl=ED0C:4FB69 Influencers 2005: Thriving In The Face Of Regulation: How to Accommodate the New Corporate Governance Regime and Achieve Optimum Financial Performance Join Arthur Levitt, former chairman of the SEC, Arnold Hanish, and Scott Mitchell as they discuss the most important management challenge facing businesses today--Wednesday, July 20 at 11:00 a.m. EDT. Register here: http://list.windowsitpro.com/t?ctl=ED07:4FB69 ==================== ==== 3. Instant Poll ==== Results of Previous Poll: Does your network firewall provide stateful application-layer inspection in addition to the traditional stateful packet inspection? 
The voting has closed in this Windows IT Pro Security Hot Topic nonscientific Instant Poll. Here are the results from the 10 votes.
- 50% Yes
- 50% No

New Instant Poll: Do you regularly scan your external network IP addresses for open ports on your network and compare the results against a known good baseline? Go to the Security Hot Topic and submit your vote for
- Yes, I regularly scan my network and compare against a baseline.
- Yes, I periodically scan but merely review the results.
- No, I don't scan, but I think I should.
- No, I don't think scanning is useful.
http://list.windowsitpro.com/t?ctl=ED18:4FB69

==== Featured White Paper ====
Do You Know If Your Network Is At Risk Of A Trojan Attack? Discover the various methods available for controlled Internet access and how to use them to increase security and decrease legal exposure. Download your free white paper now!
http://list.windowsitpro.com/t?ctl=ED0E:4FB69

====================
==== 4. Security Toolkit ====

Security Matters Blog: Endian Firewall--Check It Out
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=ED1B:4FB69
Endian Firewall easily turns a computer into a firewall appliance. The open-source project is based on IPCop, sports a Web-based configuration, and has OpenVPN built in for quick setup of a VPN.
http://list.windowsitpro.com/t?ctl=ED12:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=ED19:4FB69
Q: How can I determine whether a Dfs root is a standalone root or a fault-tolerant root stored in Active Directory (AD)? Find the answer at
http://list.windowsitpro.com/t?ctl=ED15:4FB69

Security Forum Featured Thread: Changing a Password Without Logging In
A forum participant wants to know whether there is a way for users to change their passwords themselves without logging on to the domain.
Join the discussion at http://list.windowsitpro.com/t?ctl=ED0B:4FB69 ==================== ==== Announcements ==== (from Windows IT Pro and its partners) Check Out the New Windows IT Security Newsletter! Security Administrator is now Windows IT Security. We've expanded our content to include even more fundamentals on building and maintaining a secure enterprise. Each issue also features product coverage of the best security tools available and expert advice on the best way to implement various security components. Plus, paid subscribers get online access to our entire security article database (over 1900 security articles)! Order now: http://list.windowsitpro.com/t?ctl=ED11:4FB69 Vote for the Next MCP Hall of Famer Help decide who the most valuable member of the MCP community is. Take the time to reward excellence to those that deserve it and to make yourself a part of the first ever MCP Hall of Fame. Voting only takes a few seconds, so cast your vote now for Round 5. Click here: http://list.windowsitpro.com/t?ctl=ED1C:4FB69 ==================== ==== 5. New and Improved ==== by Renee Munshi, products@windowsitpro.com PC Protection Privacyware offers the Total Endpoint Protection Suite, which combines the company's Privatefirewall 4.0 and SafeEnd's USB Port Protector in a package that's currently priced at $39.99 per seat (with a 50-seat minimum). Privatefirewall is a firewall and Intrusion Detection System (IDS). You can select from versions of Privatefirewall that add Computer Associates' eTrust PestPatrol Anti-Spyware software only or that add both CA's PestPatrol and eTrust EZ Antivirus software. USB Port Protector lets only pre- authorized devices connect through a USB port. For more information, go to http://list.windowsitpro.com/t?ctl=ED20:4FB69 Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? 
Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com. Editor's note: Share Your Security Discoveries and Get $100 Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length. ==================== ==== Sponsored Links ==== Argent versus MOM 2005 Experts Pick the Best Windows Monitoring Solution http://list.windowsitpro.com/t?ctl=ED04:4FB69 ==================== ==== Contact Us ==== About the newsletter -- letters@windowsitpro.com About technical questions -- http://list.windowsitpro.com/t?ctl=ED1F:4FB69 About product news -- products@windowsitpro.com About your subscription -- windowsitproupdate@windowsitpro.com About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com ==================== This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today. http://list.windowsitpro.com/t?ctl=ED10:4FB69 View the Windows IT Pro privacy policy at http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy Windows IT Pro, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2005, Penton Media, Inc. All rights reserved. From isn at c4i.org Thu Jul 21 03:31:55 2005 From: isn at c4i.org (InfoSec News) Date: Thu Jul 21 03:37:18 2005 Subject: [ISN] DHS to mount major IT security exercise Message-ID: http://www.gcn.com/vol1_no1/daily-updates/36434-1.html By Wilson P. 
Dizard III
GCN Staff
07/20/05

The Homeland Security Department plans to conduct a major cybersecurity preparedness and response exercise to be called Cyber Storm in November, a department official said in congressional testimony yesterday. Andy Purdy, acting director of DHS' National Cyber Security Division (NCSD), described Cyber Storm as "a national exercise" during a hearing that focused largely on the work yet to be done in the cybersecurity field. He spoke during a hearing of the Senate Homeland Security and Governmental Affairs Subcommittee on Federal Financial Management, Government Information and International Security. According to written testimony Purdy presented, the division has worked with the Justice and Defense departments to help form the National Cyber Response Coordination Group (NCRCG). "The NCRCG has developed a concept of operations for national cyberincident response that will be examined in the National Cyber Exercise, Cyber Storm, to be conducted by NCSD in November 2005 with public and private-sector stakeholders." Subcommittee Chairman Tom Coburn (R-Okla.) cited Government Accountability Office criticism of the department's cybersecurity programs. "Cybersecurity plays an important part in the protection of the critical infrastructure," Coburn said, adding that his committee planned to hold additional hearings on the topic. Coburn advocated improved organizational stability for the cybersecurity division and said, "I ask that the department build partnerships with the private sector in the cybersecurity field." Purdy's testimony focused on DHS' cybersecurity priorities, activities and plans, but questions from Coburn and other lawmakers focused on some of the gaps and remaining needs in the arena. David Powner, director of IT management issues for GAO, highlighted the shortcomings of DHS' cybersecurity programs. "Recent attacks and threats have increased the need for cyberdefense," Powner said.
Noting that "DHS faces many challenges" in implementing its cybersecurity policy, Powner added, "Although DHS has exerted effort to address each of the 13 cybersecurity responsibilities it has, they are incomplete." He especially emphasized DHS' need to achieve a stable organization. The division has operated with an acting director since last fall, and faces an additional reorganization with the creation of an assistant secretary for cybersecurity and telecommunications slot. From isn at c4i.org Thu Jul 21 03:32:08 2005 From: isn at c4i.org (InfoSec News) Date: Thu Jul 21 03:37:42 2005 Subject: [ISN] Hacker Mitnick preaches social engineering awareness Message-ID: http://www.computerworld.com.au/index.php/id%3B1016567243%3Bfp%3B16%3Bfpid%3B0 Rodney Gedda 21/07/2005 Properly trained staff, not technology, is the best protection against social engineering attacks on sensitive information, according to security consultant and celebrity hacker Kevin Mitnick. "People are used to having a technology solution [but] social engineering bypasses all technologies, including firewalls," Mitnick said. "Technology is critical but we have to look at people and processes. Social engineering is a form of hacking that uses influence tactics." During his keynote address at this year's Citrix iForum conference in Sydney today, Mitnick said hackers are analyzing the "bigger picture" and are looking for the weakest link, which is "people like you and me". "Why do hackers use social engineering? It's easier than exploiting a technology vulnerability," he said. "You can't go and download a Windows update for stupidity... or gullibility." Mitnick said social engineering appeals to hackers because the Internet is so widespread, it evades all intrusion detection systems, it's free or very low cost, it's low risk, it works on every operating system, leaves no audit trail, is nearly 100 percent effective, and there is a general lack of awareness of the problem. 
"Social engineering attacks can be simple or complex and take from minutes to years," he said, adding that surveys have revealed that nine out of 10 people will give their password in exchange for a chocolate Easter egg. Mitnick spoke of how social engineering has been used to extract millions of dollars from banks and how he used the technique to siphon source code for a mobile phone out of Motorola by posing as an employee in its own R&D department. Mitnick also mentioned how he is not immune to the social engineering scourge and was sent an e-mail 'phishing' for information from his PayPal account earlier this year. "The attacks are real and the threat is real so I encourage everyone to do something about it," he said, adding the main target is the helpdesk because "it's there to help". Pretexting, where the hacker takes on an acting role, is the heart of social engineering, Mitnick said, because people need reasonable justification to fulfill a request. Hackers establish an identity and role, build a rapport through linking or other influence tactics, and leave an "out" to avoid "burning" the source. Intelligence gathering exercises may include seeking titles of company positions so hackers know who to target, and good old "dumpster diving" where the company's garbage is screened for information. Mitnick said even large companies participate in dumpster diving as Oracle was recently caught sifting through Microsoft's garbage. When Mitnick was 17, he did some dumpster diving and found an employee directory and source code in piles of rubbish. To combat social engineering attacks, Mitnick said organizations need to build a "human firewall" and fill existing holes such as illusions of invulnerability. "It can happen to anyone," he said. "People naturally want to help people and underestimate the value of information." Mitigation techniques begin with top management buy-in and demonstrating personal vulnerability. 
"Establish an employee participation program," he said. "Develop simple rules to define what is sensitive information [and] build a human firewall by raising awareness." Mitnick recommends performing social engineering pen-tests, not forgetting periodic dumpster diving, and modifying the organization's politeness norms - "it's OK to say No!" "Use technology to remove employee decision making," he said. "The big challenge is to balance productivity and sensitivity."

From isn at c4i.org Thu Jul 21 03:32:25 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jul 21 03:38:01 2005
Subject: [ISN] AusCERT threatened by anti-cyberterrorism plans
Message-ID:

http://www.zdnet.com.au/news/security/soa/AusCERT_threatened_by_anti_cyberterrorism_plans/0,2000061744,39203240,00.htm

By Munir Kotadia
ZDNet Australia
20 July 2005

The future of the Australian Computer Emergency Response Team (AusCERT) is uncertain after the government implemented plans to create a national computer emergency readiness team (GovCERT) to deal with cyberterrorism attacks. GovCERT was set up earlier this year to prepare for an attack on Australia's critical IT infrastructure. According to the Attorney General's office in Canberra, GovCERT is designed to fill a gap between the government's internal security team and AusCERT, an independent, not-for-profit organisation which provides computer incident prevention, response and mitigation, a national alert service and an incident reporting scheme to member companies. However, Graham Ingram, director of AusCERT, has warned that GovCERT's role should be restricted to planning and coordinating actions in case of an attack and not duplicate or interfere with the functionality of AusCERT. "From what I know [GovCERT] has a focused requirement -- coordinating infrastructure response on information issues for the government, which is not what AusCERT is about or a space we wish to be in," said Ingram.
Ingram said Australia lacked a plan of action to deal with a cyber-terrorism incident. "If a bomb went off, we have a national counter-terrorism plan, which is practiced and everyone's roles and functions are predetermined. We don't have a national cyber response plan -- if something happened tomorrow, nobody has a clue who does what. My personal view is that this is an area where Australia is lacking and if that is where the government can put some effort or resources I would see that as a productive outcome," said Ingram. Ingram is concerned that GovCERT will drain public money by creating an organisation that will attempt to duplicate AusCERT's role. "As it stands the level of support from the government is minuscule but they want to up that. I would much prefer they put more effort into supporting AusCERT because you cannot duplicate it. If AusCERT didn't exist, the cost to the government would be estimated at somewhere between AU$5 million and AU$10 million a year. They would like to offer us about AU$700,000," said Ingram. "The wise move is to support AusCERT because the costs of not doing it are enormous," added Ingram. Security experts are concerned about the GovCERT/AusCERT standoff because they believe the risk of a major 'incident' is increasing. Andy Lake, director of partners at e-mail security firm MessageLabs, warned that there have already been signs that a serious attack is on its way: "Over the last year we have seen a rise in targeted attacks but their motivations have tended to be commercial. That sort of cyberattack is definitely on the rise and we fully expect to see it in Australia, maybe this year." Neil Campbell, national security manager of IT services company Dimension Data, agreed the risks are increasing. "There have been a few instances of sabotage that you could technically call terrorism but I am not aware of us having suffered a cyber-terrorism incident -- but that doesn't mean we won't," said Campbell.
MessageLabs' Lake said that if Australia suffered a cyberattack, most people would immediately look to AusCERT for advice. "We have a lot of faith in AusCERT. Up till GovCERT we would have looked to AusCERT and been confident that they could do something," said Lake. James Turner, security analyst at Frost & Sullivan Australia, said that there is a need for both an independent and government controlled CERT and there are no reasons why both cannot work together. "The government needs a body that is government controlled -- for international intelligence. How likely is it that the US will stroll into AusCERT and say they have just picked up certain information? They are not because they are going to want to give it to a government organisation," said Turner. Turner believes that the introduction of GovCERT is a natural evolution and will help better protect Australia. "The nature of AusCERT is going to change but that is just business. There will be overlap between them but that is just part of security -- you need resiliency. If the people creating GovCERT are thinking about it, there will be quite a nice harmony," said Turner. Dimension Data's Campbell said that regardless of how the government handles the GovCERT and AusCERT saga, it will be criticised. "If you say there are not going to be any cyberterrorism incidents and there are, and you were not prepared for them, you are in trouble. If you spend too much money protecting against an unlikely threat, have you done the worst thing in the world? "Hindsight is going to be a harsh judge. You are damned if you do and damned if you don't -- I'd rather be damned for doing it," added Campbell.
From isn at c4i.org Thu Jul 21 03:32:38 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jul 21 03:38:19 2005
Subject: [ISN] Hacker Gets Access To ISU Alumni Information
Message-ID:

http://www.theiowachannel.com/technology/4746729/detail.html

July 20, 2005

AMES, Iowa -- Iowa State University is sending out a warning to alumni Wednesday after a hacker had access to the alumni association Web site. A computer at Iowa State University's Alumni Association was hacked into, allowing outside access to thousands of Social Security numbers and pages of credit card information. "It's becoming easier to attack systems with tools available on the Web," said Jim Davis of ISU's information technology department. University officials are still unsure whether the hacker accessed the computer in search of the sensitive information. But they are saying it is possible that data was accessed and has been misused. By tapping into the computer, the hacker had access to 2,031 student and volunteer Social Security numbers and 2,379 credit card numbers. Kate Bruns of the ISU Alumni Association, who updates the group's Web site, said they were able to pull up a list of everyone whose information was on the server. E-mail was sent out to members after the security breach was discovered. Those who did not receive an e-mail from the association should be OK, NewsChannel 8 reported. However, those with questions can call the association at (877) ISU-ALUM.

From isn at c4i.org Fri Jul 22 14:27:44 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 22 14:37:15 2005
Subject: [ISN] Last Of World War II Comanche Code Talkers Dies In Tulsa
Message-ID:

http://www.kotv.com/main/home/stories.asp?whichpage=1&id=87138

July 22, 2005

OKLAHOMA CITY (AP) -- Charles Chibitty, the last surviving Comanche code talker from World War II, has died in Tulsa at age 83. Cathy Flynn with the Comanche Nation headquarters in Lawton says Chibitty died Wednesday at a Tulsa nursing home.
Chibitty was one of 20 Comanche Indians who used their native language as a code to send messages that the Germans couldn't decipher. A group of Navajos did the same in the Pacific theater and the Choctaws served as code talkers during World War I. Chibitty was born near Medicine Park and attended high school at Haskell Indian School in Lawrence, Kansas, before joining the Army in 1941. He was assigned to the Fourth Infantry Division and was on Utah Beach during the D-Day invasion. Chibitty rose to corporal and was awarded the World War Two Victory Medal, the European Theater of Operations Victory Medal, the Europe African Middle East Campaign Medal and the Good Conduct Medal. In 1999 he received a special award, the Knowlton Award, from the Army for exceptional service and outstanding intelligence work.

From isn at c4i.org Fri Jul 22 14:28:17 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 22 14:37:43 2005
Subject: [ISN] Credit Data Firm Might Close
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2005/07/21/AR2005072102465.html

By Jonathan Krim
Washington Post Staff Writer
July 22, 2005

The head of a payment processing firm that was infiltrated by computer hackers, exposing as many as 40 million credit card holders to possible fraud, told Congress yesterday that his company is "facing imminent extinction" because of its disclosure of the breach and industry's reaction to it. "As a result of coming forward, we are being driven out of business," John M. Perry, chief executive of CardSystems Solutions Inc., told a House Financial Services Committee subcommittee considering data-protection legislation. He said that if his firm is forced to shut down, other financial companies will think twice about disclosing such attacks. Visa USA Inc. and American Express Co. recently announced after investigating the breach at CardSystems' Tucson, Ariz., facility that they would no longer allow the firm to process transactions made with their cards.
Atlanta-based CardSystems is one of several firms that serve as a little-known hub in the nation's commerce system, transferring payments between the banks of credit card-using consumers and the banks of the merchants where purchases are made. Perry called the decisions by Visa and American Express draconian and said that unless Visa reconsiders, CardSystems would close and put 115 people out of work. CardSystems handles only a small percentage of American Express transactions, while Visa accounts for a large part of its business. Perry said closing his company could disrupt the ability of merchants to complete transactions, since it might take time for them to arrange for alternate payment processors. For that reason, Visa said it is not cutting off the company until Oct. 31. While Perry said his company is doing everything it can to ensure that such a breach never occurs again, Visa said it could not overlook that CardSystems knowingly violated contractual requirements for how long credit card data were supposed to be stored and how they were secured. Rosetta Jones, a Visa USA spokeswoman, said after the hearing that the credit card giant also has had difficulty getting sufficient information from CardSystems since the breach occurred. Nonetheless, at the urging of Rep. Rick Renzi (R-Ariz.), Visa agreed to another meeting with CardSystems before it severs ties with the firm. Neither Perry nor representatives of the major credit card companies could explain at the hearing why an audit of CardSystems in 2003 did not address its computer vulnerabilities or its practice of retaining some data for research purposes. Of the 40 million credit card numbers in CardSystems' data banks, roughly 240,000 are known to have been downloaded in May by the hackers, who implanted malicious computer code into the company's network last fall to gain access to the information.
The files did not contain Social Security numbers, driver's license data or other personal information frequently targeted by identity thieves. Perry said that he knows of no purloined credit card numbers that were used fraudulently, although MasterCard -- which first announced the breach to the public last month -- said that "a small number" of card numbers were misused. Law enforcement agencies, including the FBI, are investigating the incident. Subcommittee members, while condemning the data breaches that have exposed millions of consumers to possible fraud or identity theft in the past year, disagreed on what Congress should do about it. "The CardSystems incident is a spectacular failure" of private industry to effectively secure personal data, Rep. Carolyn B. Maloney (D-N.Y.) said in urging greater regulation. "We need to provide the legal structure to fix it." In response, Rep. Tom Price (R-Ga.), admonished members against "greater regulation and greater penalties, which is oftentimes the knee-jerk reaction" to problems. With numerous House and Senate bills already introduced to address identity fraud and theft, and several more being prepared, both parties expect legislative action. Most bills would require disclosure of breaches, though the industry supports limiting notification to cases in which there is significant risk that the data could be used for fraud or identity theft. Representatives of the credit card companies yesterday also supported proposals to extend federal security requirements to payment processors, not just banks and financial institutions covered by current law. Some proposals go further and are likely to be opposed by the financial industry. A Senate Commerce Committee bill would allow consumers to "freeze" their credit, preventing anyone from getting loans or credit approval in their names without express permission. 
Evan Hendricks, editor of Privacy Times, who testified yesterday as a privacy expert, said he supports giving consumers the right to sue when they are damaged by breaches caused by lax security. "Some companies won't have adequate security unless they are forced to," he said.

© 2005 The Washington Post Company

From isn at c4i.org Fri Jul 22 14:30:54 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 22 14:38:00 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-29
Message-ID:

========================================================================

                  The Secunia Weekly Advisory Summary
                        2005-07-14 - 2005-07-21

                       This week : 58 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Leon Juranic has reported a vulnerability in Winamp, which can be exploited by malicious people to compromise a user's system.

The vendor has released an updated version, please view Secunia advisory below for additional details.

Reference:
http://secunia.com/SA16077

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Weeks Top Ten Most Read Advisories:

1.  [SA16071] Windows Remote Desktop Protocol Denial of Service Vulnerability
2.  [SA16105] Skype "skype_profile.jpg" Insecure Temporary File Creation
3.  [SA16004] Microsoft Windows Color Management Module Buffer Overflow
4.  [SA16043] Firefox Multiple Vulnerabilities
5.  [SA16077] Winamp ID3v2 Tag Handling Buffer Overflow Vulnerability
6.  [SA15998] Microsoft Word Font Parsing Buffer Overflow Vulnerability
7.  [SA16065] Windows Network Connections Service Denial of Service
8.  [SA16059] Mozilla Multiple Vulnerabilities
9.  [SA15489] Mozilla / Firefox / Camino Dialog Origin Spoofing Vulnerability
10. [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerabilities

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA16077] Winamp ID3v2 Tag Handling Buffer Overflow Vulnerability
[SA16115] Hosting Controller Multiple Vulnerabilities
[SA16104] VP-ASP Shopping Cart SQL Injection Vulnerabilities
[SA16098] Novell GroupWise WebAccess Script Insertion Vulnerability
[SA16097] MDaemon IMAP Authentication Denial of Service Vulnerability
[SA16135] Hitachi Groupmax Form and Web Workflow Server Set Denial of Service
[SA16131] DVBBS "showerr.asp" Cross-Site Scripting Vulnerability
[SA16124] PeanutHull Privilege Escalation Vulnerability
[SA16127] Check Point VPN-1 SecuRemote / SecureClient Information Disclosure Weakness

UNIX/Linux:
[SA16114] Debian update for krb5
[SA16109] SGI Advanced Linux Environment Multiple Updates
[SA16103] Gentoo update for php
[SA16101] Gentoo update for mozilla-thunderbird
[SA16095] Gentoo update for mozilla-firefox
[SA16089] SUSE update for acroread
[SA16086] Trustix update for multiple packages
[SA16079] Conectiva update for php4
[SA16122] Debian update for affix
[SA16116] Debian update for phppgadmin
[SA16106] Avaya Predictive Dialing System TCP/IP Denial of Service
[SA16094] Avaya telnet Two Vulnerabilities
[SA16085] BitDefender for Mail Servers Malware Detection Bypass
[SA16080] Slackware update for xv
[SA16121] Sun Management Center Oracle Listener Vulnerabilities
[SA16112] Debian update for heimdal
[SA16132] Apple Airport Insecure Association Security Issue
[SA16130] Gentoo update for mediawiki
[SA16119] HP Tru64 UNIX TCP/IP Implementation Vulnerabilities
[SA16083] Slackware update for tcpdump
[SA16113] Mandriva update for nss_ldap / pam_ldap
[SA16107] Gentoo update for dhcpcd
[SA16088] Red Hat update for cups
[SA16087] Shorewall Rules / Policies Bypass Security Issue
[SA16076] Gentoo update for pam_ldap / nss_ldap
[SA16133] Fedora update for kdelibs
[SA16120] Debian update for ekg
[SA16118] Debian update for heartbeat
[SA16105] Skype "skype_profile.jpg" Insecure Temporary File Creation
[SA16102] ekg Shell Command Injection and Insecure Temporary File Creation
[SA16099] KDE Kate / KWrite Backup File Insecure File Permissions
[SA16084] Avaya Various Products glibc Vulnerabilities

Other:
[SA16125] F5 Networks BIG-IP / 3-DNS Three Vulnerabilities
[SA16126] Blue Coat Products ICMP Message Handling Denial of Service

Cross Platform:
[SA16093] MooseGallery "type" File Inclusion Vulnerability
[SA16091] Race Driver Format String and Buffer Overflow Vulnerabilities
[SA16090] CaLogic "CLPATH" Arbitrary File Inclusion Vulnerability
[SA16134] ReviewPost PHP Pro "sort" SQL Injection Vulnerability
[SA16117] e107 Nested BBcode Script Insertion Vulnerability
[SA16111] PowerDNS Two Denial of Service Vulnerabilities
[SA16108] Sybase EAServer WebConsole Buffer Overflow Vulnerability
[SA16092] Oracle Reports / Forms Multiple Vulnerabilities
[SA16082] Sophos Anti-Virus ZIP Archive Denial of Service Vulnerability
[SA16078] class-1 Forum Software Cross-Site Scripting and SQL Injection
[SA16129] CuteNews "selected_search_arch" Cross-Site Scripting Vulnerability
[SA16123] PHP Surveyor SQL Injection Vulnerabilities
[SA16110] PHPPageProtect Cross-Site Scripting Vulnerabilities
[SA16096] PHP-Fusion BBcode "color" CSS Code Insertion Vulnerability
[SA16081] Macromedia JRun Authentication Token Security Issue

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA16077] Winamp ID3v2 Tag Handling Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-07-15

Leon Juranic has reported a vulnerability in Winamp, which can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/16077/

--

[SA16115] Hosting Controller Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2005-07-18

Soroush Dalili has discovered some vulnerabilities in Hosting Controller, which can be exploited by malicious users to gain knowledge of sensitive information, modify data, or conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/16115/

--

[SA16104] VP-ASP Shopping Cart SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-07-18

Some vulnerabilities have been reported in VP-ASP Shopping Cart, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/16104/

--

[SA16098] Novell GroupWise WebAccess Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-07-19

Francisco Amato has reported a vulnerability in Novell GroupWise, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/16098/

--

[SA16097] MDaemon IMAP Authentication Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-07-19

kcope has discovered a vulnerability in MDaemon, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/16097/

--

[SA16135] Hitachi Groupmax Form and Web Workflow Server Set Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-07-20

A vulnerability has been reported in Groupmax Web Workflow Server Set for (ASP) Active Server Pages and Groupmax Form for ASP, which can be exploited by malicious users to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/16135/

--

[SA16131] DVBBS "showerr.asp" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-07-20

rUnViRuS has discovered a vulnerability in DVBBS, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/16131/

--

[SA16124] PeanutHull Privilege Escalation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-07-20

Sowhat has discovered a vulnerability in PeanutHull, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/16124/

--

[SA16127] Check Point VPN-1 SecuRemote / SecureClient Information Disclosure Weakness

Critical:    Not critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2005-07-20

Sylvain Roger has discovered a weakness in SecuRemote / SecureClient, which potentially can be exploited by malicious, local users to gain knowledge of certain information.

Full Advisory:
http://secunia.com/advisories/16127/

UNIX/Linux:--

[SA16114] Debian update for krb5

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-07-18

Debian has issued an update for krb5. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16114/

--

[SA16109] SGI Advanced Linux Environment Multiple Updates

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, Exposure of system information, Privilege escalation, DoS, System access
Released:    2005-07-18

SGI has issued a patch for SGI Advanced Linux Environment.
This fixes multiple vulnerabilities, which can be exploited by malicious, local users to potentially perform certain actions on a vulnerable system with escalated privileges, by malicious users to bypass certain security restrictions, and by malicious people to cause a DoS (Denial of Service), overwrite arbitrary files on a user's system, gain knowledge of various information, or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16109/

--

[SA16103] Gentoo update for php

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-07-18

Gentoo has issued an update for php. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16103/

--

[SA16101] Gentoo update for mozilla-thunderbird

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, System access
Released:    2005-07-18

Gentoo has issued an update for mozilla-thunderbird. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, gain knowledge of potentially sensitive information, conduct cross-site scripting attacks and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16101/

--

[SA16095] Gentoo update for mozilla-firefox

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Spoofing, System access
Released:    2005-07-15

Gentoo has issued an update for mozilla-firefox. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, conduct spoofing and cross-site scripting attacks, and compromise a user's system.
Full Advisory:
http://secunia.com/advisories/16095/

--

[SA16089] SUSE update for acroread

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-07-15

SUSE has issued an update for acroread. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16089/

--

[SA16086] Trustix update for multiple packages

Critical:    Highly critical
Where:       From remote
Impact:      Privilege escalation, DoS, System access
Released:    2005-07-15

Trustix has issued various updated packages. These fix some vulnerabilities, which potentially can be exploited by malicious, local users to gain escalated privileges, or by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16086/

--

[SA16079] Conectiva update for php4

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-07-15

Conectiva has issued an update for php4. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16079/

--

[SA16122] Debian update for affix

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-07-19

Debian has issued an update for affix. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16122/

--

[SA16116] Debian update for phppgadmin

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2005-07-18

Debian has issued an update for phppgadmin. This fixes a vulnerability, which can be exploited by malicious people to disclose sensitive information.
Full Advisory:
http://secunia.com/advisories/16116/

--

[SA16106] Avaya Predictive Dialing System TCP/IP Denial of Service

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-07-19

Avaya has acknowledged a vulnerability in Avaya Predictive Dialing System, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/16106/

--

[SA16094] Avaya telnet Two Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-07-15

Avaya has acknowledged two vulnerabilities in Intuity Audix, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16094/

--

[SA16085] BitDefender for Mail Servers Malware Detection Bypass

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-07-15

Alexander Hagenah has reported a vulnerability in BitDefender for Mail Servers, which can be exploited by malware to bypass certain scanning functionality.

Full Advisory:
http://secunia.com/advisories/16085/

--

[SA16080] Slackware update for xv

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-07-15

Full Advisory:
http://secunia.com/advisories/16080/

--

[SA16121] Sun Management Center Oracle Listener Vulnerabilities

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2005-07-19

Sun has acknowledged some vulnerabilities in Sun Management Center, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16121/

--

[SA16112] Debian update for heimdal

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2005-07-18

Debian has issued an update for heimdal. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/16112/

--

[SA16132] Apple Airport Insecure Association Security Issue

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-07-20

A security issue has been reported in Airport, which may result in a user associating to an unsecure network without warning.

Full Advisory:
http://secunia.com/advisories/16132/

--

[SA16130] Gentoo update for mediawiki

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-07-20

Gentoo has issued an update for mediawiki. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/16130/

--

[SA16119] HP Tru64 UNIX TCP/IP Implementation Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Spoofing, DoS
Released:    2005-07-19

HP has acknowledged some vulnerabilities in HP Tru64 UNIX, which can be exploited by malicious people to cause various types of DoS (Denial of Service) or spoof TCP traffic.

Full Advisory:
http://secunia.com/advisories/16119/

--

[SA16083] Slackware update for tcpdump

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-07-15

Slackware has issued an update for tcpdump. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/16083/

--

[SA16113] Mandriva update for nss_ldap / pam_ldap

Critical:    Less critical
Where:       From local network
Impact:      Exposure of sensitive information
Released:    2005-07-19

Mandriva has issued an update for nss_ldap / pam_ldap. This fixes a security issue, which can be exploited by malicious people to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/16113/

--

[SA16107] Gentoo update for dhcpcd

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2005-07-18

Gentoo has issued an update for dhcpcd.
This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/16107/

--

[SA16088] Red Hat update for cups

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass
Released:    2005-07-15

Red Hat has issued an update for cups. This fixes a vulnerability, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/16088/

--

[SA16087] Shorewall Rules / Policies Bypass Security Issue

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass
Released:    2005-07-18

A security issue has been reported in Shorewall, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/16087/

--

[SA16076] Gentoo update for pam_ldap / nss_ldap

Critical:    Less critical
Where:       From local network
Impact:      Exposure of sensitive information
Released:    2005-07-14

Gentoo has issued an update for pam_ldap and nss_ldap. This fixes a security issue, which can be exploited by malicious people to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/16076/

--

[SA16133] Fedora update for kdelibs

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2005-07-20

Fedora has issued an update for kdelibs. This fixes a security issue, which can be exploited by malicious, local users to gain knowledge of certain information.

Full Advisory:
http://secunia.com/advisories/16133/

--

[SA16120] Debian update for ekg

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-07-19

Debian has issued an update for ekg. This fixes some vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory:
http://secunia.com/advisories/16120/

--

[SA16118] Debian update for heartbeat

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-07-19

Debian has issued an update for heartbeat. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/16118/

--

[SA16105] Skype "skype_profile.jpg" Insecure Temporary File Creation

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-07-18

Giovanni Delvecchio has discovered a vulnerability in Skype for Linux, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/16105/

--

[SA16102] ekg Shell Command Injection and Insecure Temporary File Creation

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-07-19

Marcin Owsiany and Wojtek Kaniewski have reported two vulnerabilities in ekg, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/16102/

--

[SA16099] KDE Kate / KWrite Backup File Insecure File Permissions

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2005-07-19

bjoern has reported a security issue in Kate and KWrite, which can be exploited by malicious, local users to gain knowledge of certain information.
Full Advisory:
http://secunia.com/advisories/16099/

--

[SA16084] Avaya Various Products glibc Vulnerabilities

Critical:    Less critical
Where:       Local system
Impact:      Exposure of system information, Privilege escalation
Released:    2005-07-15

Avaya has acknowledged two vulnerabilities in several products, which can be exploited by malicious, local users to gain knowledge of certain system information or conduct certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/16084/

Other:--

[SA16125] F5 Networks BIG-IP / 3-DNS Three Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-07-20

F5 Networks has acknowledged some vulnerabilities in BIG-IP and 3-DNS, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16125/

--

[SA16126] Blue Coat Products ICMP Message Handling Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-07-20

Blue Coat Systems has acknowledged some vulnerabilities in various products, which can be exploited by malicious people to cause a DoS (Denial of Service) on an active TCP session.

Full Advisory:
http://secunia.com/advisories/16126/

Cross Platform:--

[SA16093] MooseGallery "type" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-07-15

][GB][ has discovered a vulnerability in MooseGallery, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16093/

--

[SA16091] Race Driver Format String and Buffer Overflow Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-07-19

Luigi Auriemma has reported two vulnerabilities in Race Driver, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/16091/

--

[SA16090] CaLogic "CLPATH" Arbitrary File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-07-19

sky has discovered a vulnerability in CaLogic, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16090/

--

[SA16134] ReviewPost PHP Pro "sort" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-07-20

A vulnerability has been reported in ReviewPost, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/16134/

--

[SA16117] e107 Nested BBcode Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-07-20

Nick Griffin has discovered a vulnerability in e107, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/16117/

--

[SA16111] PowerDNS Two Denial of Service Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-07-18

Two vulnerabilities have been reported in PowerDNS, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/16111/

--

[SA16108] Sybase EAServer WebConsole Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-07-18

SPI Dynamics has reported a vulnerability in Sybase EAServer, which can be exploited by malicious users to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/16108/

--

[SA16092] Oracle Reports / Forms Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, Exposure of sensitive information, Privilege escalation, System access
Released:    2005-07-20

Alexander Kornbrust has reported some vulnerabilities in Oracle Reports and Forms, which can be exploited to gain escalated privileges, gain knowledge of certain information, overwrite arbitrary files, conduct cross-site scripting attacks, or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16092/

--

[SA16082] Sophos Anti-Virus ZIP Archive Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-07-15

A vulnerability has been reported in Sophos Anti-Virus, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/16082/

--

[SA16078] class-1 Forum Software Cross-Site Scripting and SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2005-07-14

Lostmon has discovered some vulnerabilities in class-1 Forum Software, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/16078/

--

[SA16129] CuteNews "selected_search_arch" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information
Released:    2005-07-20

rgod has discovered a vulnerability in CuteNews, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/16129/

--

[SA16123] PHP Surveyor SQL Injection Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data, Exposure of system information
Released:    2005-07-20

thegreatone has discovered some vulnerabilities in PHP Surveyor, which can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/16123/

--

[SA16110] PHPPageProtect Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-07-19

rgod has discovered some vulnerabilities in PHPPageProtect, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/16110/

--

[SA16096] PHP-Fusion BBcode "color" CSS Code Insertion Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-07-20

Grindordie has discovered a vulnerability in PHP-Fusion, which can be exploited by malicious people to manipulate the view of the web site interface.

Full Advisory:
http://secunia.com/advisories/16096/

--

[SA16081] Macromedia JRun Authentication Token Security Issue

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-07-15

A security issue has been reported in JRun, which can result in malicious users gaining access to another user's session.

Full Advisory:
http://secunia.com/advisories/16081/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

From isn at c4i.org Fri Jul 22 14:28:01 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 22 14:38:19 2005
Subject: [ISN] Wireless network hijacker found guilty
Message-ID:

http://management.silicon.com/government/0,39024677,39150672,00.htm

By Dan Ilett
22 July 2005

A UK man has been fined £500 and sentenced to 12 months' conditional discharge for hijacking a wireless broadband connection.

On Wednesday, a jury at Isleworth court in London found Gregory Straszkiewicz, 24, guilty of dishonestly obtaining an electronic communications service and possessing equipment for fraudulent use of a communications service.

Straszkiewicz was prosecuted under sections 125 and 126 of the Communications Act 2003.

Police sources said Straszkiewicz was caught standing outside a building in a residential area holding a wireless-enabled laptop.

The Crown Prosecution Service confirmed that Straszkiewicz was 'piggybacking' the wireless network that householders were using. He was reported to have attempted this several times before police arrested him.

The case is believed to be the first of its kind in the UK.

Last year, 21-year-old Brian Salcedo was sentenced to nine years in a US prison for siphoning credit card numbers over a wireless network from hardware store Lowes.

From isn at c4i.org Fri Jul 22 14:31:08 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Jul 22 14:38:35 2005
Subject: [ISN] ChoicePoint says data theft cost it $6M
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,103384,00.html

By Linda Rosencrance
JULY 21, 2005
COMPUTERWORLD

Credit and personal information vendor ChoicePoint Inc. took a $6 million charge in its second quarter, which ended June 30, citing costs associated with the theft of personal information on 145,000 consumers, the company said yesterday.

The $6 million was used for legal expenses and other professional fees related to the data theft, Alpharetta, Ga.-based ChoicePoint said in a statement [1].

The second-quarter charge came on top of a $5.4 million charge the company had to take in the first quarter related to the same incident. That first-quarter expense included $2 million spent on communications to the affected consumers and for providing those people with credit reports and credit monitoring services. Approximately $3.4 million went for legal and professional fees, ChoicePoint said.

ChoicePoint provides data to credit providers, government agencies, landlords and others who use personal information to approve loans, leases and other contracts.

In February, ChoicePoint said the data theft occurred when "a small number of very well-organized criminals posed as legitimate companies to gain access to personal information about consumers." (see "State officials push ChoicePoint on ID theft notifications")[2].

Information provided by ChoicePoint has since been used in about 750 identity-theft scams, according to the company.

"It's becoming more expensive [to handle these security breaches], and the reason it's becoming more expensive recently is because of the new notification laws," said James Van Dyke, principal analyst at Javelin Strategy & Research, a Pleasanton, Calif., financial consulting firm. "So we have every reason to believe that data breaches like that at ChoicePoint, sadly, have actually been going on for longer than most people realize....

"It's laws such as those in the state of California and other parts of the U.S., requiring new notification, that are bringing these cases to light," Van Dyke said. "ChoicePoint happened to be the first big one after these notification laws [went into effect].
We'll see investments like that of ChoicePoint as these companies seek to avoid the kind of a death sentence CardSystems received from American Express and Visa. Companies like ChoicePoint will spend this money on public relations, procedures and on partner relations." Earlier this week, Visa U.S.A. Inc. and American Express Co. said separately that they are terminating contracts with CardSystems Solutions Inc., a credit card transaction-processing company that was hit by hacker attacks, potentially exposing 40 million card numbers to online intruders. The companies said CardSystems, in Atlanta, didn?t meet contractual requirements in providing processing services for merchants that accept the credit cards. As a result, they will no longer allow CardSystems to process their transactions after October. Those decisions come in the wake of the announcement last month from MasterCard International Inc. that 13.9 million of its credit card numbers were among the 40 million that may have been accessed by intruders who infiltrated CardSystems' network (see "Security breach may have exposed 40M credit cards")[3]. Unlike Visa and Amex, MasterCard plans for now to continue doing business with CardSystems because it has taken steps to improve security. Despite the second-quarter charge, ChoicePoint posted a second-quarter profit of $36.4 million, or 40 cents per share, compared with $36.3 million, or 40 cents per share, in the same quarter a year ago. Earnings per share for the most recent quarter included a 4-cent-per-share charge to cover the expenses related to the data theft. "I am extremely pleased with the continued revenue-growth momentum this quarter," said Derek V. Smith, chairman and CEO of ChoicePoint. "Additionally, we implemented key changes that reduced the risk of our business model and reinforced our leadership as a responsible information company." 
[1] http://choicepoint.com/choicepoint/news.nsf/(webhotbox)/E5DA762464E269EC8525704300749EA4?OpenDocument
[2] http://www.computerworld.com/securitytopics/security/story/0,10801,99886,00.html
[3] http://www.computerworld.com/databasetopics/data/story/0,10801,102631,00.html

From isn at c4i.org Mon Jul 25 04:23:17 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jul 25 04:31:51 2005
Subject: [ISN] FOCUS - Security experts warn of Chinese cyberattacks for industrial secrets
Message-ID:

http://www.forbes.com/afxnewslimited/feeds/afx/2005/07/24/afx2153747.html

By Rob Lever
Agence France-Presse
07.24.2005

WASHINGTON (AFX) - Cyberspace is becoming a new battleground for the United States and China, amid growing concerns about Chinese industrial espionage through various types of computer worms, security experts said.

At least one 'Trojan horse' program used to steal files from infected computers has been traced to servers in China, providing further evidence that US companies may be targets, analysts said.

Security firms have long been concerned about various types of malicious software used to steal files or passwords. But some newer programs seem designed as a more sophisticated and targeted effort.

Joe Stewart, a researcher with the US security firm Lurhq, said that by reverse-engineering a recent PC worm known as Myfip, he found a clear connection to China.

'All the e-mails we've traced back with this particular attachment came from a single address in China,' Stewart told AFP, adding that it is 'highly likely' that the program was used for espionage against US high-tech and manufacturing firms.

Stewart said the program appeared to have been originally developed as a way to steal student exam papers and then expanded so that it can now copy many types of documents, including computer-assisted drawings and Microsoft Word files.

Forbes magazine, which first reported the Chinese origin of Myfip, said the worm had been propagating by spam e-mails that activate the program when recipients click on attachments.

Forbes said about a dozen versions of Myfip may have been in circulation and used to steal sensitive documents including mechanical designs and circuit board layouts.

Analysts point out that tracking attacks or malicious software can be difficult because the origins can be disguised.

But Marcus Sachs of SRI International, who also directs the industry-academic SANS Internet Storm Center that monitors cyberattacks, said the evidence against China is solid.

'I believe firmly that the Chinese are using tools like Myfip to conduct industrial espionage on the US and other industrial countries that have mature data networks,' he told AFP.

Sachs said the latest types of malicious software, or 'malware,' represent a new strategy by creators of the programs.

'Most of the credit card theft, money laundering and fraud is coming from Russia or former Soviet Union countries,' Sachs said. 'The Chinese seem to be a bit more clever in covering their tracks and are more likely conducting covert raids for corporate secrets, rather than chasing money like their Russian organized crime counterparts.'

But the techniques may not be limited to industrial espionage. Some analysts say similar malware may be targeting government agencies in a bid to steal other types of secrets.

The online newsletter SecurityFocus said the wave of cyberattacks that hit Britain last month may have been part of an effort to obtain government documents from British and US agencies.

Britain's National Infrastructure Security Coordination Centre said last month that a series of trojan-laden e-mail attacks were 'targeting UK government and companies,' in an apparent 'covert gathering and transmitting of commercially or economically valuable information.'

The June 16 warning does not specifically mention China but said most of the evidence pointed to computers in 'the Far East.'

From isn at c4i.org Mon Jul 25 04:23:36 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jul 25 04:32:08 2005
Subject: [ISN] Lost a BlackBerry? Data Could Open A Security Breach
Message-ID:

Forwarded from: William Knowles

http://www.washingtonpost.com/wp-dyn/content/article/2005/07/24/AR2005072401135.html

By Yuki Noguchi
Washington Post Staff Writer
July 25, 2005

The ability to carry vast amounts of data in small but easily misplaced items such as computer memory sticks and mobile e-mail devices has transformed the way Americans work, but it has also increased the risk that a forgotten BlackBerry or lost cell phone could amount to a major security breach.

Worried that sensitive information could ride off in the back of a taxicab or be left in a hotel room, companies are peeling back some of the convenience of mobile devices in favor of extra layers of password protection and other restrictions. Some are installing software on their networks to make it impossible to download corporate information to a portable device or a memory stick, which is a plug-in device that holds data for use on other computers. Wireless providers are developing weapons to use against their own products, like digital "neutron bombs" that can wipe out information from long distance so one misplaced device doesn't translate into corporate disaster.

It's a nightmare that individuals and corporations fret about when their mobile e-mail or handheld devices go missing or fall into the wrong hands. With the swift stroke of a keypad, someone's e-mail, corporate data and business contacts can be laid bare for others to see -- and potentially abuse.

Personal devices "are carrying incredibly sensitive information," said Joel Yarmon, who, as technology director for the staff of Sen.
Ted Stevens (R-Alaska), had to scramble over a weekend last month after a colleague lost one of the office's wireless messaging devices. In this case, the data included "personal phone numbers of leaders of Congress. . . . If that were to leak, that would be very embarrassing," Yarmon said.

A couple of years ago, David Yach and all other workers at his Canadian company woke up to an e-mail full of expletives from an otherwise mild-mannered female employee. But it was not sent by the woman. A thief had broken into her home, commandeered her BlackBerry wireless device and sent the note, said Yach, vice president of software at Research in Motion Ltd., the company that makes the BlackBerry, a device that allows e-mail to be sent and received.

"It's terrifying," said Mark Komisky, chief executive of Baltimore's Bluefire Security Technologies Inc., who recently lost his iPaq 6315 Pocket PC in a cab or at O'Hare International Airport in Chicago. The device, a small pocket phone with a miniature keyboard, contained his e-mail, details of his company's strategy, Social Security numbers of his wife and son, and phone numbers for high-level executives at companies with which Bluefire does business, such as Intel Corp.

"I got off the plane in Baltimore and did the pat-down, and didn't have it," he said. "It's bad," even for the head of a firm that sells security services for companies and government agencies trying to secure their wireless devices.

At 10:30 p.m., he called a technician at Bluefire, who erased the information on the iPaq remotely. Luckily, it was also locked with a password, he said.

Companies are seeking to avoid becoming the latest example of compromised security. Earlier this year, a laptop computer containing the names and Social Security numbers of 16,500 current and former MCI Inc. employees was stolen from the car of an MCI financial analyst in Colorado. In another case, a former Morgan Stanley employee sold a used BlackBerry on the online auction site eBay with confidential information still stored on the device. And in yet another incident, personal information for 665 families in Japan was recently stolen along with a handheld device belonging to a Japanese power-company employee.

To combat the problem, security companies have come up with ways to install layers of password protection and automatic locks on devices. Others market the ability to erase data over the air once the device is reported lost. In Japan, cell phone carrier NTT DoCoMo Inc. started selling models that come with fingerprint scanners to biometrically unlock phones.

Some companies suffer only embarrassment from such incidents. But for public companies or financial firms, a lost device could mean violation of the Sarbanes-Oxley Act, which requires strict controls over disclosure of financial information. For doctors and health care companies, the loss of customer data compromises patient confidentiality, protected by the Health Insurance Portability and Accountability Act.

Potential security breaches are made scarier by the greater reliance on mobile devices. Smart phones, such as the Treo or some BlackBerry models, come with enough memory and high-speed Internet access to function as small computers. In some cases, accompanying memory cards allow users to store even more data, including client lists and contract information.

"I hear less about the cost of the devices, because it really is a pittance, but I really do hear more about the potential cost of someone gaining access to corporate data," said Kenny Wyatt, a vice president for Sprint Corp., which helps some of its business customers manage the security of wayward devices.

Three years ago, Wyatt lost a cell phone containing phone numbers of co-workers and clients. Sprint now can delete information by sending a signal to a phone over the air, he said, although if the device is turned off, the kill signal won't work.

Without the kill service, losing his phone would be a bigger deal today than it was three years ago because the device contains so much more information, he said. "It'd be like I lost an appendage."

In Chicago, 160,000 portable devices are left in taxicabs every year, according to a survey earlier this year by Pointsec Mobile Technologies, a security software firm. Fifty to 60 percent of those are reunited with their owner, according to the firm, which polled cab companies.

According to another survey sponsored by software maker Symantec Corp., 37 percent of smart-phone users store confidential business data on their phones. Only 40 percent of those surveyed worked at companies that have corporate policies about wireless security.

Yarmon, the staffer for Sen. Stevens, said he sends an e-mail every few months reminding colleagues to install passwords on devices.

"That is my worst fear," he said, "for a user to have it fall into the hands of somebody who disseminates it or uses that information against my boss."

© 2005 The Washington Post Company

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant."
Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Mon Jul 25 04:21:23 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jul 25 04:32:31 2005
Subject: [ISN] Inside Windows IT Security UPDATE -- July 22, 2005
Message-ID:

=======================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested.
Please take a moment to visit these advertisers' Web sites and show your support for Windows IT Security UPDATE.

Download a Free Trial of Desktop Authority
http://list.windowsitpro.com/t?ctl=F23E:4FB69

Bindview: Security Management in a Multi-platform World
http://list.windowsitpro.com/t?ctl=F221:4FB69

=======================

1. What's New in the Latest Issue
August 2005 Issue
- Focus: Network Port Fundamentals
- Feature: Keep Your Secrets Safe
- Access Denied

2. New Additions to the Online Article Archive
August 2004 Issue
- Focus: Use Certificates to Secure Your WLAN
- Features
- Access Denied

==== Sponsor: Download a Free Trial of Desktop Authority ====

Looking for a way to proactively secure and manage all your desktops from one central location? Download a 30-day FREE trial of Desktop Authority at http://list.windowsitpro.com/t?ctl=F23E:4FB69 . Desktop Authority is an award-winning desktop management solution that combines the functionality of logon scripting, group policies and user profile management into a comprehensive management console. Secure your network by locking down users' desktops, configuring security policies, detecting and removing spyware, and deploying patch updates without visiting client machines! Increase security, maintain regulatory compliance, and improve productivity throughout your enterprise. Try Desktop Authority FREE today and receive a cool "C:Users\Less Often" T-shirt!
http://list.windowsitpro.com/t?ctl=F23E:4FB69

=======================

Windows IT Security is a monthly, paid, print newsletter loaded with news and tips to help you manage, optimize, and secure your Web-enabled enterprise. Nonsubscribers can access all the newsletter content in the online article archive from the premiere issue of Windows IT Security (February 2001) through the print issue released 1 year ago and featured below.

In addition to receiving the monthly print newsletter, subscribers can access all the newsletter content, including the most recent issue, at the Windows IT Security Web site.
http://list.windowsitpro.com/t?ctl=F23D:4FB69

Subscribe today and access all the issues online!
http://list.windowsitpro.com/t?ctl=F236:4FB69

=======================

==== 1. What's New in the Latest Issue ====

August 2005 Issue

Focus: Network Port Fundamentals

In this issue, we wrap up our network port fundamentals and firewall appliances series, and we provide essential information about encryption, logon rights, and a terrific little log-analysis tool called grep.

The following article is available at no charge to nonsubscribers for a limited time:

Feature
Keep Your Secrets Safe
Although encryption is about keeping information secret, there's nothing secret about the encryption process. Here are the basics of symmetric key encryption and public/private key encryption.
--Randy Franklin Smith
http://list.windowsitpro.com/t?ctl=F22B:4FB69

Nonsubscribers now have access to the Q&As that run in every issue of Windows IT Security and are featured below.

Access Denied

Securing the Administrator Account
Take steps to lessen the risk of attacks that use a computer's Administrator account.
--Randy Franklin Smith
http://list.windowsitpro.com/t?ctl=F22E:4FB69

Protecting Information on XP Laptops
Use offline files and EFS to ensure that laptop data is available, backed up, and secure.
--Randy Franklin Smith
http://list.windowsitpro.com/t?ctl=F22A:4FB69

Preventing Users from Disabling a Screen Saver
Use an AD or local computer GPO to hide the Screen Saver tab from users.
--Randy Franklin Smith
http://list.windowsitpro.com/t?ctl=F227:4FB69

Running Services Under SYSTEM or Administrator
Here's why you should use the least amount of privileges necessary for performing tasks on your computer.
--Randy Franklin Smith
http://list.windowsitpro.com/t?ctl=F226:4FB69

Subscribers have access to the entire contents of the August 2005 issue. For a list of the other articles available in this issue, visit the URL below.
http://list.windowsitpro.com/t?ctl=F237:4FB69

=======================

==== Sponsor: Bindview: Security Management in a Multi-platform World ====

In this free white paper you'll learn how to reduce management overhead when dealing with multiple platforms such as Windows, UNIX, Linux and NetWare, and the costs and benefits of a centralized "holistic" approach to security management. Get the ins and outs of managing multi-platform security and how you can safely, securely, and sanely manage the security infrastructure of complex, multi-platform environments.
http://list.windowsitpro.com/t?ctl=F221:4FB69

=======================

==== Events & Resources ====
(from Windows IT Pro and its partners)

Sort Through Sarbanes-Oxley, HIPAA, and More Legislation Quicker and Easier!
In this free Web seminar, get the tips you've been looking for to save time and money in achieving IT security and regulatory compliance. Find out how you can simplify these manually intensive, compliance-related tasks that reduce IT efficiency. Turn these mandates into automated and cost-effective solutions. Register now!
http://list.windowsitpro.com/t?ctl=F222:4FB69

All High-Availability Solutions Are not Created Equal--How Does Yours Measure Up?
In this free Web seminar, you'll get the tools you need to ensure your systems aren't going down. You'll discover the various categories of high-availability and disaster-recovery solutions available and the pros and cons of each. You'll learn what solutions help you take preemptive, corrective action without resorting to a full system failover, or in extreme cases, that perform a non-disruptive, automatic switchover to a secondary server.
http://list.windowsitpro.com/t?ctl=F223:4FB69

Antispam Product Not Working?
Many email administrators are experiencing increased frustration with their current antispam products as they battle new and more dangerous email threats. In-house software, appliances, and even some services may no longer work effectively, require too much IT staff time to update and maintain or satisfy the needs of different users. In this free Web seminar, learn how you can search for a better way to protect your email systems and users.
http://list.windowsitpro.com/t?ctl=F225:4FB69

Ensure High Availability with Microsoft Exchange Server
Taking into account all of its capabilities, Exchange is more than just a mail server. And for many businesses, when Exchange is down, the business is down. In this free eBook, learn new ways to improve Exchange recoverability and availability by exploring Exchange Server clusters, Exchange data management, Volume Shadow Copy Service (VSS), and Exchange availability tips and tricks. Get your copy now!
http://list.windowsitpro.com/t?ctl=F224:4FB69

Integrate Fax Services with Business Applications for Big ROI
In this free eBook, you'll discover all you need to know about fax technology! You'll learn how to improve business processes by minimizing manual faxing and integrating faxing into your business workflow for improved ROI. The eBook will also look at the how-to of the desktop fax client, fax automation, faxing hardware and software technologies, and the future of faxing. Let this important guide help you stay on top of fax server technology within your business environment.
http://list.windowsitpro.com/t?ctl=F233:4FB69

==== Featured White Paper ====

Do You Know If Your Network Is At Risk Of A Trojan Attack?
Discover the various methods available for controlled Internet access and how to use them to increase security and decrease legal exposure. Download your free white paper now!
http://list.windowsitpro.com/t?ctl=F234:4FB69

=======================

==== 2.
New Additions to the Online Article Archive ====

August 2004 Issue

To access this issue of Windows IT Security, go to the following URL:
http://list.windowsitpro.com/t?ctl=F235:4FB69

Focus: Use Certificates to Secure Your WLAN

In this issue, learn about WLAN security, digital certificate validation in Windows PKI, the basics of Windows Firewall, and more.

Features

Using Certificates to Secure Your WLAN
Learn the simplest way to implement 802.1x and certification-based authentication on a typical network of Windows XP and Windows 2000 computers and a Win2K AD domain.
--Randy Franklin Smith
http://list.windowsitpro.com/t?ctl=F231:4FB69

Windows Firewall Basics
Learn how to configure and manage Windows XP SP2's new Windows Firewall.
--Jeff Fellinge
http://list.windowsitpro.com/t?ctl=F22C:4FB69

Validating Digital Certificates in Windows PKI
Certificate validation is a key part of authenticating users and systems through digital certificates. Take an in-depth look at how the Windows PKI validates certificates and be better prepared to solve validation problems when they occur.
--Jan De Clercq
http://list.windowsitpro.com/t?ctl=F228:4FB69

Access Denied

A Basic File Encryption Tool
Windows provides no built-in utility for encrypting files, but two scripts in the Platform SDK use CryptoAPI to let you encrypt and decrypt text files from the command line.
--Randy Franklin Smith
http://list.windowsitpro.com/t?ctl=F230:4FB69

Enabling Users to Access Two Domain Accounts
In some cases (e.g., during a migration), you might need to let users log on to two domain accounts and access files. A freeware tool makes setting up such a scenario easy.
--Randy Franklin Smith
http://list.windowsitpro.com/t?ctl=F229:4FB69

Requiring VPN Users to Run Certain Software
Using Windows 2003's IAS, you can prevent VPN users who aren't running antivirus or other necessary software from logging on to your network.
--Randy Franklin Smith
http://list.windowsitpro.com/t?ctl=F22D:4FB69

Using Windows Server 2003's Certificate Templates
Microsoft significantly enhanced certificate templates in Windows 2003 but makes the new functionality available only in Enterprise Edition and Datacenter Edition.
--Randy Franklin Smith
http://list.windowsitpro.com/t?ctl=F232:4FB69

Securely Administering a Remote Server
Learn why remotely administering a server through Terminal Services is more secure than using MMC snap-ins.
--Randy Franklin Smith
http://list.windowsitpro.com/t?ctl=F22F:4FB69

=======================

==== Announcements ====
(brought to you by Windows IT Pro)

Check Out the New Windows IT Security Newsletter!
Security Administrator is now Windows IT Security. We've expanded our content to include even more fundamentals on building and maintaining a secure enterprise. Each issue also features product coverage of the best security tools available and expert advice on the best way to implement various security components. Plus, paid subscribers get online access to our entire security article database (over 1900 security articles)! Order now:
http://list.windowsitpro.com/t?ctl=F23A:4FB69

Exclusive Content for VIP Subscribers!
Get inside access to all of the content and vast resources from Windows IT Pro, SQL Server Magazine, Exchange & Outlook Administrator, Windows Scripting Solutions, and Windows IT Security, with over 26,000 articles at your fingertips. Your VIP subscription also includes a 1-year print subscription to Windows IT Pro and a VIP CD (includes entire article database). Sign up now:
http://list.windowsitpro.com/t?ctl=F23B:4FB69

==== Sponsored Link ====

Argent versus MOM 2005
Experts Pick the Best Windows Monitoring Solution
http://list.windowsitpro.com/t?ctl=F220:4FB69

==== Contact Us ====

About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=F23F:4FB69
About product news -- products@windowsitpro.com
About your subscription -- securityupdate@windowsitpro.com
About sponsoring UPDATE -- emedia_opps@windowsitpro.com

=======================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and internal users. Subscribe today! ( http://list.windowsitpro.com/t?ctl=F239:4FB69 )

View the Windows IT Pro Privacy policy at http://list.windowsitpro.com/t?ctl=F238:4FB69

Windows IT Pro is a division of Penton Media Inc.
221 East 29th Street, Loveland, CO 80538, Attention: Customer Service Department
Copyright 2005, Penton Media, Inc. All Rights Reserved.

From isn at c4i.org Mon Jul 25 04:22:20 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jul 25 04:33:18 2005
Subject: [ISN] UK police chiefs seek powers to attack terror web sites
Message-ID:

http://www.theregister.co.uk/2005/07/23/acpo_seeks_new_terror_powers/

By John Lettice
23rd July 2005

The Association of Chief Police Officers has asked for new legislation giving the security services "powers to attack identified websites". The proposal, along with one for a new offence covering "use of the internet to prepare, encourage, facilitate acts of terrorism" was part of the terror law 'shopping list' presented by ACPO at the Prime Minister's meeting with law enforcement agencies on Thursday.

Much of ACPO's list covers territory where legislation is already planned by the Government and/or is part of broader international roadmaps being pushed by Europe's Council of Ministers and the G8.
The request for a cyberwarfare capability, however, is one of several new proposals put forward by ACPO, and has wide-ranging implications. ACPO doesn't give specific details of what it envisages, but says the power "has significant benefits for counter terrorism and overlaps with other police priorities namely domestic extremism and paedophilia/child pornography."

ACPO therefore clearly envisages the security services being given the power to attack a wider range of web sites than those simply associated with international terrorism. The security forces already have the capability to deal with web sites that are within UK jurisdiction, which means that the major target must be sites beyond it. "This issue goes beyond national borders and requires significant international cooperation," says ACPO: "The need for appropriate authority and warrantry is implicit." For the international cooperation to be delivered, the Government would therefore need to get legalised hacking, interdiction and denial of service moved up the EU-G8 security agenda.

It's possibly worth noting that ACPO is unlikely to be alone among the UK security services in its desire to interfere with web sites from afar. This fanciful item [1] alleges among many other improbable things that the "warrants the MI5 watchers have obtained permit them to intercept Jamal's e-mail conversations with those he is grooming, and to carry out 'portscans' on his computer. Using sophisticated software, they reach into it to search for incriminating files." Spyblog made the failed Spooks script gag [2] before we could, but it's perfectly possible that there's a security services' agenda underlying the sub-Bond PR spin.

The proposed offence covering use of the internet "to prepare, encourage, facilitate acts of terrorism" is explained by ACPO as being a move to "suppress inappropriate internet usage in respect of today's global communication capability." The organisation says however that this "preventative measure" may be catered for in the "acts preparatory to terrorism" [3] legislation the Government already has planned. ACPO's interest is likely to ensure that it is.

Interestingly, ACPO's general commentary on the 'acts preparatory' legislation says: " It will allow the police and intelligence agencies to intervene at an early stage early to protect the public and will go some way towards countering the negative messages we receive concerning terrorism arrests and subsequent charging/prosecution figures" (our emphasis). Government statistics on Terrorism Act arrests (which Charles Clarke has recently seemed reluctant to update in responses to parliamentary questions) show relatively few instances of charges being brought for terrorism offences, and tend to indicate that numbers of immigration and passport fraud offenders are being caught instead. This might be taken to suggest that the security forces are looking in the wrong places for terrorists. One might perhaps observe that thinking up new offences that let you count more of the people you arrest as terrorist offenders is not necessarily the appropriate response to our current difficulties.

ACPO also, puzzlingly, calls for the creation of an offence "not to disclose encryption keys etc." This follows on from a call made by Met Commissioner Sir Ian Blair a few days ago, and is presented as a necessary amendment to part 3 of the Regulation of Investigatory Powers Act, making it "an offence to fail to disclose such items." Part 3 of the Regulation of Investigatory Powers Act however already includes such an offence. In 53(5) [4] it says that a person guilty of such an offence is liable to "imprisonment for a term not exceeding two years or to a fine, or to both."

There may well be some subtle nuance that escapes us which makes this the wrong kind of offence as far as ACPO is concerned, but the thought that the security services now have so much lovely new legislation that they can't keep up is treasurable, and we'll treasure it until somebody tells us different. Seriously though, ACPO's commentary says that recent investigations "have been made more complex by difficulties for investigating officers in ascertaining whereabouts of encryption keys to access computers etc." It seems likely to us that these difficulties are related to an inadequate police grasp of RIPA and of how the internet works, and that's not something new or retreaded offences will fix.

More on the ACPO proposals can be found at Spyblog [5], while the full proposals can be read here [6]. ®

[1] http://www.timesonline.co.uk/printFriendly/0,,1-20749-1688893,00.html
[2] http://www.spy.org.uk/spyblog/archives/2005/07/why_does_the_su.html
[3] http://www.theregister.co.uk/2005/07/21/clarke_counter_terror_law_plans/
[4] http://www.opsi.gov.uk/acts/acts2000/00023--e.htm#51
[5] http://www.spy.org.uk/spyblog/archives/2005/07/association_of.html
[6] http://www.acpo.police.uk/asp/news/PRDisplay.asp?PR_GUID={423FD3C2-2791-403A-B5D0-8FC6B5476B0B}

From isn at c4i.org Mon Jul 25 04:22:37 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Jul 25 04:33:37 2005
Subject: [ISN] FDIC advises banks on how to protect against spyware
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,103450,00.html

By Lucas Mearian
JULY 22, 2005
COMPUTERWORLD

The Federal Deposit Insurance Corp. (FDIC) today issued a list of best practices for financial services firms that details how to protect against spyware, which the agency said can be used by criminals to collect customer data or hack into banking systems.
"It is critical that banks stay vigilant about the risks involved with this malicious software and take appropriate action so that they and their customers do not fall victim to it," said Michael Zamorski, director of the FDIC's Division of Supervision and Consumer Protection. The guidance spells out the risks associated with spyware and recommends actions that financial institutions can take to mitigate those risks on internal computers as well as on those used by customers to connect to transactional banking Web sites. The FDIC recommends rolling out multifactor authentication to limit the ability of identity thieves to access customer accounts. Firms should also consider spyware as part of their risk-assessment analysis and bolster security against it by setting Internet-use policies for employees. The FDIC also recommends that banks advise customers on the risks of using public computers such as those in hotels, libraries or Internet cafes to connect to online banking Web sites because of the uncertainty of what spyware may have been installed on the public equipment. According to the FDIC, the risks associated with spyware include allowing attackers to eavesdrop and intercept sensitive communications, such as customer IDs and passwords; allowing unauthorized access to user accounts; permitting unauthorized access to bank systems; and increasing vulnerability to other Internet-based attacks, such as phishing. From isn at c4i.org Mon Jul 25 04:22:58 2005 From: isn at c4i.org (InfoSec News) Date: Mon Jul 25 04:33:55 2005 Subject: [ISN] Offering a bounty for security bugs Message-ID: http://news.com.com/Offering+a+bounty+for+security+bugs/2100-7350_3-5802411.html By Joris Evers Staff Writer, CNET News.com July 24, 2005 Found a security bug? TippingPoint will pay you for the details. TippingPoint--part of 3Com--is soliciting hackers to report vulnerabilities in exchange for money. 
If a valid bug is found, TippingPoint will notify the maker of the flawed product and update its security products to protect users against exploitation of the flaw before an official patch has been released.

"We want to reward and encourage independent security research, promote and ensure responsible disclosure of vulnerabilities and provide 3Com customers with the world's best security protection," David Endler, director of security research at TippingPoint, said in an interview.

Austin, Texas-based TippingPoint sells intrusion prevention systems, which are designed to protect against vulnerabilities, on servers, desktops and other computers connected to an organization's network.

The payments are being offered under TippingPoint's new "Zero Day Initiative." The company plans to announce the program on Monday and celebrate the launch with a party in Las Vegas on Wednesday, the first day of the annual Black Hat Briefings, an event for security professionals and enthusiasts.

Few companies offer rewards for pinpointing software vulnerabilities. The rewards are almost always paid by security companies for flaws in other companies' software products. The payouts are used to gain a competitive edge over rivals by having their products recognize more vulnerabilities.

Security intelligence firm iDefense, which was recently acquired by VeriSign, and the Mozilla Foundation also pay security researchers, or hackers. Mozilla offers $500 and a Mozilla T-shirt to those who find critical security flaws in its products, which include the Firefox Web browser.

Money has increasingly become an incentive for hackers. Programs such as TippingPoint's offer a legitimate way for them to get paid for their bug hunting. There is also an underground market for vulnerabilities. Cybercriminals pay top dollar for previously undisclosed flaws that they can then exploit to break into computer systems, experts have said.
Bugs can be reported to TippingPoint through the Zero Day Initiative Web site. TippingPoint investigates all reports and will deal only with reputable researchers, Endler said. "We need to know exactly who we are working with," he said. "We don't want to work with black hats or illegal groups." Black hat is a term used to distinguish criminal hackers. If a flaw is found to be genuine, TippingPoint will make an offer. The amount depends on the scope of the vulnerability. A problem that lets an attacker remotely access a computer will fetch more than a bug that could only crash a system, for example. If the researcher takes the offer, the rights to the bug report are signed over to TippingPoint, Endler said. An unspecified time after protecting its own customers and before a fix is released, TippingPoint plans to share vulnerability details with other makers of intrusion prevention products. "We're making an altruistic gesture to protect a larger segment rather than just our customer base," Endler said. Those who report flaws to TippingPoint will get credit for their discovery and can keep track of the status of the bug report through the Zero Day Initiative Web site, Endler said. A special reward program makes it lucrative to contribute multiple vulnerabilities, he said. From isn at c4i.org Mon Jul 25 04:24:52 2005 From: isn at c4i.org (InfoSec News) Date: Mon Jul 25 04:34:12 2005 Subject: [ISN] Trojan horse suspects to be kept in custody Message-ID: http://www.haaretz.com/hasen/spages/603309.html By Zvi Harel July 22, 2005 Nine private investigators being held on charges of industrial espionage in the Trojan horse affair will be held in custody until the end of the proceedings against them. 
Yesterday, Tel Aviv District Court Judge Edna Kaplan ordered that the nine men, private investigators who worked for three special investigator firms, be kept in custody while they face two separate charges connected to the Trojan horse affair, in which several companies and individuals are alleged to have infiltrated the computers of other companies through the use of spyware in order to obtain confidential information. Two of the investigators are being charged separately from the others. This is because the two, Alex Weinstein and Niv Chai, are expected to provide state witness against the other seven after their case is completed. The seven named together in the other set of charges are Eliezer Philosoff, Avraham Balali, Zvi Krochmal, Assaf Zlotobeski, Haim Zissman, Eyal Abramovitz and Roni Barhom. The charges relate to receipt of material through fraudulent means and under aggravated circumstances, infiltration of computers to commit other crimes, implanting a virus in the computers, illegal wiretapping, invasion of privacy and other offenses. In her ruling yesterday, Kaplan said that the decision to keep the nine in custody was not taken lightly. Despite their clean record and personal circumstances, she was concerned "about a danger and reasonable fear of tampering with the proceedings." From isn at c4i.org Mon Jul 25 04:21:54 2005 From: isn at c4i.org (InfoSec News) Date: Mon Jul 25 04:34:30 2005 Subject: [ISN] Credit Data Firm Might Close Message-ID: Forwarded from: security curmudgeon Everyone grab their violins.. 
: http://www.washingtonpost.com/wp-dyn/content/article/2005/07/21/AR2005072102465.html : : By Jonathan Krim : Washington Post Staff Writer : July 22, 2005 : : The head of a payment processing firm that was infiltrated by computer : hackers, exposing as many as 40 million credit card holders to possible : fraud, told Congress yesterday that his company is "facing imminent : extinction" because of its disclosure of the breach and industry's : reaction to it. : : "As a result of coming forward, we are being driven out of business," : John M. Perry, chief executive of CardSystems Solutions Inc., told a : House Financial Services Committee subcommittee considering : data-protection legislation. He said that if his firm is forced to shut : down, other financial companies will think twice about disclosing such : attacks. Hi Mr. Perry. I'm California law. I *require* you to come forward over such a breach. You don't have a choice, you were not being altruistic, you were not being overly ethical. You were following the laws. : Perry called the decisions by Visa and American Express draconian and : said that unless Visa reconsiders, CardSystems would close and put 115 : people out of work. : While Perry said his company is doing everything it can to ensure that : such a breach never occurs again, Visa said it could not overlook that : CardSystems knowingly violated contractual requirements for how long : credit card data were supposed to be stored and how they were secured. CardSystems signed a contract with Visa saying that data would meet certain technical security specifications, and that it would adhere to a policy regarding data retention. This compromise shows that *both* failed, and Visa is not happy with CardSystems breaking said contract. This is business 101 folks. I feel bad about most of the employees that will lose their jobs, but CardSystems failed them and they are paying the price. As a Visa and AmEx card holder, I am quite happy. 
: Neither Perry nor representatives of the major credit card companies : could explain at the hearing why an audit of CardSystems in 2003 did not : address its computer vulnerabilities or its practice of retaining some : data for research purposes. Hope it leaks out which security firm did this audit! From isn at c4i.org Tue Jul 26 01:40:17 2005 From: isn at c4i.org (InfoSec News) Date: Tue Jul 26 01:54:11 2005 Subject: [ISN] IA Roadmap Message-ID: http://www.military-information-technology.com/article.cfm?DocID=1027 By Patrick Chisholm July 25, 2005 To realize the Department of Defense's vision for the Global Information Grid (GIG), information assurance (IA) requirements include robust identity, authentication and privilege management, policy for dynamic access control, security management, and "persistence monitoring" or continual monitoring throughout the network, according to Daniel G. Wolf, the director of information assurance for the National Security Agency (NSA). Protecting information across the entire GIG is a top priority of NSA, which recently revised its IA roadmap for the GIG and continues to update it as technology advances. In doing so, NSA is working with the military services and DoD agencies to form alliances and validate the GIG IA program requirements, budget requirements and implementation strategy based on the architecture that NSA has proposed. To be sure, implementing the roadmap is a long-term project: the architectural plan for data sharing on the GIG is to be carried out over the next 15 to 20 years. The roadmap leverages the five tenets of IA: availability, integrity, authentication, confidentiality and non-repudiation. Essential components of the IA roadmap include: * Maintaining availability in an end-to-end encrypted "black core" environment that is "unforgeable" and "unspoofable." * Identity management, specifying people, objects (data and applications) and machines. 
* Privilege management, laying out the rights and privileges of users. * Dynamic access enforcement. * Mediated access between and among people, objects and machines based on identities and privileges. * Assured information sharing. * Underlying security management infrastructure. [...] From isn at c4i.org Tue Jul 26 01:40:33 2005 From: isn at c4i.org (InfoSec News) Date: Tue Jul 26 01:54:34 2005 Subject: [ISN] Spam Slayer Message-ID: http://pcworld.com/news/article/0,aid,121841,00.asp Tom Spring PC World July 18, 2005 In a novel if potentially controversial effort to fight spam, a firm called Blue Security this week begins distributing the beta of a free program that, once installed on your PC, makes it part of a community that works to cripple Web sites run by spammers. "Most spam fighting tools that filter or block spam are never going to stop spammers from sending more spam," says Eran Reshef, founder and chief executive officer of Blue Security. He believes that fighting back by "inducing loss" against spammers is the only way to eventually stop spam. Hit Them Where It Hurts Here is how Blue Security's Blue Frog software and antispam initiative works: When you sign up for a Blue Frog account, you install a piece of software on your PC and get to submit up to three e-mail addresses to Blue Security's Do-Not-Intrude Registry. The company then opens up multiple e-mail accounts on your behalf--accounts you technically own, but never use. Those e-mail accounts are managed by Blue Security and are designed to attract spam. Blue Frog analyzes the spam that goes into your Blue Frog e-mail accounts (and those of other community members) and identifies messages that are not compliant with the federal Controlling the Assault of Non-Solicited Pornography and Marketing Act (known as CAN-SPAM). These include unsolicited marketing messages that don't provide an opt-out option or that have an invalid return address. 
Blue Security says it will attempt to warn noncompliant spammers to stop sending e-mail to the accounts it has set up for you, as well as to the real e-mail addresses you provided during registration. If Blue Security can't contact the spammer, or the spam doesn't stop, things start getting nasty. Blue Security follows the links inside the body of the spam message, which typically lead to a site that wants to sell you prescription medications, porn, a get-rich-quick scheme, or the like. It then identifies the form fields at the spammer's site (where you're asked to input credit card data, for example) and then uses the software you installed to direct your PC to insert in those fields a request to unsubscribe you from the site's mailing list. Also included in the form fields is an invitation to spammers to download a Do-Not-Intrude Registry compliance tool from Blue Security's Web site. Now, the spammer wouldn't care if only one person did this. Even if a thousand Blue Frog users followed suit, the spammer still might not care. But Blue Frog's software causes all of its connected users to submit the request/complaint simultaneously--and repeatedly--for a period of time. You would likely not notice these unsubscribe requests going out because it all happens behind the scenes on your PC. Blue Security says that each of its members' computers would likely be sending out requests a few thousand times a day. In my test of the beta program there was no perceptible impact on my computer usage or any slowing down of my Internet browsing. The influx of tens of thousands of requests exactly at the same time floods the spammers' Web site, causing it to become inoperable. And because spammers typically must pay for the bandwidth of traffic to and from their sites, the massive flood of complaints means higher bills to keep the sites running, Blue Security argues. 
Fair Warning Blue Security says that before it takes these drastic measures it will do everything it can to contact the people who send out the spam and those who run the Web sites those messages link to, asking them to stop spamming its Do-Not-Intrude Registry members. If that doesn't work, Blue Security will attempt to contact the Internet service provider hosting the site and warn it of the impending flood of requests. To comply with Blue Security's demands in order to stop and/or prevent the massive influx of requests, spammers must use the company's compliance tool to remove your real e-mail address and your dummy Blue e-mail accounts from their mailing lists. The Blue Security registry list is encrypted, so spammers never see your addresses: The compliance tool merely lets spammers check to make sure your real and decoy e-mail addresses aren't on their mailing list. And because Blue Security's registry list contains so many decoy e-mail addresses as well as real ones, any spammer who used Blue Security's registry to identify real e-mail addresses to spam would only be hit harder by bounced e-mail. This technique of flooding a Web site with information in order to cripple it may be effective, but it's arguably very similar to a distributed denial of service attack in which a hacker uses hundreds of zombie computers to shut down Web sites. Launching a distributed denial of service attack is illegal in the U.S. and in most European countries. Blue Security's Reshef bristles at the notion that his firm is involved with any type of DDoS attack. "We aren't trying to shut down any Web sites. We are just trying to slow these sites down so much the spammers can't earn money," Reshef says. He adds that members of the Blue Frog community have a right to complain about the spam they get. Looking for a Lawsuit? Reshef says he is going after the worst offenders, spammers who are responsible for 90 percent of unwanted e-mail that isn't CAN-SPAM compliant. 
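The registry described above lets a sender check whether addresses are on the list without ever seeing the list in the clear. The Python below is an added illustration, not Blue Security's code (the article only says the list is "encrypted"): it builds the registry as a set of salted SHA-256 digests in which real and decoy addresses are stored identically, and scrubs a sender's list by digest membership alone. The salt, the function names and all addresses are constructed for the example.

```python
import hashlib

# Constructed public salt. It stops digests precomputed for some other
# registry from being reused; it cannot be secret, because the party
# scrubbing its list (the sender) has to compute the same digests.
REGISTRY_SALT = b"constructed-example-salt-2005"


def normalize(address):
    """Canonical form, so 'Alice@Example.com ' and 'alice@example.com' match."""
    return address.strip().lower()


def digest(address, salt=REGISTRY_SALT):
    """Salted SHA-256 of the normalized address, as a hex string."""
    return hashlib.sha256(salt + normalize(address).encode("utf-8")).hexdigest()


def make_registry(real_addresses, decoy_addresses, salt=REGISTRY_SALT):
    """Return the publishable registry: a set of digests.

    Real subscribers and decoy (spam-trap) addresses go in identically, so the
    published set reveals neither an address in the clear nor which entries
    are real. Anyone who tries to use it as a target list gets nothing usable.
    """
    return {digest(a, salt) for a in list(real_addresses) + list(decoy_addresses)}


def scrub_mailing_list(mailing_list, registry, salt=REGISTRY_SALT):
    """Split a sender's list into (kept, removed) using digest membership only."""
    kept, removed = [], []
    for address in mailing_list:
        (removed if digest(address, salt) in registry else kept).append(address)
    return kept, removed


def demo():
    """Constructed data: two real subscribers, two decoys, one sender's list."""
    registry = make_registry(
        ["alice@example.com", "bob@example.org"],
        ["trap-7f3a@example.net", "trap-91c0@example.net"],
    )
    sender_list = [
        "Alice@Example.com ",       # real subscriber, sloppy capitalization
        "carol@example.org",        # not registered
        "trap-91c0@example.net",    # decoy that the sender harvested somewhere
        "dave@example.com",         # not registered
    ]
    kept, removed = scrub_mailing_list(sender_list, registry)
    return registry, kept, removed


if __name__ == "__main__":
    _, kept, removed = demo()
    print("kept:   ", kept)
    print("removed:", removed)
```

The design limit is worth stating: because the salt is public, anyone holding a candidate address can test whether it is registered, so the registry protects against enumeration, not against confirming addresses a sender already has. That is exactly the property the article relies on, and its decoy argument (a harvested registry produces only bounces) is what makes bulk probing unattractive rather than the hashing itself.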
Blue Security warns that this method of fighting spam won't lessen the flow of spam into your inbox in the short run. Over time, however, spammers will be forced to stop e-mailing Do-Not-Intrude registrants in order to remain in business. Once the registry hits a critical mass in size, the company believes the threat of a shutdown will intimidate spammers.

Blue Security's approach is not without precedent--but judging from the precedent, the company might run into problems. In December 2004, Lycos Europe pulled a controversial antispam screen saver from its site after coming under fire from both security experts and the spammers themselves. Much like Blue Security, Lycos Europe offered to turn the tables on spammers by overwhelming their Web sites with Web page requests submitted by its "Make Love Not Spam" screen saver.

The security community argued that Lycos Europe was engaging in vigilantism and had crossed a line by launching what were essentially DDoS attacks on spammers' sites. Some ISPs even blocked access to the Make Love Not Spam site, supposedly because the screen saver generated a lot of unnecessary traffic on their networks or violated their rules on DDoS attacks. Note that a DDoS attack can bring down an entire ISP--including legitimate sites that happen to use the same hosting service as a spammer's business.

Blue Security will definitely raise eyebrows in the security community. But even if it survives legal scrutiny (or retaliation from angry targets), the big question is whether Blue Security can recruit enough consumers to join its army of serial complainers.

From isn at c4i.org Tue Jul 26 01:43:25 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jul 26 01:56:34 2005
Subject: [ISN] REVIEW: "Darknet", J. D. Lasica
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKDRKNET.RVW 20050603

"Darknet", J. D. Lasica, 2005, 0-471-68334-5, U$25.95/C$33.99/UK#16.99
%A J. D. Lasica
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%D 2005
%G 0-471-68334-5
%I John Wiley & Sons, Inc.
%O U$25.95/C$33.99/UK#16.99 416-236-4433 fax: 416-236-4448
%O http://www.amazon.com/exec/obidos/ASIN/0471683345/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0471683345/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0471683345/robsladesin03-20
%O Audience n- Tech 1 Writing 2 (see revfaq.htm for explanation)
%P 308 p.
%T "Darknet: Hollywood's War Against the Digital Generation"

The introduction defines a darknet as a collective system for sharing media files, especially those involved with the removal or circumvention of copy protection technologies. As such, it is basically what is also referred to as a file sharing or peer-to-peer (in the non-technical sense) network, and later the book says that *the* "Darknet" is the merging of all such networks. Lasica also notes other possible implications of the term Darknet, such as the fear that excessive copyright and digital rights restrictions may have a chilling effect on creativity and free speech. (Neither the consistency of capitalization nor the usage of the term darknet becomes any more definite as the book progresses.)

Chapter one provides some stories from the world of "personal media": works created by individuals. There is not much analysis of the content, although there are lots of anecdotes and quotes. Gambits, particularly by movie producers, to extend copyright protections and restrict use, are covered in chapter two. "Release groups," discussed in chapter three, break copy protection and distribute new movies over the net. Personal media gets more coverage in chapter four. Chapters five and six review various new technologies, first for compression and transmission, then for modified usage, such as systems that automatically "G-rate" restricted movies.

The point of chapter six is somewhat confused, and this turmoil is even more evident in chapter seven, where accounts of people doing "good works" with pirated material seem to be intended to raise some kind of issue with respect to copyright. (Lasica has a brief mention of a new kind of fair use which he calls "digital rights," but the topic is abandoned undefined.) Chapter eight is back to personal media (with personal broadcasting), and nine has more modified use technologies such as TiVo, ad skipping, and modified pay-per-view. Music gets special attention in chapters ten and eleven, first with collections and playlists, and then with modified use. Chapter twelve provides some historical notes on early file sharing networks. Gaming, and the trading of game "content," is discussed in chapter thirteen. And there is yet one more run at "personal media" in chapter fourteen.

As can be seen by the outline, the same themes and topics tend to be repeated several times. The stories are easy to read, but the social ramifications promised in the early parts of the text do not materialize. The narratives are fun, but there is nothing here that hasn't been said before in the mass of magazine articles that have been written on the subject.

copyright Robert M. Slade, 2005 BKDRKNET.RVW 20050603

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu
The genius of you Americans is that you never make clear-cut stupid moves, only complicated stupid moves which make us wonder at the possibility that there may be something to them we are missing.
- Gamel Abdel Nasser
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

From isn at c4i.org Tue Jul 26 01:36:48 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jul 26 01:56:40 2005
Subject: [ISN] Russia's Biggest Spammer Brutally Murdered in Apartment
Message-ID:

http://mosnews.com/news/2005/07/25/spammerdead.shtml

MosNews
25.07.2005

Vardan Kushnir, notorious for sending spam to each and every citizen of Russia who appeared to have an e-mail, was found dead in his Moscow apartment on Sunday, Interfax reported Monday. He died after suffering repeated blows to the head.

Kushnir, 35, headed the English learning centers the Center for American English, the New York English Centre and the Centre for Spoken English, all known to have aggressive Internet advertising policies in which millions of e-mails were sent every day.

In the past angry Internet users have targeted the American English centre by publishing the Center's telephone numbers anywhere on the Web to provoke telephone calls. The Center's telephone was advertised as a contact number for cheap sex services, or bargain real estate sales. Another attack involved hundreds of people making phone calls to the American English Center and sending it numerous e-mails back, but Vardan Kushnir remained sure of his right to spam, saying it was what e-mails were for.

Under Russian law, spamming is not considered illegal, although lawmakers are working on legal projects that could protect Russian Internet users like they do in Europe and the U.S.
From isn at c4i.org Tue Jul 26 01:39:02 2005 From: isn at c4i.org (InfoSec News) Date: Tue Jul 26 01:56:44 2005 Subject: [ISN] Hackers prey on unguarded wireless links Message-ID: http://www.insidebayarea.com/businessnews/ci_2886879 By Erika Chavez SACRAMENTO BEE 07/24/2005 A shiny new laptop computer can be had for as little as $500, lightning-fast DSL Internet service has dropped to $14.95 a month and a wireless router costs $50 or less. Welcome to the golden age of wireless, where every day, thousands of average Joes and Janes are making that cordless leap onto the information superhighway. At least 13.2 million U.S. households will have wireless home networks by the end of 2005, up from 9.1 million in 2004, according to IDC Research, a tech analyst based in Massachusetts. And in May, notebook computer sales outpaced desktop sales at retail stores for the first time, according to San Diego-based Current Analysis. A broadband connection coupled with a wireless router allows consumers to set up a home office at the dining-room table or outside by the pool. But that cordless convenience could carry a heavy price. Roughly two out of every three wireless signals are left unencrypted, according to Internet security experts, which means anyone with a laptop and a $20 wireless card could tap into an unsecured signal to surf Web sites or check e-mail. Some might take it further. A small subset of computer-savvy hackers has the know-how and gadgets for more nefarious activities. Through an open wireless connection, a criminally minded hacker could commit virtual identity theft by accessing your computer files, sending spam, stealing your credit-card numbers, even trading child pornography. Even worse, whoever owns the wireless network could be held liable, said Sacramento County Sheriff's Lt. Bob Lozito of the Sacramento Valley Hi-Tech Crimes Task Force. "If they're doing these things under your identity, it comes back to you," Lozito said. 
The mobile nature of these crimes makes them hard to trace. "We suspect it's happening much more often than it's being reported," Lozito said.

Convicting hackers is even more problematic, though there are exceptions. One well-known case involved a Lowe's home-improvement store in Southfield, Mich. Two young hackers parked outside, tapped into the store's unsecured wireless network and stole credit-card numbers. They were convicted on federal charges of computer intrusions, damage and fraud.

Last month in Elk Grove, a high-school student faced eight felony computer-theft charges for allegedly hacking into his school's computer system and changing his grades. When police searched his home, they found aluminum-lined, cylindrical potato-chip containers that some hackers use as crude antennas to help them intercept wireless signals. Known as "cantennas," they consist of a Pringles can and some hardware worth $5 to $10 but can be used to amplify a wireless signal several miles away.

"They're unsophisticated but reliable, and it's illegal to possess them," said Lozito of the Hi-Tech Crimes Task Force. It's also illegal to access wireless networks that aren't public. In other words, if you've ever been pleasantly surprised to open your laptop, pull up your browser and have Internet access, that likely means you've just intruded into someone else's unsecured network, and really aren't allowed to be there.

The solution: People should encrypt their signal, says Bret McDanel, a freelance security consultant. "Most people pull a new computer out of the box, plug it in and if it works, they're done," McDanel said. The problem: Most computer and wireless router security features are off by default, and it's up to the consumer to enable them.

[...]
From isn at c4i.org Tue Jul 26 01:39:33 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jul 26 01:56:51 2005
Subject: [ISN] Credit Data Firm Might Close
Message-ID:

Forwarded from: Adam Shostack

On Mon, Jul 25, 2005 at 03:21:54AM -0500, InfoSec News wrote:
| Forwarded from: security curmudgeon
|
| Everyone grab their violins..
|
| : Neither Perry nor representatives of the major credit card companies
| : could explain at the hearing why an audit of CardSystems in 2003 did not
| : address its computer vulnerabilities or its practice of retaining some
| : data for research purposes.
|
| Hope it leaks out which security firm did this audit!

Cable and Wireless.

http://www.emergentchaos.com/archives/001450.html

From isn at c4i.org Tue Jul 26 01:40:03 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jul 26 01:57:00 2005
Subject: [ISN] Linux Security Week - July 25th 2005
Message-ID:

+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| July 25th, 2005 Volume 6, Number 31n |
| |
| Editorial Team: Dave Wreski dave@linuxsecurity.com |
| Benjamin D. Thomas ben@linuxsecurity.com |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Interview with Fyodor of Nmap," "Open authentication initiative gaining ground," and "Linux Security, Audit and Control Guidance Featured In New Book."

---

## Internet Productivity Suite: Open Source Security ##

Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design.
Click to find out more!
http://store.guardiandigital.com/html/eng/products/software/ips_overview.shtml

---

LINUX ADVISORY WATCH

This week, advisories were released for krb5, heimdal, phpgadmin, ekg, heartbeat, affix, zlib, cacti, java, diskdumputils, radvd, bind, kdelibs, freeradius, firefox, thunderbird, ypserv, mysql, setarch, openoffice, pvm, fetchmail, mozilla, epiphany, devhelp, yelp, php, ruby, acroread, phpgroupware, dhcpd, mediawiki, cpio, shorewall, and kdenetwork. The distributors include Debian, Fedora, Gentoo, and Red Hat.

http://www.linuxsecurity.com/content/view/119864/150/

---

Network Server Monitoring With Nmap

Portscanning, for the uninitiated, involves sending connection requests to a remote host to determine what ports are open for connections and possibly what services they are exporting. Portscanning is the first step a hacker will take when attempting to penetrate your system, so you should be preemptively scanning your own servers and networks to discover vulnerabilities before someone unfriendly gets there first.

http://www.linuxsecurity.com/content/view/119864/150/

---

Linux File & Directory Permissions Mistakes

Greetings, gentle reader, and welcome to linuxsecurity.com and our new recurring series of articles on security related mistakes and how to avoid them. I'm your host, Pax Dickinson, and today we'll be reviewing basic Linux file and directory permissions and how to avoid some common pitfalls in their use, in this episode of Hacks From Pax. One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.
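The over-liberal permissions the summary refers to are easy to find mechanically. The following Python script is an added example, not code from LinuxSecurity.com or from the article it summarizes: it builds a constructed temporary tree with deliberately mixed permissions and walks it, reporting world-writable directories that lack the sticky bit, world-writable files, setuid and setgid files, and world-readable files whose names suggest secrets. The secret-name heuristic and the sample layout are assumptions made for this example.

```python
import os
import stat
import tempfile

# Names that usually hold secrets; a world-readable copy of one of these is a
# classic over-liberal permission mistake (heuristic chosen for this example).
SECRET_SUFFIXES = (".key", ".pem")
SECRET_NAMES = ("id_rsa", "shadow", ".htpasswd")


def looks_secret(name):
    return name in SECRET_NAMES or name.endswith(SECRET_SUFFIXES)


def audit_permissions(root):
    """Walk `root` and report common over-liberal permission settings.

    Returns a sorted list of (kind, relative_path) tuples, where kind is:
      world_writable_dir     directory writable by everyone, sticky bit not set
      world_writable_file    regular file writable by everyone
      setuid / setgid        file with the setuid or setgid bit (review each by hand)
      secret_world_readable  file that looks like a secret but is readable by everyone
    Symbolic links are skipped: their own mode bits carry no meaning.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue
            # 0o1777 (like /tmp) is acceptable; 0o777 without the sticky bit lets
            # any local user rename or delete other users' files in the directory.
            if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                findings.append(("world_writable_dir", os.path.relpath(path, root)))
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                findings.append(("world_writable_file", rel))
            if mode & stat.S_ISUID:
                findings.append(("setuid", rel))
            if mode & stat.S_ISGID:
                findings.append(("setgid", rel))
            if looks_secret(name) and mode & stat.S_IROTH:
                findings.append(("secret_world_readable", rel))
    return sorted(findings)


def make_sample_tree():
    """Build a constructed directory tree mixing good and bad permissions.

    Modes are applied with an explicit chmod so the process umask cannot mask
    them. Returns the path of the new temporary root.
    """
    root = tempfile.mkdtemp(prefix="permaudit-")
    directories = {
        "uploads": 0o777,   # bad: world writable without the sticky bit
        "tmp": 0o1777,      # fine: sticky bit set, like /tmp
        "bin": 0o755,
        "etc": 0o755,
    }
    for name, mode in directories.items():
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)
    files = {
        "script.sh": 0o777,     # bad: anyone can edit a script that others run
        "bin/helper": 0o4755,   # setuid: legitimate or not, it needs a deliberate decision
        "etc/app.key": 0o644,   # bad: a private key readable by every local user
        "etc/config": 0o644,    # fine: non-secret configuration
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for kind, rel in audit_permissions(make_sample_tree()):
        print(f"{kind:24} {rel}")
```

Point `audit_permissions()` at a real tree (for example an application's install prefix) to use it outside the sample. A setuid finding is not automatically a mistake, but every one should be accounted for, and the sticky-bit distinction matters: a shared directory at 0o1777 lets users add files while keeping each other's, whereas 0o777 hands every local user delete and rename rights over all of them.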
http://www.linuxsecurity.com/content/view/119415/49/

---

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set up comprehensive addressbooks to consistently keep employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* Domain Hijacking Takes ICANN Spotlight
18th, July, 2005

Web sites both big and small face the risk of having their Web addresses stolen because of flaws in the way domain names are registered, transferred and tracked, a report released this week found.

http://www.linuxsecurity.com/content/view/119807

* Network monitoring with ngrep
20th, July, 2005

Constant monitoring and troubleshooting are key to maintaining a network's availability. With ngrep, you can analyze network traffic in a manner similar to that of other network sniffers. However, unlike its brethren, ngrep can match regular expressions within the network packet payloads. By using its advanced string matching capabilities, ngrep can look for packets on specified ports and assist in tracking the usernames and passwords zipping off the network, as well as all Telnet attempts to the server.

http://www.linuxsecurity.com/content/view/119829

* Review: GFI LANguard Network Security Scanner 6
21st, July, 2005

This is a review of the new release of LANguard Network Security Scanner (GFI LANguard NSS) from GFI. NSS will scan computers for known vulnerabilities and common misconfigurations and other potential security issues. It produces reports that can be used to assist in the tracking and mitigation of security issues that have been identified.
Furthermore, NSS provides patch management capabilities that allow you to centrally download and push out patches to systems with identified vulnerabilities.

http://www.linuxsecurity.com/content/view/119840

* Interview with Fyodor of Nmap
17th, July, 2005

Nmap ("Network Mapper") is a free utility for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers and both console and graphical versions are available. Nmap is free software, available with full source code under the terms of the GNU GPL.

http://www.linuxsecurity.com/content/view/119797

* Mozilla Fixes Thunderbird Flaws In 1.0.5
18th, July, 2005

The Mozilla Foundation this week updated its rival to Microsoft Outlook, the Thunderbird stand-alone POP3 e-mail and news client, to plug some of the same security holes that earlier were fixed in the open-source group's popular Firefox browser.

http://www.linuxsecurity.com/content/view/119806

* ISPs versus the zombies
19th, July, 2005

In the next few months, ISPs in the United States will begin receiving reports on the zombies, or PCs open to control by hackers, that lurk on their networks. The data will be sent out by the Federal Trade Commission, which said in May that zombies have become such a serious problem that more industry action is required.

http://www.linuxsecurity.com/content/view/119819

* Greasemonkey Flaw Prompts Critical Uninstall Warning
20th, July, 2005

A gaping security hole in a popular Firefox browser extension could allow malicious hackers to hijack files from a user's hard drive, developers warned Tuesday.
http://www.linuxsecurity.com/content/view/119827

* Open authentication initiative gaining ground
20th, July, 2005

Backers of open standards-based interoperable authentication technologies are happy to report growing membership in the authentication initiative known as OATH, which released its OATH Reference Architecture Version 1.0 specification for cross-device authentication in May. Now they're working to convince more organizations, many of which are reportedly unaware of the option, to go beyond disparate, proprietary standards or one-word passwords.

http://www.linuxsecurity.com/content/view/119830

* Major Firefox release delayed
21st, July, 2005

The next version of Firefox has been delayed for a few months, the Mozilla Foundation confirmed Thursday. Earlier Mozilla stated on its Web site that the next major release of Firefox, called version 1.1, would be released in July. But on Wednesday, lead Firefox engineer Ben Goodger updated the group's roadmap to indicate that the next major release would now not be until after August.

http://www.linuxsecurity.com/content/view/119851

* Hacker Mitnick preaches social engineering awareness
22nd, July, 2005

Properly trained staff, not technology, is the best protection against social engineering attacks on sensitive information, according to security consultant and celebrity hacker Kevin Mitnick.

http://www.linuxsecurity.com/content/view/119863

* Linux Security, Audit and Control Guidance Featured In New Book
22nd, July, 2005

More than 10 years after its debut, Linux has matured from a student hobby to a highly respected platform used by major organizations worldwide. Because of this growing popularity and increased legislation requiring tight controls over IT, the Information Systems Audit and Control Association (ISACA) has issued a new publication with detailed guidance on security, audit and control of Linux.

http://www.linuxsecurity.com/content/view/119865

* Is wireless security pointless?
21st, July, 2005

What with country singer Lee Greenwood's recorded rendition of patriot songs like "Glory, Glory, Hallelujah" and "God Bless America" playing over the sound system at 8:30 a.m. in the Commerce Department auditorium in Washington, D.C., one could have been excused for thinking the July 20 conference, "Pharmers and Spimmers, Hackers and Bluejackers: Combating Wireless Security Threats", was taking place during a national emergency. Far from it.

http://www.linuxsecurity.com/content/view/119841

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
------------------------------------------------------------------------

From isn at c4i.org Tue Jul 26 01:40:50 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Jul 26 01:57:05 2005
Subject: [ISN] Our high-priced security lock
Message-ID:

http://australianit.news.com.au/articles/0,7204,16021509%5E15382%5E%5Enbv%5E,00.html

James Riley
The Australian
JULY 26, 2005

IF the London terrorist attacks highlighted the need for improved computer security for the operation of essential services, they also served to demonstrate the potentially enormous cost large computer users will have to bear in the war on terror.

But it is not yet clear how the protection of these computer systems will be paid for, nor indeed who will bear the cost of that protection.

For private sector technology users, the national security policies developed by government have huge implications. No-one argues that these systems should not be the focus of the Government's critical infrastructure protection programs. But the debate about who should pay for these security improvements has not yet started.

The government's dollar-for-dollar funding of threat assessments is one thing. But there are much greater costs to come in implementing some of these policies.
In the US there is an active discussion about giving companies responsible for the maintenance of critical infrastructure tax concessions on the investment required to protect it.

Though there has been no direct discussion within government about a similar tax concession program in Australia, it is not something that has been ruled out by the Attorney-General's department either.

It is two years since Attorney-General Philip Ruddock established the Trusted Information Sharing Network for Critical Infrastructure Protection (TISN), which aims to improve information sharing between public and private sector organisations about risks and how to deal with them.

But it is only now that the owners of that critical infrastructure are beginning to understand the cost burden that comes with protecting it.

The complicating factor for government is that, according to the Attorney-General, 90 per cent of Australia's critical infrastructure is owned by the private sector.

The TISN initiative was set up to improve the flow of security information between the private sector and government - in particular its police, security agencies and emergency services - as well as between private sector companies that may be competitors in the marketplace.

Water utility Yarra Valley Water is one of the few organisations prepared to discuss critical infrastructure protection issues on the record.

Two weeks ago, Ruddock announced dollar-for-dollar funding grants of $60,000 each for Brisbane Water and Yarra Valley Water to conduct assessments of their computer networks.

The two companies are among the first to receive funding under the Attorney-General's department's $8 million Computer Network Vulnerability Assessment program.

Yarra Valley Water managing director Tony Kelly says the funding will be used to assess its SCADA (supervisory control and data acquisition) systems for potential vulnerabilities.

"The challenge for all businesses is being able to implement and show our customers that we have done everything necessary to protect our information assets," Kelly says.

"With an increasing focus on information security, physical security and business continuity in case of unforeseen disaster, we want our customers ... to know we're working to the highest standards."

Whatever vulnerabilities are exposed by the assessment will determine how much will need to be invested in improving security arrangements.

For IT departments within large organisations, that cost burden will be significant. Collectively it will certainly be measured in the tens of millions of dollars.

The critical infrastructure protection program will have an impact on the operation of IT departments, as new security procedures and protocols are put in place to address network redundancy issues.

Private sector organisations are being asked to co-operate with each other to an unprecedented extent on security issues, even though they might remain fierce competitors in the open marketplace.

Utilities companies, for example, are working together to assist each other's disaster recovery and redundancy capabilities, and communications companies have already come to broad agreements on ways to better back up each other's networks in the event of some catastrophic failure or targeted attack.

IT departments are central to the critical infrastructure protection plans, because technology cuts across all areas of government's protection plans.

"Computer network vulnerability is a very significant issue in relation to every area of critical infrastructure," Ruddock says.

"This is a critical program about ensuring these computer (systems) that manage our essential assets can resist exploitation and perform appropriately under a range of challenging conditions."

The TISN initiative covers nine areas considered critical to the economy and the well-being of society, from banking and finance to communications, emergency services, health and the food chain.

There won't be a large IT organisation that is left untouched by these national security plans. Information technology is as central to the nation's telecommunications network as it is to the food chain, or the delivery of electricity and water.

Telstra is a member of the Communications Sector Infrastructure Assurance Advisory Group and actively participates in the TISN for Critical Infrastructure Protection. These are national bodies governing the security of national infrastructure, with representatives from relevant industries as well as state and federal government departments and agencies.

As the dominant communications company in Australia, Telstra's infrastructure is clearly critical to the well-being of the economy as well as the overall health of the society.

But, through the TISN network, Telstra has been working with other communications companies to improve the network redundancy provisions available in an emergency where parts of the nation's communications capability are knocked out by terrorist attack.

Ruddock says the Communications Group had "already been responsible for an agreement between telecommunications carriers to share different sources for their timing signals."

"This means that if one source fails, they have backup," he says.

Telstra is reluctant to discuss the arrangements it has already put in place as a result of critical infrastructure protection programs and won't discuss costs.

But through the TISN network it is in regular contact with other communications providers, other private sector companies responsible for critical infrastructure in other parts of the economy, and government security agencies.
"We have a range of processes through which we regularly review our security arrangements," Telstra spokesman Warwick Ponder says.

"These processes are designed to comply with both industry standards and government requirements (and) include regular communication and interaction with government and security agencies," he says.

"At a time of heightened risk we have the ability to review and upgrade our security requirements as necessary."

Ruddock has not publicly addressed the issue of who will pay for private sector investments in critical infrastructure protection.

It is thought the Government believes the cost should be borne by the companies themselves, as security is simply a cost of doing business. The cost of critical infrastructure protection should then be passed on to customers.

But there are some who believe that, as a national security exercise, the taxpayer should pay for at least parts of the program.

Two weeks ago, Ruddock said critical infrastructure protection was an evolving issue, and that the public has been "supportive of additional measures targeted at key vulnerabilities".

Just as people are more understanding about the inconvenience of more stringent security when entering strategic buildings such as airports, the thinking is that the public also will be understanding of costs that are passed to customers in the interests of national security.

From isn at c4i.org Thu Jul 28 13:01:05 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Jul 28 13:16:09 2005
Subject: [ISN] We're on vacation!
Message-ID:

For those of you not in Las Vegas for Black Hat or Defcon, the list still works, we're just taking a little break from things at least 'til Tuesday.

Have a safe week and keep your Cisco IOS updated! ;)

Cheers!

William Knowles
wk@c4i.org