From isn at c4i.org Tue Mar 1 04:46:26 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 1 04:54:28 2005
Subject: [ISN] Payroll website still not secured
Message-ID:

http://www.boston.com/business/articles/2005/03/01/payroll_website_still_not_secured/

By Hiawatha Bray
Globe Staff
March 1, 2005

Boston software entrepreneur Aaron Greenspan, who revealed serious security flaws in the website of Tennessee payroll company PayMaxx Inc. last week, said yesterday that the site remains insecure. Greenspan said that a computer hacker still could use the site to obtain the Social Security numbers of hundreds of Americans.

Greenspan called the management of PayMaxx "incompetent," and urged Congress to investigate the company. "They have no idea what they're doing," he said.

Greenspan's company, Think Computer Corp., had its payrolls prepared by PayMaxx, of Franklin, Tenn., until late last year. After ending their relationship, Greenspan found that his name, address, Social Security number, and other personal data were still available on the PayMaxx website, which could be accessed by entering zeroes in the site's login windows. Greenspan also found that he could obtain the same information about other PayMaxx customers by typing random numbers into the browser's address window. He estimated that up to 100,000 files could be accessed this way.

After being contacted by the Globe, PayMaxx shut down the insecure website service. But yesterday, Greenspan said he found another way into the system. This time, he demonstrated for the Globe how a data thief could obtain the Social Security numbers of people listed in the PayMaxx system.

Greenspan said that PayMaxx apparently used workers' Social Security numbers to identify them to the website software. But the company's method made it easy to read those numbers by merely activating the "view source" feature found on all Web browsers.
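The three weaknesses the article describes (placeholder credentials accepted at login, payroll records reachable by guessing a number in the URL, and the SSN used as the identifier and left in the page source) map onto three server-side controls. The following is an added example written for this digest, not PayMaxx code; the account names, record ids, passwords and HTML layout are all constructed.

```python
"""Added example: credential check, object-level authorization and SSN masking.
Nothing here is PayMaxx code; all data and names are constructed for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PayrollRecord:
    record_id: str      # opaque random token, not a sequential number or an SSN
    owner_account: str  # the customer account allowed to view this record
    name: str
    ssn: str


# Constructed sample data standing in for the payroll database.
RECORDS = {
    "k3v9qzQ1": PayrollRecord("k3v9qzQ1", "acct-think", "A. Customer", "123-45-6789"),
    "p8x2mmR7": PayrollRecord("p8x2mmR7", "acct-other", "B. Customer", "987-65-4321"),
}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credential store: account -> (salt, pbkdf2 hash). Plaintext is never kept.
_SALTS = {"acct-think": b"salt-think", "acct-other": b"salt-other"}
CREDENTIALS = {
    "acct-think": (_SALTS["acct-think"], _hash_password("correct-horse", _SALTS["acct-think"])),
    "acct-other": (_SALTS["acct-other"], _hash_password("battery-staple", _SALTS["acct-other"])),
}


class AuthError(Exception):
    """One error type for every failure so responses do not reveal which check failed."""


def login(account: str, password: str) -> str:
    """Return the account name on success. Empty or filler input (such as zeroes)
    never matches a stored hash, so it is rejected like any other bad password."""
    if not account.strip() or not password.strip():
        raise AuthError("empty credentials")
    entry = CREDENTIALS.get(account)
    if entry is None:
        raise AuthError("bad credentials")
    salt, expected = entry
    if not hmac.compare_digest(expected, _hash_password(password, salt)):
        raise AuthError("bad credentials")
    return account


def fetch_record(session_account: str, record_id: str) -> PayrollRecord:
    """Object-level authorization: the record must exist AND belong to the caller.
    A foreign id and a missing id fail identically, so ids cannot be enumerated."""
    rec = RECORDS.get(record_id)
    if rec is None or rec.owner_account != session_account:
        raise AuthError("no such record")
    return rec


def try_fetch(session_account: str, record_id: str) -> Optional[PayrollRecord]:
    """Convenience wrapper returning None instead of raising."""
    try:
        return fetch_record(session_account, record_id)
    except AuthError:
        return None


def mask_ssn(ssn: str) -> str:
    return "***-**-" + ssn[-4:]


def render_record(rec: PayrollRecord) -> str:
    """HTML as sent to the browser. The full SSN never leaves the server, so
    'view source' shows only the masked form; the opaque id is the only key."""
    return (f"<div data-record='{rec.record_id}'>"
            f"<span>{rec.name}</span><span>{mask_ssn(rec.ssn)}</span></div>")


def new_record_id() -> str:
    """Unguessable identifier for a newly created record."""
    return secrets.token_urlsafe(8)
```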
A spokesperson for PayMaxx said that the company would shut down the site entirely until questions about its security were resolved. The spokesperson also said that there was no indication that anybody had stolen personal data from the site.

Greenspan said he's contacted the office of US Senator Charles Schumer, Democrat of New York. Schumer has called for legislation to limit data-mining services that contribute to identity theft. Congressional concern over the potential privacy threat erupted in February, when ChoicePoint Inc., a Georgia firm that keeps files on millions of Americans, admitted that it mistakenly sold 140,000 files to criminals.

From isn at c4i.org Tue Mar 1 04:46:55 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 1 04:54:30 2005
Subject: [ISN] Linux Security Week - February 28th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  February 28th, 2005                          Volume 6, Number 9n   |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin D. Thomas      ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Linux kernel to include IPv6 firewall," "Automated Patching: An Easier Approach to Managing Your Network Security," and "Honeypot Project finds decline in Linux attacks."

---

>> Enterprise Security for the Small Business <<

Never before has a small business productivity solution been designed with such robust security features. Engineered with security as a main focus, the Guardian Digital Internet Productivity Suite is the cost-effective solution small businesses have been waiting for.
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn07

---

LINUX ADVISORY WATCH

This week, advisories were released for emacs, gftp, bidwatcher, mailman, squid, mod_python, kdeedu, gamin, pcmcia, openssh, postgresql, gimp, midnight commander, gproftpd, cyrus imap, cups, kdelibs, xpdf, uim, cpio, and vim. The distributors include Debian, Fedora, Gentoo, Mandrake, Red Hat, and SuSE.

http://www.linuxsecurity.com/content/view/118428/150/

---------------

Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, and is therefore very simple.

http://www.linuxsecurity.com/content/view/118181/49/

---

The Tao of Network Security Monitoring: Beyond Intrusion Detection

The Tao of Network Security Monitoring is one of the most comprehensive and up-to-date sources available on the subject. It gives an excellent introduction to information security and the importance of network security monitoring, offers hands-on examples of almost 30 open source network security tools, and includes information relevant to security managers through case studies, best practices, and recommendations on how to establish training programs for network security staff.

http://www.linuxsecurity.com/content/view/118106/49/

---

Encrypting Shell Scripts

Do you have scripts that contain sensitive information like passwords and you pretty much depend on file permissions to keep it secure? If so, then that type of security is good provided you keep your system secure and some user doesn't have a "ps -ef" loop running in an attempt to capture that sensitive info (though some applications mask passwords in "ps" output).
http://www.linuxsecurity.com/content/view/117920/49/

--------

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* Knoppix Hacks
21st, February, 2005

Many people, at least people in the techno-geek world, are familiar with Knoppix at least far enough to know it is a version of Linux. Some of those people may even know that it is a portable version of Linux that is able to boot entirely from the CD without the need for any installation. But, this book will show those people just how versatile and powerful a tool Knoppix can be, even for supporting and maintaining Windows systems.

http://www.linuxsecurity.com/content/view/118393

* HITB E-Zine: Issue #36 Released
20th, February, 2005

After a nice Chinese New Year break we are pleased to bring you Issue #36 of the HITB e-zine. This is a pretty interesting issue with an exclusive article on Red Hat PIE Protection written by Zarul Shahrin as well as an article on building a simple wireless authenticated gateway using OpenBSD by Rosli Sukri (member of the HITB CTF Crew).

http://www.linuxsecurity.com/content/view/118389

* Linux kernel to include IPv6 firewall
21st, February, 2005

Version 2.6.12 of the Linux kernel is likely to include packet filtering that will work with IPv6, the latest version of the Internet Protocol.
Netfilter/iptables, the firewall engine that is part of the Linux kernel, already allows stateless packet filtering for versions 4 and 6 of the Internet protocol, but only allows stateful packet filtering for IPv4. Stateful packet filtering is the more secure method, since it analyses whole streams of packets, rather than only checking the headers of individual packets, as is done in stateless packet filtering.

http://www.linuxsecurity.com/content/view/118398

* Firewall Builder 2.0.6
24th, February, 2005

Firewall Builder consists of an object-oriented GUI and a set of policy compilers for various firewall platforms. In Firewall Builder, a firewall policy is a set of rules; each rule consists of abstract objects that represent real network objects and services (hosts, routers, firewalls, networks, protocols).

http://www.linuxsecurity.com/content/view/118422

* Automated Patching: An Easier Approach to Managing Your Network Security
22nd, February, 2005

Patch management is an essential administration task within today's busy IT networks with the constant threat of new security bugs. Some companies will wait for an attack before taking necessary action to protect themselves from further threat whilst others consider patching as often as possible.

http://www.linuxsecurity.com/content/view/118401

* Security holes affect multiple Linux/Unix products
23rd, February, 2005

Attackers could launch malicious code by exploiting vulnerabilities in a file transferring tool used in many Linux and Unix systems, according to two security firms.

http://www.linuxsecurity.com/content/view/118414

* Zen and the Art of Intrusion Detection
22nd, February, 2005

If a tree falls in a forest with no-one to hear it, does it make a sound? So goes a typical zen-like philosophical question. While it's thought-provoking, what does it have to do with Intrusion Detection Systems (IDS)? Simple: if you're not there to watch the tree fall, do you need to know whether it fell or not?
The same principle applies with IDS.

http://www.linuxsecurity.com/content/view/118402

* Review: Linux Server Security
23rd, February, 2005

Staying on my current security theme, O'Reilly has published a second edition of Linux Server Security by Michael D. Bauer. The book, targeted toward those managing Internet-connected systems, also known as bastion hosts, packs a powerful arsenal of security design, theory and practical configuration schemes into 500 pages.

http://www.linuxsecurity.com/content/view/118412

* Oracle wraps top-notch security around Linux
23rd, February, 2005

Oracle has tightened up the security of a number of its products to allow customers to use them in critical national infrastructures, including in conjunction with open source technology from Linux. Oracle has met the Common Criteria Evaluations at the EAL4 level, the highest industry security level for commercial software, for its Oracle Internet Directory, a middleware component of Oracle Identity Management; Oracle9i Database release 2; and the Oracle9i Label Security release 2.

http://www.linuxsecurity.com/content/view/118415

* How to cut patchwork and save a cool $100m
24th, February, 2005

According to Gilligan, a new vulnerability is discovered nearly every day in the commercial software products the Air Force uses, not just Microsoft, but also Linux, Oracle and Cisco Systems. "What we are now reaping is the unfortunate consequence of an era of software development in the 90s, when the rush to get the product to market overrode the importance of correctness in the quality of the software."

http://www.linuxsecurity.com/content/view/118419

* Novell appliance takes security to the edge
22nd, February, 2005

Novell has developed a Linux-based "perimeter security" hardware appliance that protects companies against security threats such as hackers, viruses, worms, spam and network intrusions. Novell launched the Novell Security Manager at last week's RSA conference.
It is aimed at small and medium-sized businesses.

http://www.linuxsecurity.com/content/view/118400

* Firefox phishing flaw fixed
25th, February, 2005

A vulnerability that could allow Web addresses to be spoofed has been fixed in an updated version of the Firefox browser. The Mozilla Foundation released an update to the Firefox Web browser on Thursday to fix several vulnerabilities, including one that would allow domain spoofing.

http://www.linuxsecurity.com/content/view/118429

* Arkeia Network Backup Agent Remote Access (Exploit?)
21st, February, 2005

On February 18th, 2005 "John Doe" posted a remote buffer overflow exploit for the Arkeia Network Backup Client. This vulnerability affected all known versions of the software, going back as far as the 4.2 series (when the company was called Knox). The buffer overflow occurs when a large data section is sent with a packet marked as type 77. The Arkeia Network Backup Client is your typical backup agent; it runs with the highest privileges available (root or LocalSystem) and waits for a connection from the backup server. The Arkeia client and server both use TCP port 617 for communication. According to the SANS ISC, the kids are wasting no time.

http://www.linuxsecurity.com/content/view/118392

* Honeypot Project finds decline in Linux attacks
24th, February, 2005

Unpatched Linux systems are lasting longer on the internet before being compromised, according to a study by the Honeynet Project, a nonprofit group of security professionals that researches online attackers' methods and motives. Data from 12 honeynets showed that the average "life expectancy" of an unpatched Linux system has increased to three months from 72 hours two years ago.

http://www.linuxsecurity.com/content/view/118420

* Is variable response the key to secure systems?
21st, February, 2005

Intrusion detection software (IDS) first made a serious impression on the European security market in the late 1990s.
As with vulnerability scanning products, how good it was depended on where it got its database from and how often it was updated. IDS then languished for a few years with little variation. Improvements in alerting, refinements in detecting false positives and more enterprise scalability were the notable developments.

http://www.linuxsecurity.com/content/view/118394

* Linux For The Future
22nd, February, 2005

Red Hat spent last week trying to get customers to expect more from Linux, talking up the release of the first version of its operating system based on the 2.6 Linux kernel. Red Hat Enterprise Linux 4 adds a number of security, scalability, desktop, and management features.

http://www.linuxsecurity.com/content/view/118399

* Insecure ISP Support Is No Help at All
23rd, February, 2005

Hello, this is officer support of the ISP Police Department. You say you're worried that someone might try to steal your car? OK, I'm going to try to troubleshoot this problem for you, but I need you to do two things. First, I'm going to need you to bring your car down so we can check it out. But I want you to park your car in a poorly lighted lot in a shady part of town. Trust me, we handle this kind of thing all the time.

http://www.linuxsecurity.com/content/view/118413

* Feds square off with organized cyber crime
24th, February, 2005

Computer intruders are learning to play well with others, and that's bad news for the Internet, according to a panel of law enforcement officials and legal experts speaking at the RSA Conference in San Francisco last week. Christopher Painter, deputy director of the Justice Department's computer crime section, spoke almost nostalgically of the days when hackers acted "primarily out of intellectual curiosity." Today, he says, cyber outlaws and serious fraud artists are increasingly working in concert, or are one and the same. "What we've seen recently is a coming together of these two groups," said Painter.
http://www.linuxsecurity.com/content/view/118421

* Entrepreneur-professor teaches students to stop hackers, viruses, has lessons for all
25th, February, 2005

Access the Internet using an unprotected personal computer and a hacker will be knocking at the door within about 45 seconds. Do that with a Web server and in less than 15 minutes, there's a 50-50 chance it's been taken over by someone who can use it to send spam e-mails all over the world that can be traced back to you. Hook up that new wireless router you bought at the consumer-electronics store, use the default settings, and someone can park outside on the street or sit next door and download porn using your broadband connection.

http://www.linuxsecurity.com/content/view/118430

* Mesh Networking Soars to New Heights
19th, February, 2005

Mesh Networking and community wireless broadband reached new heights with a world first for Locustworld MeshAP PRO when a Shadow microlight aircraft flew over Lincolnshire UK and successfully tested air to ground mesh networking and voice over broadband. South Witham broadband (Lincolnshire UK) joined forces with Make Me Wireless (Australia) and using LocustWorld MeshAP PRO and Asterisk VoIP equipment, seamlessly created air to ground voice communications at 2000 feet with the 16 node South Witham community broadband network.

http://www.linuxsecurity.com/content/view/118387

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue Mar 1 04:47:35 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 1 04:54:32 2005
Subject: [ISN] Hackers are real-time. Are you?
Message-ID:

http://www.s-ox.com/Feature/detail.cfm?ArticleID=623

By Phil Hollows
2005-02-28

From a Sarbanes-Oxley Section 404 perspective, any breach in IT security represents a risk to an internal system, including those covered by the standards implicit in section 404's mandates. Since IT underlies the very business of recording and reporting all financial activity, it follows that a lack of control over IT security would imply a lack of control over the organization's financial reports, in direct violation of SOX section 404.

Since any compromised IT system, or an unmanaged attack that could create a compromise, can then be used to attack, compromise and degrade the integrity of the IT systems supporting a covered firm's financial systems, section 404 of Sarbanes-Oxley carries with it the mandate to properly secure IT enterprise-wide (or, at least, to the point where the CEO, CFO and independent auditors are comfortable with the level of risk management applied to protecting corporate IT in general and financial IT systems specifically). As a result of the efforts of organizations such as the ISACA, COBIT and PCAOB, frameworks and standards such as COSO have emerged that explicitly address the role of IT security in SOX compliance.

Taking Strategic Control of Security with SIM

Security information management (SIM) solutions are an emerging class of products that enable compliance through provable, fast threat detection, management, and containment. Affordable, easily managed real-time security monitoring and correlation solutions offer a compelling way for public companies to comply with the implicit IT security mandates of SOX. Moreover, the reporting and full logging storage capabilities of SIM products allow companies to prove that security policies are being correctly followed, even providing an integral framework to guide operators to respond to security threats and incidents in a consistent, compliant manner.
Finally, in addition to enabling compliance with SOX regulation, SIM products can provide a very low maintenance security management framework to reduce the workload placed on IT security in general, improve security operations effectiveness, and enhance a company's ability to proactively mitigate high-risk threats before they become successful exploits.

The strategic opportunity for IT in public companies is therefore to think beyond the immediate compliance deadline and look to establish controls that ease compliance with tighter regulations over time, as well as ensuring that, if needed, the changes wrought to satisfy SOX can stand up in court. Building a defensible position against a class-action shareholder suit is one of the unfortunate situations that IT organizations need to plan for as they move forward implementing their compliance activities. As the financial scandals in the early part of the decade showed, having an auditor sign off is no guarantee that law suits can be avoided, and SOX section 302 makes it clear that CEOs and CFOs are personally liable for any material misrepresentations.

Monitoring Security

In terms of established IT compliance frameworks, although PCAOB's Auditing Standard No. 2 does reference IT controls, it does not specify the IT controls an organization should deploy in order to be compliant with SOX. However, COSO specifically calls out IT security monitoring as follows:

"Security monitoring - Building an effective IT security infrastructure reduces the risk of unauthorized access. Improving security can reduce the risk of processing unauthorized transactions and generating inaccurate reports, and can ensure a reduction of the unavailability of key systems if applications and IT infrastructure components have been compromised."
The ITGI's IT Control Objectives document, which provides specific recommendations based on COSO to guide compliance activities, specifically identifies the need for a security monitoring control: "IT security administration monitors and logs security activity, and identified security violations are reported to senior management."

It's clear: to meet the SOX general IT security requirements, organizations need to deploy multiple security point solutions such as firewalls, intrusion detection systems (IDS), anti-virus systems and others. That's a given. But simply deploying point solutions on networks, servers or desktops does not, by itself, satisfy the security monitoring requirement implied in Section 404. A true monitoring solution must show that the products deployed to protect a company's critical assets are, in fact, working properly. The only way to be successful in meeting this requirement is to collect, manage and save the relevant threat data from the individual security point solutions.

SIM extends the real-time monitoring of events detected by network and application security systems by enabling operators to detect and manage threats to the integrity of the company's financial systems, looking at alerts from across the entire enterprise. And SIM provides real-time, actionable information, not monthly reports that end up in an auditor's filing cabinet.

Correlation: Finding the Threat Needle in the Security Haystack

But identifying threats that can cause an incident from the data that enterprise security systems report quickly creates a massive challenge. With large populations of security solutions to monitor, IT security professionals need to collect disparate information from diverse sources, quickly assess its impact, and make timely decisions before major damage is done. They also need a way to keep all this information in a convenient place for reporting purposes.
But the data volumes are colossal: many millions to billions of log entries are recorded by an enterprise's systems every day. Threats need to be identified from this massive data stream and dealt with, and the data needs to be stored without requiring warehouses full of expensive storage area networks. And then a determination needs to be quickly made: is this threat real? How much risk does it represent? And how should it be managed?

Worse yet, as we all know, IT security challenges are growing enormously as an increasing number of diverse security products are deployed to combat an increasing number of threats, exploits and hackers. As technologies such as the 802.11 series of wireless protocols emerge that render notions like the secure perimeter increasingly irrelevant and porous, the number of security systems that need to be deployed and monitored will only continue to grow, day in and day out.

For each class of security system, organizations are faced with many choices of firewalls (network, application and protocol-based), intrusion detection and prevention systems (IDS and IPS), anti-virus (AV) systems, virtual private networks (VPN), host-based protection and a range of dedicated network security appliances. Indeed, monitoring network systems, such as routers and switches, for suspect activity is now a fact of life since these, too, have known vulnerabilities that can be exploited. Every organization's security strategy will involve some combination of these techniques, depending on their strategic goals and acceptable degree of risk.

Real-time security event correlation is the key to making this mountain of data manageable again. A typical SIM system will:

* Collect log file and event data from multiple security, network and server sources.
* Normalize and correlate these events in real-time to identify threats before they become security breaches.
* Prioritize threats according to risk-based event weighting, target vulnerability, asset value and historical activity.
* Maintain a threat database, including a taxonomy of known threats, vulnerabilities and exploits.
* Provide extensive threat, attack and forensic reporting and analysis capabilities.
* Enable automated and guided operator actions for consistent incident responses.

The goal of a SIM, when considering existing costs and workloads of compliance implementation teams, must be to deliver these capabilities in as minimally invasive a way as possible, and as a result of the correlation, ultimately reduce the time and resources spent in incident response.

Is this practical? In a recent eWeek article, one SIM user, Adam Hansen, of law firm Sonnenschein, Nath and Rosenthal, described his firm's experience after recently deploying a SIM. His SIM monitors 9 million daily security events and accurately identifies 20 or 30 events of interest. From there, the firm's administrators need to investigate only one to three events a day. "We reduced our incident response time from 24 hours to minutes," said Hansen. "We deal with an event as soon as it happens rather than look at a log."

Hansen's experience is not unique. According to ComputerWorld, Scitum SA, an MSSP, recently reported an event reduction factor of 10,000 after deploying a SIM in their security operations center.

Monitoring and Vulnerability Management - A Comprehensive Risk Management Strategy

These examples are impressive feats, to be sure. But does that mean SIM is right for all organizations? Managers might think they don't need SIM, particularly when investing in a comprehensive, and undoubtedly expensive, set of vulnerability management products and processes.

An ounce of prevention is worth a pound of cure, it's true. Many security systems and technologies have been deployed to prevent intruders from accessing high value systems.
First came firewalls; then the mail worms, the web buffer overflows, and the RPC exploits marched right through the open ports to wreak havoc on their targets on the inside. IDS arrived, but didn't actually stop anything. Then IPS, and next, who knows? If there's a lesson to be learned, it is that no matter what technology is deployed, it will have a flaw, a way to be defeated, or will be too untrusted (e.g. too many false positives) to be functionally useful.

Enter vulnerability management solutions. The premise is simple and seductive. If there are no vulnerabilities to exploit, there is no risk. Identify and mitigate the open vulnerabilities and risk is eliminated; there's nothing to compromise. The good guys win. Right?

Not exactly. IT security managers should be engaged in actively managing system vulnerabilities and nobody should counsel otherwise. However, they should do so rationally, methodically, and with understanding of the risks and rewards at each step. What is absolutely not true, however, is that every system can be patched perfectly, at least, not in a timely, cost-effective manner.

An organization simply cannot patch against social engineering (i.e. persuading a human to do something for you that you can't, like resetting an administrative password). It cannot patch against a careless or corrupted employee placing a wireless access point inside your network, completely bypassing your perimeter defenses. It cannot patch a system against weak physical security. It cannot patch against someone emailing a customer list to a competitor. It cannot patch systems it's unaware of, such as embedded databases or web servers. For example, if an organization's engineering group uses a product like Ghost to re-image test machines, any patches it applies could be here today and gone tomorrow.

It's clear: Even with an extensive and comprehensive vulnerability and patch management program in place, it remains vital to monitor security systems.
Remember, from the bad guys' perspective, there's always a workaround. There's always a signature that the system doesn't know about. There's always a new user the anomaly detector hasn't discovered. There's always a careless default installation or a system that hasn't been gotten round to yet. There's always a thoughtless user to social engineer through. There's always someone to corrupt, a system to bypass, a new trick to employ.

So, one of the biggest mental hurdles to overcome when thinking about risk mitigation and prevention planning is accepting the fact that it is impossible to get 100% of vulnerabilities removed using a patching approach. It can't be done. It won't ever be done. Plan for it.

Ultimately, this is how SIM complements vulnerability management. Section 404 requires monitoring security. Prudent risk management also says companies shouldn't put all their security eggs in the vulnerability management basket. A mature, compliant IT security organization will deliver strong mitigation and monitoring solutions, and also have a well-defined (and practice, practice, practice!) containment and incident response strategy, requiring all three legs of the stool.

SIM: Automating Real-Time Risk Analysis for Compliance

Risk, whether it's acceptance, mitigation or transference, is at the heart of IT security planning and monitoring. The analysis of an attack event from a single device is relatively meaningless. There is no context within which to judge its relevance and importance. By using SIM to evaluate individual events in the context of the real-time enterprise threatscape, it is possible to assign risk values using the SIM to each individual event.

Implementing a security monitoring solution without being able to manage log collection from different sources, quickly triage events using a risk-based approach, and implement response times risks failure, unless a SIM solution is in place.
A good, risk-based approach will enable the SIM to determine the following criteria, and adjust the risk weight appropriately, for each event detected, and then intelligently alert based on the defined risk profile. The following sample factors show how the view of an event's risk changes based on its context:

* The source of an attack: Inside or outside? A new guy or a competitor?
* The target: A print server or the database holding customers' social security numbers?
* The exploit being used: A simple probe, or something that gives the hacker complete control?
* The vulnerability of the target: Is the system vulnerable? And how old is the scan?
* The user: Is someone pretending to be an administrator?
* Activity: Have we seen this before? Is it a persistent pattern, or an apparent one-off?

All of this analysis needs to happen in real-time so that organizations can anticipate and manage a breach immediately. Running a retrospective report is too little too late, and by no means a "monitoring solution." If so, an organization has already been compromised. Game over.

Going Beyond Compliance to Better Security

The ability of a SIM to accurately identify threats can yield enormous savings in terms of operational efficiency. But the potential benefits don't stop there. The ability of a SIM to be able to respond automatically to an attack can make all the difference between simply detecting a threat and actually containing it. Foiling worm attacks is a great example of how automated remediation using a SIM can help minimize the speed and scope of an infection, in effect, helping to automate a containment strategy.

In order to apply process controls, for example, a SIM can be forced to take an automated action if, and only if, a threat that passes the filter criteria has reached the critical state. Its users can create many different automated responses, each with their own unique combinations of filters and actions.
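The collect/normalize/correlate/prioritize pipeline described earlier and the six context factors listed above can be shown end to end on a handful of log lines. The following is an added example written for this digest, not code from the article or from any SIM product; the two log formats, the asset inventory, the scan data, the signature severities, the weights and the alert threshold are all constructed.

```python
"""Added example: a miniature SIM correlation step that scores each event on
source, target value, exploit, target vulnerability (and scan age), user and
repeated activity. All formats, assets, weights and thresholds are constructed."""
import re
from collections import Counter
from datetime import date
from typing import List, Optional, Tuple

# Constructed asset inventory: business value (1-5), what the last scan found, and when.
ASSETS = {
    "10.0.5.20": {"name": "print-srv", "value": 1, "vulns": [], "scanned": date(2005, 2, 20)},
    "10.0.9.11": {"name": "hr-db", "value": 5, "vulns": ["ms03-026"], "scanned": date(2004, 11, 1)},
}
INTERNAL = re.compile(r"^10\.")                       # constructed: the inside address space
EXPLOITS = {"probe": 1, "ms03-026": 5, "ssh-brute": 3}  # constructed severity per signature
ADMIN_USERS = {"root", "administrator"}
TODAY = date(2005, 2, 28)                              # fixed so the example is reproducible
SCAN_MAX_AGE_DAYS = 30
ALERT_THRESHOLD = 10

# Two constructed log formats: a firewall line and an IDS alert line.
FW = re.compile(r"FW src=(\S+) dst=(\S+) user=(\S+) action=(\S+)")
IDS = re.compile(r"IDS sig=(\S+) src=(\S+) dst=(\S+)")


def normalize(line: str) -> Optional[dict]:
    """Collect + normalize: map both formats onto one event shape, or None if unknown."""
    m = FW.search(line)
    if m:
        src, dst, user, action = m.groups()
        return {"src": src, "dst": dst, "user": None if user == "-" else user,
                "sig": "probe" if action == "deny" else None}
    m = IDS.search(line)
    if m:
        sig, src, dst = m.groups()
        return {"src": src, "dst": dst, "user": None, "sig": sig}
    return None


def score(ev: dict, seen: Counter) -> int:
    """Risk weight for one event given the enterprise context and prior activity."""
    asset = ASSETS.get(ev["dst"], {"name": "unknown", "value": 1, "vulns": [], "scanned": None})
    external = not INTERNAL.match(ev["src"])
    s = 2 if external else 1                          # source: outside weighs more
    s += asset["value"]                               # target: what is at stake
    s += EXPLOITS.get(ev["sig"], 0)                   # exploit: probe vs full control
    age = None if asset["scanned"] is None else (TODAY - asset["scanned"]).days
    stale = age is None or age > SCAN_MAX_AGE_DAYS
    if ev["sig"] in asset["vulns"]:                   # vulnerability: confirmed exposure
        s += 2 if stale else 4                        # a fresh scan is stronger evidence
    elif stale:
        s += 1                                        # no clean bill of health either
    if ev["user"] and ev["user"].lower() in ADMIN_USERS and external:
        s += 3                                        # user: admin account used from outside
    s += min(seen[ev["src"]], 3)                      # activity: persistence from this source
    return s


def correlate(lines: List[str], threshold: int = ALERT_THRESHOLD) -> List[Tuple[int, dict]]:
    """Prioritize: return (score, event) pairs at or above the threshold, highest first."""
    seen: Counter = Counter()
    scored = []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            continue
        s = score(ev, seen)
        seen[ev["src"]] += 1
        ev["asset"] = ASSETS.get(ev["dst"], {"name": "unknown"})["name"]
        if s >= threshold:
            scored.append((s, ev))
    return sorted(scored, key=lambda p: p[0], reverse=True)


# Constructed sample stream: one inside probe of the print server, then an outside
# host probing the HR database, firing an exploit it is known to be vulnerable to,
# and finally logging in as administrator.
SAMPLE_LOGS = [
    "Feb 28 10:00:01 fw1 FW src=10.0.5.3 dst=10.0.5.20 user=- action=deny",
    "Feb 28 10:00:05 ids1 IDS sig=probe src=203.0.113.7 dst=10.0.9.11",
    "Feb 28 10:00:09 ids1 IDS sig=ms03-026 src=203.0.113.7 dst=10.0.9.11",
    "Feb 28 10:00:12 fw1 FW src=203.0.113.7 dst=10.0.9.11 user=administrator action=allow",
]

if __name__ == "__main__":
    for s, ev in correlate(SAMPLE_LOGS):
        print(f"risk={s:2d} src={ev['src']} target={ev['asset']} sig={ev['sig']} user={ev['user']}")
```

Four events go in and two come out above the threshold, which is the "events of interest" reduction the article describes; lowering the threshold to 9 would also surface the outside probe of the stale-scanned database.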
Automated responses to known classes of security intrusion attempts demonstrate clear, consistent and controlled risk-oriented policies towards IT security and threat management - a core item in SOX compliance evaluation. Organizations can also link SIMs to internal knowledge bases, resource links and procedure manuals based on alert and event data correlated by the SIM, create well defined management options for users, and display them as options for operators to take. As a result, organizations gain consistent response to threats from operators, using the SIM to help define, manage and ensure consistent containment processes.

Real-time risk management using SIM takes the vulnerability and risk approach and applies it to IT network and security infrastructure in real-time. It properly takes into account the source of an attack in the modified risk equation, enabling much more effective internal management of launched attacks. SIM also builds off currently deployed heterogeneous security and vulnerability infrastructures, making systems significantly more effective than as standalone, isolated point solutions. SIM gives each system an enterprise-wide management context through the correlation process. This is all possible because SIM is a security management application, not a security technology. It doesn't try to sniff packets on the wires or attempt to verify whether machines are patched or not. What it does do is bring data together through a real-time correlation process that considers all these factors, as collected by all the relevant underlying technology products, to help manage the data gathered from them, and automate the threat analysis and prioritization processes.

SIM for SOX!

SIM and its functions are the keys to an organization's ability to prove that its network security products and practices are in compliance.
SIM enables demonstrable compliance by implementing several mechanisms on any monitored sensor, device or application, including real-time log monitoring, prioritized threat alarms and escalations, audit trail and configuration versioning, threat, event and forensic reporting, and standardized threat and incident responses. It proves that the alarms are on, and someone is listening. SIM affords organizations strategic opportunity by enhancing security operations efficiency, ensuring consistent threat response and centralized full log management, archiving and analysis. But for SIM to be most strategic, it should scale beyond the short-term audit process to handle growth, mergers and acquisitions - without adding significant structural costs and extra workload to already stretched security functions.

In a nutshell, if implemented well, SIM both ensures compliance with SOX section 404 and affords organizations additional compelling business benefits.

-=-

Phil Hollows, Vice President of Security Products, OpenService http://www.open.com Phil has more than 17 years of experience in product marketing, product management, development leadership and consulting.

From isn at c4i.org Tue Mar 1 04:47:49 2005 From: isn at c4i.org (InfoSec News) Date: Tue Mar 1 04:54:34 2005 Subject: [ISN] Known Hole Aided T-Mobile Breach Message-ID: http://www.wired.com/news/privacy/0,1848,66735,00.html By Kevin Poulsen Feb. 28, 2005

An intrusion into T-Mobile's servers that compromised customer records, sensitive government documents, private e-mail and candid celebrity photos last year occurred because the wireless giant failed to patch a known security hole in a commercial software package, Wired News has learned. In a sealed plea agreement with prosecutors, Nicolas Jacobsen, 22, pleaded guilty on February 15 in federal court in Los Angeles to a single felony charge of intentionally gaining access to a protected computer and recklessly causing damage.
His cybercrime spree in T-Mobile's network began in late 2003, and didn't end until his arrest last fall. Jacobsen's victims last year included Paris Hilton, a conspicuous T-Mobile Sidekick user. But the hacker is not known to be connected to a new intrusion last week that scattered Hilton's private files across the Internet. The Justice Department and the U.S. Secret Service have handled the Jacobsen prosecution with unusual secrecy, and T-Mobile has been tight-lipped on how the hacker penetrated their systems. But two sources close to the case and a hacker friend of Jacobsen's who hosted some of his purloined files all point to the same security hole: a vulnerability discovered in early 2003 in the WebLogic application server produced by San Jose, California, company BEA Systems. Found by researchers at security vendor SPI Dynamics, the WebLogic hole took the form of an undocumented function that allows an attacker to remotely read or replace any file on a system by feeding it a specially-crafted web request. BEA produced a patch for the bug in March 2003 and issued a public advisory rating it a high-severity vulnerability. In July of that year, the hole was spotlighted in a presentation at the Black Hat Briefings convention in Las Vegas. Approximately 1,700 computer security professionals and corporate executives attended that conference, where an SPI Dynamics researcher detailed precisely how to exploit the vulnerability. The attack method is "kiddy simple," says Caleb Sima, founder and CTO of SPI Dynamics. "All you have to do is add a special header with the request, with special commands at the end of it, and that's it." Jacobsen learned of the WebLogic hole from the advisory, crafted his own 20-line exploit in Visual Basic, then began digging around the internet for potential targets who had failed to install the patch, the sources say. By October 2003, he'd hit pay dirt at T-Mobile, where he used the exploit to gain a foothold in the company's systems. 
He then wrote his own front-end to the customer database to which he could return at his convenience. "He eventually made his own interface," says William Genovese, a friend of Jacobsen's in the hacking community, who is currently facing unrelated charges for allegedly selling a copy of leaked source code for portions of Microsoft's Windows 2000 and Windows NT operating systems for $20. According to court records, Jacobsen continued to enjoy illicit access to T-Mobile systems until his arrest in October 2004 -- more than 18 months after the WebLogic vulnerability was first made public. The hacker had access to T-Mobile customer passwords, Social Security numbers, dates-of-birth and other information, which he offered to make available to fraudsters and identity thieves over an online web forum. Additionally, Jacobsen used passwords stolen from the database to read T-Mobile customers' e-mail, including that of a U.S. Secret Service agent. Sources close to the case say the hacker also downloaded candid photos taken by Sidekick users, including images of celebrities Demi Moore, Ashton Kutcher, Nicole Richie and Paris Hilton, which until recently could be found on a webpage hosted by Genovese. A phone call to Jacobsen's lawyer went unreturned last week. T-Mobile says it has notified 400 customers that their data was leaked, and continues to investigate the case. But the company said last week it couldn't comment on its vulnerabilities or patching policies without placing customers at further risk. "We will not publicly discuss specifics of our systems, or attempts to gain access to our systems, for the protection of our customers and their data," spokesman Peter Dobrow wrote in an e-mail. Dobrow claims the company has closed the holes that Jacobsen exploited. "As part of our security efforts, safeguards are in place to prevent illegal access similar to Jacobsen's activity," he wrote.
BEA failed to return repeated phone calls on the WebLogic vulnerability and its role in the T-Mobile hacks. Jacobsen's hacks were neither the first nor the last consumer privacy problem at T-Mobile. Last year, the company faced criticism for giving cell phone users a default voice mail configuration that leaves them open to Caller I.D.-spoofing snoops -- an issue that lingers today. And last week a copycat hacker penetrated Paris Hilton's T-Mobile Sidekick account a second time, posting the hotel chain heiress' electronic memo pad, address book and a new batch of private photos on the web. The company's security thus became the unlikely topic of tabloid media interest. In a press release Saturday, T-Mobile chief operating officer Sue Swenson said the company takes its customers' privacy seriously. "We are aggressively investigating the illegal dissemination of information over the internet of T-Mobile customers' personal data," said Swenson. The press release made no mention of T-Mobile's failure to secure its systems, but encouraged customers to be more careful with their passwords. From isn at c4i.org Tue Mar 1 04:48:05 2005 From: isn at c4i.org (InfoSec News) Date: Tue Mar 1 04:54:36 2005 Subject: [ISN] Confessions Of A Gray-Hat Networker Message-ID: http://www.securitypipeline.com/trends/60404004 By David Strom Tom's Networking www.tomsnetworking.com February 28, 2005 It is getting harder to tell the good guys from the bad these days. Life up to about last year used to be so simple. There were white hat networkers and black hat networkers. The white hats are the ones who try to gain entry into your network with your permission, to stress test your security and pinpoint vulnerabilities. The black hats are mostly the bad guys. But now we have grey hat networks, the ones that aren't so easy to characterize as evildoers. 
I guess this mirrors life, where nothing is black and white anymore (at least outside the perspective of our own president, but don't get me started on that). These grey networks are becoming more common as corporate IT staffs do their best to stem the tide of peer-to-peer, instant messaging, and other incidental applications that have become mission critical to some of their users. The reason they are called grey is because while they are still far from the accepted corporate standard portfolio of "approved" applications, they are useful and in common use across the corporate network. Actually, the problem is not new. When I worked in IT departments during the 1980s, we had our standard apps and platforms and plenty of renegade users who promptly and in some cases pointedly ignored us and took their computing needs into their own hands. It was a constant battle, but back then the only real networks we had were the 3270 kind of IBM mainframes, and well, everything was pretty black and white for the mainframe guys. Of course the shoe was on the other foot when I became a user. I must confess that even as recently as last year I was a bit of a renegade user myself, wanting to run apps that weren't part of the corporate portfolio. Ask my IT people and they will tell you tales of woe. I thought about this recently when I was attending the RSA conference and was listening to one of the talks on how to stem the tide of unmonitored IM usage. Jonathan Christensen, the CTO of FaceTime, was the one who coined the grey hat moniker. He even said IM is the "next generation of security threat" - well, he would, given that his company can sell you products to try to protect you against this threat. Does this mean that I am still part of the problem? Can I ever shake those renegade days completely, or am I always going to be a thorn in the side of IT? I have become a grey hat networker, I must confess. What brought me into the grey world was Skype.
Since joining Tom's, I have been using Skype as the main means of communicating with my staff across Europe and the US. (Well, it IS our corporate standard.) It is a wonderful application when it works, and perplexing and annoying when it doesn't. For those of you that haven't had the opportunity to use it yet, it is an IM client and a voice communications system rolled into one. Like any good IM client, you have presence detection (you can see when someone is online and ready to talk or text chat with you). Unlike the commercial services from AOL, Microsoft, and Yahoo, the list of your "buddies" isn't maintained by the network but kept on your individual PC. This means that if you use more than one machine to communicate, you will have to Skype yourself and send your buddies list to the other PCs. But this is a minor annoyance. The voice quality is superb. For talking to people halfway across the world, they sound like they are in the next room. And it works with relative ease with my little laptop, and even on my home Mac. It doesn't interoperate with other IM networks (that is the bad news), but it does a great job of penetrating corporate firewalls and routing around network problems (good for me, bad for most network administrators who are trying to deal with it). This is why it is a grey app. Skype is the fastest growing Internet-based communications application in history. They have reached more than 70 million users in a year, when other IM products took five or more years to get to this population. "Skype me" has become a verb, I am sorry to admit. So what's the problem? Well, there are two things at work here. First, because Skype is so facile at getting through network blockades, it has become a disease vector for virus writers to use to infect corporate networks. Over the past couple of weeks, several IM-based attacks (not just using Skype, but all kinds of IM products) have wreaked havoc on various commercial networks. 
Second, because the user population is growing so quickly, it is becoming more useful as more people join up, making it more of an opportunity for the bad guys to exploit. What this means is that corporate IT admins are having fits trying to contain it. The problem with these attacks is that you are more likely to click on a URL coming from one of your buddies via IM than from email, because you have already authenticated their identity and established some level of trust. Yet trusting an IM screen name is somewhat misplaced. I can remember plenty of times that I started conversations with my buddies, only to find out that someone else was using their screen name. There really isn't a lot of security behind the system: all it takes is to know someone's password. So what to do? Banishment of all IM and Skype doesn't work. Blocking the app doesn't work. Setting up a Skype proxy server isn't yet technically available - there are such things for AOL and MSN. You just have to deal with it, I guess. At the RSA show, the panel offered several lukewarm suggestions (such as using their own security software that they just happen to have handy in a nearby booth), but nothing to really stem the tide. In the meantime, I do the best I can: keep my firewall and anti-virus software up to date, and hope that my grey network doesn't go completely black on me one day. This article appears courtesy of Tom's Networking.

From isn at c4i.org Tue Mar 1 04:48:38 2005 From: isn at c4i.org (InfoSec News) Date: Tue Mar 1 04:54:38 2005 Subject: [ISN] Security Firms Follow Unwritten Code When Digging Up Dirt On Each Other Message-ID: Forwarded from: security curmudgeon : http://www.informationweek.com/story/showArticle.jhtml;jsessionid=POBBDHOZK2B4AQSNDBCCKH0CJUMEKJVN?articleID=60403683 : : By Gregg Keizer : TechWeb News : Feb.
25, 2005 : : A critical vulnerability was spotted Thursday in the anti-virus engine : used by Trend Micro's entire line of client, server, and gateway : security products, the third such disclosure this month of flaws in : major security firms' software. : While vulnerabilities within security products are rare -- at least in : comparison to, say, operating systems such as Windows -- they're not : unheard of. And by one analyst's take, they're fair game.

Of course there are fewer than in an operating system, but that doesn't make them "rare" by any means. Not only are most security products just as vulnerable as other software products, they add a false sense of security given the nature of their purpose. People purchase Anti-Virus to stop viruses. They purchase firewalls to stop bad traffic. Instead, they are often installing software that is giving attackers *another* way into their system. According to osvdb.org:

Symantec: 108 vulnerabilities in their products, including Anti-Virus, Norton Utilities, Raptor Firewall, NetProwler, pcAnywhere, I-gear, Anti-Spam, Gateway, Web Security, LiveUpdate, VelociRaptor and more.

Trend Micro: 59 vulnerabilities in their products, including InterScan Viruswall, ScanMail, OfficeScan, PC-Cillin, AppletTrap, VirusBuster and more.

F-secure: 12 vulnerabilities in their products, including Policy Manager, Anti-Virus, Gatekeeper, Backweb and more.

: Trend Micro agreed here, too. "We're actually really happy that people : are doing this. The industry needs something like this, not because we : need to stir up anything politically [between companies] but because : different people tend to look at problems different ways," said : Hansmann.

Why isn't Trend Micro doing it is the real question.

: But the practice of one security firm investigating another could be : considered inappropriate, said Pescatore, if abused.
In the past, : various anti-virus firms took potshots at each other, not in public, but : by touting the weaknesses in rivals to analysts like Pescatore. This is standard operating procedure among many security vendors. Many product sales pitches are half touting their product, half pointing out weaknesses in competitors. : "If there's one thing I would tweak ISS about," said Pescatore, "it : would be that I'm assuming we'll never see anything like the Witty worm : in the future if ISS has the time to look for vulnerabilities in other : companies' products." : : It's not easy to dig up vulnerabilities, said Pescatore: "it takes : skill," he said. : : "You would have thought they'd been looking at their own products." There is no marketing value in that. From isn at c4i.org Tue Mar 1 04:49:18 2005 From: isn at c4i.org (InfoSec News) Date: Tue Mar 1 04:54:40 2005 Subject: [ISN] The loss of a dear friend Message-ID: Forwarded from: priest Dear friends- It is with a heart heavy with grief that I must inform you of the loss of a dear friend to us all, Josh Cohen. On February 22 at approximately 02:00 hours PST Seattle ATC received a message from Josh who was piloting his Glasair, tail number N262WG, stating he had a visual on the Crescent City airport and was terminating radar service to switch to the local airport frequency for his final approach. The last radar contact showed him at 400 feet above ground executing a 270 degree turn. No further transmissions were received and radar contact was lost at this time. The plane was found on February 23rd in approximately 40 feet of water 100 yards off shore. The Coast Guard has declared search and rescue operations terminated and have begun salvage and recovery operations. They do not expect to find any survivors. I have known Josh since Defcon 5 and he will be sorely missed by all. For those who may not immediately remember him, he was the guy with the RTD bus and the one who was the hotel liaison. 
Please see the link below for more details. Please find below a link with more details, a guestbook, and photo gallery. http://darkstar.frop.org/pac-bell/ May God bless us all and watch over us in this time of grief. From isn at c4i.org Wed Mar 2 12:23:21 2005 From: isn at c4i.org (InfoSec News) Date: Wed Mar 2 12:33:43 2005 Subject: [ISN] REVIEW: "Inside the Spam Cartel", Spammer-X Message-ID: Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" BKINSPCA.RVW 20041224 "Inside the Spam Cartel", Spammer-X, 2004, 1-932266-86-0, U$49.95/C$72.95 %A Spammer-X %C 800 Hingham Street, Rockland, MA 02370 %D 2004 %G 1-932266-86-0 %I Syngress Media, Inc. %O U$49.95/C$72.95 781-681-5151 fax: 781-681-3585 www.syngress.com %O http://www.amazon.com/exec/obidos/ASIN/1932266860/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/1932266860/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/1932266860/robsladesin03-20 %O tl a rl 1 tc 2 ta 2 tv 1 wq 2 %P 413 p. %T "Inside the Spam Cartel: Trade Secrets from the Dark Side" Chapter one is supposed to be a bio of Spammer-X, and gives us the stereotypical blackhat life story. A business model of using spam to generate referrals to porn sites is presented in chapter two. Rough ideas of spamming techniques are outlined in chapter three, although it is rather short on details. (What details are given are quite suspect: SOCKS is not a mail server, but a type of circuit-level proxy firewall.) Chapter four lists various means of harvesting addresses, but concentrates on a) buying them, and b) random address verification. (Which doesn't provide much help to users in terms of suggestions for avoiding getting on spam lists.) Advertising tricks are balanced against some anti-blacklisting tips in chapter five. Interestingly, there is some talk of botnets, but not the SMTP (Simple Mail Transfer Protocol server) carrying viruses. (More technical goofs: Rich Text Format is hardly a Microsoft only technology.) 
Chapter six looks at various means of payment over the Internet which, for those of paranoid mindset, has some possibly useful points to make about dangers of different forms of online commerce. Chapter seven starts to present some information that may have some general value, as it reviews various types of spam filtering (and filter evasion) techniques. A more advanced examination is in chapter eight. Scams are listed in chapter nine, with a concentration on phishing and 419/advance fee frauds. The author is rather careless with the facts: phishing is initially described as any type of scam (although the text later contradicts itself by redefining the term as related only to banks), Nigeria does have a law against advance fee fraud, and it's Lagos, not Logos. Chapter ten runs through the provisions of the US CAN-SPAM act, and notes how spam can be legal. The material on the analysis of spam, in chapter eleven, initially has some helpful tips, but the later parts of the chapter grow vague. In chapter twelve, Spammer-X points out that the estimated costs of spam are wildly inflated, but his own numbers are biased very low, not counting the costs of maintaining filters, the loss of messages, difficulties in contacting people, spam to mailing lists, and even the problem of bounced messages which is raised in the following chapter. The statistics of spam listed in chapter thirteen are generally of little use. The most interesting data, on yearly trends, is incorrectly described in the text (switching the numbers for virus and spam) and says that spam is down over the Christmas period, which is not supported by the numbers themselves. (This is rather ironic: I reviewed the book over Christmas, and can attest to the fact that there was no drop in the numbers of spam on my accounts.) Chapter fourteen makes some rather far-fetched predictions about the future of spam. 
The questions in chapter fifteen's FAQ (Frequently Asked Questions list) seem to be simply random rather than significant. Spammer-X closes, in chapter sixteen, by telling us that he has given us an unbiased look at spam, and that spam is good. The promotional blurb on the cover implies that you may hate Spammer-X, but still need to know what he says. It also states that this is a "Must Read" for security professionals and law enforcement personnel. Forget it. The notes on anti-blacklisting tips and techniques for harvesting email, at least those given in the book, are going to be of very little help in either avoiding spam, or in tracking down the perpetrators. It may, of course, be that not all spamming techniques are provided here, and that knowledge of some of them would help system administrators or those who want to track down spammers--but that still means the text is of extremely limited usefulness. The title is also rather misleading: the author (if, indeed, there is a single author and not a committee) presents us with one particular look at spamming activity. If there is a spam cartel "he" is definitely not in it. The work has some points of interest, but it isn't going to help anybody very much. (Including, fortunately, potential spammers.) copyright Robert M. Slade, 2004 BKINSPCA.RVW 20041224 ====================== (quote inserted randomly by Pegasus Mailer) rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu Doubtless you are the people, and wisdom will die with you! But I have a mind as well as you; I am not inferior to you. Who does not know all these things? - Job 12:2,3 http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade From isn at c4i.org Wed Mar 2 12:23:35 2005 From: isn at c4i.org (InfoSec News) Date: Wed Mar 2 12:33:45 2005 Subject: [ISN] An Oscar Surprise: Vulnerable Phones Message-ID: http://www.nytimes.com/2005/03/02/movies/oscars/02leak.html By JOHN MARKOFF and LAURA M. 
HOLSON March 2, 2005 Paris Hilton is not alone. According to a Los Angeles security consulting firm that went skulking outside the Academy Awards ceremony in Hollywood on Sunday, as many as 100 people who walked the red carpet were carrying cellphones vulnerable to the kind of privacy invasion that recently gained Ms. Hilton a new round of unwanted notoriety. Three employees of the company, Flexilis, founded two years ago by four University of Southern California students, positioned themselves in the crowd of more than 1,000 people watching celebrities arrive at the Kodak Theater. John Hering, one of the company's founders, wore a backpack in which he had placed a laptop computer with scanning software and a powerful antenna. The Flexilis researchers said they were able to detect that 50 to 100 of the attendees had smart cellphones whose contents - like those of Ms. Hilton's T-Mobile phone - could be electronically siphoned from their service providers' central computers. The contents of Ms. Hilton's phone, including other celebrities' phone numbers, ended up on the Internet. The researchers said they were uncertain about the precise number of vulnerable phones because some phones may have been detected more than once. They did not tap into any of the cellphones that were scanned - which would have been illegal - and so could not identify exactly whose phones were vulnerable. The researchers said that their stunt, which scanned the red carpet from about 30 feet away, was meant to raise awareness of a threat to privacy that is becoming more common as advanced cellphones carry a growing range of personal data, including passwords, Social Security numbers and credit card information. "Celebrities, V.I.P.'s, executives and politicians are among the most vulnerable to this kind of attack, because they are frequently the first to adopt new consumer technologies," Mr. Hering said.
He also noted that despite extensive security measures at the Oscars, his company's surveillance activities went unnoticed. "We were only doing this passively, but it was possible that someone could have been standing right next to us doing this maliciously," he said. John Pavlik, director of communications for the Academy of Motion Picture Arts and Sciences, said: "We're very confident about the ability of our security to keep our guests and performers and nominees safe. The problem with the privacy issue is that it is, in fact, a growing phenomenon with these smart phones and it will get to be more and more of a problem each year. This year, we tried to address it as strenuously as we could." Flexilis has specialized in a short-range wireless data technology known as Bluetooth, which is intended to replace cables over short distances. Many cellphones now have Bluetooth wireless capability to permit synchronizing with computers, or to connect to peripherals like wireless headsets. Bluetooth is also becoming a standard technology in luxury cars to permit them to integrate easily with cellphones. And it is increasingly found in personal computers as a cable replacement for keyboards, mice and printers. The Flexilis team said their concern was not with Bluetooth itself, which contains adequate security protection, but with the way the technology has been used by many manufacturers. "We're attempting to raise the level of security in the wireless world to the same standard that is now expected in the wired world," Mr. Hering said. Mike Foley, executive director of the Bluetooth Special Interest Group, an industry association, said that his organization "takes security very seriously" and that "so far no security holes have been discovered in the Bluetooth specification itself." Actors interviewed over the Oscar weekend expressed varying degrees of concern about their vulnerability. 
Sandra Oh, one of the stars of "Sideways," which was directed by her husband, Alexander Payne, said she rarely used a cellphone. "Who wants to be that accessible?" she said in an interview Saturday at the Independent Spirit Awards. "People have so many lines-of-defense phone numbers so people can't reach them. Alexander has, like, four or five." Robin Williams, at the same event, pulled a phone from his inside coat pocket and deadpanned: "These phones are amazing. They have everything. Games. Phone book. A vibrator." Mr. Williams said it was unlikely that an eavesdropper would have much interest in monitoring his cellphone. "I don't have a lot of numbers in my phone book," he said. But he added: "It wouldn't be hard for a hacker to get inside one of these things. You've got to be careful." Catherine Billey and Matt Richtel contributed reporting for this article.

From isn at c4i.org Wed Mar 2 12:23:55 2005 From: isn at c4i.org (InfoSec News) Date: Wed Mar 2 12:33:52 2005 Subject: [ISN] Security through layers Message-ID: http://www.fcw.com/fcw/articles/2005/0228/web-wiresec-03-01-05.asp By Florence Olsen March 1, 2005

Wireless networks are inherently insecure, but the more layers of security they have, the less likely they are to be attacked, said Mischel Kwon, wireless security officer for the Justice Department's Management Division. Speaking today at the Wireless/RFID Conference and Exhibition in Washington, D.C., Kwon said the most secure layered approach would use the latest wireless grid technologies in combination with wireless intrusion-detection systems. Because of the insecurities inherent in wireless technologies, a lot of fear exists, said Capt. Sheila McCoy, former director of information assurance in the Navy's Office of the Chief Information Officer. "We're a rather risk-averse bunch," she said. But attitudes toward wireless networks are changing as Defense Department officials learn more about managing risk with new technologies, she added.
Dan Hickey, deputy commander for computer network defense at the Marine Corps Network Operations and Security Command, prefaced his remarks by saying that "wireless technology scares me." Few agencies, he said, are using layered security or "defense in depth" correctly when deploying wireless technologies. And on the policy side, he said, agencies need to ask who has the authority to accept risk for the organization when people begin using such technologies. Wireless expert Bill Neugent, chief engineer for cybersecurity at Mitre, a nonprofit engineering organization, said that the proliferation of wireless technologies such as radio frequency identification chips and nanoscale "smart dust" will cause both privacy losses and productivity gains. According to other wireless experts who offered tips on security technologies and policies, open-source products are the most popular for auditing the security of wireless networks. Auditors in the Government Accountability Office, for example, use open-source scanners NetStumbler and Kismet to conduct wireless audits, said Dan Van Belleghem, technical director for the information assurance group at SRA International. For the most part, wireless networks become open to attack because administrators fail to properly configure wireless access points with password protection, use no encryption, have no virtual private network protection, and do not disable the infrared ports and peer-to-peer features of their wireless networks, Kwon said. The conference was sponsored by the E-Gov Institute. From isn at c4i.org Wed Mar 2 12:24:08 2005 From: isn at c4i.org (InfoSec News) Date: Wed Mar 2 12:33:55 2005 Subject: [ISN] Payroll firm pulls Web services, citing data leak Message-ID: http://news.zdnet.com/2100-1009_22-5595316.html By Robert Lemos CNET News.com March 1, 2005 Service provider PayMaxx shuttered additional parts of its online payroll site this week, after a Web programmer continued to find holes in the system. 
PayMaxx's further closure of its Web services comes after a Web programmer, Aaron Greenspan, discovered that the company's initial attempt to block malicious access had fixed some flaws but left others unresolved. While still referring to the data leak as "limited in scope," the online payroll processor closed down its PayView and Instant W2 services, the company said in a statement. The services will remain down until PayMaxx has completed a thorough security analysis and redesigned the site's architecture. "We have sent all clients and key partners e-mails alerting them to the situation, and we are contacting the companies we believe may have been potentially affected by the hacking," PayMaxx said in a statement sent to CNET News.com. The dispute between PayMaxx and Greenspan, president of Web services start-up Think Computer and a former PayMaxx customer, over the security of the company's Web site continued this week. PayMaxx referred to Greenspan as a "hacker," while the Web programmer maintained that the security problem is far worse than divulged by the payroll company. The data leak comes at a time when several high-profile attacks have Congress looking into further legislation to protect people's private information. In February, data aggregator ChoicePoint warned that almost 150,000 consumer files had been compromised by scam artists who had set up fake companies to garner identity information. Last week, financial services giant Bank of America alerted government workers that backup tapes containing their information had gone missing. Greenspan said he uncovered the problem with PayMaxx's Web site about three weeks ago and tried to contact the company. He said PayMaxx did not respond, so he posted a report detailing the flaws. That prompted PayMaxx to shut down its Web service for retrieving W2 information. Greenspan continued to prod the site's security and discovered more vulnerabilities this weekend, he said. 
Greenspan said his attempts to find flaws in the site have been motivated by protecting his own information, from when Think Computer was a client of PayMaxx. "Think had an obvious interest in seeing that the problem would be resolved properly since its own data was stored in the affected systems," he said in an e-mail interview. PayMaxx does not agree. The Web programmer has been far too intent on poking holes in the company's systems and has "numerous inaccuracies" in his report, PayMaxx said in a statement. The company did not specify which parts of his report were incorrect. "We believe the hacker has violated federal law and we will take whatever action is necessary to protect the interests of our clients and our company," the company said. PayMaxx has contracted an outside security company to test its Web applications' security and has ordered additional hardware and software to better detect intrusions, PayMaxx said in a statement. From isn at c4i.org Wed Mar 2 12:24:23 2005 From: isn at c4i.org (InfoSec News) Date: Wed Mar 2 12:33:57 2005 Subject: [ISN] Canadian military, U.S. agencies launch BlackBerry security project Message-ID: http://www.canada.com/national/nationalpost/news/story.html?id=a1b84641-4ddf-4db0-b462-d8ce4597e9f0 Stephen Thorne Canadian Press March 01, 2005 OTTAWA (CP) - The Canadian military and U.S. security agencies have launched a joint effort to make BlackBerry portable communications devices more secure, hoping to one day use them to exchange top secret information. Defence Research and Development Canada, the Canadian Communications Security Establishment and the U.S. National Security Agency are among those involved in the year-long trial. The two countries will develop improved security on the hand-held personal data assistant designed by Research in Motion of Waterloo, Ont. With its cell phone, e-mail, calendars and contact lists, the BlackBerry is considered a blessing and a curse by users because it never allows them peace. 
But it has become a must-have for business, defence and security officials alike. "This BlackBerry technology . . . allows decision-makers to have their information right in the palm of their hands and to make decisions while they're away from their offices," said the military's chief scientist for the project, Mazda Salmanian. "You can see how important that would be for (the military)." The security of such tools came under scrutiny last month when hackers accessed private files from a similar device, called a Sidekick II, owned by Paris Hilton. They obtained more than 500 celebrity phone numbers, e-mail addresses and topless photos of the hotel heiress and TV personality. It was the most publicized in a series of breaches of the wireless carrier T-Mobile, a unit of Deutsche Telekom, during which hackers stole files from a U.S. Secret Service agent who used his Sidekick to do agency work. The Canadian defence project director, Matthew Kellett, says government and corporate BlackBerrys are resistant to similar breaches because they use so-called enterprise servers - in-house, protected e-mail networks. The Sidekick II uses a commercial online server to store some information, including phone numbers. Contacted Monday through a New York-based public relations agent, Research in Motion said it was not aware of the defence security project. The primary focus of the defence project is security of transmissions. "In a crisis situation, you really don't want to have the movements of your emergency people known, especially if it's a terrorist situation," said Kellett. "We're trying to protect communications between agencies. "It's mostly towards the terrorist angle, but there's also the relative sensitivity of the information we're passing." In government circles, BlackBerrys are now cleared to Protected A, which means bureaucrats cannot exchange much beyond names and phone numbers. 
Some agencies can go to Protected B, which allows exchange of encrypted personal information such as addresses, salaries and employment records. But defence officials want to be able to send more secure information continent-wide by e-mail during a crisis. U.S. researchers are developing test scenarios where the two countries would interact and co-operate in public safety and emergency preparedness exercises, said Kellett. One exercise will be the mock crash of a U.S. surveillance aircraft on Canadian soil. It will involve attempts to establish whether the crash was an accident or the result of terrorism threatening national security. Would-be rescuers will e-mail data from a remote location, likely using more dependable and accessible satellites instead of traditional cells with their sometimes spotty coverage. Under other scenarios, the coast guard will transmit information about suspicious activities off the coast of North America, out of cell-phone range, and border officials would manage a terrorist bombing. "The BlackBerry will have another radio access," said Salmanian, an electrical engineer. "Right now it's on cellular networks; it will have access to the satellite networks. "That will involve new ways of integrating technology." They also hope to develop encryption enhancements that could allow more secure information to be transmitted. The project will be the first time the specific encryption technology, known as public key infrastructure, will be used, along with other technologies, in an international context, researchers said. While the trials will take about a year, the data processing and subsequent research could continue for two more, said Salmanian. Initially, researchers will look at data transfer - e-mails - but could develop voice encryption later on, he said. The priority has been placed on e-mails because written information is more verifiable, more easily subject to analysis and in emergencies is better transmitted and archived. 
The research results could ultimately be commercially available, with some proceeds going back to the research and development arm of defence. From isn at c4i.org Wed Mar 2 12:24:35 2005 From: isn at c4i.org (InfoSec News) Date: Wed Mar 2 12:34:00 2005 Subject: [ISN] Man Charged with Passing Chip Design Information Message-ID: http://www.reuters.com/audi/newsArticle.jhtml?type=technologyNews&storyID=7766193 By Adam Tanner Mar 1, 2005 SAN FRANCISCO (Reuters) - A Taiwanese citizen living in California took computer chip design information from a San Francisco-area firm and e-mailed it to a potential rival in Taiwan, U.S. authorities charged on Monday. The U.S. Attorney for Northern California alleged that Shin-Guo Tsai, 35, took data sheets from Volterra Semiconductor Corp. and sent them over the Internet to a potential competitor on Christmas Day, 2004. Federal Bureau of Investigation agents arrested Tsai, who has permanent resident status in the United States, on Sunday night on charges of transporting stolen property abroad, a crime that could bring a maximum penalty of 10 years in prison, according to a spokesman for the U.S. Attorney for the Northern District of California. Tsai is in custody until a hearing later this week, spokesman Luke Macaulay said in a statement. Tsai worked for Volterra, which completed an initial public offering last year, from July 2002 until Feb. 15, 2005, when he announced he was returning to Taiwan to marry. The complaint, filed in U.S. federal court in San Jose, California, also alleged that Tsai had been in contact with the chairman of CMSC Inc., a Taiwanese start-up company that it said was involved in the same business as Volterra. It added that Tsai admitted to FBI agents last week that he had sent proprietary information to CMSC. The chairman of CMSC did not respond to an e-mail on Monday seeking response. 
The criminal complaint quoted Volterra's vice president of design engineering David Lidsky as saying the transmitted information about the firm's 1100-series products "related to the design of high-performance analog and mixed-signal power management semiconductors." Experts say theft and espionage are a headache for many Silicon Valley technology firms, although many do not turn to authorities when they discover it. "This is becoming more and more of a problem," said La Rae Quy, a former counterintelligence officer who now serves as the FBI spokeswoman. "We're working with companies to alleviate their concerns about coming forward." "This is the reaction with many companies: it is cheaper to lose the technology than it is to face negative media attention or adverse stock reaction." Fremont, California-based Volterra, which designs low-voltage power supply chips, did come forward in this case however, she said. From isn at c4i.org Wed Mar 2 12:29:34 2005 From: isn at c4i.org (InfoSec News) Date: Wed Mar 2 12:34:02 2005 Subject: [ISN] Bank loses credit-card info of 1.2M federal workers Message-ID: Forwarded from: Dennis Kezer Based on what is in this story there was absolutely no technical protection on these tapes and anyone with the correct drive should be able to mount them and capture the data. A corporation of this size should be using a backup application that can provide at least rudimentary security. -----Original Message----- From: InfoSec News Sent: Monday, February 28, 2005 5:37 AM To: isn@attrition.org Subject: [ISN] Bank loses credit-card info of 1.2M federal workers http://www.computerworld.com/securitytopics/security/story/0,10801,100061,00.html By Joanne Morrison FEBRUARY 26, 2005 REUTERS Computer tapes containing credit-card records of U.S. Senators and more than a million U.S. government employees are missing, Bank of America said yesterday, putting the customers at increased risk of identity theft.
The security breach, which included data on a third of the Pentagon's staff, angered lawmakers already concerned after criminals gained access to thousands of consumer profiles in a database maintained by a data profiling company, ChoicePoint Inc. Bank of America Corp. did not release details of how the tapes were lost, but Sen. Charles Schumer, a New York Democrat, said he had been informed by the Senate Rules Committee that the data tapes were likely stolen off a commercial plane by baggage handlers. "Whether it is identity theft, terrorism or other theft, in this new and complicated world baggage handlers should have background checks and more care should be taken for who is hired for these increasingly sensitive positions," Schumer said. Social security numbers, addresses and account numbers were on the tapes for 1.2 million account holders, of which about 900,000 belonged to Defense Department employees, Defense Department spokesman Bryan Whitman said. The tapes contained information from the accounts of dozens of U.S. Senators and from employees of federal agencies, officials monitoring the situation said. Bank of America said the small number of computer data tapes were lost in December while being shipped to a back-up data center. [...] From isn at c4i.org Thu Mar 3 02:50:02 2005 From: isn at c4i.org (InfoSec News) Date: Thu Mar 3 02:55:31 2005 Subject: [ISN] Security UPDATE -- Limit Your Exposure: Don't Use Administrative Accounts -- March 2, 2005 Message-ID: ==================== This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE. Exclusive Online Event: Email Protection at the Perimeter! http://list.windowsitpro.com/t?ctl=3DFB:4FB69 SQL Server Magazine http://list.windowsitpro.com/t?ctl=3E0B:4FB69 ==================== 1.
In Focus: Limit Your Exposure: Don't Use Administrative Accounts 2. Security News and Features - Recent Security Vulnerabilities - Numerous Security Flaws in Web Browsers Remain Unpatched - Microsoft Adds Security Guidance Center for Small Businesses 3. Security Toolkit - Security Matters Blog - FAQ - Security Forum Featured Thread 4. New and Improved - 256-Bit SSL Certificates ==================== ==== Sponsor: St. Bernard Software ==== Exclusive Online Event: Email Protection at the Perimeter! Learn how you can get award-winning anti-virus protection and superior spam blocking while assuring your critical business emails get through. Sign up today for this free online product demonstration and see the ePrism M500 from St. Bernard Software in action. Discover the secret behind the eGuard Analysts and how email is scoured for digital fingerprints left by spammers so you won't receive or send spam and viruses again! Sign up now! http://list.windowsitpro.com/t?ctl=3DFB:4FB69 ==================== ==== 1. In Focus: Limit Your Exposure: Don't Use Administrative Accounts ==== by Mark Joseph Edwards, News Editor, mark at ntsecurity / net You're probably well aware that running your desktop while logged on as an administrator can be risky. The reason of course is that administrators have full authority on the system, so any program that launches under an administrative account can perform almost any action you can think of. As you'll learn if you read the Security Matters blog item "Windows Firewall: Another Good Reason Not to Login as Administrator" ( http://list.windowsitpro.com/t?ctl=3E02:4FB69 ), spyware peddlers have already developed a way of adding their programs to the Windows Firewall's list of trusted applications. The spyware application simply adds a registry subkey that references the application under the subkey that stores trusted applications. Any trusted application is allowed to send traffic out of the computer. 
However, adding a subkey to the list of trusted applications works only if the user is logged on with administrative authority. So now you know one more reason why administrative accounts should be used sparingly. Mark Minasi recently wrote an interesting editorial in Windows IT Pro UPDATE--Special Edition titled "Follow-Up: Why Microsoft Can't Stop Root Kits." Minasi pointed out that the primary leverage an intruder has is a user logged on with an administrative account. http://list.windowsitpro.com/t?ctl=3E03:4FB69 In a message posted to the Bugtraq mailing list, Chris Wysopal pointed out that "The security problem that has created the spyware malaise on Windows is the default Windows installation for home users, which creates the user's named account in the Administrators group. When this account is used to browse the Internet there is no protection to prevent spyware/malware from bypassing security mechanisms, such as the XP SP2 firewall, by exploiting vulnerabilities or tricking the user." Wysopal's statement is true. The same thing goes for corporate users who use an administrative account primarily for visiting networks external to their company network. Wysopal also made the interesting prediction that due to the problem of spyware and malicious software, Microsoft will eventually change the Windows installation process so that at least two accounts are created: one for administrative use and another with limited permissions for everyday and Internet use. http://list.windowsitpro.com/t?ctl=3DFF:4FB69 Any of you who've used a Unix-based or Linux-based system know that this sort of dual-account use is standard practice. You log on with a regular user account, and when you need administrative privileges, you can use the "su" (super user) command to temporarily elevate your privileges, log out and log back in as "root" or some other administrative account, or create another logon session on your desktop.
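The trusted-application list the column describes can be reviewed from an ordinary account even though it can only be changed by an administrator. The following PowerShell is an added example, not code from the newsletter or from Microsoft; it assumes the XP SP2-era registry location of the StandardProfile list and the "path:scope:state:name" value format, and flags enabled exceptions that point outside Program Files or the Windows directory, or whose executable no longer exists.

```powershell
# Added example (not from the newsletter or Microsoft): audit the Windows Firewall
# "authorized applications" list that the column says spyware writes itself into,
# and confirm that the list is not writable from a limited account.
# Assumption: XP SP2-era location of the StandardProfile list, and the value
# format "<path>:<scope>:<Enabled|Disabled>:<display name>".

$ListSubKey = 'SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$ListKey    = "HKLM:\$ListSubKey"

function ConvertFrom-AuthorizedAppValue {
    # Parse one registry value into an object and decide whether it deserves review.
    param([string]$Name, [string]$Value)

    if ($Value -match '^(?<path>.*):(?<scope>[^:]*):(?<state>Enabled|Disabled):(?<label>.*)$') {
        $path  = $Matches['path']
        $scope = $Matches['scope']
        $state = $Matches['state']
        $label = $Matches['label']
    } else {
        # Anything that does not follow the expected format is worth a look on its own.
        return [pscustomobject]@{ Path = $Name; Scope = ''; State = 'Unparsed'; Label = $Value; Suspicious = $true }
    }

    # Legitimate entries normally point into Program Files or the Windows directory.
    $trustedDirs  = @($env:ProgramFiles, $env:SystemRoot) | Where-Object { $_ }
    $inTrustedDir = $false
    foreach ($dir in $trustedDirs) {
        if ($path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { $inTrustedDir = $true }
    }
    $exists = ($path -ne '') -and (Test-Path -LiteralPath $path)

    # Flag enabled exceptions that live outside the trusted directories or whose
    # executable is gone (a common leftover after malware is only partially removed).
    $suspicious = ($state -eq 'Enabled') -and ((-not $inTrustedDir) -or (-not $exists))

    [pscustomobject]@{
        Path = $path; Scope = $scope; State = $state; Label = $label; Suspicious = $suspicious
    }
}

function Get-FirewallAuthorizedApps {
    # Enumerate every value under the list key; reading needs no special rights.
    if (-not (Test-Path $ListKey)) { return @() }
    $item = Get-ItemProperty -Path $ListKey
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # provider metadata, not list entries
        ConvertFrom-AuthorizedAppValue -Name $prop.Name -Value ([string]$prop.Value)
    }
}

function Test-FirewallListWritable {
    # The column's point in one call: opening the key for writing succeeds for an
    # administrator and throws SecurityException for a limited user.
    try {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ListSubKey, $true)
        if ($null -eq $key) { return $false }   # key absent on this Windows version
        $key.Close()
        return $true
    } catch [System.Security.SecurityException] {
        return $false
    }
}

"Firewall exception list writable by the current account: $(Test-FirewallListWritable)"
Get-FirewallAuthorizedApps | Where-Object { $_.Suspicious } | Format-Table Path, State, Label -AutoSize
```

Run it once from the limited everyday account and once via RunAs as an administrator: the first call reports the list as not writable, the second as writable, which is exactly the difference the column is relying on.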
Windows also lets users elevate their privileges, but this capability isn't used nearly as often as it should be. You probably know this already, but I'll point it out in case any readers are unaware: A simple way to elevate your privileges for specific application use in Windows is to use the RunAs feature, which lets you run programs under any account context provided that you supply the corresponding account password. This feature works great even for desktop systems on which some applications might not work correctly except under an account with some level of administrative authority. If you need help figuring out how to use RunAs, then check the articles at Microsoft's Web site. http://list.windowsitpro.com/t?ctl=3E00:4FB69 ==================== ==== Sponsor: SQL Server Magazine ==== Get SQL Server Magazine and Get Answers Throughout the year in 2005, SQL Server Magazine is on target to deliver comprehensive coverage of all hot industry topics including, SQL Server 2005, performance tuning, security, Reporting Services, Integration Services, and .NET development. If you aren't already a subscriber, now is the time to sign up. You'll get unlimited online access to every article ever published in the magazine and you'll get 30% off the cover price. Don't miss out . . . sign up today: http://list.windowsitpro.com/t?ctl=3E0B:4FB69 ==================== ==== 2. Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://list.windowsitpro.com/t?ctl=3DFE:4FB69 Numerous Security Flaws in Web Browsers Remain Unpatched Dozens of security-related problems remain unpatched in the Microsoft Internet Explorer (IE), Mozilla Firefox, and Opera Web browsers. 
According to security solution provider Secunia, which tracks vulnerabilities in more than 4000 products, some of the unpatched browser vulnerabilities are considered to be either moderately or highly critical. http://list.windowsitpro.com/t?ctl=3E06:4FB69 Microsoft Adds Security Guidance Center for Small Businesses Microsoft added a new Security Guidance Center to its Small Business Center Web site. The new content provides security information and advice to help businesses create a safer network environment. http://list.windowsitpro.com/t?ctl=3E05:4FB69 ==================== ==== Resources and Events ==== Keeping Critical Applications Running in a Distributed Environment Get up to speed fast with solid tactics you can use to fix problems you're likely to encounter as your network grows in geographic distribution and complexity, learn how to keep your network's critical applications running, and discover the best approaches for planning for future needs. Don't miss this exclusive opportunity--register now! http://list.windowsitpro.com/t?ctl=3DF9:4FB69 Get Ready for SQL Server 2005 Roadshow in a City Near You Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best- practices migration to SQL Server 2005 and improve your database computing environment. Receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now! http://list.windowsitpro.com/t?ctl=3DFC:4FB69 Learn What You Can Do When Exchange Disaster Strikes Messaging administrators can't always adequately plan for or prevent some kinds of disasters. In this free Web seminar, join Exchange MVP Paul Robichaux, as he describes some operational scenarios in which "disaster recovery" takes a back seat to "business continuance." Learn how to be prepared for events that might otherwise wipe out your messaging capability. Register now! 
http://list.windowsitpro.com/t?ctl=3DF8:4FB69 The Must-Attend Event for Securing Your Wireless Deployments The Conference on Mobile & Wireless Security delivers on-target, need-to-know information on emerging issues and tech trends. Featuring first-class keynotes and sessions, an in-depth panel discussion, and interactive workshops, you will learn practical tactics for overcoming mobile security challenges and real-world strategies for maximizing the potential of your wireless devices. http://list.windowsitpro.com/t?ctl=3E0D:4FB69 Meet the Risks of Instant Messaging Head On in This Free Web Seminar Don't overlook Instant Messaging in your compliance planning. Attend this free Web seminar and learn how to minimize IM's authentication and auditability risks and prevent security dangers. You'll also receive a list of the top requirements to consider when choosing a secure IM solution. Sign up now! http://list.windowsitpro.com/t?ctl=3DFA:4FB69 ==================== ==== 3. Security Toolkit ==== Security Matters Blog by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=3E0C:4FB69 Windows Firewall: Another Good Reason Not to Login as Administrator Administrator rights are dangerous enough already. Combine them with Windows Firewall protecting a system, and somebody from outside your network might be able to bypass the firewall. http://list.windowsitpro.com/t?ctl=3E02:4FB69 FAQ by John Savill, http://list.windowsitpro.com/t?ctl=3E08:4FB69 Q. How can I configure Group Policy-based scripts to display when they're executed? Find the answer at http://list.windowsitpro.com/t?ctl=3E04:4FB69 Security Forum Featured Thread: Annoying Files That Continually Reappear A forum participant is wondering about two files on his system, wkwgww.exe and hnhihh.exe. He thinks the files are related due to the file names. He has the latest updates for his antivirus and antispyware scanners, but those tools don't detect anything suspicious about the two files. 
When he deletes the files, they reappear on the system. Join the discussion at http://list.windowsitpro.com/t?ctl=3DFD:4FB69 ==================== ==== Announcements ==== (from Windows IT Pro and its partners) Get Windows IT Pro at 44% Off! Windows & .NET Magazine is now Windows IT Pro! Act now to get an entire year for just $39.95--that's 44% off the cover price! Our March issue shows you what you need to know about Windows Server 2003 SP1, how to get the best out of your IT staff, and how to fight spyware. Plus, we review the top 10 features of Mozilla Firefox 1.0. This is a limited-time, risk-free offer, so click here now: http://list.windowsitpro.com/t?ctl=3E07:4FB69 ==================== ==== 4. New and Improved ==== by Renee Munshi, products@windowsitpro.com 256-Bit SSL Certificates XRamp Technologies announced that it's now issuing 256-bit digital Secure Sockets Layer (SSL) certificates. The certificates work with all browsers and servers that support the 256-bit Advanced Encryption Standard (AES) and are backward-compatible for browsers and servers that can handle only 128-bit or 40-bit encryption. Microsoft hasn't yet implemented 256-bit capability into its servers and browser, but 256-bit AES encryption is available with Linux Web servers, and the free Mozilla Firefox Web browser supports 256-bit AES. A 1-year 256-bit SSL certificate from XRamp costs $128. Multiyear certificates are available at discounted prices. For more information, go to http://list.windowsitpro.com/t?ctl=3E11:4FB69 Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.
Editor's note: Share Your Security Discoveries and Get $100 Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rsecadmin@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length. ==================== ==== Sponsored Links ==== Automate Patch Management with Symantec ON iPatch http://list.windowsitpro.com/t?ctl=3E12:4FB69 Quest Software See Active Directory in a whole new light. And get a free flashlight! http://list.windowsitpro.com/t?ctl=3E13:4FB69 ==================== ==== Contact Us ==== About the newsletter -- letters@windowsitpro.com About technical questions -- http://list.windowsitpro.com/t?ctl=3E0F:4FB69 About product news -- products@windowsitpro.com About your subscription -- windowsitproupdate@windowsitpro.com About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com ==================== This email newsletter is brought to you by Security Administrator, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today. http://list.windowsitpro.com/t?ctl=3E01:4FB69 View the Windows IT Pro privacy policy at http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy Windows IT Pro, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2005, Penton Media, Inc. All rights reserved. From isn at c4i.org Thu Mar 3 02:50:22 2005 From: isn at c4i.org (InfoSec News) Date: Thu Mar 3 02:55:33 2005 Subject: [ISN] Can you hear me now? 
In Senate buildings, the answer is yes Message-ID: Forwarded from: William Knowles http://www.gcn.com/vol1_no1/daily-updates/35187-1.html By Brad Grimes GCN Staff 03/02/05 The Senate this week activated an in-house cellular network that lets government employees place and receive calls from the bowels of the legislative body's various buildings. They can even check their BlackBerry devices. No sooner did the service go live Monday than Senate CIO Greg Hanson began receiving positive feedback. "I'm getting calls from my customers saying 'Greg, my cell phone works in the cafeteria of the Dirksen Building,'" Hanson said today at a wireless technology conference in Washington. The service is not yet available in all Senate buildings - the infrastructure is still being rolled out in the Capitol itself - but it does support almost all commercial cellular services. Hanson said the Senate had reached agreements with all but one cellular carrier. He declined to name the sole holdout but expected the carrier's service to be live on the Senate network by the end of the month. The cellular capabilities are part of an extensive hybrid wireless network the Senate is building with technology from MobileAccess Inc. of Vienna, Va. Not only do the Senate's wireless access points support cellular communications, they also allow wireless IEEE 802.11b/g access to various networks. Hanson said WiFi access was currently operational in approximately 40 percent of the Senate's office space, which includes the Dirksen, Hart and Russell Senate office buildings. When deciding how to build a wireless infrastructure that supports both cellular and WiFi communications, Hanson said the Senate decided it wanted to own the infrastructure and sell the bandwidth back to commercial carriers, who in turn sell their services across the network. "How do you satisfy everyone by making [the network] carrier agnostic?" Hanson said.
Senators and their staff tend to have their favorite cellular services because coverage varies from state to state. As it rolls out further, WiFi networking, which the Senate secures with hard tokens, virtual private networking and other measures, will require new policies. "Some offices didn't want to wait so they went to Best Buy and set up their own wireless networks," Hanson said. Hanson said his office is working with the Senate Rules Committee on a policy that would require Senate offices to shut down unauthorized wireless networks. For now, Hanson said, his staff does periodic "war walking" to identify rogue access points. *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* From isn at c4i.org Thu Mar 3 02:50:36 2005 From: isn at c4i.org (InfoSec News) Date: Thu Mar 3 02:55:35 2005 Subject: [ISN] Hacker Tips Off B-School Applicants Message-ID: http://www.thecrimson.com/today/article506140.html By DANIEL J. T. SCHUKER Crimson Staff Writer March 03, 2005 Tipped off by an online hacker, applicants to several of the nation's top business schools, including Harvard Business School (HBS), could access internal files on the schools' websites and ascertain their admissions status a month early. The admissions websites were vulnerable for over nine hours yesterday before the hacker's instructions and the admissions letters were taken down. But during the narrow time window, according to a thread on Business Week Online's technology forum, several applicants managed to follow the hacker's directions and read the admissions office's response letter. 
HBS requires students to submit their applications and recommendations electronically using ApplyYourself, an online application and decision notification system.

An anonymous hacker known as "brookbond," who defined himself as a male who specializes in information technology and software security, posted the instructions on Business Week Online's technology forum at 12:15 a.m., early yesterday.

"I know everyone is getting more and more anxious to check [the] status of their apps to HBS," he wrote. "So I looked around on their site and found a way."

Steven R. Nelson, executive director of HBS's Master of Business Administration (MBA) program, said the letters were taken off the site early yesterday. "These were just internal administrative devices," Nelson said.

Len Metheny, chief executive officer of ApplyYourself, told The Crimson that his company notified the half-dozen schools that were affected and put them on alert yesterday morning. "The problem has been resolved since 9:45 this morning," he said. "We made some changes to the system to prohibit access to that information."

Metheny also noted that individuals could only access their own personal admissions responses - not those of other applicants.

Business Week officials set out to expunge the hacker's comments from the website yesterday morning, said Kimberly Quinn, Business Week's director of communications. "As soon as we were informed of the situation, we deleted the post immediately," she said. "And any other directions that anybody else posted...we deleted those right away, too."

Nelson said HBS and Business Week did not contact each other about taking the posts down.

Before the online discussion on Business Week's forum was deleted, other students reported that they had also accessed admissions decisions from MIT's Sloan School of Management, the Stanford Graduate School of Business, and Duke University's Fuqua School of Business.

Managing Director of MBA Admissions and Financial Aid at HBS Brit K. Dewey posted a statement on Business Week's online forum last night directed to current applicants. "HBS decision information housed within ApplyYourself is neither complete nor final until our application notification dates," she wrote.

Dewey also emphasized in her online post that students' applications and recommendations have remained secure. "Such behavior is unethical and inconsistent with the behavior we expect from high-potential leaders we seek to admit to our program," she added.

Nelson said that HBS has not decided how to deal with applicants who accessed the site yesterday, nor would he confirm whether HBS knew the identities of these applicants. "This is a matter we're taking very seriously," he said.

HBS offers students three application rounds, with deadlines in October, January, and March. The admissions office sends out responses in January, March, and May, respectively. Applicants who could access the website using the hacker's technique expected to hear a decision from HBS on March 30.

Quinn said that Business Week does not know the identity of "brookbond," who told the online forum yesterday that he had used his own techniques to find out his own admissions status at HBS.

Sanford Kreisberg, a business school admissions consultant who follows developments at HBS closely, said that "this was probably not HBS's fault, but the software vendor's." Kreisberg added that the Wharton School at the University of Pennsylvania, as well as Cornell College, had experienced problems with online admissions programs in recent years. "Things could be worse," he said.

- Staff writer Daniel J. T. Schuker can be reached at dschuker @ fas.harvard.edu

From isn at c4i.org Thu Mar 3 02:50:47 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Mar 3 02:55:37 2005
Subject: [ISN] U.S. government to rely on Canadian cryptography
Message-ID:

http://www.globetechnology.com/servlet/story/RTGAM.20050302.gtcrypto0303/BNStory/Technology/

March 2, 2005
Globe and Mail Update

MISSISSAUGA, Ont., March 3 - Elliptic Curve Cryptography (ECC), an efficient public key cryptosystem, will become the standard to protect U.S. government communications.

The U.S. National Security Agency (NSA) presented its strategy and recommendations for securing U.S. government sensitive and unclassified communications, which included a recommended set of advanced cryptography algorithms known as Suite B for securing sensitive and unclassified data.

The only public key protocols included in Suite B are Elliptic Curve Menezes-Qu-Vanstone (ECMQV) and Elliptic Curve Diffie-Hellman (ECDH) for key agreement and Elliptic Curve Digital Signature Algorithm (ECDSA) for authentication. The Advanced Encryption Standard (AES) for data encryption and SHA for hashing are also included. All of the Suite B algorithms are consistent with the National Institute of Standards and Technology (NIST) publications.

ECC is a publicly available algorithm produced by Certicom, which has researched and developed ECC-based implementations and security for the past 20 years. Certicom Security Architecture, a modular set of security services, software cryptographic providers (including a FIPS 140-2 Validated cryptographic module), and board support packages, enables device manufacturers and other government suppliers to easily add strong, efficient cryptography that meets the NSA recommendations and NIST publications.

From isn at c4i.org Thu Mar 3 02:51:04 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Mar 3 02:55:39 2005
Subject: [ISN] Are vulnerable times responsible times?
Message-ID:

http://software.silicon.com/security/0,39024655,39128296,00.htm

By Patrick Gray
March 02 2005

Security professionals say they're making computing safer, but are they doing more harm than good? Patrick Gray talks to independent security researchers, a controversial operator and Microsoft's chief security engineer to find out.

The internet is one big, bad neighbourhood. Try connecting a freshly loaded Windows system - no patches - to the internet. How long would it last? 10 seconds? Maybe 20?

Then imagine a nightmare scenario. Your computer, with all patches loaded, is attacked by a hacker who possesses vulnerability information not in the public domain. They know a way in and there's no way to stop them; there is no patch for the security hole because your software supplier doesn't know it exists.

This is why software companies want security bug catchers to tell them when they find a flaw. They can write a patch and distribute it to customers before malicious hackers can attack systems through the weakness.

But one such researcher, Dave Aitel, doesn't want to do that.

Aitel is a man with a reputation. In private, many security researchers say he's unethical; a rogue operator placing computer users across the globe at risk. Others say he's a gun researcher, protecting his clients in an era of irresponsible security practices among large software companies.

Aitel's company, Immunity Inc, raised more than a few eyebrows in January when it released details of a security vulnerability in Apple's operating system software to the public without giving the software company prior notification. The result? Apple customers were aware of a security flaw in their software, and had no way to fix it. But the very same vulnerability details were shared with Immunity's clients as far back as June 2004. Why? Aitel explained: "Immunity's policy on vulnerability information does not include vendor notification."

Aitel has a habit of answering the questions he wishes you'd asked, not the ones that you actually did. But he offers this: the way he sees it, he's providing his customers with information about vulnerabilities in greater detail than the vendors, and that's a service worth paying for. $100,000 will get you into Aitel's Vulnerability Sharing Club; $50,000 for smaller companies. Any company that joins must sign a non-disclosure agreement, so information about vulnerabilities in popular software doesn't fall into the wrong hands.

Needless to say, some vendors are less than impressed. George Stathakopoulos, Microsoft's chief security engineer, wouldn't talk about any specific company, but says responsible vulnerability disclosure is vital. "Any individual or organisation that behaves in a way that potentially puts... customers at risk is a huge concern," he says. "We continue to urge security researchers to disclose vulnerability information responsibly and allow customers time to deploy updates so they do not aid criminals in their attempt to take advantage of software vulnerabilities."

Greg Shipley, chief technology officer of Chicago-based security outfit Neohapsis, holds back judgement but says the existence of private vulnerability sharing clubs like Aitel's raises some serious ethical questions. "When you start talking about advanced release times, publishing exploit code, and introducing a mercenary angle to what is essentially... a public quality assurance process, you start entering some really murky waters," he says.

The trade in information that allows the buyer to easily penetrate computer networks is dangerous, Shipley argues. "If it simply boils down to the highest bidder, we're in for some real problems."

"If anyone with a few dollars can afford to 'buy into' such an information ring and get access to tools that blow past most corporate defences, what's to stop some truly malicious folks from using that information for truly evil purposes?" Shipley asks.

"Zero-day", or unpublished, security vulnerabilities are becoming the "tactical nukes" of cyberspace, Shipley argues; the Holy Grail. He doesn't want to see them falling into the wrong hands.

But Ken Pfeil, chief security officer at Capital IQ, a web-based provider of financial data services, isn't alarmed. Services offered by companies like Immunity are ethical, "as long as they hold the information to themselves and sign the members to a non-disclosure agreement". Still, he does acknowledge the sensitive information may "leak", but that's not Aitel's fault, he says.

Vulnerability information leaks have sprung from other sources, like the Carnegie Mellon University-based research outfit CERT, which receives US government funding. "No one holds CERT accountable when a member leaks information, so why would this be any different?" Pfeil asks.

Perhaps some in the security industry are merely annoyed Aitel has the gumption to turn vulnerabilities into cash in such a controversial way. Having access to vulnerability information if you're a researcher seems to be a lesser sin in the eyes of many. It's ironic, considering some prominent researchers have been known to dabble in illegal activity.

Pfeil has used Aitel's services in the past, and is a satisfied customer. "I hired him to do a code review at our company last year. He did a very good job," he says.

While researching this article about Immunity Inc, one thing became very clear: Aitel is popular. Even some of his biggest critics say he's funny and affable; one former colleague describes him as "hard not to like".

Aitel spent six years working with the National Security Agency in the US before moving to the private sector. Ron Gula, the creator of Dragon IDS and co-founder of Tenable security in the US, also worked for the NSA. Gula, a competitor of sorts to Aitel, shies away from vulnerability research. It's expensive, time consuming and not worth the hassle, he says.

But Gula has also benefited financially from finding vulnerabilities in software inadvertently, simply through the publicity. He knows finding bugs pays the bills, even when disclosure is handled differently. It's proof that the rational rules of commerce, and perhaps ethics as a knock-on effect, don't apply in the bug hunting game.

"The few vulnerabilities we've inadvertently discovered got Tenable on CNN and sent a lot of business our way," Gula says. Even when a vulnerability was discovered in Dragon IDS, Gula said the negative publicity actually helped boost sales. "When Dragon first started, there was a lame exploit for it. This sent a lot of business my way... [people] conclude if it is new and worth hacking, it must be good."

There is a demand for detailed information about security vulnerabilities out there, a market vacuum, and Aitel's moved to fill it. "Software customers should require vendors to provide full, current, and accurate disclosure of every security vulnerability they know about, to their customers," he says. "While the open source community generally follows this policy, closed source vendors often do not. Educated customers, particularly in the financial community, are now requiring independent third party assessments of software before they purchase it, and are beginning to push back on software vendors with regard to the information they get from them about vulnerabilities."

But Microsoft's Stathakopoulos says his company doesn't want to bury vulnerability information, it just wants to slow down its release. "What worries me is the increase in releasing proof of concept code," he says. "I would like to see the industry self-regulating and delaying the release of POC for at least 90 days."

Proof of concept code exploits a security vulnerability, but doesn't grant access to a vulnerable machine; it's a test. However, armed with a basic POC anyone with some basic programming skills can alter the code and turn it into a fully fledged exploit.

Some see the release of POC as a way to force software vendors to produce working fixes. If millions of users have the ability to test a security patch with the POC, then the vendor had better make it a good fix.

If there's one thing Stathakopoulos is getting very sick of, it's having to drop everything - including holidays or social plans - when a security researcher slaps an undisclosed vulnerability in a Microsoft product onto a public mailing list. "You have to leave whatever you're doing to go to work and start the process of releasing a security update," he says.

What if software vendors started paying bug-finders for information about security flaws: would this help or hinder? Shipley has doubts. "There's a fine line between fiscally compensating one for their work, and creating a framework for extortion possibilities," he says. "It's that line that I worry about."

But Aitel notes it's not the "security community" that actually finds most of the bugs. "Vendors typically do pay a fee to people who find bugs in their software; they call that fee their 'salary'," he quips. "Most people finding bugs in a vendor's software are QA (Quality Assurance) engineers who work for the vendor." The public never knows about those bugs because they're fixed before the product ships.

Gula agrees with Shipley. If vendors are obliged to pay for bugs, such a scheme will amount to extortion. "There are millions of unknown vulnerabilities and the software manufacturers should not be forced to purchase these. How much are they worth? Who sets this value?" he asks.

So who's to blame for the current state of affairs? Vendors blame irresponsible researchers, and some researchers blame the vendors. While there are bugs being found, researchers will always seek to earn money from them. They'll sell them, or use them for marketing purposes; nothing says "look at me" like a zero-day in Windows. Until that changes, the security industry will look like the Wild West for a long time to come.
For now, it's the users left in the middle.

From isn at c4i.org Fri Mar 4 05:08:15 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 4 05:17:22 2005
Subject: [ISN] bounty for errors in _Translucent Databases_
Message-ID:

Forwarded from: R.A. Hettinga

[ http://www.amazon.com/exec/obidos/ASIN/0967584418/c4iorg - WK]

--- begin forwarded text

To: R.A.Hettinga
From: Peter Wayner
Subject: bounty for errors in _Translucent Databases_
Date: Thu, 3 Mar 2005 16:05:44 -0500

To: All readers of Translucent Databases.

I'm starting work on the second edition of _Translucent Databases_. To help eliminate errors, I'm quadrupling the bounty for error reports to $20 per error. I may also pay for suggestions for improving it, but that's harder to codify.

For info on the book, see this website:

http://www.wayner.org/books/td/

The only rules are designed to prevent people from using this offer to print money: only the first person to report each error gets $20. I reserve the right to relax this rule to pay multiple people who don't seem to be colluding.

I get to decide what constitutes a technical error and how big an error might be. For instance, if I screwed up and listed pi=3.41592..., I get to decide that this is only one error. It's not an infinite set of errors because the first digit after the decimal point is not 4, the second digit is not 1, the third digit is not 5, etc.

Also, non-technical errors don't qualify, although I'm grateful to get them.

To see previously reported errors:

http://www.wayner.org/books/td/errors.php

I promise to try to apply these rules as generously as possible.

-Peter

--- end forwarded text

--
-----------------
R. A. Hettinga
The Internet Bearer Underwriting Corporation
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

From isn at c4i.org Fri Mar 4 05:08:26 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 4 05:17:25 2005
Subject: [ISN] Bellua Cyber Security Asia 2005 - 23-24 March, Jakarta
Message-ID:

Forwarded from: Anthony Zboralski

Dear InfoSecNews readers,

Bellua Cyber Security Asia 2005 early bird registrations are about to close, you can save 40% if you register this week.

Event highlights:

* Keynote Speakers
  Bpk. Abdul Rahman Saleh, Attorney General of Republic Indonesia
  Bpk. DR. Sofyan Djalil, Minister of Communications and Information of Republic Indonesia
* 32 Top Speakers from Asia, Europe & USA
* Business Track for Executives & Managers
* Technical Track for Admins & Engineers
* Training Workshops
* Capture the Flag (Hacking Contest)
* Business Matchmaking, Cocktail Reception and Door prizes

Due to unforeseen circumstances, Black Hat Asia 2005 has been cancelled. Don't despair, BCS2005 in Jakarta is just one hour away from Singapore and The Grugq's Digital Forensics workshop and Sensepost's Hacking by Numbers (bootcamp & combat editions) will also be held on the 21st and 22nd March 2005 in Jakarta, Indonesia.

Bellua Cyber Security Asia 2005 - http://www.bellua.net

Register this Week for Early-Bird Discount!

For questions regarding event registration, please call +62 811 1975 95. For general event questions, please email bcs2005@bellua.com.
--
Bellua Cyber Security Asia 2005 - http://www.bellua.net
21-22 March - The Workshops - 23-24 March - The Conference
bcs2005@bellua.com - Phone: +62 21 391 8330 HP: +62 818 699 084

From isn at c4i.org Fri Mar 4 05:09:19 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 4 05:17:28 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-9
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2005-02-24 - 2005-03-03

This week : 61 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

The Mozilla Foundation has released a new version of their popular Firefox browser, which corrects several vulnerabilities.
Please view Secunia advisories below for additional details.

References:
http://secunia.com/SA13258
http://secunia.com/SA14407
http://secunia.com/SA14163
http://secunia.com/SA12712
http://secunia.com/SA13129
http://secunia.com/SA13599
http://secunia.com/SA14160
http://secunia.com/SA13786

--

Various Computer Associates products have been reported vulnerable to a buffer overflow vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Users of Computer Associates products are advised to check if their products are affected by this vulnerability.

References:
http://secunia.com/SA14438

--

Various products from Trend Micro have been reported vulnerable to a buffer overflow, which can be exploited by malicious people to compromise a vulnerable system.

Users of Trend Micro products are advised to check if their products are affected by this vulnerability.

References:
http://secunia.com/SA14396

--

Two vulnerabilities have been reported in various RealNetworks products, which can be exploited by malicious people to compromise a user's system.

Additional details are available in the reference advisory below.

References:
http://secunia.com/SA14456

VIRUS ALERTS:

During the last week, Secunia issued 1 MEDIUM RISK virus alert. Please refer to the grouped virus profile below for more information:

Bagle.BE - MEDIUM RISK Virus Alert - 2005-03-01 12:58 GMT+1
http://secunia.com/virus_information/15815/bagle.be/

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA14163] Mozilla Products IDN Spoofing Security Issue
2. [SA14407] Mozilla / Firefox / Thunderbird Multiple Vulnerabilities
3. [SA14396] Trend Micro Products AntiVirus Library Buffer Overflow
4. [SA13258] Mozilla / Firefox "Save Link As" Download Dialog Spoofing
5. [SA14335] Microsoft Internet Explorer Popup Title Bar Spoofing Weakness
6. [SA14406] Mozilla Firefox Image Javascript URI Dragging Cross-Site Scripting
7. [SA13129] Mozilla / Mozilla Firefox Window Injection Vulnerability
8. [SA14160] Mozilla / Firefox Three Vulnerabilities
9. [SA12889] Microsoft Internet Explorer Multiple Vulnerabilities
10. [SA14382] phpMyAdmin Local File Inclusion and Cross-Site Scripting

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA14456] RealPlayer WAV and SMIL File Handling Buffer Overflows
[SA14453] RaidenHTTPD Buffer Overflow and PHP Source Code Disclosure
[SA14405] BadBlue "mfcisapicommand" Parameter Buffer Overflow Vulnerability
[SA14400] KNet HTTP Request Processing Buffer Overflow Vulnerability
[SA14435] Scrapland Packet Handling Denial of Service Vulnerabilities
[SA14392] CIS WebServer Directory Traversal Vulnerability
[SA14454] CA Unicenter Asset Management Multiple Vulnerabilities
[SA14455] Einstein Sensitive Information Disclosure
[SA14389] PeerFTP_5 User Credentials Disclosure

UNIX/Linux:
[SA14447] Gentoo update for phpwebsite
[SA14412] Debian bsmtpd Arbitrary Command Injection Vulnerability
[SA14452] SUSE update for imap
[SA14448] Red Hat update for firefox
[SA14445] Gentoo update for phpBB
[SA14440] Fedora update for Firefox
[SA14439] phpCOIN Multiple Vulnerabilities
[SA14437] CuteNews Script Insertion Vulnerability
[SA14433] PostNuke Multiple Vulnerabilities
[SA14431] SUSE update for curl
[SA14430] Ubuntu update for libxml1
[SA14425] Gentoo update for unace
[SA14421] Ubuntu update for curl
[SA14420] Ubuntu update for cyrus21-imapd
[SA14419] SUSE Updates for Multiple Packages
[SA14393] SUSE update for cyrus-imapd
[SA14388] Gentoo update for cyrus-imapd
[SA14426] Gentoo update for mediawiki
[SA14423] Ubuntu update for reportbug
[SA14422] Debian reportbug Exposure of Sensitive Information
[SA14411] WU-FTPD Wildcard Denial of Service Vulnerability
[SA14398] mkbold-mkitalic BDF Font File Conversion Format String Vulnerability
[SA14397] HP-UX ftpd Unspecified File Access Vulnerability
[SA14390] Mandrake update for squid
[SA14442] Gentoo Qt Insecure Library Path Searching Vulnerability
[SA14432] OpenBSD Unspecified Copy Functions Vulnerability
[SA14427] KDE kppp Privileged File Descriptor Leak Vulnerability
[SA14424] Gentoo update for uim
[SA14408] Gentoo update for cmd5checkpw
[SA14404] cmd5checkpw Privilege Escalation Vulnerability
[SA14402] FreeNX X Server Authentication Bypass Security Issue
[SA14391] Mandrake update for uim
[SA14446] Gentoo update for gaim
[SA14415] Fedora update for gaim
[SA14410] Ubuntu update for gaim

Other:
[SA14395] Cisco ACNS Network Traffic Handling Denial of Service Vulnerabilities
[SA14429] Mitel 3300 ICP Web Management Interface Two Vulnerabilities
[SA14428] Symantec Firewall Devices SMTP Binding Configuration Bypass

Cross Platform:
[SA14449] PHPNews Arbitrary File Inclusion Vulnerability
[SA14399] phpWebSite Announcement Image Upload Vulnerability
[SA14396] Trend Micro Products AntiVirus Library Buffer Overflow
[SA14418] Forumwa Two Vulnerabilities
[SA14414] MercuryBoard Two Vulnerabilities
[SA14413] phpBB "autologinid" Security Bypass
[SA14407] Mozilla / Firefox / Thunderbird Multiple Vulnerabilities
[SA14394] PunBB Multiple Vulnerabilities
[SA14438] CA License Software Multiple Buffer Overflow Vulnerabilities
[SA14434] 427BB "user" Cross Site Scripting Vulnerability
[SA14416] CubeCart Cross-Site Scripting Vulnerabilities
[SA14409] PHP "readfile()" Denial of Service
[SA14406] Mozilla Firefox Image Javascript URI Dragging Cross-Site Scripting
[SA14417] NX Server X Server Authentication Bypass Security Issue

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA14456] RealPlayer WAV and SMIL File Handling Buffer Overflows

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-03-02

Two vulnerabilities have been reported in various RealNetworks products, which can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/14456/

--

[SA14453] RaidenHTTPD Buffer Overflow and PHP Source Code Disclosure

Critical: Highly critical
Where: From remote
Impact: Exposure of sensitive information, System access
Released: 2005-03-02

Tan Chew Keong has reported two vulnerabilities in RaidenHTTPD, which can be exploited by malicious people to gain knowledge of potentially sensitive information or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14453/

--

[SA14405] BadBlue "mfcisapicommand" Parameter Buffer Overflow Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-02-28

Andres Tarasco has reported a vulnerability in BadBlue, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14405/

--

[SA14400] KNet HTTP Request Processing Buffer Overflow Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-02-28

CorryL has reported a vulnerability in KNet, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14400/

--

[SA14435] Scrapland Packet Handling Denial of Service Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-03-01

Luigi Auriemma has reported some vulnerabilities in Scrapland, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14435/

--

[SA14392] CIS WebServer Directory Traversal Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information, Exposure of system information
Released: 2005-02-28

CorryL has reported a vulnerability in CIS WebServer, which can be exploited by malicious people to gain knowledge of potentially sensitive information.
Full Advisory:
http://secunia.com/advisories/14392/

--

[SA14454] CA Unicenter Asset Management Multiple Vulnerabilities

Critical: Less critical
Where: From local network
Impact: Cross Site Scripting, Manipulation of data, Exposure of system information, Exposure of sensitive information
Released: 2005-03-02

Three vulnerabilities have been reported in CA Unicenter Asset Management, which can be exploited to gain knowledge of sensitive information or conduct script insertion and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/14454/

--

[SA14455] Einstein Sensitive Information Disclosure

Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2005-03-02

Kozan has discovered a security issue in Einstein, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/14455/

--

[SA14389] PeerFTP_5 User Credentials Disclosure

Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2005-02-24

Kozan has discovered a security issue in PeerFTP_5, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/14389/

UNIX/Linux:--

[SA14447] Gentoo update for phpwebsite

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-03-02

Gentoo has issued an update for phpWebSite. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14447/

--

[SA14412] Debian bsmtpd Arbitrary Command Injection Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-02-28

Bastian Blank has reported a vulnerability in bsmtpd, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/14412/

--

[SA14452] SUSE update for imap

Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-03-02

SUSE has issued an update for imap. This fixes a vulnerability, which can be exploited by malicious people to bypass the user authentication.

Full Advisory:
http://secunia.com/advisories/14452/

--

[SA14448] Red Hat update for firefox

Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Spoofing, Manipulation of data, Exposure of sensitive information, System access
Released: 2005-03-02

Red Hat has issued an update for firefox. This fixes multiple vulnerabilities, which can be exploited to spoof various information, plant malware on a user's system, conduct cross-site scripting attacks, disclose and manipulate sensitive information, bypass certain security restrictions, perform certain actions on a vulnerable system with escalated privileges, and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14448/

--

[SA14445] Gentoo update for phpBB

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information
Released: 2005-03-02

Gentoo has issued an update for phpBB. This fixes two vulnerabilities, which can be exploited by malicious users to disclose and delete sensitive information.

Full Advisory:
http://secunia.com/advisories/14445/

--

[SA14440] Fedora update for Firefox

Critical: Moderately critical
Where: From remote
Impact: Spoofing, Manipulation of data, Exposure of system information, Exposure of sensitive information, Privilege escalation, System access
Released: 2005-03-01

Fedora has issued an update for Firefox.
This fixes multiple vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges and by malicious people to trick users into downloading malicious files, to conduct spoofing attacks, disclose and manipulate sensitive information, and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14440/

--

[SA14439] phpCOIN Multiple Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-03-01

Lostmon has reported multiple vulnerabilities in phpCOIN, allowing malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/14439/

--

[SA14437] CuteNews Script Insertion Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-03-02

FraMe has reported a vulnerability in CuteNews, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/14437/

--

[SA14433] PostNuke Multiple Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-03-01

Maksymilian Arciemowicz has reported multiple vulnerabilities in PostNuke, allowing malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/14433/

--

[SA14431] SUSE update for curl

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-03-01

SUSE has issued an update for curl. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14431/

--

[SA14430] Ubuntu update for libxml1

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-03-01

Ubuntu has issued an update for libxml1.
This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14430/

--
[SA14425] Gentoo update for unace
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-03-01

Gentoo has issued an update for unace. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14425/

--
[SA14421] Ubuntu update for curl
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-02-28

Ubuntu has issued an update for curl. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14421/

--
[SA14420] Ubuntu update for cyrus21-imapd
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-02-28

Ubuntu has issued an update for cyrus21-imapd. This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14420/

--
[SA14419] SUSE Updates for Multiple Packages
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, DoS, System access
Released: 2005-03-01

SUSE has issued updates for multiple packages. These fix various vulnerabilities, which can be exploited by malicious, local users to bypass certain security restrictions, or by malicious people to cause a DoS (Denial of Service) or compromise a user's system.

Full Advisory: http://secunia.com/advisories/14419/

--
[SA14393] SUSE update for cyrus-imapd
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-02-25

SUSE has issued an update for cyrus-imapd. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14393/

--
[SA14388] Gentoo update for cyrus-imapd
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-02-24

Gentoo has issued an update for cyrus-imapd. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14388/

--
[SA14426] Gentoo update for mediawiki
Critical: Less critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data
Released: 2005-03-01

Gentoo has issued an update for mediawiki. This fixes some vulnerabilities, which can be exploited by malicious users to delete arbitrary files, and by malicious people to conduct cross-site scripting attacks and bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/14426/

--
[SA14423] Ubuntu update for reportbug
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-02-28

Ubuntu has issued an update for reportbug. This fixes two vulnerabilities, which may potentially expose sensitive information in bugreports or can be exploited by malicious, local users to view sensitive information.

Full Advisory: http://secunia.com/advisories/14423/

--
[SA14422] Debian reportbug Exposure of Sensitive Information
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-02-28

Rolf Leggewie has reported two vulnerabilities in reportbug, which may potentially expose sensitive information in bugreports and can be exploited by malicious, local users to view sensitive information.

Full Advisory: http://secunia.com/advisories/14422/

--
[SA14411] WU-FTPD Wildcard Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-02-28

Adam Zabrocki has reported a vulnerability in WU-FTPD, which can be exploited by malicious users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14411/

--
[SA14398] mkbold-mkitalic BDF Font File Conversion Format String Vulnerability
Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-02-25

A vulnerability has been reported in mkbold-mkitalic, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14398/

--
[SA14397] HP-UX ftpd Unspecified File Access Vulnerability
Critical: Less critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2005-02-25

A vulnerability has been reported in HP-UX, which can be exploited by malicious users to gain knowledge of potentially sensitive information.

Full Advisory: http://secunia.com/advisories/14397/

--
[SA14390] Mandrake update for squid
Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-02-25

MandrakeSoft has issued an update for squid. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14390/

--
[SA14442] Gentoo Qt Insecure Library Path Searching Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-03-02

Gentoo has issued an update for qt. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/14442/

--
[SA14432] OpenBSD Unspecified Copy Functions Vulnerability
Critical: Less critical
Where: Local system
Impact: Unknown
Released: 2005-03-01

A vulnerability with an unknown impact has been reported in OpenBSD.
Full Advisory: http://secunia.com/advisories/14432/

--
[SA14427] KDE kppp Privileged File Descriptor Leak Vulnerability
Critical: Less critical
Where: Local system
Impact: Manipulation of data
Released: 2005-03-01

A vulnerability has been reported in KDE, which can be exploited by malicious, local users to manipulate the contents of certain files.

Full Advisory: http://secunia.com/advisories/14427/

--
[SA14424] Gentoo update for uim
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-03-01

Gentoo has issued an update for uim. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/14424/

--
[SA14408] Gentoo update for cmd5checkpw
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-28

Gentoo has issued an update for cmd5checkpw. This fixes a vulnerability allowing malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/14408/

--
[SA14404] cmd5checkpw Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-28

Florian Westphal has reported a vulnerability in cmd5checkpw, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/14404/

--
[SA14402] FreeNX X Server Authentication Bypass Security Issue
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2005-02-28

A security issue has been reported in FreeNX, which can be exploited by malicious, local users to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/14402/

--
[SA14391] Mandrake update for uim
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-25

MandrakeSoft has issued an update for uim.
This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/14391/

--
[SA14446] Gentoo update for gaim
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-03-02

Gentoo has issued an update for gaim. This fixes three weaknesses, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14446/

--
[SA14415] Fedora update for gaim
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-02-28

Fedora has issued an update for gaim. This fixes a weakness, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14415/

--
[SA14410] Ubuntu update for gaim
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-02-28

Ubuntu has issued an update for gaim. This fixes three weaknesses, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14410/

Other:
--
[SA14395] Cisco ACNS Network Traffic Handling Denial of Service Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-02-25

Four vulnerabilities have been reported in Cisco Application and Content Networking System (ACNS), which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14395/

--
[SA14429] Mitel 3300 ICP Web Management Interface Two Vulnerabilities
Critical: Moderately critical
Where: From local network
Impact: Hijacking, DoS
Released: 2005-03-01

Stephen de Vries of Corsaire has reported two vulnerabilities in Mitel 3300 Integrated Communications Platform (ICP), which can be exploited by malicious people to hijack sessions or by malicious users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14429/

--
[SA14428] Symantec Firewall Devices SMTP Binding Configuration Bypass
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-03-01

Arthur Hagen has reported a security issue in various Symantec firewall devices, which may disclose sensitive information to malicious people.

Full Advisory: http://secunia.com/advisories/14428/

Cross Platform:
--
[SA14449] PHPNews Arbitrary File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-03-02

Filip Groszynski has reported a vulnerability in PHPNews, allowing malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14449/

--
[SA14399] phpWebSite Announcement Image Upload Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-02-25

nst has reported a vulnerability in phpWebSite, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14399/

--
[SA14396] Trend Micro Products AntiVirus Library Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-02-25

ISS X-Force has reported a vulnerability in various Trend Micro products, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14396/

--
[SA14418] Forumwa Two Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-03-02

Raven has reported two vulnerabilities in Forumwa, which can be exploited by malicious people to conduct cross-site scripting attacks and malicious users to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/14418/

--
[SA14414] MercuryBoard Two Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-03-02

Doctor Grim has reported two vulnerabilities in MercuryBoard, which can be exploited by malicious people to conduct script insertion and SQL injection attacks.

Full Advisory: http://secunia.com/advisories/14414/

--
[SA14413] phpBB "autologinid" Security Bypass
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-02-28

A vulnerability has been reported in phpBB, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/14413/

--
[SA14407] Mozilla / Firefox / Thunderbird Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Spoofing, Manipulation of data, Exposure of system information, Exposure of sensitive information, Privilege escalation, System access
Released: 2005-03-01

Details have been released about several vulnerabilities in Firefox, Mozilla and Thunderbird. These can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges and by malicious people to conduct spoofing attacks, disclose and manipulate sensitive information, and potentially compromise a user's system.

Full Advisory: http://secunia.com/advisories/14407/

--
[SA14394] PunBB Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data, Exposure of sensitive information
Released: 2005-02-25

Some vulnerabilities have been reported in PunBB, which potentially can be exploited by malicious users to disclose sensitive information, and by malicious people to bypass certain security restrictions and conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/14394/

--
[SA14438] CA License Software Multiple Buffer Overflow Vulnerabilities
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2005-03-02

Multiple vulnerabilities have been reported in the CA License software, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14438/

--
[SA14434] 427BB "user" Cross Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-03-02

Raven has reported a vulnerability in 427BB, allowing malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/14434/

--
[SA14416] CubeCart Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-02-28

Lostmon has reported multiple vulnerabilities in CubeCart, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/14416/

--
[SA14409] PHP "readfile()" Denial of Service
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-03-01

A vulnerability has been reported in PHP, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14409/

--
[SA14406] Mozilla Firefox Image Javascript URI Dragging Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-03-01

Paul has reported a vulnerability in Mozilla Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/14406/

--
[SA14417] NX Server X Server Authentication Bypass Security Issue
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2005-02-28

Two security issues have been reported in NX Server, which can be exploited by malicious, local users to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/14417/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Fri Mar 4 05:09:30 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 4 05:17:30 2005
Subject: [ISN] Security firm trashes customer e-mails
Message-ID:

http://news.com.com/Security+firm+trashes+customer+e-mails/2100-7355_3-5598860.html

By Dan Ilett
Special to CNET News.com
March 3, 2005

An e-mail security scanning company has accidentally deleted thousands of its customers' e-mails.

GFI, a Microsoft "gold certified partner," is offering free upgrades to all its customers, after it trashed their e-mails by sending out incorrect update information.

According to GFI, the problem occurred because of a change in BitDefender's technology, one of the products that GFI uses for its e-mail scanning.

"Unfortunately, some changes had been made to BitDefender," said Angelica Micalleff-Trigona, public relations manager at GFI. "We were not aware of this, and we did not foresee this problem. We are deeply sorry for what happened. It took us by surprise."
When the GFI MailSecurity update mechanism tried to install BitDefender updates on customer networks, the service started to delete all e-mails by default. BitDefender and GFI then rolled back the updates.

"We've learned our lesson," a BitDefender representative said Thursday. "From now on, we'll try to give more support to our integration partners. The other companies that integrate our scanning engine did not have the same problem."

A ZDNet UK reader affected by the problem said a GFI salesman told him that the update had not been tested.

"We were pretty surprised this morning to find that all of the e-mail which arrived overnight had been deleted," wrote Jeremy Whiteley, chief executive officer at Promarketing Gear. "Even more troubling was the fact that, according to GFI's U.S. sales manager, they released this update without testing it! I guess they expect me and my IT staff to play the role of tester, regardless of the cost to my business... We're reconsidering our reliance on GFI going forward."

GFI denied not testing the update, but apologized for the blunder and has promised all customers a free upgrade to its MailSecurity 9 product, which is available in two months' time. The company has also released a tool that can tell customers which e-mails were deleted and when.

From isn at c4i.org Fri Mar 4 05:09:44 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 4 05:17:33 2005
Subject: [ISN] Paying for Flaws Pays Off for iDefense
Message-ID:

http://www.eweek.com/article2/0,1759,1772418,00.asp

By Ryan Naraine
March 3, 2005

Internet security specialist iDefense Inc. has released a reverse-engineering tool to the open-source community as part of its controversial strategy of buying the rights to information on security flaws found by underground researchers.
The decision to roll out the IDA Sync tool was driven by a need to "contribute to the cycle" of making flaw-finding easier for the private individuals who participate in iDefense's VCP (Vulnerability Contributor Program).

The 3-year-old VCP involves financial incentives to anonymous researchers who agree to give up exclusive rights to advance notification of unpublished vulnerabilities or exploit code to iDefense.

Michael Sutton, director of iDefense Labs, said the wild success of the program has driven the company to release tools like IDA Sync, which is used to allow multiple analysts to synchronize their reverse-engineering efforts in real time within the IDA Pro disassembler.

In an interview with eWEEK.com, Sutton said groups of researchers can use the IDA Sync plug-in to connect to the disassembler and share comments and name changes.

"A large group of researchers can now pick apart a program and share their findings with each other right within IDA Pro, which is the de-facto standard for disassembling within Windows," Sutton said.

In addition to IDA Sync, iDefense has previously released tools such as IDA pGRAPH, a plug-in that generates control-flow graphs; IDA Function Analyzer, an IDA C++ plug-in designed to provide an abstracted layer over "chunked" functions; and the Attack Vector Test Platform, a tool that was used in the research for the paper titled "A Comparison of Buffer Overflow Prevention Implementations and Weaknesses."

Flaw-finding has generated big business, and invaluable publicity, for the Reston, Va.-based iDefense. So far this year, the company is credited with the responsible disclosure of 36 security bulletins, including major flaws in products sold by Computer Associates International Inc., RealNetworks Inc. and Apple Computer Inc.

Sutton said that more than 80 percent of all vulnerabilities reported by iDefense were purchased from private, sometimes anonymous, software crackers.

"We'll pay for the exclusive intellectual property rights to the research, and this program works for everyone. The researchers make money for their work, the vendors get the benefit of responsible advance notices, and the end users get well-tested patches."

Not everyone agrees. Firas Raouf, chief operating officer of eEye Digital Security, thinks that the business of buying rights to flaw information is a dangerous practice.

"We don't believe that finding software vulnerabilities should be a for-profit business. We have a problem with paying for flaws. People should not be rewarded financially with finding flaws. Researchers should consider that finding flaws is an end in itself to make the world a more secure place," Raouf said in an interview.

iDefense's Sutton, however, argued that buying the information is the only way to make flaw discovery a scalable business.

"Last year, we released more than 100 public advisories. If you were to hire a team to come up with that volume in a year, it would cost a ton of money. The VCP gives us a very flexible, scalable business model."

Sutton refused to discuss how much money is paid for the rights to a flaw discovery. When the program launched in 2002, the company was offering up to $400 per vulnerability, and eEye's Raouf believes it is now in the range of $3,000 each.

"You have to remember there is a very lucrative underground market for this information. There's a lot of work being done on the organized crime side to get this information, and the prices being offered are quite high," Raouf said.

Raouf supports software vendors offering financial incentives, much like the Mozilla Foundation's bounty program that pays up to $500 for any critical bug found in the open-source code base.

"Finding vulnerabilities should be part of a manufacturer's QA [quality assurance] process. Microsoft, for example, is investing a lot of resources on training to help developers write secure code. It has worked quite well for Mozilla to get more professionals picking away at the code," Raouf said.

"Paying for this kind of information could have some implications. You end up getting people who aren't necessarily experts in the field trying to find something and sell it to the highest bidder. Once you start this, unless there's a strict process in place to manage it, you may end up with more problems for everyone," Raouf added.

A spokeswoman for Microsoft said the company has never paid for information on product bugs from private individuals.

"We credit finders who report vulnerabilities under responsible disclosure and, from time to time, [we have] contracted security research companies to review code for products under development," the spokeswoman said.

From isn at c4i.org Fri Mar 4 05:09:56 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 4 05:17:40 2005
Subject: [ISN] OMB: IT systems security at highest level in three years
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/35225-1.html

By Jason Miller
GCN Staff
03/03/05

On the heels of another poor showing in the annual congressional cybersecurity report card, the Office of Management and Budget earlier this week touted agency systems' security as being stronger than ever.

In the fiscal 2004 Federal Information Security Management Act report sent to Congress, the administration said 77 percent of 8,623 systems were certified and accredited as safe, and agencies tested their management, operation and technical controls of 76 percent of their applications.

These are improvements from the 2003 report, where agencies reported 62 percent of 7,998 systems as secure and found 64 percent had tested their security controls.

Even with this progress, agencies still have not met OMB's goal of securing 80 percent of all systems. Last December, the administration upped the ante and required 90 percent of all systems certified and accredited by Sept. 30.

"The federal government has made significant progress in identifying and addressing its security weaknesses," OMB said in the report. "However, uneven implementation of security measures across the federal government leaves vulnerabilities to be corrected."

The House Committee on Government Reform gave governmentwide cybersecurity a D grade in its annual report card released last month [see GCN story]. [1]

OMB also found agencies made progress in other security-related areas. For instance, 85 percent of agencies met OMB's goal of building security costs into the overall price of the project, and tested contingency plans for 57 percent of all applications.

The administration said agencies need to improve their agencywide plans of action and milestones to improve security weaknesses and continue to develop their certification and accreditation processes. The departments of Defense, Health and Human Services, Homeland Security, Housing and Urban Development and the Small Business Administration did not have plans of actions and milestones approved by their respective inspectors general. The IGs of the departments of Commerce, Defense, Education, HHS, DHS, HUD and NASA also said the certification and accreditation processes were poor.

According to OMB, agencies need to improve their accuracy, timeliness and completeness of cybersecurity incident reports filed with DHS. In 2004, agencies reported 2,058 attacks to DHS' incident response center.

"Less than full reporting hampers the government's ability to know whether an incident is isolated at one agency or is part of a larger event, e.g., the widespread propagation of an Internet worm, and thus complicates and delays appropriate response such as distributing security patches or other compensating controls," OMB noted.

DHS is piloting software for automatic transmittal of incident data from agency systems. The application should improve the government's ability to protect systems and respond to attacks, OMB said.

[1] http://www.gcn.com/24_4/news/35141-1.html

From isn at c4i.org Fri Mar 4 05:10:05 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 4 05:17:42 2005
Subject: [ISN] No Patches Next Week, Promises Microsoft
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml;jsessionid=JAKJ3BMSRQX4YQSNDBCSKH0CJUMEKJVN?articleID=60405150

TechWeb News
March 3, 2005

Patchers can relax: on Thursday Microsoft announced that it won't release any new fixes to its operating systems or applications Tuesday, the next regularly scheduled date for its monthly security bulletins.

"On March 8th, 2005, the Microsoft Security Response Center is planning to release no new security bulletins," the Redmond, Wash.-based developer said on its Microsoft Security Bulletin Advance Notification Web site Thursday morning.

The Thursday prior to the second Tuesday of each month, Microsoft gives users a heads-up by disclosing the number of scheduled security bulletins, and the severity level of the most critical.

It's unusual for Microsoft not to release any security fixes; the last time that happened was December 2003, just months after the company instituted its monthly patching cycle.

From isn at c4i.org Mon Mar 7 06:02:29 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Mar 7 06:11:00 2005
Subject: [ISN] Hackers poison DNS
Message-ID:

http://www.theinquirer.net/?article=21621

By Nick Farrell
07 March 2005

HACKERS HAVE found a way of diverting interweb punters from famous websites to dodgy URLs where they are plied with spy and adware.

Security outfit, The Internet Storm Centre, posted a warning about "DNS cache poisoning" on its website on Friday. It said that it had reports that this particular attack was redirecting traffic from google.com, ebay.com, and weather.com.

Basically the hackers are attacking a domain name server and poisoning the cache by planting counterfeit data in the cache of the name server.

However, all might not be doom and gloom.
Other security firms are also having a bit of difficulty confirming the attack. They spent all Friday hitting Google and ebay and can't find a poisoned DNS anywhere. It could be that the sites got better; however, it is more likely that the hack is localised to an enterprise or small internet service provider.

According to the Storm Centre, the DNS cache poisoning appears to be affecting Symantec firewalls with DNS caching. Some victims have told the Centre that they applied the patch, but were still affected. So this could be a different vulnerability or the patch didn't work properly.

The ABX toolbar spyware, which gets loaded onto the machine when visiting the target servers, uses an ActiveX control. Users running Windows XP SP2 or a web browser that does not support ActiveX will probably not get hit with the spyware if they visit the server. ABX is not detected yet by the normal toolset of spyware/antivirus tools.

From isn at c4i.org Mon Mar 7 06:02:44 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Mar 7 06:11:03 2005
Subject: [ISN] Limp Bizkit lead claims hackers stole his sex video
Message-ID:

http://www.theregister.co.uk/2005/03/04/fred_durst_suit/

By Ashlee Vance in San Francisco
4th March 2005

A lawsuit filed on behalf of Limp Bizkit lead singer Fred Durst alleges that the same people who hacked Paris Hilton's cell phone were able to pull a homemade sex video off Durst's computer.

The Smoking Gun has obtained part of Durst's complaint against various web sites that posted portions of Durst's sex romp with a former girlfriend. The document states that the US Secret Service has kicked off an "elaborate investigation" into the Hilton Hacking and Durst's home movie mess.

The singer, and apparent amateur filmmaker, is seeking up to $80m for having his privates put on the web without consent, according to The Smoking Gun.
Durst's sex clips started gaining attention shortly after the e-mails, photos and contacts from Paris Hilton's Sidekick appeared on the net.

Durst's lawsuit alleges that web site operators contacted him to ask about making a deal to sell his homemade sex video online. The lawsuit goes on to say that Durst declined to make such a deal, believing he had the lone copy of the video.

"The only copy of the Video was on the hard drive of Plaintiff's computer, and was subsequently stolen therefrom," the lawsuit says.

Durst is looking to have the video and still photos made from it removed from the web. More information is available here [1].

[1] http://www.thesmokinggun.com/archive/0304051durst1.html

From isn at c4i.org Mon Mar 7 06:03:12 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Mar 7 06:11:06 2005
Subject: [ISN] CSO Mag/U.S. Secret Service/CERT Coordination Center Need Your Help
Message-ID:

---------- Forwarded message ----------
Date: Fri, 04 Mar 2005 13:44:36 -0500
From: Richard Forno
To: Richard Forno
Subject: [infowarrior] - CSO Mag/U.S. Secret Service/CERT Coordination Center Need Your Help

CSO magazine is conducting a survey in cooperation with the U.S. Secret Service and CERT Coordination Center, the 2005 e-Crime Watch. The purpose of this project is to uncover electronic crime trends. We respectfully request your help in completing an online survey. Please be assured that any information you provide is confidential and your responses will be used only in combination with those of other survey respondents. This survey should take no more than 15 minutes of your time. Please click on the following url to begin the survey or copy and paste the url into your browser:

http://www.rresults.com/062865/index.cgi?l=3

Thank you in advance for your help.

Sincerely,

Walter Manninen
President
CSO magazine

W.
Ralph Basham Director United States Secret Service Richard Pethia Director CERT Coordination Center From isn at c4i.org Mon Mar 7 06:03:37 2005 From: isn at c4i.org (InfoSec News) Date: Mon Mar 7 06:11:08 2005 Subject: [ISN] 21th Annual Computer Security Applications Conference Call For Papers Message-ID: Forwarded from: ACSAC Announcement List PDF version at http://www.acsac.org/2005/ACSAC_CFP.pdf ------------------- Call For Papers ------------------- 21th Annual Computer Security Applications Conference December 5-9, 2005 Tucson, Arizona http://www.acsac.org Submission Acceptance Deadline Notification Technical Track May 29, 2005 Aug. 14, 2005 Tutorials June 1, 2005 Jul. 15, 2005 Workshop June 1, 2005 Jul. 15, 2005 Case Studies June 15, 2005 Aug. 15, 2005 Technology Blitz Sep. 9, 2005 Oct. 16, 2005 Works in Progress Sep. 9, 2005 Oct. 2, 2005 See http://www.acsac.org/cfp for detailed submission information! ACSAC is an internationally recognized forum where practitioners, researchers, and developers in information system security meet to learn and to exchange practical ideas and experiences. If you are developing practical solutions to problems relating to protecting commercial enterprises' or countries' information infrastructures, consider submitting your work to the Annual Computer Security Applications Conference, to be held December 2005 in Tucson, AZ. We are soliciting submissions in a number of different categories: o Technical Track: peer-reviewed papers o Technology Blitz: cutting-edge technology presentations *NEW FEATURE* o Case Studies: practical experience reports from applying security o WIP: works in progress reports o Tutorials: in depth seminars on current security topics o Workshop: on up to date hot topic We are especially interested in submissions that address the application of security technology, the implementation of systems, and lessons learned. 
Some example topics are:

* Access control
* Applied cryptography
* Audit and audit reduction
* Biometrics
* Certification and accreditation
* Database security
* Denial of service protection
* Defensive information warfare
* Electronic commerce security
* Enterprise security
* Firewalls and other boundary control devices
* Forensics
* Identification and authentication
* Information survivability
* Insider threat protection
* Integrity
* Intellectual property rights protection
* Incident response planning
* Intrusion detection and event correlation
* Malware
* Middleware and distributed systems security
* Mobile and wireless security
* Modeling and simulation related to security
* Operating systems security
* Product evaluation criteria and compliance
* Privacy
* Risk/vulnerability assessment
* Security engineering and management
* Software assurance

Important submission information:

                     Submission       Acceptance
                     Deadline         Notification
Technical Track      May 29, 2005     Aug. 14, 2005
Tutorials            June 1, 2005     Jul. 15, 2005
Workshop             June 1, 2005     Jul. 15, 2005
Case Studies         June 15, 2005    Aug. 15, 2005
Technology Blitz     Sep. 9, 2005     Oct. 16, 2005
Works in Progress    Sep. 9, 2005     Oct. 2, 2005

See http://www.acsac.org/cfp for detailed submission information!

Program Committee (program_chair@acsac.org)
* Christoph Schuba, Sun Microsystems, Inc. (PC Chair)
* Charles Payne, Adventium Labs (PC Co-chair)
* Pierangela Samarati, University of Milan (PC Co-chair)
* Terry Benzel, USC - ISI
* Konstantin Beznosov, University of British Columbia
* Germano Caronni, Sun Microsystems, Inc.
* Ramaswamy Chandramouli, National Institute of Standards and Technology
* Marc Dacier, Eurecom Institute
* Ernesto Damiani, University of Milan
* Gary Ellison, InterTrust Technologies Corp.
* Dieter Gollmann, Technische Universitaet Hamburg-Harburg
* Steven J. Greenwald, Independent Consultant
* Wesley Higaki, Symantec Corporation
* Trent Jaeger, IBM T.J. Watson Research Center
* Tom Keefe, Oracle Corp.
* James Kempf, DoCoMo Labs USA
* Carl Landwehr, University of Maryland
* Peng Liu, Pennsylvania State University
* Tom Longstaff, Carnegie Mellon University
* Bryan Lyles, Telcordia Technologies
* Patrick McDaniel, Pennsylvania State University
* John McDermott, Naval Research Laboratory
* Paul Van Oorschot, Carleton University (Canada)
* Jong-Sou Park, Hankuk Aviation University
* Vern Paxson, International Computer Science Institute
* Andre dos Santos, Georgia Tech
* Sami Saydjari, Cyber Defense Agency, LLC
* Giovanni Vigna, University of California Santa Barbara
* Simon Wiseman, QinetiQ
* Diego Zamboni, IBM Zurich Research Laboratory

Case Studies (casestudies_chair@acsac.org)
* Steven Rome, Booz Allen Hamilton (Case Studies Chair)

The Case Studies Track is a complementary part of the technical conference. It is an opportunity for professionals to share information that is current without writing a detailed technical paper. It is open to anyone in the community such as vendors, network providers, systems integrators, government civil/federal/military programs or users across the spectrum of computer security applications.

Technology Blitz Committee (tbc_chair@acsac.org)
* Paul Jardetzky, Devicescape Software, Inc. (TBC Chair)
* Jeremy Epstein, webMethods
* LouAnna Notargiacomo, Mitre Corporation
* Timothy Roscoe, Intel Corporation
* Pierangela Samarati, University of Milan

In 2005 we are introducing a new type of session that we call the Technology Blitz session. In three parallel tracks, it will feature short talks (10 min. + 5 min. Q&A) on hot, up-to-date topics.

Works In Progress (wip_chair@acsac.org)
* Mary Ellen Zurko, IBM Software Group (WiP Chair)

The Works In Progress (WIP) session packs as many 5 minute presentations as it can into one fast paced and popular session. These talks highlight the most current work in both business and academia, emphasizing goals and value add, accomplishments to date, and future plans. Special consideration is given to topics that discuss real life security experience, including system implementation, deployment, and lessons learned.

Tutorials (tutorial_chair@acsac.org)
* Daniel Faigin, The Aerospace Corporation, USA (Tutorials Chair)

Tutorials are full (6 hour) or half (3 hour) day classes on how to apply or use a particular technology to address a security need. A typical tutorial submission includes an abstract of the tutorial, a brief (1-2 page) outline, an instructor bio, an indication of length, and notes on prerequisites and textbooks. Tutorial instructors receive an honorarium and expenses. If you would like to indicate a topic you would like to see, you may do that as well; please suggest an instructor if you can.

Workshop (workshop_chair@acsac.org)
* Harvey Rubinovitz, Mitre Corporation (Workshop Chair)

ACSAC workshops address up-to-date topics; attendees usually rate them as a useful and exciting forum for information technology professionals (e.g., standards developers, software developers, security engineers, security officers) to exchange ideas, concerns, and opinions.

---------------------------------------------------------------------------

Conferenceship Program

ACSAC offers a conferenceship program to enable students to attend the Annual Computer Security Applications Conference. This program will pay for the conference and tutorial expenses, including travel, for selected students. Additional information about this program is available on the Student Awards page or you may contact the Student Papers Chair.

Future Updates: To be added to the Annual Computer Security Applications Conference Mailing List, click here.

---------------------------------------------------------------------------

ACSAC does not accept "speaking proposals" in the form of a biography and a one paragraph description of a topic. Depending on a proposal's technical content, it may be acceptable as a case study. If a full paper is available, it may be acceptable as a technical paper. If a presentation by a group of related speakers is contemplated, a proposal for this session may be acceptable as a panel or forum. If a proposal for a half day or full day seminar is appropriate, it may be acceptable as a tutorial. If a one or two page technical writeup is available that describes work that is not yet completed, it may be acceptable as a works in progress. Finally, if you have an interest in a full day interactive dialogue, exchanging ideas, opinions and concerns between multiple presenters and attendees, consider being a workshop presenter.

For More Information see hyperlinks on http://www.acsac.org
* For general conference information, see the menu at left
* For refereed papers information: see our paper submission page
* For technology blitz information: see our paper submission page
* For case studies information: see our case studies page
* For publicity information: contact the Publicity Chair
* For student paper/award information: see our student awards page
* For tutorial information: see our tutorial page
* For works in progress information: see our works in progress page
* For the issues workshop: see our issues workshop page

About the Sponsor

Applied Computer Security Associates (ACSA) had its genesis in the first Aerospace Computer Security Applications Conference in 1985. That conference was a success and evolved into the Annual Computer Security Applications Conference (ACSAC). Several years ago the word "Aerospace" was dropped from the name to promote a wider range of government and commercial applications. ACSA was incorporated in 1987 as a non-profit association of computer security professionals who have a common goal of improving the understanding, theory, and practice of computer security. ACSA continues to be the primary sponsor of the annual conference.

In 1989, ACSA began the Distinguished Lecture Series at the annual conference. Each year, an outstanding computer security professional is invited to present a lecture of current topical interest to the security community. In 1991, ACSA began a Best-Paper by a Student Award, presented at the annual conference. This award is intended to encourage active student participation in the annual conference. The award winning student author receives an honorarium and all expenses to the conference.

ACSA continues to be committed to serving the security community by finding additional approaches for encouraging and facilitating dialogue and technical interchange. ACSA is always interested in suggestions from interested professionals and computer security professional organizations on how to achieve these goals.

You are receiving this notice because you joined the ACSAC email notification list at http://www.acsac.org/join_ml.html. You can unsubscribe there if you wish.

You can help ACSAC reach people who might benefit from this information. Feel free to forward this message with a personal note to your friends and colleagues. They can sign up at the above URL.

ACSAC is sponsored by Applied Computer Security Associates, a not-for-profit all-volunteer Maryland corporation. Our postal address is 2906 Covington Road, Silver Spring, MD 20910-1206.

From isn at c4i.org Mon Mar 7 06:03:50 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Mar 7 06:11:11 2005
Subject: [ISN] Linux Security Rough Around The Edges, But Improving
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml?articleID=60405086

By Larry Greenemeier
InformationWeek
March 3, 2005

The National Security Agency built a version of Linux with more security tools that its technologists believe could help make the country's computing infrastructure less vulnerable. They won over the Linux developer community with the changes. But its success depends on the adoption by U.S. companies and government agencies, something that remains very much in doubt.
For more than a decade, the National Security Agency has worked on a way to use a computer's operating system to control where software applications and their users can access data within IT environments. The agency succeeded years ago in creating such "mandatory access control" features for specialized operating systems, but very few users had the access or inclination to deploy them.

Taking a gamble in 2000 on the emerging Linux operating system, NSA started applying its security approach to the open-source code. The result is its Security Enhanced Linux technology, which it hopes can raise the nation's overall level of cybersecurity.

"Quality of (software) code is crucial to the security of this nation," Dickie George, technical director of NSA's Information Assurance Directorate, said Thursday at an SELinux symposium. George added that the directorate's mission is to research and develop the technology and processes that industry can use to protect itself, and critical U.S. infrastructure, from cyberattacks.

NSA's faith in Linux is being rewarded in the Linux development community, at least. SELinux's mandatory access-control capabilities were included in version 2.6 of the kernel. With the mandatory access control, a Linux system can be partitioned into separate domains that contain any damage that viruses might cause. Debian, Novell, and Red Hat, three major distributors of the Linux operating system, have only recently released their own packages built on version 2.6 that allow customers to take advantage of some SELinux features.

Red Hat and Novell differ markedly, however, in their perception of SELinux's usefulness today. Red Hat is encouraging users to try SELinux capabilities, even though writing SELinux security policies in the current version is complex.
Red Hat's mid-February release of Red Hat Enterprise Linux 4, based upon the SELinux-friendly version 2.6 kernel, is an attempt to marry high-level security features with the basic operating system, says Donald Fischer, senior product manager for Red Hat Enterprise Linux. Red Hat users can use the Gnome 2.8 desktop included with Red Hat Enterprise Linux 4 to do limited configuration of SELinux.

Novell, however, believes SELinux is still too complicated for most users to implement. "It's not the technology itself [that's] the problem, but that it cannot be used to the full extent," says Chris Schlaeger, Novell's VP of research and development, adding that users need an easier way to describe their security needs, upon which the system could then execute. "It's a lot of work to do this today using SELinux," Schlaeger says.

Schlaeger acknowledges SELinux is an advancement in operating system-level security. "Novell isn't saying that SELinux is bad, but rather that more needs to be done," he says. For one, security must take into consideration more than operating-system-level security, he says. With application-level security, for example, companies can let the apps running on their servers perform tasks while preventing them from affecting other applications.

Still, support for the 2.6 Linux kernel by Linux's two most prominent providers, Red Hat and Novell, almost certainly will spread knowledge of SELinux. That will cast a spotlight on the technology's shortcomings, and likely lead to improvements that ultimately eliminate the need for companies and users to seek out highly secure, highly specialized operating systems.
From isn at c4i.org Mon Mar 7 06:04:02 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Mar 7 06:11:15 2005
Subject: [ISN] 'Good guys' show just how easy it is to steal ID
Message-ID:

http://seattlepi.nwsource.com/local/214663_googlehack05.html

By PAUL SHUKOVSKY
SEATTLE POST-INTELLIGENCER REPORTER
March 5, 2005

Teams of hackers surfed the Web at Seattle University yesterday, harvesting Social Security and credit card numbers like a farmer cutting wheat. In less than an hour, they found millions of names, birth dates and numbers -- cyberburglar tools for the crime of identity theft -- using just one, familiar Internet search engine: Google.

But these were the good guys -- members of a somewhat secretive organization of computer security pros, forensic cybercops, prosecutors and federal agents called Agora. The group decided to lift the curtain of secrecy for a day to sound a warning about the dangers of "Google hacking."

It turns out that the powerful search engine, in the hands of a knowledgeable cybertrekker, can ferret out all kinds of sensitive information never meant to be made public. All it takes are sophisticated search terms. The terms go beyond specifying key words to include file types. The right terms can even find information deleted from corporate or government Web sites but temporarily cached in Google's massive warehouse of data.

Kirk Bailey, the city of Seattle's chief information-security officer, calls his Agora compatriots "the primary defenders of the virtual world in the Northwest." Before launching eight teams of hackers from companies such as Intel Corp. and computer-security consultants IOActive, Bailey declared that "our mission is to find answers on how to fix these problems."

The hacking team members sat crunched together at round tables, each one hunched intently over a laptop. Bailey gave them the go-ahead, and fingers started flying across keyboards.
"A little music to hack by," said IOActive consultant Frank Heidt, but he then turned off the audio and got down to business. "We're simulating an ID-theft ring," mumbled Heidt, who was focused on his screen as he entered a search term that, to the uninitiated, looked like nothing more than a jumble of meaningless letters. Moments later, Heidt bellowed out "Yes" as military credit card numbers filled his screen. In the next chair, Akshay Aggarwal, also with IOActive, was grinning. "A million Social Security numbers of immigrants. Tax records. Addresses. What do you want?" Around the room, hackers were compromising people's identities. They wouldn't even let the dead rest in peace. The Intel team found a Web site listing the names, birth dates, Social Security numbers, race and religion of 602 helicopter pilots who died in Vietnam. Another Intel team member came up with a Brazilian Web site that contained the names, credit card numbers, birth dates and home phone numbers of 388 Americans who appeared to have ordered pornographic movies online. Bailey called the meeting to order to announce results of the contest. An ad-hoc group of lawyers and computer-security specialists won with 190 million points by digging up death certificates with Social Security numbers. But more ominously, by searching for personnel with secret clearances, the team found, in a U.S. Navy site, personal information on an expert in virology investigations and on a responder to nuclear emergencies. Two teams found information about people on terrorist watch lists. The IOActive team was the runner-up with almost 13 million points. IOActive Chief Executive Officer Joshua Pennell pointed out that the problem is not with Google, but with corporate cultures with the attitude, "Nobody is going to find me, nobody cares what's on my computer." These companies allow Google to enter into the public portion of their networks, sometimes called the DMZ, and index all the information contained there. 
Toby Kohlenberg, an information-security specialist with Intel, asserted that "Google doesn't need to be fixed. Companies need to understand that they are leaving themselves exposed" by posting sensitive information in public places. "If they're performing proper security, then their intranet shouldn't be vulnerable to a Google search engine."

From isn at c4i.org Mon Mar 7 06:04:26 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Mar 7 06:11:18 2005
Subject: [ISN] Linux Security Week - March 7th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com Weekly Newsletter                                |
|  March 7th, 2005                          Volume 6, Number 10n      |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin D. Thomas      ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Firewalls' False Sense of Security," "Easy Automated Snapshot-Style Backups with Linux and Rsync," and "Why you should perform regular security audits."

---

>> Enterprise Security for the Small Business <<

Never before has a small business productivity solution been designed with such robust security features. Engineered with security as a main focus, the Guardian Digital Internet Productivity Suite is the cost-effective solution small businesses have been waiting for.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn07

---

LINUX ADVISORY WATCH

This week, advisories were released for mod_python, bsmtpd, gaim, bind, gnucash, dhcp, at, vixie-cron, lam, pvm, radvd, selinux-targeted-policy, tcsh, openoffice, gamin, cmd5checkpw, uim, UnAce, MediaWiki, phpBB, phpWebSite, xli, xloadimage, firefox, squid, kdenetwork, nvidia, curl, uw-imap, and cyrus-sasl.
The distributors include Conectiva, Debian, Fedora, Gentoo, Red Hat, and SuSE.

http://www.linuxsecurity.com/content/view/118492/150/

---------------

Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security and is therefore very simple.

http://www.linuxsecurity.com/content/view/118181/49/

---

The Tao of Network Security Monitoring: Beyond Intrusion Detection

The Tao of Network Security Monitoring is one of the most comprehensive and up-to-date sources available on the subject. It gives an excellent introduction to information security and the importance of network security monitoring, offers hands-on examples of almost 30 open source network security tools, and includes information relevant to security managers through case studies, best practices, and recommendations on how to establish training programs for network security staff.

http://www.linuxsecurity.com/content/view/118106/49/

---

Encrypting Shell Scripts

Do you have scripts that contain sensitive information like passwords and you pretty much depend on file permissions to keep it secure? If so, then that type of security is good provided you keep your system secure and some user doesn't have a "ps -ef" loop running in an attempt to capture that sensitive info (though some applications mask passwords in "ps" output).

http://www.linuxsecurity.com/content/view/117920/49/

--------

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected.
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* Firewalls' False Sense of Security
1st, March, 2005

The Internet front door to almost every bank and financial services company in the world is guarded by two sets of firewalls defining a DMZ. Nearly every e-commerce site sits in a similar DMZ in what has become the de facto standard in Web security architecture. According to Sun Microsystems, "In today's tumultuous times, having a sound firewall/DMZ environment is your first line of defense against external threats." But I would argue that guarding the perimeter is lulling organizations into a false sense of security that results in ignoring the implementation of other security mechanisms in their applications and databases.

http://www.linuxsecurity.com/content/view/118458

* Firewall warns dealers of physical security threat
1st, March, 2005

Specialist distributor, Firewall Systems, is warning resellers to start thinking of security as a managed service or risk losing market share to physical security providers.

http://www.linuxsecurity.com/content/view/118460

* Where's the security leadership
4th, March, 2005

This year's RSA Conference was another opportunity for the security glitterati to shine.

http://www.linuxsecurity.com/content/view/118496

* How secure is your computer?
28th, February, 2005

StillSecure attached six computers - loaded with different versions of the Windows, Linux and Apple's Macintosh operating systems - earlier this month to the Internet without anti-virus software. The results show the Internet is a very rough place. Over the course of a week, the machines were scanned a total of 46,255 times by computers around the world that crawl the Web looking for vulnerabilities in operating systems.
http://www.linuxsecurity.com/content/view/118454

* Real Player under Attack
2nd, March, 2005

For Linux, the RealPlayer 10 and the Helix Player are affected. No fixed versions are available for these. The players for Symbian and PalmOS are not affected by the flaws. RealNetworks classifies the security gaps as critical and recommends that all users install the available updates. Under Windows and Mac OS, the update function of the Player can be used.

http://www.linuxsecurity.com/content/view/118465

* Two Sides of Vulnerability Scanning
28th, February, 2005

There are two approaches to network vulnerability scanning, active and passive. The active approach encompasses everything an organization does to foil system breaches, while the passive (or monitoring) approach entails all the ways the organization oversees system security. When making buying decisions for your organization, it's a mistake to think that you have to choose between the two types of protection.

http://www.linuxsecurity.com/content/view/118455

* Realistic SELinux
2nd, March, 2005

SELinux is an impressively designed but notoriously hard-to-configure set of kernel hooks that enforce Orange Book-style security on Linux. Full support for SELinux takes effort, but when I first heard about Fedora's new targeted policies for SELinux, I was willing to tell the Red Hat folks "thanks, but no thanks." A conversation with their Dan Walsh changed my mind.

http://www.linuxsecurity.com/content/view/118466

* Easy Automated Snapshot-Style Backups with Linux and Rsync
3rd, March, 2005

This document describes a method for generating automatic rotating "snapshot"-style backups on a Unix-based system, with specific examples drawn from the author's GNU/Linux experience. Snapshot backups are a feature of some high-end industrial file servers; they create the illusion of multiple, full backups per day without the space or processing overhead.
All of the snapshots are read-only, and are accessible directly by users as special system directories.

http://www.linuxsecurity.com/content/view/118482

* Linux Security Rough Around The Edges, But Improving
4th, March, 2005

The National Security Agency built a version of Linux with more security tools that its technologists believe could help make the country's computing infrastructure less vulnerable. They won over the Linux developer community with the changes. But its success depends on the adoption by U.S. companies and government agencies, something that remains very much in doubt.

http://www.linuxsecurity.com/content/view/118494

* Opera Targets Browser Vulnerability
1st, March, 2005

Taking a cue from Firefox and others, software developer Opera is updating the latest iteration of its Web browser to combat phishing attacks that take advantage of a domain name vulnerability. To address the emerging Internationalized Domain Names (IDN) issue, the second Beta version of the Opera browser displays localized domain names from certain top level domains (TLD). It selects TLDs that have stringent policies on the domain names they register. The Norwegian firm said it will update its list of trusted TLDs on a regular basis to further protect users.

http://www.linuxsecurity.com/content/view/118457

* French Ministry of Education and Research and Mandrakesoft
2nd, March, 2005

Mandrakelinux products cover needs from the desktop (with the PowerPack) to critical infrastructure functions (with the Multi Network Firewall). The Multi Network Firewall operating system is able to control access to both an organisation's private intranet and the public internet. Mandrakesoft products are part of the software library which has been selected to modernize the infrastructure of France's education system. As well as the applications themselves, Mandrakesoft will deliver technical support and training to staff.
http://www.linuxsecurity.com/content/view/118471

* Computer Security 101
1st, March, 2005

This sort of basic firewall has some issues that can be exploited by hackers and malicious programmers to sneak through, which is why there are more advanced firewall systems. I mentioned that with this sort of port blocking, communications in response to connections initiated by your computer would be allowed through even on ports you were blocking. Using this knowledge, a hacker can forge the packet to make it look like it is a reply rather than an initiation of a connection, and the firewall will allow it through.

http://www.linuxsecurity.com/content/view/118459

* Why you should perform regular security audits
2nd, March, 2005

In less than a decade, Internet security has evolved from an almost esoteric topic to become one of the more important facets of modern computing. And yet it's a rarity to find companies that actually consider information security to be an important job function for all workers--and not just the IT department's problem.

http://www.linuxsecurity.com/content/view/118468

* Linux starts to take a more central IT role
3rd, March, 2005

"It's as deep as it will get for us. It's what we're betting the data center on," said Jon Fraley, a Linux administrator at Glen Raven. In December, the Glen Raven, North Carolina-based textile manufacturer finished moving mission-critical Oracle databases from an aging 24-CPU Hewlett-Packard server running Unix to four-way HP servers that are based on Intel Xeon processors and run Red Hat's Linux distribution.

http://www.linuxsecurity.com/content/view/118473

* Security market "worth $5.5bn by 2008"
4th, March, 2005

The security software and appliance market rose by 30 per cent last year and is predicted to be worth $5.5billion worldwide by 2008 according to a new report.
http://www.linuxsecurity.com/content/view/118495

* Managed Security Service Expands Compliance Capabilities
3rd, March, 2005

"RES' Information Security and Threat Management solution provides a perfect blend of best practices and industry standards that our enterprise customers need to comply with growing regulatory requirements," said Douglas Adams, RES vice president of sales and marketing. "RES is committed to providing the most innovative managed services designed to meet the quality-of-service demands of our Fortune 500 and Fortune 1000 enterprise customers."

http://www.linuxsecurity.com/content/view/118475

* Find wireless rogues without sensors
3rd, March, 2005

I finally settled on a strategy for wireless security. As wireless access points began appearing on our company's network, we configured them with Cisco's Lightweight Extensible Access Protocol (read my previous article, Migrate WLANs away from Cisco's LEAP). LEAP forces users to authenticate to the access point with their enterprise credentials - the same credentials used for virtual private network access, as well as services such as payroll and Microsoft Exchange e-mail. That's because we use a centralised directory that ties into most of our core applications and lets employees use a single password to sign on.

http://www.linuxsecurity.com/content/view/118474

------------------------------------------------------------------------

Distributed by: Guardian Digital, Inc.
LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
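The "Computer Security 101" item in the newsletter above makes a point worth seeing in code: a port-blocking filter that admits any inbound packet shaped like a reply has no way to know whether the protected host ever started that conversation, whereas a connection-tracking filter does. The following is an added example, not code from the newsletter or the linked article: it models both filter designs in a few lines and replays a constructed packet sequence through them. Addresses come from the RFC 5737 documentation ranges, the port numbers are arbitrary, and only TCP SYN/ACK/RST handling is modelled (a full FIN teardown is left out).

```python
from dataclasses import dataclass

# Protected host behind the filter (documentation address, constructed scenario).
LOCAL_HOST = "192.0.2.10"


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" = leaving the protected host, "in" = arriving at it
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset    # subset of {"SYN", "ACK", "RST"}


def stateless_allow(pkt):
    """Port-blocking filter with no memory: everything outbound is allowed, and
    inbound traffic is allowed as long as it is not a bare SYN, on the assumption
    that anything else is a reply to a connection the host opened. It cannot
    distinguish a genuine reply from a packet built to look like one."""
    if pkt.direction == "out":
        return True
    return not ("SYN" in pkt.flags and "ACK" not in pkt.flags)


class StatefulFilter:
    """Connection-tracking filter: inbound traffic is allowed only when it
    matches a connection the protected host actually initiated."""

    def __init__(self):
        # (local_ip, local_port, remote_ip, remote_port) for each open connection
        self.connections = set()

    def allow(self, pkt):
        if pkt.direction == "out":
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.connections:
            return False                    # unsolicited, whatever its flags say
        if "RST" in pkt.flags:
            self.connections.discard(key)   # peer aborted: stop accepting for it
        return True


def run_scenario():
    """Replay constructed packets through both filters.
    Returns [(label, stateless_verdict, stateful_verdict), ...]."""
    remote, stranger = "198.51.100.5", "203.0.113.7"
    packets = [
        ("outbound SYN to web server",
         Packet("out", LOCAL_HOST, 51000, remote, 80, frozenset({"SYN"}))),
        ("genuine SYN-ACK reply",
         Packet("in", remote, 80, LOCAL_HOST, 51000, frozenset({"SYN", "ACK"}))),
        ("genuine data segment (ACK)",
         Packet("in", remote, 80, LOCAL_HOST, 51000, frozenset({"ACK"}))),
        ("unsolicited ACK-only packet to a blocked port",
         Packet("in", stranger, 4444, LOCAL_HOST, 139, frozenset({"ACK"}))),
        ("unsolicited SYN to a blocked port",
         Packet("in", stranger, 4444, LOCAL_HOST, 139, frozenset({"SYN"}))),
    ]
    tracker = StatefulFilter()
    return [(label, stateless_allow(p), tracker.allow(p)) for label, p in packets]


if __name__ == "__main__":
    for label, stateless, stateful in run_scenario():
        print(f"{label:48s} stateless={'pass' if stateless else 'drop'} "
              f"stateful={'pass' if stateful else 'drop'}")
```

The fourth packet is the case the item describes: both filters pass the real handshake, but only the stateless one passes an ACK-only packet for a connection nobody on the inside opened. Real connection trackers add timeouts, sequence-number windows and UDP/ICMP pseudo-state; the principle is the same.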
------------------------------------------------------------------------

From isn at c4i.org Tue Mar 8 02:19:19 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 8 02:28:21 2005
Subject: [ISN] NSPW 2005 Call for Papers: Submission Date Changed
Message-ID:

Forwarded from: Abe Singer

FOR IMMEDIATE RELEASE
----------

The submission and notification dates for the 2005 New Security Paradigms Workshop have been changed. The new dates are:

Submission Deadline: Monday, April 18, 2005
Notification Date: Monday, June 13, 2005

The complete Call for Papers and general information about NSPW can be found at http://www.nspw.org

From isn at c4i.org Tue Mar 8 02:19:31 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 8 02:28:23 2005
Subject: [ISN] Students to study Valley's vulnerability to hackers
Message-ID:

http://www.eastvalleytribune.com/index.php?sty=37537

EMILY BEHRENDT
March 7, 2005

The Tempe-based University of Advancing Technology will be "wardriving" around Valley neighborhoods this year. Although it sounds hostile, it's actually for the benefit of Valley residents.

Wardriving is a term for finding unsecured wireless access points, which are locations where an outsider could hack into a home computer system because the wireless signal extends beyond the walls of the house. Any laptop that comes in range of the signal would be able to connect to the home computers and potentially create all kinds of mischief, including identity theft or other Internet crimes.

Most people who have wireless computer networks inside their homes are not even aware they are at risk, said Raymond Todd Blackwood, IT manager for the university. The school's students have begun working on a research project to find home computers that are vulnerable and try to increase awareness of the problem in the community.

"What we are not doing is, we are not connecting at all," Blackwood said. "All we are doing is looking for those signals being broadcast."
For the project, the Valley has been split into four grids, with Central Avenue and Camelback Road dividing the quadrants. The students are responsible for covering their assigned area within four weeks, and their data are collected monthly. Their findings are then put into a database, and the unsecured access points are plotted on a map.

When the students wardrive, they use an IBM laptop running the Linux operating system, a program called Kismet and a global positioning system locator. The locator is a hand-held device that plugs into the laptop through a serial port and logs the specific coordinates. The students drive around neighborhoods, apartment complexes and business areas, and the Kismet program will tell them when a wireless frequency is present.

"This would kind of be equivalent to a person walking around and checking to make sure people's front doors are locked," Blackwood said.

During the first two weeks of the project, students discovered 16,000 unsecured access points, and they had only covered one third of the Valley. The students will collect the data every month for one year. Once all the data are collected and logged, the school will determine the highest concentrations of unsecured wireless access points. They will then launch a campaign in those neighborhoods to educate people about the potential risks.

"We want to know how popular wireless is, and how much do people know about it," Blackwood said. "We are trying to provide clear, easy to understand information, and increase sophistication and awareness in the community."

Securing a network is simple. Under the network settings, there is a button to "enable wireless encryption protocol." Simply clicking that button will encrypt the signal and secure the network, Blackwood said. The default option leaves the network unsecured.
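Both the wardriving survey above and the rogue-access-point hunt in the "Find wireless rogues without sensors" item of the Linux Security Week digest come down to the same check: reading the security capabilities an access point advertises in its beacons and flagging the ones that advertise none. The Python script below is an added example, not code from either article and not Kismet's own format: it classifies access points from a constructed scan listing written in the style of Linux `iw dev <interface> scan` output (the exact layout is an assumption of this example) and reports the ones an administrator auditing their own site survey would want to revisit, meaning open networks and WEP-only ones, since WEP was already known to be breakable by the time of these articles.

```python
"""Classify access points from a scan listing (constructed example).

The capability line's 'Privacy' flag means WEP or WPA is in use; an RSN
element means WPA2, a 'WPA:' element means WPA(1). No Privacy flag at all
means an open network, which is what the wardriving project counts as
unsecured.
"""
from __future__ import annotations

import re

# Constructed sample in the style of `iw dev wlan0 scan` output (assumed format).
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:01(on wlan0)
    freq: 2412
    capability: ESS ShortSlotTime (0x0401)
    SSID: CoffeeShop-Free
BSS 00:11:22:33:44:02(on wlan0)
    freq: 2437
    capability: ESS Privacy ShortSlotTime (0x0411)
    SSID: linksys
BSS 00:11:22:33:44:03(on wlan0)
    freq: 2462
    capability: ESS Privacy ShortSlotTime (0x0411)
    SSID: HomeNet
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: PSK
BSS 00:11:22:33:44:04(on wlan0)
    freq: 2412
    capability: ESS Privacy ShortSlotTime (0x0411)
    SSID: OfficeWLAN
    WPA:     * Version: 1
         * Group cipher: TKIP
         * Pairwise ciphers: TKIP
         * Authentication suites: PSK
"""

BSS_RE = re.compile(r"^BSS ([0-9a-f:]{17})", re.I)


def classify(ap: dict) -> str:
    """Map the observed elements to a security label."""
    if ap["rsn"]:
        return "WPA2"
    if ap["wpa"]:
        return "WPA"
    if ap["privacy"]:
        return "WEP"
    return "OPEN"


def parse_scan(text: str) -> list[dict]:
    """Split scan output into one dict per BSS with bssid, ssid and security."""
    aps: list[dict] = []
    cur: dict | None = None
    for line in text.splitlines():
        m = BSS_RE.match(line)
        if m:
            cur = {"bssid": m.group(1).lower(), "ssid": "",
                   "privacy": False, "rsn": False, "wpa": False}
            aps.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("SSID:"):
            cur["ssid"] = s[len("SSID:"):].strip()
        elif s.startswith("capability:"):
            cur["privacy"] = "Privacy" in s
        elif s.startswith("RSN:"):
            cur["rsn"] = True
        elif s.startswith("WPA:"):
            cur["wpa"] = True
    for ap in aps:
        ap["security"] = classify(ap)
    return aps


def unsecured(aps: list[dict]) -> list[str]:
    """SSIDs that are open or rely on WEP, the cases worth a follow-up visit."""
    return [ap["ssid"] for ap in aps if ap["security"] in ("OPEN", "WEP")]


if __name__ == "__main__":
    for ap in parse_scan(SAMPLE_SCAN):
        print(f"{ap['bssid']}  {ap['security']:5s}  {ap['ssid']}")
    print("needs attention:", unsecured(parse_scan(SAMPLE_SCAN)))
```

The classification is deliberately conservative: the Privacy bit alone says only that some encryption is on, so an access point with that bit and no RSN or WPA element is reported as WEP. In a real survey the GPS fix the students logged would be attached to each record here, and the same parser would then feed the map described in the article.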
From isn at c4i.org Tue Mar 8 02:20:07 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 8 02:28:26 2005
Subject: [ISN] Terrorists targeted India's outsourcing industry
Message-ID:

http://www.nwfusion.com/news/2005/0307terrotarge.html

By John Ribeiro
IDG News Service
03/07/05

India's software and services outsourcing industry is a likely target for a terrorist group operating in the country, local police warned on Sunday. But Indian outsourcing and software companies said they are prepared to cope with the threat.

Documents seized from three members of the Lashkar-e-Toiba (LeT) terrorist group killed in an encounter with the police on Saturday revealed that they planned to carry out suicide attacks on software companies in Bangalore, Karnal Singh, joint commissioner of police in Delhi, told reporters on Sunday.

LeT is demanding independence for the Indian state of Jammu and Kashmir. The Indian government has claimed that LeT and other separatist groups are aided and abetted by neighboring Pakistan, which also occupies a part of the disputed territory of Kashmir.

"The terrorists planned to hit these companies in an effort to hinder the economic development of the country," Singh said.

Bangalore has a large concentration of Indian software outsourcing companies, and a number of multinational companies have software development and chip design facilities in the city. IBM, Intel, Texas Instruments, and Accenture are among those with operations in Bangalore. Two of India's largest software and IT services outsourcing companies, Wipro and Infosys Technologies, have their headquarters and large facilities in Bangalore. Bangalore also has some of India's key defense research and development organizations.
Most of the technology companies in the city have already set up disaster recovery plans and special disaster recovery sites that could be used in the event of a terrorist attack, according to Kiran Karnik, president of the National Association of Software and Service Companies in Delhi. For example, Infosys has a disaster recovery site in Mauritius.

Besides tight checks on physical entry into their facilities, Indian software companies have business continuity and disaster recovery plans in place to ensure that a terrorist attack does not disrupt their operations, Karnik said. Terrorism is a global problem and the threat in India is not greater than that in other countries, he said.

From isn at c4i.org Tue Mar 8 02:19:53 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 8 02:28:29 2005
Subject: [ISN] Hidden fraud risk in Sarbanes-Oxley?
Message-ID:

http://news.com.com/Hidden+fraud+risk+in+Sarbanes-Oxley/2100-1002_3-5602776.html

By Will Sturgeon
Special to CNET News.com
March 7, 2005

The complex and copious amounts of data stored on corporate networks post-Sarbanes-Oxley may be creating greater opportunities for fraud, analysts said. That's even though the law was a reaction to the corporate misdeeds that rocked Enron and WorldCom.

Peter Dorrington, head of fraud solutions at SAS, said that companies are storing vast amounts of data but giving little thought to what is being stored.

"There is just a lot of storage going on," Dorrington said. "But there is no interpretation of that data."

That situation could make the occasional instances of fraud or anomalous data far more difficult to spot, he said.

"Fraudsters are reliant upon their transaction being a tree hidden in a forest," Dorrington said. The vast amounts of data being stored as part of efforts to comply with the Sarbanes-Oxley Act are simply increasing the size and density of that forest, he said.

"The more data there is, the easier it is to hide," Dorrington said.
"There is little thought being given to whether companies should look to understand what is going on within that data."

Dorrington believes many companies believe they are playing it safe by simply keeping everything, seeing it as the easiest way to ensure they keep the right things.

James Governor, an analyst at Red Monk, said: "Any company which simply stores everything is creating problems for themselves further down the line. Storing everything is just abdicating responsibility, rather than following policy and understanding what they should be storing."

Governor added that it may also be in breach of corporate policies which dictate certain data may only be kept on record for six or nine months. While such policies must be adhered to, they create a no-win situation, in which they also conflict with the retention requirements of other regulation such as Sarbanes-Oxley, he said.

"This is going to break a lot of corporate policy," he said.

Even if a fraud comes to light, the sheer volume of unnecessary data being stored in order to cover all bases means that companies are faced with the near-impossible task of wading through it all.

Governor said: "If we think of finding fraud as being a hunt for a needle in a haystack then what many, many companies are now doing is comparable to pouring on a lot more hay."

"This is a very significant problem," Governor added. "Rather than just spending more and more money on storage, it would make sense to invest a lot more money in working out exactly what companies need to store."

Shaun Fothergill, security strategist and compliance expert at Computer Associates, believes despite problems settling in, Sarbanes-Oxley will improve matters for businesses when implemented effectively. However, he warned that compliance may start to throw up even more instances of fraud.

Fothergill said: "Compliance and regulation is forcing the business of IT to do things right.
So organizations will begin to measure and monitor more than they did before."

"This may actually give the impression that more fraud is occurring, when in fact organizations are just monitoring what they should have monitored in the first place," he said. "As the anomalies and fraud issues are corrected, the indicators of problems will be moved from red to amber then to green."

"These new indicators will initially highlight greater deficiency, when in fact the business and IT are just getting it right," Fothergill said.

Such confusion may be one reason why the Sarbanes-Oxley deadline for companies based in European countries has been put back a further year this week. Originally the controversial Section 404, which outlines the requirement to archive data, was to come into effect on July 15 this year.

However, Mark Strauch, chief operating officer of business alignment company Business Engine, warned: "The extension of the 404 deadline should not in any way be viewed by U.K. companies as a reason to postpone or sideline compliance projects in favor of other projects."

"The long-term potential for companies to credibly improve transparency within their organizations in line with section 404 should be seen as an opportunity to produce benefits in other areas, such as reducing risk by being able to see early on where problems lie, (and) thus deal with issues more effectively," he said.

Will Sturgeon of Silicon.com reported from London.

From isn at c4i.org Tue Mar 8 02:20:21 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 8 02:28:31 2005
Subject: [ISN] HITB2004 Videos of Speeches
Message-ID:

Forwarded from: Anthony Zboralski

Dear ISN readers,

http://video.hackinthebox.org

We are proud to announce the immediate availability of the Hack In The Box Security Conference 2004 videos [Pack-1 and Pack-2].
Held at The Westin Kuala Lumpur in Malaysia from October 4th till the 7th, HITBSecConf2004 saw some of the biggest names in the network security industry down to present their latest research and findings. HITBSecConf2004 was also the first time we had two keynote speakers, namely Theo de Raadt, creator and project leader for OpenBSD and OpenSSH, and John T. Draper, infamously known as Captain Crunch. Other speakers who presented include the grugq, Shreeraj Shah, Fyodor Yarochkin, Emmanuel Gadaix, Adam Gowdiak, Jose Nazario, Meder Kydyraliev and several others.

For a chance to catch up with some of the speakers who presented at last year's conference, those in the Asia Pacific region can head on over to Bellua Cyber Security 2005 taking place later this month in Jakarta, Indonesia. If you're in the Middle East or Europe, there's HITBSecConf2005 - Bahrain taking place from April 10th till the 13th in Manama, Bahrain.

See you guys there.

--
Bellua Cyber Security Asia 2005 - http://www.bellua.net
21-22 March - The Workshops - 23-24 March - The Conference
bcs2005@bellua.com - Phone: +62 21 391 8330 HP: +62 818 699 084

From isn at c4i.org Tue Mar 8 02:20:34 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 8 02:28:34 2005
Subject: [ISN] Scammers use Symantec, DNS holes to push adware
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,100248,00.html

By Paul Roberts
MARCH 07, 2005
IDG NEWS SERVICE

Online scam artists are manipulating the Internet's directory service and taking advantage of a hole in some Symantec Corp. products to trick Internet users into installing adware and other annoying programs on their computers, according to an Internet security monitoring organization.

Customers who use older versions of Symantec's Gateway Security Appliance and Enterprise Firewall are being hit by Domain Name System (DNS) "poisoning attacks."
Such attacks cause Web browsers pointed at popular Web sites such as Google.com, eBay.com and Weather.com to go to malicious Web pages that install unwanted programs, according to Johannes Ullrich, chief technology officer at the SANS Institute's Internet Storm Center (ISC).

The attacks, which began on Thursday or Friday, may be one of the largest to use DNS poisoning, Ullrich said. Symantec issued an emergency patch for the DNS poisoning hole on Friday. The company didn't immediately respond to requests for comment today.

The DNS is a global network of computers that translates requests for reader-friendly Web domains, such as www.computerworld.com, into the numeric IP addresses that machines on the Internet use to communicate.

In DNS poisoning attacks, malicious hackers take advantage of a feature that allows any DNS server that receives a request about the IP address of a Web domain to return information about the address of other Web domains. For example, a DNS server could respond to a request for the address of www.yahoo.com with information on the address of www.google.com or www.amazon.com, even if information on those domains wasn't requested. The updated addresses are stored by the requesting DNS server in a temporary listing, or cache, of Internet domains and used to respond to future requests.

In poisoning attacks, malicious hackers use a DNS server they control to send out erroneous addresses to other DNS servers. Internet users who rely on a poisoned DNS server to manage their Web surfing requests might find that entering the URL of a well-known Web site directs them to an unexpected or malicious Web page, Ullrich said.

Some Symantec products, such as the Enterprise Security Gateway, include a proxy that can be used as a DNS server for users on the network that the product protects. That DNS proxy is vulnerable to the DNS poisoning attack, Symantec said on its Web site.
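The feature the article describes, a resolver caching records for names it never asked about, is the bailiwick problem: a server answering for yahoo.com has no business supplying an address for www.google.com, and a resolver that caches such a record anyway can be steered wherever the sender likes. The Python simulation below is an added example, not code from the article, Symantec or the ISC. It feeds one constructed response (addresses from the 192.0.2.0/24 and 203.0.113.0/24 documentation ranges) to two cache implementations and shows that only the one without a bailiwick check ends up answering www.google.com with the smuggled address.

```python
"""Out-of-bailiwick record caching (constructed example).

A naive resolver caches every resource record in a response, unsolicited
ones included. A bailiwick-checking resolver keeps only records whose
owner name falls under the zone the answering server is responsible for.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class RR:
    name: str      # owner name with trailing dot, e.g. "www.yahoo.com."
    rtype: str     # record type, "A" here
    data: str      # record data (an address)
    ttl: int = 300


@dataclass
class Response:
    qname: str                       # name that was asked for
    zone: str                        # zone the queried server is authoritative for
    answer: list[RR] = field(default_factory=list)
    additional: list[RR] = field(default_factory=list)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies below it (trailing dots assumed)."""
    name, zone = name.lower(), zone.lower()
    return name == zone or name.endswith("." + zone)


class NaiveCache:
    """Caches every record it is handed; this is the behaviour that gets poisoned."""

    def __init__(self) -> None:
        self.records: dict[tuple[str, str], str] = {}

    def ingest(self, resp: Response) -> None:
        for rr in resp.answer + resp.additional:
            self.records[(rr.name.lower(), rr.rtype)] = rr.data

    def lookup(self, name: str, rtype: str = "A") -> str | None:
        return self.records.get((name.lower(), rtype))


class BailiwickCache(NaiveCache):
    """Same cache, but records outside the answering server's zone are dropped;
    a later lookup for them misses and triggers a fresh query to the right servers."""

    def ingest(self, resp: Response) -> None:
        for rr in resp.answer + resp.additional:
            if in_bailiwick(rr.name, resp.zone):
                self.records[(rr.name.lower(), rr.rtype)] = rr.data


def poisoned_response() -> Response:
    """Constructed reply from a yahoo.com server that smuggles a google.com record."""
    return Response(
        qname="www.yahoo.com.",
        zone="yahoo.com.",
        answer=[RR("www.yahoo.com.", "A", "192.0.2.20")],
        additional=[RR("www.google.com.", "A", "203.0.113.66")],  # attacker-chosen
    )


def demo() -> dict[str, str | None]:
    """Ingest the same response into both caches and report what each answers."""
    naive, strict = NaiveCache(), BailiwickCache()
    resp = poisoned_response()
    naive.ingest(resp)
    strict.ingest(resp)
    return {
        "naive_google": naive.lookup("www.google.com."),
        "strict_google": strict.lookup("www.google.com."),
        "strict_yahoo": strict.lookup("www.yahoo.com."),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:14s} -> {v}")
```

The bailiwick check is necessary but not sufficient: it stops unsolicited records for other zones, yet a forged answer for the name actually being queried still has to be kept out by matching the transaction ID and the source port of the outstanding query, which is why resolvers randomize both.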
Symantec's Enterprise Firewall Versions 7.04 and 8.0 for Microsoft Corp.'s Windows and Sun Microsystems Inc.'s Solaris have the DNS poisoning flaw, as do Versions 1.0 and 2.0 of the company's Gateway Security Appliance.

Internet users on some networks protected by the vulnerable Symantec products had requests for Web sites directed to attack Web pages that attempted to install the ABX tool bar, a search tool bar and spyware program that displays pop-up ads, Ullrich said.

The DNS poisoning attacks were easy to detect because Web sites involved in the attack don't mimic the sites that users were trying to reach, Ullrich said. However, DNS poisoning could be a potent tool for online identity thieves who could set up phishing Web sites that are identical to sites like Google.com or eBay.com but secretly capture user information, he said.

Some of those customers told ISC that they installed a patch that the company issued in June to fix a DNS cache-poisoning problem in many of the same products, but they were still susceptible to the latest DNS cache-poisoning attacks, according to information on the ISC Web site.

Ullrich said he doesn't believe that Symantec's customers are being targeted, just that they are susceptible to attacks that are being launched at a broad swath of DNS servers.

The ISC is collecting the Internet addresses of Web sites and DNS servers used in the attack and trying to have them shut down or blacklisted, ISC said. Symantec customers using one of the affected products are advised to install the most recent hotfixes from the company, Ullrich said.

From isn at c4i.org Tue Mar 8 02:23:36 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 8 02:28:36 2005
Subject: [ISN] Book Review: SPAM Kings (aka S*PAM _KiNgS)
Message-ID:

Forwarded from: Doctor Spook

Title: Spam Kings: The Real Story behind the High-Rolling Hucksters...
Author: Brian McWilliams
Pages: 256
Publisher: O'Reilly; 1 edition (September, 2004)
Reviewer: Dr. Spook
ISBN: 0-596-00732-9
Buy From Amazon: http://www.amazon.com/exec/obidos/ASIN/0596007329/c4iorg

This is the book for that gloomy afternoon. It is "The real story behind the high-rolling hucksters pushing PRON, PILL, and @*#?% Enlargements" (I wonder how many ISN readers will not see this review due to spam filtering).

Fascinating read on the world of SPAM, both the purveyors of such, and the crusaders against it. We meet Davis Wolfgang Hawke (formerly known as Andrew Britt Greenbaum), and watch his rise from Jewish Nazi (now there's a dichotomy) to millionaire spammer. We learn of the fight by front line warriors, and their constant uphill battle to save us from the onslaught.

This book is well-researched, and reads like the very best of detective fiction. Rush right out and buy a copy. Buy two, and give one to your Aunt Mabel as a gift.

-=-

Dr. Spook is a security researcher, currently employed in the defense industry, who prefers anonymity. The good doctor has associates in most TLAs, and in some security groups as well. When not absorbed with the latest debacles from a wide array of software and hardware vendors, Dr. Spook is amused by the interesting puzzles left in the works of such notables as Elias Ashmole and John Dee.

From isn at c4i.org Wed Mar 9 07:02:23 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 9 07:10:06 2005
Subject: [ISN] DSW Shoe Warehouse Reports Customer Data Theft
Message-ID:

http://www.washingtonpost.com/wp-dyn/articles/A17831-2005Mar8.html

By Jonathan Stempel
Reuters
March 8, 2005

Retail Ventures Inc. Tuesday announced the theft of credit card and purchase data of customers at 103 of its 175 DSW Shoe Warehouse stores and said some fraudulent activity has been conducted since the theft.

The theft is the latest reported instance in recent weeks in which customers' personal data was stolen or lost. Other companies to report such problems include Bank of America Corp.
and ChoicePoint Inc., where the thefts involved thousands of individuals' data.

Columbus, Ohio-based Retail Ventures said customer data was stolen mainly over the past three months, though it was unable to say how many customers were affected. It said it discovered the theft late last week. Those who provided data via DSW's Web site were unaffected, the company said.

"Credit card companies have alerted us there is some fraudulent activity," said Julie Davis, the general counsel for Retail Ventures.

Davis said Retail Ventures believes a "hacker" conducted the theft, and that only the stolen credit card data put customers at the risk of fraudulent activity. She said an outside computer security firm is expected to conclude its investigation of the matter within two weeks and that the U.S. Secret Service is also investigating.

Customers who believe their data were stolen should call their banks, Davis told Reuters.

Retail Ventures is reviewing its technology systems and working with credit card companies and issuers to address the matter. It set up a hotline for customers with questions, at 1-800-314-0224.

Retail Ventures operates DSW stores in major U.S. metropolitan areas, as well as 26 Filene's Basement stores in the U.S. Northeast and 119 Value City department stores in mid-Atlantic, Midwest and Southeastern states. Filene's and Value City customers are unaffected, Davis said.

Retail Ventures reported aggregate sales of about $217 million at DSW for the three months ended Feb. 26.

Retail Ventures shares fell 6 cents to $7.30 on the New York Stock Exchange. It announced the theft after U.S. markets closed.
From isn at c4i.org Wed Mar 9 07:02:38 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 9 07:10:09 2005
Subject: [ISN] Group studies infrastructure security
Message-ID:

http://www.fcw.com/fcw/articles/2005/0307/web-scada-03-08-05.asp

By Dibya Sarkar
March 08, 2005

The Institute for Information Infrastructure Protection, a consortium of two dozen cybersecurity organizations charged with coordinating a national research and development program, last week began an $8.5 million, two-year research program for securing computer-based systems that control critical infrastructures, such as dams.

The federally funded consortium, known as I3P, will support basic research to understand supervisory control and data acquisition (SCADA) systems and produce technology products to mitigate any flaws in those systems. Such systems control vital critical infrastructures, such as electrical grids, oil refining plants and pipelines, and water treatment and distribution plants.

More experts are sounding an alarm that such systems are inherently vulnerable to any cyber attack and should be a top concern among public and private sector officials. The federal government in the last couple of years has increased research and development funds to find ways to protect such systems.

I3P will form a 10-member research team to identify SCADA vulnerabilities and interdependencies and develop metrics and models for assessment and management. It will work closely with the federal government to improve information sharing, communications about the systems and ensure that those who operate the systems adopt new technologies.

"SCADA vulnerabilities remain in deployed systems because of insecure network design and weaknesses in the host systems," said Ron Trellue, the team's leader and deputy director of the Information Systems Engineering Center at Sandia National Laboratory, in a press release.
"Research will focus on addressing this problem by developing tools to make current SCADA system configurations more secure, while in tandem performing basic research to develop inherently secure designs for the SCADA systems of the future."

The research team will consist of non-profit research groups such as the MITRE Corporation and SRI International; New York University; the Energy Department's Pacific Northwest National Laboratory; and several academic institutions including the University of Illinois at Urbana-Champaign, the Massachusetts Institute of Technology's Lincoln Laboratory, New York University, the University of Tulsa (Okla.), the University of Virginia, and Dartmouth College, which also manages the I3P.

The consortium, which was founded in September 2001, is also actively pursuing industry partnerships to help guide research and for technology transfer opportunities.

From isn at c4i.org Wed Mar 9 07:02:52 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 9 07:10:11 2005
Subject: [ISN] GSA assessing charge card contractors' security policies
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/35251-1.html

By Jason Miller
GCN Staff
03/08/05

Under pressure from lawmakers to ensure federal charge card data is secure, the General Services Administration will review the security policies of the four other SmartPay contractors after Bank of America revealed late last month that it lost the records of 1.2 million federal employees.

In a response to questions from Sen. Susan Collins, chairwoman of the Homeland Security and Governmental Affairs Committee, GSA administrator Stephen Perry said in a letter that the agency will ensure that Bank One of Wilmington, Del., Citibank of New York, Mellon Bank of Pittsburgh and US Bank of Minneapolis will "provide adequate protection for personal information of federal employees."
Collins, a Maine Republican, wrote a letter to GSA and Bank of America last week asking how both organizations would ensure federal data is better protected [See GCN story] [1].

GSA and the Defense Department also will conduct a joint risk assessment to review Bank of America security procedures, Perry said. Bank of America lost more than 900,000 Defense employees' information, DOD officials said.

GSA would not offer much detail on how they are conducting the review of SmartPay vendors or the joint risk assessment.

"GSA is taking all appropriate steps to ensure that SmartPay contractors maintain security policies consistent with current industry standards," said MaryAlice Johnson, an agency spokeswoman. "We expect these activities to continue in the coming weeks."

Johnson added that GSA still is developing the timetable to conduct the evaluations.

Bank of America also told GSA it has changed its method of handling SmartPay system back-up operations. Bank spokeswoman Alexandra Trower said the company does not comment on those procedures for security reasons.

"We are continually improving our processes and procedures for handling our customer's information," she said.

Bank of America also provided GSA with a list of names of the affected cardholders and is sending out a second letter to cardholders explaining how to obtain a free credit report and fraud alert.

[1] http://www.gcn.com/vol1_no1/daily-updates/35170-1.html

From isn at c4i.org Wed Mar 9 07:03:06 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 9 07:10:14 2005
Subject: [ISN] MIT says it won't admit hackers
Message-ID:

http://www.boston.com/business/articles/2005/03/09/mit_says_it_wont_admit_hackers/

By Robert Weisman
Globe Staff
March 9, 2005

The dean of MIT's Sloan School of Management yesterday said Sloan will join Harvard Business School in rejecting applications from prospective students who hacked into a website last week to learn whether they had been admitted before they were formally notified.
Stanford's Graduate School of Business, meanwhile, asked its own applicant-hackers to come forward and explain their actions, in a sign that the California school soon may take tougher action as well.

Thirty-two applicants apparently sought an early peek at the confidential data in their admission files at Sloan, while 41 files were targeted at Stanford and 119 at Harvard. Harvard on Monday became the second victimized business school to say outright it would not admit proven hackers. The first was Carnegie Mellon's Tepper School of Business, where one admission file was violated.

Those schools, along with Dartmouth's Tuck School of Business and Duke's Fuqua School of Business, all use an independent website run by ApplyYourself Inc. of Fairfax, Va., to receive applications and, in some cases, manage communications with applicants.

After midnight last Wednesday, hundreds of business school admission files were targeted by computers around the globe when a hacker posted detailed instructions on a BusinessWeek Online forum. Most of the hackers saw only blank screens, though some who accessed admission files at Harvard viewed preliminary decision information.

''Students who hacked the ApplyYourself website will be denied admission to Sloan," the school's dean, Richard L. Schmalensee, said in an interview yesterday after a team from Sloan met with representatives of ApplyYourself to learn what happened. Sloan used the website only to receive applications, using a separate in-house server to handle the admissions process, he said.

Schmalensee said he made his decision to reject the 32 applicants after seeing the directions posted by the hacker.

''The instructions are reasonably elaborate," he said. ''You didn't need a degree in computer science, but this clearly involved effort. You couldn't do this casually without knowing you were doing something wrong. We've always taken ethics seriously, and this is a serious matter."
At the same time, Schmalensee said Sloan would allow rejected applicants to reapply in later years, though he said the hacking incident would continue to be a factor in the school's decision.

''We'll look at applicants next year," he said, ''but we'd want to see evidence that this was an aberration, that they have grown."

Schmalensee said Sloan would consider appeals this year only if there were clear-cut extenuating circumstances; one example he cited was an applicant serving in Afghanistan turning over his ApplyYourself password to an irresponsible brother-in-law.

As to why MIT's Sloan School waited nearly a week to take action, Schmalensee said school officials needed to confer with ApplyYourself representatives and understand the situation better.

''The fact that we took so long doesn't mean we don't take ethics seriously," he maintained. ''It means we take due process seriously as well."

In Palo Alto, Calif., Stanford issued a statement from Derrick Bolton, assistant dean and director of MBA admissions, demanding explanations from the applicants whose files were targeted.

''Business schools teach students to make decisions and to be accountable for those decisions," Bolton said. ''We hope that the applicants who accessed their accounts might contact us to explain their behavior and to take ownership for their actions. We will take appropriate steps in the cases that warrant further scrutiny."

ApplyYourself's software enables schools to know which files have been accessed but can't definitively identify the hacker. However, both Schmalensee and Kim B. Clark, the Harvard business dean, noted that applicants bear ultimate responsibility for their passwords even if they turned them over to third parties who did the hacking.

Paul Danos, dean of Dartmouth's Tuck School, released a statement saying school officials continue to investigate and will meet on Friday to discuss their options. And at Duke's Fuqua School, where one file was hacked, associate dean James A.
Gray said the applicant would be notified of a decision on March 18, the regular decision date for the school's current round of applicants.

''It would not be smart of him to be buying a Duke sweatshirt and renting an apartment in Durham," Gray said. ''It's not likely that he will need either."

Robert Weisman can be reached at weisman @ globe.com.

From isn at c4i.org Wed Mar 9 07:03:19 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 9 07:10:17 2005
Subject: [ISN] Old-School DoS Attack Can Penetrate XP SP2
Message-ID:

Forwarded from: Kelley

http://www.eweek.com/article2/0,1759,1773958,00.asp

By Ryan Naraine
March 8, 2005

Microsoft Corp.'s newest operating systems can be penetrated by an old-school-type denial-of-service attack, according to a warning from a security researcher.

In a SecurityFocus advisory, researcher Dejan Levaja warned that Windows Server 2003 and XP Service Pack 2 (with Windows Firewall turned off) are vulnerable to LAND attacks.

A LAND attack is a remote denial-of-service condition caused by sending a packet to a machine with the source host/port the same as the destination host/port. The LAND attack scenario was discussed in 1997 by Carnegie Mellon's CERT Coordination Center.

Using widely available reverse-engineering tools, Levaja found that a single LAND packet sent to a file server could cause Windows Explorer to freeze on all workstations connected to that server.

"CPU on server goes 100% [and] network monitor on the victim server sometimes can not even sniff malicious packet," Levaja warned. He said the script could be replayed endlessly to cause a total collapse of the network.

A spokeswoman for Microsoft confirmed Levaja's findings but downplayed the risk to customers.

"Our initial investigation has revealed that this reported vulnerability cannot be used by an attacker to run malicious software on a computer."
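The LAND condition described above, a packet whose source address and port equal its destination address and port, is as easy to check for in captured traffic as it is to state. The Python detector below is an added example, not code from the advisory, Microsoft or Secunia: it scans constructed connection-log lines in a one-packet-per-line format made up for this example (not any real tool's output) and reports the packets that satisfy the LAND condition, plus the broader class of packets that arrive from the host's own address, which on an external interface can only be forged. The address 192.0.2.10 stands in for the file server and comes from the documentation range.

```python
"""LAND packet detector over a constructed packet log (added example).

Log format is an assumption of this example, one packet per line:
  <date> <time> <proto> <src_ip>:<src_port> > <dst_ip>:<dst_port> [<flags>]
"""
from __future__ import annotations

import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>\w+) "
    r"(?P<sip>[\d.]+):(?P<sport>\d+) > (?P<dip>[\d.]+):(?P<dport>\d+)"
    r"(?: (?P<flags>\S+))?$"
)

# Constructed sample; 192.0.2.10 stands in for a file server (documentation range).
SAMPLE_LOG = """\
2005-03-08 02:20:01 TCP 198.51.100.7:40512 > 192.0.2.10:445 S
2005-03-08 02:20:01 TCP 192.0.2.10:445 > 198.51.100.7:40512 SA
2005-03-08 02:20:02 TCP 192.0.2.10:445 > 192.0.2.10:445 S
2005-03-08 02:20:03 UDP 192.0.2.10:137 > 192.0.2.255:137
2005-03-08 02:20:04 TCP 192.0.2.10:139 > 192.0.2.10:139 S
2005-03-08 02:20:05 TCP 192.0.2.10:3389 > 192.0.2.10:80 S
"""


def parse_line(line: str) -> dict | None:
    """Parse one log line; returns None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
    return pkt


def is_land(pkt: dict) -> bool:
    """LAND condition: source and destination address *and* port are identical."""
    return pkt["sip"] == pkt["dip"] and pkt["sport"] == pkt["dport"]


def is_self_addressed(pkt: dict) -> bool:
    """Broader anti-spoofing check: source address equals destination address.
    Seen on an external interface, such a packet is forged whether or not the
    ports also match (loopback traffic is not in this sample)."""
    return pkt["sip"] == pkt["dip"]


def find_land_packets(log: str) -> list[str]:
    """Timestamps of packets matching the LAND condition."""
    return [p["ts"] for p in map(parse_line, log.splitlines()) if p and is_land(p)]


def find_self_addressed(log: str) -> list[str]:
    """Timestamps of packets whose source address is the destination's own."""
    return [p["ts"] for p in map(parse_line, log.splitlines())
            if p and is_self_addressed(p)]


if __name__ == "__main__":
    print("LAND packets:      ", find_land_packets(SAMPLE_LOG))
    print("self-addressed:    ", find_self_addressed(SAMPLE_LOG))
```

The UDP broadcast to port 137 on both sides is included as a near miss: the ports match but the addresses do not, so it is legitimate NetBIOS traffic and neither check fires on it. The preventive counterpart of this detector is an anti-spoofing rule on the external interface that drops inbound packets carrying one of the host's own addresses as source; the detector is the audit that confirms from a capture that such a rule is doing its job.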
At this point, our analysis indicates the impact of a successful attack would be to cause the computer to perform sluggishly for a short period of time," the spokeswoman said in a statement sent to eWEEK.com. She said customers running the Windows Firewall, enabled by default on Windows XP SP2, are not impacted by this issue. Microsoft suggests that customers adopt TCP/IP hardening practices to protect against denial-of-service attacks. In the absence of a patch from Microsoft, security research outfit Secunia recommends that affected users filter traffic with the same IP address as source and destination address. http://www.inkworkswell.com "Be a scribe! Your body will be sleek, your hand will be soft. You are one who sits grandly in your house; your servants answer speedily; beer is poured copiously; all who see you rejoice in good cheer. Happy is the heart of him who writes; he is young each day." --Ptahhotep, Vizier to Isesi, Fifth Egyptian Dynasty, 2300 BC From isn at c4i.org Wed Mar 9 07:03:42 2005 From: isn at c4i.org (InfoSec News) Date: Wed Mar 9 07:10:19 2005 Subject: [ISN] Public Disservice Message-ID: http://www.baselinemag.com/article2/0,1397,1773861,00.asp March 8, 2005 The Federal Bureau of Investigation has people problems. It can't find or retain the project managers and executives needed to implement one of its most important technology projects since Sept. 11, 2001. That's the upshot of FBI Director Robert Mueller's testimony before a Senate appropriations subcommittee on Feb. 3. Mueller was on Capitol Hill to explain why the FBI has blown through $170 million and still doesn't have a virtual case file system in place. The virtual case file, the third leg of a technology overhaul dubbed Trilogy, is a case management system that would allow agents to share information more easily. The FBI failed to outline requirements of the virtual case file system, inked a costly contract with Science Applications International Corp. 
(SAIC) in June 2001, and missed a December 2003 deadline to install the case system.

At the heart of these issues: people. "We lacked skill sets in our personnel such as qualified software engineering, program management and contract management," Mueller said in his testimony. "We also experienced a high turnover in Trilogy program managers and chief information officers."

At least Mueller has company. The tenure of a federal agency chief information officer averages 23 months, reports the U.S. Government Accountability Office. The FBI has had four CIOs since Sept. 11, 2001.

A bevy of reasons prevent the federal government from getting, and keeping, technology executives. Federal government executives inherit budgets set years prior in political negotiations. Projects are under the microscope of the director and inspector general of the agency, the Office of Management and Budget and Congress, among other masters.

Meanwhile, the CIO position is increasingly political as technology meets policy. For instance, merging information systems of the 22 agencies in the Department of Homeland Security is a direct result of a post-9/11 policy decision. President Bush appointed Steven Cooper from Corning as the CIO to do the job.

"These are very hard, high-risk jobs," says John Marshall, former CIO of the U.S. Agency for International Development and now a vice president at consulting firm CGI-AMS. "You're there to transform businesses, you have to work across other groups, it's tough to manage and compensation is generally lower than in the private sector."

Help Wanted: Chief Technical Officer for Information Technology, Defense Intelligence Agency. Location: US-DC, Washington, 20001. Salary range: $107,550 to $149,200. As Chief Technical Officer for Information Technology (CTO) the incumbent will play a pivotal role in providing technical and operational advice on infrastructure and intelligence community Information Technology (IT) endeavors ... May be subject to worldwide deployments to crisis situations. Source: www.usajobs.gov

When that CTO is hired by the Defense Intelligence Agency, the 23-month clock will start ticking. But 23 months is hardly enough time to get anything done. According to the GAO, CIOs say they need to stay in office three to five years to be effective.

Bottom line: A multiyear project can outrun a technology executive's tenure. Take the FBI's Trilogy project. Former FBI CIO Bob Dies joined in July 2000 and left after two years. Dies signed an initial contract with SAIC, which was based on hours worked and didn't outline specifications of the virtual case file project. Darwin John took over in July 2002, upgraded the FBI's hardware and network in the first leg of the Trilogy effort, and retired a year later. Wilson Lowry, former executive assistant director for administration at the FBI, served as interim CIO. Current CIO Zalmai Azmi took over on an interim basis before being officially appointed as CIO in May 2004. It's now up to Azmi to implement the virtual case file.

Mueller says Trilogy suffered as the search for John's replacement dragged. "I went on a nationwide search that took eight to 12 months," he said. "There was a gap of leadership at the CIO position. That hurt us."

Help Wanted: Chief Architect for Business and Technology Modernization, U.S. Department of Housing and Urban Development. The Chief Architect for Business and Technology Modernization serves as the Department's technical expert on modernizing business processes and systems. (This ad ends 2,416 words later.)

Of those 2,416 words describing the job and desired leadership characteristics and personality traits, HUD left out political skills. Alan Balutis, former Department of Commerce CIO and president of government strategies at research firm Input, says "there has been a tendency to make the CIO position more political."

When Balutis left for the private sector in 1999, he focused primarily on technology management. Today, the CIO position is critical to reinventing agencies. "The CIO needs a seat at the policy table and needs the same access," Balutis points out. "If he or she is an outsider politically, will the access be there?"

Simply put, it helps if the CIO has access to policy makers when they make decisions affecting information systems. And the best way to be in that club is to be appointed by President Bush.

Marshall, who was appointed by Bush as CIO of USAID in 2001 and left for CGI-AMS in December 2004, says that until recently, chief information officers were "career" executives who would keep projects going as administrations changed. Now there are two types of technology executives: career managers focused on daily operations, and CIOs who are political appointees.

For instance, Marshall had regular access to Andrew Natsios, administrator for USAID, to figure out how technology fits into specific Bush initiatives abroad. One key part of meeting those initiatives was a financial management and purchasing system. When Marshall arrived at USAID, the agency had spent $100 million on a homegrown financial management and acquisition system plagued by buggy code and missed deadlines. USAID, which designed the system to link 70 to 80 of its missions worldwide, scrapped the homegrown system to use packaged software from AMS to cut costs and speed up implementation.

Marshall isn't sure if being a political appointee helped the project, but all those meetings with Natsios meant deputies responsible for the project day-to-day didn't have to do it. When CIOs leave, a deputy often fills the void on an interim basis. "If you're an operational guy and you have to interface with policy people, you get stretched," he says.

Help Wanted: Associate Chief Information Officer for Cyber Security, Department of the Treasury. The incumbent is the head of U.S.
Treasury Cyber Security Program and is fully responsible for accomplishing the cyber security program objectives.

And then there's the budget process, where agencies tell contractors to slow their pace to save money as Congress and the White House bicker for dollars. At the Commerce Department, Balutis could shift up to 5% of his budget in and out of projects. If the funds in question exceeded that 5% mark, Balutis had to ask a Senate appropriations committee for more money. And if all else failed, a new budget could be requested with additional legislation.

During Balutis' tenure, funding for the 2000 census was in flux. Balutis had to build systems to gather population data and finish two years early for testing. Planning started in 1995, but Congress usually isn't interested in funding something five years away. "It's hard to run multiyear projects when money is doled out year to year," Balutis explains. "The biggest difficulty is that you do a plan and then all of a sudden you're $50 million short."

From isn at c4i.org Thu Mar 10 04:03:53 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Mar 10 04:25:14 2005
Subject: [ISN] Public Disservice
Message-ID:

Forwarded from: matthew patton

> "It's hard to run multiyear projects when money is doled out year to
> year," Balutis explains. "The biggest difficulty is that you do a
> plan and then all of a sudden you're $50 million short."

I was intimately involved in the annual DoD budgeting process as a USAF officer at the Pentagon and have to agree that maybe it's time to put the budget on a 3-year cycle instead of an annual one. Congress turns over staff every 2 years, the Prez every 4, so maybe 3 years makes sense?

Obviously when things are as politicized as they are and Washington has millions of self-serving bureaucrats and contractors feeding at the gov't trough without regard for the fact that it's the people's money they are playing with, fraud and waste are ubiquitous. Almost never do the best and brightest fill gov't posts, so the quality of management is always poor - the ability to kiss the right asses is what makes for a successful administrator. Having to fight political wars to keep the money rolling in for a long-term project distracts from the management thereof and lowers the worker-bees' interest in doing a decent job in the first place.

It's all fine and good for the FBI to lay some or a large share of the blame at the ex-CIOs' doors, and indeed the FBI was grossly lacking in basic project management skill. I worked for SAIC on Virtual Case File too. Thing is, VCF was a multi-year project and it was funded as such. No, the ink wasn't technically dry on every year's congress-critter allocation, but there was almost no doubt about it being funded year over year.

As convenient as it is to blame the FBI for VCF's failure, the blame more squarely belongs on SAIC's shoulders. Even if the FBI had the best project managers the world has to offer, bad design, poor programming skill, and an attitude of "make-work" on the part of SAIC is why VCF was such a boondoggle. Good FBI project managers can not eliminate the problem with SAIC's failure to manage their own people.

VCF didn't fail for lack of specifications. I've personally read all 3+ inches of program specifications that the FBI and SAIC signed off on. Unfortunately, the people who wrote the specs on both sides and those who read and blessed them weren't very smart nor frankly very good at their jobs. Page after page of stupid and inane things were specified which would only hamper and interfere with the product. Like other naive specification documents that plague IT efforts, it frequently tried to dictate the 'how' instead of the 'what'.

SAIC failed to examine and study how the field agents actually worked in real life and take into consideration how much VCF deviated from that daily practice. FBI agents aren't geeks. Yet geeks design things only geeks can love and then wonder why the rest of the world thinks they're nuts. SAIC's data-analysis team was poor too, making all kinds of mistakes in entity relationships and failing to think through the product enough to spot some of the traps they were setting for themselves. I plastered their data-diagram with stickies pointing out their errors.

When a contract operates on a cost and materials basis, which is what VCF was, then it's open season on the budget and accountability goes out the window unless you've got some SERIOUSLY good managers on the gov't side. The contractor has absolutely no economic incentive to do well or act responsibly. When I was on the project SAIC had 200+ people, most of them programmers doing practically no work. There was a lot of water-cooler angst over the C programmers getting let go in favor of the Java ones because maybe management had changed their mind about which language to use. There was a whole pizza party/pep rally one day to settle the nerves. Programmers are not cheap, and idle ones less so. Yet the FBI was paying probably at least 1.5x their salary (the general DC cost multiplier) to produce nothing. And this is a full year into VCF!

Given the immature status of VCF in August of 2002, the SAIC team should have been about 2 dozen people at the most. A dozen bright engineers of varying disciplines needed to get locked in a room, slide in the coke and pizza, until they figured out all or at least most of the angles before the minions are recruited to sling code as needed. SAIC didn't have 2 dozen bright engineers and they hired the minions many, many months before the project was even sketched out. Instead they were trying out different GUIs and button colors, icon screen placement and trying to get the FBI to sign off on it without having any notion of what they were supposed to accomplish.

IT systems in general, and in particular ones of the scale and varied clientele that the FBI represents, require many iterations before getting reasonably close to a workable model. Iterations are cheap when it's pretty much all on paper and only costing the salaries of 20-odd people. But those kinds of numbers don't impress superiors who are looking for profit. Superiors want to see head-count. They want to see lots of zeros in a row on the monthly invoice. After all, if there is 50 million in the pot they damn well want every last penny. 20 guys spending weeks or months laying and relaying the groundwork isn't likely to suck up even a tenth of that.

And what of the FBI who asked for 50mil and so far has only spent 10? Congress is going to come right back at them the following year and say,

C: "Well, you only spent 10 last year and you want 50 this year again like you asked for last year? Hell no, you get 5."
F: "But we're starting implementation!"
C: "Use the 40m in the bank and get lost."
F: "But we're going to need the 40 and then some."
C: "Like we care."

Congressional budgeting is a disaster and will likely remain so. Any entity that doesn't burn every last penny every year will have its budget summarily sliced. Extenuating circumstances? One-time or recurring cost reductions? Not on your life. Gov't doesn't reward thrift or wisdom. Never has and never will. Instead it encourages waste, nay mandates it, and penalizes those who don't. After all, it's somebody else's money so what do they care. So why should contractors behave any differently?

VCF should have been a fixed cost contract with rewards for quality, thrift, and achievement, but congress-critters don't tolerate that kind of discretion or innovation and they don't even begin to know how to handle agencies having money left over. Not to mention a pissed-off contractor can trivially file a lawsuit and try to get a court to give them what they think they deserve even if they don't.

Whatever the case, the FBI desperately needs to find a project manager with some clue and hefty clout. Frankly Congress and the FBI, or better yet the GAO, should fine SAIC 100 million. After all, the GAO has been on SAIC's case about VCF for several years running. But when "accountability" is defined as making the statement "I am accountable" yet failing to resign or apologize, or biting a quivering lip in a TV interview and "feeling your pain", how are things going to change?

Congress has never been about having the balls to do what's right. It's far more lucrative and expedient to coddle incompetence, accept donations from grateful contractors to better cement one's power and status, and perpetuate the corrupt and unaccountable system. Those of us who care either get co-opted by the system, give up and leave, soldier on and try to ignore the corruption, or get booted out the door by daring to question and confront the powers on high.

The VCF train wreck could have been halted in the fall of 2002 if anybody cared to listen to those who said it already was a mess. Competent management by both the FBI and SAIC could have backed the problem up another 6 months if not prevented it in the first place. Alas, nobody will ever learn. The faces on the congressional panel will change, the faces of the accused will change, but nothing short of a free market or the elimination of free money will actually improve the situation in Washington.

From isn at c4i.org Thu Mar 10 04:04:12 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Mar 10 04:25:17 2005
Subject: [ISN] Exploit Out For CA Bugs, Eval Users Also At Risk
Message-ID:

http://informationweek.com/story/showArticle.jhtml?articleID=159400248

By Gregg Keizer
TechWeb News
March 9, 2005

Users of Computer Associates' products are now at an even greater risk, a security firm said Wednesday, because exploit code has appeared that takes advantage of vulnerabilities disclosed last week.
Even more important, said Firas Raouf, the chief operating officer of eEye Digital Security, is that ex-users of CA products -- including those who only evaluated the company's security titles, but then later uninstalled them -- are vulnerable to attack.

The vulnerabilities were first reported March 2 [1] by Computer Associates and a pair of security vendors, eEye and Reston, Va.-based iDefense. A bug in the licensing software used in virtually every Windows, Macintosh, Linux, and Unix title from CA could allow attackers to generate buffer overflows, and from there, run code of their choice on the machines. Computer Associates released patches that same day.

"Exploits have been posted on the Internet," said Raouf, "and pretty much lay out the formula for exploiting the vulnerabilities with buffer overflows." The made-public exploits are for Windows 2000 and Windows XP, just two of the numerous operating systems that run CA's software. "It's a pretty classic example," added Raouf. "Windows just tends to be targeted more."

While a worm hasn't been spotted that uses the exploit code to create an automated attacker, "it would be a trivial job to turn it into one," Raouf claimed.

Also on Wednesday, the Internet Storm Center reported that it had monitored a huge spike in traffic on TCP ports 10202 and 10203, both of which are used by Computer Associates' licensing software. The number of systems scanned at port 10203, for instance, jumped from just 19 on March 2 to 4,594 on March 5. "These scans are likely due to the public release of exploit code, which was released to the public on Monday in a posting to the VulnWatch mailing list," wrote David Goldsmith on the Storm Center's analyst blog.

But eEye's Raouf said it was too early to tell whether the increased activity on those ports was actually due to the exploit, or was only proof that hackers were scanning for vulnerable systems that they might target later.
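The Storm Center spike described above (a port that saw a handful of probes one day and thousands a few days later) is the kind of signal a defender can pull out of their own perimeter logs. The Python below is an added example, not code from the article, the Internet Storm Center or CA: it counts distinct source addresses per destination port per day over constructed firewall deny lines and flags ports whose count jumps by a configurable factor against the previous observed day. The "DENY src=... dst=... proto=TCP dpt=..." line layout, the threshold values and the function names are all assumptions made for this example.

```python
"""Flag sudden per-port scanning spikes in firewall deny logs.

Added example, not from the article or the Internet Storm Center.
The "DENY src=... dst=... proto=TCP dpt=..." line layout is a
constructed, generic format, not any vendor's real log format.
"""
import re
from collections import defaultdict

# Matches the constructed line layout; anything else (link state etc.) is skipped.
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ \S+ DENY "
    r"src=(?P<src>[\d.]+) dst=[\d.]+ proto=TCP dpt=(?P<dpt>\d+)$"
)


def constructed_log():
    """Constructed sample: a few probes on 2005-03-02, a burst on 2005-03-05.

    The burst (60 distinct sources against TCP/10203) has the shape of the
    Storm Center report; all addresses are from documentation ranges.
    """
    lines = [
        "2005-03-02T10:15:01 fw1 DENY src=203.0.113.5 dst=192.0.2.10 proto=TCP dpt=10203",
        "2005-03-02T11:02:44 fw1 DENY src=203.0.113.9 dst=192.0.2.10 proto=TCP dpt=10203",
        "2005-03-02T11:02:45 fw1 DENY src=203.0.113.9 dst=192.0.2.10 proto=TCP dpt=10202",
        "2005-03-02T13:40:12 fw1 DENY src=198.51.100.7 dst=192.0.2.11 proto=TCP dpt=445",
        "2005-03-02T13:41:00 fw1 link state change eth0 up",  # unrelated, must be ignored
    ]
    for i in range(60):
        lines.append(
            f"2005-03-05T08:00:{i:02d} fw1 DENY src=203.0.113.{100 + i} "
            f"dst=192.0.2.10 proto=TCP dpt=10203"
        )
    for i in range(3):
        lines.append(
            f"2005-03-05T09:00:0{i} fw1 DENY src=198.51.100.{50 + i} "
            f"dst=192.0.2.10 proto=TCP dpt=10202"
        )
    lines.append("2005-03-05T10:00:00 fw1 DENY src=198.51.100.8 dst=192.0.2.11 proto=TCP dpt=445")
    return lines


def unique_sources_per_port_day(lines):
    """Return {(day, dport): number of distinct source IPs} for matching lines."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            seen[(m["day"], int(m["dpt"]))].add(m["src"])
    return {key: len(srcs) for key, srcs in seen.items()}


def find_spikes(lines, ratio=10.0, min_sources=20):
    """Flag ports whose distinct-source count grows by `ratio` or more versus
    the previous observed day and reaches at least `min_sources`.

    Both thresholds are assumptions for this example; tune them to the
    baseline of the network being monitored.
    """
    counts = unique_sources_per_port_day(lines)
    by_port = defaultdict(list)
    for (day, port), n in counts.items():
        by_port[port].append((day, n))
    spikes = []
    for port, series in by_port.items():
        series.sort()  # ISO dates sort chronologically as strings
        for (prev_day, prev_n), (day, n) in zip(series, series[1:]):
            if n >= min_sources and n >= ratio * prev_n:
                spikes.append({"port": port, "from_day": prev_day, "to_day": day,
                               "previous": prev_n, "current": n})
    return spikes


if __name__ == "__main__":
    for s in find_spikes(constructed_log()):
        print(f"TCP/{s['port']}: {s['previous']} sources on {s['from_day']} "
              f"-> {s['current']} on {s['to_day']}")
```

Counting distinct sources rather than raw packets keeps one noisy host from looking like a campaign, and comparing against the previous observed day rather than a fixed number lets a port that is always busy (445 here) stay quiet while a normally silent one (10203) stands out.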
In a related development, Raouf also said that former users of CA titles could be in danger, including those who only evaluated the Islandia, NY-based software developer's products. "In some cases, evaluation copies install the licensing software as well, and when the evaluation software's removed, the licensing manager isn't completely uninstalled," said Raouf. eEye discovered the new problem through its own testing, said Raouf, but the Aliso Viejo, Calif.-based security vendor had not yet informed CA of its findings.

"It's going to be difficult for enterprises to spot all the systems that are vulnerable," said Raouf. "While users can go to a CA console to view all the systems which have the licensing agent installed, that won't tell them about, say, consultants' machines using the network or computers where CA products have been uninstalled, but which still have pieces of the licensing software on them."

Later Wednesday, he added, eEye will post a free-for-the-downloading scanning utility that will peek through the network and find all systems vulnerable to the CA exploit. As with earlier such scanners, it will be posted to the eEye Web site [2].

"CA has taken immediate action in response to the vulnerabilities discovered in a licensing component of certain CA software products, including the development and distribution of the necessary code patches," a spokesman for CA said late Wednesday. "CA worked with iDefense, eEye Digital Security and the CA Security Advisory teams to verify that the patches work properly and eliminate the reported vulnerabilities. We are continuing to work closely with our customers to make sure they are aware of these vulnerabilities and that they take appropriate corrective action. Patches have been posted to our SupportConnect web site (http://SupportConnect.ca.com), where our customers can get step-by-step instructions on how to determine if they are impacted and how to update their environment. Although there are no confirmed reports of the exploitation of these vulnerabilities, CA strongly recommends that our customers apply the patches immediately."

[1] http://www.techweb.com/wire/security/60405068
[2] http://www.eeye.com/html/resources/downloads/audits/index.html

From isn at c4i.org Thu Mar 10 04:04:49 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Mar 10 04:25:20 2005
Subject: [ISN] Hacker derails tax site
Message-ID:

http://miva.sctimes.com/miva/cgi-bin/miva?Web/page.mv+1+local+798546

By Kirsti Marohn
Mar. 10, 2005

A computer hacker derailed a portion of Stearns County's Web site for about 13 hours this week. Internet users who clicked on a feature that usually allows them to search for information about their property and taxes were redirected to another site. The problem began about 9:30 p.m. Tuesday and was corrected by Wednesday morning. It was the first time the county's site has been the victim of hackers, said George McClure, information services director.

Like many Web sites, the county's Web server uses Microsoft software, a favorite target of hackers. The company frequently distributes patches to correct software problems. A vendor that manages a portion of the Stearns County site apparently didn't correctly install a patch, McClure said. That led to a hacker targeting government sites - those with addresses that end in "us" - to redirect visitors to a page with a picture of a Turkish flag. "It's more of a nuisance than malicious," McClure said.

County workers were alerted to the problem Tuesday night via e-mail from a Sauk Centre resident. They installed the patch, changed several passwords to guarantee the site was secure and got it back online by about 10:30 a.m. Wednesday, McClure said.

While this is Stearns County's first experience with hackers or a virus, they are fairly common, McClure said. Keeping up with the patches is an ongoing battle, he said.
Internet users who want to pay their property taxes online needn't worry, McClure said. The payment feature is managed by a different company and is an encrypted connection, he said. No financial or credit card information is stored on the county's site. From isn at c4i.org Thu Mar 10 04:05:40 2005 From: isn at c4i.org (InfoSec News) Date: Thu Mar 10 04:25:22 2005 Subject: [ISN] Security UPDATE -- Administrator Accounts and Root Kits -- March 9, 2005 Message-ID: ==================== This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE. Free util: Scan your site for system slowdowns http://list.windowsitpro.com/t?ctl=48BC:4FB69 SQL Server Magazine http://list.windowsitpro.com/t?ctl=48D0:4FB69 ==================== 1. In Focus: Administrator Accounts and Root Kits 2. Security News and Features - Recent Security Vulnerabilities - Need Information About Internet Explorer 7.0? - Deploying Junk Mail Filter Lists in Outlook 2003 - @stake LC 5 3. Security Toolkit - Security Matters Blog - Web Chat - FAQ - Security Forum Featured Thread 4. New and Improved - Prevent Unauthorized Network Access ==================== ==== Sponsor: Executive Software ==== Free util: Scan your site for system slowdowns Disk Performance Analyzer for Networks is a FREE utility that remotely checks your systems for performance bottlenecks caused by severe disk fragmentation. If not identified promptly, fragmentation builds exponentially and causes frustrating slowdowns, random crashes, even complete inability to boot. Disk Performance Analyzer for Networks zeros in on problem computers, showing you exactly how much performance and stability is being lost. Find systems that need attention now, BEFORE they become help desk calls! This is a free utility, not spyware or adware. 
Download Disk Performance Analyzer for Networks now! http://list.windowsitpro.com/t?ctl=48BC:4FB69 ==================== ==== 1. In Focus: Administrator Accounts and Root Kits ==== by Mark Joseph Edwards, News Editor, mark at ntsecurity / net Last week, I wrote about why you should try not to use administrative accounts unless you really need to. Several readers wrote to explain various scenarios and problems they've encountered while trying to use a nonadministrative account for certain tasks. Some of the problems involve using Windows Explorer, running debuggers, creating Data Source Names (DSNs), and accessing Control Panel items. Obviously, you'll need to log on as the administrator in some instances; using RunAs, even with the /netonly switch, might not always suffice. There are other possible solutions for some problems too. For example, Microsoft's OS resource kits include the su.exe tool, which can elevate privileges. Another tool, which I've mentioned before, is MakeMeAdmin, written by Aaron Margosis at Microsoft. The tool adds your account to the local Administrators group, spawns a command shell with your new elevated privileges, and then removes your account from the group. So, effectively, MakeMeAdmin gives you a command shell running with a new security token. You can perform whatever actions you need to in the shell. If you also need privileges on the network, you can initiate some kind of network access and authenticate by using whatever account you prefer. For example, you can map a drive by using the command net use and specifying an account with the required privileges. Or you could launch Windows Explorer on the desktop with elevated privileges by using its /root switch. You could also launch Control Panel applets by simply entering the applet name and extension (.cpl) as if it were any other executable program. 
If you run Microsoft Internet Explorer (IE) with elevated privileges, you can use Margosis's PrivBar add-on that shows which security level your browser is running under. http://list.windowsitpro.com/t?ctl=48C1:4FB69 http://list.windowsitpro.com/t?ctl=48C0:4FB69 Another reader wrote to point out that Microsoft has published a document that explains some of the problems you can encounter when you run applications on the desktop with nonadministrative accounts. The article offers tips about how developers can remedy some of those problems and offers some insight into how the next release of Windows (codenamed Longhorn) will address the matter in more effective ways. One change will be a Protected Administrator status, which, if I understand correctly, will allow a user to use an administrator account but with the fewest privileges necessary for a given task. http://list.windowsitpro.com/t?ctl=48BF:4FB69 Another topic I want to discuss this week is root kits, which as you know, can be a real problem. A Microsoft paper discusses research the company has done regarding ways to discover such nuisances. The paper mentions a related tool, Strider Ghostbuster, developed in the labs, which isn't available to the public. http://list.windowsitpro.com/t?ctl=48B9:4FB69 However, Sysinternals has a root kit discovery tool that you might find helpful. The new tool, RootkitRevealer, is still undergoing development, but you can download a copy and try it out. http://list.windowsitpro.com/t?ctl=48C4:4FB69 F-Secure will release a beta version of its new root kit detection tool, F-Secure BlackLight Rootkit Elimination Technology, this week. You can learn more about that tool in the related article on our Web site. 
http://list.windowsitpro.com/t?ctl=48CB:4FB69 ==================== ==== Sponsor: SQL Server Magazine ==== Get SQL Server Magazine and Get Answers Throughout the year in 2005, SQL Server Magazine is on target to deliver comprehensive coverage of all hot industry topics, including SQL Server 2005, performance tuning, security, Reporting Services, Integration Services, and .NET development. If you aren't already a subscriber, now is the time to sign up. You'll get unlimited online access to every article ever published in the magazine and you'll get 30% off the cover price. Don't miss out . . . sign up today: http://list.windowsitpro.com/t?ctl=48D0:4FB69 ==================== ==== 2. Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://list.windowsitpro.com/t?ctl=48C3:4FB69 Need Information About Internet Explorer 7.0? If you need information about the upcoming Microsoft Internet Explorer (IE) 7.0, you can find some tidbits about it on IEBlog, which is operated by Microsoft's IE team. http://list.windowsitpro.com/t?ctl=48C9:4FB69 Deploying Junk Mail Filter Lists in Outlook 2003 Microsoft released a hotfix for Outlook 2003 late last month for a feature that deals with importing junk mail filter lists into Outlook 2003. This feature lets you use registry values to tell Outlook to import the Safe Senders, Safe Recipients, and Blocked Senders lists from specific locations and either overwrite the user's existing junk mail filter lists or append entries to them. The hotfix makes some important changes to the way the feature works. http://list.windowsitpro.com/t?ctl=48C8:4FB69 @stake LC 5 If you want a terrific password-auditing tool, Jeff Fellinge recommends the most recent version of L0phtCrack: @stake LC 5 (recently acquired by Symantec). 
New features let you remotely collect password hashes, schedule scans, score passwords, create audit reports, and speed up audits. LC 5 supports most password- cracking methods and comes in four versions (professional, administrator, site, and consultant). http://list.windowsitpro.com/t?ctl=48C7:4FB69 ==================== ==== Resources and Events ==== The Must-Attend Event for Securing Your Wireless Deployments The Conference on Mobile & Wireless Security delivers on-target, need-to-know information on emerging issues and tech trends. Featuring first-class keynotes and sessions, an in-depth panel discussion, and interactive workshops, you will learn practical tactics for overcoming mobile security challenges and real-world strategies for maximizing the potential of your wireless devices. http://list.windowsitpro.com/t?ctl=48D2:4FB69 Get Ready for SQL Server 2005 Roadshow in a City Near You Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best- practices migration to SQL Server 2005 and improve your database computing environment. Receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now! http://list.windowsitpro.com/t?ctl=48BB:4FB69 Windows Connections 2005 Conference April 17-20, 2005, Hyatt Regency San Francisco. Microsoft and Windows experts present over 40 in-depth sessions with real-world solutions you can take back and apply today. Don't miss Mark Minasi's entertaining and insightful keynote presentation on "The State of Windows" and your chance to win a 7-night Caribbean cruise! http://list.windowsitpro.com/t?ctl=48D4:4FB69 The Essential Guide to Active Directory Management Migrating from NDS and/or eDirectory to AD means changes in the way you manage your network, users, and network resources. 
Download this Essential Guide to Active Directory Management and learn hands-on approaches that reduce management complexity, IT workload, and costs and improve security--all with minimal impact on your organization. Download this guide today.
http://list.windowsitpro.com/t?ctl=48C2:4FB69

Discover, Manage, and Archive Information Within Your Exchange Enterprise
Limit your legal exposure and protect corporate information. In this free Web seminar, Exchange MVP Paul Robichaux provides an overview of general retention and compliance issues, knowledge of pitfalls you may encounter when implementing your policy, insight into managing mail data for best-efforts compliance, and Exchange's built-in archiving and compliance features. Register now!
http://list.windowsitpro.com/t?ctl=48BD:4FB69

====================

==== Hot Release ====

Managing and Securing IM in the Enterprise: Why It Should Be a Top Priority
With instant messaging present in virtually all corporate environments, and expected to be as prevalent as email in the near future, it has rapidly become an indispensable business communication tool. Yet IM growth within the enterprise brings an associated increase in security risks to both public and enterprise IM networks. In this free white paper, learn how you can take control of IM use on your network to ensure security and compliance. You'll learn how to protect yourself from virus and worm attacks, identity theft, leakage of confidential information, and more. Download now!
http://list.windowsitpro.com/t?ctl=48BA:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=48D1:4FB69

Google Hacking: No Longer a Sure Thing for Intruders
A new honeypot can trap intruders who use Google queries to find vulnerable systems.
Such intruders typically use search engine queries to look for sites whose URLs contain particular words or phrases that might indicate that the site is using vulnerable applications.
http://list.windowsitpro.com/t?ctl=48C6:4FB69

Security Event Log Chat
Randy Franklin Smith is one of the foremost authorities on the Windows Security event log and a respected trainer who teaches Monterey Technology Group's "Security Log Secrets" course. In his article in the March issue of Windows IT Pro magazine, Randy shines a light on this dark and mysterious corner of cryptic event IDs and codes and inaccurate Microsoft documentation. Here's your chance to ask Randy your questions about the Security log and get answers Microsoft doesn't provide. Join the chat March 16 at 1:00 P.M. Pacific time. For details, visit
http://list.windowsitpro.com/t?ctl=48CF:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=48CD:4FB69

Q. How can I back up and restore user profiles when deploying a new OS via the Microsoft Systems Management Server (SMS) OS Deployment Feature Pack?

Find the answer at
http://list.windowsitpro.com/t?ctl=48CA:4FB69

Security Forum Featured Thread: Backup Account Permissions on Windows Server 2003
A forum participant is trying to remove service accounts from administrative groups. ARCServe by default puts its account in the Administrators and Domain Admins groups. Is there a workaround so that that particular account doesn't need to belong to those groups? Putting the account in the Backup and Server Operator groups doesn't seem to be sufficient. Can a security policy be adjusted to help? Join the discussion at
http://list.windowsitpro.com/t?ctl=48BE:4FB69

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Get Windows IT Pro at 44% Off!
Windows & .NET Magazine is now Windows IT Pro! Act now to get an entire year for just $39.95--that's 44% off the cover price!
Our March issue shows you what you need to know about Windows Server 2003 SP1, how to get the best out of your IT staff, and how to fight spyware. Plus, we review the top 10 features of Mozilla Firefox 1.0. This is a limited-time, risk-free offer, so click here now:
http://list.windowsitpro.com/t?ctl=48CC:4FB69

====================

==== 4. New and Improved ====
by Renee Munshi, products@windowsitpro.com

Prevent Unauthorized Network Access
MetaInfo has released SAFE DHCP as a stand-alone product. When a computer connects to the network, SAFE DHCP supplies a nonprivileged or "quarantined" IP address and checks the machine's identity before granting a privileged IP address. Several SAFE DHCP modules are available that can perform various identity and other security checks (such as checking for viruses or policy compliance). SAFE DHCP was previously available only as part of the MetaInfo Meta IP solution. For further information, visit
http://list.windowsitpro.com/t?ctl=48D5:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rsecadmin@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.
====================

==== Contact Us ====
About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=48D3:4FB69
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com

====================

This email newsletter is brought to you by Security Administrator, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=48C5:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.

From isn at c4i.org Thu Mar 10 04:06:45 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Mar 10 04:25:25 2005
Subject: [ISN] DSW Shoe Warehouse Reports Customer Data Theft
Message-ID:

Forwarded from: Harlan Carvey

According to this article (and I'm not assuming that it's complete or accurate), RV seems to think that a "hacker" broke in and stole data for no other reason than credit card companies are reporting fraudulent activity on customers' accounts...do others read this the same way? Do you take away the same thing from the article?

If so...investigations by the outside security firm and the USSS are not complete. So how do they know? If the investigations aren't complete, why are they saying something as definitive as that? After all, the statement seems to have come from their general counsel.

I guess one way to look at it is that by saying a "hacker" did it, they can claim that this "hacker" was smart enough to outwit the assembled forces within RV, and steal the data.
You know...like the T-Mobile hack - the one involving the unpatched server that some manager made the business decision to leave unpatched...

--- InfoSec News wrote:

> http://www.washingtonpost.com/wp-dyn/articles/A17831-2005Mar8.html
>
> By Jonathan Stempel
> Reuters
> March 8, 2005
>
> Retail Ventures Inc., Tuesday announced the theft of credit card and
> purchase data of customers at 103 of its 175 DSW Shoe Warehouse
> stores and said some fraudulent activity has been conducted since
> the theft.
>
> The theft is the latest reported instance in recent weeks in which
> customers' personal data was stolen or lost. Other companies to
> report such problems include Bank of America Corp. and ChoicePoint
> Inc., where the thefts involved thousands of individuals' data.
>
> Columbus, Ohio-based Retail Ventures said customer data was stolen
> mainly over the past three months, though it was unable to say how
> many customers were affected. It said it discovered the theft late
> last week.

From isn at c4i.org Thu Mar 10 04:07:01 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Mar 10 04:25:28 2005
Subject: [ISN] France puts a damper on flaw hunting
Message-ID:

http://news.com.com/France+puts+a+damper+on+flaw+hunting/2100-7350_3-5606306.html

By Munir Kotadia
Special to CNET News.com
March 9, 2005

Researchers who reverse-engineer software to discover programming flaws can no longer legally publish their findings in France, after a court fined a security expert on Tuesday.

In 2001, French security researcher Guillaume Tena found a number of vulnerabilities in the Viguard antivirus software published by Tegam International. Tena, who at the time was known by his pseudonym Guillermito, published his research online in March 2002.

However, Tena's actions were not viewed kindly by Tegam, which initiated legal action against the researcher. That action resulted in a case being brought to trial at a court in Paris.
The prosecution claimed that Tena violated article 335.2 of the code of intellectual property and asked for a four-month jail term and a fine of 6,000 euros.

On Tuesday, the French court ruled that Tena should not be imprisoned but gave him a suspended fine of 5,000 euros. This means that he only has to pay the fine if he publishes more information on security vulnerabilities in software.

Chaouki Bekrar, a security consultant and co-founder of French Web site K-Otik Security, which is known for regularly publishing exploit codes, said that although it is good news that Tena did not have to go to jail, the ruling is very bad news for the security research industry in France.

"This seems to be a good news, but that is not the case," Bekrar said. "Publishing a security vulnerability or a proof of concept using reverse engineering or disassembly is now illegal in France. How can a researcher publish a vulnerability if he can't study the software's structure?"

On his Web site, Tena argued that if independent researchers were not allowed to freely publish their findings about security software, then users would only have "marketing press releases" to assess the quality of the software.

"Unfortunately, it seems that we are heading this way in France and maybe in Europe," Tena said.

Tegam is also proceeding with a civil case against Tena, in which it is asking for 900,000 euros in damages.

Munir Kotadia of ZDNet Australia reported from Sydney.

From isn at c4i.org Thu Mar 10 04:07:16 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Mar 10 04:25:30 2005
Subject: [ISN] Hackers breach LexisNexis, grab info on 32,000 people
Message-ID:

http://www.computerworld.com/securitytopics/security/hacking/story/0,10801,100287,00.html

By Paul Roberts
MARCH 09, 2005
IDG NEWS SERVICE

Hackers have compromised databases belonging to LexisNexis and stolen information on at least 32,000 people, according to a statement today from LexisNexis' parent company, Reed Elsevier PLC.
The hackers stole passwords, names, addresses, Social Security numbers and driver's license numbers of legitimate customers of the company's Seisint division. Seisint collects data on individuals that is used by law enforcement agencies and private companies for debt recovery, fraud detection and other services.

LexisNexis identified the incidents in a review of security procedures and warned that there may be more incidents of data theft, Reed Elsevier said.

The incident is eerily familiar to recent revelations about similar compromises at Seisint competitor ChoicePoint Inc., which acknowledged last month that hackers had access to data on 145,000 people (see story).

Reed Elsevier didn't immediately respond to requests for comment.

LexisNexis, which acquired Boca Raton, Fla.-based Seisint Inc. in September for $775 million, expressed regret for the incident and said it is notifying the individuals whose information may have been accessed and will provide them with credit-monitoring services. The company also said it notified law enforcement officials and is assisting with investigations of the fraudulent account access.

Like ChoicePoint, Seisint maintains a massive database of public and private information on individuals, including Social Security numbers, credit histories and criminal records. Seisint made the news in recent years as the data source behind the Multistate Anti-Terrorism Information Exchange, or MATRIX, system, a program to bring together criminal and public records from participating U.S. states.

Bill Shrewsbury, a vice president at Seisint, said that identity thieves used a different approach to breach the company's database than what was used to get ChoicePoint's data. But he declined to elaborate.

LexisNexis said it is taking actions to improve its ID and password administration security, as well as customer screening.

The incident is the latest in a series of revelations about consumer data being leaked or lost.
Those incidents include the ChoicePoint compromise and Bank of America Corp.'s disclosure last week that it lost digital tapes containing the credit card account records of 1.2 million federal employees, including 60 U.S. senators (see story).

ChoicePoint, in Alpharetta, Ga., has also been the focus of intense scrutiny and criticism since it acknowledged that identity thieves posed as legitimate customers to gain access to the company's database of 19 billion public records. Some of the information stolen from ChoicePoint has since been used in about 750 identity theft scams, according to the company. The company said last week that it is discontinuing data sales to many of its customers, except when that data helps complete a consumer transaction or helps government or law enforcement.

Since disclosing the security breach, ChoicePoint has been the subject of a U.S. Federal Trade Commission inquiry into its compliance with federal information security laws; a U.S. Securities and Exchange Commission investigation into possible insider stock trading violations by its CEO and chief operating officer (see story); and lawsuits alleging violations of the federal Fair Credit Reporting Act and California state law. ChoicePoint disclosed the inquiries in a filing to the SEC on March 4.

From isn at c4i.org Fri Mar 11 05:05:15 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 11 05:15:27 2005
Subject: [ISN] Hackers Target U.S. Power Grid
Message-ID:

Forwarded from: William Knowles

http://www.washingtonpost.com/wp-dyn/articles/A25738-2005Mar10.html

By Justin Blum
Washington Post Staff Writer
March 11, 2005

Hundreds of times a day, hackers try to slip past cyber-security into the computer network of Constellation Energy Group Inc., a Baltimore power company with customers around the country.

"We have no discernable way of knowing who is trying to hit our system," said John R. Collins, chief risk officer for Constellation, which operates Baltimore Gas and Electric.
"We just know it's being hit."

Hackers have caused no serious damage to systems that feed the nation's power grid, but their untiring efforts have heightened concerns that electric companies have failed to adequately fortify defenses against a potential catastrophic strike. The fear: In a worst-case scenario, terrorists or others could engineer an attack that sets off a widespread blackout and damages power plants, prolonging an outage.

Patrick H. Wood III, the chairman of the Federal Energy Regulatory Commission, warned top electric company officials in a private meeting in January that they need to focus more heavily on cyber-security. Wood also has raised the issue at several public appearances.

Officials will not say whether new intelligence points to a potential terrorist strike, but Wood stepped up his campaign after officials at the Energy Department's Idaho National Laboratory showed him how a skilled hacker could cause serious problems.

Wood declined to comment on specifics of what he saw. But an official at the lab, Ken Watts, said the simulation showed how someone could hack into a utility's Internet-based business management system, then into a system that controls utility operations. Once inside, lab workers simulated cutting off the supply of oil to a turbine generating electricity and destroying the equipment.

Describing his reaction to the demonstration, Wood said: "I wished I'd had a diaper on."

Many electric industry representatives have said they are concerned about cyber-security and have been taking steps to make sure their systems are protected. But Wood and others in the industry said the companies' computer security is uneven.

"A sophisticated hacker, which is probably a group of hackers . . . could probably get into each of the three U.S. North American power [networks] and could probably bring sections of it down if they knew how to do it," said Richard A. Clarke, a former counterterrorism chief in the Clinton and Bush administrations.
Clarke said government simulations show that electric companies have not done enough to prevent hacking. "Every time they test, they get in," Clarke said. "It's nice that the power companies think that they've done things, and some of them have. But as long as there's a way to get into the grid, the grid is as weak as its weakest company."

Some industry analysts play down the threat of a massive cyber-attack, saying it's more likely that terrorists would target the physical infrastructure such as power plants and transmission lines. James Andrew Lewis, director of technology policy at the Center for Strategic and International Studies in the District, said a coordinated attack on the grid would be technically difficult and would not provide as much "bang for the buck" as high-profile physical attacks. Lewis said the bigger vulnerability may be posed not by outside hackers but by insiders who are familiar with their company's computer networks.

But in recent years, terrorists have expressed interest in a range of computer targets. Al Qaeda documents from 2002 suggest cyber-attacks on various targets, including the electrical grid and financial institutions, according to a translation by the IntelCenter, an Alexandria firm that studies terrorist groups.

A government advisory panel has concluded that a foreign intelligence service or a well-supported terrorist group "could conduct a structured attack on the electric power grid electronically, with a high degree of anonymity, and without having to set foot in the target nation," according to a report last year by the Government Accountability Office, the investigative arm of Congress.

Cyber-security specialists and government officials said that cyber-attacks are a concern across many industries but that the threat to the country's power supply is among their top fears.

Hackers have gained access to U.S. utilities' electronic control systems and in a few cases have "caused an impact," said Joseph M. Weiss, a Cupertino, Calif.-based computer security specialist with Kema Inc., a consulting firm focused on the energy industry. He said computer viruses and worms also have caused problems.

Weiss, a leading expert in control system security, said officials of the affected companies have described the instances at private conferences that he hosts and in confidential conversations but have not reported the intrusions publicly or to federal authorities. He said he agreed not to publicly disclose additional details and that the companies are fearful that releasing the information would hurt them financially and encourage more hacking.

Weiss said that "many utilities have not addressed control system cyber-security as comprehensively as physical security or cyber-security of business networks."

The vulnerability of the nation's electrical grid to computer attack has grown as power companies have transferred control of their electrical generation and distribution equipment from private, internal networks to supervisory control and data acquisition, or SCADA, systems that can be accessed through the Internet or by phone lines, according to consultants and government reports. That technology has led to greater efficiency because it allows workers to operate equipment remotely.

Other systems that feed information into SCADA or that operate utility equipment are vulnerable and have been largely overlooked by utilities, security consultants said.

Some utilities have made hacking into their SCADA systems relatively easy by continuing to use factory-set passwords that can be found in standard documentation available on the Internet, computer security consultants said.

The North American Electric Reliability Council, an industry-backed organization that sets voluntary standards for power companies, is drafting wide-ranging guidelines to replace more narrow, temporary precautions already on the books for guarding against a cyber-attack.
But computer security specialists question whether those standards go far enough.

Officials at several power companies said they had invested heavily in new equipment and software to protect their computers. Many would speak only in general terms, saying divulging specifics could assist hackers.

"We're very concerned about it," said Margaret E. "Lyn" McDermid, senior vice president and chief information officer for Dominion Resources Inc., a Richmond-based company that operates Dominion Virginia Power and supplies electricity and natural gas in other states. "We spend a significant amount of time and effort in making sure we are doing what we ought to do."

Executives at Constellation Energy view the constant hacking attempts -- which have been unsuccessful -- as a threat and monitor their systems closely. They said they assume many of the hackers are the same type seen in other businesses: people who view penetrating corporate systems as fun or a challenge.

"We feel we are in pretty good shape when it comes to this," Collins said. "That doesn't mean we're bulletproof."

The biggest threat to the grid, analysts said, may come from power companies using older equipment that is more susceptible to attack. Those companies may not want to invest large amounts of money in new computer equipment when the machines they are using are adequately performing all their other functions.

Security consulting firms said that they have hacked into power company networks to highlight for their clients the weaknesses in their systems.

"We are able to penetrate real, running, live systems," said Lori Dustin, vice president of marketing for Verano Inc., a Mansfield, Mass., company that sells products to companies to secure SCADA systems. In some cases, Dustin said, power companies lack basic equipment that would even alert them to hacking attempts.

O. Sami Saydjari, chief executive of the Wisconsin Rapids, Wis.-based consulting firm Cyber Defense Agency LLC, said hackers could cause the type of blackout that knocked out electricity to about 50 million people in the Northeast, Midwest and Canada in 2003, an event attributed in part to trees interfering with power lines in Ohio. He said that if hackers destroyed generating equipment in the process, the amount of time to restore electricity could be prolonged.

"I am absolutely confident that by design, someone could do at least as [much damage], if not worse" than what was experienced in 2003, said Saydjari, who was one of 54 prominent scientists and others who warned the Bush administration of the risk of computer attacks following Sept. 11, 2001. "It's just a matter of time before we have a serious event."

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Fri Mar 11 05:05:46 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 11 05:15:31 2005
Subject: [ISN] France puts a damper on flaw hunting
Message-ID:

Forwarded from: security curmudgeon

: http://news.com.com/France+puts+a+damper+on+flaw+hunting/2100-7350_3-5606306.html
:
: By Munir Kotadia
: Special to CNET News.com
: March 9, 2005
:
: Researchers who reverse-engineer software to discover programming flaws
: can no longer legally publish their findings in France, after a court
: fined a security expert on Tuesday.
:
: In 2001, French security researcher Guillaume Tena found a number of
: vulnerabilities in the Viguard antivirus software published by Tegam
: International. Tena, who at the time was known by his pseudonym
: Guillermito, published his research online in March 2002.
:
: On Tuesday, the French court ruled that Tena should not be imprisoned
: but gave him a suspended fine of 5,000 euros. This means that he only
: has to pay the fine if he publishes more information on security
: vulnerabilities in software.

According to reports on other lists, by people who apparently read and speak French better than most American journalists, the court ruling is not about him reverse engineering software and publishing bugs so much as the fact he did it on unlicensed copies of the software. If that is the case, this ruling is more about using pirated software for security research than posting vulnerability information.

Would be nice if some of the French speaking list members could translate the court ruling and help clear this up.

From isn at c4i.org Fri Mar 11 05:09:25 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 11 05:15:39 2005
Subject: [ISN] Security Masters Dojo
Message-ID:

Forwarded from: Dragos Ruiu

(The registration for this training is now on-line. I thought it would be of interest to readers of this list. --dr)

CanSecWest Security Masters Dojo
----------------------------------------

Dates: Morning/Afternoon May 3 and Morning May 4
       (Immediately preceding CanSecWest/core05)

Venue: Marriott Harbourside, Vancouver BC Canada
       (Off site lab equipment provided by BCIT IEL)

Duration: 7 half day courses in three sessions.
          (each course offered twice in the three possible sessions.)

Registration Maximum: 10 Students per course session.

Description
-----------

Advanced and intermediate security training and technology enhancement for information security professionals.
To address the need for intermediate and advanced educational requirements that go beyond the introductory materials typically found in most currently existing training (which are often geared towards the novice level) for professionals who already have significant work experience, and want to further improve their skills, we have assembled a curriculum of hands-on, half day, training programs - delivered by industry renowned experts who are pre-eminent in their fields.

This is information security university level training for practitioners who already have substantial knowledge and wish to broaden their boundaries. It goes beyond introductory level material to focus and delve more deeply into technical subjects that aren't addressed in other currently available training.

The initial courses offered will be:

Gerardo Richarte - Core Security Technologies - Assembler Language Programming: Assembly for Exploits

Dave Aitel - Immunity Inc. - Your first Exploit: An accelerated class in Windows exploitation

Halvar - Reverse Engineering: Rapid Bug Discovery and Input Crafting

Fyodor - Insecure.Org - Network Reconnaissance with NMAP

Renaud Deraison - Tenable Network Security - Vulnerability Scanning: Advanced NESSUS Usage

Marty Roesch & Brian Caswell - Sourcefire - Advanced IDS deployment and Signature Creation: Learn to get the most from your SNORT deployment

Laurent Oudot & Nico Fischbach - Applied network security and advanced anomaly detection using state-of-the-art honeypots and netflow/NIDS

These instructors are each considered to be the world's top experts in their field. Many have been responsible for the creation of some of the most famous and useful security tools and methodologies you probably use frequently in your normal security tasks. All have given many introductory courses and are experienced instructors. They are knowledgeable in what students need to advance their skills. Many have created course material that other instructors still use.
Each has taken that wisdom and knowledge of training and refined it into material to take your understanding to the next level. Our goal is to empower you to be the experts in your organization so that you can help your company be an information security powerhouse. Let our sensei transform your skill to the next degree of intensity.

Our half day format is oriented towards maximum information transfer and learning retention. Research into learning retention rates has proven:

Teaching Method                                                  Knowledge Retention
See/Hear - Lecture                                                5%
Reading                                                          10%
Audio Visual / Video                                             20%
Demonstration                                                    30%
Discussion Group                                                 50%
***Practice by Doing***                                          75%
Teaching Others                                                  90%
****Immediate application of learning in a real situation****    90%

Patterned after martial arts combat training, the Security Masters Dojo will focus on real world applications of new skills which can help you advance in the field of information security. You will learn difficult to acquire skill sets from the world's top practitioners. A series of tests will challenge and verify your skills in each course area, with a series of ceremonial belt colors which are awarded after successful attainment of each difficulty level in the testing challenges. The most difficult levels (black belt), are difficult to attain. But you can rest assured that if you study and persevere, by attaining and overcoming the challenges, you too will indeed become a world class expert in information security - with an exclusive skill and knowledge level few have reached.

As incentives to performance, two additional rank awards will be presented to the two most exceptional students in each Dojo sitting at the belt award ceremony at the opening of the CanSecWest/core05 conference.
(highest cumulative test scores per Dojo after normalization by class average)

Top student: Authentic weapon grade Japanese Folded Samurai Katana Sword - Soft and hard powdered carbon steel blend, tameshigiri grade cutting sword good for iaido practitioners. It's not just decorative, this is the real thing. (We can ship it home if you think you might have any issues with airport security :-) (~USD$1200)

Runner-up: Linux Zaurus SL3000 PDA with 4Gig hard drive and VGA touchscreen, only available in Japan, converted to English menus and pre-loaded with security tools and NICs. This too is not just decorative. (~USD$1200)

Each class is offered in two sessions per dojo and features one or two expert instructors teaching a small group (maximum of ten people are allowed to register per session, class max 12). Courses have a strong hands-on laboratory component and prepared exercises for you to perform. Laboratory equipment for the exercises and a gigabit peering link will be provided by the BC Institute of Technology Internet Engineering Laboratory. (http://www.bcit.ca/appliedresearch/facility/iel/)

To accommodate this, each class may have prerequisites for software loads and a laptop is mandatory. The individual class guides will list material the students are expected to have knowledge about coming in and software tools that need to be pre-installed before attending so you get the maximum benefit from the focused intermediate or advanced level course. Please pay particular attention to the prerequisites, as the material listed there will not be reviewed in the courses, and will be necessary to get the maximum benefit out of these educational programs.

The small size (10) means that space is limited, so you must book early, but you will be assured that the low student-instructor ratio will mean that you will each get specific attention to assisting your individual learning process.

Our sensei masters have said "Hai!" to the challenge of improving your skills.
I hope you choose to say so too and rise to the challenge of increasing your information security knowledge.

More information on courses and registration will be found at: http://cansecwest.com/dojob.html

cheers,
--dr (a.k.a. Dojo Mama-san :-)

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada  May 4-6 2005  http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp

From isn at c4i.org Fri Mar 11 05:10:00 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 11 05:15:41 2005
Subject: [ISN] REVIEW: "Windows Forensics and Incident Recovery", Harlan Carvey
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKWNFOIR.RVW 20041224

"Windows Forensics and Incident Recovery", Harlan Carvey, 2005, 0-321-20098-5, U$49.99/C$71.99
%A   Harlan Carvey
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D   2005
%G   0-321-20098-5
%I   Addison-Wesley Publishing Co.
%O   U$49.99/C$71.99 416-447-5101 fax: 416-443-0948 bkexpress@aw.com
%O   http://www.amazon.com/exec/obidos/ASIN/0321200985/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/0321200985/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321200985/robsladesin03-20
%O   tl a rl 1 tc 2 ta 2 tv 1 wq 2
%P   460 p. + CD-ROM
%T   "Windows Forensics and Incident Recovery"

Chapter one is an introduction, both to the book and to the ideas behind it. For once, the author does, indeed, try to define what an incident is. The definition is broad, but so are the possibilities. The intended audience is stated to be anyone interested in the security of Microsoft Windows, but it is instructive that, in listing specific groups, forensic specialists and security professionals are *not* mentioned. Carvey notes that a great many people would like to know the information that Windows forensics can provide, since the platform is nearly ubiquitous, but few have the knowledge of system internals that is necessary to find the relevant bits.
Based on the definition of an incident as an event that violates security policy, chapter two demonstrates some of the ways that policy failures, and therefore attacks, can occur. (The rationale behind the inclusion of eleven pages of Perl source for a program to detect null sessions escapes me.)

Chapter three reviews a number of places to hide data, but all of these are at the user interface level, such as setting hidden file attributes, placing data in unused keys in the Registry, NTFS (NT File System) alternate data streams (ADS), and the extra information stored in data files by applications like Microsoft Word. There is no mention of the lower level caches: slack space (whether in terms of zero padding, extra space in sectors, or the timing margins on hard disks) or page files. In addition, for those locations that are mentioned, specific programs for extracting particular data are listed, but no details of structural internals (for example formats for NTFS, OLE/COM, or Word) are provided for analysis with more general utilities. This is not to say that Carvey does not do a good job of explaining what he does cover: the tutorial on NTFS ADS is clear and complete.

The material in chapter four addresses the issue of preparation by suggesting various means of hardening systems and networks against attack. The content is unusual, and deals with functions and activities that are frequently left out of security texts. At the same time, it does not touch on some common suggestions for system security: this should be seen as a complement to, rather than a replacement for, other Windows security works.

A wealth of utilities for deriving all manner of information from Windows systems are listed and described in chapter five.

Chapter six presents suggestions for the methods and procedures to be used in responding to a potential incident, but it does so in the form of a number of fictional examples.
The stories can be instructive, but it does take a long time to sort through the material to find the relevant points to use.

Various indications that can be evidence of the existence of malware (particularly network-based remote access trojans) are examined in chapter seven.

The author's Forensic Server Project, a tool for managing forensic data collection, is presented in chapter eight.

Chapter nine describes an assortment of network scanning and data capture tools.

Although a number of areas are addressed, the text will be of greatest use to those who are concerned about network malware, especially of the remote access type. The intended audience, of experienced but non-specialist Windows administrators and law enforcement professionals with some technical background, will find a number of valuable indicators that will point out whether a system will reward further scrutiny. The professional, and particularly one with experience in forensic analysis, will find some very useful information on newer operations of Windows, but may be frustrated at the lack of detail. (I'm still not sure who is going to get a lot out of all the Perl source code ...)

copyright Robert M. Slade, 2004   BKWNFOIR.RVW   20041224

======================
(quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca  slade@victoria.tc.ca  rslade@sun.soci.niu.edu
When you tell the truth, you don't have to remember anything.
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

From isn at c4i.org Fri Mar 11 05:10:13 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 11 05:15:44 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-10
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2005-03-03 - 2005-03-10

This week : 83 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Microsoft Windows XP and 2003 Server edition have been reported vulnerable to a Denial of Service issue, which was first reported in 1997 and became known as LAND attacks.

Currently, no patches are available from the vendor.

Please read the referenced Secunia advisory below for additional details.

References:
http://secunia.com/SA14512

VIRUS ALERTS:

During the last week, Secunia issued 3 MEDIUM RISK virus alerts. Please refer to the grouped virus profile below for more information:

SOBER.L - MEDIUM RISK Virus Alert - 2005-03-08 00:55 GMT+1
http://secunia.com/virus_information/16027/sober.l/

FATSO.A - MEDIUM RISK Virus Alert - 2005-03-07 16:46 GMT+1
http://secunia.com/virus_information/15999/fatso.a/

Kelvir.b - MEDIUM RISK Virus Alert - 2005-03-07 15:04 GMT+1
http://secunia.com/virus_information/15994/kelvir.b/

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA14163] Mozilla Products IDN Spoofing Security Issue
2.  [SA14406] Mozilla Firefox Image Javascript URI Dragging Cross-Site Scripting
3.  [SA14407] Mozilla / Firefox / Thunderbird Multiple Vulnerabilities
4.  [SA14512] Microsoft Windows LAND Attack Denial of Service
5.  [SA14456] RealPlayer WAV and SMIL File Handling Buffer Overflows
6.  [SA13258] Mozilla / Firefox "Save Link As" Download Dialog Spoofing
7.  [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerability
8.  [SA12889] Microsoft Internet Explorer Multiple Vulnerabilities
9.  [SA14438] CA License Software Multiple Buffer Overflow Vulnerabilities
10. [SA13129] Mozilla / Mozilla Firefox Window Injection Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA14526] ArGoSoft FTP Server "DELE" Buffer Overflow Vulnerability
[SA14506] Chaser Nickname Buffer Overflow Vulnerability
[SA14470] Trillian Basic PNG Image Buffer Overflow Vulnerability
[SA14511] Sentinel License Manager Buffer Overflow Vulnerability
[SA14543] Microsoft Exchange Server 2003 Folder Handling Denial of Service
[SA14522] Hosting Controller Disclosure of Information
[SA14512] Microsoft Windows LAND Attack Denial of Service
[SA14461] Computalynx CProxy Directory Traversal Vulnerability

UNIX/Linux:
[SA14541] Fedora update for libexif
[SA14518] Ubuntu update for libexif
[SA14513] Download Center Lite "script_root" File Inclusion Vulnerability
[SA14505] Form Mail Script "script_root" File Inclusion Vulnerability
[SA14504] libexif EXIF Tag Structure Validation Vulnerability
[SA14494] Ubuntu update for lesstif
[SA14482] Gentoo update for openmotif / lesstif
[SA14481] LessTif libXpm Image Buffer Overflow Vulnerability
[SA14478] Fedora update for HelixPlayer
[SA14477] SUSE update for cyrys-sasl
[SA14473] Open Motif libXpm Image Buffer Overflow Vulnerability
[SA14472] Red Hat update for HelixPlayer / RealPlayer
[SA14460] X11 libXpm XPM Image Buffer Overflow Vulnerability
[SA14532] Gentoo update for mlterm
[SA14517] Gentoo update for xv
[SA14510] Red Hat update for mozilla
[SA14509] mlterm Background Image Integer Overflow Vulnerability
[SA14508] Red Hat update for mc
[SA14503] Mandrake update for cyrus-imapd
[SA14500] Mandrake update for curl
[SA14499] SUSE update for phpMyAdmin
[SA14498] SGI Advanced Linux Environment Multiple Updates
[SA14496] SGI Advanced Linux Environment update for imap
[SA14491] Sylpheed Message Reply Buffer Overflow Vulnerability
[SA14488] Gentoo update for hashcash
[SA14486] Gentoo update for imagemagick
[SA14485] xv Filename Format String Vulnerability
[SA14484] Astaro update for Squid
[SA14476] Ubuntu update for imagemagick
[SA14471] Gentoo update for mozilla-firefox
[SA14469] Gentoo update for phpmyadmin
[SA14466] Imagemagick Filename Handling Format String Vulnerability
[SA14463] Gentoo update for xli / xloadimage
[SA14459] xli Multiple Vulnerabilities
[SA14523] UnixWare update for samba
[SA14497] SGI Advanced Linux Environment Multiple Updates
[SA14539] Conectiva update for squid
[SA14536] Ubuntu update for squid
[SA14515] Drupal Unspecified Cross-Site Scripting Vulnerability
[SA14502] Mandrake update for gftp
[SA14479] Red Hat update for squid
[SA14468] Gentoo update for bidwatcher
[SA14462] Xloadimage Compressed Images Filename Shell Command Injection
[SA14521] UnixWare update for squid
[SA14535] Debian update for kdenetwork
[SA14534] Ubuntu update for perl-modules
[SA14531] Perl "File::Path::rmtree" Directory Permissions Race Condition
[SA14525] Gentoo update for kdelibs
[SA14519] Debian update for abuse
[SA14514] grsecurity Unspecified RBAC System Privilege Escalation
[SA14495] Abuse-SDL Multiple Vulnerabilities
[SA14490] grsecurity Unspecified Privilege Escalation Vulnerability
[SA14489] PaX Unspecified Privilege Escalation Vulnerability
[SA14480] Red Hat update for kdenetwork
[SA14501] Mandrake update for gaim

Other:
[SA14544] UTStarcom iAN-02EX VoIP ATA Reset Security Bypass
[SA14507] Xerox MicroServer Web Server Unauthorised Access Vulnerability

Cross Platform:
[SA14528] mcNews "skinfile" Arbitrary File Inclusion Vulnerability
[SA14483] Ca3DE Format String and Denial of Service Vulnerabilities
[SA14540] Ethereal "dissect_a11_radius()" Buffer Overflow Vulnerability
[SA14538] BLOG:CMS PunBB SQL Injection Vulnerabilities
[SA14533] ProjectBB Cross-Site Scripting and SQL Injection Vulnerabilities
[SA14520] Xoops Avatar Upload File Extension Vulnerability
[SA14487] Hashcash "From:" Format String Vulnerability
[SA14474] PHP-Nuke Pabox Module Script Insertion Vulnerability
[SA14465] TYPO3 CMW Linklist Extension "category_uid" SQL Injection
[SA14458] auraCMS Cross-Site Scripting and SQL Injection Vulnerabilities
[SA14542] Participate Enterprise Denial of Service Vulnerabilities
[SA14516] phpMyFaq "username" SQL Injection Vulnerability
[SA14493] phpBB Autologin Security Bypass Vulnerability
[SA14492] PHP-Fusion HTML Encoded BBcode Script Insertion Vulnerability
[SA14475] phpBB Signature Script Insertion Vulnerability
[SA14464] D-Forum "page" Parameter Cross-Site Scripting Vulnerability
[SA14527] Novell iChain Administrator Session Hijacking Vulnerability
[SA14537] Novell iChain FTP Server Path Disclosure Weakness

========================================================================
5) Vulnerabilities Content Listing

Windows:
--
[SA14526] ArGoSoft FTP Server "DELE" Buffer Overflow Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-03-09

CorryL has discovered a vulnerability in ArGoSoft FTP Server, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14526/

--
[SA14506] Chaser Nickname Buffer Overflow Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-03-07

Luigi Auriemma has reported a vulnerability in Chaser, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14506/

--
[SA14470] Trillian Basic PNG Image Buffer Overflow Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-03-08

Tal Zeltzer has reported a vulnerability in Trillian Basic, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14470/

--
[SA14511] Sentinel License Manager Buffer Overflow Vulnerability
Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2005-03-08

Dennis Rand has reported a vulnerability in Sentinel License Manager, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14511/

--
[SA14543] Microsoft Exchange Server 2003 Folder Handling Denial of Service
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-03-09

A vulnerability has been reported in Microsoft Exchange Server 2003, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14543/

--
[SA14522] Hosting Controller Disclosure of Information
Critical:    Less critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2005-03-08

Mouse and Hamid Kashfi have reported two security issues in Hosting Controller, which can be exploited by malicious people to disclose some potentially sensitive information.

Full Advisory: http://secunia.com/advisories/14522/

--
[SA14512] Microsoft Windows LAND Attack Denial of Service
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-03-07

Dejan Levaja has reported a vulnerability in Microsoft Windows, allowing malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14512/

--
[SA14461] Computalynx CProxy Directory Traversal Vulnerability
Critical:    Less critical
Where:       From local network
Impact:      Exposure of sensitive information, DoS
Released:    2005-03-03

Kristof Philipsen has reported a vulnerability in Computalynx CProxy, which can be exploited by malicious people to disclose sensitive information and cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14461/

UNIX/Linux:
--
[SA14541] Fedora update for libexif
Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-03-09

Fedora has issued an update for libexif. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14541/

--
[SA14518] Ubuntu update for libexif
Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-03-08

Ubuntu has issued an update for libexif. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14518/

--
[SA14513] Download Center Lite "script_root" File Inclusion Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-03-07

Filip Groszynski has reported a vulnerability in Download Center Lite, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14513/

--
[SA14505] Form Mail Script "script_root" File Inclusion Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-03-07

Filip Groszynski has reported a vulnerability in Form Mail Script, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14505/

--
[SA14504] libexif EXIF Tag Structure Validation Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-03-08

Sylvain Defresne has reported a vulnerability in libexif, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise vulnerable systems.
Full Advisory: http://secunia.com/advisories/14504/

--
[SA14494] Ubuntu update for lesstif
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-03-08

Ubuntu has issued an update for lesstif. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14494/

--
[SA14482] Gentoo update for openmotif / lesstif
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-03-07

Gentoo has issued updates for openmotif and lesstif. These fix a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14482/

--
[SA14481] LessTif libXpm Image Buffer Overflow Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-03-07

A vulnerability has been reported in LessTif, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14481/

--
[SA14478] Fedora update for HelixPlayer
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-03-04

Fedora has issued an update for HelixPlayer. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14478/

--
[SA14477] SUSE update for cyrys-sasl
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-03-04

SUSE has issued an update for cyrus-sasl. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14477/

--
[SA14473] Open Motif libXpm Image Buffer Overflow Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-03-07

A vulnerability has been reported in Open Motif, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14473/

--
[SA14472] Red Hat update for HelixPlayer / RealPlayer
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-03-04

Red Hat has issued updates for HelixPlayer and RealPlayer. These fix two vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14472/

--
[SA14460] X11 libXpm XPM Image Buffer Overflow Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-03-07

Chris Gilbert has reported a vulnerability in libXpm, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14460/

--
[SA14532] Gentoo update for mlterm
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-03-08

Gentoo has issued an update for mlterm. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14532/

--
[SA14517] Gentoo update for xv
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-03-07

Gentoo has issued an update for xv. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14517/

--
[SA14510] Red Hat update for mozilla
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-03-07

Red Hat has issued an update for mozilla.
This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14510/

--
[SA14509] mlterm Background Image Integer Overflow Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-03-08

A vulnerability has been reported in mlterm, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14509/

--
[SA14508] Red Hat update for mc
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-03-07

Red Hat has issued an update for mc. This fixes multiple vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14508/

--
[SA14503] Mandrake update for cyrus-imapd
Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-03-07

MandrakeSoft has issued an update for cyrus-imapd. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14503/

--
[SA14500] Mandrake update for curl
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-03-07

MandrakeSoft has issued an update for curl. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14500/

--
[SA14499] SUSE update for phpMyAdmin
Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information, Cross Site Scripting
Released:    2005-03-07

SUSE has issued an update for phpMyAdmin. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose sensitive information.
Full Advisory: http://secunia.com/advisories/14499/

--
[SA14498] SGI Advanced Linux Environment Multiple Updates
Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Spoofing, Manipulation of data, Exposure of sensitive information, Privilege escalation, DoS, System access
Released:    2005-03-07

SGI has issued a patch for SGI Advanced Linux Environment. This fixes some vulnerabilities, which can be exploited by malicious people to gain knowledge of sensitive information, cause a DoS (Denial of Service), conduct cross-site scripting attacks, conduct FTP command injection attacks, spoof the content of web sites, bypass certain security restrictions, gain escalated privileges, and compromise a user's system.

Full Advisory: http://secunia.com/advisories/14498/

--
[SA14496] SGI Advanced Linux Environment update for imap
Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-03-07

SGI has issued a patch for SGI Advanced Linux Environment. This fixes a vulnerability in imap, which can be exploited by malicious people to bypass the user authentication.

Full Advisory: http://secunia.com/advisories/14496/

--
[SA14491] Sylpheed Message Reply Buffer Overflow Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-03-07

A vulnerability has been reported in Sylpheed, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14491/

--
[SA14488] Gentoo update for hashcash
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-03-07

Gentoo has issued an update for hashcash. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14488/

--
[SA14486] Gentoo update for imagemagick
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-03-07

Gentoo has issued an update for imagemagick. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14486/

--
[SA14485] xv Filename Format String Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-03-07

Tavis Ormandy has reported a vulnerability in xv, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14485/

--
[SA14484] Astaro update for Squid
Critical:    Moderately critical
Where:       From remote
Impact:      System access, DoS, Security Bypass
Released:    2005-03-04

Astaro has issued an update for squid. This fixes multiple vulnerabilities, which can be exploited to cause a DoS (Denial of Service), bypass certain security restrictions, or potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14484/

--
[SA14476] Ubuntu update for imagemagick
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-03-04

Ubuntu has issued an update for imagemagick. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14476/

--
[SA14471] Gentoo update for mozilla-firefox
Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Spoofing, Manipulation of data, Exposure of sensitive information, System access
Released:    2005-03-07

Gentoo has issued an update for mozilla-firefox.
This fixes multiple vulnerabilities, which can be exploited to spoof various information, plant malware on a user's system, conduct cross-site scripting attacks, disclose and manipulate sensitive information, bypass certain security restrictions, perform certain actions on a vulnerable system with escalated privileges, and compromise a user's system.

Full Advisory: http://secunia.com/advisories/14471/

--
[SA14469] Gentoo update for phpmyadmin
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of sensitive information
Released:    2005-03-04

Gentoo has issued an update for phpmyadmin. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose sensitive information.

Full Advisory: http://secunia.com/advisories/14469/

--
[SA14466] Imagemagick Filename Handling Format String Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-03-04

Tavis Ormandy has reported a vulnerability in ImageMagick, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14466/

--
[SA14463] Gentoo update for xli / xloadimage
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-03-03

Gentoo has issued updates for xli and xloadimage. These fix some vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14463/

--
[SA14459] xli Multiple Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-03-03

Some vulnerabilities have been reported in xli, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14459/

--
[SA14523] UnixWare update for samba
Critical:    Moderately critical
Where:       From local network
Impact:      DoS, System access
Released:    2005-03-08

SCO has issued an update for UnixWare. This fixes some vulnerabilities in samba, which can be exploited by malicious users to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14523/

--
[SA14497] SGI Advanced Linux Environment Multiple Updates
Critical:    Moderately critical
Where:       From local network
Impact:      System access, Privilege escalation, Exposure of sensitive information, Manipulation of data
Released:    2005-03-07

SGI has issued a patch for SGI Advanced Linux Environment. This fixes some vulnerabilities, which can be exploited to disclose and manipulate information, gain escalated privileges, or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/14497/

--
[SA14539] Conectiva update for squid
Critical:    Less critical
Where:       From remote
Impact:      DoS, Manipulation of data
Released:    2005-03-09

Conectiva has issued an update for squid. This fixes some vulnerabilities, which can be exploited to pollute the cache, or cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14539/

--
[SA14536] Ubuntu update for squid
Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2005-03-09

Ubuntu has issued an update for squid. This fixes a security issue, which may disclose sensitive information to malicious people.

Full Advisory: http://secunia.com/advisories/14536/

--
[SA14515] Drupal Unspecified Cross-Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-03-07

A vulnerability has been reported in Drupal, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/14515/

--
[SA14502] Mandrake update for gftp
Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2005-03-07

MandrakeSoft has issued an update for gftp. This fixes a vulnerability, which can be exploited by malicious people to conduct directory traversal attacks.

Full Advisory: http://secunia.com/advisories/14502/

--
[SA14479] Red Hat update for squid
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-03-04

Red Hat has issued an update for squid. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14479/

--
[SA14468] Gentoo update for bidwatcher
Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2005-03-04

Gentoo has issued an update for bidwatcher. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14468/

--
[SA14462] Xloadimage Compressed Images Filename Shell Command Injection
Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2005-03-03

Tavis Ormandy has reported a vulnerability in Xloadimage, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/14462/

--
[SA14521] UnixWare update for squid
Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2005-03-08

SCO has issued an update for UnixWare. This fixes a vulnerability in squid, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14521/

--
[SA14535] Debian update for kdenetwork
Critical:    Less critical
Where:       Local system
Impact:      Manipulation of data
Released:    2005-03-09

Debian has issued an update for kdenetwork.
This fixes a vulnerability, which can be exploited by malicious, local users to manipulate the contents of certain files.

Full Advisory:
http://secunia.com/advisories/14535/

--

[SA14534] Ubuntu update for perl-modules

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-03-09

Ubuntu has issued an update for perl-modules, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/14534/

--

[SA14531] Perl "File::Path::rmtree" Directory Permissions Race Condition

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-03-09

Paul Szabo has reported a vulnerability in Perl "File::Path::rmtree", which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/14531/

--

[SA14525] Gentoo update for kdelibs

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-03-08

Gentoo has issued an update for kdelibs. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions with escalated privileges on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14525/

--

[SA14519] Debian update for abuse

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-03-08

Debian has issued an update for abuse. This fixes some vulnerabilities, which can be exploited by malicious, local users to overwrite files or gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/14519/

--

[SA14514] grsecurity Unspecified RBAC System Privilege Escalation

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-03-07

A vulnerability has been reported in grsecurity, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/14514/

--

[SA14495] Abuse-SDL Multiple Vulnerabilities

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-03-08

Some vulnerabilities have been reported in Abuse-SDL, which can be exploited by malicious, local users to overwrite files or gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/14495/

--

[SA14490] grsecurity Unspecified Privilege Escalation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-03-07

A vulnerability has been reported in grsecurity, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/14490/

--

[SA14489] PaX Unspecified Privilege Escalation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-03-07

A vulnerability has been reported in PaX, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/14489/

--

[SA14480] Red Hat update for kdenetwork

Critical:    Less critical
Where:       Local system
Impact:      Manipulation of data
Released:    2005-03-04

Red Hat has issued an update for kdenetwork. This fixes a vulnerability, which can be exploited by malicious, local users to manipulate the contents of certain files.

Full Advisory:
http://secunia.com/advisories/14480/

--

[SA14501] Mandrake update for gaim

Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2005-03-07

MandrakeSoft has issued an update for gaim. This fixes three weaknesses, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/14501/

Other:
--

[SA14544] UTStarcom iAN-02EX VoIP ATA Reset Security Bypass

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass
Released:    2005-03-09

Atom Smasher has reported a security issue in UTStarcom iAN-02EX, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/14544/

--

[SA14507] Xerox MicroServer Web Server Unauthorised Access Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass
Released:    2005-03-07

A vulnerability has been reported in Xerox MicroServer Web Server, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/14507/

Cross Platform:
--

[SA14528] mcNews "skinfile" Arbitrary File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-03-08

Filip Groszynski has reported a vulnerability in mcNews, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14528/

--

[SA14483] Ca3DE Format String and Denial of Service Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-03-04

Luigi Auriemma has reported two vulnerabilities in Ca3DE, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14483/

--

[SA14540] Ethereal "dissect_a11_radius()" Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-03-09

A vulnerability has been reported in Ethereal, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/14540/

--

[SA14538] BLOG:CMS PunBB SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-03-09

A vulnerability has been reported in BLOG:CMS, which potentially can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/14538/

--

[SA14533] ProjectBB Cross-Site Scripting and SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2005-03-09

Benjilenoob has reported two vulnerabilities in ProjectBB, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/14533/

--

[SA14520] Xoops Avatar Upload File Extension Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-03-09

pokleyzz has reported a vulnerability in Xoops, which potentially can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14520/

--

[SA14487] Hashcash "From:" Format String Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-03-07

Tavis Ormandy has reported a vulnerability in Hashcash, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14487/

--

[SA14474] PHP-Nuke Pabox Module Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-03-04

Rift has reported a vulnerability in the Pabox module for PHP-Nuke, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/14474/

--

[SA14465] TYPO3 CMW Linklist Extension "category_uid" SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-03-04

Fabian Becker has reported a vulnerability in the CMW Linklist extension for TYPO3, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/14465/

--

[SA14458] auraCMS Cross-Site Scripting and SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2005-03-03

y3dips has reported some vulnerabilities in auraCMS, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/14458/

--

[SA14542] Participate Enterprise Denial of Service Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-03-09

Altrus Wollesen has reported a vulnerability in Participate Enterprise, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14542/

--

[SA14516] phpMyFaq "username" SQL Injection Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-03-07

Sven Michels has reported a vulnerability in phpMyFaq, which can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/14516/

--

[SA14493] phpBB Autologin Security Bypass Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-03-08

"Some one" has reported a vulnerability in phpBB, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/14493/

--

[SA14492] PHP-Fusion HTML Encoded BBcode Script Insertion Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-03-08

FireSt0rm has reported a vulnerability in PHP-Fusion, which can be exploited by malicious users to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/14492/

--

[SA14475] phpBB Signature Script Insertion Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-03-07

Paisterist has reported a vulnerability in phpBB, which can be exploited by malicious users to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/14475/

--

[SA14464] D-Forum "page" Parameter Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-03-03

benjilenoob has reported a vulnerability in D-Forum, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/14464/

--

[SA14527] Novell iChain Administrator Session Hijacking Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      Hijacking, Security Bypass
Released:    2005-03-09

Francisco Amato has reported a vulnerability in iChain, which can be exploited by malicious people to bypass the user authentication.

Full Advisory:
http://secunia.com/advisories/14527/

--

[SA14537] Novell iChain FTP Server Path Disclosure Weakness

Critical:    Not critical
Where:       From remote
Impact:      Exposure of system information
Released:    2005-03-09

A weakness has been reported in Novell iChain, which can be exploited by malicious people to gain knowledge of certain system information.

Full Advisory:
http://secunia.com/advisories/14537/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

From isn at c4i.org  Fri Mar 11 05:10:25 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 11 05:15:46 2005
Subject: [ISN] UK firms haemorrhaging data to drive-by hackers
Message-ID:

http://www.vnunet.com/news/1161837

Robert Jaques
vnunet.com
10 Mar 2005

The explosion of wireless networks is leaving global businesses wide open to 'drive-by hacking' and other security risks, experts have warned.

According to research released today, more than a third of businesses worldwide with wireless networks are open to abuse from hackers and criminals in the street or a neighbouring building.

The study, commissioned by RSA Security, estimated that wireless networks in Europe's financial capitals alone are growing at an annual rate of 66 per cent, and more than a third of businesses remain unprotected from this type of attack.

"For a potential hacker it is almost a case of walking down the street and trying all the doors until one opens. It is almost inevitable that one will," said John Worrall, vice president of worldwide marketing at RSA Security.

The research was based on studies in the business centres of New York, San Francisco, London and Frankfurt. Some 38 per cent of businesses in New York, 35 per cent in San Francisco, 36 per cent in London and 34 per cent in Frankfurt were at risk from drive-by hacking.

The study also revealed that many businesses had failed to take even basic security precautions such as reconfiguring default network settings.
This means that wireless network access points could still be broadcasting valuable information that could be used by potential hackers and assist them in launching an attack. In London 26 per cent of access points still had default settings, 30 per cent in Frankfurt, 31 per cent in New York and 28 per cent in San Francisco.

In addition to the business security issues, researchers also found an explosion in public access wireless hotspots; 12 per cent of all wireless network access points in London fell into this category, compared with 24 per cent in Frankfurt, 21 per cent in New York and 12 per cent in San Francisco.

"These figures are another stark warning to unsecured businesses to get their act together," said Phil Cracknell, chief technology officer at NetSurity and the author of the research.

"The rapid rise of wireless public access hotspots runs in parallel to the increased risk to businesses that operate wireless networks with little or no security.

"Accidental or intentional connection to a corporate network can bring with it a series of security issues including loss of confidential data and installation of malicious code.

"Fuelled by the availability and abundance of hotspots, mobile users now expect to find, and know how to use, a wireless network. The question is whose network will they access, and what will they do when they are there?"

Worrall added: "These results reinforce why it is crucial to increase the understanding of security risks in the wired and wireless world.

"This is the fourth year of our survey and the situation shows no sign of improvement. While it is clear that businesses are benefiting from the flexibility and ease-of-use of wireless technology, they must also ensure that the right security steps are taken to protect against exploitation."

The researchers used a laptop computer and free software available from the internet to pick up information from company wireless networks simply by driving around the streets.
From isn at c4i.org  Fri Mar 11 05:10:39 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 11 05:15:48 2005
Subject: [ISN] Windows NT4 servers open to hackers
Message-ID:

http://www.theage.com.au/news/Breaking/Windows-NT4-servers-open-to-hackers/2005/03/11/1110417668599.html

By Sam Varghese
March 11, 2005

Hundreds of thousands of websites which run on Windows NT4 are vulnerable to a critical flaw in a key Windows networking protocol, the network services firm Netcraft says.

The flaw, in the server message block (SMB) protocol, could allow a remote attacker to seize control of a vulnerable server. This protocol allows Windows computers to share files and printers on a network.

Microsoft issued an advisory for the flaw on February 8 but patches were issued only for recent versions of Windows - 2000 Service Pack 3 and Service Pack 4, XP Service Pack 1 and Service Pack 2, XP 64-Bit Edition Service Pack 1 (Itanium), XP 64-Bit Edition Version 2003 (Itanium), Server 2003 and Server 2003 for Itanium-based Systems.

Microsoft ended official support for Windows NT 4.0 on December 31 last year.

Security firm eEye Digital Security raised the issue on the BugTraq vulnerability mailing list by pointing out that Microsoft would not be releasing a public Windows NT 4.0 patch for this flaw as this version of Windows had reached its end of life.

"Microsoft has, however, created a private patch for customers who have paid for extended Windows NT 4.0 support," eEye's chief hacking officer Marc Maiffret wrote.

He said if an organisation was unlucky enough to still have Windows NT 4.0 systems and was unable to pay for extended support then there were not many options to ensure that their systems were safe.

Netcraft said that in its latest monthly survey of websites, it had found 1.1 percent of web-facing hostnames continued to run NT4. The survey found a total of over 60 million sites.

Maiffret said there was a way to defend against some attacks.
"One way we found to mitigate these attacks, at least some of them, is to enable SMB Signing. This does not truly mitigate the attack but instead it creates change in the SMB protocol that most attack tools I have seen do not support," he wrote.

Microsoft has been asking customers to upgrade to Server 2003, citing security as a reason.

From isn at c4i.org  Mon Mar 14 04:41:40 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Mar 14 04:54:18 2005
Subject: [ISN] Personal information taken in Nevada DMV office break-in
Message-ID:

http://www.lasvegassun.com/sunbin/stories/nevada/2005/mar/11/031110432.html

By KEN RITTER
ASSOCIATED PRESS
March 11, 2005

NORTH LAS VEGAS, Nev. (AP) - Personal information from more than 8,900 people was stolen when thieves broke into a Nevada Department of Motor Vehicles office, officials said Friday.

A computer taken during the break-in contained names, ages, dates of birth, Social Security numbers, photographs and signatures of southern Nevada residents who obtained driver's licenses between Nov. 25 and March 4 at the North Las Vegas office, state DMV chief Ginny Lewis said.

"The state is extremely sorry that this has happened," Lewis said. "Those motorists whose data was on that computer need to know their personal information has been compromised."

The DMV had previously maintained that the information on the computer stolen in Monday's break-in was encrypted, making it virtually useless to thieves. But Lewis said Friday that Digimarc Corp., the Beaverton, Ore.-based company that provides digital driver's licenses in Nevada, told her Thursday the information was not encrypted, and was readily accessible.

Miz Nakajima, Digimarc spokeswoman, said Friday she could not comment on specifics about state DMV customers or the Nevada theft. The publicly traded company provides a service Nakajima called "digital watermarking" to motor vehicle departments in 34 states and the District of Columbia.
All 21 Nevada DMV licensing stations around the state were ordered by the end of the day Friday to remove personal information from computers to prevent a recurrence, Lewis said.

The Nevada DMV planned to send certified letters by next week informing the 8,900 drivers who obtained licenses at the Donovan Way office in North Las Vegas that their personal information was in the hands of thieves.

The licenses of each motorist will be canceled and a new license will be issued with new identification numbers, Lewis said during a news conference outside the office at the end of a remote industrial road wedged between Interstate 15 and the Union Pacific railroad tracks.

Paul Masto, assistant special agent in charge of the U.S. Secret Service office in Las Vegas, said the agency was investigating. He urged those affected to take precautions against identity theft.

"That's the juicy stuff - the dates of birth, the Social Security numbers," Masto said. "They have that information. There's nothing we can do about that."

The Nevada DMV data theft comes after personal information was stolen from a database owned by the information broker LexisNexis and from the giant data broker ChoicePoint Inc. Another data loss affected some 1.2 million federal employees with Bank of America charge cards.

North Las Vegas police were following several leads in the DMV case, department spokesman Officer Tim Bedwell said. He said the initial investigation was hampered by the lack of video surveillance.

Lewis said she was seeking federal and state funds to install cameras at DMV offices throughout Nevada.

Police said thieves smashed a vehicle through a back wall of the office and escaped before police arrived a half-hour later.

In addition to the computer, thieves took a camera, 1,700 license blanks and laminated plastic covers bearing the embossed state seal. Authorities said the equipment could be used to manufacture licenses virtually indistinguishable from legitimate Nevada driver's licenses.
The state's top homeland security adviser said he notified federal Homeland Security officials about the break-in.

-=-

On the Net:

Nevada Department of Motor Vehicles: http://www.dmvstat.com

From isn at c4i.org  Mon Mar 14 04:42:03 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Mar 14 04:54:21 2005
Subject: [ISN] 2001: Bush Warned of Tech Dangers
Message-ID:

Forwarded from: William Knowles

http://www.wired.com/news/privacy/0,1848,66884,00.html

Associated Press
March 13, 2005

WASHINGTON -- The nation's electronic intelligence agency warned President Bush in 2001 that monitoring U.S. adversaries would require a "permanent presence" on networks that also carry Americans' messages that are protected from government eavesdropping.

The warning was contained in a National Security Agency report entitled "Transition 2001," sent to Bush shortly after he took office and reflects the agency's major concerns at the time.

The report was obtained under the Freedom of Information Act by the National Security Archive, a private security watchdog group at George Washington University that made the document public.

The papers offer a rare glimpse into the usually publicity-shy NSA, which monitors communications involving foreign targets and does code-making and breaking.

The document showed an agency making a case to the White House that information security should be a top priority. It raised questions about how new global communications technologies were challenging the Constitution's protections against unreasonable searches and seizures.

"Make no mistake, NSA can and will perform its missions consistent with the Fourth Amendment and all applicable laws," the document says.

But, it adds, senior leadership must understand that the NSA's mission will demand a "powerful, permanent presence" on global telecommunications networks that host both "'protected' communications of Americans" and the communications of adversaries the agency wants to target.
The document also said the global nature of technology leaves government and private networks more vulnerable to penetration by enemies. The report said the agency was concerned that federal and private digital networks were now "more vulnerable to foreign intelligence operations and to compromise."

The documents indicate the NSA was going on an offensive using the new modes of communication -- mostly digital and able to carry billions of bits of data. It says the agency is "prepared organizationally, intellectually and -- with sufficient investment -- technologically to exploit in an unprecedented way the explosion of global communications."

NSA was also concerned about the security of its parent agency, the Defense Department. In 1999, the document says, the department experienced over 22,000 cyber attacks, most of which had little effect on operations.

"During the presidential transition period, a major cyber attack is possible," the agency warned. But no significant cyber attack occurred then.

In the 42-page report, the agency said it had tried to transform itself from an entity nicknamed "No Such Agency" by dispatching its director to public events and reaching out to the media. The agency said media representatives were invited inside the agency for family day in September 2000.

Staffing was clearly a concern of the agency. The documents show a sharp drop in civilian personnel after the end of the cold war. In 2001, there were just over 16,000 civilians, down from 22,000 in early 2001. At the time, 19 percent of the work force was eligible for early retirement.

Since the Sept. 11, 2001, attacks, intelligence agencies have gone on a hiring spree. The NSA announced last April it intended to hire 1,500 new employees a year for the next five years, focusing on people fluent in foreign languages including Arabic and Chinese, intelligence analysts and technical experts.
*==============================================================*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org  Mon Mar 14 04:42:16 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Mar 14 04:54:24 2005
Subject: [ISN] 140 Kaiser patients' private data put online
Message-ID:

http://www.siliconvalley.com/mld/siliconvalley/11110907.htm

By Barbara Feder Ostrov
Mercury News
March 11, 2005

In a troubling episode involving medical privacy in the digital age, Kaiser Permanente is notifying 140 patients that a disgruntled former employee posted confidential information about them on her Weblog.

The woman, who calls herself the "Diva of Disgruntled," claims it was Kaiser Permanente that included private patient information on systems diagrams posted on the Web, and that she pointed it out.

The health care giant learned of the breach from the federal Office of Civil Rights in January, said Kaiser spokesman Matthew Schiffgens. Kaiser has been investigating ever since, Schiffgens said, but it wasn't until Wednesday that it asked the Internet service provider hosting the blog to remove the information.

Kaiser has not been able to verify the woman's claims that it was responsible for posting private patient information, said Schiffgens.

"If we had a role in making that available, we have a right to be criticized for that," Schiffgens said. "Regardless of how it happened, her initial postings are clearly a breach of her obligation to protect member confidentiality."

The woman, who identified herself only as "Elisa," told the Mercury News Kaiser posted patient information on an unsecured technical Web site and that she called attention to it before Kaiser took the site down.
She also said that she reposted the information on another site to make the point that anyone could have gained access to this information, since it had been widely available on the Web for a year. She said she also filed a complaint with the federal Office of Civil Rights about the security breach.

The information includes medical record numbers, patient names and in some cases information about, but not results of, routine lab tests.

The former employee apparently reposted the information Thursday, but it was again removed, Schiffgens said.

Kaiser contacted or left messages with 90 of the 140 members Thursday to alert them to the security breach, and hopes to reach the remaining members today. The patients were dispersed throughout Northern California, Schiffgens said.

"We apologize regarding this unlawful disclosure," he said. "We take our members' confidential and personal information very seriously."

Schiffgens said the woman was a low-level Web designer who worked for the Kaiser Permanente Medical Group in Oakland. She was terminated in June 2003, but Schiffgens would not say why or release her name.

Kaiser will take legal action against the woman if warranted, Schiffgens said. Under federal health privacy rules known as HIPAA, the woman could face up to $250,000 in fines and 10 years in prison for unauthorized disclosure of patient information.

From isn at c4i.org  Mon Mar 14 04:42:43 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Mar 14 04:54:27 2005
Subject: [ISN] AOL's Terms of Service Update for AIM Raises Eyebrows
Message-ID:

http://www.eweek.com/article2/0,1759,1775649,00.asp

By Ryan Naraine
March 12, 2005

America Online, Inc. has quietly updated the terms of service for its AIM instant messaging application, making several changes that are sure to raise the hackles of Internet privacy advocates.

The revamped terms of service, which apply only to users who downloaded the free AIM software on or after Feb. 5, 2004, gives AOL the right to "reproduce, display, perform, distribute, adapt and promote" all content distributed across the chat network by users.

"You waive any right to privacy. You waive any right to inspect or approve uses of the content or to be compensated for any such uses," according to the AIM terms-of-service.

Although the user will retain ownership of the content passed through the AIM network, the terms give AOL ownership of "all right, title and interest in any compilation, collective work or other derivative work created by AOL using or incorporating this [user] content.

"In addition, by posting content on an AIM Product, you grant AOL, its parent, affiliates, subsidiaries, assigns, agents and licensees the irrevocable, perpetual, worldwide right to reproduce, display, perform, distribute, adapt and promote this content in any medium," it added.

The changes could have serious ramifications for AOL's AIM@Work service which is being marketed to businesses. AIM@Work offers things like Identity Services to allow the use of corporate e-mail address as AOL screen names. It also offers premium services like voice conferencing and Web meetings.

At the time of this reporting, it is not clear if the same terms of service apply to businesses who pay for the AIM@Work features. America Online executives were not available to discuss the terms of service changes.

On [2] Weblogs [3] and discussion forums [4], the discovery of the updated AIM terms of service has led to intense discussions.

"They're encouraging businesses to use AIM to discuss details of their business correspondence, even to sync their Outlook contact and calendar files, which, according to their TOS, AOL then has the right to publish in any way they see fit, including, among other things, providing that information to business competitors. I'd be pretty damn leery of using AIM@Work for any kind of business," said Ben Stanfield, executive editor and founder of MacSlash, Inc.
[1] http://www.aim.com/tos/tos.adp
[2] http://www.eweek.com/article2/0,1759,1770845,00.asp
[3] http://www.benstanfield.com/thrash/2005/03/aol_eavesdrops_.html
[4] http://yro.slashdot.org/article.pl?sid=05/03/11/2359226&tid=120&tid=158&tid=17

From isn at c4i.org  Mon Mar 14 04:43:29 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Mar 14 04:54:29 2005
Subject: [ISN] Government Agencies To Get Early Dibs On Windows Patches
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml?articleID=159401297

By Eric Chabrow
InformationWeek
March 11, 2005

Microsoft will give the Air Force and other federal agencies software patches to test a month before the general public receives them. The arrangement is part of Microsoft's Security Update Validation Program, a "closed beta program" introduced within the past 12 months.

Microsoft will begin giving prerelease software patches to the Air Force, The Wall Street Journal reported Friday. The Department of Homeland Security will give advance notice of the new vulnerabilities to other government agencies and distribute the patches to them after they've been tested by the Air Force, the newspaper reported.

Advance testing will make it possible for government agencies to install the patches as soon as Microsoft releases the final versions. That's aimed at helping agencies stay ahead of hackers, who often are able to develop attacks that exploit a software hole less than a week after Microsoft discloses the vulnerability.

The early-access program is also available to select business customers. The software updates are provided to program participants only for testing purposes, a Microsoft spokesman says.

"Customers are specifically prohibited from deploying these security updates in a production environment," the spokesman says via E-mail. "Participants are testing prerelease software, therefore the updates are provided only to deploy in a test environment.
Participants can only deploy the security updates to their entire infrastructure when they are released to the general public." The issue of providing advance access to security bulletins and software patches is a sensitive subject for Microsoft and other software vendors, who need to ensure that information and code don't find their way to hackers before final patches are available for all customers. And customers who don't receive advance notice may believe they're at a disadvantage. From isn at c4i.org Mon Mar 14 04:43:43 2005 From: isn at c4i.org (InfoSec News) Date: Mon Mar 14 04:54:32 2005 Subject: [ISN] Security experts hit out at "unethical" bug finder Message-ID: http://software.silicon.com/security/0,39024655,39128621,00.htm By Will Sturgeon silicon.com March 11, 2005 Security experts have hit out at US firm Immunity Inc, which provides paid-up members with vulnerability information under non-disclosure agreements (NDA), which it subsequently keeps from vendors and the world at large. A silicon.com article last week revealed Immunity and its founder Dave Aitel have been causing a stir in the security world in recent months with a business model branded "unethical" but entirely above-board. The greatest source of growing concern appears to focus on the NDA and the potential for anybody to sign up and pay the price for notification of vulnerabilities. One rival bug finder, who operates along the more traditional lines of informing the affected vendor of the flaw in its product and working with them to patch it before releasing any details of the vulnerability, has hit out at Immunity Inc. Drew Copley, senior research engineer at eEye Digital Security, told silicon.com the situation of signing members to a non-disclosure agreement in return for information on security vulnerabilities is "extremely unethical". "What are these people missing here?" asked Copley. "Are they crazy? 
What prevents any organised criminal group or criminal from getting on there and signing an NDA?" "We treat security vulnerabilities that are not fixed yet by the vendor as state secrets. Selling them to anyone who would pose as a company or sign an NDA is highly unethical." Copley said even "total disclosure", whereby everybody - vendors, researchers and the general public alike - is given the information at the same time would be preferable. eEye was last week credited for working with Computer Associates to fix flaws in CA's licensing software. Simon Perry, VP security strategy at CA, told silicon.com: "Knowledge cannot be effectively controlled. NDAs in the IT community as a whole are not taken seriously and there do not appear to be adequate controls to ensure that the information does not leak to those who have an interest in creating a dangerous exploit." "The business model deliberately creates a culture of the security haves, and the security have-nots. It does not improve security overall," he added. Perry also questioned whether Aitel's customers are getting value for money. Because vendors are kept out of the loop, flaws go un-patched while Immunity's customers are given a workaround. "You're given a workaround by Immunity, but you don't have a fix - a patch from the vendor that permanently addresses the problem. The door is closed, but it's not locked shut." From isn at c4i.org Mon Mar 14 04:44:16 2005 From: isn at c4i.org (InfoSec News) Date: Mon Mar 14 04:54:34 2005 Subject: [ISN] Computer security pioneer honored Message-ID: http://www.montereyherald.com/mld/montereyherald/news/11109598.htm By KEVIN HOWE Herald Staff Writer March 11, 2005 First came the automobile. Then came anti-lock brakes, seat belts and air bags. The evolution of the computer has followed a similar path, said a woman who was a pioneer in the field of computer security: first the invention, then the safety devices. 
Dorothy Denning, professor in the Department of Defense Analysis at the Naval Postgraduate School, literally wrote the book on computer security. "Cryptography and Data Security," published by Addison-Wesley in 1982, is a classic textbook in the field. Denning previously taught at Georgetown University, where she was the Callahan Family Professor of Computer Science and director of the Georgetown Institute of Information Assurance, and at Purdue University. She came to the Navy school in 2002 because "it seemed like an interesting and challenging environment and because I have a lot of respect for what the school is doing. "It is definitely the leading edge in information security," she said. In February, Denning was honored with the prestigious 2004 Harold F. Tipton Award, which recognizes lifelong contributions to the improvement of the information security profession. One of two women Denning was one of two women in the field when she earned her doctorate. The other was Anita Jones "who finished her Ph.D. thesis a couple of years before I did." She holds bachelor's and master's degrees in mathematics from the University of Michigan and her doctorate in computer science from Purdue University. When she first became involved with computers in the 1960s, "there were no mice, no PCs, no screens, no portable media like CDs and disks; you couldn't even get remote access. You worked in a room with the machine." When remote terminals did become available, Denning said, they were hard-wired to the computer. Data spewed out on punched tape, punch cards and magnetic tape. "Security was room security, protection of physical access" to the computer. Then came time-sharing. The security problem in those early days "was vastly simpler," she said. "There were no malicious codes, no viruses, no spam, no Internet fraud." The professional literature in the field was written by a handful of academics "and you could read all of them, be fully up on their thinking. 
Now the field is so vast, there is a huge number of people in academia and security professionals. You can't possibly read it all." The Internet, once the exclusive domain of scientists, academics and the military, was opened by the personal computer to people of all walks of life, including advertisers and criminals. Suddenly the world of cyberspace was vulnerable, and its inhabitants needed locks and keys to protect themselves. Fast-moving technology When personal computers came online, technology was moving so fast and the job of building a really secure system was so hard that the computer developers were continually outpacing the security developers. "It was not a high enough priority among the buyers," she said. Buyers just wanted to get a fast operating system up and running and didn't want to spend money on security systems. "Now there's a lot more interest." Users of the Internet, Denning said, should take the same attitude they have when they go out on the street. You can be assaulted, mugged or pickpocketed in either place. "It's not possible to prevent every crime," she said. "You can't have absolute security." But, she said, she's never had any qualms about doing her shopping on the Net or conducting business over it. Users just need to apply some virtual street smarts. "When in doubt," she said, "don't provide personal information. Sites that ask for confidential information are mostly a scam." Users shouldn't fear to use credit when dealing with established companies like eBay or Amazon.com, she said. "I wouldn't advise you not to engage in e-commerce." Users should keep their computers "patched" with updates and download any fixes from their service providers, she said. And they should get one good virus protection system from a major provider, such as Symantec. You just need one, Denning said. "They all do pretty much the same thing." Such antivirus programs should also be kept up to date. 
Precautions can protect a user's privacy, credit and bank account. Government and industry have vital interests in securing their data systems, she said, to protect classified information and the systems that run power and transportation grids, oil and water distribution systems. Her work in the past has been developing ways of detecting hacker attacks on such systems and the problem of a terrorist onslaught against the U.S. Internet has been part of war games at the Navy school annually. The usual scenario, she said, combines a cyber attack with a physical attack against some vital installation. Denning said computer systems "have a lot of redundancy and resilience," and an attack will likely be met with "a lot of cooperation" to fend it off. Undoubtedly, she said, such cyber attacks have already been launched and squelched since the 9/11 terrorist attacks. Good place to teach Teaching at NPS, Denning said, is a pleasure. "The students bring into the classroom very, very rich experiences" from time spent at sea or in the field as well as from their studies. "They're also extremely smart and dedicated. And they do their work on time. I've never worked where you could count on students to be on time, and they turn in superior work. I like reading their assignments." In addition to her academic work, Denning has worked at SRI International and Digital Equipment Corp. She has published 120 articles and four books, her most recent being "Information Warfare and Security," including "Is Cyber Terror Next?" in the essay collection "Understanding September 11," published by The New Press in 2002. Two other articles are awaiting publication: "Cyber Security as an Emergent Infrastructure," to appear in "IT and Global Security," published by The New Press and "Information Technology and Security" to appear in "Grave New World," Georgetown University Press. In November 2001, she was named a Time magazine innovator. 
Her leadership positions have included president of the International Association for Cryptologic Research and chair of the National Research Council Forum on Rights and Responsibilities of Participants in Network Communities. From isn at c4i.org Mon Mar 14 04:47:23 2005 From: isn at c4i.org (InfoSec News) Date: Mon Mar 14 04:54:37 2005 Subject: [ISN] Inside the Ring Message-ID: http://washingtontimes.com/national/20050311-123922-9537r.htm By Bill Gertz and Rowan Scarborough THE WASHINGTON TIMES March 11, 2005 [...] China breaks code? The U.S. code-breaking community is worried about China's advances in cracking U.S. codes. Three Chinese cryptologists last month reported they had found a way to crack a U.S. government-approved information security system known as SHA-1, or Secure Hash Algorithm-1. The SHA-1 encryption is used widely within the U.S. government, including the Pentagon and U.S. intelligence community. It is currently the Federal Information Processing Standard and has been since 1994. Put simply, SHA-1 is a security authentication device that is used to verify the integrity of digital media, and to make sure that data or messages, such as secure e-mail, are not changed during transmission. Chinese researchers, Xiaoyun Wang, Yiqun Lisa Yin and Hongbo Yu reported in a paper Feb. 13 that they had "developed new techniques that are very effective" for breaking SHA-1 code, without using time-consuming "brute force" attacks. The National Institute of Standards and Technology (NIST), which made SHA-1 a federal standard, said in a statement that it could not confirm the Chinese code-breaking but noted that the three researchers are "reputable" specialists with cryptographic expertise. NIST said the new "attack" or code-breaking "is of particular importance in digital signature applications, such as time-stamping, and notarization." 
But the institute sought to play down the implications of the Chinese claim, stating that the method described in the paper will be "difficult to carry out in practice." Still, the U.S. government is phasing out SHA-1 over the next five years. "Due to advances in computing power, NIST already planned to phase out SHA-1 in favor of the larger and stronger hash functions (SHA-224, SHA-256, SHA-384 and SHA-512) by 2010," the statement said. Disclosure of the code break followed China's publication of a defense white paper in December that identifies the use of information technology as a central element of Chinese military doctrine. U.S. defense officials say China's military believes its cyber-soldiers can successfully cripple the U.S. military by attacking key computer-run infrastructures and other information networks. Daniel E. Spisak, a private security engineer, said China is capable of building its own SHA-1 "cracker" using computers. "This could potentially allow them to access sensitive systems," he said. "However, from what small knowledge I do have of how secure data links get set up for some kinds of DOD projects, I think it would be very difficult to exploit the SHA-1 [code break] to their advantage." The danger, he noted in an e-mail, is that China could exploit a security lapse in U.S. government networks and systems. Mr. Spisak said as long as U.S. government computers are properly protected by multiple layers of defense and authentication mechanisms, "one can ensure it is sufficiently difficult to gain illegal access to sensitive networks and systems even with one part failing." But if proper security precautions are not taken, "then all bets could be off," he said. Bruce Schneier, a cryptography and security specialist, said the Chinese breakthrough is not alarming. But he noted that within the U.S. National Security Agency there is an old saying: "Attacks always get better; they never get worse." [...] 
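The integrity check the article describes for SHA-1, together with the phase-out NIST announced, as an added example in Python that is not code from the article, from NIST or from the researchers named: a verifier for a digest manifest that recomputes each file's digest, accepts SHA-224/256/384/512, still checks SHA-1 but reports it as deprecated, and rejects any other algorithm. The manifest format, the policy sets and the sample files are assumptions made for this example.

```python
"""Added example: digest-manifest verification with a hash-algorithm policy.

Not code from the article or from NIST. Manifest lines are assumed to be
'<algorithm> <hexdigest> <filename>'. SHA-224/256/384/512 are accepted,
SHA-1 is verified but reported as deprecated, anything else is rejected
without being computed.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Policy assumed for this example, following the NIST statement quoted above.
APPROVED = {"sha224", "sha256", "sha384", "sha512"}
DEPRECATED = {"sha1"}


@dataclass
class Result:
    name: str        # file name from the manifest line (raw line if malformed)
    algorithm: str   # algorithm named on the manifest line
    matched: bool    # True only if a digest was computed and equals the recorded one
    status: str      # "ok", "deprecated", "rejected", "unknown-file" or "malformed"


def compute_digest(algorithm: str, data: bytes) -> str:
    """Hex digest of data under the named hashlib algorithm."""
    return hashlib.new(algorithm, data).hexdigest()


def make_manifest(files: dict[str, bytes], algorithm: str) -> str:
    """Build a manifest (one line per file) in the assumed format."""
    lines = [f"{algorithm} {compute_digest(algorithm, data)} {name}"
             for name, data in files.items()]
    return "\n".join(lines) + "\n"


def verify_manifest(manifest: str, files: dict[str, bytes]) -> list[Result]:
    """Check every manifest line against the in-memory file contents.

    A line counts as matched only when its algorithm is within policy and the
    recomputed digest equals the recorded one (compared in constant time).
    """
    results: list[Result] = []
    for raw in manifest.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)          # maxsplit=2 keeps spaces in file names
        if len(parts) != 3:
            results.append(Result(line, "", False, "malformed"))
            continue
        algorithm, expected, name = parts[0].lower(), parts[1].lower(), parts[2]
        if algorithm not in APPROVED | DEPRECATED:
            # Out-of-policy algorithm (e.g. md5): report it, do not compute it.
            results.append(Result(name, algorithm, False, "rejected"))
            continue
        if name not in files:
            results.append(Result(name, algorithm, False, "unknown-file"))
            continue
        hex_len = hashlib.new(algorithm).digest_size * 2
        if len(expected) != hex_len or any(c not in "0123456789abcdef" for c in expected):
            results.append(Result(name, algorithm, False, "malformed"))
            continue
        matched = hmac.compare_digest(compute_digest(algorithm, files[name]), expected)
        status = "ok" if algorithm in APPROVED else "deprecated"
        results.append(Result(name, algorithm, matched, status))
    return results


def manifest_passes(results: list[Result]) -> bool:
    """True only if every line matched under an approved (non-deprecated) algorithm."""
    return bool(results) and all(r.matched and r.status == "ok" for r in results)


if __name__ == "__main__":
    # Constructed sample data, not from the article.
    sample = {"payroll.csv": b"id,name,amount\n1,alice,100\n", "readme.txt": b"hello\n"}
    manifests = [make_manifest(sample, "sha256"), make_manifest(sample, "sha1"),
                 "md5 0123456789abcdef0123456789abcdef readme.txt\n"]
    for manifest in manifests:
        for r in verify_manifest(manifest, sample):
            print(f"{r.algorithm:7} {r.name:12} matched={r.matched} status={r.status}")
```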
From isn at c4i.org Tue Mar 15 02:07:00 2005 From: isn at c4i.org (InfoSec News) Date: Tue Mar 15 02:17:22 2005 Subject: [ISN] Know Your Enemy: Tracking Botnets Message-ID: Forwarded from: Thorsten Holz Greetings, The Honeynet Project and Research Alliance is excited to announce the release of a new paper "KYE: Tracking Botnets". This paper is based on the extensive research by the German Honeynet Project. KYE: Tracking Botnets http://www.honeynet.org/papers/bots/ Abstract: --------- Honeypots are a well known technique for discovering the tools, tactics, and motives of attackers. In this paper we look at a special kind of threat: the individuals and organizations who run botnets. A botnet is a network of compromised machines that can be remotely controlled by an attacker. Due to their immense size (tens of thousands of systems can be linked together), they pose a severe threat to the community. With the help of honeynets we can observe the people who run botnets - a task that is difficult using other techniques. Due to the wealth of data logged, it is possible to reconstruct the actions of attackers, the tools they use, and study them in detail. In this paper we take a closer look at botnets, common attack techniques, and the individuals involved. We start with an introduction to botnets and how they work, with examples of their uses. We then briefly analyze the three most common bot variants used. Next we discuss a technique to observe botnets, allowing us to monitor the botnet and observe all commands issued by the attacker. We present common behavior we captured, as well as statistics on the quantitative information learned through monitoring more than one hundred botnets during the last few months. We conclude with an overview of lessons learned and point out further research topics in the area of botnet-tracking, including a tool called mwcollect2 that focuses on collecting malware in an automated fashion. 
Thank you for your time, Thorsten Holz, on behalf of the GHP (http://www-i4.informatik.rwth-aachen.de/lufg/honeynet) From isn at c4i.org Tue Mar 15 02:07:24 2005 From: isn at c4i.org (InfoSec News) Date: Tue Mar 15 02:17:25 2005 Subject: [ISN] AOL's Terms of Service Update for AIM Raises Eyebrows Message-ID: Forwarded from: security curmudgeon : http://www.eweek.com/article2/0,1759,1775649,00.asp : : By Ryan Naraine : March 12, 2005 : : America Online, Inc. has quietly updated the terms of service for its : AIM instant messaging application, making several changes that is sure : to raise the hackles of Internet privacy advocates. : : The revamped terms of service, which apply only to users who downloaded : the free AIM software on or after Feb. 5, 2004, gives AOL the right to : "reproduce, display, perform, distribute, adapt and promote" all content : distributed across the chat network by users. The article is updated: http://www.eweek.com/article2/0,1759,1775743,00.asp [..] America Online Inc. on Sunday moved to quell public criticism of the terms of service for its AIM service, insisting the controversial privacy clause does not pertain to user-to-user instant messaging communication. [..] From isn at c4i.org Tue Mar 15 02:09:20 2005 From: isn at c4i.org (InfoSec News) Date: Tue Mar 15 02:17:27 2005 Subject: [ISN] Secrecy News -- 03/10/05 Message-ID: ---------- Forwarded message ---------- Date: Thu, 10 Mar 2005 05:06:01 -0500 From: "Aftergood, Steven" To: secrecy_news@lists.fas.org Subject: Secrecy News -- 03/10/05 SECRECY NEWS from the FAS Project on Government Secrecy Volume 2005, Issue No. 22 March 10, 2005 ** SUDAN DEMANDS CLARIFICATION OF 1962 U.S. NUCLEAR TEST ** FBIS PHOTOS OF IRAN NUCLEAR FACILITIES ** HHS INFOSEC POLICY: FOR OFFICIAL USE ONLY, OR WHATEVER ** SAYING NEY TO THE CONGRESSIONAL RESEARCH SERVICE [...] 
HHS INFOSEC POLICY: FOR OFFICIAL USE ONLY, OR WHATEVER The Department of Health and Human Services updated its information security policies in a December 2004 policy issuance. The 64 page document is prominently marked "for official use only." On the other hand, it states candidly on the title page, "Disclosure is not expected to cause serious harm to HHS." See "Information Security Program Policy," Department of Health and Human Services, December 15, 2004 (thanks to RT): http://www.fas.org/sgp/othergov/hhs-infosec.pdf [...] _______________________________________________ Secrecy News is written by Steven Aftergood and published by the Federation of American Scientists. To SUBSCRIBE to Secrecy News, send email to secrecy_news-request@lists.fas.org with "subscribe" in the body of the message. To UNSUBSCRIBE, send a blank email message to secrecy_news-remove@lists.fas.org OR email your request to saftergood@fas.org Secrecy News is archived at: http://www.fas.org/sgp/news/secrecy/index.html Secrecy News has an RSS feed at: http://www.fas.org/sgp/news/secrecy/index.rss _______________________ Steven Aftergood Project on Government Secrecy Federation of American Scientists web: www.fas.org/sgp/index.html email: saftergood@fas.org voice: (202) 454-4691 From isn at c4i.org Tue Mar 15 02:09:50 2005 From: isn at c4i.org (InfoSec News) Date: Tue Mar 15 02:17:30 2005 Subject: [ISN] Linux Security Week - March 14th 2005 Message-ID: +---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | March 14th, 2005 Volume 6, Number 11n | | | | Editorial Team: Dave Wreski dave@linuxsecurity.com | | Benjamin D. Thomas ben@linuxsecurity.com | +---------------------------------------------------------------------+ Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. 
This week, perhaps the most interesting articles include "Digital encryption standard flawed," "An Illustrated Guide to Cryptographic Hashes," "Will SELinux Become More Widely Adopted?" --- >> Enterprise Security for the Small Business << Never before has a small business productivity solution been designed with such robust security features. Engineered with security as a main focus, the Guardian Digital Internet Productivity Suite is the cost-effective solution small businesses have been waiting for. http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn07 --- LINUX ADVISORY WATCH This week, advisories were released for clamav, kernel, squid, kppp, helixplayer, tzdata, libtool, firefox, ipsec-tools, dmraid, gaim, libexif, gimp, yum, grip, libXpm, xv, ImageMagick, Hashcash, mlterm, dcoidlng, curl, gftp, cyrus-imapd, unixODBC, and mc. The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat, and SuSE. http://www.linuxsecurity.com/content/view/118550/150/ --------------- Getting to Know Linux Security: File Permissions Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, therefore very simple. http://www.linuxsecurity.com/content/view/118181/49/ --- The Tao of Network Security Monitoring: Beyond Intrusion Detection The Tao of Network Security Monitoring is one of the most comprehensive and up-to-date sources available on the subject. It gives an excellent introduction to information security and the importance of network security monitoring, offers hands-on examples of almost 30 open source network security tools, and includes information relevant to security managers through case studies, best practices, and recommendations on how to establish training programs for network security staff. 
http://www.linuxsecurity.com/content/view/118106/49/ --- Encrypting Shell Scripts Do you have scripts that contain sensitive information like passwords and you pretty much depend on file permissions to keep it secure? If so, then that type of security is good provided you keep your system secure and some user doesn't have a "ps -ef" loop running in an attempt to capture that sensitive info (though some applications mask passwords in "ps" output). http://www.linuxsecurity.com/content/view/117920/49/ -------- >> The Perfect Productivity Tools << WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected. http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05 --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------+ | Security News: | <<-----[ Articles This Week ]---------- +---------------------+ * Researchers: Digital encryption standard flawed 9th, March, 2005 In a three-page research note, three Chinese scientists -- Xiaoyun Wang and Hongbo Yu of Shandong University and Yiqun Lisa Yin, a visiting researcher at Princeton University -- stated they have found a way to significantly reduce the time required to break an algorithm, known as the Secure Hashing Algorithm, or SHA-1, widely used for digital fingerprinting data files. Other cryptographers who have seen the document said that the results seemed to be genuine. http://www.linuxsecurity.com/content/view/118359 * Crypto suite supports Linux-based devices 7th, March, 2005 Cryptography specialist Certicom has launched a security software suite aimed at helping device makers create secure, Web-based user interfaces based on elliptic curve cryptography. 
The Certicom Security Architecture (CSA) for Embedded supports Linux, and includes SSL, IPSec, PKI, DRM, and Embedded Trust Services. http://www.linuxsecurity.com/content/view/118524 * IBM releases Linux 2005 Software Evaluation Kit 10th, March, 2005 This is the easiest way to get all of the fresh releases of IBM middleware for Linux. Take a look at what you get. http://www.linuxsecurity.com/content/view/118549 * An Illustrated Guide to Cryptographic Hashes 13th, March, 2005 With the recent news of weaknesses in some common security algorithms (MD4, MD5, SHA-0), many are wondering exactly what these things are: They form the underpinning of much of our electronic infrastructure, and in this Guide we'll try to give an overview of what they are and how to understand them in the context of the recent developments. But note: though we're fairly strong on security issues, we are not crypto experts. We've done our best to assemble (digest?) the best available information into this Guide, but we welcome being pointed to the errors of our ways. http://www.linuxsecurity.com/content/view/118560 * E-mail firewalls: A vital defense layer 8th, March, 2005 The exponential rise in spam and e-mail-borne viruses has pushed must-have network security layers beyond traditional firewalls and intrusion-detection appliances. E-mail firewalls have emerged as a complementary appliance for detecting and protecting against threats in the inbound e-mail stream. http://www.linuxsecurity.com/content/view/118530 * Review: Astaro Security Linux 5.1 9th, March, 2005 One of the more popular uses for Linux is as a router/firewall to secure a local area network (LAN) against intruders and share an Internet connection. Several specialized distributions have sprung up to simplify this task. These range from small, diskette-based distros like the Linux Router Project and FREESCO to larger systems requiring a hard disk installation. 
Among the latter is Astaro Corp.'s Astaro Security Linux (ASL) 5.1, which I recently reviewed as part of ongoing research into content filtering products. ASL is an RPM-based distribution that allows an administrator to easily turn an x86 PC or server into a router/firewall appliance. http://www.linuxsecurity.com/content/view/118539 * Informix: the good news and the bad news 9th, March, 2005 There is both good news and bad news for Informix users. The good news is that Informix Dynamic Server (IDS) 10, which represents a major new release of the database, is now available. The bad news is that future versions of SAP (with NetWeaver) will no longer be available on the Informix platform, with this support to be phased out starting with the next SAP release. http://www.linuxsecurity.com/content/view/118540 * DNS-Based Phishing Attacks on The Rise 8th, March, 2005 Phishing fraudsters are using a pair of DNS exploits to help give them the illusion of credible domains, the latest ploy to dupe people into handing over their sensitive information. http://www.linuxsecurity.com/content/view/118532 * HITBSecConf2004: Conference Videos Released 7th, March, 2005 We are proud to announce the immediate availability of the Hack In The Box Security Conference 2004 videos. http://www.linuxsecurity.com/content/view/118513 * Hosting Your Own Web Server: Things to Consider 10th, March, 2005 When being your own web host you should be technically inclined and have basic knowledge of operating systems, understand technical terms, understand how to setup a server environment (such as: DNS, IIS, Apache, etc.) have basic knowledge of scripting languages and databases (PHP, Perl, MySQL, etc.), be familiar with current technologies, and have a basic understanding of hardware and server components. 
http://www.linuxsecurity.com/content/view/118546 * OpenSSH 4.0 released 9th, March, 2005 OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. http://www.linuxsecurity.com/content/view/118541 * Novell's Linux desktop migration enters phase two 10th, March, 2005 The Waltham, Massachusetts-based software vendor's Linux desktop migration began in 2004 and overachieved on its phase-one goals, the company's chief information officer, Debra Anderson told ComputerWire. http://www.linuxsecurity.com/content/view/118545 * Alternative browser spyware infects IE 13th, March, 2005 Some useful citizen has created an installer that will nail IE with spyware, even if a surfer is using Firefox (or another alternative browser) or has blocked access to the malicious site in IE beforehand. The technique allows a raft of spyware to be served up to Windows users in spite of any security measures that might be in place. Christopher Boyd, a security researcher at Vitalsecurity.org, said the malware installer was capable of working on a range of browsers with native Java support. "The spyware installer is a Java applet powered by the Sun Java Runtime Environment, which allows them to whack most browsers out there, including Firefox, Mozilla, Netscape and others. http://www.linuxsecurity.com/content/view/118566 * More-Secure Linux Still Needs To Win Users 7th, March, 2005 The National Security Agency built a version of Linux with more security tools that its technologists believe could help make the country's computing infrastructure less vulnerable. They've won over the Linux developer community with the changes. But success depends on its adoption by U.S. companies and government agencies, something that remains very much in doubt. http://www.linuxsecurity.com/content/view/118511 * Will SELinux Become More Widely Adopted? 
7th, March, 2005 "The National Security Agency built a version of Linux with more security tools that its technologists believe could help make the country's computing infrastructure less vulnerable. They've won over the Linux developer community with the changes. But success depends on its adoption by U.S. companies and government agencies, something that remains very much in doubt. (ed: not to mention adoption by Joe User, who is depending on his vendor to make this thing workable) http://www.linuxsecurity.com/content/view/118525 * Nuclear cyber security debate hots up 8th, March, 2005 Two companies that make digital systems for nuclear power plants have come out against a government proposal that would attach cyber security standards to plant safety systems. http://www.linuxsecurity.com/content/view/118529 * Sensible IT Security for Small Businesses 8th, March, 2005 This is a frequent question asked by owners of small businesses concerned about growing security threats infesting the Internet. http://www.linuxsecurity.com/content/view/118531 * Exploit Out For CA Bugs, Eval Users Also At Risk 10th, March, 2005 Users of Computer Associates' products are now at an even greater risk, a security firm said Wednesday, because exploit code has appeared that takes advantage of vulnerabilities disclosed last week. http://www.linuxsecurity.com/content/view/118547 * Application protection 11th, March, 2005 Teros Gateway, developed by Teros, digs deep. In contrast to a Layer 3 or 4 firewall that may only identify problems in the primitive transport layers of the IP stack, Teros Gateway will dissect outgoing and incoming packets to examine compliance with security policies. Although a firewall may detect anomalies such as a port scan or other reconnaissance attempts, the Teros Gateway learns your critical applications' normal behavior. Based on that information, it can block any deviant behavior. 
http://www.linuxsecurity.com/content/view/118551 * Combating "Cardholder Not Present" Fraud 13th, March, 2005 Of the security issues facing banks everywhere, prevention of card fraud has always been a high priority, and is set to grow even further in importance. The level of card fraud has risen significantly over recent years, caused in the main, by the explosion in the number and usage of payment cards and the associated high level of organised card crime activity. For example, over the past decade, fraud losses on UK-issued plastic cards have risen from 96.8m to a staggering 402.4m a year. And these figures do not take into account the soft costs related to card fraud, such as tarnish to reputation and potential legal costs. http://www.linuxsecurity.com/content/view/118559 * Infection Vectors 13th, March, 2005 The other day I was browsing through the top virus threats for February and March 2005, looking at the assorted nastiness, when a funny thought occurred to me: is it possible to pick a favorite virus (or virus family)? I think it is. We can look at their innovations and evolution with a source of envy, even if we universally despise them all. All viruses are malicious, nasty little programs written by misguided people. In my book, they are all manifestations of bad intentions by programmers who are well on the road to becoming evil. However... The best viruses are the ones that infect without any human error or intervention at all. And most interesting to me are the ones that innovate with new infection vectors. http://www.linuxsecurity.com/content/view/118561 * High Profile, Low Security 13th, March, 2005 I'll tell you a secret. If you're looking for a security consultant during the day and he's not in the office, you might find him in a neighborhood coffee shop consuming large doses of caffeine, and using a laptop with wireless net access. 
It's nice to people-watch, catch up on the news, review technical articles and yes, even work, while enjoying that magic elixir (coffee) thanks to the wonders of WiFi. I find it a great way to take a break. You can imagine my disappointment early last week when I swung by one of my favorite haunts, grabbed a latte, opened up a terminal and watched my SSH attempt fail. Shoot -- their Internet connection must be down.

http://www.linuxsecurity.com/content/view/118562

* Reliability and availability: What's the difference?
13th, March, 2005

How do you design a computing system to provide continuous service and to ensure that any failures interrupting service do not result in customer safety issues or loss of customers due to dissatisfaction? Historically, system architects have taken two approaches to answer this question: building highly reliable, fail-safe systems with low probability of failure, or building mostly reliable systems with quick automated recovery. The RAS (Reliability, Availability, Serviceability) concept for system design integrates concepts of design for reliability and for availability along with methods to quickly service systems that can't be recovered automatically.

http://www.linuxsecurity.com/content/view/118564

* 'Highly critical' security bugs listed for Linux products
13th, March, 2005

Information about several vulnerabilities in Linux and Linux-based applications that are deemed to be "highly critical" was recently posted on the security Web site Secunia.com. Debian was cited as a system with operating system vulnerabilities that could be exploited. Meanwhile, users running RealNetworks' open-source Helix browser, the open-source phpWebSite manager utility, as well as users with a network backup product from Arkeia, were warned of software flaws that could leave systems potentially open to attack.
http://www.linuxsecurity.com/content/view/118565

* The National Security Agency Declassified
13th, March, 2005

Internet wiretapping mixes "protected" and targeted messages, Info Age requires rethinking 4th Amendment limits and policies, National Security Agency told Bush administration. "Transition 2001" report released through FOIA. Highlights collection of declassified NSA documents posted on Web by National Security Archive, GWU. National Security Archive Electronic Briefing Book No. 24.

http://www.linuxsecurity.com/content/view/118563

* Hacked data boosts identity theft to critical issue
11th, March, 2005

The computer breach at consumer data broker Seisint raised identity theft in the United States to crisis proportions Thursday, a day after the second major data broker disclosed that its database containing a plethora of private information on virtually every American was compromised.

http://www.linuxsecurity.com/content/view/118552

* Online Banking Industry Very Vulnerable to Cross-Site Scripting Frauds
13th, March, 2005

Phishing Attacks reported by members of the Netcraft Toolbar community show that many large banks are neglecting to take sufficient care with the development and testing of their online banking facilities.

http://www.linuxsecurity.com/content/view/118567

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue Mar 15 02:10:04 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 15 02:17:33 2005
Subject: [ISN] Louisiana man sentenced for 9-1-1 computer virus
Message-ID:

http://www.mercurynews.com/mld/mercurynews/news/breaking_news/11135235.htm

Associated Press
March 14, 2005

SAN JOSE, Calif. - David Jeansonne was sentenced Monday to six months in prison and ordered to pay Microsoft Corp. more than $27,000 after about 20 people received a virus that reprogrammed their computers to dial emergency dispatch numbers.

The bogus 9-1-1 calls prompted unnecessary police responses throughout the country in July 2002.

Jeansonne, 44, of Metairie, La., pleaded guilty in February to causing a threat to public safety and causing damage to computers. He could not be reached Monday in the Santa Clara County jail, where he's been since October 2004.

Besides the prison sentence, U.S. District Judge Ronald M. Whyte sentenced Jeansonne to serve six months home detention as part of a two year period of supervised release. He must also pay restitution of $27,100 to Microsoft and a special assessment of $200.

The 9-1-1 computer virus worked through WebTV, now known as MSN TV, which allows subscribers to connect to the Internet using their standard television. Approximately 20 subscribers of the Microsoft service, which used computer servers in Santa Clara County, received the e-mail.

The e-mail said the attachment merely executed a program to change the display colors on the television screen. But it was really a "Trojan horse," a malicious computer code that purports to be helpful or harmless.

The attachment contained a hidden script that reset the dial-in telephone number in the user's WebTV box to 9-1-1 so that the next time the user attempted to log in to WebTV the computer dialed the emergency number instead of the local telephone modem, said prosecutor Kyle F. Waldinger, assistant U.S. Attorney for the Computer Hacking and Intellectual Property Unit of the U.S. Attorney's Office.

At least 10 WebTV users reported that the local police either called or visited their residences in response to the unnecessary calls.

The case is United States vs. David Jeansonne, No. CR-04-20023-RMW.
From isn at c4i.org Tue Mar 15 02:10:19 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 15 02:17:35 2005
Subject: [ISN] The Paris Hilton hacking hoax
Message-ID:

http://security.itworld.com/4337/050314hiltonhack/page_1.html

James Gaskin
ITworld.com
3/14/05

I know the mainstream media loves to report the Internet as the Wild West of lawlessness and anarchy (I think because it hides their own attempts to control content distribution over that same Internet). But why do so many mainstream reporters go brain dead when talking about Paris Hilton? To match her mental state?

Setup: Paris Hilton's cell phone address book got hacked, supposedly through her provider's lax security. Private celebrity numbers spread across the Internet. They were real celebrity numbers, not fake ones, although some of the celebrities were, um, getting pretty stale. Can you say MC Hammer?

Result: Do we blame her cell phone company, hackers, or roving bands of Wild West Web Hooligans? How about we blame Paris Hilton and recognize this as the brazen publicity stunt it is? Paris Hilton may be brain dead, but her PR group overflows with genius.

Let me explain, starting with some history. Eighteen months ago a "private" sex tape of Paris Hilton, at 19 years old and with a much older boyfriend, hit the Internet. She was shocked, shocked, that such a breach of privacy could occur. A month later, her show, The Simple Life, debuted on network TV.

Was Paris Hilton too embarrassed to promote her show while coyly ignoring Internet porn questions? Absolutely not. Was the Fox Network too embarrassed to splash her semi-naked porn-actress look all over their network? Fox? Embarrassed? Not a bit. Athletes caught using steroids will give back their salaries before Fox TV blushes.

The trick worked, and Paris Hilton wiggled and giggled The Simple Life to cult hit status. Fox ordered a second season of The Simple Life. During the long stretch between TV seasons, Paris Hilton felt ignored.
Did she tutor poor children? No. Did she work in a soup kitchen? No. Did the news media go crazy looking for something so valuable I thought the original copy of the Declaration of Independence had been stolen? Absolutely. But it wasn't the Declaration or even the Hope Diamond, it was Tinkerbelle, the Chihuahua Paris carries to events. Ransom notes were expected, but a few days later Paris remembered - she left Tinkerbelle with her grandparents.

Two quick asides. First, how brain dead are her grandparents that they didn't hear all the hubbub and call Paris on her famous cell phone? Second, if celebrities want to impress me by carrying dogs around, forget Chihuahuas. I'll bow to the first anorexic supermodel party girl I see brandishing a Basset Hound. Tote a Toy Poodle? Boring. Pack a Pit Bull? Kudos.

Now we're back to the present and the cell phone nonsense. The Simple Life season two includes Paris Hilton wiggling and giggling in fine half-dressed style, but nobody cares. Ratings are down. Civilization, at least as defined by People magazine, may crumble.

Suddenly it's Paris Hilton, that poor hacking victim, all over the news. Ratings trend up. People magazine starts a Celebrity Hacking Victims column, including pictorials of hacked celebrities in swimsuits discussing their favorite diets. The Weekly World News prints photographs proving Paris was hacked by Batboy and Bigfoot.

Did anybody look at this PR ploy critically? No. Anyone else report stolen data when the provider was supposedly hacked and Paris Hilton's address book copied? Nope. Paris can't keep track of a yappy dog, and nobody asks where she leaves her cell phone during parties?

Surely the reports of Paris Hilton using the name Tinkerbelle as her cell phone account password are wrong. That's a lot of letters for Paris to remember. I'm betting her password is "me" as in M-E. That seems to better fit her personality.
I say forget all this PR-initiated, headline-seeking nonsense, or at least stop calling this a technology failure. It may be a failure, but that failure is civilized discourse and news coverage of important events. Let's go back to the way life was, when we hated cell phone companies because of lousy service and botched billing. You know, back to normal. And leave Paris Hilton to wander, half-dressed, around Fox TV. They deserve each other.

From isn at c4i.org Tue Mar 15 02:10:33 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 15 02:17:38 2005
Subject: [ISN] Pleasant Hill man, 21, takes credit as hacker
Message-ID:

http://www.contracostatimes.com/mld/cctimes/news/local/crime_courts/11118974.htm

By Nathaniel Hoffman
CONTRA COSTA TIMES
March 12, 2005

A self-taught computer hacker from Pleasant Hill took credit Friday for several high-level cyber break-ins.

Robert Lyttle, 21, pleaded guilty in federal court in Oakland to five counts of hacking and defacing government computers. Lyttle admitted in a plea agreement with the government to hacking into NASA, Department of Defense and Department of Energy computers in April 2002, costing the government agencies more than $70,000 to shore up their security systems.

Within days of the attacks, according to a memo provided by Lyttle's attorney, government computer operators began reinforcing their networks.

"As a result of my actions, numerous Department of Defense and NASA employees spent time applying proper security measures to the DLIS, OHA, and NASA ARC computer systems and otherwise addressing the intrusions," Lyttle admitted in his plea agreement.

That was the intention of the self-styled "hacktivist" all along. Lyttle was one member of the Deceptive Duo, a pair of hackers who claimed in a TechTV interview in 2002 to have broken into numerous government, airline and banking networks as part of an effort to stave off cyberterrorist attacks against the United States.
Lyttle and his partner, Benjamin Stark, called their hacks Operation Inform and Operation Foreign Threat. They broke into the government computers, captured confidential information, including information on members of NASA's Astrobiology Institute and then posted that information on publicly accessible computers within the agencies.

Stark pleaded guilty late last year to hacking and fraud charges and has been ordered to repay some of the cost incurred by the federal agencies.

The Contra Costa County District Attorney prosecuted Lyttle in 2000, when he was still a juvenile, for tampering with computer systems, according to Lyttle's plea agreement. He was still on court probation when the Dynamic Duo launched its attacks.

The U.S. Attorney's Computer Hacking and Intellectual Property Unit in San Jose prosecuted Lyttle in the latest case. Christopher Sonderby, chief of the hacking unit, said most of the computer intrusion crimes the unit deals with are former employees hacking into company networks, not government hacks.

"It's obviously serious misconduct that he pled guilty to," Sonderby said.

Lyttle will be sentenced in June and could face more than 26 years in prison and more than $1 million in fines.

From isn at c4i.org Wed Mar 16 03:09:24 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 16 03:42:17 2005
Subject: [ISN] Hacking away at the hackers
Message-ID:

http://www.southcoasttoday.com/daily/03-05/03-15-05/l02ca072.htm

By JERRI STROUD
St. Louis Post-Dispatch
March 15, 2005

ST. LOUIS -- Ted Flom prepares for a security audit by trying to hack into a client's network. Often, it's surprisingly easy.

One Web site tipped Flom to the location of the company's servers. He and his team were able to sign onto the server using a generic password and user ID. Within a half-hour, they had access to virtually everything on the company's network.
The client's executives "were shocked," said Flom, a principal with Brown Smith Wallace LLC, an accounting and business-consulting firm in Creve Coeur, Mo. "It ended up being a server that they don't normally use. Someone just forgot to take it off their network."

Flom addresses corporate-information security, a hot topic now as government regulations and a litigious public push companies to prove their networks are secure. Even smaller companies could be asked to comply if they work for governments or larger companies in fields ranging from health care to banking.

Some consultants say the new emphasis on information security stems from the Sarbanes-Oxley Act passed in the wake of scandals at Enron Corp. and WorldCom Inc. In addition, the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act put the security onus on health-care and banking companies.

But Sarbanes-Oxley doesn't actually mandate information security, said Ira Solomon, head of the accounting program at the University of Illinois at Urbana-Champaign. It does require managers to attest that they have adequate controls on systems related to financial reporting, but it doesn't specify what kinds of controls.

Still, Solomon said, companies are being held to a greater level of accountability for privacy and data integrity. "Companies are collecting more and more data, so there's more and more at risk," he said.

Because of that risk, accounting firms, computer consultants and major network providers, such as Savvis Communications Corp. and SBC Communications Inc., are offering security-audit services and advising clients on ways to prevent attacks from outside -- and inside -- a company.

Many companies think they've protected themselves from hackers by installing a firewall or a piece of equipment with built-in security features, said William Hancock, security chief for Savvis.
But they aren't secure if the company hasn't changed the factory-installed passwords, which usually are well-known to hackers.

Hancock said companies need layers of security, additional hurdles behind a firewall that can slow attempts to penetrate a company's network. These can include access-control lists on routers, additional firewalls on servers, intrusion-detection systems, stronger user-authentication systems and access-filtering technology.

"By using a layered defense, the chances of an intruder getting all the way to an asset, undetected and undeterred, goes way down as more layers are added," Hancock said.

Equipment and computer ports that are unneeded should be turned off, and software patches should be kept up to date. The bulk of computer system vulnerabilities to attacks result from failure to install such patches.

Hacking, viruses, spam and denial-of-service attacks are on the rise as more computers, cell phones and other devices are connected to the Internet, Hancock said. Still, attacks from the inside cause more damage than those from outside a company.

"Amateurs hack systems; professionals hack people," said Dustin Dykes, a senior consultant at Callisma, a network-design firm owned by SBC.

"I spend a half-hour on the phone, and I most likely have all the passwords I need," Dykes said. "Companies tend to test the technical systems but not the people and the processes."

The most-likely perpetrators of attacks are disgruntled employees or recently fired ones who know how a company's computers are set up, said Josh Crowe, vice president in the St. Louis office of Calence Inc., a network-consulting firm based in Phoenix.

Companies must confiscate identification or access cards and deactivate passwords and e-mail accounts as soon as an employee leaves the company, Crowe said. Active employees should have access only to the information and systems they need to do their jobs.
Vendors and consultants should be granted access only after their computers have been scanned for viruses -- and their access should be limited to the task at hand.

Even good employees can leave the company open to security breaches if they give passwords to outsiders, use unsecured home or public networks or respond to "phishing" e-mails purportedly from banks, credit-card companies or other organizations. Employees should be suspicious of any e-mails asking them to update records, especially if they don't recognize the person or company requesting the updates.

Smart companies work out deals that give their employees access to antivirus software for laptops and home computers, Hancock said. He also recommends using anti-spyware and anti-adware tools and firewalls, many of them available free on the Internet.

Keith Fear, infrastructure director for Oakwood Systems Group Inc., said he's been able to walk into a major company in St. Louis, sit down at a computer and start exploring its network without being challenged by a receptionist or other employees.

Oakwood, a computer-consulting firm in west St. Louis County, checks for breaches of physical security as well as technical security when it conducts security audits, Fear said. Some companies still use ordinary locks on rooms housing their servers and other sensitive equipment, for example. Few have video cameras watching critical computer operations. Even high-tech systems can be compromised, Fear said.

The first thing companies need to do is determine which assets and intellectual property are most critical, Fear said. Then, they need to look at the risk of compromising those assets and find out how to reduce those risks.

A security audit should look at external and internal vulnerability, risks of penetration and also at policies and procedures. Audits should be redone -- or at least reviewed -- every six months.
Companies also need to look at security flaws that occur because of the way applications and systems are designed, said Ray Seefeldt, director of technology risk management in the St. Louis office of Jefferson Wells, an auditing and consulting firm based in Milwaukee.

A company might have 12 different groups of people who work on 12 functions, but their system is designed for just eight groups or functions. "People can't do what they need to do, and they will blame it on security," Seefeldt said.

"A lot of security issues are caused not by the security tools," he said, "but because security is an afterthought, and the designers didn't get it right in the first place."

Tips for safeguarding company information:

1. Keep software up-to-date and security patches installed, as appropriate.

2. Use anti-virus software on all computers -- desktops, laptops, employees' home computers and those of any vendors who connect to the company network.

3. Install firewalls and change security codes from default settings.

4. Give employees access only to the data they need to do their jobs. Use access control lists and passwords that aren't easy to guess. Passwords that combine letters and numbers are harder to hack.

5. Develop consistent, practical policies on the use of data, the Internet and e-mail -- and enforce the policies.

6. Educate employees, including executives, on the importance of security and how to work securely. Remind them of the dangers of providing information to outsiders, especially those posing as insiders.

7. Check physical security to make sure unauthorized persons can't get in to tamper with your network.

8. Turn off unused computer ports and peripherals. Make sure older equipment has the same protection as newer devices.

9. Map critical assets and understand where they are at risk. Develop plans to address their vulnerability.

10. Assess security on a regular basis, automate it where possible and review changes made since the last assessment.
From isn at c4i.org Wed Mar 16 03:14:34 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 16 03:42:20 2005
Subject: [ISN] Study: European IT managers have false sense of security
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,100397,00.html

By Scarlet Pruitt
MARCH 15, 2005
IDG NEWS SERVICE

Many European IT managers find their jobs extremely stressful, and even those who feel they have done as much as they can to protect their companies against emerging threats are operating under a false sense of security, according to a study released today.

These conclusions were detailed in Websense Inc.'s "Stress in Security" survey of 500 IT managers across Europe. Although 91% of the managers said they believe their companies have good IT security, 70% said they leave gaps open to common Internet threats, according to the study.

Many known Web-based threats are being overlooked, and a majority of respondents said they have no measures in place to protect against internal hackers or phishing attacks. Phishing, a type of Internet scam where hackers send e-mails enticing recipients to reveal passwords or credit card numbers on bogus Web sites that resemble legitimate Web sites, is an increasingly common type of Internet threat.

Fifty-eight percent of the respondents said they protect against fewer than three of the seven most common Web threats identified in the survey, Websense said.

"The biggest problem is that they are being reactive rather than proactive," said Websense spokeswoman Rebecca Zarkos, who worked on the report.

For example, 35% of respondents said they are unable to stop spyware from sending out confidential company information to external sources, and 56% do not prevent peer-to-peer applications from being run. Finally, 8% of the European companies surveyed said they have no security measures beyond a basic firewall and an antivirus product in place, Websense said.
"They think they are covered by a big umbrella, but obviously there are holes," Zarkos said.

Many IT managers see mobile workers as a threat, as 71% of survey respondents said that corporate laptops used outside the office and then reconnected to the network pose the greatest security risk to their companies. Still, only 21% of the companies surveyed said they have technical restrictions in place to secure reconnected computers, according to Websense.

A possible reason behind the lax security is that IT managers aren't delegating enough responsibility to end users, and too few security policies are enforced, Websense said. Individual employees are given too much freedom to visit Internet sites, which could potentially infect the network and put IT managers' jobs at risk, the company said.

And the pressure seems to show. Of the IT managers surveyed, 72% said they think their jobs might be at risk following IT security breaches, with Internet attacks being their greatest concern. Furthermore, 20% of IT managers surveyed said that the stress of protecting their companies against Internet threats is greater than starting a new job, moving to a new house, or even getting married or divorced.

"Obviously they are feeling the stress and know that their jobs are on the line, so maybe the problem is that they don't understand the threats," Zarkos said.

Websense advised companies to invest in the appropriate software to secure their networks and to focus on proactive security measures.

From isn at c4i.org Wed Mar 16 03:14:50 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 16 03:42:23 2005
Subject: [ISN] DMV hopes to reassure clients about security
Message-ID:

http://www.lasvegassun.com/sunbin/stories/lv-other/2005/mar/15/518452271.html

By David Kihara
LAS VEGAS SUN
March 15, 2005

Mark Saia walked into the state Department of Motor Vehicles office at 4110 Donovan Way on Monday looking for information on the possible theft of his identity. He left with only questions.
"(The burglars) have my Social Security number and my date of birth -- what can they do with it?" Saia asked. "How is the DMV going to stop something like this from happening again?"

Saia is just one of almost 9,000 individuals who could be victims of identity theft after burglars on March 7 crashed a vehicle into the North Las Vegas DMV branch near Craig Road and Interstate 15 and stole a computer with personal driver's license information as well as Social Security numbers and dates of birth.

He went to the DMV on Donovan Way on Monday to get information on his chances of being a victim. He was given a slip of paper with the DMV Fraud hotline telephone number on it and a piece of very bad news: He could be the victim of identity theft because between Nov. 25 and March 5 he was issued a commercial instruction permit to drive a tractor-trailer. Anyone who was issued a license during that time period could be the victim of identity theft.

"I was a little concerned when I heard (reports of the burglary) announced on the radio because (the burglars) have my Social Security number," Saia said, adding that he learned of the theft from media reports.

The DMV on Wednesday will send out letters describing the incident and new driver's licenses with different numbers to the 8,738 people whose personal information was stored on the stolen computer, said Kevin Malone, spokesman for the DMV. The DMV could not issue the certified letters and new driver's licenses sooner than Wednesday because of the immense volume of licenses, he said.

"We're doing this as quickly as we can," Malone said. He said the DMV could not inform the potential victims by telephone because the agency does not keep individuals' phone numbers.

To clear misconceptions, Malone said the reason the DMV on Friday reversed previous statements, saying that the information stored on the stolen computer could yield personal information, was because of the DMV's computer vendor, Digimarc.
Digimarc told the DMV on Thursday that personal information on the DMV's computers that was believed to have been wiped off the North Las Vegas DMV branch's computer system at the end of the day was actually "backed up" and stored in the computer. This new information led officials to believe that the burglars have almost 9,000 identities, he said.

He could not comment on whether or not Digimarc ever provided assurances to the DMV that the personal information could remain on the computer systems at the end of the day.

Digimarc could not comment on the case because it has a nondisclosure agreement with the DMV, said Leslie Constans, spokeswoman for Digimarc. "We are working with the DMV to understand what happened," Constans said.

The Oregon-based computer firm contracts with 32 DMVs across the country to provide digital driver's license computer systems, she said.

Tim Bedwell, spokesman for North Las Vegas Police, said the authorities still have not arrested any suspects in the burglary.

Much of this, however, still leaves some citizens like Saia with unanswered questions and anger toward the DMV. "They need to try and figure out a way to make sure this doesn't happen again," Saia said.

Another individual concerned that the burglars might have stolen his personal information during the burglary was Jeff Lamb, who also visited the Donovan Way DMV on Monday to get information relating to the crime. Lamb saw television news reports during the weekend about the incident, and he said he just wanted to "check for safety."

The 64-year-old Lamb said he was slightly worried that personal information was left on the computers at night, but ultimately believed that little could be done if burglars drive a vehicle through a plate glass window to gain access, as they did in the DMV burglary.
After consulting with a DMV employee, he walked away feeling a little more secure: He had been issued a driver's license several years ago and was not in danger of having his identity stolen.

"I guess I'm OK," he said.

From isn at c4i.org Wed Mar 16 03:15:02 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 16 03:42:26 2005
Subject: [ISN] AOL To Modify AIM Terms of Service
Message-ID:

http://www.eweek.com/article2/0,1759,1776146,00.asp

By Ryan Naraine
March 15, 2005

America Online Inc. plans to make three small but significant modifications to the terms of service [1] for its AIM instant messaging product to head off a firestorm of privacy-related criticisms.

The tweaks to the terms of service will be made in the section titled "Content You Post" and will explicitly exclude user-to-user chat sessions from the privacy rights an AIM user gives up to AOL.

"We're not making any policy changes. We're making some linguistic changes to clarify certain things and explain it a little better to our users," AOL spokesperson Andrew Weinstein told eWEEK.com.

The modifications will use similar language from the AIM privacy policy to "make it clear that AOL does not read private user-to-user communications," Weinstein said. "We'll be adding that to the beginning of the section to make it clear that the privacy rights discussed in that section only refer to content posted to public areas of the AIM service."

More importantly, Weinstein said a blunt and inelegant line that reads "You waive any right to privacy" will be deleted altogether. "That's a phrase that should not have been in that section in the first place. It clearly caused confusion, with good reason," Weinstein conceded.

Over the last weekend, AOL representatives moved to quell public criticism [2] of the terms of service after the issue was first flagged [3] on Weblogs and discussion forums.
But the company's damage-control moves did not sit well with legal experts, who argued that AOL's stance that user-to-user IM communications were exempt did not match the language in the terms of service.

Justin Uberti, chief architect for AIM, also joined the discussion, admitting the controversial section of the terms of service was "vague" and needed to be reworded.

Uberti explained on his Weblog [4] that the amount of IM traffic on the AIM network "is on the order of hundreds of gigabytes a day."

"It would be very costly, and we have no desire to record all IM traffic. We don't do it," Uberti wrote.

For AIM users who remain distrustful, Uberti pointed out that the application offers Direct IM (aka Send IM Image) and Secure IM in all recent versions.

"In other words, you can send your IMs in such a way that they never go through our servers, and/or are encrypted with industry-standard SSL and S/MIME technology. I know this since I designed these features. There are no backdoors; I would not have permitted any," Uberti said.

[1] http://www.aim.com/tos/tos.adp
[2] http://www.eweek.com/article2/0,1759,1775743,00.asp
[3] http://www.eweek.com/article2/0,1759,1775649,00.asp
[4] http://journals.aol.com/juberti/runningman/

From isn at c4i.org Wed Mar 16 03:15:15 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 16 03:42:29 2005
Subject: [ISN] How To Save The Internet
Message-ID:

http://www.cio.com/archive/031505/security.html

BY SCOTT BERINATO
CIO Magazine
Mar. 15, 2005

Professor Hannu H. Kari of the Helsinki University of Technology is a smart guy, but most people thought he was just being provocative when he predicted, back in 2001, that the Internet would shut down by 2006. "The reason for this will be that proper users' dissatisfaction will have reached such heights by then that some other system will be needed," Kari said, "unless the Internet is improved and made reliable."

Last fall, Kari bolstered his prophecy with statistics.
Extrapolating from the growth rates of viruses, worms, spam, phishing and spyware, he concluded that these, combined with "bad people who want to create chaos," would cause the Internet to "collapse!" and he stuck to 2006 as the likely time. Kari holds dozens of patents. He helped invent the technology that enables cell phones to receive data. He's a former head of Mensa Finland. Still, many observers pegged him as an irresponsible doomsayer and, seeing as how he consults for security vendors, a mercenary one at that. And yet, in the past year, we've witnessed the most disturbingly effective and destructive worm yet, Witty, that not only carried a destructive payload but also proved nearly 100 percent effective at attacking the machines it targeted. Paul Stich, CEO of managed security provider Counterpane, reports that attempted attacks on his company's customers multiplied from 70,000 in 2003 to 400,000 in 2004, an increase of over 400 percent. Ed Amoroso, CISO of AT&T, says that among the 2.8 million e-mails sent to his company every day, 2.1 million, or 75 percent, are junk. The increasing clutter of online junk is driving people off the Internet. In a survey by the Pew Internet and American Life Project, 29 percent of respondents reported reducing their use of e-mail because of spam, and more than three-quarters, 77 percent, labeled the act of being online "unpleasant and annoying." Indeed, in December 2003, the Anti-Phishing Working Group reported that more than 90 unique phishing e-mails were released in just two months. Less than a year later, in November 2004, there were 8,459 unique phishing e-mails linking to 1,518 sites. Kari may have overstepped by naming a specific date for the Internet's demise, but fundamentally, he's right. The trend is clear. "Look, this is war," says Allan Paller, director of research for The SANS Institute. "Most of all, we need will. You lose a war when you lose will."
So far, the information security complex (vendors, researchers, developers, users, consultants, the government, you) has demonstrated remarkably little will to wage this war. Instead, we fight fires, pointing hoses at uncontrolled blazes, sometimes inventing new hoses, but never really dousing the flames and never seeking out the fire's source in order to extinguish it. That's why we concocted this exercise, trolling the infosecurity community to find Big Ideas on how to fix, or begin to fix, this problem. Our rules were simple: Suggest any Big Idea that you believe could, in a profound way, improve information security. We asked people to think outside the firewall. Some ideas are presented here as submitted; others we elaborated upon. Those who suggested technological tweaks or proposed generic truths ("educate users") were quickly dismissed. What was left was an impressive, broad and, sometimes, even fun list of Big Ideas to fix information security. Let's hope some take shape before 2006. [...] From isn at c4i.org Wed Mar 16 03:30:18 2005 From: isn at c4i.org (InfoSec News) Date: Wed Mar 16 03:42:33 2005 Subject: [ISN] Chico State computer system attacked by hackers Message-ID: Forwarded from: William Knowles http://www.chicoer.com/Stories/0,1413,135~25088~2765075,00.html By MELISSA DAUGHERTY Staff Writer March 16, 2005 More than 59,000 people connected to Chico State University will be contacted for what officials are calling the largest computer hacking incident the college has seen. Notifications to anyone whose personal information was compromised were going out Tuesday, said Joe Wills, director of public affairs at the university. That list includes current and former Chico State faculty and staff members. But the majority are students, since the server hackers targeted held the names and Social Security numbers of current, former and prospective students.
There have been previous hacking incidents at the university, but none has affected this many people, Wills said. While the exposed server contained personal information, there's no indication hackers will use it for illegal activity, he added. "It's impossible to know what their motives are," Wills said. The university was made aware of the incident about three weeks ago, after routine monitoring of its network showed that hackers illegally accessed the University Housing and Food Service server. An investigation revealed hackers installed software to store files and attempted to break into other computers. Meanwhile, university personnel have placed information about the incident online, which can be accessed through Chico State's Web site. The site provides links to credit reporting agencies that can detect fraud or identity theft at no charge. The university is also developing an alternative identification system using a new, randomly assigned nine-digit ID number for students and employees in place of Social Security numbers. Wills recalled a similar incident at San Diego State University, in which more than 120,000 people were notified. For those affected by the system breach at Chico State, notifications will be sent via the Internet for those who have current e-mail addresses and by letter to all others. University Police are investigating the incident, but Wills said he doesn't know if it's likely the hackers will be caught. At this time, there's no indication the crime took place on campus or involved university personnel. "They literally could be anywhere," he said. *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred M.
Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* From isn at c4i.org Fri Mar 18 02:26:40 2005 From: isn at c4i.org (InfoSec News) Date: Fri Mar 18 02:45:25 2005 Subject: [ISN] Hacking raid on Sumitomo bank thwarted Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,100455,00.html By Madeleine Acey MARCH 17, 2005 Security experts are praising Sumitomo Mitsui Banking Corp. for admitting that it was the target of a failed $424 million hacking attempt. According to media reports, the U.K.'s National High Tech Crime Unit (NHTCU) has issued a warning to large banks to guard against keylogging, the method adopted by the would-be thieves in an attack on the Japanese bank's London systems. The intruders tried to transfer money out of the bank via 10 accounts around the world. Keyloggers record every keystroke made on a computer and are commonly used to steal passwords. Eighteen months ago, U.S. games developer Valve had the source code to its latest version of Half-Life stolen after a virus delivered a keystroke recorder program into Valve's founder's computer. "Generally, big businesses don't like to talk about any security problems they may have," said Graham Cluley, senior technical consultant at security software company Sophos PLC. "Clearly, Sumitomo did very well, they didn't lose any money, and they involved the authorities." Arthur Barnes at security integrator Diagonal Security agreed. "I think this is very positive; it warns the rest of the community," he said. "Someone was always going to have to stand up and say this is going on. It's very brave. They've really done the right thing. Too often this sort of thing is swept under the carpet." The bank has confirmed that a probe is under way and stressed that no money was lost. 
But officials declined to offer further details, citing the ongoing investigation. "We have undertaken various measures in terms of security and we have not suffered any financial damage," a spokesman said. Barnes, who has worked with the NHTCU, said the publicized arrest of a man in Israel -- along with Sumitomo's confirmation of a plot -- appeared to be an effort to flush out the thieves, and suggests law enforcement officials know something about them. "It would also serve as a warning to anyone thinking of doing this kind of thing," he said. Yeron Bolondi, 32, was seized by Israeli police yesterday after an alleged attempt to transfer some of the cash into his business account. He was reportedly charged with money laundering and deception. In a statement, Israeli police said there had been an attempt to transfer $26.7 million into the account "by deception in a sophisticated manner." Cluley and Barnes said keylogging hacks are more common than thought, and they said the $423 million plot was probably the largest corporate case that had been made public. Both experts said it's unclear what kind of keylogging was used. Barnes said keyloggers have become more sophisticated, moving away from software forms to sniffer-type hardware devices. Both he and Cluley speculated that the would-be thieves may not have actually hacked into the bank's systems from outside to plant their keylogger. "They've now got little hardware loggers that are like a dongle that you place between the keyboard connection and the base unit," Barnes said. "A cleaner could come in and pop one of these things in. No one ever looks around the back [of their PC]." That type of operation would also mean that an organization's level of encryption or firewall strength could become irrelevant. He noted that hacker sites offer keylogging software for free. 
Keystroke recorders are also sold on seemingly legitimate Web sites, purportedly for employers to keep an eye on what staff are doing at their computers. No matter how dramatic the Sumitomo case might be, Cluley said attacks on individuals' machines are an everyday occurrence and users must remain vigilant. "[We're seeing] 15 to 20 new pieces of malware a day, and they are worms and Trojans that do keylogging. Individuals probably don't even know about it. The malware doesn't display a skull and crossbones or play 'The Blue Danube' over your speakers to announce its presence." He urged users to update antivirus software "probably several times a day and not to forget to install Microsoft patches and install a firewall." "There are constant attempts; it's staggering how much this is going on," Cluley said. From isn at c4i.org Fri Mar 18 02:27:06 2005 From: isn at c4i.org (InfoSec News) Date: Fri Mar 18 02:45:28 2005 Subject: [ISN] BC warns its alumni of possible ID theft after computer is hacked Message-ID: http://www.boston.com/business/technology/articles/2005/03/17/bc_warns_its_alumni_of_possible_id_theft_after_computer_is_hacked/ By Hiawatha Bray Globe Staff March 17, 2005 Boston College has sent warning letters to 120,000 of its alumni, after a computer containing their addresses and Social Security numbers was hacked by an unknown intruder. College officials say they have no reason to believe the intruder was looking for personal information to steal; instead, the attacker planted a program that would enable him to use the computer to launch attacks on other machines. But the school is taking no chances, because of the sensitive information stored on the computer. "As a precaution we have chosen to alert the entire database, which is upwards of 100,000 individuals," said Boston College spokesman Jack Dunn. The breach at the college takes place amid rising concern over identity theft, and the recent break-ins at information brokers ChoicePoint and LexisNexis.
The compromised machine at Boston College was not run by the school, but by an outside contractor that Dunn did not identify. It was one of a group of computers used in the school's fund-raising activities. Boston College students use the machines to look up names and phone numbers of alumni. They telephone them and ask for donations to the college. Such phone banks are a common feature at many colleges, Dunn said. During a routine security check last week, Boston College computer security workers found that one of the computers at the phone bank had been compromised. The computer was immediately taken offline and tested in an effort to find what the attacker had been trying to do. The investigation concluded that there was no evidence of identity theft. The school also concluded that the hack wasn't an inside job. "There's no evidence to suggest that this involved anyone from the Boston College community, but instead was an external hacker," Dunn said. But investigators couldn't be absolutely sure that the intruder hadn't also collected some personal information on alumni, such as their Social Security numbers. Dunn said that including Social Security data in the alumni files was a matter of custom. "Every university in the United States, for decades, used Social Security numbers as identifiers from alums," he said. "As a result of the breach, we have taken immediate actions to purge all Social Security numbers for this particular computer, and from all alumni records." The letter to alumni urges them to take precautions to protect their identities and financial accounts. They're told to contact their banks and warn them that their Social Security numbers may have been stolen. The letter suggests obtaining copies of credit reports to check for unusual activity. Alumni are also urged to ask that a "fraud alert" be put on their credit reports.
Such alerts will prevent banks and credit card companies from making new loans without double-checking with the account holder. A complete list of suggested remedies is posted on the Boston College website at www.bc.edu/alert. Dunn said the precautions made sense for anybody worried about identity theft. "As a precaution," he said, "people should do this on a yearly basis anyway." From isn at c4i.org Fri Mar 18 02:28:04 2005 From: isn at c4i.org (InfoSec News) Date: Fri Mar 18 02:45:31 2005 Subject: [ISN] Secunia Weekly Summary - Issue: 2005-11 Message-ID: ======================================================================== The Secunia Weekly Advisory Summary 2005-03-10 - 2005-03-17 This week : 52 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3...............................This Week's Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: Want a new IT Security job? Vacant positions at Secunia: http://secunia.com/secunia_vacancies/ ======================================================================== 2) This Week in Brief: A vulnerability has been reported in various Symantec gateway products, which can be exploited by malicious people to poison the DNS cache. The vendor has issued patches, please review Secunia advisory below for additional details. References: http://secunia.com/SA14595 VIRUS ALERTS: Secunia has not issued any virus alerts during the week. ======================================================================== 3) This Week's Top Ten Most Read Advisories: 1. [SA14163] Mozilla Products IDN Spoofing Security Issue 2.
[SA14565] Firefox "Save Link As..." Status Bar Spoofing Weakness 3. [SA14512] Microsoft Windows LAND Attack Denial of Service 4. [SA14547] MySQL Two Vulnerabilities 5. [SA12889] Microsoft Internet Explorer Multiple Vulnerabilities 6. [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerability 7. [SA14568] Mozilla "Save Link Target As..." Status Bar Spoofing Weakness 8. [SA14543] Microsoft Exchange Server 2003 Folder Handling Denial of Service 9. [SA14567] Thunderbird "Save Link Target As..." Status Bar Spoofing Weakness 10. [SA14548] Linux Kernel "sys_epoll_wait()" Function Integer Overflow ======================================================================== 4) Vulnerabilities Summary Listing Windows: [SA14580] aeNovo Database Disclosure of Sensitive Information [SA14553] Active Webcam Denial of Service and Local File Detection [SA14601] GoodTech Telnet Server Buffer Overflow Vulnerability [SA14564] MySQL MS-DOS Device Names Denial of Service Vulnerability UNIX/Linux: [SA14597] Mandrake update for cyrus-sasl [SA14574] Gentoo update for libexif [SA14572] Gentoo update for xorg-x11 [SA14552] SUSE update for realplayer [SA14606] Fedora update for sylpheed [SA14603] Gentoo update for ringtonetools [SA14596] Mandrake update for ethereal [SA14594] Ubuntu update for kernel [SA14587] Fedora update for ipsec-tools [SA14586] IPsec-Tools ISAKMP Header Parsing Denial of Service [SA14584] KAME Racoon ISAKMP Header Parsing Denial of Service [SA14573] Gentoo update for ethereal [SA14570] Linux Kernel PPP Server Denial of Service Vulnerability [SA14598] Mandrake update for openslp [SA14581] SUSE update for openslp [SA14561] OpenSLP Buffer Overflow Vulnerabilities [SA14593] Ubuntu update for mysql [SA14582] Debian luxman Privilege Escalation Vulnerability [SA14562] rxvt-unicode Terminal Input Buffer Overflow Vulnerability [SA14563] Conectiva update for gaim [SA14558] Red Hat update for gaim [SA14591] KDE Desktop Communication Protocol Denial of Service Vulnerability 
Other: [SA14557] Xerox MicroServer Web Server URL Handling Denial of Service [SA14556] Xerox Document Centre Web Server Unauthorised Access Vulnerability Cross Platform: [SA14600] PHPOpenChat "sourcedir" File Inclusion Vulnerability [SA14577] VoteBox "VoteBoxPath" File Inclusion Vulnerability [SA14566] holaCMS "vote_filename" Directory Traversal Vulnerability [SA14559] WEBInsta Limbo "absolute_path" File Inclusion Vulnerability [SA14602] ZPanel "uname" SQL Injection and Security Bypass [SA14595] Symantec Products Unspecified DNS Cache Poisoning Vulnerability [SA14590] paBox "posticon" Script Insertion Vulnerability [SA14583] SimpGB "quote" SQL Injection Vulnerability [SA14579] Spinworks Application Server Web Server Denial of Service [SA14578] UBB.threads "Number" SQL Injection Vulnerability [SA14576] PhotoPost PHP Pro Multiple Vulnerabilities [SA14555] LimeWire Gnutella Disclosure of Sensitive Information [SA14599] phpMyAdmin "_" Wildcard Permissions Security Bypass [SA14592] phpPgAds / phpAdsNew "refresh" Cross-Site Scripting Vulnerability [SA14589] WebSphere Commerce Private Information Disclosure [SA14554] Phorum Script Insertion Vulnerabilities [SA14588] Cosminexus Server Component Container Tomcat Denial of Service [SA14575] MaxDB Web Agent Denial of Service Vulnerabilities [SA14569] Apache Tomcat AJP12 Protocol Denial of Service Vulnerability [SA14607] Novell iChain miniFTP Server Brute Force Weakness [SA14568] Mozilla "Save Link Target As..." Status Bar Spoofing Weakness [SA14567] Thunderbird "Save Link Target As..." Status Bar Spoofing Weakness [SA14565] Firefox "Save Link As..." 
Status Bar Spoofing Weakness [SA14560] Citrix MetaFrame Password Manager Secondary Password Disclosure ======================================================================== 5) Vulnerabilities Content Listing Windows:-- [SA14580] aeNovo Database Disclosure of Sensitive Information Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2005-03-14 farhad koosha has reported a security issue in aeNovo, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/14580/ -- [SA14553] Active Webcam Denial of Service and Local File Detection Critical: Moderately critical Where: From remote Impact: Exposure of system information, DoS Released: 2005-03-10 Sowhat has reported two vulnerabilities and a weakness in Active Webcam, which can be exploited by malicious people to cause a DoS (Denial of Service) and detect the presence of local files. Full Advisory: http://secunia.com/advisories/14553/ -- [SA14601] GoodTech Telnet Server Buffer Overflow Vulnerability Critical: Moderately critical Where: From local network Impact: System access Released: 2005-03-16 Komrade has reported a vulnerability in GoodTech Telnet Server, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14601/ -- [SA14564] MySQL MS-DOS Device Names Denial of Service Vulnerability Critical: Not critical Where: From local network Impact: DoS Released: 2005-03-14 Luca Ercoli has reported a vulnerability in MySQL, which can be exploited by malicious users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14564/ UNIX/Linux:-- [SA14597] Mandrake update for cyrus-sasl Critical: Highly critical Where: From remote Impact: System access Released: 2005-03-16 MandrakeSoft has issued an update for cyrus-sasl. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/14597/ -- [SA14574] Gentoo update for libexif Critical: Highly critical Where: From remote Impact: System access, DoS Released: 2005-03-14 Gentoo has issued an update for libexif. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14574/ -- [SA14572] Gentoo update for xorg-x11 Critical: Highly critical Where: From remote Impact: System access Released: 2005-03-14 Gentoo has issued an update for xorg-x11. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14572/ -- [SA14552] SUSE update for realplayer Critical: Highly critical Where: From remote Impact: System access Released: 2005-03-10 SUSE has issued an update for realplayer. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/14552/ -- [SA14606] Fedora update for sylpheed Critical: Moderately critical Where: From remote Impact: System access Released: 2005-03-16 Fedora has issued an update for sylpheed. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/14606/ -- [SA14603] Gentoo update for ringtonetools Critical: Moderately critical Where: From remote Impact: System access Released: 2005-03-16 Gentoo has issued an update for ringtonetools. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/14603/ -- [SA14596] Mandrake update for ethereal Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2005-03-16 MandrakeSoft has issued an update for ethereal. 
This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14596/ -- [SA14594] Ubuntu update for kernel Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information, Privilege escalation, DoS Released: 2005-03-16 Ubuntu has issued an update for the kernel. This fixes multiple vulnerabilities, which can be exploited to disclose kernel memory, gain escalated privileges or cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14594/ -- [SA14587] Fedora update for ipsec-tools Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-03-15 Fedora has issued an update for ipsec-tools. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14587/ -- [SA14586] IPsec-Tools ISAKMP Header Parsing Denial of Service Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-03-15 A vulnerability has been reported in IPsec-Tools, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14586/ -- [SA14584] KAME Racoon ISAKMP Header Parsing Denial of Service Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-03-15 Sebastian Krahmer has reported a vulnerability in KAME Racoon, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14584/ -- [SA14573] Gentoo update for ethereal Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2005-03-14 Gentoo has issued an update for ethereal. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14573/ -- [SA14570] Linux Kernel PPP Server Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-03-16 Ben Martel and Stephen Blackheath have reported a vulnerability in the Linux kernel, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14570/ -- [SA14598] Mandrake update for openslp Critical: Moderately critical Where: From local network Impact: System access Released: 2005-03-16 MandrakeSoft has issued an update for openslp. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14598/ -- [SA14581] SUSE update for openslp Critical: Moderately critical Where: From local network Impact: System access Released: 2005-03-15 SUSE has issued an update for openslp. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14581/ -- [SA14561] OpenSLP Buffer Overflow Vulnerabilities Critical: Moderately critical Where: From local network Impact: System access Released: 2005-03-15 SUSE Security Team has reported some vulnerabilities in OpenSLP, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14561/ -- [SA14593] Ubuntu update for mysql Critical: Less critical Where: From local network Impact: Privilege escalation, System access Released: 2005-03-16 Ubuntu has issued an update for mysql. This fixes some vulnerabilities, which potentially can be exploited by malicious users to compromise a vulnerable system and by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. 
Full Advisory: http://secunia.com/advisories/14593/ -- [SA14582] Debian luxman Privilege Escalation Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-03-15 Debian has issued an update for luxman. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/14582/ -- [SA14562] rxvt-unicode Terminal Input Buffer Overflow Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2005-03-15 A vulnerability has been reported in rxvt-unicode, which potentially can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/14562/ -- [SA14563] Conectiva update for gaim Critical: Not critical Where: From remote Impact: DoS Released: 2005-03-15 Conectiva has issued an update for gaim. This fixes three weaknesses, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14563/ -- [SA14558] Red Hat update for gaim Critical: Not critical Where: From remote Impact: DoS Released: 2005-03-11 Red Hat has issued an update for gaim. This fixes three weaknesses, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14558/ -- [SA14591] KDE Desktop Communication Protocol Denial of Service Vulnerability Critical: Not critical Where: Local system Impact: DoS Released: 2005-03-16 Sebastian Krahmer has reported a vulnerability in KDE, which can be exploited by malicious, local users to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/14591/ Other:-- [SA14557] Xerox MicroServer Web Server URL Handling Denial of Service Critical: Less critical Where: From local network Impact: DoS Released: 2005-03-11 A vulnerability has been reported in Xerox Document Centre, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14557/ -- [SA14556] Xerox Document Centre Web Server Unauthorised Access Vulnerability Critical: Less critical Where: From local network Impact: Security Bypass Released: 2005-03-11 A vulnerability has been reported in Xerox Document Centre, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/14556/ Cross Platform:-- [SA14600] PHPOpenChat "sourcedir" File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2005-03-16 Mafia_Boy has reported a vulnerability in PHPOpenChat, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14600/ -- [SA14577] VoteBox "VoteBoxPath" File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2005-03-15 SmOk3 has reported a vulnerability in VoteBox, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14577/ -- [SA14566] holaCMS "vote_filename" Directory Traversal Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2005-03-14 Virginity has reported a vulnerability in holaCMS, which can be exploited by malicious people to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/14566/ -- [SA14559] WEBInsta Limbo "absolute_path" File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2005-03-11 Fidel Costa has discovered a vulnerability in WEBInsta Limbo, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14559/ -- [SA14602] ZPanel "uname" SQL Injection and Security Bypass Critical: Moderately critical Where: From remote Impact: Security Bypass, Manipulation of data Released: 2005-03-16 Mikhail has reported a vulnerability and a security issue in ZPanel, which can be exploited by malicious people to conduct SQL injection attacks and bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/14602/ -- [SA14595] Symantec Products Unspecified DNS Cache Poisoning Vulnerability Critical: Moderately critical Where: From remote Impact: Spoofing, Manipulation of data Released: 2005-03-16 A vulnerability has been reported in various Symantec gateway products, which can be exploited by malicious people to poison the DNS cache. Full Advisory: http://secunia.com/advisories/14595/ -- [SA14590] paBox "posticon" Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2005-03-15 Rift has discovered a vulnerability in paBox, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/14590/ -- [SA14583] SimpGB "quote" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-03-15 Alexander Müller has reported a vulnerability in SimpGB, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/14583/ -- [SA14579] Spinworks Application Server Web Server Denial of Service Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-03-14 Dr_insane has discovered a vulnerability in Spinworks Application Server, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14579/ -- [SA14578] UBB.threads "Number" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-03-14 ADZ Security Team has reported a vulnerability in UBB.threads, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/14578/ -- [SA14576] PhotoPost PHP Pro Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Security Bypass, Cross Site Scripting, Manipulation of data Released: 2005-03-14 Igor Franchuk has reported some vulnerabilities in PhotoPost PHP Pro, which can be exploited to conduct script insertion and SQL injection attacks, bypass certain security restrictions and manipulate potentially sensitive information. Full Advisory: http://secunia.com/advisories/14576/ -- [SA14555] LimeWire Gnutella Disclosure of Sensitive Information Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2005-03-15 Kevin Walsh has reported two vulnerabilities in LimeWire, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/14555/ -- [SA14599] phpMyAdmin "_" Wildcard Permissions Security Bypass Critical: Less critical Where: From remote Impact: Security Bypass Released: 2005-03-16 A vulnerability has been reported in phpMyAdmin, which can be exploited by malicious users to bypass certain security restrictions. 
Full Advisory: http://secunia.com/advisories/14599/

--

[SA14592] phpPgAds / phpAdsNew "refresh" Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-03-15

Maksymilian Arciemowicz has reported a vulnerability in phpPgAds and phpAdsNew, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/14592/

--

[SA14589] WebSphere Commerce Private Information Disclosure

Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-03-15

A security issue has been reported in WebSphere Commerce, which may result in sensitive information being disclosed to malicious people.

Full Advisory: http://secunia.com/advisories/14589/

--

[SA14554] Phorum Script Insertion Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-03-11

Jon Oberheide has reported some vulnerabilities in Phorum, which can be exploited by malicious users to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/14554/

--

[SA14588] Cosminexus Server Component Container Tomcat Denial of Service

Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-03-15

The vendor has acknowledged a vulnerability in Cosminexus Server Component Container and Cosminexus Server Component Container for Java, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14588/

--

[SA14575] MaxDB Web Agent Denial of Service Vulnerabilities

Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-03-15

Some vulnerabilities have been reported in MaxDB, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14575/

--

[SA14569] Apache Tomcat AJP12 Protocol Denial of Service Vulnerability

Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-03-15

Hitachi Incident Response Team has reported a vulnerability in Tomcat, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14569/

--

[SA14607] Novell iChain miniFTP Server Brute Force Weakness

Critical: Not critical
Where: From remote
Impact: Brute force
Released: 2005-03-16

Francisco Amato has reported a weakness in Novell iChain, which can be exploited by malicious people to potentially brute force a user's password.

Full Advisory: http://secunia.com/advisories/14607/

--

[SA14568] Mozilla "Save Link Target As..." Status Bar Spoofing Weakness

Critical: Not critical
Where: From remote
Impact: Spoofing
Released: 2005-03-14

bitlance winter has discovered a weakness in Mozilla, which can be exploited by malicious people to trick users into saving malicious files by obfuscating URLs.

Full Advisory: http://secunia.com/advisories/14568/

--

[SA14567] Thunderbird "Save Link Target As..." Status Bar Spoofing Weakness

Critical: Not critical
Where: From remote
Impact: Spoofing
Released: 2005-03-14

bitlance winter has discovered a weakness in Thunderbird, which can be exploited by malicious people to trick users into saving malicious files by obfuscating URLs.

Full Advisory: http://secunia.com/advisories/14567/

--

[SA14565] Firefox "Save Link As..." Status Bar Spoofing Weakness

Critical: Not critical
Where: From remote
Impact: Spoofing
Released: 2005-03-14

bitlance winter has discovered a weakness in Firefox, which can be exploited by malicious people to trick users into saving malicious files by obfuscating URLs.
Full Advisory: http://secunia.com/advisories/14565/

--

[SA14560] Citrix MetaFrame Password Manager Secondary Password Disclosure

Critical: Not critical
Where: From local network
Impact: Security Bypass, Exposure of sensitive information
Released: 2005-03-16

A security issue has been reported in MetaFrame Password Manager, which can be exploited by malicious users to gain knowledge of potentially sensitive information.

Full Advisory: http://secunia.com/advisories/14560/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

From isn at c4i.org Fri Mar 18 02:29:23 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 18 02:45:33 2005
Subject: [ISN] How To Save The Internet
Message-ID:

Forwarded from: security curmudgeon
Cc: sberinato@cio.com

This was certainly an interesting article. Bit naive.. bit of FUD.. bit of hypocrisy.. it had it all! All in all, I rate this piece a Big load of crap. Comments inline..

: http://www.cio.com/archive/031505/security.html
:
: BY SCOTT BERINATO
:
: Professor Hannu H. Kari of the Helsinki University of Technology is a
: smart guy, but most people thought he was just being provocative when he
: predicted, back in 2001, that the Internet would shut down by 2006.
: "The reason for this will be that proper users' dissatisfaction will
: have reached such heights by then that some other system will be
: needed,"

I don't think I need to cover how absurd "the internet would shut down" is.
Hell, people still have trouble defining it, let alone declaring "it" shut down.

: Kari holds dozens of patents. He helped invent the technology that
: enables cell phones to receive data. He's a former head of Mensa
: Finland. Still, many observers pegged him as an irresponsible doomsayer
: and, seeing as how he consults for security vendors, a mercenary one at
: that.

Sounds like another case of academia promoting their ideas without grounding themselves in a healthy dose of reality. Mensa and patents mean nothing really. I think he is confusing user disgust with the internet being "shut down". And for all of his stats on worms and viruses and cyberattacks and spam (and oh my!), I'd love to see his statistics showing any trend of portions of the internet "shutting down" or users giving up on the net completely due to frustration. Sure, lots of bad things continue to happen and the trend is growing.. but how about this result he predicts? Any statistics or trends to back the rest?

: attacking the machines it targeted. Paul Stich, CEO of managed
: security provider Counterpane, reports that attempted attacks on his
: company's customers multiplied from 70,000 in 2003 to 400,000 in 2004,
: an increase of over 400 percent. Ed Amoroso, CISO of AT&T, says that

I think we're close to the ten year anniversary of asking journalists (and most security professionals) the following question: What exactly do you mean by 'attack'? Remember, a lot of these FUD spreaders (including .gov agencies) count a *ping* as an attack. Without qualifying what 'attack' means, any statistic that mentions said 'attacks' is *worthless fluff*.

: among the 2.8 million e-mails sent to his company every day, 2.1
: million, or 75 percent, are junk. The increasing clutter of online junk
: is driving people off the Internet. In a survey by the Pew Internet and
: American Life Project, 29 percent of respondents reported reducing their
: use of e-mail because of spam, and more than three-quarters, 77 percent,
: labeled the act of being online "unpleasant and annoying." Indeed, in

And how many of those people STOPPED using the net as a result? Almost everyone I know thinks that driving to and from work is "unpleasant and annoying", yet less than 0.01% stopped doing it.

: Kari may have overstepped by naming a specific date for the Internet's
: demise, but fundamentally, he's right. The trend is clear.

The *trend* has been there for a DECADE. Why say 2006 again?

: What was left was an impressive, broad and, sometimes, even fun list of
: Big Ideas to fix information security. Let's hope some take shape before
: 2006.
:
: Get All the Smart People Together and Give Them Lots of Money
: The best place to start is with a Big Idea to concentrate and organize
: all the other big ideas: a Manhattan Project for infosecurity.

Great idea, who pays the bill? Who determines the "smart people"? How long does it take for them to define the problems before developing technical solutions? Once they figure out brilliant solutions, how do you get everyone to implement them?

: Hire a Czar
: A surgeon general-like figure for security is not only a Big Idea; it's
: a popular one. Several folks suggest creating some kind of "government
: leader" or "public CIO for security," none more vocally than Paul Kurtz,
: the executive director of the Cyber Security Industry Alliance.

Hire a Czar, that's an original thought..

U.S. cybersecurity chief resigns
http://www.infoworld.com/infoworld/article/04/10/01/HNchiefresigns_1.html
Amit Yoran, director of the DHS National Cyber Security Division since September 2003, resigns.

--

U.S. Cybersecurity Czar to Resign
http://www.wired.com/news/politics/0,1283,57454,00.html
Richard Clarke, currently the nation's top cybersecurity adviser, will resign from government.
Having a "cyber security czar" is a pointless task unless his position means something, and has some real power.

: Eliminate All Coding Errors Within Two Years
: Mary Ann Davidson, CSO of Oracle and champion of the quality coding
: movement, says she's tired of coders arguing that their jobs are too
: creative to eliminate errors such as buffer overflows, that coding's an
: art, not a science.
:
: Davidson knows that, with billions of lines of legacy code and billions
: more in development, eliminating all coding errors is quite a lofty
: goal.

Oh this is hands down the most amusing, ironic AND disgusting thing I have read in a while. Hey Mary, you hypocritical pop tart, YOU WORK FOR ORACLE. Your products have more vulnerabilities than features year after year! You are the *last* person/company that should EVER speak on security practices. Davidson has been with Oracle for more than 15 years and the number of vulnerabilities in their products is getting *worse*, not better. You show the rest of the world that your idea can work at Oracle, and I am sure the rest will follow.

: Pry PCs from Their Cold, Dead Hands
: Guns are dangerous; therefore, we license them. We give them unique
: serial numbers and control their distribution. James Whittaker says
: programmable PCs are dangerous, so why not treat them like guns?

According to the CDC, there were 17,638 homicides in 2002 [1]. We license guns for a reason. In 2001, there were 42,443 deaths from automobile accident injuries [2]. We license automobile drivers for a reason. In 2001, 2002, 2003 and 2004, how many deaths were attributed to computers? According to one worldwide study, smoking was blamed for 5 million deaths in 2000 [3], and we don't even license people to purchase smoking products. Statistics and logic aside, who determines or standardizes the licensing? Who issues them? Who polices and revokes them?
: Call the Cybercops
: With a "Cyberpol," you could license private eyes and forensic experts
: who not only would facilitate the cooperation but also would improve
: response time, as there already isn't enough law enforcement for
: cybercrime.

And should this 'Cyberpol' follow 'Interpol'? What happens when a country doesn't participate or honor Interpol requests? What happens when a "licensed private eye" goes to a U.S. based ISP and asks for logs that require a federal subpoena? It just added a layer of bureaucracy and hindered the investigation, potentially when time is critical.

: Unleash the Power of XML and Meta-Data
: Several people suggest using XML and meta-data to tag websites with
: safety, reputation, past performance and other security ratings to act
: as signposts for dangerous cyberneighborhoods. A virtual Better Business
: Bureau could manage the data so that when users visit a website, their
: computers pull down the XML meta-data about that site.

This has an obvious problem. Who exactly decides what sites are bad.. this new virtual BBB? Take organizations that try to do this for specific areas of the industry right now. SpamCop or other blackhole list maintainers and commercial content filter products are the first to come to mind. If these are indications of what this virtual BBB might accomplish, no thanks. Many people feel they do as much harm as they do good. My domain has sent out 0 spam in the past 5 years, yet we have been blacklisted on at least three different RBL lists including SpamCop (several times). Each time it took a small miracle to get the domain removed entirely due to THEIR process for handling such cases. Almost every single content filtering software blocks my domain.. why? Criminal activity says one.. pornography says another.. hacker material says a third. Yet every security company and federal law enforcement agency *relied* on the information we provided for several years.
These designations are completely subjective based on the audience, something no software or programmer can adequately determine and enforce. How exactly is this proposed BBB going to handle rating the 60,442,655 web sites available in March of 2005 [4]?

All in all, this list of Big Ideas seems like a Big joke mostly written by Big windbags that don't understand the Big internet that they propose to drastically change.

jericho
attrition.org

[1] http://www.cdc.gov/nchs/fastats/homicide.htm
[2] http://www.wrongdiagnosis.com/a/automobile_accidents_injury/deaths.htm
[3] http://my.webmd.com/content/article/97/104239.htm?z=1728_00000_1000_nd_04
[4] http://news.netcraft.com/archives/web_server_survey.html

From isn at c4i.org Fri Mar 18 02:34:45 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 18 02:45:36 2005
Subject: [ISN] France puts a damper on flaw hunting
Message-ID:

Forwarded from: Kitetoa at Kitetoa.com

> Forwarded from: security curmudgeon
>
> Would be nice if some of the French speaking list members could
> translate the court ruling and help clear this up.

*************************************************

The question starts to spread on the mailing-lists and the forums about computer security. Is the trial "Tegam versus Guillermito" and the resulting suspended 5000 euros fine, for counterfeiting and diffusion of a proof of concept program, a threat to the right to search for bugs? Does this judgment mean the end, in France, of the full disclosure concept? Does it create a permanent legal risk for the security experts? In other words, is there a legal risk for all the bug researchers if a company does not accept criticism of its software, as was the case for the Tegam versus Guillermito trial?

Let me tell you what **I** think (what **I** think may not be true, who knows?..).

Yes and No

Let's get back to the verdict. This personal analysis is not a legal analysis, as I'm not a lawyer...
Guillermito was found guilty of counterfeiting and publishing the result of the counterfeit stuff (which in fact were a few P.O.Cs). This means that the court indeed estimated that Guillermito *is* guilty of counterfeiting Viguard, Tegam's software (because he didn't have a valid licence). According to the judges' ruling, he did publish the counterfeit software.

How do you do this when you are studying how a software works (or doesn't work as it should)? Guillermito did not buy his software (he lives in the US where he could not buy it in the stores, nor online, and there was no demo version available). Later on, before publishing anything on his website, a Viguard user did send him his own software and licence number. But the court did not buy this argument.

So... Guillermito worked on an unregistered version of Viguard. He wrote a few P.O.Cs (proof of concept). And he published these P.O.Cs on his web page. That is why the ruling says he did publish the "counterfeit software". Keep in mind all this is about intellectual property and has nothing to do with re-creating a brand new Viguard, which he didn't.

Security experts might say that because of all these details, the situation is a little bit different from what they deal with every day. There is also a big debate (the court didn't even mention this fact) because Tegam says Guillermito used decompilation, which he strongly denies. Same stuff for the fact that Guillermito could not get a valid licence of Viguard as it is not sold in the US. Same for the fact that apparently, Tegam did include Guillermito's findings in their next software version. But judges only look at the legal part. They didn't get much into the technical side for the ruling.

So... will this ruling set a legal precedent for full disclosure?

Yes and no...

Yes, because as far as I know this is the first time in this country that a bug hunter is sued by a software company (sir, he hadn't got a licence!).
In a future case like this one, a lawyer will certainly mention this precedent. The judge will not **have to** take the same decision. Moreover, this is just a first decision. There may be an appeal.

No, because in this case, Guillermito didn't own a valid licence of this software. Obviously French bug hunters will dodge this kind of problem by buying the software they want to analyze. Of course, it will be impossible to publish anything about a non-French program that cannot be bought in a store or online.

This being said, this decision will produce some collateral damage on bug hunting. As we already wrote about it on kitetoa.com, French computer security mailing lists, French computer security firms, individuals, CERTs or CERTA will take a heavy legal risk if at one point they decide to publish an advisory written by someone from another country, without knowing if the hacker had a valid licence for the software. They could probably be sued for publishing counterfeited information if there is a POC.

So, we can say that France just shot herself in the foot. It is now difficult to publish and spread computer security information, because each time, people will have to verify that the work was done on a software with a valid licence. Good luck.

Here are, for those who read French, some comments on this case made by a lawyer who followed the whole story and was present during most of the trial:
http://maitre.eolas.free.fr/journal/index.php?2005/03/08/87-guillermito-condamne-mais-tres-legerement

Finally, after reading this excellent comment by Maitre Eolas, computer specialists can wonder about the amount of bytes reproduced in the POCs, which transforms them into counterfeiting. Viguard is probably around several megabytes of data. From how many reproduced bytes do we have counterfeiting, if we don't have a valid licence? And what if we do have a valid licence?
Read also in English:
http://www.eweek.com/article2/0%2C1759%2C1758513%2C00.asp
http://www.theregister.co.uk/2005/03/10/tegam_verdict/
http://www.theregister.co.uk/2005/01/12/full_disclosure_french_trial/
http://www.zdnet.com.au/news/security/0%2C2000061744%2C39183862%2C00.htm
http://www.zdnet.com.au/news/security/0,2000061744,39176657,00.htm
http://www.zdnet.com.au/news/security/0,2000061744,39176920,00.htm

From isn at c4i.org Fri Mar 18 02:35:40 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 18 02:45:39 2005
Subject: [ISN] Auditors Find IRS Workers Prone to Hackers
Message-ID:

http://www.sfgate.com/cgi-bin/article.cgi?file=/news/archive/2005/03/16/national/w162055S07.DTL

By MARY DALRYMPLE, AP Tax Writer
March 16, 2005

WASHINGTON (AP) - More than one-third of Internal Revenue Service employees and managers who were contacted by Treasury Department inspectors posing as computer technicians provided their computer login and changed their password, a government report said Wednesday.

The report by the Treasury Department's inspector general for tax administration reveals a human flaw in the security system that protects taxpayer data. It also comes on the heels of accounts of thieves' breaking into computer systems of private data suppliers ChoicePoint Inc. and LexisNexis.

The auditors called 100 IRS employees and managers, portraying themselves as personnel from the information technology help desk trying to correct a network problem. They asked the employees to provide their network logon name and temporarily change their password to one they suggested.

"We were able to convince 35 managers and employees to provide us their username and change their password," the report said.

That was a 50 percent improvement when compared with a similar test in 2001, when 71 employees cooperated and changed their passwords.

"With an employee's user account name and password, a hacker could gain access to that employee's access privileges," the report said.

"Even more significant, a disgruntled employee could use the same social engineering tactics and obtain another employee's username and password," auditors said. With some knowledge of IRS systems, such an employee could more easily get access to taxpayer data or damage the agency's computer systems.

Employees gave several reasons for complying with the request, in violation of IRS rules that prohibit employees from divulging their passwords. Some said they were not aware of the hacking technique and did not suspect foul play, or they wanted to be as helpful as possible to the computer technicians. Some were having network problems at the time, so the call seemed logical. Other employees could not find the caller's name in a global IRS employee directory but gave their information anyway. Some hesitated but got approval from their managers to cooperate.

Within two days after the test, the IRS issued an e-mail alert about the hacking technique and instructed employees to notify security officials if they get such calls. The agency also included warnings in its mandatory security training.

-=-

On the Net:
Treasury Inspector General for Tax Administration: www.treas.gov/tigta

From isn at c4i.org Fri Mar 18 02:36:09 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 18 02:45:41 2005
Subject: [ISN] Security Services Heading for Boom Years
Message-ID:

http://www.arabnews.com/?page=1&section=0&article=60569

Javid Hassan
Arab News
17th March 2005

RIYADH, 17 March 2005 - With the demand for security products and systems expected to double or even treble this year from the current level of $200 million annually, security analysts say business inquiries are streaming in from two directions - IT-related security for Saudi firms and physical security for Western expatriates working in joint ventures.

"The political situation in the Middle East remains uncertain.
As a result, every company with operations in the region, and especially in Saudi Arabia, recognizes the need for heightened security," said Neil Quilliam, senior analyst, Middle East, Control Risks Group, which maintains the largest presence in the Kingdom, where it supports major corporate and government clients in the oil, chemical and energy sectors.

Quilliam, now in Riyadh as a member of the British Water and Environmental Technologies Mission, worked for a year in Jeddah during the late 1990s. He feels that his stay in the Kingdom has enabled him to understand the dynamics of Saudi society and, therefore, the dimensions of security in a given situation.

"We are the world's leading international business risk consultancy operating in over 130 countries with more than 5,300 clients," he said, adding that their political analysts advise the client on likely developments over the medium- to long-term risk in Saudi Arabia. "Our Control Risks Information Service has helped clients stay abreast of developments and to plan journeys to meet Saudi counterparts in Riyadh and Alkhobar."

According to him, demand for security services will escalate in the Kingdom as it scouts for overseas investment.

From isn at c4i.org Fri Mar 18 02:36:44 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 18 02:45:44 2005
Subject: [ISN] Johnson & Johnson tackles security pain
Message-ID:

http://www.nwfusion.com/news/2005/031405-johnson-johnson.html

By Ellen Messmer
Network World
03/14/05

For Johnson & Johnson, the health-care giant with more than 200 separate companies operating in 54 countries, one of the biggest problems encountered in e-commerce was finding a way to quickly get business partners access to the network but enforce security. The problem vexed the Brunswick, N.J., maker of pharmaceuticals and medical equipment because e-commerce partners, once given access, sometimes introduced worms and viruses into the company's network.
In addition, the process of reviewing business requests for network access between a J&J unit and its intended partner had become burdensome, delaying e-commerce transactions.

However, IT staff at J&J said since new security procedures put in place a year ago altered the equation, it has been much faster to process network-access requests. Through the uniform monitoring and documentation processes, security has improved, with worm and virus outbreaks emanating from business partners reduced to nil.

"The documentation is still a bit cumbersome, but now it's a repeatable process," says Thomas Bunt, director of worldwide information security at J&J, about the challenge of providing network access for business partners. "We're facing an increased demand for external connections, and it wasn't easy to do this."

When a business manager at J&J wants to have counterparts in outside firms gain access to internal applications for e-commerce, the IT department is summoned to assess risk. First, the J&J unit and the outside firm have to fill out a detailed questionnaire about the nature of the connection request, says Denise Medd, information security senior analyst.

In addition, J&J expects the intended e-commerce partner to submit to a security assessment and evaluation. This vulnerability assessment may be done by a neutral third party, but the goal is to ensure that doing business via the network connection, which is typically opened up via a J&J firewall, presents no unnecessary risks.

The J&J operating company, officially known as "the sponsor," is held to the same standards, Medd emphasizes. Occasionally, a request for network access is turned down, especially if the J&J side has servers lacking proper patch-update mechanisms or other shortcomings. "There is a final review, and we will not let an insecure connection go live," Medd says.

The IT and security professionals at J&J worked with the legal department to craft standard procedures for requests and evaluations. J&J and its partner also must complete a contract or memo of understanding regarding the network connection to be established.

"We'll look closely at what the connectivity is, and typically a limited number of people could have access," Bunt says, pointing out that J&J strives to accommodate requests for a range of VPN access methods. J&J also includes an inspection process every six months to ascertain the security of the network connection.

The risk management procedure has resulted in a dramatic drop in virus and worm outbreaks. Sometimes business project managers grumble about the assessment process, but management's solid backing of it has made it a uniformly enforced process that is in effect with hundreds of outside firms, Bunt says.

The IT department says it hopes to streamline the risk evaluation further by drawing up standardized interconnection security agreements and a uniform set of questions to ask outside firms wanting access to J&J's internal network. "We also need to better explain to our partners why they need to do this and how they benefit by getting a good look at our security posture," Bunt says.

From isn at c4i.org Fri Mar 18 02:37:59 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 18 02:45:46 2005
Subject: [ISN] Security UPDATE--The Future of Malware Defense? -- March 16, 2005
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

High Availability for Windows Services
http://list.windowsitpro.com/t?ctl=53D5:4FB69

10 Ways to Effectively Secure Active Directory
http://list.windowsitpro.com/t?ctl=53D9:4FB69

====================

1. In Focus: The Future of Malware Defense?

2. Security News and Features
   - Recent Security Vulnerabilities
   - New Security Patches and Updates from Microsoft
   - Microsoft Takes Action Against Malware

3. Instant Poll

4. Security Toolkit
   - Security Matters Blog
   - Security Chat
   - FAQ
   - Security Forum Featured Thread

5. New and Improved
   - Fight Phishing

====================

==== Sponsor: The Neverfail Group ====

High Availability for Windows Services

It is no stretch to say that Windows high availability must be a fundamental element in your short- and long-term strategic IT planning. This free white paper discusses the core issues surrounding Windows high availability, with a focus on business drivers and benefits. You'll learn about the current market solutions, technologies and real-world challenges including cost-benefit analyses. Plus, find out how to assess technical elements required in choosing a high availability solution, including the robustness of the technology, time-to-failover, and implementation difficulties. Download this white paper now!
http://list.windowsitpro.com/t?ctl=53D5:4FB69

====================

==== 1. In Focus: The Future of Malware Defense? ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

You're probably aware that Microsoft is working on branding its antivirus and antispyware solutions. The company has already released an antispyware solution into public beta testing and has acquired well-established GeCAD Software and Sybari Software antivirus products. Some industry analysts think that the most logical way to address spyware is to evolve antivirus solutions to incorporate the ability to prevent spyware from infecting systems in the first place. That's a reasonable approach, even though it's another step towards a single point of failure, which many security administrators try to avoid.

I read some interesting comments at CNET.com, which published an interview with Bill Gates.
The article implied that eventually antivirus solutions and possibly antispyware solutions will become integral parts of Windows.

There's more to the story, which isn't covered in the CNET.com article. I mentioned in an earlier column that Microsoft has published a research paper on root kits and has developed a detection tool that it hasn't made available to the public. The company released another interesting research paper several months ago that offers further insight into what other kinds of security-related technology the company might offer in the future.

The second paper, "Can We Contain Internet Worms?," was published in August 2004. In it, Microsoft researchers discuss how worms might become more readily containable as computers collaborate in a more automated manner. The concept, which the researchers have dubbed "Vigilante," proposes "a new host centric approach for automatic worm containment." The summary states that the technology "relies on collaborative worm detection at end hosts in the Internet but does not require hosts to trust each other. Hosts detect worms by analysing attempts to infect applications and broadcast self-certifying alerts (SCAs) when they detect a worm. SCAs are automatically generated machine-verifiable proofs of vulnerability; they can be independently and inexpensively verified by any host. Hosts can use SCAs to generate filters or patches that prevent infection."

You might think of this technology as sort of like a much smarter version of Snort or other intrusion detection and prevention systems. In essence, the proposal discusses a means of having hosts monitor their own activity and automatically contain misbehaving processes. When a host detects a worm, it can generate an alert that's broadcast to other hosts. The general idea is to decentralize detection systems so that worms can't evade detection by evading a particular network point.
A key to the idea is that an SCA could verify worm detection by reproducing its effects. So hosts attain a level of trust by doing their own verification, instead of depending on third parties to provide signatures to endpoint detection systems.

Although the paper doesn't mention this specifically, the implications are huge. The same principles could be applied to viruses, Trojan horses, spyware, and just about any kind of application or network behavior. Such a system would become vulnerability-centric: instead of having to develop signatures for each variation of malware, the system would identify the vulnerability and be able to act to defend the system against it. For example, it could shut down an application, reconfigure a firewall, or generate some sort of patch.

There is much more to learn about the concept in the paper, which you can download in PDF format from the Microsoft Web site.
ftp://ftp.research.microsoft.com/pub/tr/TR-2004-83.pdf

====================

==== Sponsor: NetIQ ====

10 Ways to Effectively Secure Active Directory

Active Directory is vulnerable to malicious and inadvertent security attacks, so protecting Active Directory from internal and external threats is a constant challenge. In this free white paper, learn how to configure Active Directory to be resistant to threats, and regulate changes so data consistency is protected and security policies are enforced. Download this white paper now and learn how to ensure a secure Active Directory environment.
http://list.windowsitpro.com/t?ctl=53D9:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities.
You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=53DA:4FB69

New Security Patches and Updates from Microsoft
Microsoft didn't release any new security bulletins in March, but the company did update previous bulletins (MS02-005 and MS02-015) to include patches for Windows 98 and Windows Me. The company also released an updated version of its Malicious Software Removal Tool.
http://list.windowsitpro.com/t?ctl=53DD:4FB69

Microsoft Takes Action Against Malware
Paul Thurrott examines what Microsoft is doing both this year and next to deal with spyware, adware, and similar types of electronic attacks.
http://list.windowsitpro.com/t?ctl=53DE:4FB69

====================

==== Resources and Events ====

Plan For or Prevent Exchange Messaging Disasters
In this free Web seminar, join Exchange MVP Paul Robichaux as he describes some operational scenarios in which "disaster recovery" takes a back seat to "business continuance." Learn how to be prepared for events that might otherwise wipe out your messaging capability and how you can survive them with your messaging and job intact.
http://list.windowsitpro.com/t?ctl=53D4:4FB69

Get Ready for SQL Server 2005 Roadshow in a City Near You
Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now!
http://list.windowsitpro.com/t?ctl=53D6:4FB69

Infosecurity Europe 2005
Infosecurity Europe is Europe's number one dedicated Information Security event, held April 26-28, 2005, Grand Hall, Olympia, London. Now in its 10th year, the event continues to provide an unrivalled education program, new products & services, exhibitors and visitors from every segment of the industry.
To register for FREE, please visit:
http://list.windowsitpro.com/t?ctl=53E7:4FB69

Empower Users and Produce Substantial ROI
Join industry expert David Chernicoff in this free Web seminar to learn how to integrate and automate fax from messaging systems such as Microsoft Exchange Server and Outlook and various other applications. And learn how to improve document handling and delivery by streamlining the integration of fax services into everyday business processes.
http://list.windowsitpro.com/t?ctl=53D7:4FB69

Achieve High Availability and Disaster Recovery for Microsoft Servers
Attend this free Web seminar for your chance to win a $1000 American Express Gift Check! In this Web seminar, discover what it takes to minimize the likelihood of downtime through reliability and resilience in your Microsoft server environment, including Exchange, SQL Server, File Server, IIS, and SharePoint. Sign up today!
http://list.windowsitpro.com/t?ctl=53D3:4FB69

====================

==== 3. Instant Poll ====

Results of Previous Poll:
Do you think Microsoft should offer Internet Explorer (IE) 7.0 for Windows 2000 platforms? The voting has closed in this Windows IT Pro Security Hot Topic nonscientific Instant Poll. Here are the results from the 44 votes.
- 77% Yes
- 23% No

New Instant Poll:
Do you consider IIS 6.0 to be a secure platform? Go to the Security Hot Topic and submit your vote for
- Yes
- No
http://list.windowsitpro.com/t?ctl=53E1:4FB69

==== 4. Security Toolkit ====

Security Matters Blog
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=53E6:4FB69

Got NT? Better Have Extended Support or a Good Firewall!
Windows NT systems contain a critical vulnerability for which a patch is available--if you have an extended support contract. You can also defend your NT systems with a good firewall.
http://list.windowsitpro.com/t?ctl=53DF:4FB69

Security Event Log Chat
Randy Franklin Smith is one of the foremost authorities on the Windows Security event log and a respected trainer who teaches Monterey Technology Group's "Security Log Secrets" course. Here's your chance to ask Randy your questions about the Security log and get answers Microsoft doesn't provide. Join the chat today at 4:00 P.M. Eastern / 1:00 P.M. Pacific time. For details, visit
http://list.windowsitpro.com/t?ctl=53E4:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=53E2:4FB69

Q. Should I define a "catch-all" subnet for my Active Directory (AD) sites?
Find the answer at http://list.windowsitpro.com/t?ctl=53DC:4FB69

Security Forum Featured Thread: Best Network Security Scanner
A forum participant writes that he's decided to purchase software to check his network for open ports, vulnerabilities, permissive user rights, open shares, accounts with administrative rights, unapproved Instant Messaging (IM) software, and so on. He wonders what the best tool to use might be. Join the discussion at
http://list.windowsitpro.com/t?ctl=53D8:4FB69

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Get Windows IT Pro at 44% Off!
Windows & .NET Magazine is now Windows IT Pro! Act now to get an entire year for just $39.95--that's 44% off the cover price! Our March issue shows you what you need to know about Windows Server 2003 SP1, how to get the best out of your IT staff, and how to fight spyware. Plus, we review the top 10 features of Mozilla Firefox 1.0.
This is a limited-time, risk-free offer, so click here now:
http://list.windowsitpro.com/t?ctl=53E0:4FB69

Get SQL Server Magazine and Get Answers
Subscribe to SQL Server Magazine today and get the latest "Top SQL Server Tips" handbook (includes over 60 helpful SQL Server tips) and free online access to every article ever published in the magazine--that's thousands of problem-solving solutions, expert tips, tricks, and the latest insider notes to help you get the most out of SQL Server. Sign up today:
http://list.windowsitpro.com/t?ctl=53E5:4FB69

====================

==== 5. New and Improved ====
by Renee Munshi, products@windowsitpro.com

Fight Phishing
Cyberworlds offers Swidgets Email Xray, which lets you look inside Microsoft Outlook email messages to detect phishing attempts. The program lets you view your email messages as plain text so there's no possibility of being harmed by a malicious script or link. Email Xray also reveals the email headers and source code and lets you easily email this information to your Help desk or service provider. Email Xray works with Internet email and Microsoft Exchange Server messages, can be installed across a LAN, and lets administrators modify or disable specific features. Email Xray runs under Windows XP/2000/Me/98SE and works with Outlook 2003/2002/2000. Email Xray costs $14.95 (quantity and academic discounts and a 15-day free trial copy are available). For more information, go to
http://list.windowsitpro.com/t?ctl=53E9:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.
Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rsecadmin@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Contact Us ====

About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=53E8:4FB69
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com

====================

This email newsletter is brought to you by Security Administrator, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=53DB:4FB69

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2005, Penton Media, Inc. All rights reserved.

From isn at c4i.org Sat Mar 19 02:16:14 2005
From: isn at c4i.org (InfoSec News)
Date: Sat Mar 19 02:35:12 2005
Subject: [ISN] Dutch hackers sentenced for attack on government sites
Message-ID:

http://www.theregister.co.uk/2005/03/16/dutch_hackers_sentenced/

By Jan Libbenga
16th March 2005

Five computer hackers in the Netherlands have been handed sentences ranging from work orders to youth detention for disabling a number of websites operated by the Dutch government.

A group of around 15 hackers, who called themselves '0x1fe Crew', carried out a Distributed Denial of Service (DDoS) attack last year on the government websites overheid.nl and regering.nl in a protest against recent cabinet proposals. The group claimed cabinet members were its sole targets.
The websites, the central gateway to all information on cabinet policy in the Netherlands, couldn't be reached for five days. The Dutch government immediately launched legal proceedings against the group, and this week five hackers were convicted.

The main suspect, who was given a 38-day detention sentence, says he will appeal. The 18-year-old claims there is no technical proof of his participation in the attacks. "They sentenced me because I was the spokesman for the group," he told news site Webwereld.

It is the first time in the Netherlands that anyone has been convicted for such an attack.

From isn at c4i.org Sat Mar 19 02:17:00 2005
From: isn at c4i.org (InfoSec News)
Date: Sat Mar 19 02:35:16 2005
Subject: [ISN] Linux Advisory Watch - March 18th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|  March 18th, 2005                          Volume 6, Number 11a     |
+---------------------------------------------------------------------+

  Editors:     Dave Wreski                    Benjamin D. Thomas
               dave@linuxsecurity.com         ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for gaim, kdenetwork, squirrelmail, luxman, hwbrowser, at, bind, openoffice, ipsec-tools, sylpheed, koffice, qt, ImageMagick, ethereal, udev, libXpm, Ethereal, rmtree, curl, cyrus-sasl, gnupg, openslp, tetex, postfix, and squid. The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat, and SuSE.

---

>> Enterprise Security for the Small Business <<

Never before has a small business productivity solution been designed with such robust security features. Engineered with security as a main focus, the Guardian Digital Internet Productivity Suite is the cost-effective solution small businesses have been waiting for.
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn07

---

Information Security

In today's business world there is an ever-growing reliance on information technology. Businesses and organizations rely on IT for distributed processing, the automation of tasks and electronic commerce. Processing that would have been done by hand years ago is now done completely on computers. This has evolved so much that many tasks are no longer feasible to conduct by hand. In fact, in some cases it would be impossible.

Typical business objectives include maximizing profit, having high sustainable growth, and keeping costs low. In information security, we are aiming to preserve the confidentiality, integrity, and availability of information from disclosure, modification, destruction or misuse. Businesses are at risk of loss of income, loss of competitive advantage, or possibly legal penalties if not compliant with regulations.

Why information security? Information is an essential resource for business today. Having the right information at the right time in the hands of the right people is often the difference between profit and loss, and between success and failure. We must understand that information is a key business asset and that preserving confidentiality, integrity, and availability is crucial to the continued success of the business. Once again, manual processing is no longer a feasible option. In the event of a failure, employees would lose productivity and it would be very costly to the company.

Information security can help protect from confidentiality breaches. In the event of the unauthorized disclosure of schematics, a business could lose millions to a competitor, along with R&D time and money. Ensuring data integrity is also essential. Information security is also important to detect any violations that may occur, or mitigate any consequential damages that may result from a breach.
Also, information security practice can aid in planning and facilitate a recovery strategy, ensuring that impact and loss are minimized. In the event of an investigation, having proper information security procedures in place can assist in the process of gathering evidence.

If managed properly, information security can be a business enabler. Rather than the 'badge and gun' attitude, information security professionals should approach it from a business perspective. How can information securi