From isn at c4i.org Tue Mar 1 04:46:26 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 1 04:54:28 2005
Subject: [ISN] Payroll website still not secured
Message-ID:

http://www.boston.com/business/articles/2005/03/01/payroll_website_still_not_secured/

By Hiawatha Bray
Globe Staff
March 1, 2005

Boston software entrepreneur Aaron Greenspan, who revealed serious security flaws in the website of Tennessee payroll company PayMaxx Inc. last week, said yesterday that the site remains insecure.

Greenspan said that a computer hacker still could use the site to obtain the Social Security numbers of hundreds of Americans. Greenspan called the management of PayMaxx "incompetent," and urged Congress to investigate the company. "They have no idea what they're doing," he said.

Greenspan's company, Think Computer Corp., had its payrolls prepared by PayMaxx, of Franklin, Tenn., until late last year. After ending their relationship, Greenspan found that his name, address, Social Security number, and other personal data were still available on the PayMaxx website, which could be accessed by entering zeroes in the site's login windows. Greenspan also found that he could obtain the same information about other PayMaxx customers by typing random numbers into the browser's address window. He estimated that up to 100,000 files could be accessed this way.

After being contacted by the Globe, PayMaxx shut down the insecure website service. But yesterday, Greenspan said he found another way into the system. This time, he demonstrated for the Globe how a data thief could obtain the Social Security numbers of people listed in the PayMaxx system. Greenspan said that PayMaxx apparently used workers' Social Security numbers to identify them to the website software. But the company's method made it easy to read those numbers by merely activating the "view source" feature found on all Web browsers.
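[Editor's added example, not part of the Globe article and not PayMaxx's code. The two failures the article describes, a record fetched by a guessable number from the address bar with no check of who is asking, and a Social Security number used as the identifier embedded in the page source, are shown below in a hypothetical payroll lookup beside a hardened version. The record store, session shape, field names and status codes are assumptions made for the illustration.]

```python
"""Insecure direct object reference (IDOR) and SSN-in-markup, vulnerable vs hardened.
Hypothetical code for illustration; the data, session layout and status codes are assumed."""
import html
import secrets

# Constructed sample data: each pay stub belongs to exactly one customer account.
# Sequential numeric IDs are what let an attacker "type random numbers" into the URL.
PAY_STUBS = {
    1001: {"owner": "acct-a", "name": "Employee A", "ssn": "000-00-0001", "net_pay": "1234.56"},
    1002: {"owner": "acct-b", "name": "Employee B", "ssn": "000-00-0002", "net_pay": "2345.67"},
}


def lookup_vulnerable(stub_id, session):
    """Vulnerable: trusts the ID from the URL and never asks who the caller is.
    An empty (or zero-credential) session enumerates every record just as well."""
    return 200, PAY_STUBS[stub_id]


def lookup_hardened(stub_id, session):
    """Hardened: require an authenticated account and check that the record belongs to it.
    'Missing' and 'not yours' both return 404 so the endpoint is not an oracle for valid IDs."""
    account = session.get("account")
    if not account:
        return 401, None
    record = PAY_STUBS.get(stub_id)
    if record is None or record["owner"] != account:
        return 404, None
    return 200, record


def render_vulnerable(record):
    """Vulnerable rendering: the SSN doubles as the person identifier and lands in the
    HTML, so 'view source' reveals it even though it is never displayed on screen."""
    return (f'<input type="hidden" name="emp" value="{record["ssn"]}">'
            f"<p>Net pay: {record['net_pay']}</p>")


def render_hardened(record, token_store):
    """Hardened rendering: an opaque random per-response token stands in for the person;
    the token-to-SSN mapping stays server-side and sensitive fields are escaped and masked."""
    token = secrets.token_urlsafe(16)
    token_store[token] = record["ssn"]          # never sent to the client
    masked = "***-**-" + record["ssn"][-4:]
    return (f'<input type="hidden" name="emp" value="{html.escape(token)}">'
            f"<p>SSN: {html.escape(masked)}</p>"
            f"<p>Net pay: {html.escape(record['net_pay'])}</p>")


def markup_leaks_ssn(page, record):
    """The check a reviewer runs: does the raw markup contain the full SSN?"""
    return record["ssn"] in page
```

The ownership check is the essential fix; the opaque token only matters once the lookup is authorized, since a secret identifier in the page is still an identifier an attacker can replay if the server never asks whose it is.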
A spokesperson for PayMaxx said that the company would shut down the site entirely until questions about its security were resolved. The spokesperson also said that there was no indication that anybody had stolen personal data from the site.

Greenspan said he's contacted the office of US Senator Charles Schumer, Democrat of New York. Schumer has called for legislation to limit data-mining services that contribute to identity theft. Congressional concern over the potential privacy threat erupted in February, when ChoicePoint Inc., a Georgia firm that keeps files on millions of Americans, admitted that it mistakenly sold 140,000 files to criminals.

From isn at c4i.org Tue Mar 1 04:46:55 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 1 04:54:30 2005
Subject: [ISN] Linux Security Week - February 28th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  February 28th, 2005                          Volume 6, Number 9n   |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin D. Thomas      ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Linux kernel to include IPv6 firewall," "Automated Patching: An Easier Approach to Managing Your Network Security," and "Honeypot Project finds decline in Linux attacks."

---

>> Enterprise Security for the Small Business <<

Never before has a small business productivity solution been designed with such robust security features. Engineered with security as a main focus, the Guardian Digital Internet Productivity Suite is the cost-effective solution small businesses have been waiting for.
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn07

---

LINUX ADVISORY WATCH

This week, advisories were released for emacs, gftp, bidwatcher, mailman, squid, mod_python, kdeedu, gamin, pcmcia, openssh, postgresql, gimp, midnight commander, gproftpd, cyrus imap, cups, kdelibs, xpdf, uim, cpio, and vim. The distributors include Debian, Fedora, Gentoo, Mandrake, Red Hat, and SuSE.

http://www.linuxsecurity.com/content/view/118428/150/

---------------

Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, therefore very simple.

http://www.linuxsecurity.com/content/view/118181/49/

---

The Tao of Network Security Monitoring: Beyond Intrusion Detection

The Tao of Network Security Monitoring is one of the most comprehensive and up-to-date sources available on the subject. It gives an excellent introduction to information security and the importance of network security monitoring, offers hands-on examples of almost 30 open source network security tools, and includes information relevant to security managers through case studies, best practices, and recommendations on how to establish training programs for network security staff.

http://www.linuxsecurity.com/content/view/118106/49/

---

Encrypting Shell Scripts

Do you have scripts that contain sensitive information like passwords and you pretty much depend on file permissions to keep it secure? If so, then that type of security is good provided you keep your system secure and some user doesn't have a "ps -ef" loop running in an attempt to capture that sensitive info (though some applications mask passwords in "ps" output).
http://www.linuxsecurity.com/content/view/117920/49/

--------

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* Knoppix Hacks
21st, February, 2005

Many people, at least people in the techno-geek world, are familiar with Knoppix at least far enough to know it is a version of Linux. Some of those people may even know that it is a portable version of Linux that is able to boot entirely from the CD without the need for any installation. But, this book will show those people just how versatile and powerful a tool Knoppix can be, even for supporting and maintaining Windows systems.

http://www.linuxsecurity.com/content/view/118393


* HITB E-Zine: Issue #36 Released
20th, February, 2005

After a nice Chinese New Year break we are pleased to bring you Issue #36 of the HITB e-zine. This is a pretty interesting issue with an exclusive article on Red Hat PIE Protection written by Zarul Shahrin as well as an article on building a simple wireless authenticated gateway using OpenBSD by Rosli Sukri (member of the HITB CTF Crew).

http://www.linuxsecurity.com/content/view/118389


* Linux kernel to include IPv6 firewall
21st, February, 2005

Version 2.6.12 of the Linux kernel is likely to include packet filtering that will work with IPv6, the latest version of the Internet Protocol.
Netfilter/iptables, the firewall engine that is part of the Linux kernel, already allows stateless packet filtering for versions 4 and 6 of the Internet protocol, but only allows stateful packet filtering for IPv4. Stateful packet filtering is the more secure method, since it analyses whole streams of packets, rather than only checking the headers of individual packets, as is done in stateless packet filtering.

http://www.linuxsecurity.com/content/view/118398


* Firewall Builder 2.0.6
24th, February, 2005

Firewall Builder consists of an object-oriented GUI and a set of policy compilers for various firewall platforms. In Firewall Builder, a firewall policy is a set of rules; each rule consists of abstract objects that represent real network objects and services (hosts, routers, firewalls, networks, protocols).

http://www.linuxsecurity.com/content/view/118422


* Automated Patching: An Easier Approach to Managing Your Network Security
22nd, February, 2005

Patch management is an essential administration task within today's busy IT networks with the constant threat of new security bugs. Some companies will wait for an attack before taking necessary action to protect themselves from further threat, whilst others consider patching as often as possible.

http://www.linuxsecurity.com/content/view/118401


* Security holes affect multiple Linux/Unix products
23rd, February, 2005

Attackers could launch malicious code by exploiting vulnerabilities in a file transferring tool used in many Linux and Unix systems, according to two security firms.

http://www.linuxsecurity.com/content/view/118414


* Zen and the Art of Intrusion Detection
22nd, February, 2005

If a tree falls in a forest with no-one to hear it, does it make a sound? So goes a typical zen-like philosophical question. While it's thought-provoking, what does it have to do with Intrusion Detection Systems (IDS)? Simple: if you're not there to watch the tree fall, do you need to know whether it fell or not?
The same principle applies with IDS.

http://www.linuxsecurity.com/content/view/118402


* Review: Linux Server Security
23rd, February, 2005

Staying on my current security theme, O'Reilly has published a second edition of Linux Server Security by Michael D. Bauer. The book, targeted toward those managing Internet-connected systems, also known as bastion hosts, packs a powerful arsenal of security design, theory and practical configuration schemes into 500 pages.

http://www.linuxsecurity.com/content/view/118412


* Oracle wraps top-notch security around Linux
23rd, February, 2005

Oracle has tightened up the security of a number of its products to allow customers to use them in critical national infrastructures, including in conjunction with open source technology from Linux. Oracle has met the Common Criteria Evaluations at the EAL4 level, the highest industry security level for commercial software, for its Oracle Internet Directory, a middleware component of Oracle Identity Management; Oracle9i Database release 2; and the Oracle9i Label Security release 2.

http://www.linuxsecurity.com/content/view/118415


* How to cut patchwork and save a cool $100m
24th, February, 2005

According to Gilligan, a new vulnerability is discovered nearly every day in the commercial software products the Air Force uses, not just Microsoft, but also Linux, Oracle and Cisco Systems. "What we are now reaping is the unfortunate consequence of an era of software development in the 90s, when the rush to get the product to market overrode the importance of correctness in the quality of the software."

http://www.linuxsecurity.com/content/view/118419


* Novell appliance takes security to the edge
22nd, February, 2005

Novell has developed a Linux-based "perimeter security" hardware appliance that protects companies against security threats such as hackers, viruses, worms, spam and network intrusions. Novell launched the Novell Security Manager at last week's RSA conference.
It is aimed at small and medium-sized businesses.

http://www.linuxsecurity.com/content/view/118400


* Firefox phishing flaw fixed
25th, February, 2005

A vulnerability that could allow Web addresses to be spoofed has been fixed in an updated version of the Firefox browser. The Mozilla Foundation released an update to the Firefox Web browser on Thursday to fix several vulnerabilities, including one that would allow domain spoofing.

http://www.linuxsecurity.com/content/view/118429


* Arkeia Network Backup Agent Remote Access (Exploit?)
21st, February, 2005

On February 18th, 2005 "John Doe" posted a remote buffer overflow exploit for the Arkeia Network Backup Client. This vulnerability affected all known versions of the software, going back as far as the 4.2 series (when the company was called Knox). The buffer overflow occurs when a large data section is sent with a packet marked as type 77. The Arkeia Network Backup Client is your typical backup agent; it runs with the highest privileges available (root or LocalSystem) and waits for a connection from the backup server. The Arkeia client and server both use TCP port 617 for communication. According to the SANS ISC, the kids are wasting no time.

http://www.linuxsecurity.com/content/view/118392


* Honeypot Project finds decline in Linux attacks
24th, February, 2005

Unpatched Linux systems are lasting longer on the internet before being compromised, according to a study by the Honeynet Project, a nonprofit group of security professionals that researches online attackers' methods and motives. Data from 12 honeynets showed that the average "life expectancy" of an unpatched Linux system has increased to three months from 72 hours two years ago.

http://www.linuxsecurity.com/content/view/118420


* Is variable response the key to secure systems?
21st, February, 2005

Intrusion detection software (IDS) first made a serious impression on the European security market in the late 1990s.
As with vulnerability scanning products, how good it was depended on where it got its database from and how often it was updated. IDS then languished for a few years with little variation. Improvements in alerting, refinements in detecting false positives and more enterprise scalability were the notable developments.

http://www.linuxsecurity.com/content/view/118394


* Linux For The Future
22nd, February, 2005

Red Hat spent last week trying to get customers to expect more from Linux, talking up the release of the first version of its operating system based on the 2.6 Linux kernel. Red Hat Enterprise Linux 4 adds a number of security, scalability, desktop, and management features.

http://www.linuxsecurity.com/content/view/118399


* Insecure ISP Support Is No Help at All
23rd, February, 2005

Hello, this is officer support of the ISP Police Department. You say you're worried that someone might try to steal your car? OK, I'm going to try to troubleshoot this problem for you, but I need you to do two things. First, I'm going to need you to bring your car down so we can check it out. But I want you to park your car in a poorly lighted lot in a shady part of town. Trust me, we handle this kind of thing all the time.

http://www.linuxsecurity.com/content/view/118413


* Feds square off with organized cyber crime
24th, February, 2005

Computer intruders are learning to play well with others, and that's bad news for the Internet, according to a panel of law enforcement officials and legal experts speaking at the RSA Conference in San Francisco last week. Christopher Painter, deputy director of the Justice Department's computer crime section, spoke almost nostalgically of the days when hackers acted "primarily out of intellectual curiosity." Today, he says, cyber outlaws and serious fraud artists are increasingly working in concert, or are one and the same. "What we've seen recently is a coming together of these two groups," said Painter.
http://www.linuxsecurity.com/content/view/118421


* Entrepreneur-professor teaches students to stop hackers, viruses, has lessons for all
25th, February, 2005

Access the Internet using an unprotected personal computer and a hacker will be knocking at the door within about 45 seconds. Do that with a Web server and in less than 15 minutes, there's a 50-50 chance it's been taken over by someone who can use it to send spam e-mails all over the world that can be traced back to you. Hook up that new wireless router you bought at the consumer-electronics store, use the default settings, and someone can park outside on the street or sit next door and download porn using your broadband connection.

http://www.linuxsecurity.com/content/view/118430


* Mesh Networking Soars to New Heights
19th, February, 2005

Mesh Networking and community wireless broadband reached new heights with a world first for Locustworld MeshAP PRO when a Shadow microlight aircraft flew over Lincolnshire UK and successfully tested air to ground mesh networking and voice over broadband. South Witham broadband (Lincolnshire UK) joined forces with Make Me Wireless (Australia) and using LocustWorld MeshAP PRO and Asterisk VoIP equipment, seamlessly created air to ground voice communications at 2000 feet with the 16 node South Witham community broadband network.

http://www.linuxsecurity.com/content/view/118387

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue Mar 1 04:47:35 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 1 04:54:32 2005
Subject: [ISN] Hackers are real-time. Are you?
Message-ID:

http://www.s-ox.com/Feature/detail.cfm?ArticleID=623

By Phil Hollows
2005-02-28

From a Sarbanes-Oxley Section 404 perspective, any breach in IT security represents a risk to an internal system, including those covered by the standards implicit in section 404's mandates. Since IT underlies the very business of recording and reporting all financial activity, it follows that a lack of control over IT security would imply a lack of control over the organization's financial reports, in direct violation of SOX section 404.

Since any compromised IT system, or an unmanaged attack that could create a compromise, can then be used to attack, compromise and degrade the integrity of the IT systems supporting a covered firm's financial systems, section 404 of Sarbanes-Oxley carries with it the mandate to properly secure IT enterprise-wide (or, at least, to the point where the CEO, CFO and independent auditors are comfortable with the level of risk management applied to protecting corporate IT in general and financial IT systems specifically). As a result of the efforts of organizations such as the ISACA, COBIT and PCAOB, frameworks and standards such as COSO have emerged that explicitly address the role of IT security in SOX compliance.

Taking Strategic Control of Security with SIM

Security information management (SIM) solutions are an emerging class of products that enable compliance through provable, fast threat detection, management, and containment. Affordable, easily managed real-time security monitoring and correlation solutions offer a compelling way for public companies to comply with the implicit IT security mandates of SOX. Moreover, the reporting and full logging storage capabilities of SIM products allow companies to prove that security policies are being correctly followed, even providing an integral framework to guide operators to respond to security threats and incidents in a consistent, compliant manner.
Finally, in addition to enabling compliance with SOX regulation, SIM products can provide a very low-maintenance security management framework to reduce the workload placed on IT security in general, improve security operations effectiveness, and enhance a company's ability to proactively mitigate high-risk threats before they become successful exploits.

The strategic opportunity for IT in public companies is therefore to think beyond the immediate compliance deadline and look to establish controls that ease compliance with tighter regulations over time, as well as ensuring that, if needed, the changes wrought to satisfy SOX can stand up in court. Building a defensible position against a class-action shareholder suit is one of the unfortunate situations that IT organizations need to plan for as they move forward implementing their compliance activities. As the financial scandals in the early part of the decade showed, having an auditor sign off is no guarantee that lawsuits can be avoided, and SOX section 302 makes it clear that CEOs and CFOs are personally liable for any material misrepresentations.

Monitoring Security

In terms of established IT compliance frameworks, although PCAOB's Auditing Standard No. 2 does reference IT controls, it does not specify the IT controls an organization should deploy in order to be compliant with SOX. However, COSO specifically calls out IT security monitoring as follows:

"Security monitoring - Building an effective IT security infrastructure reduces the risk of unauthorized access. Improving security can reduce the risk of processing unauthorized transactions and generating inaccurate reports, and can ensure a reduction of the unavailability of key systems if applications and IT infrastructure components have been compromised."
The ITGI's IT Control Objectives document, which provides specific recommendations based on COSO to guide compliance activities, specifically identifies the need for a security monitoring control: "IT security administration monitors and logs security activity, and identified security violations are reported to senior management."

It's clear: to meet the SOX general IT security requirements, organizations need to deploy multiple security point solutions such as firewalls, intrusion detection systems (IDS), anti-virus systems and others. That's a given. But simply deploying point solutions on networks, servers or desktops does not, by itself, satisfy the security monitoring requirement implied in Section 404. A true monitoring solution must show that the products deployed to protect a company's critical assets are, in fact, working properly. The only way to be successful in meeting this requirement is to collect, manage and save the relevant threat data from the individual security point solutions.

SIM extends the real-time monitoring of events detected by network and application security systems by enabling operators to detect and manage threats to the integrity of the company's financial systems, looking at alerts from across the entire enterprise. And SIM provides real-time, actionable information, not monthly reports that end up in an auditor's filing cabinet.

Correlation: Finding the Threat Needle in the Security Haystack

But identifying threats that can cause an incident from the data that enterprise security systems report quickly creates a massive challenge. With large populations of security solutions to monitor, IT security professionals need to collect disparate information from diverse sources, quickly assess its impact, and make timely decisions before major damage is done. They also need a way to keep all this information in a convenient place for reporting purposes.
But the data volumes are colossal: many millions to billions of log entries are recorded by an enterprise's systems every day. Threats need to be identified from this massive data stream and dealt with, and the data needs to be stored without requiring warehouses full of expensive storage area networks. And then a determination needs to be quickly made: is this threat real? How much risk does it represent? And how should it be managed?

Worse yet, as we all know, IT security challenges are growing enormously as an increasing number of diverse security products are deployed to combat an increasing number of threats, exploits and hackers. As technologies such as the 802.11 series of wireless protocols emerge that render notions like the secure perimeter increasingly irrelevant and porous, the number of security systems that need to be deployed and monitored will only continue to grow, day in and day out.

For each class of security system, organizations are faced with many choices of firewalls (network, application and protocol-based), intrusion detection and prevention systems (IDS and IPS), anti-virus (AV) systems, virtual private networks (VPN), host-based protection and a range of dedicated network security appliances. Indeed, monitoring network systems, such as routers and switches, for suspect activity is now a fact of life since these, too, have known vulnerabilities that can be exploited. Every organization's security strategy will involve some combination of these techniques, depending on their strategic goals and acceptable degree of risk.

Real-time security event correlation is the key to making this mountain of data manageable again. A typical SIM system will:

* Collect log file and event data from multiple security, network and server sources.
* Normalize and correlate these events in real-time to identify threats before they become security breaches.
* Prioritize threats according to risk-based event weighting, target vulnerability, asset value and historical activity.
* Maintain a threat database, including a taxonomy of known threats, vulnerabilities and exploits.
* Provide extensive threat, attack and forensic reporting and analysis capabilities.
* Enable automated and guided operator actions for consistent incident responses.

The goal of a SIM, when considering existing costs and workloads of compliance implementation teams, must be to deliver these capabilities in as minimally invasive a way as possible, and as a result of the correlation, ultimately reduce the time and resources spent in incident response.

Is this practical? In a recent eWeek article, one SIM user, Adam Hansen, of law firm Sonnenschein, Nath and Rosenthal, described his firm's experience after recently deploying a SIM. His SIM monitors 9 million daily security events and accurately identifies 20 or 30 events of interest. From there, the firm's administrators need to investigate only one to three events a day. "We reduced our incident response time from 24 hours to minutes," said Hansen. "We deal with an event as soon as it happens rather than look at a log."

Hansen's experience is not unique. According to ComputerWorld, Scitum SA, an MSSP, recently reported an event reduction factor of 10,000 after deploying a SIM in their security operations center.

Monitoring and Vulnerability Management - A Comprehensive Risk Management Strategy

These examples are impressive feats, to be sure. But does that mean SIM is right for all organizations? Managers might think they don't need SIM, particularly when investing in a comprehensive, and undoubtedly expensive, set of vulnerability management products and processes. An ounce of prevention is worth a pound of cure, it's true. Many security systems and technologies have been deployed to prevent intruders from accessing high value systems.
First came firewalls; then the mail worms, the web buffer overflows, and the RPC exploits marched right through the open ports to wreak havoc on their targets on the inside. IDS arrived, but didn't actually stop anything. Then IPS, and next, who knows? If there's a lesson to be learned, it is that no matter what technology is deployed, it will have a flaw, a way to be defeated, or will be too untrusted (e.g. too many false positives) to be functionally useful.

Enter vulnerability management solutions. The premise is simple and seductive. If there are no vulnerabilities to exploit, there is no risk. Identify and mitigate the open vulnerabilities and risk is eliminated; there's nothing to compromise. The good guys win. Right?

Not exactly. IT security managers should be engaged in actively managing system vulnerabilities and nobody should counsel otherwise. However, they should do so rationally, methodically, and with understanding of the risks and rewards at each step. What is absolutely not true, however, is that every system can be patched perfectly, at least, not in a timely, cost-effective manner. An organization simply cannot patch against social engineering (i.e. persuading a human to do something for you that you can't, like resetting an administrative password). It cannot patch against a careless or corrupted employee placing a wireless access point inside your network, completely bypassing your perimeter defenses. It cannot patch a system against weak physical security. It cannot patch against someone emailing a customer list to a competitor. It cannot patch systems it's unaware of, such as embedded databases or web servers. For example, if an organization's engineering group uses a product like Ghost to re-image test machines, any patches it applies could be here today and gone tomorrow.

It's clear: Even with an extensive and comprehensive vulnerability and patch management program in place, it remains vital to monitor security systems.
Remember, from the bad guys' perspective, there's always a workaround. There's always a signature that the system doesn't know about. There's always a new user the anomaly detector hasn't discovered. There's always a careless default installation or a system that hasn't been gotten round to yet. There's always a thoughtless user to social engineer through. There's always someone to corrupt, a system to bypass, a new trick to employ.

So, one of the biggest mental hurdles to overcome when thinking about risk mitigation and prevention planning is accepting the fact that it is impossible to get 100% of vulnerabilities removed using a patching approach. It can't be done. It won't ever be done. Plan for it.

Ultimately, this is how SIM complements vulnerability management. Section 404 requires monitoring security. Prudent risk management also says companies shouldn't put all their security eggs in the vulnerability management basket. A mature, compliant IT security organization will deliver strong mitigation and monitoring solutions, and also have a well-defined (and practiced, practiced, practiced!) containment and incident response strategy, requiring all three legs of the stool.

SIM: Automating Real-Time Risk Analysis for Compliance

Risk, whether its acceptance, mitigation or transference, is at the heart of IT security planning and monitoring. The analysis of an attack event from a single device is relatively meaningless. There is no context within which to judge its relevance and importance. By using SIM to evaluate individual events in the context of the real-time enterprise threatscape, it is possible to assign risk values using the SIM to each individual event. Implementing a security monitoring solution without being able to manage log collection from different sources, quickly triage events using a risk-based approach, and implement response times risks failure, unless a SIM solution is in place.
A good, risk-based approach will enable the SIM to determine the following criteria, and adjust the risk weight appropriately, for each event detected, and then intelligently alert based on a defined risk profile. The following sample factors show how the view of an event's risk changes based on its context:

* The source of an attack: Inside or outside? A new guy or a competitor?
* The target: A print server or the database holding customers' social security numbers?
* The exploit being used: A simple probe, or something that gives the hacker complete control?
* The vulnerability of the target: Is the system vulnerable? And how old is the scan?
* The user: Is someone pretending to be an administrator?
* Activity: Have we seen this before? Is it a persistent pattern, or an apparent one-off?

All of this analysis needs to happen in real-time so that organizations can anticipate and manage a breach immediately. Running a retrospective report is too little too late, and by no means a "monitoring solution." If so, an organization has already been compromised. Game over.

Going Beyond Compliance to Better Security

The ability of a SIM to accurately identify threats can yield enormous savings in terms of operational efficiency. But the potential benefits don't stop there. The ability of a SIM to be able to respond automatically to an attack can make all the difference between simply detecting a threat and actually containing it. Foiling worm attacks is a great example of how automated remediation using a SIM can help minimize the speed and scope of an infection, in effect, helping to automate a containment strategy. In order to apply process controls, for example, a SIM can be forced to take an automated action if, and only if, a threat that passes the filter criteria has reached the critical state. Its users can create many different automated responses, each with their own unique combinations of filters and actions.
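[Editor's added example, not part of Phil Hollows's article and not any vendor's product. It puts the pipeline described above into runnable form: normalize events from several sources into one shape, weight each by the sample factors listed (source inside or outside, target value, exploit severity, whether the target is vulnerable and how old the scan is, privileged user, repeated activity), correlate per source/destination pair, and take an automated action only when the correlated risk passes a critical threshold. The log formats, asset table, weights and threshold are constructed assumptions for the illustration.]

```python
"""Toy SIM-style correlation: normalize, risk-weight in context, correlate, respond.
Illustrative code; the event formats, asset inventory, weights and threshold are assumed."""
import re
from collections import defaultdict

# Constructed sample events from three sources (firewall, IDS, auth); formats are invented.
RAW_EVENTS = [
    "fw src=203.0.113.9 dst=10.0.0.5 dpt=1433 action=allow",
    "ids sig=MSSQL_OVERFLOW src=203.0.113.9 dst=10.0.0.5 sev=high",
    "ids sig=MSSQL_OVERFLOW src=203.0.113.9 dst=10.0.0.5 sev=high",
    "auth user=backup-admin result=fail src=10.0.0.44 dst=10.0.0.5",
    "ids sig=ICMP_PING src=198.51.100.7 dst=10.0.0.9 sev=low",
]

# Assumed asset context the SIM draws on: business value, open vulns, scan age in days.
ASSETS = {
    "10.0.0.5": {"name": "payroll-db", "value": 10, "vulns": {"MSSQL_OVERFLOW"}, "scan_age": 3},
    "10.0.0.9": {"name": "print-server", "value": 1, "vulns": set(), "scan_age": 120},
}
INTERNAL_PREFIX = "10."                         # assumption: 10.0.0.0/8 is "inside"
PRIVILEGED_USERS = {"backup-admin", "root"}
EXPLOIT_WEIGHT = {"MSSQL_OVERFLOW": 8, "ICMP_PING": 1}   # probe vs full control
CRITICAL = 50                                   # threshold for automated containment


def normalize(line):
    """Parse any source's key=value record into one common event shape."""
    source, _, rest = line.partition(" ")
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    return {"source": source, **fields}


def risk(event, history):
    """Score one event in context: who, what target, what exploit, is the target actually
    vulnerable (and is that knowledge fresh), is a privileged account involved, repetition."""
    asset = ASSETS.get(event.get("dst"), {"value": 1, "vulns": set(), "scan_age": 999})
    score = 1.0
    score *= 1 if event.get("src", "").startswith(INTERNAL_PREFIX) else 2   # outside > inside
    score *= asset["value"]                                                  # target value
    sig = event.get("sig")
    if sig:
        score *= EXPLOIT_WEIGHT.get(sig, 2)                                  # exploit severity
        if sig in asset["vulns"]:                                            # target vulnerable?
            score *= 3 if asset["scan_age"] <= 30 else 1.5                   # fresh scan trusted
    if event.get("user") in PRIVILEGED_USERS and event.get("result") == "fail":
        score *= 4                                                           # admin impersonation
    key = (event.get("src"), event.get("dst"), sig or event.get("user"))
    history[key] += 1
    score *= history[key]                                                    # persistent pattern
    return score


def correlate(lines):
    """Aggregate risk per (src, dst) pair and pick the automated response by filter criteria."""
    history = defaultdict(int)
    totals = defaultdict(float)
    for line in lines:
        ev = normalize(line)
        totals[(ev.get("src"), ev.get("dst"))] += risk(ev, history)
    actions = {}
    for pair, total in totals.items():
        if total >= CRITICAL:
            actions[pair] = "block_src_and_page_oncall"   # threat reached the critical state
        elif total >= CRITICAL / 5:
            actions[pair] = "open_ticket"                 # guided operator review
        else:
            actions[pair] = "log_only"
    return dict(totals), actions


if __name__ == "__main__":
    totals, actions = correlate(RAW_EVENTS)
    for pair in totals:
        print(pair, totals[pair], actions[pair])
```

The point the numbers make is the one the factor list makes in prose: an identical IDS signature scores an order of magnitude higher against a freshly scanned, vulnerable, high-value host from an outside address than a probe against a print server, and the automated block fires only for the former.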
Automated responses to known classes of security intrusion attempts demonstrate clear, consistent and controlled risk-oriented policies towards IT security and threat management - a core item in SOX compliance evaluation. Organizations can also link SIMs to internal knowledge bases, resource links and procedure manuals based on alert and event data correlated by the SIM, create well-defined management options for users, and display them as options for operators to take. As a result, organizations gain consistent response to threats from operators, using the SIM to help define, manage and ensure consistent containment processes.

Real-time risk management using SIM takes the vulnerability and risk approach and applies it to IT network and security infrastructure in real-time. It properly takes into account the source of an attack in the modified risk equation, enabling much more effective internal management of launched attacks. SIM also builds off currently deployed heterogeneous security and vulnerability infrastructures, making systems significantly more effective than as standalone, isolated point solutions. SIM gives each system an enterprise-wide management context through the correlation process.

This is all possible because SIM is a security management application, not a security technology. It doesn't try to sniff packets on the wires or attempt to verify whether machines are patched or not. What it does do is bring data together through a real-time correlation process that considers all these factors, as collected by all the relevant underlying technology products, to help manage the data gathered from them, and automate the threat analysis and prioritization processes.

SIM for SOX!

SIM and its functions are the keys to an organization's ability to prove that its network security products and practices are in compliance.
SIM enables demonstrable compliance by implementing several mechanisms on any monitored sensor, device or application, including real-time log monitoring, prioritized threat alarms and escalations, audit trail and configuration versioning, threat, event and forensic reporting, and standardized threat and incident responses. It proves that the alarms are on, and someone is listening.

SIM affords organizations strategic opportunity by enhancing security operations efficiency, ensuring consistent threat response and centralized full log management, archiving and analysis. But for SIM to be most strategic, it should scale beyond the short-term audit process to handle growth, mergers and acquisitions - without adding significant structural costs and extra workload to already stretched security functions.

In a nutshell, if implemented well, SIM both ensures compliance with SOX section 404 and affords organizations additional compelling business benefits.

-=-

Phil Hollows, Vice President of Security Products, OpenService
http://www.open.com

Phil has more than 17 years of experience in product marketing, product management, development leadership and consulting.

From isn at c4i.org Tue Mar 1 04:47:49 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 1 04:54:34 2005
Subject: [ISN] Known Hole Aided T-Mobile Breach
Message-ID:

http://www.wired.com/news/privacy/0,1848,66735,00.html

By Kevin Poulsen
Feb. 28, 2005

An intrusion into T-Mobile's servers that compromised customer records, sensitive government documents, private e-mail and candid celebrity photos last year occurred because the wireless giant failed to patch a known security hole in a commercial software package, Wired News has learned.

In a sealed plea agreement with prosecutors, Nicolas Jacobsen, 22, pleaded guilty on February 15 in federal court in Los Angeles to a single felony charge of intentionally gaining access to a protected computer and recklessly causing damage.
His cybercrime spree in T-Mobile's network began in late 2003, and didn't end until his arrest last fall. Jacobsen's victims last year included Paris Hilton, a conspicuous T-Mobile Sidekick user. But the hacker is not known to be connected to a new intrusion last week that scattered Hilton's private files across the Internet.

The Justice Department and the U.S. Secret Service have handled the Jacobsen prosecution with unusual secrecy, and T-Mobile has been tight-lipped on how the hacker penetrated their systems. But two sources close to the case and a hacker friend of Jacobsen's who hosted some of his purloined files all point to the same security hole: a vulnerability discovered in early 2003 in the WebLogic application server produced by San Jose, California, company BEA Systems.

Found by researchers at security vendor SPI Dynamics, the WebLogic hole took the form of an undocumented function that allows an attacker to remotely read or replace any file on a system by feeding it a specially-crafted web request. BEA produced a patch for the bug in March 2003 and issued a public advisory rating it a high-severity vulnerability. In July of that year, the hole was spotlighted in a presentation at the Black Hat Briefings convention in Las Vegas. Approximately 1,700 computer security professionals and corporate executives attended that conference, where an SPI Dynamics researcher detailed precisely how to exploit the vulnerability.

The attack method is "kiddy simple," says Caleb Sima, founder and CTO of SPI Dynamics. "All you have to do is add a special header with the request, with special commands at the end of it, and that's it."

Jacobsen learned of the WebLogic hole from the advisory, crafted his own 20-line exploit in Visual Basic, then began digging around the internet for potential targets who had failed to install the patch, the sources say. By October 2003, he'd hit pay dirt at T-Mobile, where he used the exploit to gain a foothold in the company's systems.
He then wrote his own front-end to the customer database to which he could return at his convenience. "He eventually made his own interface," says William Genovese, a friend of Jacobsen's in the hacking community, who is currently facing unrelated charges for allegedly selling a copy of leaked source code for portions of Microsoft's Windows 2000 and Windows NT operating systems for $20.

According to court records, Jacobsen continued to enjoy illicit access to T-Mobile systems until his arrest in October 2004 -- more than 18 months after the WebLogic vulnerability was first made public.

The hacker had access to T-Mobile customer passwords, Social Security numbers, dates-of-birth and other information, which he offered to make available to fraudsters and identity thieves over an online web forum. Additionally, Jacobsen used passwords stolen from the database to read T-Mobile customers' e-mail, including that of a U.S. Secret Service agent. Sources close to the case say the hacker also downloaded candid photos taken by Sidekick users, including images of celebrities Demi Moore, Ashton Kutcher, Nicole Richie and Paris Hilton, which until recently could be found on a webpage hosted by Genovese.

A phone call to Jacobsen's lawyer went unreturned last week.

T-Mobile says it has notified 400 customers that their data was leaked, and continues to investigate the case. But the company said last week it couldn't comment on its vulnerabilities or patching policies without placing customers at further risk.

"We will not publicly discuss specifics of our systems, or attempts to gain access to our systems, for the protection of our customers and their data," spokesman Peter Dobrow wrote in an e-mail.

Dobrow claims the company has closed the holes that Jacobsen exploited. "As part of our security efforts, safeguards are in place to prevent illegal access similar to Jacobsen's activity," he wrote.
BEA failed to return repeated phone calls on the WebLogic vulnerability and its role in the T-Mobile hacks.

Jacobsen's hacks were neither the first nor the last consumer privacy problem at T-Mobile. Last year, the company faced criticism for giving cell phone users a default voice mail configuration that leaves them open to Caller I.D.-spoofing snoops -- an issue that lingers today. And last week a copycat hacker penetrated Paris Hilton's T-Mobile Sidekick account a second time, posting the hotel chain heiress' electronic memo pad, address book and a new batch of private photos on the web. The company's security thus became the unlikely topic of tabloid media interest.

In a press release Saturday, T-Mobile chief operating officer Sue Swenson said the company takes its customers' privacy seriously. "We are aggressively investigating the illegal dissemination of information over the internet of T-Mobile customers' personal data," said Swenson. The press release made no mention of T-Mobile's failure to secure its systems, but encouraged customers to be more careful with their passwords.

From isn at c4i.org Tue Mar 1 04:48:05 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 1 04:54:36 2005
Subject: [ISN] Confessions Of A Gray-Hat Networker
Message-ID:

http://www.securitypipeline.com/trends/60404004

By David Strom
Tom's Networking
www.tomsnetworking.com
February 28, 2005

It is getting harder to tell the good guys from the bad these days. Life up to about last year used to be so simple. There were white hat networkers and black hat networkers. The white hats are the ones who try to gain entry into your network with your permission, to stress test your security and pinpoint vulnerabilities. The black hats are mostly the bad guys. But now we have grey hat networks, the ones that aren't so easy to characterize as evildoers.
I guess this mirrors life, where nothing is black and white anymore (at least outside the perspective of our own president, but don't get me started on that). These grey networks are becoming more common as corporate IT staffs do their best to stem the tide of peer-to-peer, instant messaging, and other incidental applications that have become mission critical to some of their users. The reason they are called grey is because while they are still far from the accepted corporate standard portfolio of "approved" applications, they are useful and in common use across the corporate network.

Actually, the problem is not new. When I worked in IT departments during the 1980s, we had our standard apps and platforms and plenty of renegade users who promptly and in some cases pointedly ignored us and took their computing needs into their own hands. It was a constant battle, but back then the only real networks we had were the 3270 kind of IBM mainframes, and well, everything was pretty black and white for the mainframe guys.

Of course the shoe was on the other foot when I became a user. I must confess that even as recently as last year I was a bit of a renegade user myself, wanting to run apps that weren't part of the corporate portfolio. Ask my IT people and they will tell you tales of woe.

I thought about this recently when I was attending the RSA conference and was listening to one of the talks on how to stem the tide of unmonitored IM usage. Jonathan Christensen, the CTO of FaceTime, was the one who coined the grey hat moniker. He even said IM is the "next generation of security threat" - well, he would, given as his company can sell you products to try to protect you against this threat.

Does this mean that I am still part of the problem? Can I ever shake those renegade days completely, or am I always going to be a thorn in the side of IT? I have become a grey hat networker, I must confess. What brought me into the grey world was Skype.
Since joining Tom's, I have been using Skype as the main means of communicating with my staff across Europe and the US. (Well, it IS our corporate standard.) It is a wonderful application when it works, and perplexing and annoying when it doesn't. For those of you that haven't had the opportunity to use it yet, it is an IM client and a voice communications system rolled into one. Like any good IM client, you have presence detection (you can see when someone is online and ready to talk or text chat with you). Unlike the commercial services from AOL, Microsoft, and Yahoo, the list of your "buddies" isn't maintained by the network but kept on your individual PC. This means that if you use more than one machine to communicate, you will have to Skype yourself and send your buddies list to the other PCs. But this is a minor annoyance.

The voice quality is superb. For talking to people halfway across the world, they sound like they are in the next room. And it works with relative ease with my little laptop, and even on my home Mac. It doesn't interoperate with other IM networks (that is the bad news), but it does a great job of penetrating corporate firewalls and routing around network problems (good for me, bad for most network administrators who are trying to deal with it). This is why it is a grey app.

Skype is the fastest growing Internet-based communications application in history. They have reached more than 70 million users in a year, when other IM products took five or more years to get to this population. "Skype me" has become a verb, I am sorry to admit.

So what's the problem? Well, there are two things at work here. First, because Skype is so facile at getting through network blockades, it has become a disease vector for virus writers to use to infect corporate networks. Over the past couple of weeks, several IM-based attacks (not just using Skype, but all kinds of IM products) have wreaked havoc on various commercial networks.
Second, because the user population is growing so quickly, it is becoming more useful as more people join up, making it more of an opportunity for the bad guys to exploit. What this means is that corporate IT admins are having fits trying to contain it.

The problem with these attacks is that you are more likely to click on a URL coming from one of your buddies via IM than from email, because you have already authenticated their identity and established some level of trust. Yet trusting an IM screen name is somewhat misplaced. I can remember plenty of times that I started conversations with my buddies, only to find out that someone else was using their screen name. There really isn't a lot of security behind the system: all it takes is to know someone's password.

So what to do? Banishment of all IM and Skype doesn't work. Blocking the app doesn't work. Setting up a Skype proxy server isn't yet technically available - there are such things for AOL and MSN. You just have to deal with it, I guess. At the RSA show, the panel offered several lukewarm suggestions (such as using their own security software that they just happen to have handy in a nearby booth), but nothing to really stem the tide.

In the meantime, I do the best I can: keep my firewall and anti-virus software up to date, and hope that my grey network doesn't go completely black on me one day.

This article appears courtesy of Tom's Networking.

From isn at c4i.org Tue Mar 1 04:48:38 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 1 04:54:38 2005
Subject: [ISN] Security Firms Follow Unwritten Code When Digging Up Dirt On Each Other
Message-ID:

Forwarded from: security curmudgeon

: http://www.informationweek.com/story/showArticle.jhtml;jsessionid=POBBDHOZK2B4AQSNDBCCKH0CJUMEKJVN?articleID=60403683
:
: By Gregg Keizer
: TechWeb News
: Feb.
: 25, 2005
:
: A critical vulnerability was spotted Thursday in the anti-virus engine
: used by Trend Micro's entire line of client, server, and gateway
: security products, the third such disclosure this month of flaws in
: major security firms' software.

: While vulnerabilities within security products are rare -- at least in
: comparison to, say, operating systems such as Windows -- they're not
: unheard of. And by one analyst's take, they're fair game.

Of course there are less than an Operating System, but that doesn't make them "rare" by any means. Not only are most security products just as vulnerable as other software products, they add a false sense of security given the nature of their purpose. People purchase Anti-Virus to stop viruses. They purchase firewalls to stop bad traffic. Instead, they are often installing software that is giving attackers *another* way into their system.

According to osvdb.org:

Symantec: 108 vulnerabilities in their products, including Anti-Virus, Norton Utilities, Raptor Firewall, NetProwler, pcAnywhere, I-gear, Anti-Spam, Gateway, Web Security, LiveUpdate, VelociRaptor and more.

Trend Micro: 59 vulnerabilities in their products, including InterScan Viruswall, ScanMail, OfficeScan, PC-Cillin, AppletTrap, VirusBuster and more.

F-secure: 12 vulnerabilities in their products, including Policy Manager, Anti-Virus, Gatekeeper, Backweb and more.

: Trend Micro agreed here, too. "We're actually really happy that people
: are doing this. The industry needs something like this, not because we
: need to stir up anything politically [between companies] but because
: different people tend to look at problems different ways," said
: Hansmann.

Why isn't Trend Micro doing it is the real question.

: But the practice of one security firm investigating another could be
: considered inappropriate, said Pescatore, if abused.
: In the past,
: various anti-virus firms took potshots at each other, not in public, but
: by touting the weaknesses in rivals to analysts like Pescatore.

This is standard operating procedure among many security vendors. Many product sales pitches are half touting their product, half pointing out weaknesses in competitors.

: "If there's one thing I would tweak ISS about," said Pescatore, "it
: would be that I'm assuming we'll never see anything like the Witty worm
: in the future if ISS has the time to look for vulnerabilities in other
: companies' products."
:
: It's not easy to dig up vulnerabilities, said Pescatore: "it takes
: skill," he said.
:
: "You would have thought they'd been looking at their own products."

There is no marketing value in that.

From isn at c4i.org Tue Mar 1 04:49:18 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 1 04:54:40 2005
Subject: [ISN] The loss of a dear friend
Message-ID:

Forwarded from: priest

Dear friends-

It is with a heart heavy with grief that I must inform you of the loss of a dear friend to us all, Josh Cohen.

On February 22 at approximately 02:00 hours PST Seattle ATC received a message from Josh who was piloting his Glasair, tail number N262WG, stating he had a visual on the Crescent City airport and was terminating radar service to switch to the local airport frequency for his final approach. The last radar contact showed him at 400 feet above ground executing a 270 degree turn. No further transmissions were received and radar contact was lost at this time.

The plane was found on February 23rd in approximately 40 feet of water 100 yards off shore. The Coast Guard has declared search and rescue operations terminated and has begun salvage and recovery operations. They do not expect to find any survivors.

I have known Josh since Defcon 5 and he will be sorely missed by all. For those who may not immediately remember him, he was the guy with the RTD bus and the one who was the hotel liaison.
Please see the link below for more details. Please find below a link with more details, a guestbook, and photo gallery.

http://darkstar.frop.org/pac-bell/

May God bless us all and watch over us in this time of grief.

From isn at c4i.org Wed Mar 2 12:23:21 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 2 12:33:43 2005
Subject: [ISN] REVIEW: "Inside the Spam Cartel", Spammer-X
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKINSPCA.RVW 20041224

"Inside the Spam Cartel", Spammer-X, 2004, 1-932266-86-0, U$49.95/C$72.95
%A Spammer-X
%C 800 Hingham Street, Rockland, MA 02370
%D 2004
%G 1-932266-86-0
%I Syngress Media, Inc.
%O U$49.95/C$72.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O http://www.amazon.com/exec/obidos/ASIN/1932266860/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1932266860/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/1932266860/robsladesin03-20
%O tl a rl 1 tc 2 ta 2 tv 1 wq 2
%P 413 p.
%T "Inside the Spam Cartel: Trade Secrets from the Dark Side"

Chapter one is supposed to be a bio of Spammer-X, and gives us the stereotypical blackhat life story. A business model of using spam to generate referrals to porn sites is presented in chapter two. Rough ideas of spamming techniques are outlined in chapter three, although it is rather short on details. (What details are given are quite suspect: SOCKS is not a mail server, but a type of circuit-level proxy firewall.) Chapter four lists various means of harvesting addresses, but concentrates on a) buying them, and b) random address verification. (Which doesn't provide much help to users in terms of suggestions for avoiding getting on spam lists.) Advertising tricks are balanced against some anti-blacklisting tips in chapter five. Interestingly, there is some talk of botnets, but not the SMTP (Simple Mail Transfer Protocol server) carrying viruses. (More technical goofs: Rich Text Format is hardly a Microsoft only technology.)
Chapter six looks at various means of payment over the Internet which, for those of paranoid mindset, has some possibly useful points to make about dangers of different forms of online commerce. Chapter seven starts to present some information that may have some general value, as it reviews various types of spam filtering (and filter evasion) techniques. A more advanced examination is in chapter eight. Scams are listed in chapter nine, with a concentration on phishing and 419/advance fee frauds. The author is rather careless with the facts: phishing is initially described as any type of scam (although the text later contradicts itself by redefining the term as related only to banks), Nigeria does have a law against advance fee fraud, and it's Lagos, not Logos. Chapter ten runs through the provisions of the US CAN-SPAM act, and notes how spam can be legal.

The material on the analysis of spam, in chapter eleven, initially has some helpful tips, but the later parts of the chapter grow vague. In chapter twelve, Spammer-X points out that the estimated costs of spam are wildly inflated, but his own numbers are biased very low, not counting the costs of maintaining filters, the loss of messages, difficulties in contacting people, spam to mailing lists, and even the problem of bounced messages which is raised in the following chapter. The statistics of spam listed in chapter thirteen are generally of little use. The most interesting data, on yearly trends, is incorrectly described in the text (switching the numbers for virus and spam) and says that spam is down over the Christmas period, which is not supported by the numbers themselves. (This is rather ironic: I reviewed the book over Christmas, and can attest to the fact that there was no drop in the numbers of spam on my accounts.) Chapter fourteen makes some rather far-fetched predictions about the future of spam.
The questions in chapter fifteen's FAQ (Frequently Asked Questions list) seem to be simply random rather than significant. Spammer-X closes, in chapter sixteen, by telling us that he has given us an unbiased look at spam, and that spam is good.

The promotional blurb on the cover implies that you may hate Spammer-X, but still need to know what he says. It also states that this is a "Must Read" for security professionals and law enforcement personnel. Forget it. The notes on anti-blacklisting tips and techniques for harvesting email, at least those given in the book, are going to be of very little help in either avoiding spam, or in tracking down the perpetrators. It may, of course, be that not all spamming techniques are provided here, and that knowledge of some of them would help system administrators or those who want to track down spammers--but that still means the text is of extremely limited usefulness. The title is also rather misleading: the author (if, indeed, there is a single author and not a committee) presents us with one particular look at spamming activity. If there is a spam cartel "he" is definitely not in it.

The work has some points of interest, but it isn't going to help anybody very much. (Including, fortunately, potential spammers.)

copyright Robert M. Slade, 2004 BKINSPCA.RVW 20041224

======================
(quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu
Doubtless you are the people, and wisdom will die with you! But I have a mind as well as you; I am not inferior to you. Who does not know all these things? - Job 12:2,3
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

From isn at c4i.org Wed Mar 2 12:23:35 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 2 12:33:45 2005
Subject: [ISN] An Oscar Surprise: Vulnerable Phones
Message-ID:

http://www.nytimes.com/2005/03/02/movies/oscars/02leak.html

By JOHN MARKOFF and LAURA M.
HOLSON
March 2, 2005

Paris Hilton is not alone. According to a Los Angeles security consulting firm that went skulking outside the Academy Awards ceremony in Hollywood on Sunday, as many as 100 people who walked the red carpet were carrying cellphones vulnerable to the kind of privacy invasion that recently gained Ms. Hilton a new round of unwanted notoriety.

Three employees of the company, Flexilis, founded two years ago by four University of Southern California students, positioned themselves in the crowd of more than 1,000 people watching celebrities arrive at the Kodak Theater. John Hering, one of the company's founders, wore a backpack in which he had placed a laptop computer with scanning software and a powerful antenna.

The Flexilis researchers said they were able to detect that 50 to 100 of the attendees had smart cellphones whose contents - like those of Ms. Hilton's T-Mobile phone - could be electronically siphoned from their service providers' central computers. The contents of Ms. Hilton's phone, including other celebrities' phone numbers, ended up on the Internet.

The researchers said they were uncertain about the precise number of vulnerable phones because some phones may have been detected more than once. They did not tap into any of the cellphones that were scanned - which would have been illegal - and so could not identify exactly whose phones were vulnerable.

The researchers said that their stunt, which scanned the red carpet from about 30 feet away, was meant to raise awareness of a threat to privacy that is becoming more common as advanced cellphones carry a growing range of personal data, including passwords, Social Security numbers and credit card information.

"Celebrities, V.I.P.'s, executives and politicians are among the most vulnerable to this kind of attack, because they are frequently the first to adopt new consumer technologies," Mr. Hering said.
He also noted that despite extensive security measures at the Oscars, his company's surveillance activities went unnoticed. "We were only doing this passively, but it was possible that someone could have been standing right next to us doing this maliciously," he said.

John Pavlik, director of communications for the Academy of Motion Picture Arts and Sciences, said: "We're very confident about the ability of our security to keep our guests and performers and nominees safe. The problem with the privacy issue is that it is, in fact, a growing phenomenon with these smart phones and it will get to be more and more of a problem each year. This year, we tried to address it as strenuously as we could."

Flexilis has specialized in a short-range wireless data technology known as Bluetooth, which is intended to replace cables over short distances. Many cellphones now have Bluetooth wireless capability to permit synchronizing with computers, or to connect to peripherals like wireless headsets. Bluetooth is also becoming a standard technology in luxury cars to permit them to integrate easily with cellphones. And it is increasingly found in personal computers as a cable replacement for keyboards, mice and printers.

The Flexilis team said their concern was not with Bluetooth itself, which contains adequate security protection, but with the way the technology has been used by many manufacturers. "We're attempting to raise the level of security in the wireless world to the same standard that is now expected in the wired world," Mr. Hering said.

Mike Foley, executive director of the Bluetooth Special Interest Group, an industry association, said that his organization "takes security very seriously" and that "so far no security holes have been discovered in the Bluetooth specification itself."

Actors interviewed over the Oscar weekend expressed varying degrees of concern about their vulnerability.
Sandra Oh, one of the stars of "Sideways," which was directed by her husband, Alexander Payne, said she rarely used a cellphone. "Who wants to be that accessible?" she said in an interview Saturday at the Independent Spirit Awards. "People have so many lines-of-defense phone numbers so people can't reach them. Alexander has, like, four or five."

Robin Williams, at the same event, pulled a phone from his inside coat pocket and deadpanned: "These phones are amazing. They have everything. Games. Phone book. A vibrator."

Mr. Williams said it was unlikely that an eavesdropper would have much interest in monitoring his cellphone. "I don't have a lot of numbers in my phone book," he said. But he added: "It wouldn't be hard for a hacker to get inside one of these things. You've got to be careful."

Catherine Billey and Matt Richtel contributed reporting for this article.

From isn at c4i.org Wed Mar 2 12:23:55 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 2 12:33:52 2005
Subject: [ISN] Security through layers
Message-ID:

http://www.fcw.com/fcw/articles/2005/0228/web-wiresec-03-01-05.asp

By Florence Olsen
March 1, 2005

Wireless networks are inherently insecure, but the more layers of security they have, the less likely they are to be attacked, said Mischel Kwon, wireless security officer for the Justice Department's Management Division.

Speaking today at the Wireless/RFID Conference and Exhibition in Washington, D.C., Kwon said the most secure layered approach would use the latest wireless grid technologies in combination with wireless intrusion-detection systems.

Because of the insecurities inherent in wireless technologies, a lot of fear exists, said Capt. Sheila McCoy, former director of information assurance in the Navy's Office of the Chief Information Officer. "We're a rather risk-averse bunch," she said. But attitudes toward wireless networks are changing as Defense Department officials learn more about managing risk with new technologies, she added.
Dan Hickey, deputy commander for computer network defense at the Marine Corps Network Operations and Security Command, prefaced his remarks by saying that "wireless technology scares me." Few agencies, he said, are using layered security or "defense in depth" correctly when deploying wireless technologies. And on the policy side, he said, agencies need to ask who has the authority to accept risk for the organization when people begin using such technologies.

Wireless expert Bill Neugent, chief engineer for cybersecurity at Mitre, a nonprofit engineering organization, said that the proliferation of wireless technologies such as radio frequency identification chips and nanoscale "smart dust" will cause both privacy losses and productivity gains.

According to other wireless experts who offered tips on security technologies and policies, open-source products are the most popular for auditing the security of wireless networks. Auditors in the Government Accountability Office, for example, use open-source scanners NetStumbler and Kismet to conduct wireless audits, said Dan Van Belleghem, technical director for the information assurance group at SRA International.

For the most part, wireless networks become open to attack because administrators fail to properly configure wireless access points with password protection, use no encryption, have no virtual private network protection, and do not disable the infrared ports and peer-to-peer features of their wireless networks, Kwon said.

The conference was sponsored by the E-Gov Institute.

From isn at c4i.org Wed Mar 2 12:24:08 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 2 12:33:55 2005
Subject: [ISN] Payroll firm pulls Web services, citing data leak
Message-ID:

http://news.zdnet.com/2100-1009_22-5595316.html

By Robert Lemos
CNET News.com
March 1, 2005

Service provider PayMaxx shuttered additional parts of its online payroll site this week, after a Web programmer continued to find holes in the system.
PayMaxx's further closure of its Web services comes after a Web programmer, Aaron Greenspan, discovered that the company's initial attempt to block malicious access had fixed some flaws but left others unresolved. While still referring to the data leak as "limited in scope," the online payroll processor closed down its PayView and Instant W2 services, the company said in a statement. The services will remain down until PayMaxx has completed a thorough security analysis and redesigned the site's architecture. "We have sent all clients and key partners e-mails alerting them to the situation, and we are contacting the companies we believe may have been potentially affected by the hacking," PayMaxx said in a statement sent to CNET News.com. The dispute between PayMaxx and Greenspan, president of Web services start-up Think Computer and a former PayMaxx customer, over the security of the company's Web site continued this week. PayMaxx referred to Greenspan as a "hacker," while the Web programmer maintained that the security problem is far worse than divulged by the payroll company. The data leak comes at a time when several high-profile attacks have Congress looking into further legislation to protect people's private information. In February, data aggregator ChoicePoint warned that almost 150,000 consumer files had been compromised by scam artists who had set up fake companies to garner identity information. Last week, financial services giant Bank of America alerted government workers that backup tapes containing their information had gone missing. Greenspan said he uncovered the problem with PayMaxx's Web site about three weeks ago and tried to contact the company. He said PayMaxx did not respond, so he posted a report detailing the flaws. That prompted PayMaxx to shut down its Web service for retrieving W2 information. Greenspan continued to prod the site's security and discovered more vulnerabilities this weekend, he said. 
Greenspan said his attempts to find flaws in the site have been motivated by protecting his own information, from when Think Computer was a client of PayMaxx. "Think had an obvious interest in seeing that the problem would be resolved properly since its own data was stored in the affected systems," he said in an e-mail interview. PayMaxx does not agree. The Web programmer has been far too intent on poking holes in the company's systems and has "numerous inaccuracies" in his report, PayMaxx said in a statement. The company did not specify which parts of his report were incorrect. "We believe the hacker has violated federal law and we will take whatever action is necessary to protect the interests of our clients and our company," the company said. PayMaxx has contracted an outside security company to test its Web applications' security and has ordered additional hardware and software to better detect intrusions, PayMaxx said in a statement. From isn at c4i.org Wed Mar 2 12:24:23 2005 From: isn at c4i.org (InfoSec News) Date: Wed Mar 2 12:33:57 2005 Subject: [ISN] Canadian military, U.S. agencies launch BlackBerry security project Message-ID: http://www.canada.com/national/nationalpost/news/story.html?id=a1b84641-4ddf-4db0-b462-d8ce4597e9f0 Stephen Thorne Canadian Press March 01, 2005 OTTAWA (CP) - The Canadian military and U.S. security agencies have launched a joint effort to make BlackBerry portable communications devices more secure, hoping to one day use them to exchange top secret information. Defence Research and Development Canada, the Canadian Communications Security Establishment and the U.S. National Security Agency are among those involved in the year-long trial. The two countries will develop improved security on the hand-held personal data assistant designed by Research in Motion of Waterloo, Ont. With its cell phone, e-mail, calendars and contact lists, the BlackBerry is considered a blessing and a curse by users because it never allows them peace. 
But it has become a must-have for business, defence and security officials alike. "This BlackBerry technology . . . allows decision-makers to have their information right in the palm of their hands and to make decisions while they're away from their offices," said the military's chief scientist for the project, Mazda Salmanian. "You can see how important that would be for (the military)." The security of such tools came under scrutiny last month when hackers accessed private files from a similar device, called a Sidekick II, owned by Paris Hilton. They obtained more than 500 celebrity phone numbers, e-mail addresses and topless photos of the hotel heiress and TV personality. It was the most publicized in a series of breaches of the wireless carrier T-Mobile, a unit of Deutsche Telekom, during which hackers stole files from a U.S. Secret Service agent who used his Sidekick to do agency work. The Canadian defence project director, Matthew Kellett, says government and corporate BlackBerrys are resistant to similar breaches because they use so-called enterprise servers - in-house, protected e-mail networks. The Sidekick II uses a commercial online server to store some information, including phone numbers. Contacted Monday through a New York-based public relations agent, Research in Motion said it was not aware of the defence security project. The primary focus of the defence project is security of transmissions. "In a crisis situation, you really don't want to have the movements of your emergency people known, especially if it's a terrorist situation," said Kellett. "We're trying to protect communications between agencies. "It's mostly towards the terrorist angle, but there's also the relative sensitivity of the information we're passing." In government circles, BlackBerrys are now cleared to Protected A, which means bureaucrats cannot exchange much beyond names and phone numbers. 
Some agencies can go to Protected B, which allows exchange of encrypted personal information such as addresses, salaries and employment records. But defence officials want to be able to send more secure information continent-wide by e-mail during a crisis. U.S. researchers are developing test scenarios where the two countries would interact and co-operate in public safety and emergency preparedness exercises, said Kellett. One exercise will be the mock crash of a U.S. surveillance aircraft on Canadian soil. It will involve attempts to establish whether the crash was an accident or the result of terrorism threatening national security. Would-be rescuers will e-mail data from a remote location, likely using more dependable and accessible satellites instead of traditional cellular networks with their sometimes spotty coverage. Under other scenarios, the coast guard will transmit information about suspicious activities off the coast of North America, out of cell-phone range, and border officials would manage a terrorist bombing. "The BlackBerry will have another radio access," said Salmanian, an electrical engineer. "Right now it's on cellular networks; it will have access to the satellite networks. "That will involve new ways of integrating technology." They also hope to develop encryption enhancements that could allow more secure information to be transmitted. The project will be the first time the key-management framework known as public key infrastructure (PKI), which issues and validates the certificates that tie encryption keys to identities, will be used along with other technologies in an international context, researchers said. While the trials will take about a year, the data processing and subsequent research could continue for two more, said Salmanian. Initially, researchers will look at data transfer - e-mails - but could develop voice encryption later on, he said. The priority has been placed on e-mails because written information is more verifiable, more easily subject to analysis and in emergencies is better transmitted and archived. 
The research results could ultimately be commercially available, with some proceeds going back to the research and development arm of defence. From isn at c4i.org Wed Mar 2 12:24:35 2005 From: isn at c4i.org (InfoSec News) Date: Wed Mar 2 12:34:00 2005 Subject: [ISN] Man Charged with Passing Chip Design Information Message-ID: http://www.reuters.com/audi/newsArticle.jhtml?type=technologyNews&storyID=7766193 By Adam Tanner Mar 1, 2005 SAN FRANCISCO (Reuters) - A Taiwanese citizen living in California took computer chip design information from a San Francisco-area firm and e-mailed it to a potential rival in Taiwan, U.S. authorities charged on Monday. The U.S. Attorney for Northern California alleged that Shin-Guo Tsai, 35, took data sheets from Volterra Semiconductor Corp. and sent them over the Internet to a potential competitor on Christmas Day, 2004. Federal Bureau of Investigation agents arrested Tsai, who has permanent resident status in the United States, on Sunday night on charges of transporting stolen property abroad, a crime that could bring a maximum penalty of 10 years in prison, according to a spokesman for the U.S. Attorney for the Northern District of California. Tsai is in custody until a hearing later this week, spokesman Luke Macaulay said in a statement. Tsai worked for Volterra, which completed an initial public offering last year, from July 2002 until Feb. 15, 2005, when he announced he was returning to Taiwan to marry. The complaint, filed in U.S. federal court in San Jose, California, also alleged that Tsai had been in contact with the chairman of CMSC Inc., a Taiwanese start-up company that it said was involved in the same business as Volterra. It added that Tsai admitted to FBI agents last week that he had sent proprietary information to CMSC. The chairman of CMSC did not respond to an e-mail on Monday seeking response. 
The criminal complaint quoted Volterra's vice president of design engineering David Lidsky as saying the transmitted information about the firm's 1100-series products "related to the design of high-performance analog and mixed-signal power management semiconductors." Experts say theft and espionage are a headache for many Silicon Valley technology firms, although many do not turn to authorities when they discover it. "This is becoming more and more of a problem," said La Rae Quy, a former counterintelligence officer who now serves as the FBI spokeswoman. "We're working with companies to alleviate their concerns about coming forward." "This is the reaction with many companies: it is cheaper to lose the technology than it is to face negative media attention or adverse stock reaction." Fremont, California-based Volterra, which designs low-voltage power supply chips, did come forward in this case however, she said. From isn at c4i.org Wed Mar 2 12:29:34 2005 From: isn at c4i.org (InfoSec News) Date: Wed Mar 2 12:34:02 2005 Subject: [ISN] Bank loses credit-card info of 1.2M federal workers Message-ID: Forwarded from: Dennis Kezer Based on what is in this story there was absolutely no technical protection on these tapes and anyone with the correct drive should be able to mount them and capture the data. A corporation of this size should be using a backup application that can provide at least rudimentary security. -----Original Message----- From: InfoSec News Sent: Monday, February 28, 2005 5:37 AM To: isn@attrition.org Subject: [ISN] Bank loses credit-card info of 1.2M federal workers http://www.computerworld.com/securitytopics/security/story/0,10801,100061,00.html By Joanne Morrison FEBRUARY 26, 2005 REUTERS Computer tapes containing credit-card records of U.S. Senators and more than a million U.S. government employees are missing, Bank of America said yesterday, putting the customers at increased risk of identity theft. 
The security breach, which included data on a third of the Pentagon's staff, angered lawmakers already concerned after criminals gained access to thousands of consumer profiles in a database maintained by a data profiling company, ChoicePoint Inc. (see story) Bank of America Corp. did not release details of how the tapes were lost, but Sen. Charles Schumer, a New York Democrat, said he had been informed by the Senate Rules Committee that the data tapes were likely stolen off a commercial plane by baggage handlers. "Whether it is identity theft, terrorism or other theft, in this new and complicated world baggage handlers should have background checks and more care should be taken for who is hired for these increasingly sensitive positions," Schumer said. Social security numbers, addresses and account numbers were on the tapes for 1.2 million account holders, of which about 900,000 belonged to Defense Department employees, Defense Department spokesman Bryan Whitman said. The tapes contained information from the accounts of dozens of U.S. Senators and from employees of federal agencies, officials monitoring the situation said. Bank of America said a small number of computer data tapes were lost in December while being shipped to a back-up data center. [...] From isn at c4i.org Thu Mar 3 02:50:02 2005 From: isn at c4i.org (InfoSec News) Date: Thu Mar 3 02:55:31 2005 Subject: [ISN] Security UPDATE -- Limit Your Exposure: Don't Use Administrative Accounts -- March 2, 2005 Message-ID: ==================== This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE. Exclusive Online Event: Email Protection at the Perimeter! http://list.windowsitpro.com/t?ctl=3DFB:4FB69 SQL Server Magazine http://list.windowsitpro.com/t?ctl=3E0B:4FB69 ==================== 1. 
In Focus: Limit Your Exposure: Don't Use Administrative Accounts 2. Security News and Features - Recent Security Vulnerabilities - Numerous Security Flaws in Web Browsers Remain Unpatched - Microsoft Adds Security Guidance Center for Small Businesses 3. Security Toolkit - Security Matters Blog - FAQ - Security Forum Featured Thread 4. New and Improved - 256-Bit SSL Certificates ==================== ==== Sponsor: St. Bernard Software ==== Exclusive Online Event: Email Protection at the Perimeter! Learn how you can get award-winning anti-virus protection and superior spam blocking while assuring your critical business emails get through. Sign up today for this free online product demonstration and see the ePrism M500 from St. Bernard Software in action. Discover the secret behind the eGuard Analysts and how email is scoured for digital fingerprints left by spammers so you won't receive or send spam and viruses again! Sign up now! http://list.windowsitpro.com/t?ctl=3DFB:4FB69 ==================== ==== 1. In Focus: Limit Your Exposure: Don't Use Administrative Accounts ==== by Mark Joseph Edwards, News Editor, mark at ntsecurity / net You're probably well aware that running your desktop while logged on as an administrator can be risky. The reason of course is that administrators have full authority on the system, so any program that launches under an administrative account can perform almost any action you can think of. As you'll learn if you read the Security Matters blog item "Windows Firewall: Another Good Reason Not to Login as Administrator" ( http://list.windowsitpro.com/t?ctl=3E02:4FB69 ), spyware peddlers have already developed a way of adding their programs to the Windows Firewall's list of trusted applications. The spyware application simply adds a registry value that references its own executable under the subkey that stores the firewall's list of authorized applications. Any application on that list is allowed to accept unsolicited inbound connections, which Windows Firewall otherwise blocks; the XP SP2 firewall does not filter outbound traffic at all, so that list is the only thing standing between the network and a program listening on the machine. 
However, adding an entry to the list works only if the user is logged on with administrative authority, because the subkey lives under HKEY_LOCAL_MACHINE, which limited users can read but not write. So now you know one more reason why administrative accounts should be used sparingly. Mark Minasi recently wrote an interesting editorial in Windows IT Pro UPDATE--Special Edition titled "Follow-Up: Why Microsoft Can't Stop Root Kits." Minasi pointed out that the primary leverage an intruder has is a user logged on with an administrative account. http://list.windowsitpro.com/t?ctl=3E03:4FB69 In a message posted to the Bugtraq mailing list, Chris Wysopal pointed out that "The security problem that has created the spyware malaise on Windows is the default Windows installation for home users, which creates the user's named account in the Administrators group. When this account is used to browse the Internet there is no protection to prevent spyware/malware from bypassing security mechanisms, such as the XP SP2 firewall, by exploiting vulnerabilities or tricking the user." Wysopal's statement is true. The same thing goes for corporate users who use an administrative account primarily for visiting networks external to their company network. Wysopal also made the interesting prediction that due to the problem of spyware and malicious software, Microsoft will eventually change the Windows installation process so that at least two accounts are created: one for administrative use and another with limited permissions for everyday and Internet use. http://list.windowsitpro.com/t?ctl=3DFF:4FB69 Any of you who've used a Unix-based or Linux-based system know that this sort of dual-account use is standard practice. You log on with a regular user account, and when you need administrative privileges, you can use the "su" (substitute user) command to temporarily elevate your privileges, log out and log back in as "root" or some other administrative account, or create another logon session on your desktop. 
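As an added example (it is not code from the newsletter, from Microsoft or from the Security Matters blog), the following Python script audits an exported copy of the firewall's authorized-applications list for exactly the kind of entry described above. The registry path is the real XP SP2 location of that list; the sample .reg export, the approved baseline and the program names in it are constructed for the demonstration. Export the key on the machine with `reg export`, run the script against the file, and anything Enabled that is not in your baseline, especially a program living in a user-writable directory, deserves a look.

```python
"""Audit the Windows Firewall (XP SP2) exceptions list from a .reg export.

Added example, not from the newsletter. LIST_KEY is the real registry path
of the Standard Profile exceptions list; the sample export and baseline below
are constructed. Writing to this key needs administrative rights, which is
why spyware running under a limited account cannot add itself here.
"""
import re
import sys
from dataclasses import dataclass
from typing import Iterable, List, Tuple

LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
            r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# Constructed sample of `reg export <LIST_KEY> fw.reg` after an installer
# running as Administrator has added "updater.exe" from a Temp directory.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Apache Group\\Apache2\\bin\\Apache.exe"="C:\\Program Files\\Apache Group\\Apache2\\bin\\Apache.exe:*:Disabled:Apache HTTP Server"
"C:\\Documents and Settings\\alice\\Local Settings\\Temp\\updater.exe"="C:\\Documents and Settings\\alice\\Local Settings\\Temp\\updater.exe:*:Enabled:Windows Update Helper"
'''

# Constructed baseline: programs the organisation has approved as exceptions.
BASELINE = {
    r"C:\WINDOWS\system32\sessmgr.exe",
    r"C:\Program Files\Messenger\msmsgs.exe",
}

# Path fragments that no legitimate listening service should live under.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\")


@dataclass
class FirewallException:
    path: str       # program allowed to accept unsolicited inbound connections
    scope: str      # "*" = any source address, otherwise a subnet list
    enabled: bool
    name: str       # display name shown on the firewall's Exceptions tab


_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Value format is <path>:<scope>:Enabled|Disabled:<display name>; the path
# contains the drive-letter colon, so the path group is non-greedy and the
# mode group anchors the split.
_ENTRY_RE = re.compile(r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<mode>Enabled|Disabled):(?P<name>.*)$",
                       re.IGNORECASE)


def _unescape(s: str) -> str:
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> List[FirewallException]:
    """Return the exceptions found under LIST_KEY in a .reg export."""
    found: List[FirewallException] = []
    in_list = False
    for raw in text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            in_list = key.group(1).lower() == LIST_KEY.lower()
            continue
        if not in_list:
            continue
        value = _VALUE_RE.match(line)
        if not value:
            continue
        entry = _ENTRY_RE.match(_unescape(value.group(2)))
        if not entry:
            continue            # malformed value: skip it, keep auditing
        found.append(FirewallException(path=entry["path"], scope=entry["scope"],
                                       enabled=entry["mode"].lower() == "enabled",
                                       name=entry["name"]))
    return found


def audit(exceptions: Iterable[FirewallException],
          baseline: Iterable[str]) -> List[Tuple[FirewallException, str]]:
    """Return (entry, reason) for every enabled exception outside the baseline."""
    approved = {p.lower() for p in baseline}
    findings = []
    for exc in exceptions:
        if not exc.enabled:
            continue
        path = exc.path.lower()
        if path in approved:
            continue
        reason = "not in baseline"
        if any(marker in path for marker in USER_WRITABLE):
            reason += "; lives in a user-writable directory"
        findings.append((exc, reason))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # reg.exe writes UTF-16LE with a BOM; fall back for hand-edited files.
        try:
            text = open(sys.argv[1], encoding="utf-16").read()
        except UnicodeError:
            text = open(sys.argv[1], encoding="latin-1").read()
    else:
        text = SAMPLE_REG
    for exc, reason in audit(parse_reg_export(text), BASELINE):
        print(f"{exc.path}  scope={exc.scope}  name={exc.name!r}: {reason}")
```

Run it with no argument to see the constructed sample flagged, or with the path of a real `reg export` file. The Disabled entry is ignored on purpose: an exception that is present but switched off admits no traffic, while an Enabled one from a Temp directory is the signature the blog item warns about.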
Windows also lets users elevate their privileges, but this capability isn't used nearly as often as it should be. You probably know this already, but I'll point it out in case any readers are unaware: A simple way to elevate your privileges for specific application use in Windows is to use the RunAs feature, which lets you run programs under any account context provided that you supply the corresponding account password. This feature works great even for desktop systems on which some applications might not work correctly except under an account with some level of administrative authority. If you need help figuring out how to use RunAs, then check the articles at Microsoft's Web site. http://list.windowsitpro.com/t?ctl=3E00:4FB69 ==================== ==== Sponsor: SQL Server Magazine ==== Get SQL Server Magazine and Get Answers Throughout the year in 2005, SQL Server Magazine is on target to deliver comprehensive coverage of all hot industry topics including, SQL Server 2005, performance tuning, security, Reporting Services, Integration Services, and .NET development. If you aren't already a subscriber, now is the time to sign up. You'll get unlimited online access to every article ever published in the magazine and you'll get 30% off the cover price. Don't miss out . . . sign up today: http://list.windowsitpro.com/t?ctl=3E0B:4FB69 ==================== ==== 2. Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://list.windowsitpro.com/t?ctl=3DFE:4FB69 Numerous Security Flaws in Web Browsers Remain Unpatched Dozens of security-related problems remain unpatched in the Microsoft Internet Explorer (IE), Mozilla Firefox, and Opera Web browsers. 
According to security solution provider Secunia, which tracks vulnerabilities in more than 4000 products, some of the unpatched browser vulnerabilities are considered to be either moderately or highly critical. http://list.windowsitpro.com/t?ctl=3E06:4FB69 Microsoft Adds Security Guidance Center for Small Businesses Microsoft added a new Security Guidance Center to its Small Business Center Web site. The new content provides security information and advice to help businesses create a safer network environment. http://list.windowsitpro.com/t?ctl=3E05:4FB69 ==================== ==== Resources and Events ==== Keeping Critical Applications Running in a Distributed Environment Get up to speed fast with solid tactics you can use to fix problems you're likely to encounter as your network grows in geographic distribution and complexity, learn how to keep your network's critical applications running, and discover the best approaches for planning for future needs. Don't miss this exclusive opportunity--register now! http://list.windowsitpro.com/t?ctl=3DF9:4FB69 Get Ready for SQL Server 2005 Roadshow in a City Near You Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best- practices migration to SQL Server 2005 and improve your database computing environment. Receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now! http://list.windowsitpro.com/t?ctl=3DFC:4FB69 Learn What You Can Do When Exchange Disaster Strikes Messaging administrators can't always adequately plan for or prevent some kinds of disasters. In this free Web seminar, join Exchange MVP Paul Robichaux, as he describes some operational scenarios in which "disaster recovery" takes a back seat to "business continuance." Learn how to be prepared for events that might otherwise wipe out your messaging capability. Register now! 
http://list.windowsitpro.com/t?ctl=3DF8:4FB69 The Must-Attend Event for Securing Your Wireless Deployments The Conference on Mobile & Wireless Security delivers on-target, need-to-know information on emerging issues and tech trends. Featuring first-class keynotes and sessions, an in-depth panel discussion, and interactive workshops, you will learn practical tactics for overcoming mobile security challenges and real-world strategies for maximizing the potential of your wireless devices. http://list.windowsitpro.com/t?ctl=3E0D:4FB69 Meet the Risks of Instant Messaging Head On in This Free Web Seminar Don't overlook Instant Messaging in your compliance planning. Attend this free Web seminar and learn how to minimize IM's authentication and auditability risks and prevent security dangers. You'll also receive a list of the top requirements to consider when choosing a secure IM solution. Sign up now! http://list.windowsitpro.com/t?ctl=3DFA:4FB69 ==================== ==== 3. Security Toolkit ==== Security Matters Blog by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=3E0C:4FB69 Windows Firewall: Another Good Reason Not to Login as Administrator Administrator rights are dangerous enough already. Combine them with Windows Firewall protecting a system, and somebody from outside your network might be able to bypass the firewall. http://list.windowsitpro.com/t?ctl=3E02:4FB69 FAQ by John Savill, http://list.windowsitpro.com/t?ctl=3E08:4FB69 Q. How can I configure Group Policy-based scripts to display when they're executed? Find the answer at http://list.windowsitpro.com/t?ctl=3E04:4FB69 Security Forum Featured Thread: Annoying Files That Continually Reappear A forum participant is wondering about two files on his system, wkwgww.exe and hnhihh.exe. He thinks the files are related due to the file names. He has the latest updates for his antivirus and antispyware scanners, but those tools don't detect anything suspicious about the two files. 
When he deletes the files, they reappear on the system. Join the discussion at http://list.windowsitpro.com/t?ctl=3DFD:4FB69 ==================== ==== Announcements ==== (from Windows IT Pro and its partners) Get Windows IT Pro at 44% Off! Windows & .NET Magazine is now Windows IT Pro! Act now to get an entire year for just $39.95--that's 44% off the cover price! Our March issue shows you what you need to know about Windows Server 2003 SP1, how to get the best out of your IT staff, and how to fight spyware. Plus, we review the top 10 features of Mozilla Firefox 1.0. This is a limited-time, risk-free offer, so click here now: http://list.windowsitpro.com/t?ctl=3E07:4FB69 ==================== ==== 4. New and Improved ==== by Renee Munshi, products@windowsitpro.com 256-Bit SSL Certificates XRamp Technologies announced that it's now issuing 256-bit digital Secure Sockets Layer (SSL) certificates. The certificates work with all browsers and servers that support the 256-bit Advanced Encryption Standard (AES) and are backward-compatible for browsers and servers that can handle only 128-bit or 40-bit encryption. Note that the 256 bits describe the AES session cipher that the browser and server negotiate, not the certificate itself, whose own key is RSA; an ordinary certificate does not by itself select the cipher strength. Microsoft hasn't yet implemented 256-bit capability into its servers and browser, but 256-bit AES encryption is available with Linux Web servers, and the free Mozilla Firefox Web browser supports 256-bit AES. A 1-year 256-bit SSL certificate from XRamp costs $128. Multiyear certificates are available at discounted prices. For more information, go to http://list.windowsitpro.com/t?ctl=3E11:4FB69 Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com. 
Editor's note: Share Your Security Discoveries and Get $100 Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rsecadmin@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length. ==================== ==== Sponsored Links ==== Automate Patch Management with Symantec ON iPatch http://list.windowsitpro.com/t?ctl=3E12:4FB69 Quest Software See Active Directory in a whole new light. And get a free flashlight! http://list.windowsitpro.com/t?ctl=3E13:4FB69 ==================== ==== Contact Us ==== About the newsletter -- letters@windowsitpro.com About technical questions -- http://list.windowsitpro.com/t?ctl=3E0F:4FB69 About product news -- products@windowsitpro.com About your subscription -- windowsitproupdate@windowsitpro.com About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com ==================== This email newsletter is brought to you by Security Administrator, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today. http://list.windowsitpro.com/t?ctl=3E01:4FB69 View the Windows IT Pro privacy policy at http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy Windows IT Pro, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2005, Penton Media, Inc. All rights reserved. From isn at c4i.org Thu Mar 3 02:50:22 2005 From: isn at c4i.org (InfoSec News) Date: Thu Mar 3 02:55:33 2005 Subject: [ISN] Can you hear me now? 
In Senate buildings, the answer is yes Message-ID: Forwarded from: William Knowles http://www.gcn.com/vol1_no1/daily-updates/35187-1.html By Brad Grimes GCN Staff 03/02/05 The Senate this week activated an in-house cellular network that lets government employees place and receive calls from the bowels of the legislative body's various buildings. They can even check their BlackBerry devices. No sooner did the service go live Monday than Senate CIO Greg Hanson began receiving positive feedback. "I'm getting calls from my customers saying 'Greg, my cell phone works in the cafeteria of the Dirksen Building,'" Hanson said today at a wireless technology conference in Washington. The service is not yet available in all Senate buildings - the infrastructure is still being rolled out in the Capitol itself - but it does support almost all commercial cellular services. Hanson said the Senate had reached agreements with all but one cellular carrier. He declined to name the sole holdout but expected the carrier's service to be live on the Senate network by the end of the month. The cellular capabilities are part of an extensive hybrid wireless network the Senate is building with technology from MobileAccess Inc. of Vienna, Va. Not only do the Senate's wireless access points support cellular communications, they also allow wireless IEEE 802.11b/g access to various networks. Hanson said WiFi access was currently operational in approximately 40 percent of the Senate's office space, which includes the Dirksen, Hart and Russell Senate office buildings. When deciding how to build a wireless infrastructure that supports both cellular and WiFi communications, Hanson said the Senate decided it wanted to own the infrastructure and sell the bandwidth back to commercial carriers, who in turn sell their services across the network. "How do you satisfy everyone by making [the network] carrier agnostic?" Hanson said. 
Senators and their staff tend to have their favorite cellular services because coverage varies from state to state. As it rolls out further, WiFi networking, which the Senate secures with hard tokens, virtual private networking and other measures, will require new policies. "Some offices didn't want to wait so they went to Best Buy and set up their own wireless networks," Hanson said. Hanson said his office is working with the Senate Rules Committee on a policy that would require Senate offices to shut down unauthorized wireless networks. For now, Hanson said, his staff does periodic "war walking" to identify rogue access points. *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* From isn at c4i.org Thu Mar 3 02:50:36 2005 From: isn at c4i.org (InfoSec News) Date: Thu Mar 3 02:55:35 2005 Subject: [ISN] Hacker Tips Off B-School Applicants Message-ID: http://www.thecrimson.com/today/article506140.html By DANIEL J. T. SCHUKER Crimson Staff Writer March 03, 2005 Tipped off by an online hacker, applicants to several of the nation's top business schools, including Harvard Business School (HBS), could access internal files on the schools' websites and ascertain their admissions status a month early. The admissions websites were vulnerable for over nine hours yesterday before the hacker's instructions and the admissions letters were taken down. But during the narrow time window, according to a thread on Business Week Online's technology forum, several applicants managed to follow the hacker's directions and read the admissions office's response letter. 
HBS requires students to submit their applications and recommendations electronically using ApplyYourself, an online application and decision notification system. An anonymous hacker known as "brookbond," who defined himself as a male who specializes in information technology and software security, posted the instructions on Business Week Online's technology forum at 12:15 a.m., early yesterday. "I know everyone is getting more and more anxious to check [the] status of their apps to HBS," he wrote. "So I looked around on their site and found a way." Steven R. Nelson, executive director of HBS's Master of Business Administration (MBA) program, said the letters were taken off the site early yesterday. "These were just internal administrative devices," Nelson said. Len Metheny, chief executive officer of ApplyYourself told The Crimson that his company notified the half-dozen schools that were affected and put them on alert yesterday morning. "The problem has been resolved since 9:45 this morning," he said. "We made some changes to the system to prohibit access to that information." Metheny also noted that individuals could only access their own personal admissions responses - not those of other applicants. Business Week officials set out to expunge the hacker's comments from the website yesterday morning, said Kimberly Quinn, Business Week's director of communications. "As soon as we were informed of the situation, we deleted the post immediately," she said. "And any other directions that anybody else posted...we deleted those right away, too." Nelson said HBS and Business Week did not contact each other about taking the posts down. Before the online discussion on Business Week's forum was deleted, other students reported that they had also accessed admissions decisions from MIT's Sloan School of Management, the Stanford Graduate School of Business, and Duke University's Fuqua School of Business. Managing Director of MBA Admissions and Financial Aid at HBS Brit K. 
Dewey posted a statement on Business Week's online forum last night directed to current applicants. "HBS decision information housed within ApplyYourself is neither complete nor final until our application notification dates," she wrote. Dewey also emphasized in her online post that students' applications and recommendations have remained secure. "Such behavior is unethical and inconsistent with the behavior we expect from high-potential leaders we seek to admit to our program," she added. Nelson said that HBS has not decided how to deal with applicants who accessed the site yesterday, nor would he confirm whether HBS knew the identities of these applicants. "This is a matter we're taking very seriously," he said. HBS offers students three application rounds, with deadlines in October, January, and March. The admissions office sends out responses in January, March, and May, respectively. Applicants who could access the website using the hacker's technique expected to hear a decision from HBS on March 30. Quinn said that Business Week does not know the identity of "brookbond," who told the online forum yesterday that he had used his own techniques to find out his own admissions status at HBS. Sanford Kreisberg, a business school admissions consultant who follows developments at HBS closely, said that "this was probably not HBS's fault, but the software vendor's." Kreisberg added that the Wharton School at the University of Pennsylvania, as well as Cornell College, had experienced problems with online admissions programs in recent years. "Things could be worse," he said. - Staff writer Daniel J. T.
Schuker can be reached at dschuker @ fas.harvard.edu
From isn at c4i.org Thu Mar 3 02:50:47 2005 From: isn at c4i.org (InfoSec News) Date: Thu Mar 3 02:55:37 2005 Subject: [ISN] U.S. government to rely on Canadian cryptography Message-ID: http://www.globetechnology.com/servlet/story/RTGAM.20050302.gtcrypto0303/BNStory/Technology/ March 2, 2005 Globe and Mail Update
MISSISSAUGA, Ont., March 3 - Elliptic Curve Cryptography (ECC), an efficient public key cryptosystem, will become the standard to protect U.S. government communications. The U.S. National Security Agency (NSA) presented its strategy and recommendations for securing U.S. government sensitive and unclassified communications, which included a recommended set of advanced cryptography algorithms known as Suite B for securing sensitive and unclassified data. The only public key protocols included in Suite B are Elliptic Curve Menezes-Qu-Vanstone (ECMQV) and Elliptic Curve Diffie-Hellman (ECDH) for key agreement and Elliptic Curve Digital Signature Algorithm (ECDSA) for authentication. The Advanced Encryption Standard (AES) for data encryption and SHA for hashing are also included. All of the Suite B algorithms are consistent with the National Institute of Standards and Technology (NIST) publications. ECC is a publicly available algorithm produced by Certicom, which has researched and developed ECC-based implementations and security for the past 20 years. Certicom Security Architecture, a modular set of security services, software cryptographic providers (including a FIPS 140-2 Validated cryptographic module), and board support packages, enables device manufacturers and other government suppliers to easily add strong, efficient cryptography that meets the NSA recommendations and NIST publications.
From isn at c4i.org Thu Mar 3 02:51:04 2005 From: isn at c4i.org (InfoSec News) Date: Thu Mar 3 02:55:39 2005 Subject: [ISN] Are vulnerable times responsible times?
Message-ID: http://software.silicon.com/security/0,39024655,39128296,00.htm By Patrick Gray March 02 2005 Security professionals say they're making computing safer, but are they doing more harm than good? Patrick Gray talks to independent security researchers, a controversial operator and Microsoft's chief security engineer to find out. The internet is one big, bad neighbourhood. Try connecting a freshly loaded Windows system - no patches - to the internet. How long would it last? 10 seconds? Maybe 20? Then imagine a nightmare scenario. Your computer, with all patches loaded, is attacked by a hacker who possesses vulnerability information not in the public domain. They know a way in and there's no way to stop them; no patch for the security hole because your software supplier doesn't know it exists. This is why software companies want security bug catchers to tell them when they find a flaw. They can write a patch and distribute it to customers before malicious hackers can attack systems through the weakness. But one such researcher, Dave Aitel, doesn't want to do that. Aitel is a man with a reputation. In private, many security researchers say he's unethical; a rogue operator placing computer users across the globe at risk. Others say he's a gun researcher, protecting his clients in an era of irresponsible security practices among large software companies. Aitel's company, Immunity Inc, raised more than a few eyebrows in January when it released details of a security vulnerability in Apple's operating system software to the public without giving the software company prior notification. The result? Apple customers were aware of a security flaw in their software, and had no way to fix it. But the very same vulnerability details were shared with Immunity's clients as far back as June, 2004. Why? Aitel explained: "Immunity's policy on vulnerability information does not include vendor notification." 
Aitel has a habit of answering the questions he wishes you'd asked, not the ones that you actually did. But he offers this: the way he sees it, he's providing his customers with information about vulnerabilities in greater detail than the vendors, and that's a service worth paying for. $100,000 will get you into Aitel's Vulnerability Sharing Club; $50,000 for smaller companies. Any company that joins must sign a non-disclosure agreement, so information about vulnerabilities in popular software doesn't fall into the wrong hands. Needless to say, some vendors are less than impressed. George Stathakopoulos, Microsoft's chief security engineer, wouldn't talk about any specific company, but says responsible vulnerability disclosure is vital. "Any individual or organisation that behaves in a way that potentially puts... customers at risk is a huge concern," he says. "We continue to urge security researchers to disclose vulnerability information responsibly and allow customers time to deploy updates so they do not aid criminals in their attempt to take advantage of software vulnerabilities." Greg Shipley, chief technology officer of Chicago-based security outfit Neohapsis, holds back judgement but says the existence of private vulnerability sharing clubs like Aitel's raises some serious ethical questions. "When you start talking about advanced release times, publishing exploit code, and introducing a mercenary angle to what is essentially... a public quality assurance process, you start entering some really murky waters," he says. The trade in information that allows the buyer to easily penetrate computer networks is dangerous, Shipley argues. "If it simply boils down to the highest bidder, we're in for some real problems." "If anyone with a few dollars can afford to 'buy into' such an information ring and get access to tools that blow past most corporate defences, what's to stop some truly malicious folks from using that information for truly evil purposes?" Shipley asks.
"Zero-day", or unpublished security vulnerabilities are becoming the "tactical nukes" of cyberspace, Shipley argues; the Holy Grail. He doesn't want to see them falling into the wrong hands. But Ken Pfeil, chief security officer at Capital IQ, a web-based provider of financial data services, isn't alarmed. Services offered by companies like Immunity are ethical, "as long as they hold the information to themselves and sign the members to a non-disclosure agreement". Still, he does acknowledge the sensitive information may "leak", but that's not Aitel's fault, he says. Vulnerability information leaks have sprung from other sources, like the Carnegie Mellon University-based research outfit CERT, which receives US government funding. "No one holds CERT accountable when a member leaks information, so why would this be any different?" Pfeil asks. Perhaps some in the security industry are merely annoyed Aitel has the gumption to turn vulnerabilities into cash in such a controversial way. Having access to vulnerability information if you're a researcher seems to be a lesser sin in the eyes of many. It's ironic, considering some prominent researchers have been known to dabble in illegal activity. Pfeil has used Aitel's services in the past, and is a satisfied customer. "I hired him to do a code review at our company last year. He did a very good job," he says. While researching any article about Immunity Inc, one thing became very clear: Aitel is popular. Even some of his biggest critics say he's funny and affable; one former colleague describes him as "hard not to like". Aitel spent six years working with the National Security Agency in the US before moving to the private sector. Ron Gula, the creator of Dragon IDS and co-founder of Tenable security in the US, also worked for the NSA. Gula, a competitor of sorts to Aitel, shies away from vulnerability research. It's expensive, time consuming and not worth the hassle, he says. 
But Gula has also benefited financially from finding vulnerabilities in software inadvertently, simply through the publicity. He knows finding bugs pays the bills, even when disclosure is handled differently. It's proof that the rational rules of commerce, and perhaps ethics as a knock-on effect, don't apply in the bug hunting game. "The few vulnerabilities we've inadvertently discovered got Tenable on CNN and sent a lot of business our way," Gula says. Even when a vulnerability was discovered in Dragon IDS, Gula said the negative publicity actually helped boost sales. "When Dragon first started, there was a lame exploit for it. This sent a lot of business my way... [people] conclude if it is new and worth hacking, it must be good." There is a demand for detailed information about security vulnerabilities out there, a market vacuum, and Aitel's moved to fill it. "Software customers should require vendors to provide full, current, and accurate disclosure of every security vulnerability they know about, to their customers," he says. "While the open source community generally follows this policy, closed source vendors often do not. Educated customers, particularly in the financial community, are now requiring independent third party assessments of software before they purchase it, and are beginning to push back on software vendors with regards to the information they get from them about vulnerabilities." But Microsoft's Stathakopoulos says his company doesn't want to bury vulnerability information, it just wants to slow down its release. "What worries me is the increase in releasing proof of concept code," he says. "I would like to see the industry self-regulating and delaying the release of POC for at least 90 days." Proof of concept code exploits a security vulnerability, but doesn't grant access to a vulnerable machine; it's a test. However, armed with a basic POC anyone with some basic programming skills can alter the code and turn it into a fully fledged exploit. 
Some see the release of POC as a way to force software vendors to produce working fixes. If millions of users have the ability to test a security patch with the POC, then the vendor had better make it a good fix. If there's one thing Stathakopoulos is getting very sick of, it's having to drop everything - including holidays or social plans - when a security researcher slaps an undisclosed vulnerability in a Microsoft product onto a public mailing list. "You have to leave whatever you're doing to go to work and start the process of releasing a security update," he says. What if software vendors started paying bug-finders for information about security flaws: would this help or hinder? Shipley has doubts. "There's a fine line between fiscally compensating one for their work, and creating a framework for extortion possibilities," he says. "It's that line that I worry about." But Aitel notes it's not the "security community" that actually finds most of the bugs. "Vendors typically do pay a fee to people who find bugs in their software; they call that fee their 'salary'," he quips. "Most people finding bugs in a vendor's software are QA (Quality Assurance) engineers who work for the vendor." The public never knows about those bugs because they're fixed before the product ships. Gula agrees with Shipley. If vendors are obliged to pay for bugs, such a scheme will amount to extortion. "There are millions of unknown vulnerabilities and the software manufacturers should not be forced to purchase these. How much are they worth? Who sets this value?" he asks. So who's to blame for the current state of affairs? Vendors blame irresponsible researchers, and some researchers blame the vendors. While there are bugs being found, researchers will always seek to earn money from them. They'll sell them, or use them for marketing purposes; nothing says "look at me" like a zero-day in Windows. Until that changes, the security industry will look like the Wild West for a long time to come.
For now, it's the users left in the middle.
From isn at c4i.org Fri Mar 4 05:08:15 2005 From: isn at c4i.org (InfoSec News) Date: Fri Mar 4 05:17:22 2005 Subject: [ISN] bounty for errors in _Translucent Databases_ Message-ID: Forwarded from: R.A. Hettinga [ http://www.amazon.com/exec/obidos/ASIN/0967584418/c4iorg - WK]
--- begin forwarded text
To: R.A.Hettinga From: Peter Wayner Subject: bounty for errors in _Translucent Databases_ Date: Thu, 3 Mar 2005 16:05:44 -0500
To: All readers of Translucent Databases. I'm starting work on the second edition of _Translucent Databases_. To help eliminate errors, I'm quadrupling the bounty for error reports to $20 per error. I may also pay for suggestions for improving it, but that's harder to codify. For info on the book, see this website: http://www.wayner.org/books/td/ The only rules are designed to prevent people from using this offer to print money: only the first person to report each error gets $20. I reserve the right to relax this rule to pay multiple people who don't seem to be colluding. I get to decide what constitutes a technical error and how big an error might be. For instance, if I screwed up and listed pi=3.41592..., I get to decide that this is only one error. It's not an infinite set of errors because the first digit after the decimal point is not 4, the second digit is not 1, the third digit is not 5, etc. Also, non-technical errors don't qualify, although I'm grateful to get them. To see previously reported errors: http://www.wayner.org/books/td/errors.php I promise to try to apply these rules as generously as possible. -Peter
--- end forwarded text
-- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience."
-- Edward Gibbon, 'Decline and Fall of the Roman Empire'
From isn at c4i.org Fri Mar 4 05:08:26 2005 From: isn at c4i.org (InfoSec News) Date: Fri Mar 4 05:17:25 2005 Subject: [ISN] Bellua Cyber Security Asia 2005 - 23-24 March, Jakarta Message-ID: Forwarded from: Anthony Zboralski
Dear InfoSecNews readers, Bellua Cyber Security Asia 2005 early bird registrations are about to close; you can save 40% if you register this week. Event highlights:
* Keynote Speakers Bpk. Abdul Rahman Saleh, Attorney General of Republic Indonesia Bpk. DR. Sofyan Djalil, Minister of Communications and Information of Republic Indonesia
* 32 Top Speakers from Asia, Europe & USA
* Business Track for Executives & Managers
* Technical Track for Admins & Engineers
* Training Workshops
* Capture the Flag (Hacking Contest)
* Business Matchmaking, Cocktail Reception and Door prizes
Due to unforeseen circumstances, Black Hat Asia 2005 has been cancelled. Don't despair, BCS2005 in Jakarta is just one hour away from Singapore and The Grugq's Digital Forensics workshop and Sensepost's Hacking by Numbers (bootcamp & combat editions) will also be held on the 21st and 22nd March 2005 in Jakarta, Indonesia. Bellua Cyber Security Asia 2005 - http://www.bellua.net Register this Week for Early-Bird Discount! For questions regarding event registration, please call +62 811 1975 95. For general event questions, please email bcs2005@bellua.com.
-- Bellua Cyber Security Asia 2005 - http://www.bellua.net 21-22 March - The Workshops - 23-24 March - The Conference bcs2005@bellua.com - Phone: +62 21 391 8330 HP: +62 818 699 084
From isn at c4i.org Fri Mar 4 05:09:19 2005 From: isn at c4i.org (InfoSec News) Date: Fri Mar 4 05:17:28 2005 Subject: [ISN] Secunia Weekly Summary - Issue: 2005-9 Message-ID:
========================================================================
The Secunia Weekly Advisory Summary 2005-02-24 - 2005-03-03 This week : 61 advisories
========================================================================
Table of Contents:
1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing
========================================================================
1) Word From Secunia: The Secunia staff is spending hours every day to provide you with the best and most reliable source for vulnerability information. Every single vulnerability report is validated and verified before a Secunia advisory is written. Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued. As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet. Secunia Online Vulnerability Database: http://secunia.com/
========================================================================
2) This Week in Brief: The Mozilla Foundation has released a new version of their popular Firefox browser, which corrects several vulnerabilities.
Please view Secunia advisories below for additional details. References: http://secunia.com/SA13258 http://secunia.com/SA14407 http://secunia.com/SA14163 http://secunia.com/SA12712 http://secunia.com/SA13129 http://secunia.com/SA13599 http://secunia.com/SA14160 http://secunia.com/SA13786
-- Various Computer Associates products have been reported vulnerable to a buffer overflow vulnerability, which can be exploited by malicious people to compromise a vulnerable system. Users of Computer Associates products are advised to check if their products are affected by this vulnerability. References: http://secunia.com/SA14438
-- Various products from Trend Micro have been reported vulnerable to a buffer overflow, which can be exploited by malicious people to compromise a vulnerable system. Users of Trend Micro products are advised to check if their products are affected by this vulnerability. References: http://secunia.com/SA14396
-- Two vulnerabilities have been reported in various RealNetworks products, which can be exploited by malicious people to compromise a user's system. Additional details are available in the referenced advisory below. References: http://secunia.com/SA14456
VIRUS ALERTS: During the last week, Secunia issued 1 MEDIUM RISK virus alert. Please refer to the grouped virus profile below for more information: Bagle.BE - MEDIUM RISK Virus Alert - 2005-03-01 12:58 GMT+1 http://secunia.com/virus_information/15815/bagle.be/
========================================================================
3) This Week's Top Ten Most Read Advisories: 1. [SA14163] Mozilla Products IDN Spoofing Security Issue 2. [SA14407] Mozilla / Firefox / Thunderbird Multiple Vulnerabilities 3. [SA14396] Trend Micro Products AntiVirus Library Buffer Overflow 4. [SA13258] Mozilla / Firefox "Save Link As" Download Dialog Spoofing 5. [SA14335] Microsoft Internet Explorer Popup Title Bar Spoofing Weakness 6. [SA14406] Mozilla Firefox Image Javascript URI Dragging Cross-Site Scripting 7.
[SA13129] Mozilla / Mozilla Firefox Window Injection Vulnerability 8. [SA14160] Mozilla / Firefox Three Vulnerabilities 9. [SA12889] Microsoft Internet Explorer Multiple Vulnerabilities 10. [SA14382] phpMyAdmin Local File Inclusion and Cross-Site Scripting ======================================================================== 4) Vulnerabilities Summary Listing Windows: [SA14456] RealPlayer WAV and SMIL File Handling Buffer Overflows [SA14453] RaidenHTTPD Buffer Overflow and PHP Source Code Disclosure [SA14405] BadBlue "mfcisapicommand" Parameter Buffer Overflow Vulnerability [SA14400] KNet HTTP Request Processing Buffer Overflow Vulnerability [SA14435] Scrapland Packet Handling Denial of Service Vulnerabilities [SA14392] CIS WebServer Directory Traversal Vulnerability [SA14454] CA Unicenter Asset Management Multiple Vulnerabilities [SA14455] Einstein Sensitive Information Disclosure [SA14389] PeerFTP_5 User Credentials Disclosure UNIX/Linux: [SA14447] Gentoo update for phpwebsite [SA14412] Debian bsmtpd Arbitrary Command Injection Vulnerability [SA14452] SUSE update for imap [SA14448] Red Hat update for firefox [SA14445] Gentoo update for phpBB [SA14440] Fedora update for Firefox [SA14439] phpCOIN Multiple Vulnerabilities [SA14437] CuteNews Script Insertion Vulnerability [SA14433] PostNuke Multiple Vulnerabilities [SA14431] SUSE update for curl [SA14430] Ubuntu update for libxml1 [SA14425] Gentoo update for unace [SA14421] Ubuntu update for curl [SA14420] Ubuntu update for cyrus21-imapd [SA14419] SUSE Updates for Multiple Packages [SA14393] SUSE update for cyrus-imapd [SA14388] Gentoo update for cyrus-imapd [SA14426] Gentoo update for mediawiki [SA14423] Ubuntu update for reportbug [SA14422] Debian reportbug Exposure of Sensitive Information [SA14411] WU-FTPD Wildcard Denial of Service Vulnerability [SA14398] mkbold-mkitalic BDF Font File Conversion Format String Vulnerability [SA14397] HP-UX ftpd Unspecified File Access Vulnerability [SA14390] Mandrake update 
for squid [SA14442] Gentoo Qt Insecure Library Path Searching Vulnerability [SA14432] OpenBSD Unspecified Copy Functions Vulnerability [SA14427] KDE kppp Privileged File Descriptor Leak Vulnerability [SA14424] Gentoo update for uim [SA14408] Gentoo update for cmd5checkpw [SA14404] cmd5checkpw Privilege Escalation Vulnerability [SA14402] FreeNX X Server Authentication Bypass Security Issue [SA14391] Mandrake update for uim [SA14446] Gentoo update for gaim [SA14415] Fedora update for gaim [SA14410] Ubuntu update for gaim Other: [SA14395] Cisco ACNS Network Traffic Handling Denial of Service Vulnerabilities [SA14429] Mitel 3300 ICP Web Management Interface Two Vulnerabilities [SA14428] Symantec Firewall Devices SMTP Binding Configuration Bypass Cross Platform: [SA14449] PHPNews Arbitrary File Inclusion Vulnerability [SA14399] phpWebSite Announcement Image Upload Vulnerability [SA14396] Trend Micro Products AntiVirus Library Buffer Overflow [SA14418] Forumwa Two Vulnerabilities [SA14414] MercuryBoard Two Vulnerabilities [SA14413] phpBB "autologinid" Security Bypass [SA14407] Mozilla / Firefox / Thunderbird Multiple Vulnerabilities [SA14394] PunBB Multiple Vulnerabilities [SA14438] CA License Software Multiple Buffer Overflow Vulnerabilities [SA14434] 427BB "user" Cross Site Scripting Vulnerability [SA14416] CubeCart Cross-Site Scripting Vulnerabilities [SA14409] PHP "readfile()" Denial of Service [SA14406] Mozilla Firefox Image Javascript URI Dragging Cross-Site Scripting [SA14417] NX Server X Server Authentication Bypass Security Issue ======================================================================== 5) Vulnerabilities Content Listing Windows:-- [SA14456] RealPlayer WAV and SMIL File Handling Buffer Overflows Critical: Highly critical Where: From remote Impact: System access Released: 2005-03-02 Two vulnerabilities have been reported in various RealNetworks products, which can be exploited by malicious people to compromise a user's system. 
Full Advisory: http://secunia.com/advisories/14456/ -- [SA14453] RaidenHTTPD Buffer Overflow and PHP Source Code Disclosure Critical: Highly critical Where: From remote Impact: Exposure of sensitive information, System access Released: 2005-03-02 Tan Chew Keong has reported two vulnerabilities in RaidenHTTPD, which can be exploited by malicious people to gain knowledge of potentially sensitive information or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14453/ -- [SA14405] BadBlue "mfcisapicommand" Parameter Buffer Overflow Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2005-02-28 Andres Tarasco has reported a vulnerability in BadBlue, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14405/ -- [SA14400] KNet HTTP Request Processing Buffer Overflow Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2005-02-28 CorryL has reported a vulnerability in KNet, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14400/ -- [SA14435] Scrapland Packet Handling Denial of Service Vulnerabilities Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-03-01 Luigi Auriemma has reported some vulnerabilities in Scrapland, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14435/ -- [SA14392] CIS WebServer Directory Traversal Vulnerability Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information, Exposure of system information Released: 2005-02-28 CorryL has reported a vulnerability in CIS WebServer, which can be exploited by malicious people to gain knowledge of potentially sensitive information. 
Full Advisory: http://secunia.com/advisories/14392/ -- [SA14454] CA Unicenter Asset Management Multiple Vulnerabilities Critical: Less critical Where: From local network Impact: Cross Site Scripting, Manipulation of data, Exposure of system information, Exposure of sensitive information Released: 2005-03-02 Three vulnerabilities have been reported in CA Unicenter Asset Management, which can be exploited to gain knowledge of sensitive information or conduct script insertion and SQL injection attacks. Full Advisory: http://secunia.com/advisories/14454/ -- [SA14455] Einstein Sensitive Information Disclosure Critical: Less critical Where: Local system Impact: Exposure of sensitive information Released: 2005-03-02 Kozan has discovered a security issue in Einstein, which can be exploited by malicious, local users to gain knowledge of sensitive information. Full Advisory: http://secunia.com/advisories/14455/ -- [SA14389] PeerFTP_5 User Credentials Disclosure Critical: Less critical Where: Local system Impact: Exposure of sensitive information Released: 2005-02-24 Kozan has discovered a security issue in PeerFTP_5, which can be exploited by malicious, local users to gain knowledge of sensitive information. Full Advisory: http://secunia.com/advisories/14389/ UNIX/Linux:-- [SA14447] Gentoo update for phpwebsite Critical: Highly critical Where: From remote Impact: System access Released: 2005-03-02 Gentoo has issued an update for phpWebSite. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14447/ -- [SA14412] Debian bsmtpd Arbitrary Command Injection Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2005-02-28 Bastian Blank has reported a vulnerability in bsmtpd, which can be exploited by malicious people to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/14412/ -- [SA14452] SUSE update for imap Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2005-03-02 SUSE has issued an update for imap. This fixes a vulnerability, which can be exploited by malicious people to bypass the user authentication. Full Advisory: http://secunia.com/advisories/14452/ -- [SA14448] Red Hat update for firefox Critical: Moderately critical Where: From remote Impact: Security Bypass, Cross Site Scripting, Spoofing, Manipulation of data, Exposure of sensitive information, System access Released: 2005-03-02 Red Hat has issued an update for firefox. This fixes multiple vulnerabilities, which can be exploited to spoof various information, plant malware on a user's system, conduct cross-site scripting attacks, disclose and manipulate sensitive information, bypass certain security restrictions, perform certain actions on a vulnerable system with escalated privileges, and compromise a user's system. Full Advisory: http://secunia.com/advisories/14448/ -- [SA14445] Gentoo update for phpBB Critical: Moderately critical Where: From remote Impact: Manipulation of data, Exposure of sensitive information Released: 2005-03-02 Gentoo has issued an update for phpBB. This fixes two vulnerabilities, which can be exploited by malicious users to disclose and delete sensitive information. Full Advisory: http://secunia.com/advisories/14445/ -- [SA14440] Fedora update for Firefox Critical: Moderately critical Where: From remote Impact: Spoofing, Manipulation of data, Exposure of system information, Exposure of sensitive information, Privilege escalation, System access Released: 2005-03-01 Fedora has issued an update for Firefox. 
This fixes multiple vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges and by malicious people to trick users into downloading malicious files, to conduct spoofing attacks, disclose and manipulate sensitive information, and potentially compromise a user's system. Full Advisory: http://secunia.com/advisories/14440/ -- [SA14439] phpCOIN Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2005-03-01 Lostmon has reported multiple vulnerabilities in phpCOIN, allowing malicious people to conduct cross-site scripting and SQL injection attacks. Full Advisory: http://secunia.com/advisories/14439/ -- [SA14437] CuteNews Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2005-03-02 FraMe has reported a vulnerability in CuteNews, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/14437/ -- [SA14433] PostNuke Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2005-03-01 Maksymilian Arciemowicz has reported multiple vulnerabilities in PostNuke, allowing malicious people to conduct cross-site scripting and SQL injection attacks. Full Advisory: http://secunia.com/advisories/14433/ -- [SA14431] SUSE update for curl Critical: Moderately critical Where: From remote Impact: System access Released: 2005-03-01 SUSE has issued an update for curl. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/14431/ -- [SA14430] Ubuntu update for libxml1 Critical: Moderately critical Where: From remote Impact: System access Released: 2005-03-01 Ubuntu has issued an update for libxml1. 
This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14430/

--
[SA14425] Gentoo update for unace
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-03-01
Gentoo has issued an update for unace. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14425/

--
[SA14421] Ubuntu update for curl
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-02-28
Ubuntu has issued an update for curl. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14421/

--
[SA14420] Ubuntu update for cyrus21-imapd
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-02-28
Ubuntu has issued an update for cyrus21-imapd. This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14420/

--
[SA14419] SUSE Updates for Multiple Packages
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, DoS, System access
Released: 2005-03-01
SUSE has issued updates for multiple packages. These fix various vulnerabilities, which can be exploited by malicious, local users to bypass certain security restrictions, or by malicious people to cause a DoS (Denial of Service) or compromise a user's system.
Full Advisory: http://secunia.com/advisories/14419/

--
[SA14393] SUSE update for cyrus-imapd
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-02-25
SUSE has issued an update for cyrus-imapd. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14393/

--
[SA14388] Gentoo update for cyrus-imapd
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-02-24
Gentoo has issued an update for cyrus-imapd. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14388/

--
[SA14426] Gentoo update for mediawiki
Critical: Less critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data
Released: 2005-03-01
Gentoo has issued an update for mediawiki. This fixes some vulnerabilities, which can be exploited by malicious users to delete arbitrary files, and by malicious people to conduct cross-site scripting attacks and bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/14426/

--
[SA14423] Ubuntu update for reportbug
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-02-28
Ubuntu has issued an update for reportbug. This fixes two vulnerabilities, which may potentially expose sensitive information in bug reports or can be exploited by malicious, local users to view sensitive information.
Full Advisory: http://secunia.com/advisories/14423/

--
[SA14422] Debian reportbug Exposure of Sensitive Information
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-02-28
Rolf Leggewie has reported two vulnerabilities in reportbug, which may potentially expose sensitive information in bug reports and can be exploited by malicious, local users to view sensitive information.
Full Advisory: http://secunia.com/advisories/14422/

--
[SA14411] WU-FTPD Wildcard Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-02-28
Adam Zabrocki has reported a vulnerability in WU-FTPD, which can be exploited by malicious users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14411/

--
[SA14398] mkbold-mkitalic BDF Font File Conversion Format String Vulnerability
Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-02-25
A vulnerability has been reported in mkbold-mkitalic, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14398/

--
[SA14397] HP-UX ftpd Unspecified File Access Vulnerability
Critical: Less critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2005-02-25
A vulnerability has been reported in HP-UX, which can be exploited by malicious users to gain knowledge of potentially sensitive information.
Full Advisory: http://secunia.com/advisories/14397/

--
[SA14390] Mandrake update for squid
Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-02-25
MandrakeSoft has issued an update for squid. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14390/

--
[SA14442] Gentoo Qt Insecure Library Path Searching Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-03-02
Gentoo has issued an update for qt. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/14442/

--
[SA14432] OpenBSD Unspecified Copy Functions Vulnerability
Critical: Less critical
Where: Local system
Impact: Unknown
Released: 2005-03-01
A vulnerability with an unknown impact has been reported in OpenBSD.
Full Advisory: http://secunia.com/advisories/14432/

--
[SA14427] KDE kppp Privileged File Descriptor Leak Vulnerability
Critical: Less critical
Where: Local system
Impact: Manipulation of data
Released: 2005-03-01
A vulnerability has been reported in KDE, which can be exploited by malicious, local users to manipulate the contents of certain files.
Full Advisory: http://secunia.com/advisories/14427/

--
[SA14424] Gentoo update for uim
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-03-01
Gentoo has issued an update for uim. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/14424/

--
[SA14408] Gentoo update for cmd5checkpw
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-28
Gentoo has issued an update for cmd5checkpw. This fixes a vulnerability allowing malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/14408/

--
[SA14404] cmd5checkpw Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-28
Florian Westphal has reported a vulnerability in cmd5checkpw, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/14404/

--
[SA14402] FreeNX X Server Authentication Bypass Security Issue
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2005-02-28
A security issue has been reported in FreeNX, which can be exploited by malicious, local users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/14402/

--
[SA14391] Mandrake update for uim
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-02-25
MandrakeSoft has issued an update for uim.
This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/14391/

--
[SA14446] Gentoo update for gaim
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-03-02
Gentoo has issued an update for gaim. This fixes three weaknesses, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14446/

--
[SA14415] Fedora update for gaim
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-02-28
Fedora has issued an update for gaim. This fixes a weakness, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14415/

--
[SA14410] Ubuntu update for gaim
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-02-28
Ubuntu has issued an update for gaim. This fixes three weaknesses, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14410/

Other:

--
[SA14395] Cisco ACNS Network Traffic Handling Denial of Service Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-02-25
Four vulnerabilities have been reported in Cisco Application and Content Networking System (ACNS), which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14395/

--
[SA14429] Mitel 3300 ICP Web Management Interface Two Vulnerabilities
Critical: Moderately critical
Where: From local network
Impact: Hijacking, DoS
Released: 2005-03-01
Stephen de Vries of Corsaire has reported two vulnerabilities in Mitel 3300 Integrated Communications Platform (ICP), which can be exploited by malicious people to hijack sessions or by malicious users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14429/

--
[SA14428] Symantec Firewall Devices SMTP Binding Configuration Bypass
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-03-01
Arthur Hagen has reported a security issue in various Symantec firewall devices, which may disclose sensitive information to malicious people.
Full Advisory: http://secunia.com/advisories/14428/

Cross Platform:

--
[SA14449] PHPNews Arbitrary File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-03-02
Filip Groszynski has reported a vulnerability in PHPNews, allowing malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14449/

--
[SA14399] phpWebSite Announcement Image Upload Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-02-25
nst has reported a vulnerability in phpWebSite, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14399/

--
[SA14396] Trend Micro Products AntiVirus Library Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-02-25
ISS X-Force has reported a vulnerability in various Trend Micro products, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14396/

--
[SA14418] Forumwa Two Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-03-02
Raven has reported two vulnerabilities in Forumwa, which can be exploited by malicious people to conduct cross-site scripting attacks and by malicious users to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/14418/

--
[SA14414] MercuryBoard Two Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-03-02
Doctor Grim has reported two vulnerabilities in MercuryBoard, which can be exploited by malicious people to conduct script insertion and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/14414/

--
[SA14413] phpBB "autologinid" Security Bypass
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-02-28
A vulnerability has been reported in phpBB, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/14413/

--
[SA14407] Mozilla / Firefox / Thunderbird Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Spoofing, Manipulation of data, Exposure of system information, Exposure of sensitive information, Privilege escalation, System access
Released: 2005-03-01
Details have been released about several vulnerabilities in Firefox, Mozilla and Thunderbird. These can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges and by malicious people to conduct spoofing attacks, disclose and manipulate sensitive information, and potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/14407/

--
[SA14394] PunBB Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data, Exposure of sensitive information
Released: 2005-02-25
Some vulnerabilities have been reported in PunBB, which potentially can be exploited by malicious users to disclose sensitive information, and by malicious people to bypass certain security restrictions and conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/14394/

--
[SA14438] CA License Software Multiple Buffer Overflow Vulnerabilities
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2005-03-02
Multiple vulnerabilities have been reported in the CA License software, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14438/

--
[SA14434] 427BB "user" Cross Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-03-02
Raven has reported a vulnerability in 427BB, allowing malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/14434/

--
[SA14416] CubeCart Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-02-28
Lostmon has reported multiple vulnerabilities in CubeCart, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/14416/

--
[SA14409] PHP "readfile()" Denial of Service
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-03-01
A vulnerability has been reported in PHP, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14409/

--
[SA14406] Mozilla Firefox Image Javascript URI Dragging Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-03-01
Paul has reported a vulnerability in Mozilla Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/14406/

--
[SA14417] NX Server X Server Authentication Bypass Security Issue
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2005-02-28
Two security issues have been reported in NX Server, which can be exploited by malicious, local users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/14417/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Fri Mar 4 05:09:30 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 4 05:17:30 2005
Subject: [ISN] Security firm trashes customer e-mails
Message-ID:

http://news.com.com/Security+firm+trashes+customer+e-mails/2100-7355_3-5598860.html

By Dan Ilett
Special to CNET News.com
March 3, 2005

An e-mail security scanning company has accidentally deleted thousands of its customers' e-mails.

GFI, a Microsoft "gold certified partner," is offering free upgrades to all its customers, after it trashed their e-mails by sending out incorrect update information.

According to GFI, the problem occurred because of a change in BitDefender's technology, one of the products that GFI uses for its e-mail scanning.

"Unfortunately, some changes had been made to BitDefender," said Angelica Micalleff-Trigona, public relations manager at GFI. "We were not aware of this, and we did not foresee this problem. We are deeply sorry for what happened. It took us by surprise."
When the GFI MailSecurity update mechanism tried to install BitDefender updates on customer networks, the service started to delete all e-mails by default. BitDefender and GFI then rolled back the updates.

"We've learned our lesson," a BitDefender representative said Thursday. "From now on, we'll try to give more support to our integration partners. The other companies that integrate our scanning engine did not have the same problem."

A ZDNet UK reader affected by the problem said a GFI salesman told him that the update had not been tested.

"We were pretty surprised this morning to find that all of the e-mail which arrived overnight had been deleted," wrote Jeremy Whiteley, chief executive officer at Promarketing Gear. "Even more troubling was the fact that, according to GFI's U.S. sales manager, they released this update without testing it! I guess they expect me and my IT staff to play the role of tester, regardless of the cost to my business...We're reconsidering our reliance on GFI going forward."

GFI denied not testing the update, but apologized for the blunder and has promised all customers a free upgrade to its MailSecurity 9 product, which is available in two months' time. The company has also released a tool that can tell customers which e-mails were deleted and when.

From isn at c4i.org Fri Mar 4 05:09:44 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 4 05:17:33 2005
Subject: [ISN] Paying for Flaws Pays Off for iDefense
Message-ID:

http://www.eweek.com/article2/0,1759,1772418,00.asp

By Ryan Naraine
March 3, 2005

Internet security specialist iDefense Inc. has released a reverse-engineering tool to the open-source community as part of its controversial strategy of buying the rights to information on security flaws found by underground researchers.
The decision to roll out the IDA Sync tool was driven by a need to "contribute to the cycle" of making flaw-finding easier for the private individuals who participate in iDefense's VCP (Vulnerability Contributor Program).

The 3-year-old VCP involves financial incentives to anonymous researchers who agree to give up exclusive rights to advance notification of unpublished vulnerabilities or exploit code to iDefense.

Michael Sutton, director of iDefense Labs, said the wild success of the program has driven the company to release tools like IDA Sync, which is used to allow multiple analysts to synchronize their reverse-engineering efforts in real-time within the IDA Pro disassembler.

In an interview with eWEEK.com, Sutton said groups of researchers can use the IDA Sync plug-in to connect to the disassembler and share comments and name changes.

"A large group of researchers can now pick apart a program and share their findings with each other right within IDA Pro, which is the de-facto standard for disassembling within Windows," Sutton said.

In addition to IDA Sync, iDefense has previously released tools such as IDA pGRAPH, a plug-in that generates control-flow graphs; IDA Function Analyzer, an IDA C++ plug-in designed to provide an abstracted layer over "chunked" functions; and the Attack Vector Test Platform, a tool that was used in the research for the paper titled "A Comparison of Buffer Overflow Prevention Implementations and Weaknesses."

Flaw-finding has generated big business, and invaluable publicity, for the Reston, Va.-based iDefense. So far this year, the company is credited with the responsible disclosure of 36 security bulletins, including major flaws in products sold by Computer Associates International Inc., RealNetworks Inc. and Apple Computer Inc.

Sutton said that more than 80 percent of all vulnerabilities reported by iDefense were purchased from private, sometimes anonymous, software crackers.

"We'll pay for the exclusive intellectual property rights to the research, and this program works for everyone. The researchers make money for their work, the vendors get the benefit of responsible advance notices, and the end users get well-tested patches."

Not everyone agrees. Firas Raouf, chief operating officer of eEye Digital Security, thinks that the business of buying rights to flaw information is a dangerous practice.

"We don't believe that finding software vulnerabilities should be a for-profit business. We have a problem with paying for flaws. People should not be rewarded financially with finding flaws. Researchers should consider that finding flaws is an end in itself to make the world a more secure place," Raouf said in an interview.

iDefense's Sutton, however, argued that buying the information is the only way to make flaw discovery a scalable business. "Last year, we released more than 100 public advisories. If you were to hire a team to come up with that volume in a year, it would cost a ton of money. The VCP gives us a very flexible, scalable business model."

Sutton refused to discuss how much money is paid for the rights to a flaw discovery. When the program launched in 2002, the company was offering up to $400 per vulnerability, and eEye's Raouf believes it is now in the range of $3,000 each.

"You have to remember there is a very lucrative underground market for this information. There's a lot of work being done on the organized crime side to get this information, and the prices being offered are quite high," Raouf said.

Raouf supports software vendors offering financial incentives, much like the Mozilla Foundation's bounty program that pays up to $500 for any critical bug found in the open-source code base. "Finding vulnerabilities should be part of a manufacturer's QA [quality assurance] process. Microsoft, for example, is investing a lot of resources on training to help developers write secure code.
It has worked quite well for Mozilla to get more professionals picking away at the code," Raouf said.

"Paying for this kind of information could have some implications. You end up getting people who aren't necessarily experts in the field trying to find something and sell it to the highest bidder. Once you start this, unless there's a strict process in place to manage it, you may end up with more problems for everyone," Raouf added.

A spokeswoman for Microsoft said the company has never paid for information on product bugs from private individuals. "We credit finders who report vulnerabilities under responsible disclosure and, from time to time, [we have] contracted security research companies to review code for products under development," the spokeswoman said.

From isn at c4i.org Fri Mar 4 05:09:56 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 4 05:17:40 2005
Subject: [ISN] OMB: IT systems security at highest level in three years
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/35225-1.html

By Jason Miller
GCN Staff
03/03/05

On the heels of another poor showing in the annual congressional cybersecurity report card, the Office of Management and Budget earlier this week touted agency systems' security as being stronger than ever.

In the fiscal 2004 Federal Information Security Management Act report sent to Congress, the administration said 77 percent of 8,623 systems were certified and accredited as safe, and agencies tested their management, operation and technical controls of 76 percent of their applications. These are improvements from the 2003 report, where agencies reported 62 percent of 7,998 systems as secure and found 64 percent had tested their security controls.

Even with this progress, agencies still have not met OMB's goal of securing 80 percent of all systems. Last December, the administration upped the ante and required 90 percent of all systems certified and accredited by Sept. 30.

"The federal government has made significant progress in identifying and addressing its security weaknesses," OMB said in the report. "However, uneven implementation of security measures across the federal government leaves vulnerabilities to be corrected."

The House Committee on Government Reform gave governmentwide cybersecurity a D grade in its annual report card released last month [see GCN story]. [1]

OMB also found agencies made progress in other security-related areas. For instance, 85 percent of agencies met OMB's goal of building security costs into the overall price of the project, and tested contingency plans for 57 percent of all applications.

The administration said agencies need to improve their agencywide plans of action and milestones to improve security weaknesses and continue to develop their certification and accreditation processes. The departments of Defense, Health and Human Services, Homeland Security, Housing and Urban Development and the Small Business Administration did not have plans of actions and milestones approved by their respective inspectors general. The IGs of the departments of Commerce, Defense, Education, HHS, DHS, HUD and NASA also said the certification and accreditation processes were poor.

According to OMB, agencies need to improve their accuracy, timeliness and completeness of cybersecurity incident reports filed with DHS. In 2004, agencies reported 2,058 attacks to DHS' incident response center.

"Less than full reporting hampers the government's ability to know whether an incident is isolated at one agency or is part of a larger event, e.g., the widespread propagation of an Internet worm, and thus complicates and delays appropriate response such as distributing security patches or other compensating controls," OMB noted.

DHS is piloting software for automatic transmittal of incident data from agency systems. The application should improve the government's ability to protect systems and respond to attacks, OMB said.
[1] http://www.gcn.com/24_4/news/35141-1.html

From isn at c4i.org Fri Mar 4 05:10:05 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 4 05:17:42 2005
Subject: [ISN] No Patches Next Week, Promises Microsoft
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml;jsessionid=JAKJ3BMSRQX4YQSNDBCSKH0CJUMEKJVN?articleID=60405150

TechWeb News
March 3, 2005

Patchers can relax: on Thursday Microsoft announced that it won't release any new fixes to its operating systems or applications Tuesday, the next regularly scheduled date for its monthly security bulletins.

"On March 8th, 2005, the Microsoft Security Response Center is planning to release no new security bulletins," the Redmond, Wash.-based developer said on its Microsoft Security Bulletin Advance Notification Web site Thursday morning.

The Thursday prior to the second Tuesday of each month, Microsoft gives users a heads-up by disclosing the number of scheduled security bulletins, and the severity level of the most critical.

It's unusual for Microsoft not to release any security fixes; the last time that happened was December 2003, just months after the company instituted its monthly patching cycle.

From isn at c4i.org Mon Mar 7 06:02:29 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Mar 7 06:11:00 2005
Subject: [ISN] Hackers poison DNS
Message-ID:

http://www.theinquirer.net/?article=21621

By Nick Farrell
07 March 2005

HACKERS HAVE found a way of diverting interweb punters from famous websites to dodgy URLs where they are plied with spyware and adware.

Security outfit the Internet Storm Centre posted a warning about "DNS cache poisoning" on its website on Friday. It said that it had reports that this particular attack was redirecting traffic from google.com, ebay.com, and weather.com.

Basically the hackers are attacking a domain name server and poisoning its cache by planting counterfeit records in it, so that the server answers lookups for the targeted names with the attacker's addresses instead of the real ones. However, all might not be doom and gloom.
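What "planting counterfeit data in the cache" looks like, as an added example that is not part of the Inquirer article or of the Internet Storm Centre's advisory: a toy resolver cache that trusts every record in a reply, and so lets a reply about an attacker-controlled name overwrite its google.com entry; the bailiwick check that rejects records outside the answering server's zone; and the cross-resolver comparison a practitioner can use to find a poisoned cache. Zone names, addresses and resolver answers are constructed (RFC 5737 documentation ranges), and the one-reply-at-a-time model leaves out transaction-ID guessing and the other details of real attacks.

```python
"""Toy model of DNS cache poisoning and two checks against it.

Added example; not code from the Inquirer article or from the Internet
Storm Center. Zone names, addresses and resolver answers are constructed
for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class RR:
    """One resource record: owner name, type and data."""
    name: str
    rtype: str
    rdata: str


@dataclass
class Response:
    """A DNS reply as a cache sees it: the question it answers, the zone the
    answering server is authoritative for (its bailiwick), and the records
    carried in the answer and additional sections."""
    qname: str
    zone: str
    answer: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or lies below it. The comparison is on
    whole labels, so notexample.net is NOT inside example.net."""
    name = name.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    if zone == ".":          # the root zone covers every name
        return True
    return name == zone or name.endswith("." + zone)


def cache_response(cache: Dict[Tuple[str, str], str], resp: Response,
                   bailiwick_check: bool) -> List[RR]:
    """Store the records of `resp` in `cache`, keyed by (name, type).

    bailiwick_check=False models a naive cache that trusts every record in
    a reply, additional section included. That is what the attacker needs:
    a reply about a name they control carries a forged google.com record,
    and the cache overwrites the real one with it.
    bailiwick_check=True drops any record whose owner name is outside the
    zone of the server that answered, so the forged record never lands.
    Returns the records that were accepted."""
    accepted = []
    for rr in resp.answer + resp.additional:
        if bailiwick_check and not in_bailiwick(rr.name, resp.zone):
            continue
        cache[(rr.name.lower(), rr.rtype)] = rr.rdata
        accepted.append(rr)
    return accepted


def poisoning_demo(bailiwick_check: bool) -> Dict[Tuple[str, str], str]:
    """Plant a counterfeit google.com record through the additional section
    of a reply for an attacker-controlled name; return the resulting cache."""
    cache = {("google.com.", "A"): "192.0.2.10"}   # legitimate, already cached
    forged = Response(
        qname="www.attacker.example.", zone="attacker.example.",
        answer=[RR("www.attacker.example.", "A", "198.51.100.7")],
        # out-of-bailiwick record smuggled in as if it were glue
        additional=[RR("google.com.", "A", "198.51.100.7")],
    )
    cache_response(cache, forged, bailiwick_check)
    return cache


def suspect_resolvers(answers: Dict[str, Set[str]], authoritative: Set[str]) -> List[str]:
    """Return the resolvers whose answer set for a name shares no address
    with what the zone's authoritative servers return. Large sites hand out
    different addresses per query, so compare sets, and treat a hit as a
    lead to verify against the site's published ranges, not as proof."""
    return sorted(r for r, addrs in answers.items() if not addrs & authoritative)


# Constructed answers for one name from several caches, plus a direct query
# to the authoritative servers; the last cache returns the attacker's host.
AUTHORITATIVE = {"192.0.2.10", "192.0.2.11"}
CACHE_ANSWERS = {
    "corp-resolver": {"192.0.2.11"},
    "isp-resolver": {"192.0.2.10", "192.0.2.11"},
    "branch-firewall-cache": {"198.51.100.7"},
}

if __name__ == "__main__":
    print("naive cache    :", poisoning_demo(bailiwick_check=False)[("google.com.", "A")])
    print("bailiwick check:", poisoning_demo(bailiwick_check=True)[("google.com.", "A")])
    print("suspect caches :", suspect_resolvers(CACHE_ANSWERS, AUTHORITATIVE))
```

To run the comparison against live resolvers, gather the inputs with `dig google.com A @<your caching resolver>` for each cache you want to check and `dig +norecurse google.com A @<one of the zone's NS hosts>` for the authoritative set, then feed the address sets to `suspect_resolvers`. A cache that answers with an address the authoritative servers never return, as the branch firewall does above, is the one to flush and investigate.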
Other security firms are also having a bit of difficulty confirming the attack. They spent all Friday hitting Google and eBay and can't find a poisoned DNS anywhere. It could be that the sites got better; however, it is more likely that the hack is localised to an enterprise or small internet service provider.

According to the Storm Centre, the DNS cache poisoning appears to be affecting Symantec firewalls with DNS caching. Some victims have told the Centre that they applied the patch, but were still affected. So this could be a different vulnerability, or the patch didn't work properly.

The ABX toolbar spyware is what gets loaded onto the machine when visiting the target servers. It uses an ActiveX control, so users running Windows XP SP2 or a web browser that does not support ActiveX will probably not get hit with the spyware if they visit the server. ABX is not detected yet by the normal toolset of spyware/antivirus tools.

From isn at c4i.org Mon Mar 7 06:02:44 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Mar 7 06:11:03 2005
Subject: [ISN] Limp Bizkit lead claims hackers stole his sex video
Message-ID:

http://www.theregister.co.uk/2005/03/04/fred_durst_suit/

By Ashlee Vance in San Francisco
4th March 2005

A lawsuit filed on behalf of Limp Bizkit lead singer Fred Durst alleges that the same people who hacked Paris Hilton's cell phone were able to pull a homemade sex video off Durst's computer.

The Smoking Gun has obtained part of Durst's complaint against various web sites that posted portions of Durst's sex romp with a former girlfriend. The document states that the US Secret Service has kicked off an "elaborate investigation" into the Hilton Hacking and Durst's home movie mess.

The singer, and apparent amateur filmmaker, is seeking up to $80m for having his privates put on the web without consent, according to The Smoking Gun.
Durst's sex clips started gaining attention shortly after the e-mails, photos and contacts from Paris Hilton's Sidekick appeared on the net.

Durst's lawsuit alleges that web site operators contacted him to ask about making a deal to sell his homemade sex video online. The lawsuit goes on to say that Durst declined to make such a deal, believing he had the lone copy of the video.

"The only copy of the Video was on the hard drive of Plaintiff's computer, and was subsequently stolen therefrom," the lawsuit says.

Durst is looking to have the video and still photos made from it removed from the web. More information is available here [1].

[1] http://www.thesmokinggun.com/archive/0304051durst1.html

From isn at c4i.org Mon Mar 7 06:03:12 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Mar 7 06:11:06 2005
Subject: [ISN] CSO Mag/U.S. Secret Service/CERT Coordination Center Need Your Help
Message-ID:

---------- Forwarded message ----------
Date: Fri, 04 Mar 2005 13:44:36 -0500
From: Richard Forno
To: Richard Forno
Subject: [infowarrior] - CSO Mag/U.S. Secret Service/CERT Coordination Center Need Your Help

CSO magazine is conducting a survey in cooperation with the U.S. Secret Service and CERT Coordination Center, the 2005 e-Crime Watch. The purpose of this project is to uncover electronic crime trends. We respectfully request your help in completing an online survey. Please be assured that any information you provide is confidential and your responses will be used only in combination with those of other survey respondents. This survey should take no more than 15 minutes of your time. Please click on the following url to begin the survey or copy and paste the url into your browser:

http://www.rresults.com/062865/index.cgi?l=3

Thank you in advance for your help.

Sincerely,

Walter Manninen
President
CSO magazine

W.
Ralph Basham
Director
United States Secret Service

Richard Pethia
Director
CERT Coordination Center

From isn at c4i.org Mon Mar 7 06:03:37 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Mar 7 06:11:08 2005
Subject: [ISN] 21st Annual Computer Security Applications Conference Call For Papers
Message-ID:

Forwarded from: ACSAC Announcement List

PDF version at http://www.acsac.org/2005/ACSAC_CFP.pdf

------------------- Call For Papers -------------------

21st Annual Computer Security Applications Conference
December 5-9, 2005
Tucson, Arizona
http://www.acsac.org

                    Submission Deadline   Acceptance Notification
Technical Track     May 29, 2005          Aug. 14, 2005
Tutorials           June 1, 2005          Jul. 15, 2005
Workshop            June 1, 2005          Jul. 15, 2005
Case Studies        June 15, 2005         Aug. 15, 2005
Technology Blitz    Sep. 9, 2005          Oct. 16, 2005
Works in Progress   Sep. 9, 2005          Oct. 2, 2005

See http://www.acsac.org/cfp for detailed submission information!

ACSAC is an internationally recognized forum where practitioners, researchers, and developers in information system security meet to learn and to exchange practical ideas and experiences. If you are developing practical solutions to problems relating to protecting commercial enterprises' or countries' information infrastructures, consider submitting your work to the Annual Computer Security Applications Conference, to be held December 2005 in Tucson, AZ.

We are soliciting submissions in a number of different categories:

o Technical Track: peer-reviewed papers
o Technology Blitz: cutting-edge technology presentations *NEW FEATURE*
o Case Studies: practical experience reports from applying security
o WIP: works in progress reports
o Tutorials: in-depth seminars on current security topics
o Workshop: on an up-to-date hot topic

We are especially interested in submissions that address the application of security technology, the implementation of systems, and lessons learned.
Some example topics are:

* Access control
* Applied cryptography
* Audit and audit reduction
* Biometrics
* Certification and accreditation
* Database security
* Denial of service protection
* Defensive information warfare
* Electronic commerce security
* Enterprise security
* Firewalls and other boundary control devices
* Forensics
* Identification and authentication
* Information survivability
* Insider threat protection
* Integrity
* Intellectual property rights protection
* Incident response planning
* Intrusion detection and event correlation
* Malware
* Middleware and distributed systems security
* Mobile and wireless security
* Modeling and simulation related to security
* Operating systems security
* Product evaluation criteria and compliance
* Privacy
* Risk/vulnerability assessment
* Security engineering and management
* Software assurance

Important submission information:

                    Submission Deadline   Acceptance Notification
Technical Track     May 29, 2005          Aug. 14, 2005
Tutorials           June 1, 2005          Jul. 15, 2005
Workshop            June 1, 2005          Jul. 15, 2005
Case Studies        June 15, 2005         Aug. 15, 2005
Technology Blitz    Sep. 9, 2005          Oct. 16, 2005
Works in Progress   Sep. 9, 2005          Oct. 2, 2005

See http://www.acsac.org/cfp for detailed submission information!

Program Committee (program_chair@acsac.org)

* Christoph Schuba, Sun Microsystems, Inc. (PC Chair)
* Charles Payne, Adventium Labs (PC Co-chair)
* Pierangela Samarati, University of Milan (PC Co-chair)
* Terry Benzel, USC - ISI
* Konstantin Beznosov, University of British Columbia
* Germano Caronni, Sun Microsystems, Inc.
* Ramaswamy Chandramouli, National Institute of Standards and Technology
* Marc Dacier, Eurecom Institute
* Ernesto Damiani, University of Milan
* Gary Ellison, InterTrust Technologies Corp.
* Dieter Gollmann, Technische Universitaet Hamburg-Harburg
* Steven J. Greenwald, Independent Consultant
* Wesley Higaki, Symantec Corporation
* Trent Jaeger, IBM T.J. Watson Research Center
* Tom Keefe, Oracle Corp.
* James Kempf, DoCoMo Labs USA
* Carl Landwehr, University of Maryland
* Peng Liu, Pennsylvania State University
* Tom Longstaff, Carnegie Mellon University
* Bryan Lyles, Telcordia Technologies
* Patrick McDaniel, Pennsylvania State University
* John McDermott, Naval Research Laboratory
* Paul Van Oorschot, Carleton University (Canada)
* Jong-Sou Park, Hankuk Aviation University
* Vern Paxson, International Computer Science Institute
* Andre dos Santos, Georgia Tech
* Sami Saydjari, Cyber Defense Agency, LLC
* Giovanni Vigna, University of California Santa Barbara
* Simon Wiseman, QinetiQ
* Diego Zamboni, IBM Zurich Research Laboratory

Case Studies (casestudies_chair@acsac.org)

* Steven Rome, Booz Allen Hamilton (Case Studies Chair)

The Case Studies Track is a complementary part of the technical conference. It is an opportunity for professionals to share information that is current without writing a detailed technical paper. It is open to anyone in the community such as vendors, network providers, systems integrators, government civil/federal/military programs or users across the spectrum of computer security applications.

Technology Blitz Committee (tbc_chair@acsac.org)

* Paul Jardetzky, Devicescape Software, Inc. (TBC Chair)
* Jeremy Epstein, webMethods
* LouAnna Notargiacomo, Mitre Corporation
* Timothy Roscoe, Intel Corporation
* Pierangela Samarati, University of Milan

In 2005 we are introducing a new type of session that we call the Technology Blitz session. In three parallel tracks, it will feature short talks (10 min. + 5 min. Q&A) on hot, up-to-date topics.

Works In Progress (wip_chair@acsac.org)

* Mary Ellen Zurko, IBM Software Group (WiP Chair)

The Works In Progress (WIP) session packs as many 5 minute presentations as it can into one fast paced and popular session. These talks highlight the most current work in both business and academia, emphasizing goals and value add, accomplishments to date, and future plans.
Special consideration is given to topics that discuss real life security experience, including system implementation, deployment, and lessons learned.

Tutorials (tutorial_chair@acsac.org)

* Daniel Faigin, The Aerospace Corporation, USA (Tutorials Chair)

Tutorials are full (6 hour) or half (3 hour) day classes on how to apply or use a particular technology to address a security need. A typical tutorial submission includes an abstract of the tutorial, a brief (1-2 page) outline, an instructor bio, an indication of length, and notes on prerequisites and textbooks. Tutorial instructors receive an honorarium and expenses. If you would like to indicate a topic you would like to see, you may do that as well; please suggest an instructor if you can.

Workshop (workshop_chair@acsac.org)

* Harvey Rubinovitz, Mitre Corporation (Workshop Chair)

ACSAC workshops are on up-to-date topics that attendees consistently rate as providing a useful and exciting forum for information technology professionals (e.g., standards developers, software developers, security engineers, security officers) to exchange ideas, concerns, and opinions.

---------------------------------------------------------------------------

Conferenceship Program

ACSAC offers a conferenceship program to enable students to attend the Annual Computer Security Applications Conference. This program will pay for the conference and tutorial expenses, including travel, for selected students. Additional information about this program is available on the Student Awards page or you may contact the Student Papers Chair.

Future Updates: To be added to the Annual Computer Security Applications Conference Mailing List, click here.

---------------------------------------------------------------------------

ACSAC does not accept "speaking proposals" in the form of a biography and a one paragraph description of a topic. Depending on a proposal's technical content, it may be acceptable as a case study.
If a full paper is available, it may be acceptable as a technical paper. If a presentation by a group of related speakers is contemplated, a proposal for this session may be acceptable as a panel or forum. If a proposal for a half day or full day seminar is appropriate, it may be acceptable as a tutorial. If a one or two page technical writeup is available that describes work that is not yet completed, it may be acceptable as a works in progress. Finally, if you have an interest in a full day interactive dialogue, exchanging ideas, opinions and concerns between multiple presenters and attendees, consider being a workshop presenter.

For More Information see hyperlinks on http://www.acsac.org

* For general conference information, see the menu at left
* For refereed papers information: see our paper submission page
* For technology blitz information: see our paper submission page
* For case studies information: see our case studies page
* For publicity information: contact the Publicity Chair
* For student paper/award information: see our student awards page
* For tutorial information: see our tutorial page
* For works in progress information: see our works in progress page
* For the issues workshop: see our issues workshop page

About the Sponsor

Applied Computer Security Associates (ACSA) had its genesis in the first Aerospace Computer Security Applications Conference in 1985. That conference was a success and evolved into the Annual Computer Security Applications Conference (ACSAC). Several years ago the word "Aerospace" was dropped from the name to promote a wider range of government and commercial applications. ACSA was incorporated in 1987 as a non-profit association of computer security professionals who have a common goal of improving the understanding, theory, and practice of computer security. ACSA continues to be the primary sponsor of the annual conference. In 1989, ACSA began the Distinguished Lecture Series at the annual conference.
Each year, an outstanding computer security professional is invited to present a lecture of current topical interest to the security community. In 1991, ACSA began a Best-Paper by a Student Award, presented at the Annual conference. This award is intended to encourage active student participation in the annual conference. The award winning student author receives an honorarium and all expenses to the conference.

ACSA continues to be committed to serving the security community by finding additional approaches for encouraging and facilitating dialogue and technical interchange. ACSA is always interested in suggestions from interested professionals and computer security professional organizations on how to achieve these goals.

You are receiving this notice because you joined the ACSAC email notification list at http://www.acsac.org/join_ml.html. You can unsubscribe there if you wish.

You can help ACSAC reach people who might benefit from this information. Feel free to forward this message with a personal note to your friends and colleagues. They can sign up at the above URL.

ACSAC is sponsored by Applied Computer Security Associates, a not-for-profit all-volunteer Maryland corporation. Our postal address is 2906 Covington Road, Silver Spring, MD 20910-1206.

From isn at c4i.org Mon Mar 7 06:03:50 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Mar 7 06:11:11 2005
Subject: [ISN] Linux Security Rough Around The Edges, But Improving
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml?articleID=60405086

By Larry Greenemeier
InformationWeek
March 3, 2005

The National Security Agency built a version of Linux with more security tools that its technologists believe could help make the country's computing infrastructure less vulnerable. They won over the Linux developer community with the changes. But its success depends on the adoption by U.S. companies and government agencies, something that remains very much in doubt.
For more than a decade, the National Security Agency has worked on a way to use a computer's operating system to control where software applications and their users can access data within IT environments. The agency succeeded years ago in creating such "mandatory access control" features for specialized operating systems, but very few users had the access or inclination to deploy them. Taking a gamble in 2000 on the emerging Linux operating system, NSA started applying its security approach to the open-source code. The result is its Security Enhanced Linux technology, which it hopes can raise the nation's overall level of cybersecurity.

"Quality of (software) code is crucial to the security of this nation," Dickie George, technical director of NSA's Information Assurance Directorate, said Thursday at an SELinux symposium. George added that the directorate's mission is to research and develop the technology and processes that industry can use to protect itself, and critical U.S. infrastructure, from cyberattacks.

NSA's faith in Linux is being rewarded in the Linux development community, at least. SELinux's mandatory access-control capabilities were included in version 2.6 of the kernel. With the mandatory access control, a Linux system can be partitioned into separate domains that contain any damage that viruses might cause. Debian, Novell, and Red Hat, three major distributors of the Linux operating system, have only recently released their own packages built on version 2.6 that allow customers to take advantage of some SELinux features.

Red Hat and Novell differ markedly, however, in their perception of SELinux's usefulness today. Red Hat is encouraging users to try SELinux capabilities, even though writing SELinux security policies in the current version is complex.
Red Hat's mid-February release of Red Hat Enterprise Linux 4, based upon the SELinux-friendly version 2.6 kernel, is an attempt to marry high-level security features with the basic operating system, says Donald Fischer, senior product manager for Red Hat Enterprise Linux. Red Hat users can use the Gnome 2.8 desktop included with Red Hat Enterprise Linux 4 to do limited configuration of SELinux.

Novell, however, believes SELinux is still too complicated for most users to implement. "It's not the technology itself [that's] the problem, but that it cannot be used to the full extent," says Chris Schlaeger, Novell's VP of research and development, adding that users need an easier way to describe their security needs, upon which the system could then execute. "It's a lot of work to do this today using SELinux," Schlaeger says.

Schlaeger acknowledges SELinux is an advancement in operating system-level security. "Novell isn't saying that SELinux is bad, but rather that more needs to be done," he says. For one, security must take into consideration more than operating-system-level security, he says. With application-level security, for example, companies can let the apps running on their servers perform tasks while preventing them from affecting other applications.

Still, support for the 2.6 Linux kernel by Linux's two most prominent providers, Red Hat and Novell, almost certainly will spread knowledge of SELinux. That will cast a spotlight on the technology's shortcomings, and likely lead to improvements that ultimately eliminate the need for companies and users to seek out highly secure, highly specialized operating systems.
From isn at c4i.org Mon Mar 7 06:04:02 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Mar 7 06:11:15 2005
Subject: [ISN] 'Good guys' show just how easy it is to steal ID
Message-ID:

http://seattlepi.nwsource.com/local/214663_googlehack05.html

By PAUL SHUKOVSKY
SEATTLE POST-INTELLIGENCER REPORTER
March 5, 2005

Teams of hackers surfed the Web at Seattle University yesterday, harvesting Social Security and credit card numbers like a farmer cutting wheat.

In less than an hour, they found millions of names, birth dates and numbers -- cyberburglar tools for the crime of identity theft -- using just one, familiar Internet search engine: Google.

But these were the good guys -- members of a somewhat secretive organization of computer security pros, forensic cybercops, prosecutors and federal agents called Agora. The group decided to lift the curtain of secrecy for a day to sound a warning about the dangers of "Google hacking."

It turns out that the powerful search engine, in the hands of a knowledgeable cybertrekker, can ferret out all kinds of sensitive information never meant to be made public. All it takes are sophisticated search terms. The terms go beyond specifying key words to include file types. The right terms can even find information deleted from corporate or government Web sites but temporarily cached in Google's massive warehouse of data.

Kirk Bailey, the city of Seattle's chief information-security officer, calls his Agora compatriots "the primary defenders of the virtual world in the Northwest." Before launching eight teams of hackers from companies such as Intel Corp. and computer-security consultants IOActive, Bailey declared that "our mission is to find answers on how to fix these problems."

The hacking team members sat crunched together at round tables, each one hunched intently over a laptop. Bailey gave them the go-ahead, and fingers started flying across keyboards.
"A little music to hack by," said IOActive consultant Frank Heidt, but he then turned off the audio and got down to business. "We're simulating an ID-theft ring," mumbled Heidt, who was focused on his screen as he entered a search term that, to the uninitiated, looked like nothing more than a jumble of meaningless letters. Moments later, Heidt bellowed out "Yes" as military credit card numbers filled his screen.

In the next chair, Akshay Aggarwal, also with IOActive, was grinning. "A million Social Security numbers of immigrants. Tax records. Addresses. What do you want?"

Around the room, hackers were compromising people's identities. They wouldn't even let the dead rest in peace. The Intel team found a Web site listing the names, birth dates, Social Security numbers, race and religion of 602 helicopter pilots who died in Vietnam. Another Intel team member came up with a Brazilian Web site that contained the names, credit card numbers, birth dates and home phone numbers of 388 Americans who appeared to have ordered pornographic movies online.

Bailey called the meeting to order to announce results of the contest. An ad-hoc group of lawyers and computer-security specialists won with 190 million points by digging up death certificates with Social Security numbers. But more ominously, by searching for personnel with secret clearances, the team found, in a U.S. Navy site, personal information on an expert in virology investigations and on a responder to nuclear emergencies. Two teams found information about people on terrorist watch lists. The IOActive team was the runner-up with almost 13 million points.

IOActive Chief Executive Officer Joshua Pennell pointed out that the problem is not with Google, but with corporate cultures with the attitude, "Nobody is going to find me, nobody cares what's on my computer." These companies allow Google to enter into the public portion of their networks, sometimes called the DMZ, and index all the information contained there.
Toby Kohlenberg, an information-security specialist with Intel, asserted that "Google doesn't need to be fixed. Companies need to understand that they are leaving themselves exposed" by posting sensitive information in public places. "If they're performing proper security, then their intranet shouldn't be vulnerable to a Google search engine."

From isn at c4i.org Mon Mar 7 06:04:26 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Mar 7 06:11:18 2005
Subject: [ISN] Linux Security Week - March 7th 2005
Message-ID:

+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| March 7th, 2005 Volume 6, Number 10n |
| |
| Editorial Team: Dave Wreski dave@linuxsecurity.com |
| Benjamin D. Thomas ben@linuxsecurity.com |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Firewalls' False Sense of Security," "Easy Automated Snapshot-Style Backups with Linux and Rsync," and "Why you should perform regular security audits."

---

>> Enterprise Security for the Small Business <<

Never before has a small business productivity solution been designed with such robust security features. Engineered with security as a main focus, the Guardian Digital Internet Productivity Suite is the cost-effective solution small businesses have been waiting for.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn07

---

LINUX ADVISORY WATCH

This week, advisories were released for mod_python, bsmtpd, gaim, bind, gnucash, dhcp, at vixie-cron, lam, pvm, radvd, selinux-targeted-policy, tcsh, openoffice, gamin, cmd5checkpw, uim, UnAce, MediaWiki, phpBB, phpWebSite, xli, xloadimage, firefox, squid, kdenetwork, nvidia, curl, uw-imap, and cyrus-sasl.
The distributors include Conectiva, Debian, Fedora, Gentoo, Red Hat, and SuSE.

http://www.linuxsecurity.com/content/view/118492/150/

---------------

Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, and is therefore very simple.

http://www.linuxsecurity.com/content/view/118181/49/

---

The Tao of Network Security Monitoring: Beyond Intrusion Detection

The Tao of Network Security Monitoring is one of the most comprehensive and up-to-date sources available on the subject. It gives an excellent introduction to information security and the importance of network security monitoring, offers hands-on examples of almost 30 open source network security tools, and includes information relevant to security managers through case studies, best practices, and recommendations on how to establish training programs for network security staff.

http://www.linuxsecurity.com/content/view/118106/49/

---

Encrypting Shell Scripts

Do you have scripts that contain sensitive information like passwords and you pretty much depend on file permissions to keep it secure? If so, then that type of security is good provided you keep your system secure and some user doesn't have a "ps -ef" loop running in an attempt to capture that sensitive info (though some applications mask passwords in "ps" output).

http://www.linuxsecurity.com/content/view/117920/49/

--------

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected.
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* Firewalls' False Sense of Security
1st, March, 2005

The Internet front door to almost every bank and financial services company in the world is guarded by two sets of firewalls defining a DMZ. Nearly every e-commerce site sits in a similar DMZ in what has become the de facto standard in Web security architecture. According to Sun Microsystems, "In today's tumultuous times, having a sound firewall/DMZ environment is your first line of defense against external threats." But I would argue that guarding the perimeter is lulling organizations into a false sense of security that results in ignoring the implementation of other security mechanisms in their applications and databases.

http://www.linuxsecurity.com/content/view/118458

* Firewall warns dealers of physical security threat
1st, March, 2005

Specialist distributor, Firewall Systems, is warning resellers to start thinking of security as a managed service or risk losing market share to physical security providers.

http://www.linuxsecurity.com/content/view/118460

* Where's the security leadership
4th, March, 2005

This year's RSA Conference was another opportunity for the security glitterati to shine.

http://www.linuxsecurity.com/content/view/118496

* How secure is your computer?
28th, February, 2005

StillSecure attached six computers - loaded with different versions of the Windows, Linux and Apple's Macintosh operating systems - earlier this month to the Internet without anti-virus software. The results show the Internet is a very rough place. Over the course of a week, the machines were scanned a total of 46,255 times by computers around the world that crawl the Web looking for vulnerabilities in operating systems.
http://www.linuxsecurity.com/content/view/118454

* Real Player under Attack
2nd, March, 2005

On Linux, RealPlayer 10 and the Helix Player are affected. No fixed versions are available for this. The Player for Symbian and PalmOS are not affected by the weak spots. RealNetworks classifies the security gaps as critical and recommends all users to install the available updates. Under Windows and Mac OS the update function of the Player can be used.

http://www.linuxsecurity.com/content/view/118465

* Two Sides of Vulnerability Scanning
28th, February, 2005

There are two approaches to network vulnerability scanning, active and passive. The active approach encompasses everything an organization does to foil system breaches, while the passive (or monitoring) approach entails all the ways the organization oversees system security. When making buying decisions for your organization, it's a mistake to think that you have to choose between the two types of protection.

http://www.linuxsecurity.com/content/view/118455

* Realistic SELinux
2nd, March, 2005

SElinux is an impressively designed but notoriously hard-to-configure set of kernel hooks that enforce Orange Book-style security on Linux. Full support for SELinux takes effort, but when I first heard about Fedora's new targeted policies for SELinux, I was willing to tell the Red Hat folks "thanks, but no thanks." A conversation with their Dan Walsh changed my mind.

http://www.linuxsecurity.com/content/view/118466

* Easy Automated Snapshot-Style Backups with Linux and Rsync
3rd, March, 2005

This document describes a method for generating automatic rotating "snapshot"-style backups on a Unix-based system, with specific examples drawn from the author's GNU/Linux experience. Snapshot backups are a feature of some high-end industrial file servers; they create the illusion of multiple, full backups per day without the space or processing overhead.
All of the snapshots are read-only, and are accessible directly by users as special system directories.

http://www.linuxsecurity.com/content/view/118482

* Linux Security Rough Around The Edges, But Improving
4th, March, 2005

The National Security Agency built a version of Linux with more security tools that its technologists believe could help make the country's computing infrastructure less vulnerable. They won over the Linux developer community with the changes. But its success depends on the adoption by U.S. companies and government agencies, something that remains very much in doubt.

http://www.linuxsecurity.com/content/view/118494

* Opera Targets Browser Vulnerability
1st, March, 2005

Taking a cue from Firefox and others, software developer Opera is updating the latest iteration of its Web browser to combat phishing attacks that take advantage of a domain name vulnerability. To address the emerging Internationalized Domain Names (IDN) issue, the second Beta version of the Opera browser displays localized domain names from certain top level domains (TLD). It selects TLDs that have stringent policies on the domain names they register. The Norwegian firm said it will update its list of trusted TLDs on a regular basis to further protect users.

http://www.linuxsecurity.com/content/view/118457

* French Ministry of Education and Research and Mandrakesoft
2nd, March, 2005

Mandrakelinux products cover needs from the desktop (with the PowerPack) to critical infrastructure functions (with the Multi Network Firewall). The Multi Network Firewall operating system is able to control access to both an organisation's private intranet and the public internet. Mandrakesoft products are part of the software library which has been selected to modernize the infrastructure of France's education system. As well as the applications themselves, Mandrakesoft will deliver technical support and training to staff.
http://www.linuxsecurity.com/content/view/118471

* Computer Security 101
1st, March, 2005

This sort of basic firewall has some issues that can be exploited by hackers and malicious programmers to sneak through, which is why there are more advanced firewall systems. I mentioned that with this sort of port blocking, communications in response to connections initiated by your computer would be allowed through even on ports you were blocking. Using this knowledge, a hacker can forge the packet to make it look like it is a reply rather than an initiation of a connection and the firewall will allow it through.

http://www.linuxsecurity.com/content/view/118459

* Why you should perform regular security audits
2nd, March, 2005

In less than a decade, Internet security has evolved from an almost esoteric topic to become one of the more important facets of modern computing. And yet it's a rarity to find companies that actually consider information security to be an important job function for all workers--and not just the IT department's problem.

http://www.linuxsecurity.com/content/view/118468

* Linux starts to take a more central IT role
3rd, March, 2005

"It's as deep as it will get for us. It's what we're betting the data center on," said Jon Fraley, a Linux administrator at Glen Raven. In December, the Glen Raven, North Carolina-based textile manufacturer finished moving mission-critical Oracle databases from an aging 24-CPU Hewlett-Packard server running Unix to four-way HP servers that are based on Intel Xeon processors and run Red Hat's Linux distribution.

http://www.linuxsecurity.com/content/view/118473

* Security market "worth $5.5bn by 2008"
4th, March, 2005

The security software and appliance market rose by 30 per cent last year and is predicted to be worth $5.5billion worldwide by 2008 according to a new report.
http://www.linuxsecurity.com/content/view/118495

* Managed Security Service Expands Compliance Capabilities
3rd, March, 2005

"RES' Information Security and Threat Management solution provides a perfect blend of best practices and industry standards that our enterprise customers need to comply with growing regulatory requirements," said Douglas Adams, RES vice president of sales and marketing. "RES is committed to providing the most innovative managed services designed to meet the quality-of-service demands of our Fortune 500 and Fortune 1000 enterprise customers."

http://www.linuxsecurity.com/content/view/118475

* Find wireless rogues without sensors
3rd, March, 2005

I finally settled on a strategy for wireless security. As wireless access points began appearing on our company's network, we configured them with Cisco's Lightweight Extensible Access Protocol (read my previous article, Migrate WLANs away from Cisco's LEAP). LEAP forces users to authenticate to the access point with their enterprise credentials - the same credentials used for virtual private network access, as well as services such as payroll and Microsoft Exchange e-mail. That's because we use a centralised directory that ties into most of our core applications and lets employees use a single password to sign on.

http://www.linuxsecurity.com/content/view/118474

------------------------------------------------------------------------

Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
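The "Computer Security 101" item above describes why a filter that recognises "replies" by the ACK bit alone can be fooled, and why connection tracking fixes it. The following is an added simulation, not code from the newsletter or the linked article; the host addresses, ports and packets are constructed for the demonstration.

```python
"""Stateless (flag-based) vs stateful (connection-tracking) inbound filtering.

Added illustration of the weakness described in the newsletter item: a basic
port blocker lets anything that *looks like* a reply (ACK set) through, so a
forged ACK-only packet reaches a port the filter is supposed to close. A
connection-tracking filter only admits packets that answer a connection the
inside host actually opened. All addresses and packets are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

INSIDE_HOST = "10.0.0.5"  # constructed: the protected machine


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]  # TCP flag names present, e.g. {"SYN", "ACK"}


def stateless_allows(pkt: Packet) -> bool:
    """Basic port blocker: drop unsolicited inbound connections, but let
    'replies' in so that connections the inside host opened keep working.
    It decides 'reply' from the ACK bit only and never checks that a
    matching outbound connection exists."""
    if pkt.dst != INSIDE_HOST:
        return True  # outbound traffic is not filtered
    return "ACK" in pkt.flags  # a forged ACK-only packet passes here


class StatefulFilter:
    """Connection-tracking filter: records connections the inside host
    initiates and admits inbound packets only when they belong to one."""

    def __init__(self) -> None:
        # (inside_ip, inside_port, remote_ip, remote_port)
        self.conns: Set[Tuple[str, int, str, int]] = set()

    def allows(self, pkt: Packet) -> bool:
        if pkt.src == INSIDE_HOST:
            # Outbound connection attempt: remember it, then let it out.
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: allowed only if it is the reverse of a tracked connection.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns


def run_scenario() -> Dict[str, Tuple[bool, bool]]:
    """Return {case: (stateless_verdict, stateful_verdict)} for three
    constructed packets: a legitimate reply, a forged 'reply', and an
    unsolicited SYN."""
    web = "203.0.113.10"       # constructed: a web server the host visits
    attacker = "198.51.100.7"  # constructed: an outside sender
    stateful = StatefulFilter()

    # The inside host opens a connection to the web server (port 80).
    outbound = Packet(INSIDE_HOST, 50000, web, 80, frozenset({"SYN"}))
    stateless_allows(outbound)
    stateful.allows(outbound)

    legit_reply = Packet(web, 80, INSIDE_HOST, 50000, frozenset({"SYN", "ACK"}))
    forged_ack = Packet(attacker, 1234, INSIDE_HOST, 445, frozenset({"ACK"}))
    unsolicited = Packet(attacker, 1234, INSIDE_HOST, 445, frozenset({"SYN"}))

    return {
        "legit_reply": (stateless_allows(legit_reply), stateful.allows(legit_reply)),
        "forged_ack": (stateless_allows(forged_ack), stateful.allows(forged_ack)),
        "unsolicited_syn": (stateless_allows(unsolicited), stateful.allows(unsolicited)),
    }


if __name__ == "__main__":
    for case, (stateless, stateful) in run_scenario().items():
        print(f"{case:16s} stateless={'ALLOW' if stateless else 'DROP':5s} "
              f"stateful={'ALLOW' if stateful else 'DROP'}")
```

The forged ACK packet is the only case where the two filters disagree: the flag-based filter admits it, the connection-tracking filter drops it because no matching outbound connection was ever recorded.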
------------------------------------------------------------------------

From isn at c4i.org Tue Mar 8 02:19:19 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 8 02:28:21 2005
Subject: [ISN] NSPW 2005 Call for Papers: Submission Date Changed
Message-ID:

Forwarded from: Abe Singer

FOR IMMEDIATE RELEASE
----------

The submission and notification dates for the 2005 New Security Paradigms Workshop have been changed. The new dates are:

Submission Deadline: Monday, April 18, 2005
Notification Date: Monday, June 13, 2005

The complete Call for Papers and general information about NSPW can be found at http://www.nspw.org

From isn at c4i.org Tue Mar 8 02:19:31 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 8 02:28:23 2005
Subject: [ISN] Students to study Valley's vulnerability to hackers
Message-ID:

http://www.eastvalleytribune.com/index.php?sty=37537

EMILY BEHRENDT
March 7, 2005

The Tempe-based University of Advancing Technology will be "wardriving" around Valley neighborhoods this year. Although it sounds hostile, it's actually for the benefit of Valley residents.

Wardriving is a term for finding unsecured wireless access points, which are locations where an outsider could hack into a home computer system because the wireless signal extends beyond the walls of the house. Any laptop that comes in range of the signal would be able to connect to the home computers and potentially create all kinds of mischief, including identity theft or other Internet crimes.

Most people who have wireless computer networks inside their homes are not even aware they are at risk, said Raymond Todd Blackwood, IT manager for the university.

The school's students have begun working on a research project to find home computers that are vulnerable and try to increase awareness of the problem in the community.

"What we are not doing is, we are not connecting at all," Blackwood said. "All we are doing is looking for those signals being broadcast."
For the project, the Valley has been split into four grids, with Central Avenue and Camelback Road dividing the quadrants. The students are responsible for covering their assigned area within four weeks, and their data are collected monthly. Their findings are then put into a database, and the unsecured access points are plotted on a map.

When the students wardrive, they use an IBM laptop running the Linux operating system, a program called Kismet and a global positioning system locator. The locator is a hand-held device that plugs into the laptop through a serial port and logs the specific coordinates. The students drive around neighborhoods, apartment complexes and business areas, and the Kismet program will tell them when a wireless frequency is present.

"This would kind of be equivalent to a person walking around and checking to make sure people's front doors are locked," Blackwood said.

During the first two weeks of the project, students discovered 16,000 unsecured access points, and they had only covered one third of the Valley. The students will collect the data every month for one year.

Once all the data are collected and logged, the school will determine the highest concentrations of unsecured wireless access points. They will then launch a campaign in those neighborhoods to educate people about the potential risks.

"We want to know how popular wireless is, and how much do people know about it," Blackwood said. "We are trying to provide clear, easy to understand information, and increase sophistication and awareness in the community."

Securing a network is simple. Under the network settings, there is a button to "enable wireless encryption protocol." Simply clicking that button will encrypt the signal and secure the network, Blackwood said. The default option leaves the network unsecured.
From isn at c4i.org Tue Mar 8 02:20:07 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 8 02:28:26 2005
Subject: [ISN] Terrorists targeted India's outsourcing industry
Message-ID:

http://www.nwfusion.com/news/2005/0307terrotarge.html

By John Ribeiro
IDG News Service
03/07/05

India's software and services outsourcing industry is a likely target for a terrorist group operating in the country, local police warned on Sunday. But Indian outsourcing and software companies said they are prepared to cope with the threat.

Documents seized from three members of the Lashkar-e-Toiba (LeT) terrorist group killed in an encounter with the police on Saturday revealed that they planned to carry out suicide attacks on software companies in Bangalore, Karnal Singh, joint commissioner of police in Delhi, told reporters on Sunday.

LeT is demanding independence for the Indian state of Jammu and Kashmir. The Indian government has claimed that LeT and other separatist groups are aided and abetted by neighboring Pakistan, which also occupies a part of the disputed territory of Kashmir.

"The terrorists planned to hit these companies in an effort to hinder the economic development of the country," Singh said.

Bangalore has a large concentration of Indian software outsourcing companies, and a number of multinational companies have software development and chip design facilities in the city. IBM, Intel, Texas Instruments, and Accenture are among those with operations in Bangalore. Two of India's largest software and IT services outsourcing companies, Wipro and Infosys Technologies, have their headquarters and large facilities in Bangalore. Bangalore also has some of India's key defense research and development organizations.
Most of the technology companies in the city have already set up disaster recovery plans and special disaster recovery sites that could be used in the event of a terrorist attack, according to Kiran Karnik, president of the National Association of Software and Service Companies in Delhi. For example, Infosys has a disaster recovery site in Mauritius.

Besides tight checks on physical entry into their facilities, Indian software companies have business continuity and disaster recovery plans in place to ensure that a terrorist attack does not disrupt their operations, Karnik said. Terrorism is a global problem and the threat in India is not greater than that in other countries, he said.

From isn at c4i.org Tue Mar 8 02:19:53 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 8 02:28:29 2005
Subject: [ISN] Hidden fraud risk in Sarbanes-Oxley?
Message-ID:

http://news.com.com/Hidden+fraud+risk+in+Sarbanes-Oxley/2100-1002_3-5602776.html

By Will Sturgeon
Special to CNET News.com
March 7, 2005

The complex and copious amounts of data stored on corporate networks post-Sarbanes-Oxley may be creating greater opportunities for fraud, analysts said. That's even though the law was a reaction to the corporate misdeeds that rocked Enron and WorldCom.

Peter Dorrington, head of fraud solutions at SAS, said that companies are storing vast amounts of data but giving little thought to what is being stored.

"There is just a lot of storage going on," Dorrington said. "But there is no interpretation of that data."

That situation could make the occasional instances of fraud or anomalous data far more difficult to spot, he said.

"Fraudsters are reliant upon their transaction being a tree hidden in a forest," Dorrington said. The vast amounts of data being stored as part of efforts to comply with the Sarbanes-Oxley Act are simply increasing the size and density of that forest, he said.

"The more data there is, the easier it is to hide," Dorrington said.

"There is little thought being given to whether companies should look to understand what is going on within that data."

Dorrington believes many companies think they are playing it safe by simply keeping everything, seeing it as the easiest way to ensure they keep the right things.

James Governor, an analyst at Red Monk, said: "Any company which simply stores everything is creating problems for themselves further down the line. Storing everything is just abdicating responsibility, rather than following policy and understanding what they should be storing."

Governor added that it may also be in breach of corporate policies which dictate certain data may only be kept on record for six or nine months. While such policies must be adhered to, they create a no-win situation, in which they also conflict with the retention requirements of other regulation such as Sarbanes-Oxley, he said.

"This is going to break a lot of corporate policy," he said.

Even if a fraud comes to light, the sheer volume of unnecessary data being stored in order to cover all bases means that companies are faced with the near-impossible task of wading through it all.

Governor said: "If we think of finding fraud as being a hunt for a needle in a haystack then what many, many companies are now doing is comparable to pouring on a lot more hay."

"This is a very significant problem," Governor added. "Rather than just spending more and more money on storage, it would make sense to invest a lot more money in working out exactly what companies need to store."

Shaun Fothergill, security strategist and compliance expert at Computer Associates, believes that, despite problems settling in, Sarbanes-Oxley will improve matters for businesses when implemented effectively. However, he warned that compliance may start to throw up even more instances of fraud.

Fothergill said: "Compliance and regulation is forcing the business of IT to do things right. So organizations will begin to measure and monitor more than they did before."

"This may actually give the impression that more fraud is occurring, when in fact organizations are just monitoring what they should have monitored in the first place," he said. "As the anomalies and fraud issues are corrected, the indicators of problems will be moved from red to amber then to green."

"These new indicators will initially highlight greater deficiency, when in fact the business and IT are just getting it right," Fothergill said.

Such confusion may be one reason why the Sarbanes-Oxley deadline for companies based in European countries has been put back a further year this week. Originally the controversial Section 404, which outlines the requirement to archive data, was to come into effect on July 15 this year.

However, Mark Strauch, chief operating officer of business alignment company Business Engine, warned: "The extension of the 404 deadline should not in any way be viewed by U.K. companies as a reason to postpone or sideline compliance projects in favor of other projects."

"The long-term potential for companies to credibly improve transparency within their organizations in line with section 404 should be seen as an opportunity to produce benefits in other areas, such as reducing risk by being able to see early on where problems lie, (and) thus deal with issues more effectively," he said.

Will Sturgeon of Silicon.com reported from London.

From isn at c4i.org Tue Mar 8 02:20:21 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 8 02:28:31 2005
Subject: [ISN] HITB2004 Videos of Speeches
Message-ID:

Forwarded from: Anthony Zboralski

Dear ISN readers,

http://video.hackinthebox.org

We are proud to announce the immediate availability of the Hack In The Box Security Conference 2004 videos [Pack-1 and Pack-2].
Held at The Westin Kuala Lumpur in Malaysia from October 4th till the 7th, HITBSecConf2004 saw some of the biggest names in the network security industry down to present their latest research and findings. HITBSecConf2004 was also the first time we had two keynote speakers, namely Theo de Raadt, creator and project leader for OpenBSD and OpenSSH, and John T. Draper, infamously known as Captain Crunch. Other speakers who presented include the grugq, Shreeraj Shah, Fyodor Yarochkin, Emmanuel Gadaix, Adam Gowdiak, Jose Nazario, Meder Kydyraliev and several others.

For a chance to catch up with some of the speakers who presented at last year's conference, those in the Asia Pacific region can head on over to Bellua Cyber Security 2005 taking place later this month in Jakarta, Indonesia. If you're in the Middle East or Europe, there's HITBSecConf2005 - Bahrain taking place from April 10th till the 13th in Manama, Bahrain.

See you guys there.

--
Bellua Cyber Security Asia 2005 - http://www.bellua.net
21-22 March - The Workshops - 23-24 March - The Conference
bcs2005@bellua.com - Phone: +62 21 391 8330 HP: +62 818 699 084

From isn at c4i.org Tue Mar 8 02:20:34 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 8 02:28:34 2005
Subject: [ISN] Scammers use Symantec, DNS holes to push adware
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,100248,00.html

By Paul Roberts
MARCH 07, 2005
IDG NEWS SERVICE

Online scam artists are manipulating the Internet's directory service and taking advantage of a hole in some Symantec Corp. products to trick Internet users into installing adware and other annoying programs on their computers, according to an Internet security monitoring organization.

Customers who use older versions of Symantec's Gateway Security Appliance and Enterprise Firewall are being hit by Domain Name System (DNS) "poisoning attacks."
Such attacks cause Web browsers pointed at popular Web sites such as Google.com, eBay.com and Weather.com to go to malicious Web pages that install unwanted programs, according to Johannes Ullrich, chief technology officer at the SANS Institute's Internet Storm Center (ISC). The attacks, which began on Thursday or Friday, may be one of the largest to use DNS poisoning, Ullrich said.

Symantec issued an emergency patch for the DNS poisoning hole on Friday. The company didn't immediately respond to requests for comment today.

The DNS is a global network of computers that translates requests for reader-friendly Web domains, such as www.computerworld.com, into the numeric IP addresses that machines on the Internet use to communicate.

In DNS poisoning attacks, malicious hackers take advantage of a feature that allows any DNS server that receives a request about the IP address of a Web domain to return information about the address of other Web domains. For example, a DNS server could respond to a request for the address of www.yahoo.com with information on the address of www.google.com or www.amazon.com, even if information on those domains wasn't requested. The updated addresses are stored by the requesting DNS server in a temporary listing, or cache, of Internet domains and used to respond to future requests.

In poisoning attacks, malicious hackers use a DNS server they control to send out erroneous addresses to other DNS servers. Internet users who rely on a poisoned DNS server to manage their Web surfing requests might find that entering the URL of a well-known Web site directs them to an unexpected or malicious Web page, Ullrich said.

Some Symantec products, such as the Enterprise Security Gateway, include a proxy that can be used as a DNS server for users on the network that the product protects. That DNS proxy is vulnerable to the DNS poisoning attack, Symantec said on its Web site.
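The defence against the behaviour just described is a bailiwick check: a caching resolver keeps only the records whose owner name falls inside the zone it was asking that server about, and discards the rest. The following is an added example, not code from the article, Symantec or ISC; the record tuples, zone names, TTLs and addresses are constructed, and records are modelled as plain tuples rather than DNS wire format.

```python
"""Bailiwick check for a caching resolver (constructed example).

A resolver that caches every record a response carries, including records
for names it never asked about, can be poisoned by any server it talks to.
Restricting the cache to records inside the zone being queried removes
that avenue. Wire-format parsing is deliberately left out; records are
modelled as plain tuples so the example runs stand-alone.
"""
import time
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Record:
    name: str    # owner name, e.g. "www.yahoo.com"
    rtype: str   # record type, e.g. "A" or "NS"
    data: str    # rdata, e.g. an IPv4 address
    ttl: int     # seconds the record may be cached


def _canon(name: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are stable."""
    return name.lower().rstrip(".")


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or a subdomain of it.

    The leading dot in the suffix test matters: "evilyahoo.com" must not
    count as being inside "yahoo.com".
    """
    n, z = _canon(name), _canon(zone)
    return n == z or n.endswith("." + z)


@dataclass
class Cache:
    # (canonical name, rtype) -> (rdata, absolute expiry time)
    entries: dict = field(default_factory=dict)

    def accept_response(self, zone: str, records, now=None):
        """Cache the in-bailiwick records of a response.

        `zone` is the zone the resolver contacted this server about; every
        record outside it is rejected and returned to the caller so it can
        be logged as a poisoning attempt.
        """
        now = time.time() if now is None else now
        rejected = []
        for rec in records:
            if in_bailiwick(rec.name, zone):
                self.entries[(_canon(rec.name), rec.rtype)] = (rec.data, now + rec.ttl)
            else:
                rejected.append(rec)
        return rejected

    def lookup(self, name: str, rtype: str, now=None):
        """Return cached rdata, or None when absent or expired."""
        now = time.time() if now is None else now
        hit = self.entries.get((_canon(name), rtype))
        if hit is None or hit[1] <= now:
            return None
        return hit[0]


# Constructed response resembling the poisoning described in the article:
# the answer we asked for, a legitimate glue record, and two unrelated
# names that an attacker-controlled server has appended.
POISONED_RESPONSE = [
    Record("www.yahoo.com", "A", "203.0.113.10", 300),
    Record("ns1.yahoo.com", "A", "203.0.113.53", 3600),
    Record("www.google.com", "A", "198.51.100.66", 86400),  # out of bailiwick
    Record("www.amazon.com", "A", "198.51.100.67", 86400),  # out of bailiwick
]


def demo(now: float = 1_000_000.0) -> dict:
    """Feed the constructed response to a fresh cache and report what stuck."""
    cache = Cache()
    rejected = cache.accept_response("yahoo.com", POISONED_RESPONSE, now=now)
    return {
        "rejected": [r.name for r in rejected],
        "yahoo": cache.lookup("www.yahoo.com", "A", now=now),
        "google": cache.lookup("www.google.com", "A", now=now),
        "yahoo_expired": cache.lookup("www.yahoo.com", "A", now=now + 301),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```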
Symantec's Enterprise Firewall Versions 7.04 and 8.0 for Microsoft Corp.'s Windows and Sun Microsystems Inc.'s Solaris have the DNS poisoning flaw, as do Versions 1.0 and 2.0 of the company's Gateway Security Appliance.

Internet users on some networks protected by the vulnerable Symantec products had requests for Web sites directed to attack Web pages that attempted to install the ABX tool bar, a search tool bar and spyware program that displays pop-up ads, Ullrich said.

The DNS poisoning attacks were easy to detect because Web sites involved in the attack don't mimic the sites that users were trying to reach, Ullrich said. However, DNS poisoning could be a potent tool for online identity thieves who could set up phishing Web sites that are identical to sites like Google.com or eBay.com but secretly capture user information, he said.

Some of those customers told ISC that they installed a patch that the company issued in June to fix a DNS cache-poisoning problem in many of the same products, but they were still susceptible to the latest DNS cache-poisoning attacks, according to information on the ISC Web site.

Ullrich said he doesn't believe that Symantec's customers are being targeted, just that they are susceptible to attacks that are being launched at a broad swath of DNS servers.

The ISC is collecting the Internet addresses of Web sites and DNS servers used in the attack and trying to have them shut down or blacklisted, ISC said. Symantec customers using one of the affected products are advised to install the most recent hotfixes from the company, Ullrich said.

From isn at c4i.org Tue Mar 8 02:23:36 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 8 02:28:36 2005
Subject: [ISN] Book Review: SPAM Kings (aka S*PAM _KiNgS)
Message-ID:

Forwarded from: Doctor Spook

Title: Spam Kings: The Real Story behind the High-Rolling Hucksters...
Author: Brian McWilliams
Pages: 256
Publisher: O'Reilly; 1 edition (September, 2004)
Reviewer: Dr. Spook
ISBN: 0-596-00732-9
Buy From Amazon: http://www.amazon.com/exec/obidos/ASIN/0596007329/c4iorg

This is the book for that gloomy afternoon. It is "The real story behind the high-rolling hucksters pushing PRON, PILL, and @*#?% Enlargements" (I wonder how many ISN readers will not see this review due to spam filtering).

Fascinating read on the world of SPAM, both the purveyors of such, and the crusaders against it. We meet Davis Wolfgang Hawke (formerly known as Andrew Britt Greenbaum), and watch his rise from Jewish Nazi (now there's a dichotomy) to millionaire spammer. We learn of the fight by front line warriors, and their constant uphill battle to save us from the onslaught.

This book is well-researched, and reads like the very best of detective fiction. Rush right out and buy a copy. Buy two, and give one to your Aunt Mabel as a gift.

-=-

Dr. Spook is a security researcher, currently employed in the defense industry, who prefers anonymity. The good doctor has associates in most TLAs, and in some security groups as well. When not absorbed with the latest debacles from a wide array of software and hardware vendors, Dr. Spook is amused by the interesting puzzles left in the works of such notables as Elias Ashmole and John Dee.

From isn at c4i.org Wed Mar 9 07:02:23 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 9 07:10:06 2005
Subject: [ISN] DSW Shoe Warehouse Reports Customer Data Theft
Message-ID:

http://www.washingtonpost.com/wp-dyn/articles/A17831-2005Mar8.html

By Jonathan Stempel
Reuters
March 8, 2005

Retail Ventures Inc. Tuesday announced the theft of credit card and purchase data of customers at 103 of its 175 DSW Shoe Warehouse stores and said some fraudulent activity has been conducted since the theft.

The theft is the latest reported instance in recent weeks in which customers' personal data was stolen or lost. Other companies to report such problems include Bank of America Corp. and ChoicePoint Inc., where the thefts involved thousands of individuals' data.

Columbus, Ohio-based Retail Ventures said customer data was stolen mainly over the past three months, though it was unable to say how many customers were affected. It said it discovered the theft late last week. Those who provided data via DSW's Web site were unaffected, the company said.

"Credit card companies have alerted us there is some fraudulent activity," said Julie Davis, the general counsel for Retail Ventures.

Davis said Retail Ventures believes a "hacker" conducted the theft, and that only the stolen credit card data put customers at the risk of fraudulent activity. She said an outside computer security firm is expected to conclude its investigation of the matter within two weeks and that the U.S. Secret Service is also investigating.

Customers who believe their data were stolen should call their banks, Davis told Reuters.

Retail Ventures is reviewing its technology systems and working with credit card companies and issuers to address the matter. It set up a hotline for customers with questions, at 1-800-314-0224.

Retail Ventures operates DSW stores in major U.S. metropolitan areas, as well as 26 Filene's Basement stores in the U.S. Northeast and 119 Value City department stores in mid-Atlantic, Midwest and Southeastern states. Filene's and Value City customers are unaffected, Davis said.

Retail Ventures reported aggregate sales of about $217 million at DSW for the three months ended Feb. 26.

Retail Ventures shares fell 6 cents to $7.30 on the New York Stock Exchange. It announced the theft after U.S. markets closed.
From isn at c4i.org Wed Mar 9 07:02:38 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 9 07:10:09 2005
Subject: [ISN] Group studies infrastructure security
Message-ID:

http://www.fcw.com/fcw/articles/2005/0307/web-scada-03-08-05.asp

By Dibya Sarkar
March 08, 2005

The Institute for Information Infrastructure Protection, a consortium of two dozen cybersecurity organizations charged with coordinating a national research and development program, last week began an $8.5 million, two-year research program for securing computer-based systems that control critical infrastructures, such as dams.

The federally funded consortium, known as I3P, will support basic research to understand supervisory control and data acquisition (SCADA) systems and produce technology products to mitigate any flaws in those systems. Such systems control vital critical infrastructures, such as electrical grids, oil refining plants and pipelines, and water treatment and distribution plants.

More experts are sounding an alarm that such systems are inherently vulnerable to any cyber attack and should be a top concern among public and private sector officials. The federal government in the last couple of years has increased research and development funds to find ways to protect such systems.

I3P will form a 10-member research team to identify SCADA vulnerabilities and interdependencies and develop metrics and models for assessment and management. It will work closely with the federal government to improve information sharing, communications about the systems and ensure that those who operate the systems adopt new technologies.

"SCADA vulnerabilities remain in deployed systems because of insecure network design and weaknesses in the host systems," said Ron Trellue, the team's leader and deputy director of the Information Systems Engineering Center at Sandia National Laboratory, in a press release.

"Research will focus on addressing this problem by developing tools to make current SCADA system configurations more secure, while in tandem performing basic research to develop inherently secure designs for the SCADA systems of the future."

The research team will consist of non-profit research groups such as the MITRE Corporation and SRI International; New York University; the Energy Department's Pacific Northwest National Laboratory; and several academic institutions including the University of Illinois at Urbana-Champaign, the Massachusetts Institute of Technology's Lincoln Laboratory, New York University, the University of Tulsa (Okla.), the University of Virginia, and Dartmouth College, which also manages the I3P.

The consortium, which was founded in September 2001, is also actively pursuing industry partnerships to help guide research and for technology transfer opportunities.

From isn at c4i.org Wed Mar 9 07:02:52 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 9 07:10:11 2005
Subject: [ISN] GSA assessing charge card contractors' security policies
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/35251-1.html

By Jason Miller
GCN Staff
03/08/05

Under pressure from lawmakers to ensure federal charge card data is secure, the General Services Administration will review the security policies of the four other SmartPay contractors after Bank of America revealed late last month that it lost the records of 1.2 million federal employees.

In a response to questions from Sen. Susan Collins, chairwoman of the Homeland Security and Governmental Affairs Committee, GSA administrator Stephen Perry said in a letter that the agency will ensure that Bank One of Wilmington, Del., Citibank of New York, Mellon Bank of Pittsburgh and US Bank of Minneapolis will "provide adequate protection for personal information of federal employees."
Collins, a Maine Republican, wrote a letter to GSA and Bank of America last week asking how both organizations would ensure federal data is better protected [See GCN story] [1].

GSA and the Defense Department also will conduct a joint risk assessment to review Bank of America security procedures, Perry said. Bank of America lost more than 900,000 Defense employees' information, DOD officials said.

GSA would not offer much detail on how it is conducting the review of SmartPay vendors or the joint risk assessment.

"GSA is taking all appropriate steps to ensure that SmartPay contractors maintain security policies consistent with current industry standards," said MaryAlice Johnson, an agency spokeswoman. "We expect these activities to continue in the coming weeks."

Johnson added that GSA still is developing the timetable to conduct the evaluations.

Bank of America also told GSA it has changed its method of handling SmartPay system back-up operations. Bank spokeswoman Alexandra Trower said the company does not comment on those procedures for security reasons.

"We are continually improving our processes and procedures for handling our customers' information," she said.

Bank of America also provided GSA with a list of names of the affected cardholders and is sending out a second letter to cardholders explaining how to obtain a free credit report and fraud alert.

[1] http://www.gcn.com/vol1_no1/daily-updates/35170-1.html

From isn at c4i.org Wed Mar 9 07:03:06 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 9 07:10:14 2005
Subject: [ISN] MIT says it won't admit hackers
Message-ID:

http://www.boston.com/business/articles/2005/03/09/mit_says_it_wont_admit_hackers/

By Robert Weisman
Globe Staff
March 9, 2005

The dean of MIT's Sloan School of Management yesterday said Sloan will join Harvard Business School in rejecting applications from prospective students who hacked into a website last week to learn whether they had been admitted before they were formally notified.
Stanford's Graduate School of Business, meanwhile, asked its own applicant-hackers to come forward and explain their actions, in a sign that the California school soon may take tougher action as well.

Thirty-two applicants apparently sought an early peek at the confidential data in their admission files at Sloan, while 41 files were targeted at Stanford and 119 at Harvard. Harvard on Monday became the second victimized business school to say outright it would not admit proven hackers. The first was Carnegie Mellon's Tepper School of Business, where one admission file was violated.

Those schools, along with Dartmouth's Tuck School of Business and Duke's Fuqua School of Business, all use an independent website run by ApplyYourself Inc. of Fairfax, Va., to receive applications and, in some cases, manage communications with applicants.

After midnight last Wednesday, hundreds of business school admission files were targeted by computers around the globe when a hacker posted detailed instructions on a BusinessWeek Online forum. Most of the hackers saw only blank screens, though some who accessed admission files at Harvard viewed preliminary decision information.

"Students who hacked the ApplyYourself website will be denied admission to Sloan," the school's dean, Richard L. Schmalensee, said in an interview yesterday after a team from Sloan met with representatives of ApplyYourself to learn what happened. Sloan used the website only to receive applications, using a separate in-house server to handle the admissions process, he said.

Schmalensee said he made his decision to reject the 32 applicants after seeing the directions posted by the hacker.

"The instructions are reasonably elaborate," he said. "You didn't need a degree in computer science, but this clearly involved effort. You couldn't do this casually without knowing you were doing something wrong. We've always taken ethics seriously, and this is a serious matter."
At the same time, Schmalensee said Sloan would allow rejected applicants to reapply in later years, though he said the hacking incident would continue to be a factor in the school's decision. ''We'll look at applicants next year," he said, ''but we'd want to see evidence that this was an aberration, that they have grown." Schmalensee said Sloan would consider appeals this year only if there were clear-cut extenuating circumstances; one example he cited was an applicant serving in Afghanistan turning over his ApplyYourself password to an irresponsible brother-in-law. As to why MIT's Sloan School waited nearly a week to take action, Schmalensee said school officials needed to confer with ApplyYourself representatives and understand the situation better. ''The fact that we took so long doesn't mean we don't take ethics seriously," he maintained. ''It means we take due process seriously as well." In Palo Alto, Calif., Stanford issued a statment from Derrick Bolton, assistant dean and director of MBA admissions, demanding explanations from the applicants whose files were targeted. ''Business schools teach students to make decisions and to be accountable for those decisions," Bolton said. ''We hope that the applicants who accessed their accounts might contact us to explain their behavior and to take ownership for their actions. We will take appropriate steps in the cases that warrant further scrutiny." ApplyYourself's software enables schools to know which files have been accessed but can't definitively identify the hacker. However, both Schmalensee and Kim B. Clark, the Harvard business dean, noted that applicants bear ultimate responsibility for their passwords even if they turned them over to third parties who did the hacking. Paul Danos, dean of Dartmouth's Tuck School, released a statement saying school officials continue to investigate and will meet on Friday to discuss their options. And at Duke's Fuqua School, where one file was hacked, associate dean James A. 
Gray said the applicant would be notified of a decision on March 18, the regular decision date for the school's current round of applicants. ''It would not be smart of him to be buying a Duke sweatshirt and renting an apartment in Durham," Gray said. ''It's not likely that he will need either." Robert Weisman can be reached at weisman @ globe.com. From isn at c4i.org Wed Mar 9 07:03:19 2005 From: isn at c4i.org (InfoSec News) Date: Wed Mar 9 07:10:17 2005 Subject: [ISN] Old-School DoS Attack Can Penetrate XP SP2 Message-ID: Forwarded from: Kelley http://www.eweek.com/article2/0,1759,1773958,00.asp By Ryan Naraine March 8, 2005 Microsoft Corp.'s newest operating systems can be penetrated by an old-school-type denial-of-service attack, according to a warning from a security researcher. In a SecurityFocus advisory, researcher Dejan Levaja warned that Windows Server 2003 and XP Service Pack 2 (with Windows Firewall turned off) could lead to LAND attacks. A LAND attack is a remote denial-of-service condition caused by sending a packet to a machine with the source host/port the same as the destination host/port. The LAND attack scenario was discussed in 1997 by Carnegie Mellon's CERT Coordination Center. Using widely available reverse-engineering tools, Levaja found that a single LAND packet sent to a file server could cause Windows Explorer to freeze on all workstations connected to that server. "CPU on server goes 100% [and] network monitor on the victim server sometimes can not even sniff malicious packet," Levaja warned. He said the script could be replayed endlessly to cause a total collapse of the network. A spokeswoman for Microsoft confirmed Levaja's findings but downplayed the risk to customers. "Our initial investigation has revealed that this reported vulnerability cannot be used by an attacker to run malicious software on a computer. 
At this point, our analysis indicates the impact of a successful attack would be to cause the computer to perform sluggishly for a short period of time," the spokeswoman said in a statement sent to eWEEK.com.

She said customers running the Windows Firewall, enabled by default on Windows XP SP2, are not impacted by this issue. Microsoft suggests that customers adopt TCP/IP hardening practices to protect against denial-of-service attacks.

In the absence of a patch from Microsoft, security research outfit Secunia recommends that affected users filter traffic with the same IP address as source and destination address.

From isn at c4i.org Wed Mar 9 07:03:42 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 9 07:10:19 2005
Subject: [ISN] Public Disservice
Message-ID:

http://www.baselinemag.com/article2/0,1397,1773861,00.asp

March 8, 2005

The Federal Bureau of Investigation has people problems. It can't find or retain the project managers and executives needed to implement one of its most important technology projects since Sept. 11, 2001.

That's the upshot of FBI Director Robert Mueller's testimony before a Senate appropriations subcommittee on Feb. 3. Mueller was on Capitol Hill to explain why the FBI has blown through $170 million and still doesn't have a virtual case file system in place. The virtual case file, the third leg of a technology overhaul dubbed Trilogy, is a case management system that would allow agents to share information more easily.

The FBI failed to outline requirements of the virtual case file system, inked a costly contract with Science Applications International Corp.
(SAIC) in June 2001, and missed a December 2003 deadline to install the case system.

At the heart of these issues: people. "We lacked skill sets in our personnel such as qualified software engineering, program management and contract management," Mueller said in his testimony. "We also experienced a high turnover in Trilogy program managers and chief information officers."

At least Mueller has company. The tenure of a federal agency chief information officer averages 23 months, reports the U.S. Government Accountability Office. The FBI has had four CIOs since Sept. 11, 2001.

A bevy of reasons prevent the federal government from getting, and keeping, technology executives. Federal government executives inherit budgets set years prior in political negotiations. Projects are under the microscope of the director and inspector general of the agency, the Office of Management and Budget and Congress, among other masters. Meanwhile, the CIO position is increasingly political as technology meets policy. For instance, merging information systems of the 22 agencies in the Department of Homeland Security is a direct result of a post-9/11 policy decision. President Bush appointed Steven Cooper from Corning as the CIO to do the job.

"These are very hard, high-risk jobs," says John Marshall, former CIO of the U.S. Agency for International Development and now a vice president at consulting firm CGI-AMS. "You're there to transform businesses, you have to work across other groups, it's tough to manage and compensation is generally lower than in the private sector."

Help Wanted: Chief Technical Officer for Information Technology, Defense Intelligence Agency. Location: US-DC, Washington, 20001. Salary range: $107,550 to $149,200. As Chief Technical Officer for Information Technology (CTO) the incumbent will play a pivotal role in providing technical and operational advice on infrastructure and intelligence community Information Technology (IT) endeavors ...
May be subject to worldwide deployments to crisis situations. Source: www.usajobs.gov

When that CTO is hired by the Defense Intelligence Agency, the 23-month clock will start ticking. But 23 months is hardly enough time to get anything done. According to the GAO, CIOs say they needed to stay in office three to five years to be effective.

Bottom line: A multiyear project can outrun a technology executive's tenure. Take the FBI's Trilogy project. Former FBI CIO Bob Dies joined in July 2000 and left after two years. Dies signed an initial contract with SAIC, which was based on hours worked and didn't outline specifications of the virtual case file project. Darwin John took over in July 2002, upgraded the FBI's hardware and network in the first leg of the Trilogy effort, and retired a year later. Wilson Lowry, former executive assistant director for administration at the FBI, served as interim CIO. Current CIO Zalmai Azmi took over on an interim basis before being officially appointed as CIO in May 2004. It's now up to Azmi to implement the virtual case file.

Mueller says Trilogy suffered as the search for John's replacement dragged. "I went on a nationwide search that took eight to 12 months," he said. "There was a gap of leadership at the CIO position. That hurt us."

Help Wanted: Chief Architect for Business and Technology Modernization, U.S. Department of Housing and Urban Development. The Chief Architect for Business and Technology Modernization serves as the Department's technical expert on modernizing business processes and systems. (This ad ends 2,416 words later.)

Of those 2,416 words describing the job and desired leadership characteristics and personality traits, HUD left out political skills. Alan Balutis, former Department of Commerce CIO and president of government strategies at research firm Input, says "there has been a tendency to make the CIO position more political."
When Balutis left for the private sector in 1999, he focused primarily on technology management. Today, the CIO position is critical to reinventing agencies. "The CIO needs a seat at the policy table and needs the same access," Balutis points out. "If he or she is an outsider politically, will the access be there?"

Simply put, it helps if the CIO has access to policy makers when they make decisions affecting information systems. And the best way to be in that club is to be appointed by President Bush.

Marshall, who was appointed by Bush as CIO of USAID in 2001 and left for CGI-AMS in December 2004, says that until recently, chief information officers were "career" executives who would keep projects going as administrations changed. Now there are two types of technology executives: career managers focused on daily operations, and CIOs who are political appointees.

For instance, Marshall had regular access to Andrew Natsios, administrator for USAID, to figure out how technology fits into specific Bush initiatives abroad. One key part of meeting those initiatives was a financial management and purchasing system. When Marshall arrived at USAID, the agency had spent $100 million on a homegrown financial management and acquisition system plagued by buggy code and missed deadlines. USAID, which designed the system to link 70 to 80 of its missions worldwide, scrapped the homegrown system to use packaged software from AMS to cut costs and speed up implementation.

Marshall isn't sure if being a political appointee helped the project, but all those meetings with Natsios meant deputies responsible for the project day-to-day didn't have to do it. When CIOs leave, a deputy often fills the void on an interim basis. "If you're an operational guy and you have to interface with policy people, you get stretched," he says.

Help Wanted: Associate Chief Information Officer for Cyber Security, Department of the Treasury. The incumbent is the head of U.S.
Treasury Cyber Security Program and is fully responsible for accomplishing the cyber security program objectives.

And then there's the budget process where agencies tell contractors to slow their pace to save money as Congress and the White House bicker for dollars. At the Commerce Department, Balutis could shift up to 5% of his budget in and out of projects. If the funds in question exceeded that 5% mark, Balutis had to ask a Senate appropriations committee for more money. And if all else failed, a new budget could be requested with additional legislation.

During Balutis' tenure, funding for the 2000 census was in flux. Balutis had to build systems to gather population data and finish two years early for testing. Planning started in 1995, but Congress usually isn't interested in funding something five years away. "It's hard to run multiyear projects when money is doled out year to year," Balutis explains. "The biggest difficulty is that you do a plan and then all of a sudden you're $50 million short."

From isn at c4i.org Thu Mar 10 04:03:53 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Mar 10 04:25:14 2005
Subject: [ISN] Public Disservice
Message-ID:

Forwarded from: matthew patton

> "It's hard to run multiyear projects when money is doled out year to
> year," Balutis explains. "The biggest difficulty is that you do a
> plan and then all of a sudden you're $50 million short."

I was intimately involved in the annual DoD budgeting process as a USAF officer at the Pentagon and have to agree that maybe it's time to put the budget on a 3-year cycle instead of an annual one. Congress turns over staff every 2 years, the Prez every 4, so maybe 3 years makes sense?

Obviously when things are as politicized as they are and Washington has millions of self-serving bureaucrats and contractors feeding at the gov't trough without regard for the fact that it's the people's money they are playing with, fraud and waste are ubiquitous.
Almost never do the best and brightest fill gov't posts, so the quality of management is always poor - the ability to kiss the right asses is what makes for a successful administrator. Having to fight political wars to keep the money rolling in for a long-term project distracts from the management thereof and lowers the worker-bees' interest in doing a decent job in the first place.

It's all fine and good for the FBI to lay some or a large share of the blame at the ex-CIOs' doors, and indeed the FBI was grossly lacking in basic project management skill. I worked for SAIC on Virtual Case File too. Thing is, VCF was a multi-year project and it was funded as such. No, the ink wasn't technically dry on every year's congress-critter allocation, but there was almost no doubt about it being funded year over year.

As convenient as it is to blame the FBI for VCF's failure, the blame more squarely belongs on SAIC's shoulders. Even if the FBI had the best project managers the world has to offer, bad design, poor programming skill, and an attitude of "make-work" on the part of SAIC is why VCF was such a boondoggle. Good FBI project managers cannot eliminate the problem with SAIC's failure to manage their own people.

VCF didn't fail for lack of specifications. I've personally read all 3+ inches of program specifications that the FBI and SAIC signed off on. Unfortunately, the people who wrote the specs on both sides and those who read and blessed them weren't very smart nor frankly very good at their jobs. Page after page of stupid and inane things were specified which would only hamper and interfere with the product. Like other naive specification documents that plague IT efforts, it frequently tried to dictate the 'how' instead of the 'what'. SAIC failed to examine and study how the field agents actually worked in real life and take into consideration how much VCF deviated from that daily practice. FBI agents aren't geeks.
Yet geeks design things only geeks can love and then wonder why the rest of the world thinks they're nuts. SAIC's data-analysis team was poor too, making all kinds of mistakes in entity relationships and failing to think through the product enough to spot some of the traps they were setting for themselves. I plastered their data-diagram with stickies pointing out their errors.

When a contract operates on a cost and materials basis, which is what VCF was, then it's open season on the budget and accountability goes out the window unless you've got some SERIOUSLY good managers on the gov't side. The contractor has absolutely no economic incentive to do well or act responsibly. When I was on the project SAIC had 200+ people, most of them programmers doing practically no work. There was a lot of water-cooler angst over the C programmers getting let go in favor of the Java ones because maybe management had changed their mind about which language to use. There was a whole pizza party/pep rally one day to settle the nerves. Programmers are not cheap, and idle ones less so. Yet the FBI was paying probably at least 1.5x their salary (the general DC cost multiplier) to produce nothing. And this is a full year into VCF!

Given the immature status of VCF in August of 2002, the SAIC team should have been about 2 dozen people at the most. A dozen bright engineers of varying disciplines needed to get locked in a room, slide in the coke and pizza, until they figured out all or at least most of the angles before the minions are recruited to sling code as needed. SAIC didn't have 2 dozen bright engineers and they hired the minions many, many months before the project was even sketched out. Instead they were trying out different GUIs and button colors, icon screen placement and trying to get the FBI to sign off on it without having any notion of what they were supposed to accomplish.
IT systems in general, and in particular ones of the scale and varied clientele that the FBI represents, require many iterations before getting reasonably close to a workable model. Iterations are cheap when it's pretty much all on paper and only costing the salaries of 20-odd people. But those kinds of numbers don't impress superiors who are looking for profit. Superiors want to see head-count. They want to see lots of zeros in a row on the monthly invoice. After all, if there is 50 million in the pot they damn well want every last penny. 20 guys spending weeks or months laying and relaying the groundwork isn't likely to suck up even a tenth of that. And what of the FBI who asked for 50mil and so far has only spent 10? Congress is going to come right back at them the following year and say,

C: "well, you only spent 10 last year and you want 50 this year again like you asked for last year? Hell no, you get 5."
F: "But we're starting implementation!"
C: "Use the 40m in the bank and get lost."
F: "But we're going to need the 40 and then some"
C: "like we care"

Congressional budgeting is a disaster and will likely remain so. Any entity that doesn't burn every last penny every year will have its budget summarily sliced. Extenuating circumstances? One-time or recurring cost reductions? Not on your life. Gov't doesn't reward thrift or wisdom. Never has and never will. Instead it encourages waste, nay, mandates it, and penalizes those who don't. After all, it's somebody else's money so what do they care. So why should contractors behave any differently?

VCF should have been a fixed cost contract with rewards for quality, thrift, and achievement, but congress-critters don't tolerate that kind of discretion or innovation and they don't even begin to know how to handle agencies having money left over. Not to mention a pissed-off contractor can trivially file a lawsuit and try to get a court to give them what they think they deserve even if they don't.
Whatever the case, the FBI desperately needs to find a project manager with some clue and hefty clout. Frankly Congress and the FBI, or better yet the GAO, should fine SAIC 100 million. After all, the GAO has been on SAIC's case about VCF for several years running. But when "accountability" is defined as making the statement "I am accountable" yet failing to resign or apologize, or biting a quivering lip in a TV interview and "feeling your pain", how are things going to change?

Congress has never been about having the balls to do what's right. It's far more lucrative and expedient to coddle incompetence, accept donations from grateful contractors to better cement one's power and status, and perpetuate the corrupt and unaccountable system. Those of us who care either get co-opted by the system, give up and leave, soldier on and try to ignore the corruption, or get booted out the door by daring to question and confront the powers on high.

The VCF trainwreck could have been halted in the fall of 2002 if anybody cared to listen to those who said it already was a mess. Competent management by both the FBI and SAIC could have backed the problem up another 6 months if not prevented it in the first place. Alas, nobody will ever learn. The faces on the congressional panel will change, the faces of the accused will change, but nothing short of a free market or the elimination of free money will actually improve the situation in Washington.

From isn at c4i.org Thu Mar 10 04:04:12 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Mar 10 04:25:17 2005
Subject: [ISN] Exploit Out For CA Bugs, Eval Users Also At Risk
Message-ID:

http://informationweek.com/story/showArticle.jhtml?articleID=159400248

By Gregg Keizer
TechWeb News
March 9, 2005

Users of Computer Associates' products are now at an even greater risk, a security firm said Wednesday, because exploit code has appeared that takes advantage of vulnerabilities disclosed last week.
Even more important, said Firas Raouf, the chief operating officer of eEye Digital Security, is that ex-users of CA products -- including those who only evaluated the company's security titles, but then later uninstalled them -- are vulnerable to attack.

The vulnerabilities were first reported March 2 [1] by Computer Associates and a pair of security vendors, eEye and Reston, Va.-based iDefense. A bug in the licensing software used in virtually every Windows, Macintosh, Linux, and Unix title from CA could allow attackers to generate buffer overflows, and from there, run code of their choice on the machines. Computer Associates released patches that same day.

"Exploits have been posted on the Internet," said Raouf, "and pretty much lay out the formula for exploiting the vulnerabilities with buffer overflows." The made-public exploits are for Windows 2000 and Windows XP, just two of the numerous operating systems that run CA's software. "It's a pretty classic example," added Raouf. "Windows just tends to be targeted more."

While a worm hasn't been spotted that uses the exploit code to create an automated attacker, "it would be a trivial job to turn it into one," Raouf claimed.

Also on Wednesday, the Internet Storm Center reported that it had monitored a huge spike in traffic on TCP ports 10202 and 10203, both of which are used by Computer Associates' licensing software. The number of systems scanned at port 10203, for instance, jumped from just 19 on March 2 to 4,594 on March 5.

"These scans are likely due to the public release of exploit code, which was released to the public on Monday in a posting to the VulnWatch mailing list," wrote David Goldsmith on the Storm Center's analyst blog. But eEye's Raouf said it was too early to tell whether the increased activity on those ports was actually due to the exploit, or was only proof that hackers were scanning for vulnerable systems that they might target later.
In a related development, Raouf also said that former users of CA titles could be in danger, including those who only evaluated the Islandia, NY-based software developer's products. "In some cases, evaluation copies install the licensing software as well, and when the evaluation software's removed, the licensing manager isn't completely uninstalled," said Raouf. eEye discovered the new problem through its own testing, said Raouf, but the Aliso Viejo, Calif.-based security vendor had not yet informed CA of its findings.

"It's going to be difficult for enterprises to spot all the systems that are vulnerable," said Raouf. "While users can go to a CA console to view all the systems which have the licensing agent installed, that won't tell them about, say, consultants' machines using the network or computers where CA products have been uninstalled, but which still have pieces of the licensing software on them."

Later Wednesday, he added, eEye will post a free-for-the-downloading scanning utility that will peek through the network and find all systems vulnerable to the CA exploit. As with earlier such scanners, it will be posted to the eEye Web site [2].

"CA has taken immediate action in response to the vulnerabilities discovered in a licensing component of certain CA software products, including the development and distribution of the necessary code patches," a spokesman for CA said late Wednesday. "CA worked with iDefense, eEye Digital Security and the CA Security Advisory teams to verify that the patches work properly and eliminate the reported vulnerabilities. We are continuing to work closely with our customers to make sure they are aware of these vulnerabilities and that they take appropriate corrective action. Patches have been posted to our SupportConnect web site (http://SupportConnect.ca.com), where our customers can get step-by-step instructions on how to determine if they are impacted and how to update their environment.
Although there are no confirmed reports of the exploitation of these vulnerabilities, CA strongly recommends that our customers apply the patches immediately."

[1] http://www.techweb.com/wire/security/60405068
[2] http://www.eeye.com/html/resources/downloads/audits/index.html

From isn at c4i.org Thu Mar 10 04:04:49 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Mar 10 04:25:20 2005
Subject: [ISN] Hacker derails tax site
Message-ID:

http://miva.sctimes.com/miva/cgi-bin/miva?Web/page.mv+1+local+798546

By Kirsti Marohn
Mar. 10, 2005

A computer hacker derailed a portion of Stearns County's Web site for about 13 hours this week. Internet users who clicked on a feature that usually allows them to search for information about their property and taxes were redirected to another site. The problem began about 9:30 p.m. Tuesday and was corrected by Wednesday morning. It was the first time the county's site has been the victim of hackers, said George McClure, information services director.

Like many Web sites, the county's Web server uses Microsoft software, a favorite target of hackers. The company frequently distributes patches to correct software problems. A vendor that manages a portion of the Stearns County site apparently didn't correctly install a patch, McClure said. That led to a hacker targeting government sites - those with addresses that end in "us" - to redirect visitors to a page with a picture of a Turkish flag. "It's more of a nuisance than malicious," McClure said.

County workers were alerted to the problem Tuesday night via e-mail from a Sauk Centre resident. They installed the patch, changed several passwords to guarantee the site was secure and got it back online by about 10:30 a.m. Wednesday, McClure said. While this is Stearns County's first experience with hackers or a virus, they are fairly common, McClure said. Keeping up with the patches is an ongoing battle, he said.
Internet users who want to pay their property taxes online needn't worry, McClure said. The payment feature is managed by a different company and is an encrypted connection, he said. No financial or credit card information is stored on the county's site.

From isn at c4i.org Thu Mar 10 04:05:40 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Mar 10 04:25:22 2005
Subject: [ISN] Security UPDATE -- Administrator Accounts and Root Kits -- March 9, 2005
Message-ID:

====================
1. In Focus: Administrator Accounts and Root Kits
2. Security News and Features
   - Recent Security Vulnerabilities
   - Need Information About Internet Explorer 7.0?
   - Deploying Junk Mail Filter Lists in Outlook 2003
   - @stake LC 5
3. Security Toolkit
   - Security Matters Blog
   - Web Chat
   - FAQ
   - Security Forum Featured Thread
4. New and Improved
   - Prevent Unauthorized Network Access
====================

==== 1. In Focus: Administrator Accounts and Root Kits ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Last week, I wrote about why you should try not to use administrative accounts unless you really need to. Several readers wrote to explain various scenarios and problems they've encountered while trying to use a nonadministrative account for certain tasks. Some of the problems involve using Windows Explorer, running debuggers, creating Data Source Names (DSNs), and accessing Control Panel items.

Obviously, you'll need to log on as the administrator in some instances; using RunAs, even with the /netonly switch, might not always suffice. There are other possible solutions for some problems too. For example, Microsoft's OS resource kits include the su.exe tool, which can elevate privileges.

Another tool, which I've mentioned before, is MakeMeAdmin, written by Aaron Margosis at Microsoft. The tool adds your account to the local Administrators group, spawns a command shell with your new elevated privileges, and then removes your account from the group. So, effectively, MakeMeAdmin gives you a command shell running with a new security token. You can perform whatever actions you need to in the shell.

If you also need privileges on the network, you can initiate some kind of network access and authenticate by using whatever account you prefer. For example, you can map a drive by using the command net use and specifying an account with the required privileges. Or you could launch Windows Explorer on the desktop with elevated privileges by using its /root switch. You could also launch Control Panel applets by simply entering the applet name and extension (.cpl) as if it were any other executable program.
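The add-to-group, spawn-shell, remove-from-group sequence described for MakeMeAdmin, as an added example written for this column and not Margosis's own script. It assumes the local administrator account is named Administrator, the target group is the local Administrators group, the file is saved as a .cmd and launched from a normal user session; the share and account in the closing comment are placeholders.

```batch
@echo off
rem Added example of the pattern described above: add the current user to
rem the local Administrators group, start a shell under a fresh logon so its
rem token carries that membership, then remove the membership again.
rem This is not Margosis's MakeMeAdmin script. Assumptions: the local admin
rem account is %COMPUTERNAME%\Administrator and this file is saved as a .cmd.
setlocal

if /i "%~1"=="-elevated" goto :elevated

set "_Admin_=%COMPUTERNAME%\Administrator"
set "_User_=%USERDOMAIN%\%USERNAME%"
set "_Prog_=cmd.exe"

echo Re-running this script as %_Admin_% - enter that account's password.
rem The second pass runs under the admin logon, where %USERNAME% would no
rem longer be the normal user, so the user and program are passed as args.
runas /user:%_Admin_% "\"%~f0\" -elevated \"%_User_%\" \"%_Prog_%\""
goto :eof

:elevated
set "_User_=%~2"
set "_Prog_=%~3"
set "_Group_=Administrators"

echo Adding %_User_% to %_Group_% ...
net localgroup %_Group_% "%_User_%" /add || goto :eof

rem Group membership only shows up in tokens created after the change, so
rem the shell is started through a new logon for the user (this prompts for
rem that user's own password). runas returns as soon as the program has
rem started, which is why the removal below does not affect the running
rem shell's token.
echo Starting %_Prog_% as %_User_% with elevated privileges ...
runas /user:%_User_% "%_Prog_%"

echo Removing %_User_% from %_Group_% ...
net localgroup %_Group_% "%_User_%" /delete

rem Network access from the new shell still uses the user's normal
rem credentials; a share needing other rights can be mapped from inside it
rem (placeholder server, share and account):
rem   net use Z: \\server\share /user:DOMAIN\account
```

The window that runas opens for the second pass closes once the group has been removed; the elevated cmd.exe it started stays open and keeps its token until it exits.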
If you run Microsoft Internet Explorer (IE) with elevated privileges, you can use Margosis's PrivBar add-on that shows which security level your browser is running under.
http://list.windowsitpro.com/t?ctl=48C1:4FB69
http://list.windowsitpro.com/t?ctl=48C0:4FB69

Another reader wrote to point out that Microsoft has published a document that explains some of the problems you can encounter when you run applications on the desktop with nonadministrative accounts. The article offers tips about how developers can remedy some of those problems and offers some insight into how the next release of Windows (codenamed Longhorn) will address the matter in more effective ways. One change will be a Protected Administrator status, which, if I understand correctly, will allow a user to use an administrator account but with the fewest privileges necessary for a given task.
http://list.windowsitpro.com/t?ctl=48BF:4FB69

Another topic I want to discuss this week is root kits, which, as you know, can be a real problem. A Microsoft paper discusses research the company has done regarding ways to discover such nuisances. The paper mentions a related tool, Strider Ghostbuster, developed in the labs, which isn't available to the public.
http://list.windowsitpro.com/t?ctl=48B9:4FB69

However, Sysinternals has a root kit discovery tool that you might find helpful. The new tool, RootkitRevealer, is still undergoing development, but you can download a copy and try it out.
http://list.windowsitpro.com/t?ctl=48C4:4FB69

F-Secure will release a beta version of its new root kit detection tool, F-Secure BlackLight Rootkit Elimination Technology, this week. You can learn more about that tool in the related article on our Web site.
http://list.windowsitpro.com/t?ctl=48CB:4FB69

====================
==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=48C3:4FB69

Need Information About Internet Explorer 7.0?
If you need information about the upcoming Microsoft Internet Explorer (IE) 7.0, you can find some tidbits about it on IEBlog, which is operated by Microsoft's IE team.
http://list.windowsitpro.com/t?ctl=48C9:4FB69

Deploying Junk Mail Filter Lists in Outlook 2003
Microsoft released a hotfix for Outlook 2003 late last month for a feature that deals with importing junk mail filter lists into Outlook 2003. This feature lets you use registry values to tell Outlook to import the Safe Senders, Safe Recipients, and Blocked Senders lists from specific locations and either overwrite the user's existing junk mail filter lists or append entries to them. The hotfix makes some important changes to the way the feature works.
http://list.windowsitpro.com/t?ctl=48C8:4FB69

@stake LC 5
If you want a terrific password-auditing tool, Jeff Fellinge recommends the most recent version of L0phtCrack: @stake LC 5 (recently acquired by Symantec).
New features let you remotely collect password hashes, schedule scans, score passwords, create audit reports, and speed up audits. LC 5 supports most password-cracking methods and comes in four versions (professional, administrator, site, and consultant).
http://list.windowsitpro.com/t?ctl=48C7:4FB69

====================
==== 3. Security Toolkit ====

Security Matters Blog
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=48D1:4FB69

Google Hacking: No Longer a Sure Thing for Intruders
A new honeypot can trap intruders who use Google queries to find vulnerable systems.
Such intruders typically use search engine queries to look for sites whose URLs contain particular words or phrases that might indicate that the site is using vulnerable applications.
http://list.windowsitpro.com/t?ctl=48C6:4FB69

Security Event Log Chat
Randy Franklin Smith is one of the foremost authorities on the Windows Security event log and a respected trainer who teaches Monterey Technology Group's "Security Log Secrets" course. In his article in the March issue of Windows IT Pro magazine, Randy shines a light on this dark and mysterious corner of cryptic event IDs and codes and inaccurate Microsoft documentation. Here's your chance to ask Randy your questions about the Security log and get answers Microsoft doesn't provide. Join the chat March 16 at 1:00 P.M. Pacific time. For details, visit
http://list.windowsitpro.com/t?ctl=48CF:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=48CD:4FB69

Q. How can I back up and restore user profiles when deploying a new OS via the Microsoft Systems Management Server (SMS) OS Deployment Feature Pack?
Find the answer at http://list.windowsitpro.com/t?ctl=48CA:4FB69

Security Forum Featured Thread: Backup Account Permissions on Windows Server 2003
A forum participant is trying to remove service accounts from administrative groups. ARCServe by default puts its account in the Administrators and Domain Admins groups. Is there a workaround so that that particular account doesn't need to belong to those groups? Putting the account in the Backup and Server Operator groups doesn't seem to be sufficient. Can a security policy be adjusted to help? Join the discussion at
http://list.windowsitpro.com/t?ctl=48BE:4FB69

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Get Windows IT Pro at 44% Off!
Windows & .NET Magazine is now Windows IT Pro! Act now to get an entire year for just $39.95--that's 44% off the cover price! Our March issue shows you what you need to know about Windows Server 2003 SP1, how to get the best out of your IT staff, and how to fight spyware. Plus, we review the top 10 features of Mozilla Firefox 1.0. This is a limited-time, risk-free offer, so click here now:
http://list.windowsitpro.com/t?ctl=48CC:4FB69

====================

==== 4. New and Improved ====
by Renee Munshi, products@windowsitpro.com

Prevent Unauthorized Network Access
MetaInfo has released SAFE DHCP as a stand-alone product. When a computer connects to the network, SAFE DHCP supplies a nonprivileged or "quarantined" IP address and checks the machine's identity before granting a privileged IP address. Several SAFE DHCP modules are available that can perform various identity and other security checks (such as checking for viruses or policy compliance). SAFE DHCP was previously available only as part of the MetaInfo Meta IP solution. For further information, visit
http://list.windowsitpro.com/t?ctl=48D5:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rsecadmin@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Contact Us ====

About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=48D3:4FB69
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com

====================

This email newsletter is brought to you by Security Administrator, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=48C5:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.

From isn at c4i.org Thu Mar 10 04:06:45 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Mar 10 04:25:25 2005
Subject: [ISN] DSW Shoe Warehouse Reports Customer Data Theft
Message-ID:

Forwarded from: Harlan Carvey

According to this article (and I'm not assuming that it's complete or accurate), RV seems to think that a "hacker" broke in and stole data for no other reason than credit card companies are reporting fraudulent activity on customers' accounts...do others read this the same way? Do you take away the same thing from the article?

If so...investigations by the outside security firm and the USSS are not complete. So how do they know? If the investigations aren't complete, why are they saying something as definitive as that? After all, the statement seems to have come from their general counsel.

I guess one way to look at it is that by saying a "hacker" did it, they can claim that this "hacker" was smart enough to outwit the assembled forces within RV, and steal the data.
You know...like the T-Mobile hack - the one involving the unpatched server that some manager made the business decision to leave unpatched...

--- InfoSec News wrote:

> http://www.washingtonpost.com/wp-dyn/articles/A17831-2005Mar8.html
>
> By Jonathan Stempel
> Reuters
> March 8, 2005
>
> Retail Ventures Inc., Tuesday announced the theft of credit card and
> purchase data of customers at 103 of its 175 DSW Shoe Warehouse
> stores and said some fraudulent activity has been conducted since
> the theft.
>
> The theft is the latest reported instance in recent weeks in which
> customers' personal data was stolen or lost. Other companies to
> report such problems include Bank of America Corp. and ChoicePoint
> Inc., where the thefts involved thousands of individuals' data.
>
> Columbus, Ohio-based Retail Ventures said customer data was stolen
> mainly over the past three months, though it was unable to say how
> many customers were affected. It said it discovered the theft late
> last week.

From isn at c4i.org Thu Mar 10 04:07:01 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Mar 10 04:25:28 2005
Subject: [ISN] France puts a damper on flaw hunting
Message-ID:

http://news.com.com/France+puts+a+damper+on+flaw+hunting/2100-7350_3-5606306.html

By Munir Kotadia
Special to CNET News.com
March 9, 2005

Researchers who reverse-engineer software to discover programming flaws can no longer legally publish their findings in France, after a court fined a security expert on Tuesday.

In 2001, French security researcher Guillaume Tena found a number of vulnerabilities in the Viguard antivirus software published by Tegam International. Tena, who at the time was known by his pseudonym Guillermito, published his research online in March 2002.

However, Tena's actions were not viewed kindly by Tegam, which initiated legal action against the researcher. That action resulted in a case being brought to trial at a court in Paris.

The prosecution claimed that Tena violated article 335.2 of the code of intellectual property and asked for a four-month jail term and a fine of 6,000 euros.

On Tuesday, the French court ruled that Tena should not be imprisoned but gave him a suspended fine of 5,000 euros. This means that he only has to pay the fine if he publishes more information on security vulnerabilities in software.

Chaouki Bekrar, a security consultant and co-founder of French Web site K-Otik Security, which is known for regularly publishing exploit codes, said that although it is good news that Tena did not have to go to jail, the ruling is very bad news for the security research industry in France.

"This seems to be a good news, but that is not the case," Bekrar said. "Publishing a security vulnerability or a proof of concept using reverse engineering or disassembly is now illegal in France. How can a researcher publish a vulnerability if he can't study the software's structure?"

On his Web site, Tena argued that if independent researchers were not allowed to freely publish their findings about security software, then users would only have "marketing press releases" to assess the quality of the software.

"Unfortunately, it seems that we are heading this way in France and maybe in Europe," Tena said.

Tegam is also proceeding with a civil case against Tena, in which it is asking for 900,000 euros in damages.

Munir Kotadia of ZDNet Australia reported from Sydney.

From isn at c4i.org Thu Mar 10 04:07:16 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Mar 10 04:25:30 2005
Subject: [ISN] Hackers breach LexisNexis, grab info on 32,000 people
Message-ID:

http://www.computerworld.com/securitytopics/security/hacking/story/0,10801,100287,00.html

By Paul Roberts
MARCH 09, 2005
IDG NEWS SERVICE

Hackers have compromised databases belonging to LexisNexis and stolen information on at least 32,000 people, according to a statement today from LexisNexis' parent company, Reed Elsevier PLC.
The hackers stole passwords, names, addresses, Social Security numbers and driver's license numbers of legitimate customers of the company's Seisint division. Seisint collects data on individuals that is used by law enforcement agencies and private companies for debt recovery, fraud detection and other services.

LexisNexis identified the incidents in a review of security procedures and warned that there may be more incidents of data theft, Reed Elsevier said.

The incident is eerily familiar to recent revelations about similar compromises at Seisint competitor ChoicePoint Inc., which acknowledged last month that hackers had access to data on 145,000 people.

Reed Elsevier didn't immediately respond to requests for comment.

LexisNexis, which acquired Boca Raton, Fla.-based Seisint Inc. in September for $775 million, expressed regret for the incident and said it is notifying the individuals whose information may have been accessed and will provide them with credit-monitoring services. The company also said it notified law enforcement officials and is assisting with investigations of the fraudulent account access.

Like ChoicePoint, Seisint maintains a massive database of public and private information on individuals, including Social Security numbers, credit histories and criminal records. Seisint made the news in recent years as the data source behind the Multistate Anti-Terrorism Information Exchange, or MATRIX, system, a program to bring together criminal and public records from participating U.S. states.

Bill Shrewsbury, a vice president at Seisint, said that identity thieves used a different approach to breach the company's database than what was used to get ChoicePoint's data. But he declined to elaborate.

LexisNexis said it is taking actions to improve its ID and password administration security, as well as customer screening.

The incident is the latest in a series of revelations about consumer data being leaked or lost.
Those incidents include the ChoicePoint compromise and Bank of America Corp.'s disclosure last week that it lost digital tapes containing the credit card account records of 1.2 million federal employees, including 60 U.S. senators.

ChoicePoint, in Alpharetta, Ga., has also been the focus of intense scrutiny and criticism since it acknowledged that identity thieves posed as legitimate customers to gain access to the company's database of 19 billion public records. Some of the information stolen from ChoicePoint has since been used in about 750 identity theft scams, according to the company.

The company said last week that it is discontinuing data sales to many of its customers, except when that data helps complete a consumer transaction or helps government or law enforcement.

Since disclosing the security breach, ChoicePoint has been the subject of a U.S. Federal Trade Commission inquiry into its compliance with federal information security laws; a U.S. Securities and Exchange Commission investigation into possible insider stock trading violations by its CEO and chief operating officer; and lawsuits alleging violations of the federal Fair Credit Reporting Act and California state law. ChoicePoint disclosed the inquiries in a filing to the SEC on March 4.

From isn at c4i.org Fri Mar 11 05:05:15 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 11 05:15:27 2005
Subject: [ISN] Hackers Target U.S. Power Grid
Message-ID:

Forwarded from: William Knowles

http://www.washingtonpost.com/wp-dyn/articles/A25738-2005Mar10.html

By Justin Blum
Washington Post Staff Writer
March 11, 2005

Hundreds of times a day, hackers try to slip past cyber-security into the computer network of Constellation Energy Group Inc., a Baltimore power company with customers around the country.

"We have no discernible way of knowing who is trying to hit our system," said John R. Collins, chief risk officer for Constellation, which operates Baltimore Gas and Electric. "We just know it's being hit."

Hackers have caused no serious damage to systems that feed the nation's power grid, but their untiring efforts have heightened concerns that electric companies have failed to adequately fortify defenses against a potential catastrophic strike. The fear: In a worst-case scenario, terrorists or others could engineer an attack that sets off a widespread blackout and damages power plants, prolonging an outage.

Patrick H. Wood III, the chairman of the Federal Energy Regulatory Commission, warned top electric company officials in a private meeting in January that they need to focus more heavily on cyber-security. Wood also has raised the issue at several public appearances.

Officials will not say whether new intelligence points to a potential terrorist strike, but Wood stepped up his campaign after officials at the Energy Department's Idaho National Laboratory showed him how a skilled hacker could cause serious problems. Wood declined to comment on specifics of what he saw. But an official at the lab, Ken Watts, said the simulation showed how someone could hack into a utility's Internet-based business management system, then into a system that controls utility operations. Once inside, lab workers simulated cutting off the supply of oil to a turbine generating electricity and destroying the equipment.

Describing his reaction to the demonstration, Wood said: "I wished I'd had a diaper on."

Many electric industry representatives have said they are concerned about cyber-security and have been taking steps to make sure their systems are protected. But Wood and others in the industry said the companies' computer security is uneven.

"A sophisticated hacker, which is probably a group of hackers . . . could probably get into each of the three U.S. North American power [networks] and could probably bring sections of it down if they knew how to do it," said Richard A. Clarke, a former counterterrorism chief in the Clinton and Bush administrations.

Clarke said government simulations show that electric companies have not done enough to prevent hacking. "Every time they test, they get in," Clarke said. "It's nice that the power companies think that they've done things, and some of them have. But as long as there's a way to get into the grid, the grid is as weak as its weakest company."

Some industry analysts play down the threat of a massive cyber-attack, saying it's more likely that terrorists would target the physical infrastructure such as power plants and transmission lines. James Andrew Lewis, director of technology policy at the Center for Strategic and International Studies in the District, said a coordinated attack on the grid would be technically difficult and would not provide as much "bang for the buck" as high-profile physical attacks. Lewis said the bigger vulnerability may be posed not by outside hackers but by insiders who are familiar with their company's computer networks.

But in recent years, terrorists have expressed interest in a range of computer targets. Al Qaeda documents from 2002 suggest cyber-attacks on various targets, including the electrical grid and financial institutions, according to a translation by the IntelCenter, an Alexandria firm that studies terrorist groups.

A government advisory panel has concluded that a foreign intelligence service or a well-supported terrorist group "could conduct a structured attack on the electric power grid electronically, with a high degree of anonymity, and without having to set foot in the target nation," according to a report last year by the Government Accountability Office, the investigative arm of Congress.

Cyber-security specialists and government officials said that cyber-attacks are a concern across many industries but that the threat to the country's power supply is among their top fears.

Hackers have gained access to U.S. utilities' electronic control systems and in a few cases have "caused an impact," said Joseph M. Weiss, a Cupertino, Calif.-based computer security specialist with Kema Inc., a consulting firm focused on the energy industry. He said computer viruses and worms also have caused problems.

Weiss, a leading expert in control system security, said officials of the affected companies have described the instances at private conferences that he hosts and in confidential conversations but have not reported the intrusions publicly or to federal authorities. He said he agreed not to publicly disclose additional details and that the companies are fearful that releasing the information would hurt them financially and encourage more hacking.

Weiss said that "many utilities have not addressed control system cyber-security as comprehensively as physical security or cyber-security of business networks."

The vulnerability of the nation's electrical grid to computer attack has grown as power companies have transferred control of their electrical generation and distribution equipment from private, internal networks to supervisory control and data acquisition, or SCADA, systems that can be accessed through the Internet or by phone lines, according to consultants and government reports. That technology has led to greater efficiency because it allows workers to operate equipment remotely.

Other systems that feed information into SCADA or that operate utility equipment are vulnerable and have been largely overlooked by utilities, security consultants said. Some utilities have made hacking into their SCADA systems relatively easy by continuing to use factory-set passwords that can be found in standard documentation available on the Internet, computer security consultants said.

The North American Electric Reliability Council, an industry-backed organization that sets voluntary standards for power companies, is drafting wide-ranging guidelines to replace more narrow, temporary precautions already on the books for guarding against a cyber-attack.
But computer security specialists question whether those standards go far enough.

Officials at several power companies said they had invested heavily in new equipment and software to protect their computers. Many would speak only in general terms, saying divulging specifics could assist hackers.

"We're very concerned about it," said Margaret E. "Lyn" McDermid, senior vice president and chief information officer for Dominion Resources Inc., a Richmond-based company that operates Dominion Virginia Power and supplies electricity and natural gas in other states. "We spend a significant amount of time and effort in making sure we are doing what we ought to do."

Executives at Constellation Energy view the constant hacking attempts -- which have been unsuccessful -- as a threat and monitor their systems closely. They said they assume many of the hackers are the same type seen in other businesses: people who view penetrating corporate systems as fun or a challenge.

"We feel we are in pretty good shape when it comes to this," Collins said. "That doesn't mean we're bulletproof."

The biggest threat to the grid, analysts said, may come from power companies using older equipment that is more susceptible to attack. Those companies may not want to invest large amounts of money in new computer equipment when the machines they are using are adequately performing all their other functions.

Security consulting firms said that they have hacked into power company networks to highlight for their clients the weaknesses in their systems.

"We are able to penetrate real, running, live systems," said Lori Dustin, vice president of marketing for Verano Inc., a Mansfield, Mass., company that sells products to companies to secure SCADA systems. In some cases, Dustin said, power companies lack basic equipment that would even alert them to hacking attempts.

O. Sami Saydjari, chief executive of the Wisconsin Rapids, Wis.-based consulting firm Cyber Defense Agency LLC, said hackers could cause the type of blackout that knocked out electricity to about 50 million people in the Northeast, Midwest and Canada in 2003, an event attributed in part to trees interfering with power lines in Ohio. He said that if hackers destroyed generating equipment in the process, the amount of time to restore electricity could be prolonged.

"I am absolutely confident that by design, someone could do at least as [much damage], if not worse" than what was experienced in 2003, said Saydjari, who was one of 54 prominent scientists and others who warned the Bush administration of the risk of computer attacks following Sept. 11, 2001. "It's just a matter of time before we have a serious event."

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Fri Mar 11 05:05:46 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 11 05:15:31 2005
Subject: [ISN] France puts a damper on flaw hunting
Message-ID:

Forwarded from: security curmudgeon

: http://news.com.com/France+puts+a+damper+on+flaw+hunting/2100-7350_3-5606306.html
:
: By Munir Kotadia
: Special to CNET News.com
: March 9, 2005
:
: Researchers who reverse-engineer software to discover programming flaws
: can no longer legally publish their findings in France, after a court
: fined a security expert on Tuesday.
:
: In 2001, French security researcher Guillaume Tena found a number of
: vulnerabilities in the Viguard antivirus software published by Tegam
: International. Tena, who at the time was known by his pseudonym
: Guillermito, published his research online in March 2002.
:
: On Tuesday, the French court ruled that Tena should not be imprisoned
: but gave him a suspended fine of 5,000 euros. This means that he only
: has to pay the fine if he publishes more information on security
: vulnerabilities in software.

According to reports on other lists, by people who apparently read and speak French better than most American journalists, the court ruling is not about him reverse engineering software and publishing bugs so much as the fact he did it on unlicensed copies of the software. If that is the case, this ruling is more about using pirated software for security research than posting vulnerability information.

Would be nice if some of the French-speaking list members could translate the court ruling and help clear this up.

From isn at c4i.org Fri Mar 11 05:09:25 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 11 05:15:39 2005
Subject: [ISN] Security Masters Dojo
Message-ID:

Forwarded from: Dragos Ruiu

(The registration for this training is now on-line. I thought it would be of interest to readers of this list. --dr)

CanSecWest Security Masters Dojo
----------------------------------------

Dates: Morning/Afternoon May 3 and Morning May 4
(Immediately preceding CanSecWest/core05)

Venue: Marriott Harbourside, Vancouver BC Canada
(Off-site lab equipment provided by BCIT IEL)

Duration: 7 half-day courses in three sessions.
(Each course offered twice in the three possible sessions.)

Registration Maximum: 10 students per course session.

Description
-----------

Advanced and intermediate security training and technology enhancement for information security professionals.
To address the need for intermediate and advanced educational requirements that go beyond the introductory materials typically found in most currently existing training (which are often geared towards the novice level) for professionals who already have significant work experience, and want to further improve their skills, we have assembled a curriculum of hands-on, half day, training programs - delivered by industry renowned experts who are pre-eminent in their fields. This is information security university level training for practitioners who already have substantial knowledge and wish to broaden their boundaries. It goes beyond introductory level material to focus and delve more deeply into technical subjects that aren't addressed in other currently available training. The initial courses offered will be: Gerardo Richarte - Core Security Technologies - Assembler Language Programming: Assembly for Exploits Dave Aitel - Immunity Inc. - Your first Exploit: An accelerated class in Windows exploitation Halvar - Reverse Engineering: Rapid Bug Discovery and Input Crafting Fyodor - Insecure.Org - Network Reconnaissance with NMAP Renaud Deraison - Tenable Network Security - Vulnerability Scanning: Advanced NESSUS Usage Marty Roesch & Brian Caswell - Sourcefire - Advanced IDS deployment and Signature Creation: Learn to get the most from your SNORT deployment Laurent Oudot & Nico Fischbach - Applied network security and advanced anomaly detection using state-of-the-art honeyports and netflow/NIDS These instructors are each considered to be the world's top experts in their field. Many have been responsible for the creation of some of the most famous and useful security tools and methodologies you probably use frequently in your normal security tasks. All have given many introductory courses and are experienced instructors. They are knowledgeable in what students need to advance their skills. Many have created course material that other instructors still use. 
Each has taken that wisdom and knowledge of training and refined it into material to take your understanding to the next level. Our goal is to empower you to be the experts in your organization so that you can help your company be an information security powerhouse. Let our sensei transform your skill to the next degree of intensity. Our half day format is oriented towards maximum information transfer and learning retention. Research into learning retention rates has proven: Teaching Method - Knowledge Retention See/Hear - Lecture 5% Reading - 10% Audio Visual / Video - 20% Demonstration - 30% Discussion Group - 50% ***Practice by Doing*** - 75% Teaching Others - 90% ****Immediate application of learning in a real situation**** - 90% Patterned after martial arts combat training, the Security Masters Dojo will focus on real world applications of new skills which can help you advance in the field of information security. You will learn difficult to aquire skill sets from the world's top practitioners. A series of tests will challenge and verify your skills in each course area, with series of ceremonial belt colors which are awarded after successful attainment of each difficulty level in the testing challenges. The most difficult levels (black belt), are difficult to attain. But you can rest assured that if you study and persevere, by attaining and overcoming the challenges, you too will indeed become a world class expert in information security - with an exclusive skill and knowledge level few have reached. As incentives to performance, two additional rank awards will be presented to the two most exceptional students in each Dojo sitting at the belt award ceremony at the opening of the CanSecWest/core05 conference. 
(highest cumulative test scores per Dojo after normalization by class average) Top student: Authentic weapon grade Japanese Folded Samurai Katana Sword - Soft and hard powdered carbon steel blend, tameshigiri grade cutting sword good for iaido practitioners. It's not just decorative, this is the real thing. (We can ship it home if you think you might have any issues with airport security :-) (~USD$1200) Runner-up: Linux Zaurus SL3000 PDA with 4Gig hard drive and VGA touchscreen, only available in Japan, converted to english menus and pre-loaded with security tools and NICs. This too is not just decorative. (~USD$1200) Each class is offered in two sessions per dojo and features one or two expert intructors teaching a small group (maximum of ten people are allowed to register per session, class max 12). Courses have a strong hands-on laboratory component and prepared exercises for you to perform. Laboratory equipment for the excercises and a gigabit peering link will be provided by the BC Institue of Technology Internet Engineering Laboratory. (http://www.bcit.ca/appliedresearch/facility/iel/) To accomodate this, each class may have prerequisites for software loads and a laptop is mandatory. The individual class guides will list material the students are expected have knowledge about coming in and software tools that need to be pre-installed before attending so you get the maximum benefit from the focused intermediate or advanced level course. Please pay particular attention to the prerequisites, as the material listed there will not be reviewed in the courses, and will be necessary to get the maximum benefit out of these educational programs. The small size (10) means that space is limited, so you must book early, but you will be assured that the low student-instructor ratio will mean that you will each get specific attention to assisting your individual learning process. Our sensei masters have said "Hai!" to the challenge of improving your skills. 
I hope you choose to say so too and rise to the challenge of increasing your information security knowledge.

More information on courses and registration will be found at: http://cansecwest.com/dojob.html

cheers,
--dr (a.k.a. Dojo Mama-san :-)

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada May 4-6 2005 http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp

From isn at c4i.org Fri Mar 11 05:10:00 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 11 05:15:41 2005
Subject: [ISN] REVIEW: "Windows Forensics and Incident Recovery", Harlan Carvey
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKWNFOIR.RVW 20041224

"Windows Forensics and Incident Recovery", Harlan Carvey, 2005, 0-321-20098-5, U$49.99/C$71.99
%A Harlan Carvey
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D 2005
%G 0-321-20098-5
%I Addison-Wesley Publishing Co.
%O U$49.99/C$71.99 416-447-5101 fax: 416-443-0948 bkexpress@aw.com
%O http://www.amazon.com/exec/obidos/ASIN/0321200985/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0321200985/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0321200985/robsladesin03-20
%O tl a rl 1 tc 2 ta 2 tv 1 wq 2
%P 460 p. + CD-ROM
%T "Windows Forensics and Incident Recovery"

Chapter one is an introduction, both to the book and to the ideas behind it. For once, the author does, indeed, try to define what an incident is. The definition is broad, but so are the possibilities. The intended audience is stated to be anyone interested in the security of Microsoft Windows, but it is instructive that, in listing specific groups, forensic specialists and security professionals are *not* mentioned. Carvey notes that a great many people would like to know the information that Windows forensics can provide, since the platform is nearly ubiquitous, but few have the knowledge of system internals that is necessary to find the relevant bits.
Based on the definition of an incident as an event that violates security policy, chapter two demonstrates some of the ways that policy failures, and therefore attacks, can occur. (The rationale behind the inclusion of eleven pages of Perl source for a program to detect null sessions escapes me.)

Chapter three reviews a number of places to hide data, but all of these are at the user interface level, such as setting hidden file attributes, placing data in unused keys in the Registry, NTFS (NT File System) alternate data streams (ADS), and the extra information stored in data files by applications like Microsoft Word. There is no mention of the lower level caches: slack space (whether in terms of zero padding, extra space in sectors, or the timing margins on hard disks) or page files. In addition, for those locations that are mentioned, specific programs for extracting particular data are listed, but no details of structural internals (for example formats for NTFS, OLE/COM, or Word) are provided for analysis with more general utilities. This is not to say that Carvey does not do a good job of explaining what he does cover: the tutorial on NTFS ADS is clear and complete.

The material in chapter four addresses the issue of preparation by suggesting various means of hardening systems and networks against attack. The content is unusual, and deals with functions and activities that are frequently left out of security texts. At the same time, it does not touch on some common suggestions for system security: this should be seen as a complement to, rather than a replacement for, other Windows security works.

A wealth of utilities for deriving all manner of information from Windows systems are listed and described in chapter five.

Chapter six presents suggestions for the methods and procedures to be used in responding to a potential incident, but it does so in the form of a number of fictional examples. The stories can be instructive, but it does take a long time to sort through the material to find the relevant points to use.

Various indications that can be evidence of the existence of malware (particularly network-based remote access trojans) are examined in chapter seven. The author's Forensic Server Project, a tool for managing forensic data collection, is presented in chapter eight. Chapter nine describes an assortment of network scanning and data capture tools.

Although a number of areas are addressed, the text will be of greatest use to those who are concerned about network malware, especially of the remote access type. The intended audience, of experienced but non-specialist Windows administrators and law enforcement professionals with some technical background, will find a number of valuable indicators that will point out whether a system will reward further scrutiny. The professional, and particularly one with experience in forensic analysis, will find some very useful information on newer operations of Windows, but may be frustrated at the lack of detail. (I'm still not sure who is going to get a lot out of all the Perl source code ...)

copyright Robert M. Slade, 2004   BKWNFOIR.RVW   20041224

======================
(quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca  slade@victoria.tc.ca  rslade@sun.soci.niu.edu
When you tell the truth, you don't have to remember anything.
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

From isn at c4i.org Fri Mar 11 05:10:13 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 11 05:15:44 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-10
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2005-03-03 - 2005-03-10

This week : 83 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information.

Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Microsoft Windows XP and 2003 Server edition have been reported vulnerable to a Denial of Service issue, which was first reported in 1997 and became known as LAND attacks.

Currently, no patches are available from the vendor.

Please read the referenced Secunia advisory below for additional details.

References:
http://secunia.com/SA14512

VIRUS ALERTS:

During the last week, Secunia issued 3 MEDIUM RISK virus alerts. Please refer to the grouped virus profile below for more information:

SOBER.L - MEDIUM RISK Virus Alert - 2005-03-08 00:55 GMT+1
http://secunia.com/virus_information/16027/sober.l/

FATSO.A - MEDIUM RISK Virus Alert - 2005-03-07 16:46 GMT+1
http://secunia.com/virus_information/15999/fatso.a/

Kelvir.b - MEDIUM RISK Virus Alert - 2005-03-07 15:04 GMT+1
http://secunia.com/virus_information/15994/kelvir.b/

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA14163] Mozilla Products IDN Spoofing Security Issue
2.  [SA14406] Mozilla Firefox Image Javascript URI Dragging Cross-Site Scripting
3.  [SA14407] Mozilla / Firefox / Thunderbird Multiple Vulnerabilities
4.  [SA14512] Microsoft Windows LAND Attack Denial of Service
5.  [SA14456] RealPlayer WAV and SMIL File Handling Buffer Overflows
6.  [SA13258] Mozilla / Firefox "Save Link As" Download Dialog Spoofing
7.  [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerability
8.  [SA12889] Microsoft Internet Explorer Multiple Vulnerabilities
9.  [SA14438] CA License Software Multiple Buffer Overflow Vulnerabilities
10. [SA13129] Mozilla / Mozilla Firefox Window Injection Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA14526] ArGoSoft FTP Server "DELE" Buffer Overflow Vulnerability
[SA14506] Chaser Nickname Buffer Overflow Vulnerability
[SA14470] Trillian Basic PNG Image Buffer Overflow Vulnerability
[SA14511] Sentinel License Manager Buffer Overflow Vulnerability
[SA14543] Microsoft Exchange Server 2003 Folder Handling Denial of Service
[SA14522] Hosting Controller Disclosure of Information
[SA14512] Microsoft Windows LAND Attack Denial of Service
[SA14461] Computalynx CProxy Directory Traversal Vulnerability

UNIX/Linux:
[SA14541] Fedora update for libexif
[SA14518] Ubuntu update for libexif
[SA14513] Download Center Lite "script_root" File Inclusion Vulnerability
[SA14505] Form Mail Script "script_root" File Inclusion Vulnerability
[SA14504] libexif EXIF Tag Structure Validation Vulnerability
[SA14494] Ubuntu update for lesstif
[SA14482] Gentoo update for openmotif / lesstif
[SA14481] LessTif libXpm Image Buffer Overflow Vulnerability
[SA14478] Fedora update for HelixPlayer
[SA14477] SUSE update for cyrys-sasl
[SA14473] Open Motif libXpm Image Buffer Overflow Vulnerability
[SA14472] Red Hat update for HelixPlayer / RealPlayer
[SA14460] X11 libXpm XPM Image Buffer Overflow Vulnerability
[SA14532] Gentoo update for mlterm
[SA14517] Gentoo update for xv
[SA14510] Red Hat update for mozilla
[SA14509] mlterm Background Image Integer Overflow Vulnerability
[SA14508] Red Hat update for mc
[SA14503] Mandrake update for cyrus-imapd
[SA14500] Mandrake update for curl
[SA14499] SUSE update for phpMyAdmin
[SA14498] SGI Advanced Linux Environment Multiple Updates
[SA14496] SGI Advanced Linux Environment update for imap
[SA14491] Sylpheed Message Reply Buffer Overflow Vulnerability
[SA14488] Gentoo update for hashcash
[SA14486] Gentoo update for imagemagick
[SA14485] xv Filename Format String Vulnerability
[SA14484] Astaro update for Squid
[SA14476] Ubuntu update for imagemagick
[SA14471] Gentoo update for mozilla-firefox
[SA14469] Gentoo update for phpmyadmin
[SA14466] Imagemagick Filename Handling Format String Vulnerability
[SA14463] Gentoo update for xli / xloadimage
[SA14459] xli Multiple Vulnerabilities
[SA14523] UnixWare update for samba
[SA14497] SGI Advanced Linux Environment Multiple Updates
[SA14539] Conectiva update for squid
[SA14536] Ubuntu update for squid
[SA14515] Drupal Unspecified Cross-Site Scripting Vulnerability
[SA14502] Mandrake update for gftp
[SA14479] Red Hat update for squid
[SA14468] Gentoo update for bidwatcher
[SA14462] Xloadimage Compressed Images Filename Shell Command Injection
[SA14521] UnixWare update for squid
[SA14535] Debian update for kdenetwork
[SA14534] Ubuntu update for perl-modules
[SA14531] Perl "File::Path::rmtree" Directory Permissions Race Condition
[SA14525] Gentoo update for kdelibs
[SA14519] Debian update for abuse
[SA14514] grsecurity Unspecified RBAC System Privilege Escalation
[SA14495] Abuse-SDL Multiple Vulnerabilities
[SA14490] grsecurity Unspecified Privilege Escalation Vulnerability
[SA14489] PaX Unspecified Privilege Escalation Vulnerability
[SA14480] Red Hat update for kdenetwork
[SA14501] Mandrake update for gaim

Other:
[SA14544] UTStarcom iAN-02EX VoIP ATA Reset Security Bypass
[SA14507] Xerox MicroServer Web Server Unauthorised Access Vulnerability

Cross Platform:
[SA14528] mcNews "skinfile" Arbitrary File Inclusion Vulnerability
[SA14483] Ca3DE Format String and Denial of Service Vulnerabilities
[SA14540] Ethereal "dissect_a11_radius()" Buffer Overflow Vulnerability
[SA14538] BLOG:CMS PunBB SQL Injection Vulnerabilities
[SA14533] ProjectBB Cross-Site Scripting and SQL Injection Vulnerabilities
[SA14520] Xoops Avatar Upload File Extension Vulnerability
[SA14487] Hashcash "From:" Format String Vulnerability
[SA14474] PHP-Nuke Pabox Module Script Insertion Vulnerability
[SA14465] TYPO3 CMW Linklist Extension "category_uid" SQL Injection
[SA14458] auraCMS Cross-Site Scripting and SQL Injection Vulnerabilities
[SA14542] Participate Enterprise Denial of Service Vulnerabilities
[SA14516] phpMyFaq "username" SQL Injection Vulnerability
[SA14493] phpBB Autologin Security Bypass Vulnerability
[SA14492] PHP-Fusion HTML Encoded BBcode Script Insertion Vulnerability
[SA14475] phpBB Signature Script Insertion Vulnerability
[SA14464] D-Forum "page" Parameter Cross-Site Scripting Vulnerability
[SA14527] Novell iChain Administrator Session Hijacking Vulnerability
[SA14537] Novell iChain FTP Server Path Disclosure Weakness

========================================================================
5) Vulnerabilities Content Listing

Windows:
--
[SA14526] ArGoSoft FTP Server "DELE" Buffer Overflow Vulnerability
Critical: Moderately critical   Where: From remote   Impact: System access   Released: 2005-03-09
CorryL has discovered a vulnerability in ArGoSoft FTP Server, which can be exploited by malicious users to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14526/
--
[SA14506] Chaser Nickname Buffer Overflow Vulnerability
Critical: Moderately critical   Where: From remote   Impact: DoS   Released: 2005-03-07
Luigi Auriemma has reported a vulnerability in Chaser, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14506/
--
[SA14470] Trillian Basic PNG Image Buffer Overflow Vulnerability
Critical: Moderately critical   Where: From remote   Impact: System access   Released: 2005-03-08
Tal zeltzer has reported a vulnerability in Trillian Basic, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14470/
--
[SA14511] Sentinel License Manager Buffer Overflow Vulnerability
Critical: Moderately critical   Where: From local network   Impact: System access   Released: 2005-03-08
Dennis Rand has reported a vulnerability in Sentinel License Manager, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14511/
--
[SA14543] Microsoft Exchange Server 2003 Folder Handling Denial of Service
Critical: Less critical   Where: From remote   Impact: DoS   Released: 2005-03-09
A vulnerability has been reported in Microsoft Exchange Server 2003, which can be exploited by malicious users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14543/
--
[SA14522] Hosting Controller Disclosure of Information
Critical: Less critical   Where: From remote   Impact: Exposure of system information, Exposure of sensitive information   Released: 2005-03-08
Mouse and Hamid Kashfi have reported two security issues in Hosting Controller, which can be exploited by malicious people to disclose some potentially sensitive information.
Full Advisory: http://secunia.com/advisories/14522/
--
[SA14512] Microsoft Windows LAND Attack Denial of Service
Critical: Less critical   Where: From remote   Impact: DoS   Released: 2005-03-07
Dejan Levaja has reported a vulnerability in Microsoft Windows, allowing malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14512/
--
[SA14461] Computalynx CProxy Directory Traversal Vulnerability
Critical: Less critical   Where: From local network   Impact: Exposure of sensitive information, DoS   Released: 2005-03-03
Kristof Philipsen has reported a vulnerability in Computalynx CProxy, which can be exploited by malicious people to disclose sensitive information and cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14461/

UNIX/Linux:
--
[SA14541] Fedora update for libexif
Critical: Highly critical   Where: From remote   Impact: DoS, System access   Released: 2005-03-09
Fedora has issued an update for libexif. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14541/
--
[SA14518] Ubuntu update for libexif
Critical: Highly critical   Where: From remote   Impact: DoS, System access   Released: 2005-03-08
Ubuntu has issued an update for libexif. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14518/
--
[SA14513] Download Center Lite "script_root" File Inclusion Vulnerability
Critical: Highly critical   Where: From remote   Impact: System access   Released: 2005-03-07
Filip Groszynski has reported a vulnerability in Download Center Lite, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14513/
--
[SA14505] Form Mail Script "script_root" File Inclusion Vulnerability
Critical: Highly critical   Where: From remote   Impact: System access   Released: 2005-03-07
Filip Groszynski has reported a vulnerability in Form Mail Script, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14505/
--
[SA14504] libexif EXIF Tag Structure Validation Vulnerability
Critical: Highly critical   Where: From remote   Impact: DoS, System access   Released: 2005-03-08
Sylvain Defresne has reported a vulnerability in libexif, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise vulnerable systems.
Full Advisory: http://secunia.com/advisories/14504/
--
[SA14494] Ubuntu update for lesstif
Critical: Highly critical   Where: From remote   Impact: System access   Released: 2005-03-08
Ubuntu has issued an update for lesstif. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14494/
--
[SA14482] Gentoo update for openmotif / lesstif
Critical: Highly critical   Where: From remote   Impact: System access   Released: 2005-03-07
Gentoo has issued updates for openmotif and lesstif. These fix a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14482/
--
[SA14481] LessTif libXpm Image Buffer Overflow Vulnerability
Critical: Highly critical   Where: From remote   Impact: System access   Released: 2005-03-07
A vulnerability has been reported in LessTif, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14481/
--
[SA14478] Fedora update for HelixPlayer
Critical: Highly critical   Where: From remote   Impact: System access   Released: 2005-03-04
Fedora has issued an update for HelixPlayer. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14478/
--
[SA14477] SUSE update for cyrys-sasl
Critical: Highly critical   Where: From remote   Impact: System access   Released: 2005-03-04
SUSE has issued an update for cyrus-sasl. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14477/
--
[SA14473] Open Motif libXpm Image Buffer Overflow Vulnerability
Critical: Highly critical   Where: From remote   Impact: System access   Released: 2005-03-07
A vulnerability has been reported in Open Motif, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14473/
--
[SA14472] Red Hat update for HelixPlayer / RealPlayer
Critical: Highly critical   Where: From remote   Impact: System access   Released: 2005-03-04
Red Hat has issued updates for HelixPlayer and RealPlayer. These fix two vulnerabilities, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14472/
--
[SA14460] X11 libXpm XPM Image Buffer Overflow Vulnerability
Critical: Highly critical   Where: From remote   Impact: System access   Released: 2005-03-07
Chris Gilbert has reported a vulnerability in libXpm, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14460/
--
[SA14532] Gentoo update for mlterm
Critical: Moderately critical   Where: From remote   Impact: System access   Released: 2005-03-08
Gentoo has issued an update for mlterm. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14532/
--
[SA14517] Gentoo update for xv
Critical: Moderately critical   Where: From remote   Impact: System access   Released: 2005-03-07
Gentoo has issued an update for xv. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14517/
--
[SA14510] Red Hat update for mozilla
Critical: Moderately critical   Where: From remote   Impact: System access   Released: 2005-03-07
Red Hat has issued an update for mozilla. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14510/
--
[SA14509] mlterm Background Image Integer Overflow Vulnerability
Critical: Moderately critical   Where: From remote   Impact: System access   Released: 2005-03-08
A vulnerability has been reported in mlterm, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14509/
--
[SA14508] Red Hat update for mc
Critical: Moderately critical   Where: From remote   Impact: System access   Released: 2005-03-07
Red Hat has issued an update for mc. This fixes multiple vulnerabilities, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14508/
--
[SA14503] Mandrake update for cyrus-imapd
Critical: Moderately critical   Where: From remote   Impact: DoS, System access   Released: 2005-03-07
MandrakeSoft has issued an update for cyrus-imapd. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14503/
--
[SA14500] Mandrake update for curl
Critical: Moderately critical   Where: From remote   Impact: System access   Released: 2005-03-07
MandrakeSoft has issued an update for curl. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14500/
--
[SA14499] SUSE update for phpMyAdmin
Critical: Moderately critical   Where: From remote   Impact: Exposure of sensitive information, Cross Site Scripting   Released: 2005-03-07
SUSE has issued an update for phpMyAdmin. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose sensitive information.
Full Advisory: http://secunia.com/advisories/14499/
--
[SA14498] SGI Advanced Linux Environment Multiple Updates
Critical: Moderately critical   Where: From remote   Impact: Security Bypass, Cross Site Scripting, Spoofing, Manipulation of data, Exposure of sensitive information, Privilege escalation, DoS, System access   Released: 2005-03-07
SGI has issued a patch for SGI Advanced Linux Environment. This fixes some vulnerabilities, which can be exploited by malicious people to gain knowledge of sensitive information, cause a DoS (Denial of Service), conduct cross-site scripting attacks, conduct FTP command injection attacks, spoof the content of web sites, bypass certain security restrictions, gain escalated privileges, and compromise a user's system.
Full Advisory: http://secunia.com/advisories/14498/
--
[SA14496] SGI Advanced Linux Environment update for imap
Critical: Moderately critical   Where: From remote   Impact: Security Bypass   Released: 2005-03-07
SGI has issued a patch for SGI Advanced Linux Environment. This fixes a vulnerability in imap, which can be exploited by malicious people to bypass the user authentication.
Full Advisory: http://secunia.com/advisories/14496/
--
[SA14491] Sylpheed Message Reply Buffer Overflow Vulnerability
Critical: Moderately critical   Where: From remote   Impact: System access   Released: 2005-03-07
A vulnerability has been reported in Sylpheed, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14491/
--
[SA14488] Gentoo update for hashcash
Critical: Moderately critical   Where: From remote   Impact: System access   Released: 2005-03-07
Gentoo has issued an update for hashcash. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14488/
--
[SA14486] Gentoo update for imagemagick
Critical: Moderately critical   Where: From remote   Impact: System access   Released: 2005-03-07
Gentoo has issued an update for imagemagick. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14486/
--
[SA14485] xv Filename Format String Vulnerability
Critical: Moderately critical   Where: From remote   Impact: System access   Released: 2005-03-07
Tavis Ormandy has reported a vulnerability in xv, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14485/
--
[SA14484] Astaro update for Squid
Critical: Moderately critical   Where: From remote   Impact: System access, DoS, Security Bypass   Released: 2005-03-04
Astaro has issued an update for squid. This fixes multiple vulnerabilities, which can be exploited to cause a DoS (Denial of Service), bypass certain security restrictions, or potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14484/
--
[SA14476] Ubuntu update for imagemagick
Critical: Moderately critical   Where: From remote   Impact: System access   Released: 2005-03-04
Ubuntu has issued an update for imagemagick. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14476/
--
[SA14471] Gentoo update for mozilla-firefox
Critical: Moderately critical   Where: From remote   Impact: Security Bypass, Cross Site Scripting, Spoofing, Manipulation of data, Exposure of sensitive information, System access   Released: 2005-03-07
Gentoo has issued an update for mozilla-firefox. This fixes multiple vulnerabilities, which can be exploited to spoof various information, plant malware on a user's system, conduct cross-site scripting attacks, disclose and manipulate sensitive information, bypass certain security restrictions, perform certain actions on a vulnerable system with escalated privileges, and compromise a user's system.
Full Advisory: http://secunia.com/advisories/14471/
--
[SA14469] Gentoo update for phpmyadmin
Critical: Moderately critical   Where: From remote   Impact: Cross Site Scripting, Exposure of sensitive information   Released: 2005-03-04
Gentoo has issued an update for phpmyadmin. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose sensitive information.
Full Advisory: http://secunia.com/advisories/14469/
--
[SA14466] Imagemagick Filename Handling Format String Vulnerability
Critical: Moderately critical   Where: From remote   Impact: System access   Released: 2005-03-04
Tavis Ormandy has reported a vulnerability in ImageMagick, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14466/
--
[SA14463] Gentoo update for xli / xloadimage
Critical: Moderately critical   Where: From remote   Impact: System access   Released: 2005-03-03
Gentoo has issued updates for xli and xloadimage. These fix some vulnerabilities, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14463/
--
[SA14459] xli Multiple Vulnerabilities
Critical: Moderately critical   Where: From remote   Impact: System access   Released: 2005-03-03
Some vulnerabilities have been reported in xli, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14459/
--
[SA14523] UnixWare update for samba
Critical: Moderately critical   Where: From local network   Impact: DoS, System access   Released: 2005-03-08
SCO has issued an update for UnixWare. This fixes some vulnerabilities in samba, which can be exploited by malicious users to cause a DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14523/
--
[SA14497] SGI Advanced Linux Environment Multiple Updates
Critical: Moderately critical   Where: From local network   Impact: System access, Privilege escalation, Exposure of sensitive information, Manipulation of data   Released: 2005-03-07
SGI has issued a patch for SGI Advanced Linux Environment. This fixes some vulnerabilities, which can be exploited to disclose and manipulate information, gain escalated privileges, or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14497/
--
[SA14539] Conectiva update for squid
Critical: Less critical   Where: From remote   Impact: DoS, Manipulation of data   Released: 2005-03-09
Conectiva has issued an update for squid. This fixes some vulnerabilities, which can be exploited to pollute the cache, or cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14539/
--
[SA14536] Ubuntu update for squid
Critical: Less critical   Where: From remote   Impact: Exposure of sensitive information   Released: 2005-03-09
Ubuntu has issued an update for squid. This fixes a security issue, which may disclose sensitive information to malicious people.
Full Advisory: http://secunia.com/advisories/14536/
--
[SA14515] Drupal Unspecified Cross-Site Scripting Vulnerability
Critical: Less critical   Where: From remote   Impact: Cross Site Scripting   Released: 2005-03-07
A vulnerability has been reported in Drupal, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/14515/
--
[SA14502] Mandrake update for gftp
Critical: Less critical   Where: From remote   Impact: Security Bypass, Manipulation of data   Released: 2005-03-07
MandrakeSoft has issued an update for gftp. This fixes a vulnerability, which can be exploited by malicious people to conduct directory traversal attacks.
Full Advisory: http://secunia.com/advisories/14502/
--
[SA14479] Red Hat update for squid
Critical: Less critical   Where: From remote   Impact: DoS   Released: 2005-03-04
Red Hat has issued an update for squid. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14479/
--
[SA14468] Gentoo update for bidwatcher
Critical: Less critical   Where: From remote   Impact: System access   Released: 2005-03-04
Gentoo has issued an update for bidwatcher. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14468/
--
[SA14462] Xloadimage Compressed Images Filename Shell Command Injection
Critical: Less critical   Where: From remote   Impact: System access   Released: 2005-03-03
Tavis Ormandy has reported a vulnerability in Xloadimage, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14462/
--
[SA14521] UnixWare update for squid
Critical: Less critical   Where: From local network   Impact: DoS   Released: 2005-03-08
SCO has issued an update for UnixWare. This fixes a vulnerability in squid, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14521/
--
[SA14535] Debian update for kdenetwork
Critical: Less critical   Where: Local system   Impact: Manipulation of data   Released: 2005-03-09
Debian has issued an update for kdenetwork. This fixes a vulnerability, which can be exploited by malicious, local users to manipulate the contents of certain files.
Full Advisory: http://secunia.com/advisories/14535/
--
[SA14534] Ubuntu update for perl-modules
Critical: Less critical   Where: Local system   Impact: Privilege escalation   Released: 2005-03-09
Ubuntu has issued an update for perl-modules, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/14534/
--
[SA14531] Perl "File::Path::rmtree" Directory Permissions Race Condition
Critical: Less critical   Where: Local system   Impact: Privilege escalation   Released: 2005-03-09
Paul Szabo has reported a vulnerability in Perl "File::Path::rmtree", which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/14531/
--
[SA14525] Gentoo update for kdelibs
Critical: Less critical   Where: Local system   Impact: Privilege escalation   Released: 2005-03-08
Gentoo has issued an update for kdelibs. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions with escalated privileges on a vulnerable system.
Full Advisory: http://secunia.com/advisories/14525/
--
[SA14519] Debian update for abuse
Critical: Less critical   Where: Local system   Impact: Privilege escalation   Released: 2005-03-08
Debian has issued an update for abuse. This fixes some vulnerabilities, which can be exploited by malicious, local users to overwrite files or gain escalated privileges.
Full Advisory: http://secunia.com/advisories/14519/
--
[SA14514] grsecurity Unspecified RBAC System Privilege Escalation
Critical: Less critical   Where: Local system   Impact: Privilege escalation   Released: 2005-03-07
A vulnerability has been reported in grsecurity, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/14514/
--
[SA14495] Abuse-SDL Multiple Vulnerabilities
Critical: Less critical   Where: Local system   Impact: Privilege escalation   Released: 2005-03-08
Some vulnerabilities have been reported in Abuse-SDL, which can be exploited by malicious, local users to overwrite files or gain escalated privileges.
Full Advisory: http://secunia.com/advisories/14495/
--
[SA14490] grsecurity Unspecified Privilege Escalation Vulnerability
Critical: Less critical   Where: Local system   Impact: Privilege escalation   Released: 2005-03-07
A vulnerability has been reported in grsecurity, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/14490/
--
[SA14489] PaX Unspecified Privilege Escalation Vulnerability
Critical: Less critical   Where: Local system   Impact: Privilege escalation   Released: 2005-03-07
A vulnerability has been reported in PaX, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/14489/
--
[SA14480] Red Hat update for kdenetwork
Critical: Less critical   Where: Local system   Impact: Manipulation of data   Released: 2005-03-04
Red Hat has issued an update for kdenetwork. This fixes a vulnerability, which can be exploited by malicious, local users to manipulate the contents of certain files.
Full Advisory: http://secunia.com/advisories/14480/
--
[SA14501] Mandrake update for gaim
Critical: Not critical   Where: From remote   Impact: DoS   Released: 2005-03-07
MandrakeSoft has issued an update for gaim. This fixes three weaknesses, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14501/ Other:-- [SA14544] UTStarcom iAN-02EX VoIP ATA Reset Security Bypass Critical: Less critical Where: From local network Impact: Security Bypass Released: 2005-03-09 Atom Smasher has reported a security issue in UTStarcom iAN-02EX, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/14544/ -- [SA14507] Xerox MicroServer Web Server Unauthorised Access Vulnerability Critical: Less critical Where: From local network Impact: Security Bypass Released: 2005-03-07 A vulnerability has been reported in Xerox MicroServer Web Server, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/14507/ Cross Platform:-- [SA14528] mcNews "skinfile" Arbitrary File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2005-03-08 Filip Groszynski has reported a vulnerability in mcNews, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14528/ -- [SA14483] Ca3DE Format String and Denial of Service Vulnerabilities Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2005-03-04 Luigi Auriemma has reported two vulnerabilities in Ca3DE, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14483/ -- [SA14540] Ethereal "dissect_a11_radius()" Buffer Overflow Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2005-03-09 A vulnerability has been reported in Ethereal, which potentially can be exploited by malicious people to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/14540/ -- [SA14538] BLOG:CMS PunBB SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-03-09 A vulnerability has been reported in BLOG:CMS, which potentially can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/14538/ -- [SA14533] ProjectBB Cross-Site Scripting and SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2005-03-09 Benjilenoob has reported two vulnerabilities in ProjectBB, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks. Full Advisory: http://secunia.com/advisories/14533/ -- [SA14520] Xoops Avatar Upload File Extension Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2005-03-09 pokleyzz has reported a vulnerability in Xoops, which potentially can be exploited by malicious users to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/14520/ -- [SA14487] Hashcash "From:" Format String Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2005-03-07 Tavis Ormandy has reported a vulnerability in Hashcash, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/14487/ -- [SA14474] PHP-Nuke Pabox Module Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2005-03-04 Rift has reported a vulnerability in the Pabox module for PHP-Nuke, which can be exploited by malicious people to conduct script insertion attacks. 
Full Advisory: http://secunia.com/advisories/14474/ -- [SA14465] TYPO3 CMW Linklist Extension "category_uid" SQL Injection Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-03-04 Fabian Becker has reported a vulnerability in the CMW Linklist extension for TYPO3, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/14465/ -- [SA14458] auraCMS Cross-Site Scripting and SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2005-03-03 y3dips has reported some vulnerabilities in auraCMS, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks. Full Advisory: http://secunia.com/advisories/14458/ -- [SA14542] Participate Enterprise Denial of Service Vulnerabilities Critical: Less critical Where: From remote Impact: DoS Released: 2005-03-09 Altrus Wollesen has reported a vulnerability in Participate Enterprise, which can be exploited by malicious users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/14542/ -- [SA14516] phpMyFaq "username" SQL Injection Vulnerability Critical: Less critical Where: From remote Impact: Manipulation of data Released: 2005-03-07 Sven Michels has reported a vulnerability in phpMyFaq, which can be exploited by malicious users to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/14516/ -- [SA14493] phpBB Autologin Security Bypass Vulnerability Critical: Less critical Where: From remote Impact: Security Bypass Released: 2005-03-08 "Some one" has reported a vulnerability in phpBB, which can be exploited by malicious people to bypass certain security restrictions. 
Full Advisory: http://secunia.com/advisories/14493/ -- [SA14492] PHP-Fusion HTML Encoded BBcode Script Insertion Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-03-08 FireSt0rm has reported a vulnerability in PHP-Fusion, which can be exploited by malicious users to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/14492/ -- [SA14475] phpBB Signature Script Insertion Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-03-07 Paisterist has reported a vulnerability in phpBB, which can be exploited by malicious users to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/14475/ -- [SA14464] D-Forum "page" Parameter Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-03-03 benjilenoob has reported a vulnerability in D-Forum, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/14464/ -- [SA14527] Novell iChain Administrator Session Hijacking Vulnerability Critical: Less critical Where: From local network Impact: Hijacking, Security Bypass Released: 2005-03-09 Francisco Amato has reported a vulnerability in iChain, which can be exploited by malicious people to bypass the user authentication. Full Advisory: http://secunia.com/advisories/14527/ -- [SA14537] Novell iChain FTP Server Path Disclosure Weakness Critical: Not critical Where: From remote Impact: Exposure of system information Released: 2005-03-09 A weakness has been reported in Novell iChain, which can be exploited by malicious people to gain knowledge of certain system information. Full Advisory: http://secunia.com/advisories/14537/ ======================================================================== Secunia recommends that you verify all advisories you receive, by clicking the link. 
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

From isn at c4i.org Fri Mar 11 05:10:25 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 11 05:15:46 2005
Subject: [ISN] UK firms haemorrhaging data to drive-by hackers
Message-ID:

http://www.vnunet.com/news/1161837

Robert Jaques
vnunet.com
10 Mar 2005

The explosion of wireless networks is leaving global businesses wide open to 'drive-by hacking' and other security risks, experts have warned.

According to research released today, more than a third of businesses worldwide with wireless networks are open to abuse from hackers and criminals in the street or a neighbouring building.

The study, commissioned by RSA Security, estimated that wireless networks in Europe's financial capitals alone are growing at an annual rate of 66 per cent, and more than a third of businesses remain unprotected from this type of attack.

"For a potential hacker it is almost a case of walking down the street and trying all the doors until one opens. It is almost inevitable that one will," said John Worrall, vice president of worldwide marketing at RSA Security.

The research was based on studies in the business centres of New York, San Francisco, London and Frankfurt. Some 38 per cent of businesses in New York, 35 per cent in San Francisco, 36 per cent in London and 34 per cent in Frankfurt were at risk from drive-by hacking.

The study also revealed that many businesses had failed to take even basic security precautions such as reconfiguring default network settings.
This means that wireless network access points could still be broadcasting valuable information that could be used by potential hackers and assisting them in launching an attack. In London 26 per cent of access points still had default settings, 30 per cent in Frankfurt, 31 per cent in New York and 28 per cent in San Francisco.

In addition to the business security issues, researchers also found an explosion in public access wireless hotspots; 12 per cent of all wireless network access points in London fell into this category, compared with 24 per cent in Frankfurt, 21 per cent in New York and 12 per cent in San Francisco.

"These figures are another stark warning to unsecured businesses to get their act together," said Phil Cracknell, chief technology officer at NetSurity and the author of the research.

"The rapid rise of wireless public access hotspots runs in parallel to the increased risk to businesses that operate wireless networks with little or no security.

"Accidental or intentional connection to a corporate network can bring with it a series of security issues including loss of confidential data and installation of malicious code.

"Fuelled by the availability and abundance of hotspots, mobile users now expect to find, and know how to use, a wireless network. The question is whose network will they access, and what will they do when they are there?"

Worrall added: "These results reinforce why it is crucial to increase the understanding of security risks in the wired and wireless world.

"This is the fourth year of our survey and the situation shows no sign of improvement. While it is clear that businesses are benefiting from the flexibility and ease-of-use of wireless technology, they must also ensure that the right security steps are taken to protect against exploitation."

The researchers used a laptop computer and free software available from the internet to pick up information from company wireless networks simply by driving around the streets.
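The survey above reports three headline figures per city: access points with no protection, access points still on default settings, and public hotspots. The following is an added example, not code from the article or from RSA Security or NetSurity, showing how a network owner could compute the same figures over an export of their own site survey before an outsider does. The CSV layout, the column names, the factory SSID list and the survey rows are all constructed for the example; the one detail the article's percentages depend on, which the code handles explicitly, is that the same radio heard several times while driving past must be counted once.

```python
import csv
import io
from collections import Counter

# Constructed sample of a site-survey export (not data from the RSA/NetSurity study).
# Columns: city, bssid, ssid, encryption ("none", "wep", "wpa"), public_hotspot.
SAMPLE_SURVEY = """\
city,bssid,ssid,encryption,public_hotspot
London,00:11:22:33:44:01,linksys,none,no
London,00:11:22:33:44:01,linksys,none,no
London,00:11:22:33:44:02,acme-finance,wpa,no
London,00:11:22:33:44:03,default,wep,no
London,00:11:22:33:44:04,BTopenzone,none,yes
Frankfurt,00:11:22:33:44:05,WLAN,none,no
Frankfurt,00:11:22:33:44:06,bank-corp,wpa,no
Frankfurt,00:11:22:33:44:07,tmobile,none,yes
Frankfurt,00:11:22:33:44:08,bank-guest,none,no
"""

# Assumed list of factory SSIDs; a real audit would use the vendors' documented defaults.
DEFAULT_SSIDS = {"linksys", "default", "wlan", "netgear", "dlink", "tsunami"}


def parse_survey(text):
    """Parse the CSV export, keeping the first sighting of each BSSID only."""
    seen = {}
    for row in csv.DictReader(io.StringIO(text)):
        bssid = row["bssid"].lower()
        if bssid in seen:
            continue  # same radio heard again on another pass; count it once
        seen[bssid] = row
    return list(seen.values())


def classify(ap):
    """Return the findings for one access point.

    Public hotspots are reported separately, as in the study, so they are
    not also counted as unprotected business networks.
    """
    if ap["public_hotspot"] == "yes":
        return ["hotspot"]
    findings = []
    if ap["encryption"] == "none":
        findings.append("open")
    if ap["ssid"].lower() in DEFAULT_SSIDS:
        findings.append("default_ssid")
    return findings


def audit(text):
    """Per-city percentages mirroring the study's three headline figures."""
    by_city = {}
    for ap in parse_survey(text):
        by_city.setdefault(ap["city"], []).append(ap)
    report = {}
    for city, group in by_city.items():
        total = len(group)
        counts = Counter(f for ap in group for f in classify(ap))
        report[city] = {
            "total": total,
            "open_pct": round(100 * counts["open"] / total),
            "default_pct": round(100 * counts["default_ssid"] / total),
            "hotspot_pct": round(100 * counts["hotspot"] / total),
        }
    return report


if __name__ == "__main__":
    for city, figures in audit(SAMPLE_SURVEY).items():
        print(city, figures)
```

The interesting rows for a defender are the ones `classify` tags `default_ssid` even when encryption is on (the `default` SSID with WEP in the sample): a factory name usually means the rest of the configuration, including the admin password, was never changed either.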
From isn at c4i.org Fri Mar 11 05:10:39 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 11 05:15:48 2005
Subject: [ISN] Windows NT4 servers open to hackers
Message-ID:

http://www.theage.com.au/news/Breaking/Windows-NT4-servers-open-to-hackers/2005/03/11/1110417668599.html

By Sam Varghese
March 11, 2005

Hundreds of thousands of websites which run on Windows NT4 are vulnerable to a critical flaw in a key Windows networking protocol, the network services firm Netcraft says.

The flaw, in the server message block (SMB) protocol, could allow a remote attacker to seize control of a vulnerable server. This protocol allows Windows computers to share files and printers on a network.

Microsoft issued an advisory for the flaw on February 8 but patches were issued only for recent versions of Windows - 2000 Service Pack 3 and Service Pack 4, XP Service Pack 1 and Service Pack 2, XP 64-Bit Edition Service Pack 1 (Itanium), XP 64-Bit Edition Version 2003 (Itanium), Server 2003 and Server 2003 for Itanium-based Systems.

Microsoft ended official support for Windows NT 4.0 on December 31 last year.

Security firm eEye Digital Security raised the issue on the BugTraq vulnerability mailing list by pointing out that Microsoft would not be releasing a public Windows NT 4.0 patch for this flaw as this version of Windows had reached its end of life.

"Microsoft has, however, created a private patch for customers who have paid for extended Windows NT 4.0 support," eEye's chief hacking officer Marc Maiffret wrote.

He said if an organisation was unlucky enough to still have Windows NT 4.0 systems and was unable to pay for extended support then there were not many options to ensure that their systems were safe.

Netcraft said that in its latest monthly survey of websites, it had found 1.1 percent of web-facing hostnames continued to run NT4. The survey found a total of over 60 million sites.

Maiffret said there was a way to defend against some attacks.
"One way we found to mitigate these attacks, at least some of them, is to enable SMB Signing. This does not truly mitigate the attack but instead it creates change in the SMB protocol that most attack tools I have seen do not support," he wrote.

Microsoft has been asking customers to upgrade to Server 2003, citing security as a reason.

From isn at c4i.org Mon Mar 14 04:41:40 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Mar 14 04:54:18 2005
Subject: [ISN] Personal information taken in Nevada DMV office break-in
Message-ID:

http://www.lasvegassun.com/sunbin/stories/nevada/2005/mar/11/031110432.html

By KEN RITTER
ASSOCIATED PRESS
March 11, 2005

NORTH LAS VEGAS, Nev. (AP) - Personal information from more than 8,900 people was stolen when thieves broke into a Nevada Department of Motor Vehicles office, officials said Friday.

A computer taken during the break-in contained names, ages, dates of birth, Social Security numbers, photographs and signatures of southern Nevada residents who obtained driver's licenses between Nov. 25 and March 4 at the North Las Vegas office, state DMV chief Ginny Lewis said.

"The state is extremely sorry that this has happened," Lewis said. "Those motorists whose data was on that computer need to know their personal information has been compromised."

The DMV had previously maintained that the information on the computer stolen in Monday's break-in was encrypted, making it virtually useless to thieves. But Lewis said Friday that Digimarc Corp., the Beaverton, Ore.-based company that provides digital driver's licenses in Nevada, told her Thursday the information was not encrypted, and was readily accessible.

Miz Nakajima, Digimarc spokeswoman, said Friday she could not comment on specifics about state DMV customers or the Nevada theft. The publicly traded company provides a service Nakajima called "digital watermarking" to motor vehicle departments in 34 states and the District of Columbia.
All 21 Nevada DMV licensing stations around the state were ordered by the end of the day Friday to remove personal information from computers to prevent a recurrence, Lewis said.

The Nevada DMV planned to send certified letters by next week informing the 8,900 drivers who obtained licenses at the Donovan Way office in North Las Vegas that their personal information was in the hands of thieves.

The licenses of each motorist will be canceled and a new license will be issued with new identification numbers, Lewis said during a news conference outside the office at the end of a remote industrial road wedged between Interstate 15 and the Union Pacific railroad tracks.

Paul Masto, assistant special agent in charge of the U.S. Secret Service office in Las Vegas, said the agency was investigating. He urged those affected to take precautions against identity theft.

"That's the juicy stuff - the dates of birth, the Social Security numbers," Masto said. "They have that information. There's nothing we can do about that."

The Nevada DMV data theft comes after personal information was stolen from a database owned by the information broker LexisNexis and from the giant data broker ChoicePoint Inc. Another data loss affected some 1.2 million federal employees with Bank of America charge cards.

North Las Vegas police were following several leads in the DMV case, department spokesman Officer Tim Bedwell said. He said the initial investigation was hampered by the lack of video surveillance. Lewis said she was seeking federal and state funds to install cameras at DMV offices throughout Nevada.

Police said thieves smashed a vehicle through a back wall of the office and escaped before police arrived a half-hour later. In addition to the computer, thieves took a camera, 1,700 license blanks and laminated plastic covers bearing the embossed state seal.

Authorities said the equipment could be used to manufacture licenses virtually indistinguishable from legitimate Nevada driver's licenses.
The state's top homeland security adviser said he notified federal Homeland Security officials about the break-in.

-=-

On the Net:
Nevada Department of Motor Vehicles: http://www.dmvstat.com

From isn at c4i.org Mon Mar 14 04:42:03 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Mar 14 04:54:21 2005
Subject: [ISN] 2001: Bush Warned of Tech Dangers
Message-ID:

Forwarded from: William Knowles

http://www.wired.com/news/privacy/0,1848,66884,00.html

Associated Press
March 13, 2005

WASHINGTON -- The nation's electronic intelligence agency warned President Bush in 2001 that monitoring U.S. adversaries would require a "permanent presence" on networks that also carry Americans' messages that are protected from government eavesdropping.

The warning was contained in a National Security Agency report entitled "Transition 2001," sent to Bush shortly after he took office and reflects the agency's major concerns at the time.

The report was obtained under the Freedom of Information Act by the National Security Archive, a private security watchdog group at George Washington University that made the document public.

The papers offer a rare glimpse into the usually publicity-shy NSA, which monitors communications involving foreign targets and does code-making and breaking.

The document showed an agency making a case to the White House that information security should be a top priority. It raised questions about how new global communications technologies were challenging the Constitution's protections against unreasonable searches and seizures.

"Make no mistake, NSA can and will perform its missions consistent with the Fourth Amendment and all applicable laws," the document says.

But, it adds, senior leadership must understand that the NSA's mission will demand a "powerful, permanent presence" on global telecommunications networks that host both "'protected' communications of Americans" and the communications of adversaries the agency wants to target.
The document also said the global nature of technology leaves government and private networks more vulnerable to penetration by enemies.

The report said the agency was concerned that federal and private digital networks were now "more vulnerable to foreign intelligence operations and to compromise."

The documents indicate the NSA was going on an offensive using the new modes of communication -- mostly digital and able to carry billions of bits of data. It says the agency is "prepared organizationally, intellectually and -- with sufficient investment -- technologically to exploit in an unprecedented way the explosion of global communications."

NSA was also concerned about the security of its parent agency, the Defense Department. In 1999, the document says, the department experienced over 22,000 cyber attacks, most of which had little effect on operations.

"During the presidential transition period, a major cyber attack is possible," the agency warned. But no significant cyber attack occurred then.

In the 42-page report, the agency said it had tried to transform itself from an entity nicknamed "No Such Agency" by dispatching its director to public events and reaching out to the media. The agency said media representatives were invited inside the agency for family day in September 2000.

Staffing was clearly a concern of the agency. The documents show a sharp drop in civilian personnel after the end of the cold war. In 2001, there were just over 16,000 civilians, down from 22,000 in early 2001. At the time, 19 percent of the work force was eligible for early retirement.

Since the Sept. 11, 2001, attacks, intelligence agencies have gone on a hiring spree. The NSA announced last April it intended to hire 1,500 new employees a year for the next five years, focusing on people fluent in foreign languages including Arabic and Chinese, intelligence analysts and technical experts.
*==============================================================*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Mon Mar 14 04:42:16 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Mar 14 04:54:24 2005
Subject: [ISN] 140 Kaiser patients' private data put online
Message-ID:

http://www.siliconvalley.com/mld/siliconvalley/11110907.htm

By Barbara Feder Ostrov
Mercury News
March 11, 2005

In a troubling episode involving medical privacy in the digital age, Kaiser Permanente is notifying 140 patients that a disgruntled former employee posted confidential information about them on her Weblog.

The woman, who calls herself the "Diva of Disgruntled," claims it was Kaiser Permanente that included private patient information on systems diagrams posted on the Web, and that she pointed it out.

The health care giant learned of the breach from the federal Office of Civil Rights in January, said Kaiser spokesman Matthew Schiffgens. Kaiser has been investigating ever since, Schiffgens said, but it wasn't until Wednesday that it asked the Internet service provider hosting the blog to remove the information.

Kaiser has not been able to verify the woman's claims that it was responsible for posting private patient information, said Schiffgens.

"If we had a role in making that available, we have a right to be criticized for that," Schiffgens said. "Regardless of how it happened, her initial postings are clearly a breach of her obligation to protect member confidentiality."

The woman, who identified herself only as "Elisa," told the Mercury News Kaiser posted patient information on an unsecured technical Web site and that she called attention to it before Kaiser took the site down.
She also said that she reposted the information on another site to make the point that anyone could have gained access to this information, since it had been widely available on the Web for a year. She said she also filed a complaint with the federal Office of Civil Rights about the security breach.

The information includes medical record numbers, patient names and in some cases information about, but not results of, routine lab tests.

The former employee apparently reposted the information Thursday, but it was again removed, Schiffgens said.

Kaiser contacted or left messages with 90 of the 140 members Thursday to alert them to the security breach, and hopes to reach the remaining members today. The patients were dispersed throughout Northern California, Schiffgens said.

"We apologize regarding this unlawful disclosure," he said. "We take our members' confidential and personal information very seriously."

Schiffgens said the woman was a low-level Web designer who worked for the Kaiser Permanente Medical Group in Oakland. She was terminated in June 2003, but Schiffgens would not say why or release her name. Kaiser will take legal action against the woman if warranted, Schiffgens said.

Under federal health privacy rules known as HIPAA, the woman could face up to $250,000 in fines and 10 years in prison for unauthorized disclosure of patient information.

From isn at c4i.org Mon Mar 14 04:42:43 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Mar 14 04:54:27 2005
Subject: [ISN] AOL's Terms of Service Update for AIM Raises Eyebrows
Message-ID:

http://www.eweek.com/article2/0,1759,1775649,00.asp

By Ryan Naraine
March 12, 2005

America Online, Inc. has quietly updated the terms of service for its AIM instant messaging application, making several changes that are sure to raise the hackles of Internet privacy advocates.

The revamped terms of service, which apply only to users who downloaded the free AIM software on or after Feb. 5, 2004, give AOL the right to "reproduce, display, perform, distribute, adapt and promote" all content distributed across the chat network by users.

"You waive any right to privacy. You waive any right to inspect or approve uses of the content or to be compensated for any such uses," according to the AIM terms-of-service.

Although the user will retain ownership of the content passed through the AIM network, the terms give AOL ownership of "all right, title and interest in any compilation, collective work or other derivative work created by AOL using or incorporating this [user] content.

"In addition, by posting content on an AIM Product, you grant AOL, its parent, affiliates, subsidiaries, assigns, agents and licensees the irrevocable, perpetual, worldwide right to reproduce, display, perform, distribute, adapt and promote this content in any medium," it added.

The changes could have serious ramifications for AOL's AIM@Work service which is being marketed to businesses. AIM@Work offers things like Identity Services to allow the use of corporate e-mail address as AOL screen names. It also offers premium services like voice conferencing and Web meetings.

At the time of this reporting, it is not clear if the same terms of service apply to businesses who pay for the AIM@Work features.

America Online executives were not available to discuss the terms of service changes.

On [2] Weblogs [3] and discussion forums [4], the discovery of the updated AIM terms of service has led to intense discussions.

"They're encouraging businesses to use AIM to discuss details of their business correspondence, even to sync their Outlook contact and calendar files, which, according to their TOS, AOL then has the right to publish in any way they see fit, including, among other things, providing that information to business competitors. I'd be pretty damn leery of using AIM@Work for any kind of business," said Ben Stanfield, executive editor and founder of MacSlash, Inc.
[1] http://www.aim.com/tos/tos.adp
[2] http://www.eweek.com/article2/0,1759,1770845,00.asp
[3] http://www.benstanfield.com/thrash/2005/03/aol_eavesdrops_.html
[4] http://yro.slashdot.org/article.pl?sid=05/03/11/2359226&tid=120&tid=158&tid=17

From isn at c4i.org Mon Mar 14 04:43:29 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Mar 14 04:54:29 2005
Subject: [ISN] Government Agencies To Get Early Dibs On Windows Patches
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml?articleID=159401297

By Eric Chabrow
InformationWeek
March 11, 2005

Microsoft will give the Air Force and other federal agencies software patches to test a month before the general public receives them. The arrangement is part of Microsoft's Security Update Validation Program, a "closed beta program" introduced within the past 12 months.

Microsoft will begin giving prerelease software patches to the Air Force, The Wall Street Journal reported Friday. The Department of Homeland Security will give advance notice of the new vulnerabilities to other government agencies and distribute the patches to them after they've been tested by the Air Force, the newspaper reported.

Advance testing will make it possible for government agencies to install the patches as soon as Microsoft releases the final versions. That's aimed at helping agencies stay ahead of hackers, who often are able to develop attacks that exploit a software hole less than a week after Microsoft discloses the vulnerability.

The early-access program is also available to select business customers. The software updates are provided to program participants only for testing purposes, a Microsoft spokesman says. "Customers are specifically prohibited from deploying these security updates in a production environment," the spokesman says via E-mail. "Participants are testing prerelease software, therefore the updates are provided only to deploy in a test environment.
Participants can only deploy the security updates to their entire infrastructure when they are released to the general public." The issue of providing advance access to security bulletins and software patches is a sensitive subject for Microsoft and other software vendors, who need to ensure that information and code don't find their way to hackers before final patches are available for all customers. And customers who don't receive advance notice may believe they're at a disadvantage. From isn at c4i.org Mon Mar 14 04:43:43 2005 From: isn at c4i.org (InfoSec News) Date: Mon Mar 14 04:54:32 2005 Subject: [ISN] Security experts hit out at "unethical" bug finder Message-ID: http://software.silicon.com/security/0,39024655,39128621,00.htm By Will Sturgeon silicon.com March 11, 2005 Security experts have hit out at US firm Immunity Inc, which provides paid-up members with vulnerability information under non-disclosure agreements (NDA), which it subsequently keeps from vendors and the world at large. A silicon.com article last week revealed Immunity and its founder Dave Aitel have been causing a stir in the security world in recent months with a business model branded "unethical" but entirely above-board. The greatest source of growing concern appears to focus on the NDA and the potential for anybody to sign up and pay the price for notification of vulnerabilities. One rival bug finder, who operates along the more traditional lines of informing the affected vendor of the flaw in its product and working with them to patch it before releasing any details of the vulnerability, has hit out at Immunity Inc. Drew Copley, senior research engineer at eEye Digital Security, told silicon.com the situation of signing members to a non-disclosure agreement in return for information on security vulnerabilities is "extremely unethical". "What are these people missing here?" asked Copley. "Are they crazy? 
What prevents any organised criminal group or criminal from getting on there and signing a NDA?" "We treat security vulnerabilities that are not fixed yet by the vendor as state secrets. Selling them to anyone who would pose as a company or sign a NDA is highly unethical." Copley said even "total disclosure", whereby everybody . vendors, researchers and the general public alike - is given the information at the same time would be preferable. eEye was last week credited for working with Computer Associates to fix flaws in CA's licensing software. Simon Perry, VP security strategy at CA, told silicon.com: "Knowledge cannot be effectively controlled. NDAs in the IT community as a whole are not taken seriously and there do not appear to be adequate controls to ensure that the information does not leak to those who have an interest in creating a dangerous exploit." "The business model deliberately creates a culture of the security haves, and the security have-nots. It does not improve security overall," he added. Perry also questioned whether Aitel's customers are getting value for money. Because vendors are kept out of the loop, flaws go un-patched while Immunity's customers are given a workaround. "You're given a workaround by Immunity, but you don't have a fix . a patch from the vendor that permanently addresses the problem. The door is closed, but it's not locked shut." From isn at c4i.org Mon Mar 14 04:44:16 2005 From: isn at c4i.org (InfoSec News) Date: Mon Mar 14 04:54:34 2005 Subject: [ISN] Computer security pioneer honored Message-ID: http://www.montereyherald.com/mld/montereyherald/news/11109598.htm By KEVIN HOWE Herald Staff Writer March. 11, 2005 First came the automobile. Then came anti-lock brakes, seat belts and air bags. The evolution of the computer has followed a similar path, said a woman who was a pioneer in the field of computer security: first the invention, then the safety devices. 
Dorothy Denning, professor in the Department of Defense Analysis at the Naval Postgraduate School, literally wrote the book on computer security. "Cryptography and Data Security," published by Addison-Wesley in 1982, is a classic textbook in the field.

Denning previously taught at Georgetown University, where she was the Callahan Family Professor of Computer Science and director of the Georgetown Institute of Information Assurance, and at Purdue University. She came to the Navy school in 2002 because "it seemed like an interesting and challenging environment and because I have a lot of respect for what the school is doing.

"It is definitely the leading edge in information security," she said.

In February, Denning was honored with the prestigious 2004 Harold F. Tipton Award, which recognizes lifelong contributions to the improvement of the information security profession.

One of two women

Denning was one of two women in the field when she earned her doctorate. The other was Anita Jones "who finished her Ph.D. thesis a couple of years before I did."

She holds bachelor's and master's degrees in mathematics from the University of Michigan and her doctorate in computer science from Purdue University.

When she first became involved with computers in the 1960s, "there were no mice, no PCs, no screens, no portable media like CDs and disks; you couldn't even get remote access. You worked in a room with the machine."

When remote terminals did become available, Denning said, they were hard-wired to the computer. Data spewed out on punched tape, punch cards and magnetic tape. "Security was room security, protection of physical access" to the computer.

Then came time-sharing. The security problem in those early days "was vastly simpler," she said. "There were no malicious codes, no viruses, no spam, no Internet fraud."

The professional literature in the field was written by a handful of academics "and you could read all of them, be fully up on their thinking. Now the field is so vast, there is a huge number of people in academia and security professionals. You can't possibly read it all."

The Internet, once the exclusive domain of scientists, academics and the military, was opened by the personal computer to people of all walks of life, including advertisers and criminals. Suddenly the world of cyberspace was vulnerable, and its inhabitants needed locks and keys to protect themselves.

Fast-moving technology

When personal computers came online, technology was moving so fast and the job of building a really secure system was so hard that the computer developers were continually outpacing the security developers.

"It was not a high enough priority among the buyers," she said. Buyers just wanted to get a fast operating system up and running and didn't want to spend money on security systems. "Now there's a lot more interest."

Users of the Internet, Denning said, should take the same attitude they have when they go out on the street. You can be assaulted, mugged or pickpocketed in either place. "It's not possible to prevent every crime," she said. "You can't have absolute security."

But, she said, she's never had any qualms about doing her shopping on the Net or conducting business over it. Users just need to apply some virtual street smarts.

"When in doubt," she said, "don't provide personal information. Sites that ask for confidential information are mostly a scam."

Users shouldn't fear to use credit when dealing with established companies like eBay or Amazon.com, she said. "I wouldn't advise you not to engage in e-commerce."

Users should keep their computers "patched" with updates and download any fixes from their service providers, she said. And they should get one good virus protection system from a major provider, such as Symantec. You just need one, Denning said. "They all do pretty much the same thing." Such antivirus programs should also be kept up to date.

Precautions can protect a user's privacy, credit and bank account.

Government and industry have vital interests in securing their data systems, she said, to protect classified information and the systems that run power and transportation grids, oil and water distribution systems.

Her work in the past has been developing ways of detecting hacker attacks on such systems, and the problem of a terrorist onslaught against the U.S. Internet has been part of war games at the Navy school annually. The usual scenario, she said, combines a cyber attack with a physical attack against some vital installation.

Denning said computer systems "have a lot of redundancy and resilience," and an attack will likely be met with "a lot of cooperation" to fend it off. Undoubtedly, she said, such cyber attacks have already been launched and squelched since the 9/11 terrorist attacks.

Good place to teach

Teaching at NPS, Denning said, is a pleasure. "The students bring into the classroom very, very rich experiences" from time spent at sea or in the field as well as from their studies. "They're also extremely smart and dedicated. And they do their work on time. I've never worked where you could count on students to be on time, and they turn in superior work. I like reading their assignments."

In addition to her academic work, Denning has worked at SRI International and Digital Equipment Corp. She has published 120 articles and four books, her most recent being "Information Warfare and Security," including "Is Cyber Terror Next?" in the essay collection "Understanding September 11," published by The New Press in 2002. Two other articles are awaiting publication: "Cyber Security as an Emergent Infrastructure," to appear in "IT and Global Security," published by The New Press and "Information Technology and Security" to appear in "Grave New World," Georgetown University Press. In November 2001, she was named a Time magazine innovator.

Her leadership positions have included president of the International Association for Cryptologic Research and chair of the National Research Council Forum on Rights and Responsibilities of Participants in Network Communities.

From isn at c4i.org Mon Mar 14 04:47:23 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Mar 14 04:54:37 2005
Subject: [ISN] Inside the Ring
Message-ID:

http://washingtontimes.com/national/20050311-123922-9537r.htm

By Bill Gertz and Rowan Scarborough
THE WASHINGTON TIMES
March 11, 2005

[...]

China breaks code?

The U.S. code-breaking community is worried about China's advances in cracking U.S. codes. Three Chinese cryptologists last month reported they had found a way to crack a U.S. government-approved information security system known as SHA-1, or Secure Hash Algorithm-1.

The SHA-1 encryption is used widely within the U.S. government, including the Pentagon and U.S. intelligence community. It is currently the Federal Information Processing Standard and has been since 1994.

Put simply, SHA-1 is a security authentication device that is used to verify the integrity of digital media, and to make sure that data or messages, such as secure e-mail, are not changed during transmission.

Chinese researchers, Xiaoyun Wang, Yiqun Lisa Yin and Hongbo Yu reported in a paper Feb. 13 that they had "developed new techniques that are very effective" for breaking SHA-1 code, without using time-consuming "brute force" attacks.

The National Institute of Standards and Technology (NIST), which made SHA-1 a federal standard, said in a statement that it could not confirm the Chinese code-breaking but noted that the three researchers are "reputable" specialists with cryptographic expertise.

NIST said the new "attack" or code-breaking "is of particular importance in digital signature applications, such as time-stamping, and notarization."
But the institute sought to play down the implications of the Chinese claim, stating that the method described in the paper will be "difficult to carry out in practice."

Still, the U.S. government is phasing out SHA-1 over the next five years. "Due to advances in computing power, NIST already planned to phase out SHA-1 in favor of the larger and stronger hash functions (SHA-224, SHA-256, SHA-384 and SHA-512) by 2010," the statement said.

Disclosure of the code break followed China's publication of a defense white paper in December that identifies the use of information technology as a central element of Chinese military doctrine.

U.S. defense officials say China's military believes its cyber-soldiers can successfully cripple the U.S. military by attacking key computer-run infrastructures and other information networks.

Daniel E. Spisak, a private security engineer, said China is capable of building its own SHA-1 "cracker" using computers. "This could potentially allow them to access sensitive systems," he said. "However, from what small knowledge I do have of how secure data links get set up for some kinds of DOD projects, I think it would be very difficult to exploit the SHA-1 [code break] to their advantage."

The danger, he noted in an e-mail, is that China could exploit a security lapse in U.S. government networks and systems.

Mr. Spisak said as long as U.S. government computers are properly protected by multiple layers of defense and authentication mechanisms, "one can ensure it is sufficiently difficult to gain illegal access to sensitive networks and systems even with one part failing." But if proper security precautions are not taken, "then all bets could be off," he said.

Bruce Schneier, a cryptography and security specialist, said the Chinese breakthrough is not alarming. But he noted that within the U.S. National Security Agency there is an old saying: "Attacks always get better; they never get worse."

[...]
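The NIST statement quoted above names the SHA-2 family (SHA-224, SHA-256, SHA-384, SHA-512) as the replacement for SHA-1. What that phase-out looks like in an integrity-checking tool is shown by the following added example, which is not code from the Washington Times article, from NIST or from the researchers named: a small manifest verifier in Python that stores the hash algorithm beside each digest, still verifies SHA-1 entries but reports them as deprecated, rejects any algorithm outside the allowed set, and migrates SHA-1 entries to SHA-256 only after the existing digest has been re-checked against the content. The manifest format, the policy sets, the function names and the sample file contents are all constructed for this example.

```python
"""Hash-agile integrity manifest with an explicit SHA-1 phase-out policy.

Added example; manifest format '<algo> <hexdigest> <name>' and all names below
are assumptions of this example, not a published tool or standard format.
"""
import hashlib
import hmac

ACCEPTED = {"sha224", "sha256", "sha384", "sha512"}  # SHA-2 family from the NIST statement
DEPRECATED = {"sha1"}                                 # still verified, but flagged for migration
KNOWN = ACCEPTED | DEPRECATED
MIGRATION_TARGET = "sha256"                           # assumption: where deprecated entries move

# Constructed stand-in for files on disk: name -> content.
SAMPLE_FILES = {
    "config.txt": b"listen=443\ntls=required\n",
    "notes.txt": b"migration notes\n",
}


def digest(algo, data):
    """Hex digest of `data` under the named hashlib algorithm."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def write_manifest(files, algo=MIGRATION_TARGET):
    """Emit one '<algo> <hexdigest> <name>' line per file, in name order."""
    return "\n".join(f"{algo} {digest(algo, data)} {name}"
                     for name, data in sorted(files.items()))


def parse_manifest(text):
    """Parse manifest text into (algo, hexdigest, name) tuples; blank/# lines are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            raise ValueError(f"manifest line {lineno}: expected '<algo> <hexdigest> <name>'")
        algo, hexdigest, name = parts
        entries.append((algo.lower(), hexdigest.lower(), name))
    return entries


def verify_manifest(text, files):
    """Return [(name, status)] with status in:
    'ok', 'ok-deprecated-algorithm', 'mismatch', 'rejected-algorithm', 'missing'."""
    results = []
    for algo, expected, name in parse_manifest(text):
        if algo not in KNOWN:                 # policy check first: never hash with an unknown algo
            results.append((name, "rejected-algorithm"))
            continue
        if name not in files:
            results.append((name, "missing"))
            continue
        actual = digest(algo, files[name])
        if not hmac.compare_digest(actual, expected):  # constant-time comparison
            results.append((name, "mismatch"))
        elif algo in DEPRECATED:
            results.append((name, "ok-deprecated-algorithm"))
        else:
            results.append((name, "ok"))
    return results


def migrate_manifest(text, files, target=MIGRATION_TARGET):
    """Re-hash deprecated entries with `target`, but only from content that still
    verifies under the old digest; any unverified entry aborts the migration."""
    status = dict(verify_manifest(text, files))
    out = []
    for algo, expected, name in parse_manifest(text):
        if status[name] == "ok-deprecated-algorithm":
            out.append(f"{target} {digest(target, files[name])} {name}")
        elif status[name] == "ok":
            out.append(f"{algo} {expected} {name}")
        else:
            raise ValueError(f"{name}: {status[name]}; refusing to migrate an unverified entry")
    return "\n".join(out)


if __name__ == "__main__":
    old = write_manifest(SAMPLE_FILES, "sha1")
    print(verify_manifest(old, SAMPLE_FILES))
    new = migrate_manifest(old, SAMPLE_FILES)
    print(new)
    print(verify_manifest(new, SAMPLE_FILES))
```

Migrating by re-hashing content that still verifies under the old digest, rather than by trusting the old manifest line, keeps an already-tampered file from being quietly carried into the new manifest; rejecting unknown algorithms before hashing keeps the policy explicit instead of accepting whatever hashlib happens to support.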
From isn at c4i.org Tue Mar 15 02:07:00 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 15 02:17:22 2005
Subject: [ISN] Know Your Enemy: Tracking Botnets
Message-ID:

Forwarded from: Thorsten Holz

Greetings,

The Honeynet Project and Research Alliance is excited to announce the release of a new paper "KYE: Tracking Botnets". This paper is based on the extensive research by the German Honeynet Project.

KYE: Tracking Botnets
http://www.honeynet.org/papers/bots/

Abstract:
---------
Honeypots are a well known technique for discovering the tools, tactics, and motives of attackers. In this paper we look at a special kind of threat: the individuals and organizations who run botnets. A botnet is a network of compromised machines that can be remotely controlled by an attacker. Due to their immense size (tens of thousands of systems can be linked together), they pose a severe threat to the community. With the help of honeynets we can observe the people who run botnets - a task that is difficult using other techniques. Due to the wealth of data logged, it is possible to reconstruct the actions of attackers, the tools they use, and study them in detail.

In this paper we take a closer look at botnets, common attack techniques, and the individuals involved. We start with an introduction to botnets and how they work, with examples of their uses. We then briefly analyze the three most common bot variants used. Next we discuss a technique to observe botnets, allowing us to monitor the botnet and observe all commands issued by the attacker. We present common behavior we captured, as well as statistics on the quantitative information learned through monitoring more than one hundred botnets during the last few months. We conclude with an overview of lessons learned and point out further research topics in the area of botnet-tracking, including a tool called mwcollect2 that focuses on collecting malware in an automated fashion.

Thank you for your time,

Thorsten Holz, on behalf of the GHP
(http://www-i4.informatik.rwth-aachen.de/lufg/honeynet)

From isn at c4i.org Tue Mar 15 02:07:24 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 15 02:17:25 2005
Subject: [ISN] AOL's Terms of Service Update for AIM Raises Eyebrows
Message-ID:

Forwarded from: security curmudgeon

: http://www.eweek.com/article2/0,1759,1775649,00.asp
:
: By Ryan Naraine
: March 12, 2005
:
: America Online, Inc. has quietly updated the terms of service for its
: AIM instant messaging application, making several changes that is sure
: to raise the hackles of Internet privacy advocates.
:
: The revamped terms of service, which apply only to users who downloaded
: the free AIM software on or after Feb. 5, 2004, gives AOL the right to
: "reproduce, display, perform, distribute, adapt and promote" all content
: distributed across the chat network by users.

The article is updated:
http://www.eweek.com/article2/0,1759,1775743,00.asp

[..]

America Online Inc. on Sunday moved to quell public criticism of the terms of service for its AIM service, insisting the controversial privacy clause does not pertain to user-to-user instant messaging communication.

[..]

From isn at c4i.org Tue Mar 15 02:09:20 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 15 02:17:27 2005
Subject: [ISN] Secrecy News -- 03/10/05
Message-ID:

---------- Forwarded message ----------
Date: Thu, 10 Mar 2005 05:06:01 -0500
From: "Aftergood, Steven"
To: secrecy_news@lists.fas.org
Subject: Secrecy News -- 03/10/05

SECRECY NEWS
from the FAS Project on Government Secrecy
Volume 2005, Issue No. 22
March 10, 2005

** SUDAN DEMANDS CLARIFICATION OF 1962 U.S. NUCLEAR TEST
** FBIS PHOTOS OF IRAN NUCLEAR FACILITIES
** HHS INFOSEC POLICY: FOR OFFICIAL USE ONLY, OR WHATEVER
** SAYING NEY TO THE CONGRESSIONAL RESEARCH SERVICE

[...]

HHS INFOSEC POLICY: FOR OFFICIAL USE ONLY, OR WHATEVER

The Department of Health and Human Services updated its information security policies in a December 2004 policy issuance. The 64 page document is prominently marked "for official use only." On the other hand, it states candidly on the title page, "Disclosure is not expected to cause serious harm to HHS."

See "Information Security Program Policy," Department of Health and Human Services, December 15, 2004 (thanks to RT):
http://www.fas.org/sgp/othergov/hhs-infosec.pdf

[...]

_______________________________________________
Secrecy News is written by Steven Aftergood and published by the Federation of American Scientists.

To SUBSCRIBE to Secrecy News, send email to secrecy_news-request@lists.fas.org with "subscribe" in the body of the message.

To UNSUBSCRIBE, send a blank email message to secrecy_news-remove@lists.fas.org

OR email your request to saftergood@fas.org

Secrecy News is archived at:
http://www.fas.org/sgp/news/secrecy/index.html

Secrecy News has an RSS feed at:
http://www.fas.org/sgp/news/secrecy/index.rss

_______________________
Steven Aftergood
Project on Government Secrecy
Federation of American Scientists
web: www.fas.org/sgp/index.html
email: saftergood@fas.org
voice: (202) 454-4691

From isn at c4i.org Tue Mar 15 02:09:50 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 15 02:17:30 2005
Subject: [ISN] Linux Security Week - March 14th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                          Weekly Newsletter       |
|  March 14th, 2005                           Volume 6, Number 11n    |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin D. Thomas      ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.
This week, perhaps the most interesting articles include "Digital encryption standard flawed," "An Illustrated Guide to Cryptographic Hashes," and "Will SELinux Become More Widely Adopted?"

---

>> Enterprise Security for the Small Business <<

Never before has a small business productivity solution been designed with such robust security features. Engineered with security as a main focus, the Guardian Digital Internet Productivity Suite is the cost-effective solution small businesses have been waiting for.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn07

---

LINUX ADVISORY WATCH

This week, advisories were released for clamav, kernel, squid, kppp, helixplayer, tzdata, libtool, firefox, ipsec-tools, dmraid, gaim, libexif, gimp, yum, grip, libXpm, xv, ImageMagick, Hashcash, mlterm, dcoidlng, curl, gftp, cyrus-imapd, unixODBC, and mc. The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat, and SuSE.

http://www.linuxsecurity.com/content/view/118550/150/

---------------

Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, therefore very simple.

http://www.linuxsecurity.com/content/view/118181/49/

---

The Tao of Network Security Monitoring: Beyond Intrusion Detection

The Tao of Network Security Monitoring is one of the most comprehensive and up-to-date sources available on the subject. It gives an excellent introduction to information security and the importance of network security monitoring, offers hands-on examples of almost 30 open source network security tools, and includes information relevant to security managers through case studies, best practices, and recommendations on how to establish training programs for network security staff.

http://www.linuxsecurity.com/content/view/118106/49/

---

Encrypting Shell Scripts

Do you have scripts that contain sensitive information like passwords and you pretty much depend on file permissions to keep it secure? If so, then that type of security is good provided you keep your system secure and some user doesn't have a "ps -ef" loop running in an attempt to capture that sensitive info (though some applications mask passwords in "ps" output).

http://www.linuxsecurity.com/content/view/117920/49/

--------

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* Researchers: Digital encryption standard flawed
  9th, March, 2005

In a three-page research note, three Chinese scientists -- Xiaoyun Wang and Hongbo Yu of Shandong University and Yiqun Lisa Yin, a visiting researcher at Princeton University -- stated they have found a way to significantly reduce the time required to break an algorithm, known as the Secure Hashing Algorithm, or SHA-1, widely used for digital fingerprinting data files. Other cryptographers who have seen the document said that the results seemed to be genuine.

http://www.linuxsecurity.com/content/view/118359

* Crypto suite supports Linux-based devices
  7th, March, 2005

Cryptography specialist Certicom has launched a security software suite aimed at helping device makers create secure, Web-based user interfaces based on elliptic curve cryptography.
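The "Encrypting Shell Scripts" item above, together with the file-permissions tutorial listed before it, turns on one point: a secret that reaches a program through its command line is readable by every local user in the process table, whatever mode bits the script itself carries, which is exactly what a "ps -ef" loop harvests. The following is an added example, not code from either linked LinuxSecurity.com article: a Python script for Linux that starts a child with a constructed password in argv and reads it back through /proc/<pid>/cmdline (the same data ps displays), then repeats the run handing the secret over a pipe from a mode-0600 file and confirms the process table no longer carries it. The helper names, the child body and the sample password are assumptions of this example.

```python
"""Secrets in argv are world-readable; secrets over a pipe from a 0600 file are not.

Added example for Linux (reads /proc/<pid>/cmdline); function names, the
child body SLEEPER and the sample password are constructed for this example.
"""
import os
import stat
import subprocess
import sys
import tempfile

# Child body: consume one line of stdin, then idle so the process table can be inspected.
SLEEPER = "import sys, time; sys.stdin.readline(); time.sleep(30)"


def visible_cmdline(pid):
    """argv of `pid` as any local user sees it: /proc/<pid>/cmdline is what ps reads
    (readable by every user unless procfs is mounted with hidepid)."""
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        return [arg.decode() for arg in f.read().split(b"\0") if arg]


def _probe(args, stdin):
    """Start a child, capture what the process table shows for it, then stop it."""
    child = subprocess.Popen(args, stdin=stdin,
                             stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    try:
        return visible_cmdline(child.pid)   # Popen returns only after the child has exec'd
    finally:
        child.kill()
        child.wait()


def leaks_via_argv(secret):
    """Anti-pattern: the secret becomes part of argv and is visible system-wide."""
    argv = _probe([sys.executable, "-c", SLEEPER, f"--password={secret}"],
                  stdin=subprocess.DEVNULL)
    return secret in " ".join(argv)


def write_private(path, secret):
    """Create the secret file readable and writable only by its owner (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(secret + "\n")
    os.chmod(path, 0o600)   # os.open's mode is subject to umask; make 0600 explicit


def is_private(path):
    """True when no group or other permission bits are set (what chmod 600 achieves)."""
    return (stat.S_IMODE(os.stat(path).st_mode) & 0o077) == 0


def leaks_via_stdin(secret, path):
    """Safer pattern: the secret travels over a pipe from a 0600 file; argv stays clean."""
    if not is_private(path):
        raise PermissionError(f"{path} is readable by other users; refusing to use it")
    with open(path, "rb") as f:
        argv = _probe([sys.executable, "-c", SLEEPER], stdin=f)
    return secret in " ".join(argv)


def demo(secret="hunter2-constructed"):
    """Run both patterns against a temporary secret file and report what leaked."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "db.pass")
        write_private(path, secret)
        return {
            "argv_leaks": leaks_via_argv(secret),
            "file_private": is_private(path),
            "stdin_leaks": leaks_via_stdin(secret, path),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same inspection works for any running service: if a credential shows up in /proc/<pid>/cmdline, the fix is on the invocation side (pass it via stdin, a file descriptor or a permission-restricted file), not in the script's own mode bits.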
The Certicom Security Architecture (CSA) for Embedded supports Linux, and includes SSL, IPSec, PKI, DRM, and Embedded Trust Services.

http://www.linuxsecurity.com/content/view/118524

* IBM releases Linux 2005 Software Evaluation Kit
  10th, March, 2005

This is the easiest way to get all of the fresh releases of IBM middleware for Linux. Take a look at what you get.

http://www.linuxsecurity.com/content/view/118549

* An Illustrated Guide to Cryptographic Hashes
  13th, March, 2005

With the recent news of weaknesses in some common security algorithms (MD4, MD5, SHA-0), many are wondering exactly what these things are: They form the underpinning of much of our electronic infrastructure, and in this Guide we'll try to give an overview of what they are and how to understand them in the context of the recent developments. But note: though we're fairly strong on security issues, we are not crypto experts. We've done our best to assemble (digest?) the best available information into this Guide, but we welcome being pointed to the errors of our ways.

http://www.linuxsecurity.com/content/view/118560

* E-mail firewalls: A vital defense layer
  8th, March, 2005

The exponential rise in spam and e-mail-borne viruses has pushed must-have network security layers beyond traditional firewalls and intrusion-detection appliances. E-mail firewalls have emerged as a complementary appliance for detecting and protecting against threats in the inbound e-mail stream.

http://www.linuxsecurity.com/content/view/118530

* Review: Astaro Security Linux 5.1
  9th, March, 2005

One of the more popular uses for Linux is as a router/firewall to secure a local area network (LAN) against intruders and share an Internet connection. Several specialized distributions have sprung up to simplify this task. These range from small, diskette-based distros like the Linux Router Project and FREESCO to larger systems requiring a hard disk installation. Among the latter is Astaro Corp.'s Astaro Security Linux (ASL) 5.1, which I recently reviewed as part of ongoing research into content filtering products. ASL is an RPM-based distribution that allows an administrator to easily turn an x86 PC or server into a router/firewall appliance.

http://www.linuxsecurity.com/content/view/118539

* Informix: the good news and the bad news
  9th, March, 2005

There is both good news and bad news for Informix users. The good news is that Informix Dynamic Server (IDS) 10, which represents a major new release of the database, is now available. The bad news is that future versions of SAP (with NetWeaver) will no longer be available on the Informix platform, with this support to be phased out starting with the next SAP release.

http://www.linuxsecurity.com/content/view/118540

* DNS-Based Phishing Attacks on The Rise
  8th, March, 2005

Phishing fraudsters are using a pair of DNS exploits to help give them the illusion of credible domains, the latest ploy to dupe people into handing over their sensitive information.

http://www.linuxsecurity.com/content/view/118532

* HITBSecConf2004: Conference Videos Released
  7th, March, 2005

We are proud to announce the immediate availability of the Hack In The Box Security Conference 2004 videos.

http://www.linuxsecurity.com/content/view/118513

* Hosting Your Own Web Server: Things to Consider
  10th, March, 2005

When being your own web host you should be technically inclined and have basic knowledge of operating systems, understand technical terms, understand how to setup a server environment (such as: DNS, IIS, Apache, etc.) have basic knowledge of scripting languages and databases (PHP, Perl, MySQL, etc.), be familiar with current technologies, and have a basic understanding of hardware and server components.

http://www.linuxsecurity.com/content/view/118546

* OpenSSH 4.0 released
  9th, March, 2005

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.

http://www.linuxsecurity.com/content/view/118541

* Novell's Linux desktop migration enters phase two
  10th, March, 2005

The Waltham, Massachusetts-based software vendor's Linux desktop migration began in 2004 and overachieved on its phase-one goals, the company's chief information officer, Debra Anderson told ComputerWire.

http://www.linuxsecurity.com/content/view/118545

* Alternative browser spyware infects IE
  13th, March, 2005

Some useful citizen has created an installer that will nail IE with spyware, even if a surfer is using Firefox (or another alternative browser) or has blocked access to the malicious site in IE beforehand. The technique allows a raft of spyware to be served up to Windows users in spite of any security measures that might be in place. Christopher Boyd, a security researcher at Vitalsecurity.org, said the malware installer was capable of working on a range of browsers with native Java support. "The spyware installer is a Java applet powered by the Sun Java Runtime Environment, which allows them to whack most browsers out there, including Firefox, Mozilla, Netscape and others.

http://www.linuxsecurity.com/content/view/118566

* More-Secure Linux Still Needs To Win Users
  7th, March, 2005

The National Security Agency built a version of Linux with more security tools that its technologists believe could help make the country's computing infrastructure less vulnerable. They've won over the Linux developer community with the changes. But success depends on its adoption by U.S. companies and government agencies, something that remains very much in doubt.

http://www.linuxsecurity.com/content/view/118511

* Will SELinux Become More Widely Adopted?
  7th, March, 2005

"The National Security Agency built a version of Linux with more security tools that its technologists believe could help make the country's computing infrastructure less vulnerable. They've won over the Linux developer community with the changes. But success depends on its adoption by U.S. companies and government agencies, something that remains very much in doubt. (ed: not to mention adoption by Joe User, who is depending on his vendor to make this thing workable)

http://www.linuxsecurity.com/content/view/118525

* Nuclear cyber security debate hots up
  8th, March, 2005

Two companies that make digital systems for nuclear power plants have come out against a government proposal that would attach cyber security standards to plant safety systems.

http://www.linuxsecurity.com/content/view/118529

* Sensible IT Security for Small Businesses
  8th, March, 2005

This is a frequent question asked by owners of small businesses concerned about growing security threats infesting the Internet.

http://www.linuxsecurity.com/content/view/118531

* Exploit Out For CA Bugs, Eval Users Also At Risk
  10th, March, 2005

Users of Computer Associates' products are now at an even greater risk, a security firm said Wednesday, because exploit code has appeared that takes advantage of vulnerabilities disclosed last week.

http://www.linuxsecurity.com/content/view/118547

* Application protection
  11th, March, 2005

Teros Gateway, developed by Teros, digs deep. In contrast to a Layer 3 or 4 firewall that may only identify problems in the primitive transport layers of the IP stack, Teros Gateway will dissect outgoing and incoming packets to examine compliance with security policies. Although a firewall may detect anomalies such as a port scan or other reconnaissance attempts, the Teros Gateway learns your critical applications' normal behavior. Based on that information, it can block any deviant behavior.

http://www.linuxsecurity.com/content/view/118551

* Combating "Cardholder Not Present" Fraud
  13th, March, 2005

Of the security issues facing banks everywhere, prevention of card fraud has always been a high priority, and is set to grow even further in importance. The level of card fraud has risen significantly over recent years, caused in the main, by the explosion in the number and usage of payment cards and the associated high level of organised card crime activity. For example, over the past decade, fraud losses on UK-issued plastic cards have risen from 96.8m to a staggering 402.4m a year. And these figures do not take into account the soft costs related to card fraud, such as tarnish to reputation and potential legal costs.

http://www.linuxsecurity.com/content/view/118559

* Infection Vectors
  13th, March, 2005

The other day I was browsing through the top virus threats for February and March 2005, looking at the assorted nastiness, when a funny thought occurred to me: is it possible to pick a favorite virus (or virus family)? I think it is. We can look at their innovations and evolution with a source of envy, even if we universally despise them all. All viruses are malicious, nasty little programs written by misguided people. In my book, they are all manifestations of bad intentions by programmers who are well on the road to becoming evil. However... The best viruses are the ones that infect without any human error or intervention at all. And most interesting to me are the ones that innovate with new infection vectors.

http://www.linuxsecurity.com/content/view/118561

* High Profile, Low Security
  13th, March, 2005

I'll tell you a secret. If you're looking for a security consultant during the day and he's not in the office, you might find him in a neighborhood coffee shop consuming large doses of caffeine, and using a laptop with wireless net access. It's nice to people watch, catch up on the news, review technical articles and yes, even work, while enjoying that magic elixir (coffee) thanks to the wonders of WiFi. I find it a great way to take a break. You can imagine my disappointment early last week when I swung by one of my favorite haunts, grabbed a latte, opened up a terminal and watched my SSH attempt fail. Shoot -- their Internet connection must be down.

http://www.linuxsecurity.com/content/view/118562

* Reliability and availability: What's the difference?
  13th, March, 2005

How do you design a computing system to provide continuous service and to ensure that any failures interrupting service do not result in customer safety issues or loss of customers due to dissatisfaction? Historically, system architects have taken two approaches to answer this question: building highly reliable, fail-safe systems with low probability of failure, or building mostly reliable systems with quick automated recovery. The RAS (Reliability, Availability, Serviceability) concept for system design integrates concepts of design for reliability and for availability along with methods to quickly service systems that can't be recovered automatically.

http://www.linuxsecurity.com/content/view/118564

* 'Highly critical' security bugs listed for Linux products
  13th, March, 2005

Information about several vulnerabilities in Linux and Linux-based applications that are deemed to be "highly critical" were recently posted on the security Web site Secunia.com. Debian was cited as a system with operating system vulnerabilities that could be exploited. Meanwhile, users running RealNetworks' open-source Helix browser, the open-source phpWebSite manager utility, as well as users with a network backup product from Arkeia, were warned of software flaws that could leave systems potentially open to attack.

http://www.linuxsecurity.com/content/view/118565

* The National Security Agency Declassified
  13th, March, 2005

Internet wiretapping mixes "protected" and targeted messages, Info Age requires rethinking 4th Amendment limits and policies, National Security Agency told Bush administration "Transition 2001" report released through FOIA, Highlights collection of declassified NSA documents Posted on Web by National Security Archive, GWU National Security Archive Electronic Briefing Book No. 24

http://www.linuxsecurity.com/content/view/118563

* Hacked data boosts identity theft to critical issue
  11th, March, 2005

The computer breach at consumer data broker Seisint raised identity theft in the United States to crisis proportions Thursday, a day after the second major data broker disclosed that its database containing a plethora of private information on virtually every American was compromised.

http://www.linuxsecurity.com/content/view/118552

* Online Banking Industry Very Vulnerable to Cross-Site Scripting Frauds
  13th, March, 2005

Phishing Attacks reported by members of the Netcraft Toolbar community show that many large banks are neglecting to take sufficient care with the development and testing of their online banking facilities.

http://www.linuxsecurity.com/content/view/118567

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue Mar 15 02:10:04 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 15 02:17:33 2005
Subject: [ISN] Louisiana man sentenced for 9-1-1 computer virus
Message-ID:

http://www.mercurynews.com/mld/mercurynews/news/breaking_news/11135235.htm

Associated Press
March 14, 2005

SAN JOSE, Calif.
- David Jeansonne was sentenced Monday to six months in prison and ordered to pay Microsoft Corp. more than $27,000 after about 20 people received a virus that reprogrammed their computers to dial emergency dispatch numbers. The bogus 9-1-1 calls prompted unnecessary police responses throughout the country in July 2002.

Jeansonne, 44, of Metairie, La., pleaded guilty in February to causing a threat to public safety and causing damage to computers. He could not be reached Monday in the Santa Clara County jail, where he's been since October 2004.

Besides the prison sentence, U.S. District Judge Ronald M. Whyte sentenced Jeansonne to serve six months' home detention as part of a two-year period of supervised release. He must also pay restitution of $27,100 to Microsoft and a special assessment of $200.

The 9-1-1 computer virus worked through WebTV, now known as MSN TV, which allows subscribers to connect to the Internet using their standard television. Approximately 20 subscribers of the Microsoft service, which used computer servers in Santa Clara County, received the e-mail. The e-mail said the attachment merely executed a program to change the display colors on the television screen. But it was really a "Trojan horse," a malicious computer code that purports to be helpful or harmless.

The attachment contained a hidden script that reset the dial-in telephone number in the user's WebTV box to 9-1-1 so that the next time the user attempted to log in to WebTV the computer dialed the emergency number instead of the local telephone modem, said prosecutor Kyle F. Waldinger, assistant U.S. Attorney for the Computer Hacking and Intellectual Property Unit of the U.S. Attorney's Office. At least 10 WebTV users reported that the local police either called or visited their residences in response to the unnecessary calls.

The case is United States vs. David Jeansonne, No. CR-04-20023-RMW.
From isn at c4i.org Tue Mar 15 02:10:19 2005 From: isn at c4i.org (InfoSec News) Date: Tue Mar 15 02:17:35 2005 Subject: [ISN] The Paris Hilton hacking hoax Message-ID:

http://security.itworld.com/4337/050314hiltonhack/page_1.html James Gaskin ITworld.com 3/14/05

I know the mainstream media loves to report the Internet as the Wild West of lawlessness and anarchy (I think because it hides their own attempts to control content distribution over that same Internet). But why do so many mainstream reporters go brain dead when talking about Paris Hilton? To match her mental state?

Setup: Paris Hilton's cell phone address book got hacked, supposedly through her provider's lax security. Private celebrity numbers spread across the Internet. They were real celebrity numbers, not fake ones, although some of the celebrities were, um, getting pretty stale. Can you say MC Hammer?

Result: Do we blame her cell phone company, hackers, or roving bands of Wild West Web Hooligans? How about we blame Paris Hilton and recognize this as the brazen publicity stunt it is? Paris Hilton may be brain dead, but her PR group overflows with genius. Let me explain, starting with some history.

Eighteen months ago a "private" sex tape of Paris Hilton, at 19 years old and with a much older boyfriend, hit the Internet. She was shocked, shocked, that such a breach of privacy could occur. A month later, her show, The Simple Life, debuted on network TV. Was Paris Hilton too embarrassed to promote her show while coyly ignoring Internet porn questions? Absolutely not. Was the Fox Network too embarrassed to splash her semi-naked porn-actress look all over their network? Fox? Embarrassed? Not a bit. Athletes caught using steroids will give back their salaries before Fox TV blushes. The trick worked, and Paris Hilton wiggled and giggled The Simple Life to cult hit status. Fox ordered a second season of The Simple Life. During the long stretch between TV seasons, Paris Hilton felt ignored.
Did she tutor poor children? No. Did she work in a soup kitchen? No. Did the news media go crazy looking for something so valuable I thought the original copy of the Declaration of Independence had been stolen? Absolutely. But it wasn't the Declaration or even the Hope Diamond, it was Tinkerbelle, the Chihuahua Paris carries to events. Ransom notes were expected, but a few days later Paris remembered - she left Tinkerbelle with her grandparents. Two quick asides. First, how brain dead are her grandparents that they didn't hear all the hubbub and call Paris on her famous cell phone? Second, if celebrities want to impress me by carrying dogs around, forget Chihuahuas. I'll bow to the first anorexic supermodel party girl I see brandishing a Bassett Hound. Tote a Toy Poodle? Boring. Pack a Pit Bull? Kudos. Now we're back to the present and the cell phone nonsense. The Simple Life season two includes Paris Hilton wiggling and giggling in fine half-dressed style, but nobody cares. Ratings are down. Civilization, at least as defined by People magazine, may crumble. Suddenly it's Paris Hilton, that poor hacking victim, all over the news. Ratings trend up. People magazine starts a Celebrity Hacking Victims column, including pictorials of hacked celebrities in swim suits discussing their favorite diets. The Weekly World News prints photographs proving Paris was hacked by Batboy and Bigfoot. Did anybody look at this PR ploy critically? No. Anyone else report stolen data when the provider was supposedly hacked and Paris Hilton's address book copied? Nope. Paris can't keep track of a yappy dog, and nobody asks where she leaves her cell phone during parties? Surely the reports of Paris Hilton using the name Tinkerbelle as her cell phone account password are wrong. That's a lot of letters for Paris to remember. I'm betting her password is "me" as in M-E. That seems to better fit her personality. 
I say forget all this PR-initiated, headline-seeking nonsense, or at least stop calling this a technology failure. It may be a failure, but that failure is civilized discourse and news coverage of important events. Let's go back to the way life was, when we hated cell phone companies because of lousy service and botched billing. You know, back to normal. And leave Paris Hilton to wander, half-dressed, around Fox TV. They deserve each other. From isn at c4i.org Tue Mar 15 02:10:33 2005 From: isn at c4i.org (InfoSec News) Date: Tue Mar 15 02:17:38 2005 Subject: [ISN] Pleasant Hill man, 21, takes credit as hacker Message-ID: http://www.contracostatimes.com/mld/cctimes/news/local/crime_courts/11118974.htm By Nathaniel Hoffman CONTRA COSTA TIMES March 12, 2005 A self-taught computer hacker from Pleasant Hill took credit Friday for several high-level cyber break-ins. Robert Lyttle, 21, pleaded guilty in federal court in Oakland to five counts of hacking and defacing government computers. Lyttle admitted in a plea agreement with the government to hacking into NASA, Department of Defense and Department of Energy computers in April 2002, costing the government agencies more than $70,000 to shore up their security systems. Within days of the attacks, according to a memo provided by Lyttle's attorney, government computer operators began reinforcing their networks. "As a result of my actions, numerous Department of Defense and NASA employees spent time applying proper security measures to the DLIS, OHA, and NASA ARC computer systems and otherwise addressing the intrusions," Lyttle admitted in his plea agreement. That was the intention of the self-styled "hacktivist" all along. Lyttle was one member of the Deceptive Duo, a pair of hackers who claimed in a TechTV interview in 2002 to have broken into numerous government, airline and banking networks as part of an effort to stave off cyberterrorist attacks against the United States. 
Lyttle and his partner, Benjamin Stark, called their hacks Operation Inform and Operation Foreign Threat. They broke into the government computers, captured confidential information, including information on members of NASA's Astrobiology Institute and then posted that information on publicly accessible computers within the agencies. Stark pleaded guilty late last year to hacking and fraud charges and has been ordered to repay some of the cost incurred by the federal agencies.

The Contra Costa County District Attorney prosecuted Lyttle in 2000, when he was still a juvenile, for tampering with computer systems, according to Lyttle's plea agreement. He was still on court probation when the Deceptive Duo launched its attacks. The U.S. Attorney's Computer Hacking and Intellectual Property Unit in San Jose prosecuted Lyttle in the latest case. Christopher Sonderby, chief of the hacking unit, said most of the computer intrusion crimes the unit deals with are former employees hacking into company networks, not government hacks. "It's obviously serious misconduct that he pled guilty to," Sonderby said. Lyttle will be sentenced in June and could face more than 26 years in prison and more than $1 million in fines.

From isn at c4i.org Wed Mar 16 03:09:24 2005 From: isn at c4i.org (InfoSec News) Date: Wed Mar 16 03:42:17 2005 Subject: [ISN] Hacking away at the hackers Message-ID:

http://www.southcoasttoday.com/daily/03-05/03-15-05/l02ca072.htm By JERRI STROUD St. Louis Post-Dispatch March 15, 2005

ST. LOUIS -- Ted Flom prepares for a security audit by trying to hack into a client's network. Often, it's surprisingly easy. One Web site tipped Flom to the location of the company's servers. He and his team were able to sign onto the server using a generic password and user ID. Within a half-hour, they had access to virtually everything on the company's network.
The client's executives "were shocked," said Flom, a principal with Brown Smith Wallace LLC, an accounting and business-consulting firm in Creve Coeur, Mo. "It ended up being a server that they don't normally use. Someone just forgot to take it off their network." Flom addresses corporate-information security, a hot topic now as government regulations and a litigious public push companies to prove their networks are secure. Even smaller companies could be asked to comply if they work for governments or larger companies in fields ranging from health care to banking. Some consultants say the new emphasis on information security stems from the Sarbanes-Oxley Act passed in the wake of scandals at Enron Corp. and WorldCom Inc. In addition, the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act put the security onus on health-care and banking companies. But Sarbanes-Oxley doesn't actually mandate information security, said Ira Solomon, head of the accounting program at the University of Illinois at Urbana-Champaign. It does require managers to attest that they have adequate controls on systems related to financial reporting, but it doesn't specify what kinds of controls. Still, Solomon said, companies are being held to a greater level of accountability for privacy and data integrity. "Companies are collecting more and more data, so there's more and more at risk," he said. Because of that risk, accounting firms, computer consultants and major network providers, such as Savvis Communications Corp. and SBC Communications Inc., are offering security-audit services and advising clients on ways to prevent attacks from outside -- and inside -- a company. Many companies think they've protected themselves from hackers by installing a firewall or a piece of equipment with built-in security features, said William Hancock, security chief for Savvis. 
But they aren't secure if the company hasn't changed the factory-installed passwords, which usually are well-known to hackers. Hancock said companies need layers of security, additional hurdles behind a firewall that can slow attempts to penetrate a company's network. These can include access-control lists on routers, additional firewalls on servers, intrusion-detection systems, stronger user-authentication systems and access-filtering technology. "By using a layered defense, the chances of an intruder getting all the way to an asset, undetected and undeterred, goes way down as more layers are added," Hancock said. Equipment and computer ports that are unneeded should be turned off, and software patches should be kept up to date. The bulk of computer system vulnerabilities to attacks result from failure to install such patches. Hacking, viruses, spam and denial-of-service attacks are on the rise as more computers, cell phones and other devices are connected to the Internet, Hancock said. Still, attacks from the inside cause more damage than those from outside a company. "Amateurs hack systems; professionals hack people," said Dustin Dykes, a senior consultant at Callisma, a network-design firm owned by SBC. "I spend a half-hour on the phone, and I most likely have all the passwords I need," Dykes said. "Companies tend to test the technical systems but not the people and the processes." The most-likely perpetrators of attacks are disgruntled employees or recently fired ones who know how a company's computers are set up, said Josh Crowe, vice president in the St. Louis office of Calence Inc., a network-consulting firm based in Phoenix. Companies must confiscate identification or access cards and deactivate passwords and e-mail accounts as soon as an employee leaves the company, Crowe said. Active employees should have access only to the information and systems they need to do their jobs. 
Vendors and consultants should be granted access only after their computers have been scanned for viruses -- and their access should be limited to the task at hand. Even good employees can leave the company open to security breaches if they give passwords to outsiders, use unsecured home or public networks or respond to "phishing" e-mails purportedly from banks, credit-card companies or other organizations. Employees should be suspicious of any e-mails asking them to update records, especially if they don't recognize the person or company requesting the updates. Smart companies work out deals that give their employees access to antivirus software for laptops and home computers, Hancock said. He also recommends using anti-spyware and anti-adware tools and firewalls, many of them available free on the Internet.

Keith Fear, infrastructure director for Oakwood Systems Group Inc., said he's been able to walk into a major company in St. Louis, sit down at a computer and start exploring its network without being challenged by a receptionist or other employees. Oakwood, a computer-consulting firm in west St. Louis County, checks for breaches of physical security as well as technical security when it conducts security audits, Fear said. Some companies still use ordinary locks on rooms housing their servers and other sensitive equipment, for example. Few have video cameras watching critical computer operations. Even high-tech systems can be compromised, Fear said.

The first thing companies need to do is determine which assets and intellectual property are most critical, Fear said. Then, they need to look at the risk of compromising those assets and find out how to reduce those risks. A security audit should look at external and internal vulnerability, risks of penetration and also at policies and procedures. Audits should be redone -- or at least reviewed -- every six months.
Companies also need to look at security flaws that occur because of the way applications and systems are designed, said Ray Seefeldt, director of technology risk management in the St. Louis office of Jefferson Wells, an auditing and consulting firm based in Milwaukee. A company might have 12 different groups of people who work on 12 functions, but their system is designed for just eight groups or functions. "People can't do what they need to do, and they will blame it on security," Seefeldt said. "A lot of security issues are caused not by the security tools," he said, "but because security is an afterthought, and the designers didn't get it right in the first place."

Tips for safeguarding company information:

1. Keep software up-to-date and security patches installed, as appropriate.

2. Use anti-virus software on all computers -- desktops, laptops, employees' home computers and those of any vendors who connect to the company network.

3. Install firewalls and change security codes from default settings.

4. Give employees access only to the data they need to do their jobs. Use access control lists and passwords that aren't easy to guess. Passwords that combine letters and numbers are harder to hack.

5. Develop consistent, practical policies on the use of data, the Internet and e-mail -- and enforce the policies.

6. Educate employees, including executives, on the importance of security and how to work securely. Remind them of the dangers of providing information to outsiders, especially those posing as insiders.

7. Check physical security to make sure unauthorized persons can't get in to tamper with your network.

8. Turn off unused computer ports and peripherals. Make sure older equipment has the same protection as newer devices.

9. Map critical assets and understand where they are at risk. Develop plans to address their vulnerability.

10. Assess security on a regular basis, automate it where possible and review changes made since the last assessment.
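The layered-defense practices Hancock describes (no factory-installed passwords, unneeded ports closed, patches current, departed staff de-provisioned) and the ten tips at the end of the article lend themselves to an automated inventory check, which is what item 10 asks for. The script below is an added example written for this archive, not code from the article or from any firm quoted in it. The host records, the default-credential list, the departed-user set and the 30-day patch threshold are constructed placeholders and assumptions, chosen so that one forgotten server like the one Flom found fails several checks while a maintained host passes them all.

```python
"""Layered-defense audit over a constructed host inventory (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Set, Tuple

# Constructed placeholder list of factory-installed credentials to flag (tip 3).
DEFAULT_CREDS: Set[Tuple[str, str]] = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
}

MIN_PASSWORD_LEN = 8  # assumed policy minimum


@dataclass(frozen=True)
class Host:
    name: str
    creds: FrozenSet[Tuple[str, str]]  # (user, password) pairs configured on the host
    open_ports: FrozenSet[int]         # ports found listening
    allowed_ports: FrozenSet[int]      # ports the owner has justified
    last_patched: date
    accounts: FrozenSet[str]           # users with login access


def password_is_weak(pw: str) -> bool:
    """Tip 4: a password must mix letters and digits and meet the length floor."""
    has_alpha = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    return len(pw) < MIN_PASSWORD_LEN or not (has_alpha and has_digit)


def audit_host(host: Host, today: date, departed: Set[str],
               max_patch_age_days: int = 30) -> List[str]:
    """Return one finding string per control the host fails (empty list = clean)."""
    findings: List[str] = []

    # Tip 3: factory-installed passwords; tip 4: guessable passwords.
    for user, pw in sorted(host.creds):
        if (user, pw) in DEFAULT_CREDS:
            findings.append(f"{host.name}: default credential still set for '{user}'")
        elif password_is_weak(pw):
            findings.append(f"{host.name}: weak password for '{user}'")

    # Tip 8: listening ports that nobody has justified.
    for port in sorted(host.open_ports - host.allowed_ports):
        findings.append(f"{host.name}: port {port} open but not on the allow-list")

    # Tip 1: patch currency, measured against an assumed 30-day window.
    age = (today - host.last_patched).days
    if age > max_patch_age_days:
        findings.append(f"{host.name}: last patched {age} days ago")

    # Crowe's advice: accounts of departed staff must be deactivated.
    for user in sorted(host.accounts & departed):
        findings.append(f"{host.name}: departed user '{user}' still has access")

    return findings


def audit_inventory(hosts: List[Host], today: date, departed: Set[str]) -> List[str]:
    """Run audit_host over every host and flatten the findings."""
    return [f for h in hosts for f in audit_host(h, today, departed)]


# Constructed sample inventory: one forgotten test server and one maintained web host.
SAMPLE_HOSTS = [
    Host("old-test-srv", frozenset({("admin", "admin"), ("backup", "backup2005")}),
         frozenset({22, 80, 23, 445}), frozenset({22, 80}),
         date(2004, 11, 1), frozenset({"admin", "backup", "jdoe"})),
    Host("web-01", frozenset({("deploy", "Tr0ub4dor-x9")}),
         frozenset({22, 443}), frozenset({22, 443}),
         date(2005, 3, 10), frozenset({"deploy"})),
]
SAMPLE_TODAY = date(2005, 3, 15)
SAMPLE_DEPARTED = {"jdoe"}  # constructed: a user who has left the company

if __name__ == "__main__":
    for line in audit_inventory(SAMPLE_HOSTS, SAMPLE_TODAY, SAMPLE_DEPARTED):
        print(line)
```

Run as a script it prints five findings, all against the forgotten server, and nothing for the maintained host; the same structure scales to a real inventory by feeding it exported device records and an HR leavers list instead of the constructed sample.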
From isn at c4i.org Wed Mar 16 03:14:34 2005 From: isn at c4i.org (InfoSec News) Date: Wed Mar 16 03:42:20 2005 Subject: [ISN] Study: European IT managers have false sense of security Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,100397,00.html By Scarlet Pruitt MARCH 15, 2005 IDG NEWS SERVICE Many European IT managers find their jobs extremely stressful, and even those who feel they have done as much as they can to protect their companies against emerging threats are operating under a false sense of security, according to a study released today. These conclusions were detailed in Websense Inc.'s "Stress in Security" survey of 500 IT managers across Europe. Although 91% of the managers said they believe their companies have good IT security, 70% said they leave gaps open to common Internet threats, according to the study. Many known Web-based threats are being overlooked, and a majority of respondents said they have no measures in place to protect against internal hackers or phishing attacks. Phishing, a type of Internet scam where hackers send e-mails enticing recipients to reveal passwords or credit card numbers on bogus Web sites that resemble legitimate Web sites, is an increasingly common type of Internet threat. Fifty-eight percent of the respondents said they protect against fewer than three of the seven most common Web threats identified in the survey, Websense said. "The biggest problem is that they are being reactive rather than proactive," said Websense spokeswoman Rebecca Zarkos, who worked on the report. For example, 35% of respondents said they are unable to stop spyware from sending out confidential company information to external sources, and 56% do not prevent peer-to-peer applications from being run. Finally, 8% of the European companies surveyed said they have no security measures beyond a basic firewall and an antivirus product in place, Websense said. 
"They think they are covered by a big umbrella, but obviously there are holes," Zarkos said. Many IT managers see mobile workers as a threat, as 71% of survey respondents said that corporate laptops used outside the office and then reconnected to the network pose the greatest security risk to their companies. Still, only 21% of the companies surveyed said they have technical restrictions in place to secure reconnected computers, according to Websense. A possible reason behind the lax security is that IT managers aren't delegating enough responsibility to end users, and too few security policies are enforced, Websense said. Individual employees are given too much freedom to visit Internet sites, which could potentially infect the network and put IT mangers' jobs at risk, the company said. And the pressure seems to show. Of the IT managers surveyed, 72% said they think their jobs might be at risk following IT security breaches, with Internet attacks being their greatest concern. Furthermore, 20% of IT managers surveyed said that the stress of protecting their companies against Internet threats is greater than starting a new job, moving to a new house, or even getting married or divorced. "Obviously they are feeling the stress and know that their jobs are on the line, so maybe the problem is that they don't understand the threats," Zarkos said. Websense advised companies to invest in the appropriate software to secure their networks and to focus on proactive security measures. From isn at c4i.org Wed Mar 16 03:14:50 2005 From: isn at c4i.org (InfoSec News) Date: Wed Mar 16 03:42:23 2005 Subject: [ISN] DMV hopes to reassure clients about security Message-ID: http://www.lasvegassun.com/sunbin/stories/lv-other/2005/mar/15/518452271.html By David Kihara LAS VEGAS SUN March 15, 2005 Mark Saia walked into the state Department of Motor Vehicles office at 4110 Donovan Way on Monday looking for information on the possible theft of his identity. He left with only questions. 
"(The burglars) have my Social Security number and my date of birth -- what can they do with it?" Saia asked. "How is the DMV going to stop something like this from happening again?" Saia is just one of almost 9,000 individuals who could be victims of identity theft after burglars on March 7 crashed a vehicle into the North Las Vegas DMV branch near Craig Road and Interstate 15 and stole a computer with personal driver's license information as well as Social Security numbers of dates of birth. He went to the DMV on Donovan Way on Monday to get information on his chances of being a victim. He was given a slip of paper with the DMV Fraud hotline telephone number on it and a piece of very bad news: He could be the victim of identity theft because between Nov. 25 and March 5 he was issued a commercial instruction permit to drive a tractor-trailer. Anyone who was issued a license during that time period could be the victim of identity theft. "I was a little concerned when I heard (reports of the burglary) announced on the radio because (the burglars) have my Social Security number," Saia said, adding that he learned of the theft from media reports. The DMV on Wednesday will send out letters describing the incident and new driver's licenses with different numbers to the 8,738 people whose personal information was stored on the stolen computer, said Kevin Malone, spokesman for the DMV. The DMV could not issue the certified letters and new driver's licenses sooner than Wednesday because of the immense volume of licenses, he said. "We're doing this as quickly as we can," Malone said. He said the DMV could not inform the potential victims by telephone because the agency does not keep individual's phone numbers. To clear misconceptions, Malone said the reason the DMV on Friday reversed previous statements, saying that the information stored on the stolen computer could yield personal information, was because of the DMV's computer vendor, Digimarc. 
Digimarc told the DMV on Thursday that personal information on the DMV's computers that was believed to have been wiped off the North Las Vegas DMV branch's computer system at the end of the day was actually "backed up" and stored in the computer. This new information led officials to believe that the burglars have almost 9,000 identities, he said. He could not comment on whether or not Digimarc ever provided assurances to the DMV that the personal information could remain on the computer systems at the end of the day.

Digimarc could not comment on the case because it has a nondisclosure agreement with the DMV, said Leslie Constans, spokeswoman for Digimarc. "We are working with the DMV to understand what happened," Constans said. The Oregon-based computer firm contracts with 32 DMVs across the country to provide digital driver's license computer systems, she said. Tim Bedwell, spokesman for North Las Vegas Police, said the authorities still have not arrested any suspects in the burglary.

Much of this, however, still leaves some citizens like Saia with unanswered questions and anger toward the DMV. "They need to try and figure out a way to make sure this doesn't happen again," Saia said. Another individual concerned that the burglars might have stolen his personal information during the burglary was Jeff Lamb, who also visited the Donovan Way DMV on Monday to get information relating to the crime. Lamb saw television news reports during the weekend about the incident, and he said he just wanted to "check for safety." The 64-year-old Lamb said he was slightly worried that personal information was left on the computers at night, but ultimately believed that little could be done if burglars drive a vehicle through a plate glass window to gain access, as they did in the DMV burglary.
After consulting with a DMV employee, he walked away feeling a little more secure: He had been issued a driver's license several years ago and was not in danger of having his identity stolen. "I guess I'm OK," he said. From isn at c4i.org Wed Mar 16 03:15:02 2005 From: isn at c4i.org (InfoSec News) Date: Wed Mar 16 03:42:26 2005 Subject: [ISN] AOL To Modify AIM Terms of Service Message-ID: http://www.eweek.com/article2/0,1759,1776146,00.asp By Ryan Naraine March 15, 2005 America Online Inc. plans to make three small but significant modifications to the terms of service [1] for its AIM instant messaging product to head off a firestorm of privacy-related criticisms. The tweaks to the terms of service will be made in the section titled "Content You Post" and will explicitly exclude user-to-user chat sessions from the privacy rights an AIM user gives up to AOL. "We're not making any policy changes. We're making some linguistic changes to clarify certain things and explain it a little better to our users," AOL spokesperson Andrew Weinstein told eWEEK.com. The modifications will use similar language from the AIM privacy policy to "make it clear that AOL does not read private user-to-user communications," Weinstein said. "We'll be adding that to the beginning of the section to make it clear that the privacy rights discussed in that section only refer to content posted to public areas of the AIM service." More importantly, Weinstein said a blunt and inelegant line that reads "You waive any right to privacy" will be deleted altogether. "That's a phrase that should not have been in that section in the first place. It clearly caused confusion, with good reason," Weinstein conceded. Over the last weekend, AOL representatives moved to quell public criticism [2] of the terms of service after the issue was first flagged [3] on Weblogs and discussion forums. 
But the company's damage-control moves did not sit well with legal experts, who argued that AOL's stance that user-to-user IM communications were exempt did not match the language in the terms of service. Justin Uberti, chief architect for AIM, also joined the discussion, admitting the controversial section of the terms of service was "vague" and needed to be reworded. Uberti explained on his Weblog [4] that the amount of IM traffic on the AIM network "is on the order of hundreds of gigabytes a day." "It would be very costly, and we have no desire to record all IM traffic. We don't do it," Uberti wrote.

For AIM users who remain distrustful, Uberti pointed out that the application offers Direct IM (aka Send IM Image) and Secure IM in all recent versions. "In other words, you can send your IMs in such a way that they never go through our servers, and/or are encrypted with industry-standard SSL and S/MIME technology. I know this since I designed these features. There are no backdoors; I would not have permitted any," Uberti said.

[1] http://www.aim.com/tos/tos.adp
[2] http://www.eweek.com/article2/0,1759,1775743,00.asp
[3] http://www.eweek.com/article2/0,1759,1775649,00.asp
[4] http://journals.aol.com/juberti/runningman/

From isn at c4i.org Wed Mar 16 03:15:15 2005 From: isn at c4i.org (InfoSec News) Date: Wed Mar 16 03:42:29 2005 Subject: [ISN] How To Save The Internet Message-ID:

http://www.cio.com/archive/031505/security.html BY SCOTT BERINATO CIO Magazine Mar. 15, 2005

Professor Hannu H. Kari of the Helsinki University of Technology is a smart guy, but most people thought he was just being provocative when he predicted, back in 2001, that the Internet would shut down by 2006. "The reason for this will be that proper users' dissatisfaction will have reached such heights by then that some other system will be needed," Kari said, "unless the Internet is improved and made reliable." Last fall, Kari bolstered his prophecy with statistics.
Extrapolating from the growth rates of viruses, worms, spam, phishing and spyware, he concluded that these, combined with "bad people who want to create chaos," would cause the Internet to "collapse!" And he stuck to 2006 as the likely time.

Kari holds dozens of patents. He helped invent the technology that enables cell phones to receive data. He's a former head of Mensa Finland. Still, many observers pegged him as an irresponsible doomsayer and, seeing as how he consults for security vendors, a mercenary one at that.

And yet, in the past year, we've witnessed the most disturbingly effective and destructive worm yet, Witty, that not only carried a destructive payload but also proved nearly 100 percent effective at attacking the machines it targeted. Paul Stich, CEO of managed security provider Counterpane, reports that attempted attacks on his company's customers multiplied from 70,000 in 2003 to 400,000 in 2004, an increase of over 400 percent. Ed Amoroso, CISO of AT&T, says that among the 2.8 million e-mails sent to his company every day, 2.1 million, or 75 percent, are junk.

The increasing clutter of online junk is driving people off the Internet. In a survey by the Pew Internet and American Life Project, 29 percent of respondents reported reducing their use of e-mail because of spam, and more than three-quarters, 77 percent, labeled the act of being online "unpleasant and annoying." Indeed, in December 2003, the Anti-Phishing Working Group reported that more than 90 unique phishing e-mails had been released in just two months. Less than a year later, in November 2004, there were 8,459 unique phishing e-mails linking to 1,518 sites.

Kari may have overstepped by naming a specific date for the Internet's demise, but fundamentally, he's right. The trend is clear. "Look, this is war," says Allan Paller, director of research for The SANS Institute. "Most of all, we need will. You lose a war when you lose will."
So far, the information security complex (vendors, researchers, developers, users, consultants, the government, you) has demonstrated remarkably little will to wage this war. Instead, we fight fires, pointing hoses at uncontrolled blazes, sometimes inventing new hoses, but never really dousing the flames and never seeking out the fire's source in order to extinguish it.

That's why we concocted this exercise, trolling the infosecurity community to find Big Ideas on how to fix, or begin to fix, this problem. Our rules were simple: Suggest any Big Idea that you believe could, in a profound way, improve information security. We asked people to think outside the firewall. Some ideas are presented here as submitted; others we elaborated upon. Those who suggested technological tweaks or proposed generic truths ("educate users") were quickly dismissed. What was left was an impressive, broad and, sometimes, even fun list of Big Ideas to fix information security.

Let's hope some take shape before 2006.

[...]

From isn at c4i.org Wed Mar 16 03:30:18 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 16 03:42:33 2005
Subject: [ISN] Chico State computer system attacked by hackers
Message-ID:

Forwarded from: William Knowles

http://www.chicoer.com/Stories/0,1413,135~25088~2765075,00.html

By MELISSA DAUGHERTY
Staff Writer
March 16, 2005

More than 59,000 people connected to Chico State University will be contacted for what officials are calling the largest computer hacking incident the college has seen.

Notifications to anyone whose personal information was compromised were going out Tuesday, said Joe Wills, director of public affairs at the university. That list includes current and former Chico State faculty and staff members. But the majority are students, since the server hackers targeted held the names and Social Security numbers of current, former and prospective students.
There have been previous hacking incidents at the university, but none has affected this many people, Wills said.

While the exposed server contained personal information, there's no indication hackers will use it for illegal activity, he added. "It's impossible to know what their motives are," Wills said.

The university was made aware of the incident about three weeks ago, after routine monitoring of its network showed that hackers illegally accessed the University Housing and Food Service server. An investigation revealed hackers installed software to store files and attempted to break into other computers.

Meanwhile, university personnel have placed information about the incident online, which can be accessed through Chico State's Web site. The site provides links to credit reporting agencies that can detect fraud or identity theft at no charge.

The university is also developing an alternative identification system using a new, randomly assigned nine-digit ID number for students and employees in place of Social Security numbers.

Wills recalled a similar incident at San Diego State University, in which more than 120,000 people were notified.

For those affected by the system breach at Chico State, notifications will be sent via the Internet for those who have current e-mail addresses and by letter to all others.

University Police are investigating the incident, but Wills said he doesn't know if it's likely the hackers will be caught. At this time, there's no indication the crime took place on campus or involved university personnel. "They literally could be anywhere," he said.

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen. Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Fri Mar 18 02:26:40 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 18 02:45:25 2005
Subject: [ISN] Hacking raid on Sumitomo bank thwarted
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,100455,00.html

By Madeleine Acey
MARCH 17, 2005

Security experts are praising Sumitomo Mitsui Banking Corp. for admitting that it was the target of a failed $424 million hacking attempt.

According to media reports, the U.K.'s National High Tech Crime Unit (NHTCU) has issued a warning to large banks to guard against keylogging, the method adopted by the would-be thieves in an attack on the Japanese bank's London systems. The intruders tried to transfer money out of the bank via 10 accounts around the world.

Keyloggers record every keystroke made on a computer and are commonly used to steal passwords. Eighteen months ago, U.S. games developer Valve had the source code to its latest version of Half-Life stolen after a virus delivered a keystroke recorder program into Valve's founder's computer.

"Generally, big businesses don't like to talk about any security problems they may have," said Graham Cluley, senior technical consultant at security software company Sophos PLC. "Clearly, Sumitomo did very well, they didn't lose any money, and they involved the authorities."

Arthur Barnes at security integrator Diagonal Security agreed. "I think this is very positive; it warns the rest of the community," he said. "Someone was always going to have to stand up and say this is going on. It's very brave. They've really done the right thing. Too often this sort of thing is swept under the carpet."

The bank has confirmed that a probe is under way and stressed that no money was lost.
But officials declined to offer further details, citing the ongoing investigation. "We have undertaken various measures in terms of security and we have not suffered any financial damage," a spokesman said.

Barnes, who has worked with the NHTCU, said the publicized arrest of a man in Israel -- along with Sumitomo's confirmation of a plot -- appeared to be an effort to flush out the thieves, and suggests law enforcement officials know something about them. "It would also serve as a warning to anyone thinking of doing this kind of thing," he said.

Yeron Bolondi, 32, was seized by Israeli police yesterday after an alleged attempt to transfer some of the cash into his business account. He was reportedly charged with money laundering and deception. In a statement, Israeli police said there had been an attempt to transfer $26.7 million into the account "by deception in a sophisticated manner."

Cluley and Barnes said keylogging hacks are more common than thought, and they said the $423 million plot was probably the largest corporate case that had been made public.

Both experts said it's unclear what kind of keylogging was used. Barnes said keyloggers have become more sophisticated, moving away from software forms to sniffer-type hardware devices. Both he and Cluley speculated that the would-be thieves may not have actually hacked into the bank's systems from outside to plant their keylogger.

"They've now got little hardware loggers that are like a dongle that you place between the keyboard connection and the base unit," Barnes said. "A cleaner could come in and pop one of these things in. No one ever looks around the back [of their PC]."

That type of operation would also mean that an organization's level of encryption or firewall strength could become irrelevant. He noted that hacker sites offer keylogging software for free.
Keystroke recorders are also sold on seemingly legitimate Web sites, purportedly for employees to keep an eye on what staff are doing at their computers.

No matter how dramatic the Sumitomo case might be, Cluley said attacks on individuals' machines are an everyday occurrence and users must remain vigilant. "[We're seeing] 15 to 20 new pieces of malware a day, and they are worms and Trojans that do keylogging. Individuals probably don't even know about it. The malware doesn't display a skull and crossbones or play 'The Blue Danube' over your speakers to announce its presence."

He urged users to update antivirus software "probably several times a day and not to forget to install Microsoft patches and install a firewall."

"There are constant attempts; it's staggering how much this is going on," Cluley said.

From isn at c4i.org Fri Mar 18 02:27:06 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 18 02:45:28 2005
Subject: [ISN] BC warns its alumni of possible ID theft after computer is hacked
Message-ID:

http://www.boston.com/business/technology/articles/2005/03/17/bc_warns_its_alumni_of_possible_id_theft_after_computer_is_hacked/

By Hiawatha Bray
Globe Staff
March 17, 2005

Boston College has sent warning letters to 120,000 of its alumni, after a computer containing their addresses and Social Security numbers was hacked by an unknown intruder.

College officials say they have no reason to believe the intruder was looking for personal information to steal; instead, the attacker planted a program that would enable him to use the computer to launch attacks on other machines. But the school is taking no chances, because of the sensitive information stored on the computer.

''As a precaution we have chosen to alert the entire database, which is upwards of 100,000 individuals," said Boston College spokesman Jack Dunn.

The breach at the college takes place amid rising concern over identity theft, and the recent break-ins at information brokers ChoicePoint and LexisNexis.
The compromised machine at Boston College was not run by the school, but by an outside contractor that Dunn did not identify. It was one of a group of computers used in the school's fund-raising activities. Boston College students use the machines to look up names and phone numbers of alumni. They telephone them and ask for donations to the college. Such phone banks are a common feature at many colleges, Dunn said.

During a routine security check last week, Boston College computer security workers found that one of the computers at the phone bank had been compromised. The computer was immediately taken offline and tested in an effort to find what the attacker had been trying to do.

The investigation concluded that there was no evidence of identity theft. The school also concluded that the hack wasn't an inside job. ''There's no evidence to suggest that this involved anyone from the Boston College community, but instead was an external hacker," Dunn said.

But investigators couldn't be absolutely sure that the intruder hadn't also collected some personal information on alumni, such as their Social Security numbers.

Dunn said that including Social Security data in the alumni files was a matter of custom. ''Every university in the United States, for decades, used Social Security numbers as identifiers from alums," he said. ''As a result of the breach, we have taken immediate actions to purge all Social Security numbers for this particular computer, and from all alumni records."

The letter to alumni urges them to take precautions to protect their identities and financial accounts. They're told to contact their banks and warn them that their Social Security numbers may have been stolen. The letter suggests obtaining copies of credit reports to check for unusual activity. Alumni are also urged to ask that a ''fraud alert" be put on their credit reports.
Such alerts will prevent banks and credit card companies from making new loans without double-checking with the account holder. A complete list of suggested remedies is posted on the Boston College website at www.bc.edu/alert.

Dunn said the precautions made sense for anybody worried about identity theft. ''As a precaution," he said, ''people should do this on a yearly basis anyway."

From isn at c4i.org Fri Mar 18 02:28:04 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 18 02:45:31 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-11
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary

2005-03-10 - 2005-03-17

This week : 52 advisories

========================================================================

Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================

1) Word From Secunia:

Want a new IT Security job?

Vacant positions at Secunia:
http://secunia.com/secunia_vacancies/

========================================================================

2) This Week in Brief:

A vulnerability has been reported in various Symantec gateway products, which can be exploited by malicious people to poison the DNS cache.

The vendor has issued patches; please review the Secunia advisory below for additional details.

References:
http://secunia.com/SA14595

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================

3) This Week's Top Ten Most Read Advisories:

1.  [SA14163] Mozilla Products IDN Spoofing Security Issue
2.  [SA14565] Firefox "Save Link As..." Status Bar Spoofing Weakness
3.  [SA14512] Microsoft Windows LAND Attack Denial of Service
4.  [SA14547] MySQL Two Vulnerabilities
5.  [SA12889] Microsoft Internet Explorer Multiple Vulnerabilities
6.  [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerability
7.  [SA14568] Mozilla "Save Link Target As..." Status Bar Spoofing Weakness
8.  [SA14543] Microsoft Exchange Server 2003 Folder Handling Denial of Service
9.  [SA14567] Thunderbird "Save Link Target As..." Status Bar Spoofing Weakness
10. [SA14548] Linux Kernel "sys_epoll_wait()" Function Integer Overflow

========================================================================

4) Vulnerabilities Summary Listing

Windows:
[SA14580] aeNovo Database Disclosure of Sensitive Information
[SA14553] Active Webcam Denial of Service and Local File Detection
[SA14601] GoodTech Telnet Server Buffer Overflow Vulnerability
[SA14564] MySQL MS-DOS Device Names Denial of Service Vulnerability

UNIX/Linux:
[SA14597] Mandrake update for cyrus-sasl
[SA14574] Gentoo update for libexif
[SA14572] Gentoo update for xorg-x11
[SA14552] SUSE update for realplayer
[SA14606] Fedora update for sylpheed
[SA14603] Gentoo update for ringtonetools
[SA14596] Mandrake update for ethereal
[SA14594] Ubuntu update for kernel
[SA14587] Fedora update for ipsec-tools
[SA14586] IPsec-Tools ISAKMP Header Parsing Denial of Service
[SA14584] KAME Racoon ISAKMP Header Parsing Denial of Service
[SA14573] Gentoo update for ethereal
[SA14570] Linux Kernel PPP Server Denial of Service Vulnerability
[SA14598] Mandrake update for openslp
[SA14581] SUSE update for openslp
[SA14561] OpenSLP Buffer Overflow Vulnerabilities
[SA14593] Ubuntu update for mysql
[SA14582] Debian luxman Privilege Escalation Vulnerability
[SA14562] rxvt-unicode Terminal Input Buffer Overflow Vulnerability
[SA14563] Conectiva update for gaim
[SA14558] Red Hat update for gaim
[SA14591] KDE Desktop Communication Protocol Denial of Service Vulnerability
Other:
[SA14557] Xerox MicroServer Web Server URL Handling Denial of Service
[SA14556] Xerox Document Centre Web Server Unauthorised Access Vulnerability

Cross Platform:
[SA14600] PHPOpenChat "sourcedir" File Inclusion Vulnerability
[SA14577] VoteBox "VoteBoxPath" File Inclusion Vulnerability
[SA14566] holaCMS "vote_filename" Directory Traversal Vulnerability
[SA14559] WEBInsta Limbo "absolute_path" File Inclusion Vulnerability
[SA14602] ZPanel "uname" SQL Injection and Security Bypass
[SA14595] Symantec Products Unspecified DNS Cache Poisoning Vulnerability
[SA14590] paBox "posticon" Script Insertion Vulnerability
[SA14583] SimpGB "quote" SQL Injection Vulnerability
[SA14579] Spinworks Application Server Web Server Denial of Service
[SA14578] UBB.threads "Number" SQL Injection Vulnerability
[SA14576] PhotoPost PHP Pro Multiple Vulnerabilities
[SA14555] LimeWire Gnutella Disclosure of Sensitive Information
[SA14599] phpMyAdmin "_" Wildcard Permissions Security Bypass
[SA14592] phpPgAds / phpAdsNew "refresh" Cross-Site Scripting Vulnerability
[SA14589] WebSphere Commerce Private Information Disclosure
[SA14554] Phorum Script Insertion Vulnerabilities
[SA14588] Cosminexus Server Component Container Tomcat Denial of Service
[SA14575] MaxDB Web Agent Denial of Service Vulnerabilities
[SA14569] Apache Tomcat AJP12 Protocol Denial of Service Vulnerability
[SA14607] Novell iChain miniFTP Server Brute Force Weakness
[SA14568] Mozilla "Save Link Target As..." Status Bar Spoofing Weakness
[SA14567] Thunderbird "Save Link Target As..." Status Bar Spoofing Weakness
[SA14565] Firefox "Save Link As..." Status Bar Spoofing Weakness
[SA14560] Citrix MetaFrame Password Manager Secondary Password Disclosure

========================================================================

5) Vulnerabilities Content Listing

Windows:
--

[SA14580] aeNovo Database Disclosure of Sensitive Information
Critical: Moderately critical
Where:    From remote
Impact:   Exposure of sensitive information
Released: 2005-03-14

farhad koosha has reported a security issue in aeNovo, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/14580/

--

[SA14553] Active Webcam Denial of Service and Local File Detection
Critical: Moderately critical
Where:    From remote
Impact:   Exposure of system information, DoS
Released: 2005-03-10

Sowhat has reported two vulnerabilities and a weakness in Active Webcam, which can be exploited by malicious people to cause a DoS (Denial of Service) and detect the presence of local files.

Full Advisory:
http://secunia.com/advisories/14553/

--

[SA14601] GoodTech Telnet Server Buffer Overflow Vulnerability
Critical: Moderately critical
Where:    From local network
Impact:   System access
Released: 2005-03-16

Komrade has reported a vulnerability in GoodTech Telnet Server, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14601/

--

[SA14564] MySQL MS-DOS Device Names Denial of Service Vulnerability
Critical: Not critical
Where:    From local network
Impact:   DoS
Released: 2005-03-14

Luca Ercoli has reported a vulnerability in MySQL, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14564/

UNIX/Linux:
--

[SA14597] Mandrake update for cyrus-sasl
Critical: Highly critical
Where:    From remote
Impact:   System access
Released: 2005-03-16

MandrakeSoft has issued an update for cyrus-sasl. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/14597/

--

[SA14574] Gentoo update for libexif
Critical: Highly critical
Where:    From remote
Impact:   System access, DoS
Released: 2005-03-14

Gentoo has issued an update for libexif. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14574/

--

[SA14572] Gentoo update for xorg-x11
Critical: Highly critical
Where:    From remote
Impact:   System access
Released: 2005-03-14

Gentoo has issued an update for xorg-x11. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14572/

--

[SA14552] SUSE update for realplayer
Critical: Highly critical
Where:    From remote
Impact:   System access
Released: 2005-03-10

SUSE has issued an update for realplayer. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14552/

--

[SA14606] Fedora update for sylpheed
Critical: Moderately critical
Where:    From remote
Impact:   System access
Released: 2005-03-16

Fedora has issued an update for sylpheed. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14606/

--

[SA14603] Gentoo update for ringtonetools
Critical: Moderately critical
Where:    From remote
Impact:   System access
Released: 2005-03-16

Gentoo has issued an update for ringtonetools. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14603/

--

[SA14596] Mandrake update for ethereal
Critical: Moderately critical
Where:    From remote
Impact:   DoS, System access
Released: 2005-03-16

MandrakeSoft has issued an update for ethereal.
This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14596/

--

[SA14594] Ubuntu update for kernel
Critical: Moderately critical
Where:    From remote
Impact:   Exposure of sensitive information, Privilege escalation, DoS
Released: 2005-03-16

Ubuntu has issued an update for the kernel. This fixes multiple vulnerabilities, which can be exploited to disclose kernel memory, gain escalated privileges or cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14594/

--

[SA14587] Fedora update for ipsec-tools
Critical: Moderately critical
Where:    From remote
Impact:   DoS
Released: 2005-03-15

Fedora has issued an update for ipsec-tools. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14587/

--

[SA14586] IPsec-Tools ISAKMP Header Parsing Denial of Service
Critical: Moderately critical
Where:    From remote
Impact:   DoS
Released: 2005-03-15

A vulnerability has been reported in IPsec-Tools, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14586/

--

[SA14584] KAME Racoon ISAKMP Header Parsing Denial of Service
Critical: Moderately critical
Where:    From remote
Impact:   DoS
Released: 2005-03-15

Sebastian Krahmer has reported a vulnerability in KAME Racoon, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14584/

--

[SA14573] Gentoo update for ethereal
Critical: Moderately critical
Where:    From remote
Impact:   DoS, System access
Released: 2005-03-14

Gentoo has issued an update for ethereal. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/14573/

--

[SA14570] Linux Kernel PPP Server Denial of Service Vulnerability
Critical: Moderately critical
Where:    From remote
Impact:   DoS
Released: 2005-03-16

Ben Martel and Stephen Blackheath have reported a vulnerability in the Linux kernel, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14570/

--

[SA14598] Mandrake update for openslp
Critical: Moderately critical
Where:    From local network
Impact:   System access
Released: 2005-03-16

MandrakeSoft has issued an update for openslp. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14598/

--

[SA14581] SUSE update for openslp
Critical: Moderately critical
Where:    From local network
Impact:   System access
Released: 2005-03-15

SUSE has issued an update for openslp. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14581/

--

[SA14561] OpenSLP Buffer Overflow Vulnerabilities
Critical: Moderately critical
Where:    From local network
Impact:   System access
Released: 2005-03-15

SUSE Security Team has reported some vulnerabilities in OpenSLP, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14561/

--

[SA14593] Ubuntu update for mysql
Critical: Less critical
Where:    From local network
Impact:   Privilege escalation, System access
Released: 2005-03-16

Ubuntu has issued an update for mysql. This fixes some vulnerabilities, which potentially can be exploited by malicious users to compromise a vulnerable system and by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory:
http://secunia.com/advisories/14593/

--

[SA14582] Debian luxman Privilege Escalation Vulnerability
Critical: Less critical
Where:    Local system
Impact:   Privilege escalation
Released: 2005-03-15

Debian has issued an update for luxman. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/14582/

--

[SA14562] rxvt-unicode Terminal Input Buffer Overflow Vulnerability
Critical: Less critical
Where:    Local system
Impact:   Privilege escalation
Released: 2005-03-15

A vulnerability has been reported in rxvt-unicode, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/14562/

--

[SA14563] Conectiva update for gaim
Critical: Not critical
Where:    From remote
Impact:   DoS
Released: 2005-03-15

Conectiva has issued an update for gaim. This fixes three weaknesses, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14563/

--

[SA14558] Red Hat update for gaim
Critical: Not critical
Where:    From remote
Impact:   DoS
Released: 2005-03-11

Red Hat has issued an update for gaim. This fixes three weaknesses, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14558/

--

[SA14591] KDE Desktop Communication Protocol Denial of Service Vulnerability
Critical: Not critical
Where:    Local system
Impact:   DoS
Released: 2005-03-16

Sebastian Krahmer has reported a vulnerability in KDE, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/14591/

Other:
--

[SA14557] Xerox MicroServer Web Server URL Handling Denial of Service
Critical: Less critical
Where:    From local network
Impact:   DoS
Released: 2005-03-11

A vulnerability has been reported in Xerox Document Centre, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14557/

--

[SA14556] Xerox Document Centre Web Server Unauthorised Access Vulnerability
Critical: Less critical
Where:    From local network
Impact:   Security Bypass
Released: 2005-03-11

A vulnerability has been reported in Xerox Document Centre, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/14556/

Cross Platform:
--

[SA14600] PHPOpenChat "sourcedir" File Inclusion Vulnerability
Critical: Highly critical
Where:    From remote
Impact:   System access
Released: 2005-03-16

Mafia_Boy has reported a vulnerability in PHPOpenChat, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14600/

--

[SA14577] VoteBox "VoteBoxPath" File Inclusion Vulnerability
Critical: Highly critical
Where:    From remote
Impact:   System access
Released: 2005-03-15

SmOk3 has reported a vulnerability in VoteBox, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14577/

--

[SA14566] holaCMS "vote_filename" Directory Traversal Vulnerability
Critical: Highly critical
Where:    From remote
Impact:   System access
Released: 2005-03-14

Virginity has reported a vulnerability in holaCMS, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/14566/

--

[SA14559] WEBInsta Limbo "absolute_path" File Inclusion Vulnerability
Critical: Highly critical
Where:    From remote
Impact:   System access
Released: 2005-03-11

Fidel Costa has discovered a vulnerability in WEBInsta Limbo, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14559/

--

[SA14602] ZPanel "uname" SQL Injection and Security Bypass
Critical: Moderately critical
Where:    From remote
Impact:   Security Bypass, Manipulation of data
Released: 2005-03-16

Mikhail has reported a vulnerability and a security issue in ZPanel, which can be exploited by malicious people to conduct SQL injection attacks and bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/14602/

--

[SA14595] Symantec Products Unspecified DNS Cache Poisoning Vulnerability
Critical: Moderately critical
Where:    From remote
Impact:   Spoofing, Manipulation of data
Released: 2005-03-16

A vulnerability has been reported in various Symantec gateway products, which can be exploited by malicious people to poison the DNS cache.

Full Advisory:
http://secunia.com/advisories/14595/

--

[SA14590] paBox "posticon" Script Insertion Vulnerability
Critical: Moderately critical
Where:    From remote
Impact:   Cross Site Scripting
Released: 2005-03-15

Rift has discovered a vulnerability in paBox, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/14590/

--

[SA14583] SimpGB "quote" SQL Injection Vulnerability
Critical: Moderately critical
Where:    From remote
Impact:   Manipulation of data
Released: 2005-03-15

Alexander Müller has reported a vulnerability in SimpGB, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/14583/

--

[SA14579] Spinworks Application Server Web Server Denial of Service
Critical: Moderately critical
Where:    From remote
Impact:   DoS
Released: 2005-03-14

Dr_insane has discovered a vulnerability in Spinworks Application Server, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14579/

--

[SA14578] UBB.threads "Number" SQL Injection Vulnerability
Critical: Moderately critical
Where:    From remote
Impact:   Manipulation of data
Released: 2005-03-14

ADZ Security Team has reported a vulnerability in UBB.threads, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/14578/

--

[SA14576] PhotoPost PHP Pro Multiple Vulnerabilities
Critical: Moderately critical
Where:    From remote
Impact:   Security Bypass, Cross Site Scripting, Manipulation of data
Released: 2005-03-14

Igor Franchuk has reported some vulnerabilities in PhotoPost PHP Pro, which can be exploited to conduct script insertion and SQL injection attacks, bypass certain security restrictions and manipulate potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/14576/

--

[SA14555] LimeWire Gnutella Disclosure of Sensitive Information
Critical: Moderately critical
Where:    From remote
Impact:   Exposure of sensitive information
Released: 2005-03-15

Kevin Walsh has reported two vulnerabilities in LimeWire, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/14555/

--

[SA14599] phpMyAdmin "_" Wildcard Permissions Security Bypass
Critical: Less critical
Where:    From remote
Impact:   Security Bypass
Released: 2005-03-16

A vulnerability has been reported in phpMyAdmin, which can be exploited by malicious users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/14599/

--

[SA14592] phpPgAds / phpAdsNew "refresh" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-03-15

Maksymilian Arciemowicz has reported a vulnerability in phpPgAds and phpAdsNew, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/14592/

--

[SA14589] WebSphere Commerce Private Information Disclosure

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2005-03-15

A security issue has been reported in WebSphere Commerce, which may result in sensitive information being disclosed to malicious people.

Full Advisory: http://secunia.com/advisories/14589/

--

[SA14554] Phorum Script Insertion Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-03-11

Jon Oberheide has reported some vulnerabilities in Phorum, which can be exploited by malicious users to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/14554/

--

[SA14588] Cosminexus Server Component Container Tomcat Denial of Service

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2005-03-15

The vendor has acknowledged a vulnerability in Cosminexus Server Component Container and Cosminexus Server Component Container for Java, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14588/

--

[SA14575] MaxDB Web Agent Denial of Service Vulnerabilities

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2005-03-15

Some vulnerabilities have been reported in MaxDB, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/14575/

--

[SA14569] Apache Tomcat AJP12 Protocol Denial of Service Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2005-03-15

Hitachi Incident Response Team has reported a vulnerability in Tomcat, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/14569/

--

[SA14607] Novell iChain miniFTP Server Brute Force Weakness

Critical:    Not critical
Where:       From remote
Impact:      Brute force
Released:    2005-03-16

Francisco Amato has reported a weakness in Novell iChain, which can be exploited by malicious people to potentially brute force a user's password.

Full Advisory: http://secunia.com/advisories/14607/

--

[SA14568] Mozilla "Save Link Target As..." Status Bar Spoofing Weakness

Critical:    Not critical
Where:       From remote
Impact:      Spoofing
Released:    2005-03-14

bitlance winter has discovered a weakness in Mozilla, which can be exploited by malicious people to trick users into saving malicious files by obfuscating URLs.

Full Advisory: http://secunia.com/advisories/14568/

--

[SA14567] Thunderbird "Save Link Target As..." Status Bar Spoofing Weakness

Critical:    Not critical
Where:       From remote
Impact:      Spoofing
Released:    2005-03-14

bitlance winter has discovered a weakness in Thunderbird, which can be exploited by malicious people to trick users into saving malicious files by obfuscating URLs.

Full Advisory: http://secunia.com/advisories/14567/

--

[SA14565] Firefox "Save Link As..." Status Bar Spoofing Weakness

Critical:    Not critical
Where:       From remote
Impact:      Spoofing
Released:    2005-03-14

bitlance winter has discovered a weakness in Firefox, which can be exploited by malicious people to trick users into saving malicious files by obfuscating URLs.
Full Advisory: http://secunia.com/advisories/14565/

--

[SA14560] Citrix MetaFrame Password Manager Secondary Password Disclosure

Critical:    Not critical
Where:       From local network
Impact:      Security Bypass, Exposure of sensitive information
Released:    2005-03-16

A security issue has been reported in MetaFrame Password Manager, which can be exploited by malicious users to gain knowledge of potentially sensitive information.

Full Advisory: http://secunia.com/advisories/14560/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web   : http://secunia.com/
E-mail: support@secunia.com
Tel   : +45 70 20 51 44
Fax   : +45 70 20 51 45

From isn at c4i.org Fri Mar 18 02:29:23 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 18 02:45:33 2005
Subject: [ISN] How To Save The Internet
Message-ID:

Forwarded from: security curmudgeon
Cc: sberinato@cio.com

This was certainly an interesting article. Bit naive.. bit of FUD.. bit of hypocrisy.. it had it all! All in all, I rate this piece a Big load of crap. Comments inline..

: http://www.cio.com/archive/031505/security.html
:
: BY SCOTT BERINATO
:
: Professor Hannu H. Kari of the Helsinki University of Technology is a
: smart guy, but most people thought he was just being provocative when he
: predicted, back in 2001, that the Internet would shut down by 2006.
: "The reason for this will be that proper users' dissatisfaction will
: have reached such heights by then that some other system will be
: needed,"

I don't think I need to cover how absurd "the internet would shut down" is.
Hell, people still have trouble defining it, let alone declaring "it" shut down.

: Kari holds dozens of patents. He helped invent the technology that
: enables cell phones to receive data. He's a former head of Mensa
: Finland. Still, many observers pegged him as an irresponsible doomsayer
: and, seeing as how he consults for security vendors, a mercenary one at
: that.

Sounds like another case of academia promoting their ideas without grounding themselves in a healthy dose of reality. Mensa and patents mean nothing really. I think he is confusing user disgust with the internet being "shut down". And for all of his stats on worms and viruses and cyberattacks and spam (and oh my!), I'd love to see his statistics showing any trend of portions of the internet "shutting down" or users giving up on the net completely due to frustration. Sure, lots of bad things continue to happen and the trend is growing.. but how about this result he predicts? Any statistics or trends to back the rest?

: attacking the machines it targeted. Paul Stich, CEO of managed
: security provider Counterpane, reports that attempted attacks on his
: company's customers multiplied from 70,000 in 2003 to 400,000 in 2004,
: an increase of over 400 percent. Ed Amoroso, CISO of AT&T, says that

I think we're close to the ten year anniversary of asking journalists (and most security professionals) the following question: What exactly do you mean by 'attack'? Remember, a lot of these FUD spreaders (including .gov agencies) count a *ping* as an attack. Without qualifying what 'attack' means, any statistic that mentions said 'attacks' is *worthless fluff*.

: among the 2.8 million e-mails sent to his company every day, 2.1
: million, or 75 percent, are junk. The increasing clutter of online junk
: is driving people off the Internet.
: In a survey by the Pew Internet and
: American Life Project, 29 percent of respondents reported reducing their
: use of e-mail because of spam, and more than three-quarters, 77 percent,
: labeled the act of being online "unpleasant and annoying." Indeed, in

And how many of those people STOPPED using the net as a result? Almost everyone I know thinks that driving to and from work is "unpleasant and annoying", yet less than 0.01% stopped doing it.

: Kari may have overstepped by naming a specific date for the Internet's
: demise, but fundamentally, he's right. The trend is clear.

The *trend* has been there for a DECADE. Why say 2006 again?

: What was left was an impressive, broad and, sometimes, even fun list of
: Big Ideas to fix information security. Let's hope some take shape before
: 2006.
:
: Get All the Smart People Together and Give Them Lots of Money
: The best place to start is with a Big Idea to concentrate and organize
: all the other big ideas: a Manhattan Project for infosecurity.

Great idea, who pays the bill? Who determines the "smart people"? How long does it take for them to define the problems before developing technical solutions? Once they figure out brilliant solutions, how do you get everyone to implement them?

: Hire a Czar
: A surgeon general-like figure for security is not only a Big Idea; it's
: a popular one. Several folks suggest creating some kind of "government
: leader" or "public CIO for security," none more vocally than Paul Kurtz,
: the executive director of the Cyber Security Industry Alliance.

Hire a Czar, that's an original thought..

U.S. cybersecurity chief resigns
http://www.infoworld.com/infoworld/article/04/10/01/HNchiefresigns_1.html
Amit Yoran, director of the DHS National Cyber Security Division since September 2003 resigns.

--

U.S. Cybersecurity Czar to Resign
http://www.wired.com/news/politics/0,1283,57454,00.html
Richard Clarke, currently the nation's top cybersecurity adviser, will resign from government.
Having a "cyber security czar" is a pointless task unless his position means something, and has some real power.

: Eliminate All Coding Errors Within Two Years
: Mary Ann Davidson, CSO of Oracle and champion of the quality coding
: movement, says she's tired of coders arguing that their jobs are too
: creative to eliminate errors such as buffer overflows; that coding's an
: art, not a science.
:
: Davidson knows that, with billions of lines of legacy code and billions
: more in development, eliminating all coding errors is quite a lofty
: goal.

Oh this is hands down the most amusing, ironic AND disgusting thing I have read in a while. Hey Mary, you hypocritical pop tart, YOU WORK FOR ORACLE. Your products have more vulnerabilities than features year after year! You are the *last* person/company that should EVER speak on security practices. Davidson has been with Oracle for more than 15 years and the amount of vulnerabilities in their products is getting *worse*, not better. You show the rest of the world that your idea can work at Oracle, and I am sure the rest will follow.

: Pry PCs from Their Cold, Dead Hands
: Guns are dangerous; therefore, we license them. We give them unique
: serial numbers and control their distribution. James Whittaker says
: programmable PCs are dangerous, so why not treat them like guns?

According to the CDC, there were 17,638 homicides in 2002 [1]. We license guns for a reason. In 2001, there were 42,443 deaths from automobile accidents injuries [2]. We license automobile drivers for a reason. In 2001, 2002, 2003 and 2004, how many deaths were attributed to computers? According to one worldwide study, smoking was blamed for 5 million deaths in 2000 [3], and we don't even license people to purchase smoking products. Statistics and logic aside, who determines or standardizes the licensing? Who issues them? Who polices and revokes them?
: Call the Cybercops
: With a "Cyberpol," you could license private eyes and forensic experts
: who not only would facilitate the cooperation but also would improve
: response time, as there already isn't enough law enforcement for
: cybercrime.

And should this 'Cyberpol' follow 'Interpol'? What happens when a country doesn't participate or honor Interpol requests? What happens when a "licensed private eye" goes to a U.S. based ISP and asks for logs that require a federal subpoena? It just added a layer of bureaucracy and hindered the investigation, potentially when time is critical.

: Unleash the Power of XML and Meta-Data
: Several people suggest using XML and meta-data to tag websites with
: safety, reputation, past performance and other security ratings to act
: as signposts for dangerous cyberneighborhoods. A virtual Better Business
: Bureau could manage the data so that when users visit a website, their
: computers pull down the XML meta-data about that site.

This has an obvious problem. Who exactly decides what sites are bad.. this new virtual BBB? Take organizations that try to do this for specific areas of the industry right now. SpamCop or other blackhole list maintainers and commercial content filter products are the first to come to mind. If these are indications of what this virtual BBB might accomplish, no thanks. Many people feel they do as much harm as they do good. My domain has sent out 0 spam in the past 5 years, yet we have been blacklisted on at least three different RBL lists including SpamCop (several times). Each time it took a small miracle to get the domain removed entirely due to THEIR process for handling such cases. Almost every single content filtering software blocks my domain .. why? Criminal activity says one.. pornography says another.. hacker material says a third. Yet every security company and federal law enforcement agency *relied* on the information we provided for several years.
These designations are completely subjective based on the audience, something no software or programmer can adequately determine and enforce. How exactly is this proposed BBB going to handle rating the 60,442,655 web sites available in March of 2005 [4]?

All in all, this list of Big Ideas seems like a Big joke mostly written by Big windbags that don't understand the Big internet that they propose to drastically change.

jericho
attrition.org

[1] http://www.cdc.gov/nchs/fastats/homicide.htm
[2] http://www.wrongdiagnosis.com/a/automobile_accidents_injury/deaths.htm
[3] http://my.webmd.com/content/article/97/104239.htm?z=1728_00000_1000_nd_04
[4] http://news.netcraft.com/archives/web_server_survey.html

From isn at c4i.org Fri Mar 18 02:34:45 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 18 02:45:36 2005
Subject: [ISN] France puts a damper on flaw hunting
Message-ID:

Forwarded from: Kitetoa at Kitetoa.com

> Forwarded from: security curmudgeon
>
> Would be nice if some of the French speaking list members could
> translate the court ruling and help clear this up.

*************************************************

The question starts to spread on the mailing-lists and the forums about computer security. Is the trial "Tegam versus Guillermito" and the resulting suspended 5000 euros fine, for counterfeiting and diffusion of a proof of concept program, a threat to the right to search for bugs? Does this judgment mean the end, in France, of the full disclosure concept? Does it create a permanent legal risk for the security experts? In other words, is there a legal risk for all the bug researchers if a company does not accept critics about its software, as it was the case for the Tegam versus Guillermito trial?

Let me tell you what **I** think (what **I** think may not be true, who knows?..).

Yes and No

Let's get back to the verdict. This personal analysis is not a legal analysis as I'm not a lawyer...
Guillermito was found guilty of counterfeiting and publishing the result of the counterfeit stuff (which in fact were a few P.O.Cs.) This means that the court indeed estimated that Guillermito *is* guilty of counterfeiting Viguard, Tegam's software (because he didn't have a valid licence). According to the judges' ruling, he did publish the counterfeit software.

How do you do this when you are studying how a software works (or doesn't work as it should)? Guillermito did not buy his software (he lives in the US where he could not buy it in the stores, neither online, and there were no demo version available). Later on, before publishing anything on his website, a Viguard user did send him his own software and licence number. But the court did not buy this argument.

So... Guillermito worked on an unregistered version of Viguard. He wrote a few P.O.Cs (proof of concept). And he published these P.O.Cs on his web page. That is why the ruling says he did publish the "counterfeit software". Keep in mind all this is about intellectual property and has nothing to do with re-creating a brand new Viguard, which he didn't.

Security experts might say that because of all these details, the situation is a little bit different from what they deal with every day. There is also a big debate (the court didn't even mention this fact) because Tegam says Guillermito used decompilation which he strongly denies. Same stuff for the fact that Guillermito could not get a valid licence of Viguard as it is not sold in the US. Same for the fact that apparently, Tegam did include Guillermito's findings in their next software version. But judges only look at the legal part. They didn't get much into the technical side for the ruling.

So... will this ruling set a legal precedent for full disclosure?

Yes and no...

Yes, because as far as I know this is the first time in this country that a bug hunter is sued by a software company (sir, he hadn't got a licence!).
In a future case like this one, a lawyer will certainly mention this precedent. The judge will not **have to** take the same decision. Moreover, this is just a first decision. There may be an appeal.

No, because in this case, Guillermito didn't own a valid licence of this software. Obviously French bug hunters will dodge this kind of problem by buying the software they want to analyze. Of course, it will be impossible to publish anything about a non-French program that cannot be bought in a store or online.

This being said, this decision will produce some collateral damage on bug hunting. As we already wrote about it on kitetoa.com, French computer security mailing lists, French computer security firms, individuals, CERTs or CERTA will take a heavy legal risk if at one point they decide to publish an advisory written by someone from another country, without knowing if the hacker had a valid licence for the software. They could probably be sued for publishing counterfeited information if there is a POC.

So, we can say that France just shot herself in the foot. It is now difficult to publish and spread computer security information, because each time, people will have to verify that the work was done on a software with a valid licence. Good luck.

Here are, for those who read French, some comments on this case made by a lawyer who followed the whole story and was present during most of the trial:
http://maitre.eolas.free.fr/journal/index.php?2005/03/08/87-guillermito-condamne-mais-tres-legerement

Finally, after reading this excellent comment by Maitre Eolas, computer specialists can wonder about the amount of bytes reproduced in the POCs, which transform them into counterfeiting. Viguard is probably around several megabytes of data. For how many reproduced bytes do we have a counterfeiting, if we don't have a valid licence? And what about if we do have a valid licence?
Read also in English:
http://www.eweek.com/article2/0%2C1759%2C1758513%2C00.asp
http://www.theregister.co.uk/2005/03/10/tegam_verdict/
http://www.theregister.co.uk/2005/01/12/full_disclosure_french_trial/
http://www.zdnet.com.au/news/security/0%2C2000061744%2C39183862%2C00.htm
http://www.zdnet.com.au/news/security/0,2000061744,39176657,00.htm
http://www.zdnet.com.au/news/security/0,2000061744,39176920,00.htm

From isn at c4i.org Fri Mar 18 02:35:40 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 18 02:45:39 2005
Subject: [ISN] Auditors Find IRS Workers Prone to Hackers
Message-ID:

http://www.sfgate.com/cgi-bin/article.cgi?file=/news/archive/2005/03/16/national/w162055S07.DTL

By MARY DALRYMPLE, AP Tax Writer
March 16, 2005

WASHINGTON, (AP) - More than one-third of Internal Revenue Service employees and managers who were contacted by Treasury Department inspectors posing as computer technicians provided their computer login and changed their password, a government report said Wednesday.

The report by the Treasury Department's inspector general for tax administration reveals a human flaw in the security system that protects taxpayer data. It also comes on the heels of accounts of thieves' breaking into computer systems of private data suppliers ChoicePoint Inc. and LexisNexis.

The auditors called 100 IRS employees and managers, portraying themselves as personnel from the information technology help desk trying to correct a network problem. They asked the employees to provide their network logon name and temporarily change their password to one they suggested.

"We were able to convince 35 managers and employees to provide us their username and change their password," the report said. That was a 50 percent improvement when compared with a similar test in 2001, when 71 employees cooperated and changed their passwords.

"With an employee's user account name and password, a hacker could gain access to that employee's access privileges," the report said.

"Even more significant, a disgruntled employee could use the same social engineering tactics and obtain another employee's username and password," auditors said. With some knowledge of IRS systems, such an employee could more easily get access to taxpayer data or damage the agency's computer systems.

Employees gave several reasons for complying with the request, in violation of IRS rules that prohibit employees from divulging their passwords. Some said they were not aware of the hacking technique and did not suspect foul play, or they wanted to be as helpful as possible to the computer technicians. Some were having network problems at the time, so the call seemed logical. Other employees could not find the caller's name on a global IRS employee directory but gave their information anyway. Some hesitated but got approval from their managers to cooperate.

Within two days after the test, the IRS issued an e-mail alert about the hacking technique and instructed employees to notify security officials if they get such calls. The agency also included warnings in its mandatory security training.

-=-

On the Net:
Treasury Inspector General for Tax Administration: www.treas.gov/tigta

From isn at c4i.org Fri Mar 18 02:36:09 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 18 02:45:41 2005
Subject: [ISN] Security Services Heading for Boom Years
Message-ID:

http://www.arabnews.com/?page=1&section=0&article=60569

Javid Hassan
Arab News
17th March 2005

RIYADH, 17 March 2005 - With the demand for security products and systems expected to double or even treble this year from the current level of $200 million annually, security analysts say business inquiries are streaming in from two directions - IT-related security for Saudi firms and physical security for Western expatriates working in joint ventures.

"The political situation in the Middle East remains uncertain.
As a result, every company with operations in the region, and especially in Saudi Arabia, recognizes the need for heightened security," said Neil Quilliam, senior analyst, Middle East, Control Risks Group, which maintains the largest presence in the Kingdom, where it supports major corporate and government clients in the oil, chemical and energy sectors.

Quilliam, now in Riyadh as a member of the British Water and Environmental Technologies Mission, worked for a year in Jeddah during the late 1990s. He feels that his stay in the Kingdom has enabled him to understand the dynamics of Saudi society and, therefore, the dimensions of security in a given situation.

"We are the world's leading international business risk consultancy operating in over 130 countries with more than 5,300 clients," he said, adding that their political analysts advise the client on likely developments over the medium- to long-term risk in Saudi Arabia. "Our Control Risks Information Service has helped clients stay abreast of developments and to plan journeys to meet Saudi counterparts in Riyadh and Alkhobar."

According to him, demand for security services will escalate in the Kingdom as it scouts for overseas investment.

From isn at c4i.org Fri Mar 18 02:36:44 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 18 02:45:44 2005
Subject: [ISN] Johnson & Johnson tackles security pain
Message-ID:

http://www.nwfusion.com/news/2005/031405-johnson-johnson.html

By Ellen Messmer
Network World
03/14/05

For Johnson & Johnson, the health-care giant with more than 200 separate companies operating in 54 countries, one of the biggest problems encountered in e-commerce was finding a way to quickly get business partners access to the network but enforce security.

The problem vexed the Brunswick, N.J., maker of pharmaceuticals and medical equipment because e-commerce partners, once given access, sometimes introduced worms and viruses into the company's network.
In addition, the process of reviewing business requests for network access between a J&J unit and its intended partner had become burdensome, delaying e-commerce transactions.

However, IT staff at J&J said since new security procedures put in place a year ago altered the equation, it has been much faster to process network-access requests. Through the uniform monitoring and documentation processes, security has improved, with worm and virus outbreaks emanating from business partners reduced to nil.

"The documentation is still a bit cumbersome, but now it's a repeatable process," says Thomas Bunt, director of worldwide information security at J&J, about the challenge of providing network access for business partners. "We're facing an increased demand for external connections, and it wasn't easy to do this."

When a business manager at J&J wants to have counterparts in outside firms gain access to internal applications for e-commerce, the IT department is summoned to assess risk. First, the J&J unit and the outside firm have to fill out a detailed questionnaire about the nature of the connection request, says Denise Medd, information security senior analyst.

In addition, J&J expects the intended e-commerce partner to submit to a security assessment and evaluation. This vulnerability assessment may be done by a neutral third party, but the goal is to ensure that doing business via the network connection, which is typically opened up via a J&J firewall, presents no unnecessary risks.

The J&J operating company, officially known as "the sponsor," is held to the same standards, Medd emphasizes. Occasionally, a request for network access is turned down, especially if the J&J side has servers lacking proper patch-update mechanisms or other shortcomings. "There is a final review, and we will not let an insecure connection go live," Medd says.

The IT and security professionals at J&J worked with the legal department to craft standard procedures for requests and evaluations.
J&J and its partner also must complete a contract or memo of understanding regarding the network connection to be established. "We'll look closely at what the connectivity is, and typically a limited number of people could have access," Bunt says, pointing out that J&J strives to accommodate requests for a range of VPN access methods. J&J also includes an inspection process every six months to ascertain the security of the network connection.

The risk management procedure has resulted in a dramatic drop in virus and worm outbreaks. Sometimes business project managers grumble about the assessment process, but management's solid backing of it has made it a uniformly enforced process that is in effect with hundreds of outside firms, Bunt says.

The IT department says it hopes to streamline the risk evaluation further by drawing up standardized interconnection security agreements and a uniform set of questions to ask outside firms wanting access to J&J's internal network. "We also need to better explain to our partners why they need to do this and how they benefit by getting a good look at our security posture," Bunt says.

From isn at c4i.org Fri Mar 18 02:37:59 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 18 02:45:46 2005
Subject: [ISN] Security UPDATE--The Future of Malware Defense? -- March 16, 2005
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

High Availability for Windows Services
http://list.windowsitpro.com/t?ctl=53D5:4FB69

10 Ways to Effectively Secure Active Directory
http://list.windowsitpro.com/t?ctl=53D9:4FB69

====================

1. In Focus: The Future of Malware Defense?

2. Security News and Features
   - Recent Security Vulnerabilities
   - New Security Patches and Updates from Microsoft
   - Microsoft Takes Action Against Malware

3. Instant Poll

4. Security Toolkit
   - Security Matters Blog
   - Security Chat
   - FAQ
   - Security Forum Featured Thread

5. New and Improved
   - Fight Phishing

====================

==== Sponsor: The Neverfail Group ====

High Availability for Windows Services
It is no stretch to say that Windows high availability must be a fundamental element in your short- and long-term strategic IT planning. This free white paper discusses the core issues surrounding Windows high availability, with a focus on business drivers and benefits. You'll learn about the current market solutions, technologies and real-world challenges including cost-benefit analyses. Plus, find out how to assess technical elements required in choosing a high availability solution, including the robustness of the technology, time-to-failover, and implementation difficulties. Download this white paper now!
http://list.windowsitpro.com/t?ctl=53D5:4FB69

====================

==== 1. In Focus: The Future of Malware Defense? ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

You're probably aware that Microsoft is working on branding its antivirus and antispyware solutions. The company has already released an antispyware solution into public beta testing and has acquired well-established GeCAD Software and Sybari Software antivirus products.

Some industry analysts think that the most logical way to address spyware is to evolve antivirus solutions to incorporate the ability to prevent spyware from infecting systems in the first place. That's a reasonable approach, even though it's another step towards a single point of failure, which many security administrators try to avoid.

I read some interesting comments at CNET.com, which published an interview with Bill Gates.
The article implied that eventually antivirus solutions and possibly antispyware solutions will become integral parts of Windows. There's more to the story, which isn't covered in the CNET.com article.

I mentioned in an earlier column that Microsoft has published a research paper on root kits and has developed a detection tool that it hasn't made available to the public. The company released another interesting research paper several months ago that offers further insight into what other kinds of security-related technology the company might offer in the future.

The second paper, "Can We Contain Internet Worms?," was published in August 2004. In it, Microsoft researchers discuss how worms might become more readily containable as computers collaborate in a more automated manner. The concept, which the researchers have dubbed "Vigilante," proposes "a new host centric approach for automatic worm containment." The summary states that the technology "relies on collaborative worm detection at end hosts in the Internet but does not require hosts to trust each other. Hosts detect worms by analysing attempts to infect applications and broadcast self-certifying alerts (SCAs) when they detect a worm. SCAs are automatically generated machine-verifiable proofs of vulnerability; they can be independently and inexpensively verified by any host. Hosts can use SCAs to generate filters or patches that prevent infection."

You might think of this technology as sort of like a much smarter version of Snort or other intrusion detection and prevention systems. In essence, the proposal discusses a means of having hosts monitor their own activity and automatically contain misbehaving processes. When a host detects a worm, it can generate an alert that's broadcast to other hosts. The general idea is to decentralize detection systems so that worms can't evade detection by evading a particular network point.
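The self-certifying alert mechanism quoted above, as an added toy simulation in Python that is not code from the Microsoft paper or from this newsletter: a constructed message handler that trusts a declared length, an alert that carries the triggering input as its own proof, a receiving host that accepts the alert only after reproducing the out-of-bounds write in instrumented memory, and a filter generalised from that proof. The application, the memory model, the alert format and the sample alerts are all constructed for this example.

```python
"""Toy model of self-certifying alerts (SCAs) in the style the Vigilante
paper describes. Added example: the application, memory model and alert
format are constructed here and are not the paper's or any product's code."""
from dataclasses import dataclass
from typing import Callable, Optional

BUFFER_SIZE = 16  # constructed: size of the toy handler's receive buffer


class MemoryViolation(Exception):
    """Raised by instrumented (sandbox) memory on an out-of-bounds write."""


class Memory:
    """Constructed memory model: a buffer plus an adjacent region. Production
    memory silently accepts an overrun; instrumented memory reports it."""

    def __init__(self, instrumented: bool) -> None:
        self.buffer = bytearray(BUFFER_SIZE)
        self.adjacent = bytearray(BUFFER_SIZE)  # stands in for whatever follows
        self.instrumented = instrumented

    def write(self, offset: int, value: int) -> None:
        if offset < BUFFER_SIZE:
            self.buffer[offset] = value
        elif self.instrumented:
            raise MemoryViolation(f"write at {offset} past {BUFFER_SIZE}-byte buffer")
        elif offset < 2 * BUFFER_SIZE:
            self.adjacent[offset - BUFFER_SIZE] = value  # silent corruption
        # writes beyond the modelled region are simply dropped in this toy


def toy_handler(message: bytes, mem: Memory) -> None:
    """Constructed vulnerable service: byte 0 declares the body length and the
    handler trusts it instead of checking it against BUFFER_SIZE."""
    declared, body = message[0], message[1:]
    for i in range(declared):
        mem.write(i, body[i] if i < len(body) else 0)


@dataclass(frozen=True)
class SelfCertifyingAlert:
    """The alert carries its own evidence: the exact input that makes the
    application misbehave. Any host can re-run it; no trust in the sender."""
    application: str
    trigger: bytes
    claim: str


def reproduces_violation(trigger: bytes) -> bool:
    """Run the handler over an input in instrumented memory and report
    whether the claimed out-of-bounds write really happens."""
    try:
        toy_handler(trigger, Memory(instrumented=True))
    except MemoryViolation:
        return True
    return False


def verify_sca(sca: SelfCertifyingAlert) -> bool:
    """Independent, cheap verification: accept only what this host can
    reproduce locally. Unknown applications or claims are rejected."""
    if sca.application != "toy_handler" or sca.claim != "out-of-bounds write":
        return False
    return reproduces_violation(sca.trigger)


def minimal_trigger_length(sca: SelfCertifyingAlert) -> Optional[int]:
    """Generalise from the proof: shrink the declared length until the
    violation stops, yielding the smallest value that still overruns."""
    if not verify_sca(sca):
        return None
    declared, body = sca.trigger[0], sca.trigger[1:]
    while declared > 0 and reproduces_violation(bytes([declared - 1]) + body):
        declared -= 1
    return declared


def derive_filter(sca: SelfCertifyingAlert) -> Optional[Callable[[bytes], bool]]:
    """Turn a verified SCA into an input filter. Returns None for an alert the
    host could not verify, so a bogus or malicious SCA changes nothing."""
    threshold = minimal_trigger_length(sca)
    if threshold is None:
        return None
    return lambda message: len(message) > 0 and message[0] >= threshold


def protected_handle(message: bytes, blocker: Optional[Callable[[bytes], bool]]) -> bool:
    """Front the production handler with the derived filter. Returns True if
    the message was processed and False if the filter dropped it."""
    if blocker is not None and blocker(message):
        return False
    toy_handler(message, Memory(instrumented=False))
    return True


# Constructed sample alerts: declared length 40 overruns the 16-byte buffer;
# declared length 4 is harmless, so the second alert must be rejected.
GENUINE_SCA = SelfCertifyingAlert("toy_handler", bytes([40]) + b"A" * 40, "out-of-bounds write")
BOGUS_SCA = SelfCertifyingAlert("toy_handler", bytes([4]) + b"AAAA", "out-of-bounds write")
```

Running `derive_filter(GENUINE_SCA)` yields a filter with threshold 17 (the smallest declared length that still overruns), while `derive_filter(BOGUS_SCA)` returns None because the host cannot reproduce the claim.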
A key to the idea is that an SCA could verify worm detection by reproducing its effects. So hosts attain a level of trust by doing their own verification, instead of depending on third parties to provide signatures to endpoint detection systems.

Although the paper doesn't mention this specifically, the implications are huge. The same principles could be applied to viruses, Trojan horses, spyware, and just about any kind of application or network behavior. Such a system would become vulnerability-centric; instead of having to develop signatures for each variation of malware, the system would instead identify the vulnerability and be able to act to defend the system against it. For example, it could shut down an application, reconfigure a firewall, or generate some sort of patch.

There is much more to learn about the concept in the paper, which you can download in PDF format at the Microsoft Web site.
ftp://ftp.research.microsoft.com/pub/tr/TR-2004-83.pdf

====================

==== Sponsor: NetIQ ====

10 Ways to Effectively Secure Active Directory

Active Directory is vulnerable to malicious and inadvertent security attacks, thus protecting Active Directory from internal and external threats is a constant challenge. In this free white paper, learn how to configure Active Directory to be resistant to threats, and regulate changes so data consistency is protected and security policies are enforced. Download this white paper now and learn how to ensure a secure Active Directory environment.
http://list.windowsitpro.com/t?ctl=53D9:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities.
You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=53DA:4FB69

New Security Patches and Updates from Microsoft
Microsoft didn't release any new security bulletins in March, but the company did update previous bulletins (MS02-005 and MS02-015) to include patches for Windows 98 and Windows Me. The company also released an updated version of its Malicious Software Removal Tool.
http://list.windowsitpro.com/t?ctl=53DD:4FB69

Microsoft Takes Action Against Malware
Paul Thurrott examines what Microsoft is doing both this year and next to deal with spyware, adware, and similar types of electronic attacks.
http://list.windowsitpro.com/t?ctl=53DE:4FB69

====================

==== Resources and Events ====

Plan For or Prevent Exchange Messaging Disasters
In this free Web seminar, join Exchange MVP Paul Robichaux as he describes some operational scenarios in which "disaster recovery" takes a back seat to "business continuance." Learn how to be prepared for events that might otherwise wipe out your messaging capability and how you can survive them with your messaging and job intact.
http://list.windowsitpro.com/t?ctl=53D4:4FB69

Get Ready for SQL Server 2005 Roadshow in a City Near You
Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now!
http://list.windowsitpro.com/t?ctl=53D6:4FB69

Infosecurity Europe 2005
Infosecurity Europe is Europe's number one, dedicated Information Security event held April 26-28, 2005, Grand Hall, Olympia, London. Now in its 10th year, the event continues to provide an unrivalled education program, new products & services, exhibitors and visitors from every segment of the industry.
To register for FREE, please visit:
http://list.windowsitpro.com/t?ctl=53E7:4FB69

Empower Users and Produce Substantial ROI
Join industry expert David Chernicoff in this free Web seminar to learn how to integrate and automate fax from messaging systems such as Microsoft Exchange Server and Outlook and other various applications. And learn how to improve document handling and delivery by streamlining the integration of fax services into everyday business processes.
http://list.windowsitpro.com/t?ctl=53D7:4FB69

Achieve High Availability and Disaster Recovery for Microsoft Servers
Attend this free Web seminar for your chance to win a $1000 American Express Gift Check! In this Web seminar, discover what it takes to minimize the likelihood of downtime through reliability and resilience in your Microsoft server environment, including Exchange, SQL Server, File Server, IIS, and SharePoint. Sign up today!
http://list.windowsitpro.com/t?ctl=53D3:4FB69

====================

==== 3. Instant Poll ====

Results of Previous Poll:
Do you think Microsoft should offer Internet Explorer (IE) 7.0 for Windows 2000 platforms? The voting has closed in this Windows IT Pro Security Hot Topic nonscientific Instant Poll. Here are the results from the 44 votes.
- 77% Yes
- 23% No

New Instant Poll:
Do you consider IIS 6.0 to be a secure platform? Go to the Security Hot Topic and submit your vote for
- Yes
- No
http://list.windowsitpro.com/t?ctl=53E1:4FB69

==== 4. Security Toolkit ====

Security Matters Blog
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=53E6:4FB69

Got NT? Better Have Extended Support or a Good Firewall!
Windows NT systems contain a critical vulnerability for which a patch is available--if you have an extended support contract. You can also defend your NT systems with a good firewall.
http://list.windowsitpro.com/t?ctl=53DF:4FB69

Security Event Log Chat
Randy Franklin Smith is one of the foremost authorities on the Windows Security event log and a respected trainer who teaches Monterey Technology Group's "Security Log Secrets" course. Here's your chance to ask Randy your questions about the Security log and get answers Microsoft doesn't provide. Join the chat today at 4:00 P.M. Eastern / 1:00 P.M. Pacific time. For details, visit
http://list.windowsitpro.com/t?ctl=53E4:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=53E2:4FB69

Q. Should I define a "catch-all" subnet for my Active Directory (AD) sites?

Find the answer at
http://list.windowsitpro.com/t?ctl=53DC:4FB69

Security Forum Featured Thread: Best Network Security Scanner
A forum participant writes that he's decided to purchase software to check his network for open ports, vulnerabilities, permissive user rights, open shares, accounts with administrative rights, unapproved Instant Messaging (IM) software, and so on. He wonders what the best tool to use might be. Join the discussion at
http://list.windowsitpro.com/t?ctl=53D8:4FB69

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Get Windows IT Pro at 44% Off!
Windows & .NET Magazine is now Windows IT Pro! Act now to get an entire year for just $39.95--that's 44% off the cover price! Our March issue shows you what you need to know about Windows Server 2003 SP1, how to get the best out of your IT staff, and how to fight spyware. Plus, we review the top 10 features of Mozilla Firefox 1.0.
This is a limited-time, risk-free offer, so click here now:
http://list.windowsitpro.com/t?ctl=53E0:4FB69

Get SQL Server Magazine and Get Answers
Subscribe to SQL Server Magazine today and get the latest "Top SQL Server Tips" handbook (includes over 60 helpful SQL Server tips) and free online access to every article ever published in the magazine--that's thousands of problem-solving solutions, expert tips, tricks, and the latest insider notes to help you get the most out of SQL Server. Sign up today:
http://list.windowsitpro.com/t?ctl=53E5:4FB69

====================

==== 5. New and Improved ====
by Renee Munshi, products@windowsitpro.com

Fight Phishing
Cyberworlds offers Swidgets Email Xray, which lets you look inside Microsoft Outlook email messages to detect phishing attempts. The program lets you view your email messages as plain text so there's no possibility of being harmed by a malicious script or link. Email Xray also reveals the email headers and source code and lets you easily email this information to your Help desk or service provider. Email Xray works with Internet email and Microsoft Exchange Server messages, can be installed across a LAN, and lets administrators modify or disable specific features. Email Xray runs under Windows XP/2000/Me/98SE and works with Outlook 2003/2002/2000. Email Xray costs $14.95 (quantity and academic discounts and 15-day free trial copy are available). For more information, go to
http://list.windowsitpro.com/t?ctl=53E9:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.
Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rsecadmin@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Contact Us ====

About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=53E8:4FB69
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com

====================

This email newsletter is brought to you by Security Administrator, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=53DB:4FB69

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.

From isn at c4i.org Sat Mar 19 02:16:14 2005
From: isn at c4i.org (InfoSec News)
Date: Sat Mar 19 02:35:12 2005
Subject: [ISN] Dutch hackers sentenced for attack on government sites
Message-ID:

http://www.theregister.co.uk/2005/03/16/dutch_hackers_sentenced/

By Jan Libbenga
16th March 2005

Five computer hackers in the Netherlands have been handed sentences ranging from work orders to youth detention for disabling a number of websites operated by the Dutch government. A group of around 15 hackers, who called themselves '0x1fe Crew', carried out a Distributed Denial of Service (DDoS) attack last year on the government websites overheid.nl and regering.nl in a protest against recent cabinet proposals. The group claimed cabinet members were its sole targets.
The websites, the central gateway to all information on cabinet policy in the Netherlands, couldn't be reached for five days. The Dutch government immediately launched legal proceedings against the group and this week five hackers were convicted.

The main suspect, who was given a 38-day detention sentence, says he will appeal. The 18-year-old claims there is no technical proof of his participation in the attacks. "They sentenced me because I was the spokesman for the group," he told news site Webwereld.

It is the first time in the Netherlands that anyone has been convicted for such an attack.

From isn at c4i.org Sat Mar 19 02:17:00 2005
From: isn at c4i.org (InfoSec News)
Date: Sat Mar 19 02:35:16 2005
Subject: [ISN] Linux Advisory Watch - March 18th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  March 18th, 2005                             Volume 6, Number 11a  |
+---------------------------------------------------------------------+

  Editors:     Dave Wreski                   Benjamin D. Thomas
               dave@linuxsecurity.com        ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for gaim, kdenetwork, squirrelmail, luxman, hwbrowser, at, bind, openoffice, ipsec-tools, sylpheed, koffice, qt, ImageMagick, ethereal, udev, libXpm, Ethereal, rmtree, curl, cyrus-sasl, gnupg, openslp, tetex, postfix, and squid. The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat, and SuSE.

---

>> Enterprise Security for the Small Business <<

Never before has a small business productivity solution been designed with such robust security features. Engineered with security as a main focus, the Guardian Digital Internet Productivity Suite is the cost-effective solution small businesses have been waiting for.
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn07

---

Information Security

In today's business world there is an ever-growing reliance on information technology. Businesses and organizations rely on IT for distributed processing, the automation of tasks and electronic commerce. Processing that would have been done by hand years ago is now done completely on computers. This has evolved so much that many tasks are no longer feasible to conduct by hand. In fact, in some cases it would be impossible.

Typical business objectives include maximizing profit, having high sustainable growth, and keeping costs low. In information security, we are aiming to preserve the confidentiality, integrity, and availability of information from disclosure, modification, destruction or misuse. Businesses are at risk of loss of income, loss of competitive advantage, or possibly legal penalties if not compliant with regulations.

Why information security? Information is an essential resource for business today. Having the right information at the right time in the hands of the right people is often the difference between profit and loss, success and failure. We must understand that information is a key business asset and that preserving confidentiality, integrity, and availability is crucial to the continued success of the business. Once again, manual processing is no longer a feasible option. In the event of a failure, the employees would lose productivity and it would be very costly to the company.

Information security can help protect from confidentiality breaches. In the event of the unauthorized disclosure of schematics, a business could lose millions to a competitor, as well as the R&D time and money invested. Ensuring data integrity is also essential. Information security is also important to detect any violations that may occur, or mitigate any consequential damages that may result from a breach.
Also, information security practice can aid in the planning and facilitate a recovery strategy, ensuring that impact and loss are minimized. In the event of an investigation, having proper information security procedures in place can assist in the process of gathering evidence.

If managed properly, information security can be a business enabler. Rather than the 'badge and gun' attitude, information security professionals should approach it from a business perspective. How can information security save the organization money? How can it increase customer loyalty? If information security does not seem to help an organization, and only restricts it, it will not be a priority for executive management. Gaining top management support is crucial to creating a security environment.

The recommended approach for information security management includes setting a security policy, conducting a risk analysis, managing those risks, setting appropriate policies and procedures, monitoring, and developing a security awareness and training program. The traditional information security mechanisms include: access control, encipherment, authentication, policies, procedures, and training.

Information security is important, but why management? As security professionals, we must realize that technology is only part of the solution. Security is mostly a people problem, and people need managing. Policies, procedures, and creating an information security centered culture in an organization can often go much farther than technology alone can provide. Security is only as strong as the weakest link in the system. Often, the weakest link is management.

Information security management provides managers with the appropriate information to make decisions based on knowledge and facts, rather than feelings. Managers should no longer make decisions based on fear, uncertainty, and doubt, but make decisions which apply appropriate controls for the information at risk.
Appropriate means a balance between controls and convenience, and between the cost of a control and the potential loss. Information security should not be only a set of restrictive controls; it should be a business enabler. Management activities such as risk analysis, ownership, policy creation/enforcement, and procedures should all be part of an overall information security program. Often, the best way to approach management is to use well thought-out standards and methodologies such as ISO-17799 and the ISF Standards. Information security exists in business only to support business. We should realize that.

Benjamin D. Thomas
ben@linuxsecurity.com

----------------------

Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security and is therefore very simple. If the feedback is good, I'll consider creating more complex guides for advanced users. Please let us know what you think and how these can be improved.

Click to view video demo:
http://www.linuxsecurity.com/content/view/118181/49/

---

The Tao of Network Security Monitoring: Beyond Intrusion Detection

To be honest, this was one of the best books that I've read on network security. Other books often dive so deeply into technical discussions, they fail to provide any relevance to network engineers/administrators working in a corporate environment. Budgets, deadlines, and flexibility are issues that we must all address. The Tao of Network Security Monitoring is presented in such a way that all of these are still relevant. One of the greatest virtues of this book is that it offers real-life technical examples, while backing them up with relevant case studies.
http://www.linuxsecurity.com/content/view/118106/49/

---

Encrypting Shell Scripts

Do you have scripts that contain sensitive information like passwords and you pretty much depend on file permissions to keep it secure? If so, then that type of security is good provided you keep your system secure and some user doesn't have a "ps -ef" loop running in an attempt to capture that sensitive info (though some applications mask passwords in "ps" output).

http://www.linuxsecurity.com/content/view/117920/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Conectiva        | ----------------------------//
+---------------------------------+

* Conectiva: gaim Fixes for gaim's vulnerabilities
  14th, March, 2005

Gaim[1] is a multi-protocol instant messaging (IM) client. This announcement fixes three denial of service vulnerabilities that were encountered in Gaim.

http://www.linuxsecurity.com/content/view/118571

* Conectiva: kdenetwork Fix for kppp vulnerability
  16th, March, 2005

kppp[1] is the KDE[2] internet dialer. This announcement fixes a privileged file descriptors leak vulnerability[3,4] which could allow local attackers to hijack a system's domain name resolution function.

http://www.linuxsecurity.com/content/view/118617

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New squirrelmail package fixes regression
  14th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118572

* Debian: New luxman packages fix local root exploit
  14th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118574

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Core 3 Update: hwbrowser-0.20-0.fc3.1
  11th, March, 2005

Updated package.
http://www.linuxsecurity.com/content/view/118553

* Fedora Core 3 Update: at-3.1.8-68_FC3
  11th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118554

* Fedora Core 3 Update: bind-9.2.5-1
  11th, March, 2005

Upgraded to ISC BIND 9.2.5 (final release)
  o Added libbind man-pages (see 'man libbind-resolver', 'man libbind-irs.conf')
  o Fixed libbind h_errno handling (bug 150288)

http://www.linuxsecurity.com/content/view/118555

* Fedora Core 2 Update: openoffice.org-1.1.3-9.4.0.fc2
  14th, March, 2005

This update makes the Fedora Core 2 version of OpenOffice.org equivalent to the version in Fedora Core 3.

http://www.linuxsecurity.com/content/view/118575

* Fedora Core 3 Update: openoffice.org-1.1.3-9.5.0.fc3
  14th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118576

* Fedora Core 3 Update: NetworkManager-0.3.4-1.1.0.fc3
  14th, March, 2005

Many fixes. Check the changelog for details.

http://www.linuxsecurity.com/content/view/118577

* Fedora Core 3 Update: at-3.1.8-68_FC3
  14th, March, 2005

Added check in at(1) to verify if atd PAM authentication will succeed; Job submission will be denied if atd PAM authentication fails.

http://www.linuxsecurity.com/content/view/118578

* Fedora Core 2 Update: ipsec-tools-0.5-2.fc2
  14th, March, 2005

This update fixes a potential DoS in parsing ISAKMP headers in racoon. (CAN-2005-0398)

http://www.linuxsecurity.com/content/view/118585

* Fedora Core 3 Update: ipsec-tools-0.5-2.fc3
  14th, March, 2005

This update fixes a potential DoS in parsing ISAKMP headers in racoon. (CAN-2005-0398)

http://www.linuxsecurity.com/content/view/118586

* Fedora Core 3 Update: sylpheed-1.0.3-0.FC3
  15th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118593

* Fedora Core 3 Update: koffice-1.3.5-0.FC3.2
  15th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118594

* Fedora Core 3 Update: qt-3.3.4-0.fc3.0
  15th, March, 2005

Updated package.
http://www.linuxsecurity.com/content/view/118595

* Fedora Core 3 Update: ImageMagick-6.0.7.1-5.fc3
  15th, March, 2005

The updated packages fix a bug which could cause segfaults when writing TIFF images to the standard output.

http://www.linuxsecurity.com/content/view/118598

* Fedora Core 3 Update: ethereal-0.10.10-1.FC3.1
  16th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118612

* Fedora Core 2 Update: ethereal-0.10.10-1.FC2.1
  16th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118613

* Fedora Core 3 Update: system-config-samba-1.2.28-0.fc3.1
  16th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118614

* Fedora Core 3 Update: kdenetwork-3.3.1-3
  16th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118615

* Fedora Core 3 Update: udev-039-10.FC3.7
  16th, March, 2005

Fixed DRI permissions and SCSI hotplug replay in start_udev.

http://www.linuxsecurity.com/content/view/118616

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: X.org libXpm vulnerability
  12th, March, 2005

A new vulnerability has been discovered in libXpm, which is included in X.org, that can potentially lead to remote code execution.

http://www.linuxsecurity.com/content/view/118556

* Gentoo: Ethereal Multiple vulnerabilities
  12th, March, 2005

Multiple vulnerabilities exist in Ethereal, which may allow an attacker to run arbitrary code or crash the program.

http://www.linuxsecurity.com/content/view/118557

* Gentoo: libexif Buffer overflow vulnerability
  12th, March, 2005

libexif fails to validate certain inputs, making it vulnerable to buffer overflows.

http://www.linuxsecurity.com/content/view/118558

* Gentoo: Ringtone Tools Buffer overflow vulnerability
  15th, March, 2005

The Ringtone Tools utilities contain a buffer overflow vulnerability, potentially leading to the execution of arbitrary code.
http://www.linuxsecurity.com/content/view/118591

* Gentoo: Perl rmtree and DBI tmpfile vulnerabilities
  15th, March, 2005

The rmtree race conditions were only partly fixed in the original GLSA. New versions of dev-lang/perl have been released to address the remaining issues (CAN-2005-0448). The updated sections appear below.

http://www.linuxsecurity.com/content/view/118592

* Gentoo: Ringtone Tools Buffer overflow vulnerability
  15th, March, 2005

The Ringtone Tools utilities contain a buffer overflow vulnerability, potentially leading to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/118597

* Gentoo: MySQL Multiple vulnerabilities
  16th, March, 2005

MySQL contains several vulnerabilities potentially leading to the overwriting of local files or to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/118610

* Gentoo: curl NTLM response buffer overflow
  16th, March, 2005

curl is vulnerable to a buffer overflow which could lead to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/118611

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

* Mandrake: Updated lvm2 packages fix
  14th, March, 2005

A bug in the lvm2 packages caused it to recurse symlinked directories indefinitely which caused lvm commands to be really slow or timeout. A patch has been applied to correct this problem.

http://www.linuxsecurity.com/content/view/118587

* Mandrake: Updated cyrus-sasl packages
  15th, March, 2005

A buffer overflow was discovered in cyrus-sasl's digestmd5 code. This could lead to a remote attacker executing code in the context of the service using SASL authentication. This vulnerability was fixed upstream in version 2.1.19. The updated packages are patched to deal with this issue.
http://www.linuxsecurity.com/content/view/118599

* Mandrake: Updated gnupg packages fix
  15th, March, 2005

The OpenPGP protocol is vulnerable to a timing-attack in order to gain plain text from cipher text. The timing difference appears as a side effect of the so-called "quick scan" and is only exploitable on systems that accept an arbitrary amount of cipher text for automatic decryption.

http://www.linuxsecurity.com/content/view/118600

* Mandrake: Updated ethereal packages
  15th, March, 2005

A number of issues were discovered in Ethereal versions prior to 0.10.10, which is provided by this update.

http://www.linuxsecurity.com/content/view/118601

* Mandrake: Updated openslp packages fix
  15th, March, 2005

An audit by the SUSE Security Team of critical parts of the OpenSLP package revealed various buffer overflow and out of bounds memory access issues. These problems can be triggered by remote attackers by sending malformed SLP packets. The packages have been patched to prevent these problems.

http://www.linuxsecurity.com/content/view/118602

* Mandrake: Updated evolution packages
  16th, March, 2005

It was discovered that certain types of messages could be used to crash the Evolution mail client. Fixes have been applied to correct this behaviour.

http://www.linuxsecurity.com/content/view/118618

* Mandrake: Updated kdelibs packages fix
  16th, March, 2005

A vulnerability in dcopserver was discovered by Sebastian Krahmer of the SUSE security team. A local user can lock up the dcopserver of other users on the same machine by stalling the DCOP authentication process, causing a local Denial of Service.

http://www.linuxsecurity.com/content/view/118619

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Important: gaim security update
  10th, March, 2005

An updated gaim package that fixes various security issues as well as a number of bugs is now available.
This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118548

* RedHat: Moderate: tetex security update
  16th, March, 2005

Updated tetex packages that resolve security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118607

* RedHat: Low: postfix security update
  16th, March, 2005

Updated postfix packages that include a security fix and two other bug fixes are now available for Red Hat Enterprise Linux 4. This update has been rated as having low security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118608

* RedHat: Moderate: squid security update
  16th, March, 2005

An updated squid package that fixes a denial of service issue is now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118609

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

* SuSE: openslp (SUSE-SA:2005:015)
  14th, March, 2005

The SUSE Security Team reviewed critical parts of the OpenSLP package, an open source implementation of the Service Location Protocol (SLP).

http://www.linuxsecurity.com/content/view/118573

* SuSE: multiple Mozilla Firefox
  16th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118606

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Sat Mar 19 02:17:27 2005
From: isn at c4i.org (InfoSec News)
Date: Sat Mar 19 02:35:19 2005
Subject: [ISN] PITAC Report on Cybersecurity Priorities
Message-ID:

---------- Forwarded message ----------
Date: Fri, 18 Mar 2005 14:18:15 -0500
From: Richard Forno
To: Blaster
Subject: [infowarrior] - PITAC Report on Cybersecurity Priorities

http://www.nitrd.gov/pubs/

PRESIDENT'S INFORMATION TECHNOLOGY ADVISORY COMMITTEE RELEASES NEW REPORT: CYBER SECURITY: A CRISIS OF PRIORITIZATION

Vital to the Nation's security and everyday life, the information technology (IT) infrastructure of the United States is highly vulnerable to disruptive domestic and international attacks, the President's Information Technology Advisory Committee (PITAC) argues in a new report. While existing technologies can address some IT security vulnerabilities, fundamentally new approaches are needed to address the more serious structural weaknesses of the IT infrastructure.

In Cyber Security: A Crisis of Prioritization, PITAC presents four key findings and recommendations on how the Federal government can foster new architectures and technologies to secure the Nation's IT infrastructure. PITAC urges the Government to significantly increase support for fundamental research in civilian cyber security in 10 priority areas; intensify Federal efforts to promote the recruitment and retention of cyber security researchers and students at research universities; increase support for the rapid transfer of Federally developed cyber security technologies to the private sector; and strengthen the coordination of Federal cyber security R&D activities.
http://www.nitrd.gov/pubs/

From isn at c4i.org Sat Mar 19 02:18:18 2005
From: isn at c4i.org (InfoSec News)
Date: Sat Mar 19 02:35:22 2005
Subject: [ISN] Web to have 'terror watch' team
Message-ID:

http://news.bbc.co.uk/1/hi/technology/4360727.stm

18 March, 2005

Five European governments are setting up a hi-tech team to monitor how terrorists and criminals use the net. The group will make recommendations on shutting down websites that break terrorism laws.

The plans for the initiative came out of a meeting of the G5 interior ministers in Spain that discussed ways to tackle these threats. The five countries also agreed to make it easier to swap data about terror suspects and thefts of explosives.

The interior ministers of Spain, Britain, France, Germany and Italy - the G5 - met in Granada this week for an anti-terrorism summit.

Easy sharing

To combat terrorism the ministers agreed to make it easier for police forces in their respective states to share data about suspects connected to international terror groups.

Information shared could also involve intelligence about money laundering, the forgery of identity papers, stolen cars, DNA data, missing persons and unidentified corpses.

Part of this anti-terror work will involve the creation of the technical team that will keep an eye on how organised crime groups and terrorists make use of the web.

Many criminals have moved many well-known crimes to the web because the returns are so good and the chance of being detected is still relatively low.

The group is also likely to make recommendations on shutting down websites that contravene laws on inciting acts of terror.

Although the meeting of the G5 is informal and any decisions they make are not binding, the summits do tend to set the tone for future policy decisions.
From isn at c4i.org Sat Mar 19 02:27:36 2005
From: isn at c4i.org (InfoSec News)
Date: Sat Mar 19 02:35:25 2005
Subject: [ISN] Audit: State voter system left information vulnerable
Message-ID:

http://www.freep.com/news/statewire/sw113179_20050318.htm

March 18, 2005

LANSING, Mich. (AP) -- State databases with confidential information from registered voters and driver's licenses in Michigan were not adequately secure and were vulnerable to computer hackers, state auditors said in a report released Friday.

The state elections and technology departments agreed that the systems were vulnerable, but they told the Office of the Auditor General they are not aware of any time information in the Digital Driver's License System and the Qualified Voter File was compromised.

State auditors said the departments of state and information technology did not ensure that an outside contractor effectively secured the Digital Driver's License System, which may lead to identity theft. The system included information from about 7.2 million driver's licenses and 1 million personal identification cards in January 2004.

Auditors had similar security concerns with the Qualified Voter File, according to the report that covers records from Sept. 30, 1997 to June 30, 2004.

The Qualified Voter File was one of the first systems in the country to compile accurate, up-to-date voter information. It ties 468 local jurisdictions and 83 counties in Michigan to a database that has the names and addresses of about 6.8 million registered voters.

"We identified numerous and, in some cases, very significant vulnerabilities in the configuration of the QVF operating system and database that preclude management from preventing or detecting unauthorized access," auditors said in their report.

Auditors said similar security problems with the Qualified Voter File were discovered in an October 2002 assessment by a private contractor at the request of the Department of State.
State strategies and the federal Help America Vote Act of 2002 call for a secure confidential voter information database, but the state and technology departments were concerned that more security measures would hurt the performance and function of the system, auditors said.

The state audit was released as lawmakers are trying to clamp down on the sale of Social Security numbers by private companies after a few large information brokers reported security breaches that resulted in scores of stolen identities.

The departments told auditors they have developed a security plan and have corrected significant areas of vulnerability. Kelly Chesney, spokeswoman for Secretary of State Terri Lynn Land, said most of the security issues raised in the audit were addressed before the report was released.

The Department of State has limited access to the Qualified Voter File to only those individuals who need it, Chesney said. It is not available online and information is encrypted when it is transmitted, she said.

"It's not like this is available online. It's a closed system," Chesney said. "This system is considered one of the best in the nation. Michigan was used as a model in the Help America Vote Act."

A telephone message seeking additional comment on the audit was left Friday afternoon with Kurt Weiss, spokesman for the Department of Information Technology.

-=-

On the Net:
Michigan Office of the Auditor General, http://audgen.michigan.gov

From isn at c4i.org Mon Mar 21 06:13:20 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Mar 21 06:22:37 2005
Subject: [ISN] Alta privacy office: Hi-tech fax machines a security risk
Message-ID:

http://cnews.canoe.ca/CNEWS/Canada/2005/03/20/967337-cp.html

By JUDY MONCHUK
March 20, 2005

CALGARY (CP) - In the realm of high-tech dangers, few would consider the lowly fax machine or photocopier a security risk. That would be naive, says Tim Chander, research manager of Alberta's Office of Information and Privacy.
"It's not your grandfather's printer anymore - these things are computers with hard drives that can be connected to the Internet," said Chander. "Anything you're photocopying (is) copied and stored on the hard drives unless they are overwritten."

Chander said most businesses, government offices and health authorities lease their office equipment without considering the security ramifications.

"We haven't had a complaint come to our office. We just want organizations to be aware that anyone photocopying personal, business or health information to realize that when your lease is up, your information is going out the door," he said.

The government of Alberta recently put together a policy stipulating that any leased machine with a hard drive must have its memory wiped clean when its lease is up. Departments also have the option of purchasing the hard drive - a cost of about $300.

Josh Ryder, manager of computer security at the University of Alberta in Edmonton says few people think of printers as a security threat.

"If you explain that every document you've ever photocopied on this machine is walking out the door when this machine walks out, that's probably plain enough that most people would sit up and pay attention," said Ryder. "But I don't think it's being explained that way."

Most office equipment with digital technology now has multi-tasking capabilities and memory to queue up jobs from a number of computers as well as taking information from outside sources.

"Now the fax machine is essentially a printer," said Ryder.

And while most companies have firewalls set up to protect their computer networks from hackers or viruses, Ryder noted that printers or fax machines generally sit outside that layer of protection.

"The issue is that these devices are not secure. Generally, you can't say 'only allow these computers to listen to you.' "

Unauthorized access or disclosure of personal information is a breach of privacy legislation.
Alberta's privacy commission's office notes that both the organization that puts the information on the machine and the vendor are responsible for the information on it.

"Some of these older machines get refurbished and sold again," said Chander. "Some companies we've spoken with wipe the data themselves. But those are the large companies like Xerox and Hewlett Packard."

Chander suggests that anyone handling sensitive information stipulate in leasing agreements that the memory must be wiped clean or that they have the option of purchasing the hard drive to destroy it themselves.

Federally, the Department of National Defence has a policy where they retain the hard drive of any fax machine or photocopier when a lease is up.

So could someone hack into a fax or photocopier and hijack a networked computer system? Both Ryder and Chander say it's technologically possible.

"It's a logical conclusion," said Chander. "We haven't heard of it, but I'm not ruling it out."

Although hard drives and the information they hold are not easily accessible on most machines, Chander says it's important to be vigilant.

From isn at c4i.org Mon Mar 21 06:13:35 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Mar 21 06:22:40 2005
Subject: [ISN] Southfield teenager accused in computer attacks
Message-ID:

http://www.theoaklandpress.com/stories/031905/loc_20050319015.shtml

March 19, 2005

A Southfield teen was arrested Friday and accused of orchestrating computer attacks to cripple Web sites operated by competitors to his online sportswear business.

Jason Saleh Arabo, 18, of Southfield was arrested by FBI agents in Detroit and charged with conspiring to transmit a program to damage a computer, federal prosecutors said.

Also arrested was a New Jersey teen, who federal and state authorities said carried out the attacks.
Damage from the attacks reverberated beyond the targets, eventually causing $1.2 million to $2 million in damage to about 100 Web sites, said John Hagerty, a spokesman for the state Division of Criminal Justice.

FBI Special Agent Tim Nestor put the cost even higher, at $2.5 million, calculated on lost business as well as the cost to repair computers.

"It was a fairly large attack," said Nestor, supervisor of the FBI cybercrime squad in New Jersey, adding that on one day over the summer it knocked out a "backbone provider" of Internet service in eastern Pennsylvania for 12 hours.

"This was a malicious attack that had widespread practical and financial consequences. The damage literally rolled across the country and beyond," U.S. Attorney Christopher J. Christie said in a statement.

A 17-year-old boy in Edison, N.J., was arrested Friday by New Jersey State Police and charged with one count of computer theft by denial of service, Lt. Kevin Rehmann said. The teen, whose name was not released because of his age, was held at the Middlesex County juvenile detention center.

Authorities did not immediately know who Arabo or the 17-year-old had retained as lawyers. Arabo was released on $50,000 bond. A message seeking comment was left at his home Friday afternoon.

The pair met online in June in a chat room "where computer-savvy people can communicate with each other," Assistant U.S. Attorney Eric H. Jaso said.

Arabo operated two companies that sold sports clothing, www.customleader.com and www.jerseydomain.com, from his home. He recruited the teen to conduct the attacks in return for some of the historic uniform reproductions he sold, along with high-end sneakers and a watch, Jaso said.

In July, the teen launched "distributed denial of service" attacks aimed at computer servers supporting the Web sites of his competitors, including a New Jersey company, according to a complaint filed by the FBI.
This was accomplished by secretly infecting thousands of computers with copies of a program known as a "bot," short for robot. The teen then ordered the bots to access the targeted Web site at the same time, overloading the site's server and causing it to crash, the complaint said.

Authorities seized Arabo's home computer in January, Jaso said.

The New Jersey company, identified in the FBI complaint only as "JJ," notified the FBI on July 7 that its Web site had been attacked five days earlier, leaving it unable to do business. The attacks continued into December.

The charge against Arabo carries up to five years in prison and a fine of up to twice the loss to victims. The charge against the teen could carry prison time, depending on how the case is prosecuted.

From isn at c4i.org Mon Mar 21 06:13:44 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Mar 21 06:22:42 2005
Subject: [ISN] INTERNATIONAL STUDENT FILES: UNLV server accessed
Message-ID:

Forwarded from: William Knowles

http://www.reviewjournal.com/lvrj_home/2005/Mar-19-Sat-2005/news/26110200.html

By K.C. HOWARD
REVIEW-JOURNAL
March 19, 2005

A hacker has invaded a UNLV server containing thousands of records with foreign students' information, UNLV officials announced Friday.

University of Nevada, Las Vegas computer analysts were conducting a routine security check on network activity when they found a hacker accessing the Student and Exchange Visitor Information System, also known as SEVIS.

"We're not sure that he got very far with it. We caught him in the middle of it and took the server off-line, so we're not sure if he got much and how much it is," said Johnie Sullivan, UNLV information security officer and a former FBI computer security specialist.

University officials declined to detail specifics about the attack such as when it happened. But they said the hacker could have accessed the records of as many as 5,000 former and current UNLV international students.

The FBI is investigating the incident.
Analysts have determined the suspect is not a university student or employee.

This is the first major hack UNLV has experienced on a student data server, Sullivan said. They're treating the incident as a possible identity theft case, he said.

The office of International Students and Scholars on campus sent an e-mail to all students and scholars in the database to refer them to identity theft protection Web sites. Those who believe they might be a victim can contact the Federal Trade Commission at www.consumer.gov/idtheft or call 1-877-ID-THEFT.

UNLV staff also is working with students face to face, said Rebecca Mills, vice president of student life.

The U.S. Citizenship and Immigration Services uses SEVIS, an Internet-based system, to maintain current information on nonimmigrant students, exchange visitors and their dependents. The program, which is part of the Department of Homeland Security, tracks information such as foreign student enrollments, visa status, course load, address and name changes, and off-campus employment.

After Sept. 11, 2001, universities, colleges and flight schools have been required to use SEVIS to help prevent terrorists from entering the country as students.

Sullivan said the hacker was storing potentially stolen data from somewhere else on the UNLV server and attempting to download university data when he was caught.

The old server went to the FBI crime lab and a new server is up and running, he said.

*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Mon Mar 21 06:13:59 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Mar 21 06:22:45 2005
Subject: [ISN] Former hacker turns over new leaf
Message-ID:

http://www.thejakartapost.com/detailfeatures.asp?fileid=20050321.S06&irec=5

M. Taufiqurrahman
The Jakarta Post
March 21, 2005

A statement that says "computer hacking is stupid and equivalent to throwing stones at the windows of jewelry shops" sounds hollow if made by cyberpolice whose designated job is to curb the offense.

However, the remark rings true and carries a serious moral when it is cited by a former big-time hacker who once broke into the Federal Bureau of Investigation's (FBI) communications system, compromised the system for his own use and cost the top U.S. security agency dearly.

The hacker's (mis)conduct in 1994 and the subsequent legal proceedings were so famous they became a case study for social engineering in his country, France.

Eleven years on, the man, Anthony Zboralski, has not looked back and painstakingly engages in a campaign to combat the very offense he committed in his youth. He now ardently advises companies to better manage their information security systems.

Zboralski is the current principal of Bellua Asia Pacific, a Jakarta-based Information Security consulting company whose clients include a number of the country's top banks and government agencies. His previous clients included numerous Fortune 500 companies like Air France, Aerospatiale, Allianz, AXA and Total Fina.

"After the problem with the FBI, I thought that people would blame me and would not really appreciate my company.
But as soon as it was in the press, I got invited to all the conferences for security and information warfare and people started to offer me jobs," said Zboralski, recalling how he first plunged into the information security consulting business.

He said that among his first clients were French companies in aerospace and defense.

"At the beginning, I was doing mostly technical work, but after a while, I started realizing that if you just fixed only technical issues it is not going to solve problems, because there are also the human factors," he told The Jakarta Post.

The emphasis on human factors also led him to embark on a campaign to "convert" active hackers into doing more constructive work.

"We look for young hackers who have the potential and skills and put them in the right direction. We give them the opportunity to carry out security research and have them as interns," he said.

To further pursue his crusade in promoting the cause, in 1998 Zboralski founded a nonprofit organization, Hacker Emergency Response Team (HERT), to provide analysis and expertise on information security, attack and defense in an information warfare setting and reverse engineering with membership in more than 24 countries.

In 2000, he took part in a project in the Philippines and in Indonesia that would lead to the establishment of Bellua.

"Unlike in Europe where the system is already there, we found the project in Asia very interesting as there is much new infrastructure to be built and we can engage from planning to action. It was a lot more interesting," he said.

Backed by security experts, practitioners and researchers, Zboralski founded Bellua to help companies comply with organizational security policies and standards.

Among numerous services offered by his company, the most famous is the one that Zboralski was taught to do from experience -- a penetration test, also known as ethical hacking.
"We test the security of our clients from the outsiders' point of view like offensive hackers or rival companies."

The involvement with Bellua also exposed him to the laxity in information security management systems among companies operating in the country and the dire consequences it would bring.

"There is a lot of fraud here. For instance, while we were doing a security review for a company, we found that there was someone trying to erase or change interest rates. That kind of problem happens all the time," he said.

But such an incident would not appear in the press and the public is exposed only to petty cyber crimes, he said. "You will not often hear about a multimillion dollar case as that would panic everyone."

He said companies tended to protect only the data center, but leave all infrastructure around it unguarded. "It is like spending a million dollars on the front door but leaving all the windows open."

Zboralski's predilection for computer science and information security was inspired by the 1983 film War Games, starring John Badham and Matthew Broderick. The film is about a child who hacks into the North American Aerospace Defense Command (NORAD) computer system and starts a war.

"Kids of my generation started to think that it was something that they would like to do -- something that was more realistic than James Bond or Superman movies," he said.

He said the movie sparked a deep passion in him for computers and gave him the urge to start hacking. "However, we view it more as a tool than a goal. Hacking is just a tool for creating projects," he said.

Against the widely held notion that most hackers commit the crime purely for fun, Zboralski said the activity was sometimes far from enjoyable and, in reality, too risky.

"People do that for power. It is like a king, when one can do something no one else can," he said.
From isn at c4i.org Mon Mar 21 06:14:15 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Mar 21 06:22:48 2005
Subject: [ISN] Growth of Wireless Internet Opens New Path for Thieves
Message-ID:

http://www.nytimes.com/2005/03/19/technology/19wifi.html

By SETH SCHIESEL
March 19, 2005

The spread of the wireless data technology known as Wi-Fi has reshaped the way millions of Americans go online, letting them tap into high-speed Internet connections effortlessly at home and in many public places.

But every convenience has its cost. Federal and state law enforcement officials say sophisticated criminals have begun to use the unsecured Wi-Fi networks of unsuspecting consumers and businesses to help cover their tracks in cyberspace.

In the wired world, it was often difficult for lawbreakers to make themselves untraceable on the Internet. In the wireless world, with scores of open Wi-Fi networks in some neighborhoods, it could hardly be easier. Law enforcement officials warn that such connections are being commandeered for child pornography, fraud, death threats and identity and credit card theft.

"We have known for a long time that the criminal use of the Internet was progressing at a greater rate than law enforcement had the knowledge or ability to catch up," said Jan H. Gilhooly, who retired last month as special agent in charge of the Secret Service field office in Newark and now helps coordinate New Jersey operations for the Department of Homeland Security. "Now it's the same with the wireless technologies."

In 2003, the Secret Service office in Newark began an investigation that infiltrated the Web sites and computer networks of suspected professional data thieves. Since October, more than 30 people around the world have been arrested in connection with the operation and accused of trafficking in hundreds of thousands of stolen credit card numbers online.

Of those suspects, half regularly used the open Wi-Fi connections of unsuspecting neighbors.
Four suspects, in Canada, California and Florida, were logged in to neighbors' Wi-Fi networks at the moment law enforcement agents, having tracked them by other means, entered their homes and arrested them, Secret Service agents involved in the case said.

More than 10 million homes in the United States now have a Wi-Fi base station providing a wireless Internet connection, according to ABI, a technology research firm in Oyster Bay, N.Y. There were essentially none as recently as 2000, the firm said.

Those base stations, or routers, allow several computers to share a high-speed Internet connection and let users maintain that connection as they move about with laptops or other mobile devices. The routers are also used to connect computers with printers and other devices.

Experts say most of those households never turn on any of the features, available in almost all Wi-Fi routers, that change the system's default settings, conceal the connection from others and encrypt the data sent over it. Failure to secure the network in those ways can allow anyone with a Wi-Fi-enabled computer within about 200 feet to tap into the base station's Internet connection, typically a digital subscriber line or a cable modem.

Wi-Fi connections are also popping up in retail locations across the country. But while national chains like Starbucks take steps to protect their networks, independent coffee shops that offer Wi-Fi often leave their connections wide open, law enforcement officials say.

In addition, many universities are now blanketing campuses with open Wi-Fi networks, and dozens of cities and towns are creating wireless grids. While some locations charge a fee or otherwise force users to register, others leave the network open.

All that is needed to tap in is a Wi-Fi card, typically costing $30 or less, for the user's PC or laptop.
(Wi-Fi cards contain an identification code that is potentially traceable, but that information is not retained by most consumer routers, and the cards can in any case be readily removed and thrown away.)

When criminals operate online through a Wi-Fi network, law enforcement agents can track their activity to the numeric Internet Protocol address corresponding to that connection. But from there the trail may go cold, in the case of a public network, or lead to an innocent owner of a wireless home network.

"We had this whole network set up to identify these guys, but the one thing we had to take into consideration was Wi-Fi," Mr. Gilhooly said. "If I get to an Internet address and I send a subpoena to the Internet provider and it gets me a name and physical address, how do I know that that person isn't actually bouncing in from next door?"

Mr. Gilhooly said the possibility of crashing into an innocent person's home forced his team to spend additional time conducting in-person surveillance before making arrests.

He said the suspects tracked in his investigation would regularly advise one another on the best ways to gain access to unsecured Wi-Fi systems.

"We intercepted their private conversations, and they would talk and brag about, 'Oh yeah, I just got a new amplifier and a new antenna and I can reach a quarter of a mile,' " he said. "Hotels are wide open. Universities, wide open."

Sometimes, suspected criminals using Wi-Fi do not get out of their car.

At 5 a.m. one day in November 2003, the Toronto police spotted a wrong-way driver "with a laptop on the passenger seat showing a child pornography movie that he had downloaded using the wireless connection in a nearby house," said Detective Sgt. Paul Gillespie, an officer in the police sex crimes unit. The suspect was charged with child pornography violations in addition to theft of telecommunications services; the case is pending.

"The No. 1 challenge is that people are committing all sorts of criminal activity over the Internet using wireless, and it could trace back to somebody else," Sergeant Gillespie said.

Holly L. Hubert, the supervisory special agent in charge of the Cyber Task Force at the F.B.I. field office in Buffalo, said the use of Wi-Fi was making it much more difficult to track down online criminals.

"This happens all the time, and it's definitely a challenge for us," she said. "We'll track something to a particular Internet Protocol address and it could be an unsuspecting business or home network that's been invaded. Oftentimes these are a dead end for us."

Ms. Hubert says one group of hackers she has been tracking has regularly frequented a local chain of Wi-Fi-equipped tea and coffee shops to help cover its tracks.

Many times the suspects can find a choice of unsecured wireless networks right from home.

Special Agent Bob Breeden, supervisor of the computer crime division for the Florida Department of Law Enforcement, said a fraud investigation led in December to the arrest of a Tallahassee man who had used two Wi-Fi networks set up by residents in his apartment complex.

Over those Internet connections, the suspect used the electronic routing information for a local college's bank account to pay for online pornography and to order sex-related products, Mr. Breeden said. The man was caught because he had the products delivered to his actual address, Mr. Breeden said. When officers went to arrest him, they found his computer set up to connect to a neighbor's wireless network.

Mr. Breeden said the suspect, Abdul G. Wattley, pleaded guilty to charges of theft and unauthorized use of a communications network and was sentenced to two years' probation.

In another recent case, the principal of a Tallahassee high school had received death threats by e-mail, Mr. Breeden said.
When authorities traced the messages to a certain Internet Protocol address and went to the household it corresponded to, Mr. Breeden said, "Dad has his laptop sitting on a table and Mom has another laptop, and of course they have Wi-Fi, and they clearly didn't know anything about the threats."

Cybercrime has been known to flourish even without Wi-Fi's cloak of anonymity; no such link has been found, for example, in recent data thefts from ChoicePoint, Lexis/Nexis and other database companies. But unsecured wireless networks are nonetheless being looked at by the authorities as a potential tool for furtive activities of many sorts, including terrorism.

Two federal law enforcement officials said on condition of anonymity that while they were not aware of specific cases, they believed that sophisticated terrorists might also be starting to exploit unsecured Wi-Fi connections.

In the end, prevention is largely in the hands of the buyers and sellers of Wi-Fi equipment.

Michael Coe, a spokesman for SBC, the nation's No. 1 provider of digital subscriber line connections, said the company had provided about one million Wi-Fi routers to its customers with encryption turned on by default.

But experts say most consumers who spend the $60 to $80 for a Wi-Fi router are just happy to make it work at all, and never turn on encryption.

"To some degree, most consumers are intimidated by the technology," said Roberta Wiggins, a wireless analyst at the Yankee Group, a technology research firm in Boston. "There is a behavior that they don't want to further complicate their options."

That attitude makes life easier for tech-savvy criminals and tougher for those who pursue them.

"The public needs to realize that all they're doing is making it harder on me to go find the bad guys," said Mr. Gilhooly, the former Secret Service agent.
"How would you feel if you're sitting at home and meanwhile someone is using your Wi-Fi to hack a bank or hack a company and downloads a million credit card numbers, which happens all the time? I come to you and knock on your door, and all you can say is, 'Oops.' "

From isn at c4i.org Tue Mar 22 03:11:14 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 22 03:18:33 2005
Subject: [ISN] Securing public infrastructure
Message-ID:

http://www.thejakartapost.com/detailfeatures.asp?fileid=20050321.P03&irec=2

Jim Geovedi
Contributor
March 22, 2005

A cyberwar between Indonesia and Malaysia was sparked by the dispute over the Ambalat oil fields in the Sulawesi Sea, and, possibly, the impact of the ending of the amnesty for illegal Indonesian workers.

On March 5, 2005, Kuala Lumpur protested what it said was intrusion into its territory by an Indonesian naval vessel, while President Susilo Bambang Yudhoyono ordered the Indonesian military to make its presence felt in the disputed waters.

The next day, the website of Universiti Sains Malaysia (USM) was hacked and plastered with hostile Indonesian-sounding, anti-Malaysian messages; messages reminiscent of 1963's Konfrontasi and the Gerakan Ganyang Malaysia (Crush Malaysia Movement).

What followed sent companies and organizations on both sides of the straits scrambling to patch up their security systems and to temporarily shut down websites deemed a security risk.

Cyberwar is not real war

Declaring war is a privilege reserved for recognized leaders of nations, not a bunch of unelected kids, even if they believe they are acting on behalf of their nation.

By definition, a cyberwar is a coordinated, systematic attack on computers, communications networks, databases and media. Other related terms are cyberterrorism, cybercrime, strategic information warfare, electronic warfare.

Information systems are complex and interconnected infrastructures upon which many nations are now heavily dependent.
They rest on insecure foundations -- the ability to network has far outpaced the ability to protect networks. With this dependency comes vulnerability to attack from virtually anyone, anywhere with a computer and a connection to the Internet. Today, information technology -- and the ability to use it -- is more widely available than ever. Widespread, easy access to the Internet, combined with the ability to become anonymous, presents a completely new spectrum of threats to national security. Not only can a government, group, or individual utilize information technology to disrupt the infrastructure of whole nations, but, often, attacks are not even noticeable until the damage has been done. Malicious hackers find weaknesses Malicious hackers hit whoever they can, and target any website that has any kind of weakness. They use scanning tools to broadcast a search for security holes in domains that are hosted in Indonesia or Malaysia. And they often pay little attention to the nature of the website. Many websites will remain vulnerable to malicious hacker attacks until network and system administrators tighten up the security of their servers. Most hacker attacks, including website defacements, are made through a chain of passive servers that act as springboards. But all malicious hackers represent threats to organizations for their ability to gain unauthorized access to sensitive information. Future expectations Cyber tools and technologies are now on the way for both offense and defense. Networks -- and their vulnerability -- are evolving so rapidly that new tools for network mapping, scanning and probing will become increasingly critical to both attackers and defenders. Deployment of new or improved security tools will help protect against both remote and inside threats. 
New and better technologies could provide defenders with improved capabilities for detecting and attributing subtle malicious activity, and enable computer networks to respond to attacks automatically. However, defense responses will remain at a disadvantage until more fundamental changes to computer and network architectures are made -- changes for which improved security has equal billing with increased functionality. For attackers, viruses and worms are likely to become more controllable, precise, and predictable -- making them more suitable for weaponization. In addition, tools for distributed hacking or denial of service -- the coordinated use of multiple, compromised computers or of independent and mobile software agents -- will mature as network connectivity and bandwidth increase. They could provide attackers with planning aids to develop optimal strategies against potential targets and to more accurately predict effects. Attackers and defenders alike, it seems, had better be ready at all times and must never let down their guard in anticipating the future. The author is an information security consultant at PT Bellua Asia Pacific, Indonesia. Jim is scheduled to speak at the Bellua Cyber Security Conference in Jakarta on March 23 and 24 (www.bellua.net). He is also a contributor to the OpenBSD and FreeBSD projects, and an active member of HERT, the Hacker Emergency Response Team. From isn at c4i.org Tue Mar 22 03:11:29 2005 From: isn at c4i.org (InfoSec News) Date: Tue Mar 22 03:18:36 2005 Subject: [ISN] No easy fix for DOD security issues Message-ID: http://www.fcw.com/article88354-03-21-05 By Bob Brewin & Frank Tiboni March 20, 2005 A panel of industry experts formed by the National Security Agency reviewed the information assurance requirements of the Defense Department's Global Information Grid (GIG) last December and concluded that providing security for it depends on "technologies that do not exist and may not be feasible." 
The assessment was based on a preliminary draft of the information assurance strategy for the grid, but "does not, and never has represented NSA's view of the GIG," an NSA spokeswoman said. "NSA believes that the current draft of the GIG [information assurance] strategy will help ensure DOD is able to deploy a robust, survivable GIG well into the future." But "in order for the GIG to move forward, new capabilities will need to be developed that address the security challenges inherent in any enterprise architecture as complex as the GIG," she said. The grid essentially forms the backbone of the Pentagon's concept of network-centric operations, where data is made readily available to the people who need it. Deputy Defense Secretary Paul Wolfowitz defined the grid in September 2002 as DOD's enterprise-level architecture to provide computer and communications services to commands worldwide. Former DOD chief information officer John Stenbit has said that if such data is posted on networks, information security becomes even more critical. The grid includes the GIG-Bandwidth Expansion, designed to provide gigabit-speed networks worldwide, the Joint Tactical Radio System and satellites for last-mile connectivity, top DOD officials have said. The NSA spokeswoman added that securing the grid "will require significant investments by the community in [information assurance] solutions. However, NSA has capabilities in place and under development to address some of these challenges." Warren Suss, president of Suss Consulting, said providing information assurance for the grid "is a leading-edge challenge because the GIG is something that has never been done before." Besides protecting data transmitted via GIG-BE fiber-optic networks, NSA and DOD also have to develop gear to protect information that flows to and from battlefield systems, such as unmanned aerial vehicles transmitting live video feeds, Suss said. 
Despite the challenges, Suss said he believes officials in the Pentagon's CIO office and at NSA "are working hard to resolve the problems." GIG-BE's wideband, gigabit circuits required development of a new class of gigabit Ethernet encryptor devices that comply with federal High Assurance IP Encryption standards for GIG-BE. A Congressional Budget Office report released last month said that development of high-speed encryption devices is essential to take advantage of GIG-BE's broadband capabilities. "GIG-BE's capability to transport classified data is [based] on the speed of high-assurance IP encryptor devices available," the report said. The Defense Information Systems Network, which uses GIG-BE for transport, currently has 16 nodes that can operate at rates of up to 10 gigabits/sec and eight nodes that operate at 2.5 gigabits/sec, the CBO report states. The NSA spokeswoman said development of an information assurance strategy for the grid is a long-term project that has undergone a great deal of change since the agency completed its first draft. Developing an information assurance architecture is so complex that NSA has already completed a 2,000-page draft document for the grid, Federal Computer Week has learned. "DOD is expected to approve the GIG [information assurance] architecture documents in the near future," said Michael Johnson, chief of NSA's information assurance architecture office. "Once approved, this work will be integrated into existing DOD compliance documents, processes, policies and regulations." For example, plans are under way to integrate the architecture strategy into the GIG Architecture, Net-Centric Operations and Warfare Reference Model, Net-Centric Key Performance Parameter and Net-Centric Checklist, Johnson said. From isn at c4i.org Tue Mar 22 03:11:47 2005 From: isn at c4i.org (InfoSec News) Date: Tue Mar 22 03:18:39 2005 Subject: [ISN] Can 9 Million Skype Users Be Wrong? 
Message-ID: http://www.csoonline.com/read/030105/machine.html By Simson Garfinkel March 2005 CSO Magazine Skype is a high-quality encrypted Internet telephony system that allows for the exchange of files, interconnects with the public switched telephone system and easily tunnels through firewalls. You may not have heard of Skype, but there are 9 million Skype users, so chances are some of your employees have. Skype provides a cheap way to communicate, but CSOs should know that the system's security is impossible to audit, and the vendor refuses to disclose details on security features. If secure communications are important to your business, read on. Depending on your organization, Skype is either a wonderful tool for communication or a problem technology that must be policed, controlled and, if possible, eliminated from your systems. Skype was released last year by the creators of Kazaa, the popular file-trading system. Like Kazaa, Skype is based on firewall-busting peer-to-peer technology. When you first start running Skype, it scans the Internet looking for a Skype "supernode." Supernodes are other people running the Skype program who aren't screened by firewalls. These users can consequently both receive and initiate connections across the Net. An unknown number of supernodes link to other supernodes; eventually, the chain reaches back to the Skype servers, wherever they happen to be. Supernodes also facilitate connections back to Skype users who are behind firewalls and Network Address Translation boxes. But despite their similarities, Skype does not come with Kazaa's baggage. Unlike Kazaa, Skype is not advertiser-supported and does not come with adware or spyware. Instead, Skype's creators make money by operating the bridge between the Skype network and the other telephone networks. With the SkypeOut service, a Skype user can place calls to ordinary landlines or cell phones throughout the world for just a few pennies per minute from their computers. 
SkypeIn, a corresponding service that will be released this summer, will allow Skype users to receive phone calls from the telephone network. Every Skype user has a unique Skype user name and password. You provide the user name and password when you log in; the network then verifies that your password matches the password that you provided when you signed up. Once you've logged in, you can initiate a call through your desktop to any other Skype user. You don't need to know where he is; he just has to be logged in to Skype somewhere on the Internet. Unlike AOL Instant Messenger, there's no problem with being logged in to Skype in more than one location. Each location will ring if someone tries to call you. Thus, Skype is a lot friendlier to people like me who work from multiple computers. And while it's primarily designed for voice communications, Skype will also let you send instant text messages and files. Most people I know who use Skype keep a very short contact list of other Skype users and block incoming voice and text messages from everyone else. Unlike Vonage and other voice-over-IP systems, Skype is not based on the Session Initiation Protocol or any other Internet standard. Skype uses a protocol that's both proprietary and secret. The company claims that all Skype communications are encrypted with the 256-bit Advanced Encryption Standard and that keys are exchanged using the RSA encryption algorithm. I've looked at Skype's packets, and I can verify that they are in fact encrypted, but there's really no way to know how secure it is without considerable documentation and cooperation from the company. These facts combine to make Skype an emerging problem for many CSOs. For organizations -- such as investment companies -- that are required by law to monitor communications between their employees and their customers, Skype is an untappable voice gateway. It's also largely unstoppable, because Skype can tunnel through, over or around most kinds of firewalls. 
And for organizations -- such as hospitals -- that are required by law to provide for secure communications between employees and customers, Skype gives the appearance of a secure communications channel, but it might not provide any security at all. On the other hand, if neither monitoring nor secrecy of voice communications is a legal requirement for your organization, another perfectly reasonable approach is to embrace Skype and its peer-to-peer voice technology. Skype is certainly more secure than most cell phones, which have their encryption disabled, or landlines that don't have any encryption at all. Sure, there is a chance that your Skype conversation is going through another person's computer, and there's a chance that they've managed to crack Skype's algorithm and are listening in on everything you say. Even though there is certainly the potential for abuse, in most cases the actual chance of abuse is small. Another important aspect of security is availability -- that is, making sure that systems and backup systems are always available to serve your users' needs. And availability is where Skype really shines. No matter where you are, if you have some kind of connectivity to the Internet, you can use Skype to communicate with others. This is a huge benefit to the mobile worker, because you can just sit down in some cybercafe anywhere in the world, take out your laptop, and -- wham! -- you are in direct communication. (On the other hand, if Skype's creators decide to pull the plug on the company's servers, every Skype user on the planet will be suddenly dead in the water -- unless, of course, an enterprising hacker can figure out how to patch the Skype executable so that it uses a different set of servers on the Internet.) Because it's peer-to-peer, you can use Skype to exchange large files without worrying about any server-based restrictions. 
Although the protocol doesn't seem to recover gracefully from interrupted transmissions (it restarts the transfer in the middle of the file), it's completely reasonable to use Skype to send 100MB files from one end of the planet to the other. Skype's servers will do the user name/password authentication, but the data packets will go directly from one user's computer to the other's -- possibly passing through a Skype user or two. The fact that Skype's user name/password combinations are validated by central servers gives Skype another big advantage over e-mail: authentication. The vast majority of e-mail on the Internet is sent without authentication. As a result, when you get a piece of e-mail, you never can be sure that the address listed on the message is where it was really sent from. But since every Skype user is validated before being allowed to join the network, you can have reasonable trust in the identities that flash through the Skype application. Such authentication helps build the business justification for Skype. Two negatives are operating against Skype. The first is the fact that the Skype client running on your computer can and will relay calls between other network users without your knowledge. That can pose a problem on networks that have only a little bit of Internet connectivity. It makes sense that Skype would detect how much bandwidth you have for this kind of third-party altruism. But alas, the algorithm that Skype uses to determine how much of this relaying it is allowed to engage in is proprietary, so we can't know for sure. The other drawback is that bad guys can, of course, use Skype to send worms and viruses. Obviously, the first thing to do is to block files transmitted by anyone you don't know. A better approach would be to integrate Skype with your computer's antivirus system so that all incoming files are automatically scanned. That's not currently a Skype feature, but it might be by the time you read this. 
Probably the most important thing about Skype, however, is not the program's functionality today, but something much deeper about the whole Skype process. One year after Skype launched, it had more than 9.5 million users worldwide, with more than 1.5 million connections per day and, on average, 500,000 people connected at any given time. The software is available for Windows, Mac OS X, Linux and Pocket PC. The software has the capability of automatically updating and upgrading itself, allowing it to acquire new features at any time -- potentially without the permission of the user. The software uses a secret protocol; all communications are encrypted. And Skype Technologies does its engineering in Tallinn, Estonia, has some business operations in London and registers its website in Amsterdam. If I were going to write an information warfare thriller with a theme based on Invasion of the Body Snatchers, this is certainly where I would start. Simson Garfinkel, CISSP, is a technology writer based in the Boston area. He can be reached via e-mail at machineshop@cxo.com. From isn at c4i.org Tue Mar 22 03:12:06 2005 From: isn at c4i.org (InfoSec News) Date: Tue Mar 22 03:18:42 2005 Subject: [ISN] Hacking Tools Can Strengthen Security Message-ID: http://www.eweek.com/article2/0,1759,1776613,00.asp By Cameron Sturdevant March 21, 2005 To avoid getting hacked, you've got to think like a hacker - and that means knowing the tools and tricks of the hacking trade. IT managers must understand the types of hacking tools available - including the vulnerabilities they target and the damage they can cause - to keep business data private, prevent information theft and maintain data availability while enabling a high level of business productivity. It's tempting to rely on commercial vulnerability assessment tools and patch management systems to keep network infrastructure devices, servers and desktop systems in top defensive form. 
However, IT organizations should not depend on these products and services as the sole source of expertise in combating attacks on enterprise resources. Hacking tools most often originate in the realm of advanced coders. And recent news stories have tied these coders to underworld backers. Many of these hacking tools are a few clicks away on the Internet, but some tools can be difficult to find unless you move in certain circles. In the frequent case that a hacking tool cannot be accessed directly, there are several resources on the Web that will provide the kind of information IT managers need to assess network security tools' ability to thwart it. Before doing any kind of assessment of hacking tools, IT administrators should first perform a risk analysis to see which of their organization's IT resources are most vulnerable to attack and what kinds of attacks they're most liable to suffer. Administrators should then attempt to download, test and become proficient with at least one of the hacking tools that are most threatening to the organization's vital IT assets. Root kits One hack that should be high on IT organizations' most-wanted list comes by way of root kits. In fact, based on detailed information provided to eWEEK Labs and verified in our testing, Windows shops should immediately take steps to understand root kits, a type of hack that is widely known in the Unix community but that now appears to be headed straight for Windows desktop and server systems. Although root kits may be a new problem - to the Windows world, anyway - the overarching concern should be variations on hacks known to exist in every operating system in use in the network today. Buffer overflows One of the most commonly exploited vulnerabilities is the buffer overflow. 
Buffer overflows occur when too much information can be written to a predefined memory buffer, causing a program to fail. There are many tools that let hackers exploit this vulnerability, and knowing them will help you learn how to prevent their successful use on your systems. One such tool is Digital Monkey's Buffer Syringe, a relatively simple, minimally documented tool that lets hackers exploit buffer overflows. In fact, Buffer Syringe includes several usage examples that make implementation of the tool a snap. Understanding how Buffer Syringe and tools like it work should give IT managers much more confidence when evaluating, for example, a Windows vulnerability assessment tool or patch management system because it will reveal the ins and outs of how the buffer overflow is constructed. With this information, IT managers can then exact much more specific and telling information from vendors of commercial vulnerability assessment tools as to how their tools detect such weaknesses. Thus armed, it will be much easier to evaluate, select, implement and use such tools over time. A format-string vulnerability occurs when user-supplied data is handled incorrectly - usually in the C language - and is passed by a program directly as a format string. A talented attacker can then craft a string that overwrites memory locations with the attacker's input. Most IT managers likely will not have time to practice with this hack because it requires extensive tinkering to work correctly. If that's the case, a good way to get familiar with the hack is to use eWEEK Labs' favorite open-source vulnerability assessment tool - used by people wearing both white and black hats - Nessus (nessus.org). As with all the categories of hacking tools described in this article (and as with many esoteric hacking tools that are not discussed here), the Nessus tool has several plug-ins that can reveal format-string and other vulnerabilities. 
By becoming familiar with Nessus' format-string plug-in, IT managers can get a very good feel for how a format-string attack will look and act. In fact, it's well worth any IT manager's time to poke around at the Nessus site, paying close attention to the plug-in library. We recommend installing Nessus in the organization's test network and subscribing to the Nessus plug-in feed, which can be the only way to get the latest additions to the Nessus tool. Spending even a short amount of time reading about the purpose and use of a Nessus plug-in will provide valuable insight into the operation of many hacking tools - and certainly the vulnerabilities that these tools seek to exploit. This is also a good way to understand directory traversal hacks, which, like buffer overflows and format-string attacks, use custom code to cause a program malfunction to gain escalated user privilege. Defaults, back doors and misconfiguration There is a whole class of hacking "tools" that are nothing more than expert knowledge of a particular application or operating system combined with poor security practices by the IT implementer. Early in the methodical stalking of an IT resource, hackers will enumerate and identify systems in a network, looking for something of interest. After identifying an interesting target, smart hackers will gently test to see if any part of a system was left in a default configuration. Such a configuration provides easy back-door entry into what might look from the front like an impregnable fortress. To avoid leaving these back doors open, or even ajar, eWEEK Labs recommends that IT managers add a section to any RFP (request for proposal) that requires vendors to supply instructions and tools for hardening their respective products. Vendors that are unable to provide this kind of assistance - at no extra cost or at a nominal fee for custom work - should be passed over in favor of suppliers that can help IT lock out hacking tools. 
We also recommend training users early and often about how to avoid social hacks such as e-mail phishing and the dreaded Post-It Note attack. Web resources: Hacking tools For Windows systems, start with sysinternals.com, where you'll find a host of useful no-cost and commercial diagnostic tools. - http://sysinternals.com/ Go to nessus.org to become familiar with one of the most widely used vulnerability assessment tools available. Nessus can probe a wide range of server and desktop operating systems and is frequently updated. - http://nessus.org/ Wikipedia provides useful information about root kits, with pointers to articles about other hacking tools. - http://en.wikipedia.org/wiki/Rootkit From isn at c4i.org Tue Mar 22 03:12:18 2005 From: isn at c4i.org (InfoSec News) Date: Tue Mar 22 03:18:48 2005 Subject: [ISN] Worms whack half of businesses Message-ID: http://news.com.com/Worms+whack+half+of+businesses/2100-7355_3-5628715.html By Robert Lemos Staff Writer, CNET News.com March 21, 2005 Almost half of businesses have had a worm outbreak in the last year, despite increases in security spending on compliance efforts, according to a recent survey. The survey, released Monday by security company Mazu Networks and the Enterprise Strategy Group, found that almost 75 percent of companies boosted security spending in 2004 to comply with regulations set by the Sarbanes-Oxley Act. Despite those efforts, only 14 percent of respondents said they were "very confident" that their networks would repel all threats this year. "I think this is a bit of a wake-up call," said Tom Corn, vice president of marketing for Mazu Networks. "Not a lot of folks have confidence that they have mechanisms and processes in place to protect themselves." 
The survey, which polled 229 information technology professionals about their corporate networks, came as another report suggested that virus writers and online attackers are becoming more focused on using their skills to earn cash from fraud and identity theft. The polled IT professionals had a similar story to tell, according to Corn. "We are starting to see a lot of these threats less for bragging rights and more about creating armies of system zombies and bots--there is a strong financial model for that," he said. About 47 percent of all respondents had a worm infect a company network in the past year, the Mazu survey found. An eighth of those businesses had more than 25 percent of their network compromised during the incident. However, the worry of worms has not helped close some major vulnerabilities at the companies, the survey indicated. Almost 25 percent of all companies had an internal breach in 2004, and 40 percent of those incidents interrupted a critical service. Almost half of the IT professionals surveyed found active accounts belonging to ex-employees, and a third found rogue wireless access points in their network. Companies involved in the survey were required to have at least 1,000 employees. They represented more than 18 different industries. From isn at c4i.org Tue Mar 22 03:12:33 2005 From: isn at c4i.org (InfoSec News) Date: Tue Mar 22 03:18:54 2005 Subject: [ISN] Offsite security complicates compliance Message-ID: http://www.nwfusion.com/news/2005/0318offsite.html By Ann Bednarz Network World Fusion 03/18/05 Offsite security conditions are always a factor to consider when a company enters an outsourcing deal, but regulatory initiatives are raising the stakes. IT executives need to ensure service providers have proper system controls in place before and after they enter into sourcing and hosting arrangements, analysts say. It's not only a good business practice, it's also increasingly required by law. 
One law putting a spotlight on outsourcing deals is the Sarbanes-Oxley (SOX) Act of 2002, which Congress passed in the wake of accounting scandals at firms such as Enron and WorldCom. SOX has IT and finance departments working closely to review and modernize companies' financial reporting systems to comply with its regulations. Of particular concern is Section 404 of the legislation, which calls for company executives and third-party auditors to certify the effectiveness of internal controls - technologies and processes put in place to preserve the integrity of financial reports. Doing due diligence to Section 404 means looking into conditions at outsourcing and hosting providers' sites, where sensitive corporate data might be accessible, processed or stored. That's where Statement on Auditing Standards (SAS) 70 comes in. SAS 70 is an auditing standard developed by the American Institute of Certified Public Accountants for service organizations. It prescribes a method for an auditor to examine control activities at a service organization or outsourcing firm. There are two types of SAS 70 audits. A Type 1 audit focuses on general controls at a single point in time and doesn't include testing by auditors. A Type 2 audit is more intensive - and more appropriate for SOX compliance. It looks at conditions over a prolonged period of time, and auditors perform testing to verify the effectiveness of controls at service organizations. SOX compliance efforts have elevated interest in the auditing standard, which has been around since 1992. "We are doing a lot more SAS 70s lately," says Ed Byers, a principal at Deloitte & Touche. Outsourcers agree that users are beginning to ask for SAS 70 audits. "It was something our customers were looking for," says John Engates, CTO at Rackspace Managed Hosting. Ernst & Young recently concluded an SAS 70 Type 2 audit for the San Antonio managed hosting provider. 
The audit covered controls related to service delivery and operations, infrastructure maintenance, change management, back-up processes, and logical and physical data center access, Engates says.

Rackspace underwent the audit at the request of some of its largest customers, which are facing SOX Section 404 deadlines, Engates says. Section 404 says companies must prepare reports - to accompany their annual reports filed with the Securities and Exchange Commission - assessing the effectiveness of their internal control structures and financial reporting procedures. Section 404 deadlines are staggered and begin this spring.

"They really need some assurance that the controls that are in place outside of the walls of their companies are as effective as the controls inside their companies," he says.

At the same time, Rackspace benefits from having gone through a formal process to analyze and document its internal controls. "It put a spotlight on our documentation and the formalization of our policies and processes," Engates says.

Securing SAS 70 certification requires a commitment - of personnel and budgets - on the outsourcing providers' part. At Rackspace, the certification process took almost one year, from the early stages of defining the scope of the audit to the full-blown testing of controls.

Sierra Atlantic will spend about $25,000 to achieve SAS 70 certification this year, says Marc Hebert, executive vice president at the Fremont, Calif., company, which offers a range of offshore application services. Sierra Atlantic is in the process of securing SAS 70 Type 2 certification. Like Rackspace, Sierra Atlantic decided to pursue SAS 70 certification because of customer demand, Hebert says.

In general, there's a tendency for companies to secure more SAS 70 certifications from outsourcers than are needed, Byers says. "Companies are so scared about Sarbanes-Oxley they want to audit everything," he says.

There's confusion over when an SAS 70 audit is required and when it isn't - particularly when it comes to smaller service providers that might not have the necessary controls in place, Byers says.

The most common scenario that would require a company to secure an SAS 70 audit from its service provider is when the company outsources application processing such as payroll. "If you outsource a transaction process like payroll, then you probably want an SAS 70 - because the control is at the service provider," Byers says.

But not every outsourcing arrangement necessitates an SAS 70. For example, a company that uses contract employees from an IT service provider to help manage its applications probably doesn't need an SAS 70 from the service provider because control over the systems remains internal. Likewise, if a company uses an outsourcer for certain application development activities but retains control over application testing and change control, an SAS 70 might not be required. "If management is providing all the control, you don't need to have an audit of the service provider," Byers says.

Some arrangements are particularly cloudy about SAS 70 requirements. In a hosting arrangement, it's important to determine who has control over updates to an application, Byers says. Additionally, even if a company retains control over application testing and updates, an SAS 70 audit might be required to assess physical and environmental controls at the service provider's site, Byers says.

Even if an SAS 70 audit has been completed, it might not be adequate for SOX compliance, Meta Group says. The SAS 70 standard was developed long before SOX regulations and doesn't necessarily focus on the type of controls that SOX requires, according to the research firm.

There's no standard prescription for what is covered in an SAS 70 audit, Byers agrees. A service provider typically defines the control objectives and activities covered in an SAS 70 audit of its operations. "An SAS 70 can include as much or as little as a service provider wants. It's not a standardized audit report," Byers says.

Because the comprehensiveness of SAS 70 audits varies, it's up to the contracting company and its auditors to assess a service provider's SAS 70 for completeness and adequacy. "Since the SAS 70 isn't standardized, you need to assess its completeness," Byers says. "Does it cover all your general computer controls? Does it cover applicable business process controls via the application controls?"

In theory, a service provider could exclude areas from an SAS 70 audit where it knows it's vulnerable. But that's not typical, Byers says. In general, SAS 70 audits have become more comprehensive in light of SOX, he says.

From isn at c4i.org Tue Mar 22 03:12:45 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 22 03:19:00 2005
Subject: [ISN] The good and bad of Linux LiveCDs
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,100535,00.html

By Neil McAllister
MARCH 21, 2005
INFOWORLD

If you're an IT manager, introducing Linux into your enterprise is a tough decision. Choosing to take the plunge at all is one thing, but facing the myriad choices is another. At last count, the database at DistroWatch.com racked up some 345 actively maintained Linux and BSD distributions. Although most enterprises are likely to consider only a fraction of that catalog, the number of decision points it represents is potentially much larger.

Each Linux distribution is configured differently. Each ships with its own kernel, modules and associated tools. Some use the Gnome desktop environment, others KDE, and still others ship as bare-bones command-line systems. Some provide lots of applications and services for maximum flexibility, whereas others have been pared to the minimum and locked down for security.

In the past, taking any of these distributions for a test-drive could be a tedious process.
It meant cleaning out drive space on a spare machine, going through a potentially irksome installation process (depending on the distribution), creating accounts, and then experimenting with the operating system before deciding whether it was worth a full-blown install.

Today's answer? LiveCDs -- complete, functional, binary Linux distributions booted from a CD, DVD, USB keychain drive or other portable media. Want to know if Mepis ships with the right libraries to support your applications, or if the Ubuntu desktop is just the right shade of chocolate brown to suit you? Burn a copy of the LiveCD version, boot it up, and take it for a spin -- no need to install it to a hard drive.

Macintosh fans are probably slapping their foreheads and saying, "Duh." As far back as Mac OS 7 it was easy for Mac users to include a working System Folder in a disk image to create a fully bootable CD-ROM. But it wasn't always so easy with Linux (or Mac OS X, for that matter).

Since those days, however, open-source operating systems have developed the most sophisticated LiveCDs around. Compressed filesystems pack as much as 2GB onto a single CD-ROM image, and some distributions -- such as Puppy Linux -- even ship LiveCDs that use multisession burning to allow users to save data back to the same CD they booted from.

Whereas many LiveCDs are trial versions of full-blown distributions, others have been designed with more specific purposes in mind. For example, Knoppix comes packed with data-recovery and security tools. Hikarunix, on the other hand, is a complete, bootable, Linux-based OS dedicated solely to the ancient game of Go and is small enough to fit on a pocket-size mini CD.

These last examples bring up an important point that I'd be remiss to neglect. A PC booted from a Linux LiveCD is transformed. It no longer has any of the user accounts, logging and security controls of its original host operating system. It has become a Linux system, completely under the control of the end-user and loaded with an arbitrary selection of open source software -- yet it still has access to the same hard drives, network, servers and other resources as before. The security threat this poses is obvious.

Choosing a Linux distribution for your enterprise environment is a difficult decision, but it should be IT's decision. If your corporate desktops and notebooks are distributed with the ability to boot from CD-ROM enabled in the BIOS, ask yourself this: Do you know what your users' favorite Linux distributions are?

From isn at c4i.org Wed Mar 23 02:19:39 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 23 02:28:35 2005
Subject: [ISN] Offsite security complicates compliance
Message-ID:

Forwarded from: Mark Bernard

Dear Associates,

Here in Canada the Chartered Accountants of Canada are in the process of making our IT Audit standards, CICA 5900, compliant with SOX and SAS 70. We are also anticipating newly crafted Financial Securities legislation this year currently under review in Ontario also known as Bill 198. It's very likely that each of the Canadian provinces will adopt Bill 198 provisions since our stock exchange is located in Toronto - Ontario. The current target release date for CICA 5900 is July 1st, 2005.

The answer to complying with all of this new legislation is to implement a best practice framework such as ISO17799 or ISACA's COBiT. I would personally recommend ISACA's COBiT because it's a worldwide standard that IT Auditors and Financial professionals recognize. A hybrid strategy using both ISO 17799 and COBiT is that much better since both IT professionals and Financial Professionals can relate to each. Furthermore, it's very likely that your annual audits will be conducted by IT Auditors with Financial backgrounds, so it's the only logical approach.

Why should IT be concerned about the Finance Department?
Well, if you're an IT Professional and have been in business long enough then you already know how important it is to work closely with Finance and ensure that such projects and capital expenditures are clearly understood. This way they'll have a chance to stay in the annual budget and not get cut during the annual rollback on capital expenses.

Here's a link for more information about CICA 5900:
http://www.cica.ca/index.cfm/ci_id/19365/la_id/1.htm

Here's a link for COBiT:
http://www.isaca.org/Template.cfm?Section=COBIT_Online&Template=/ContentManagement/ContentDisplay.cfm&ContentID=15633

Best regards, Mark.

Mark E. S. Bernard, CISM, CISSP, PM,
Principal, Risk Management Services,
e-mail: Mark.Bernard@TechSecure.ca
Web: http://www.TechSecure.ca
Phone: (506) 325-0444

Leadership Quotes by John Quincy Adams: "If your actions inspire others to dream more, learn more, do more and become more, you are a leader."

[...snip]

> http://www.nwfusion.com/news/2005/0318offsite.html
>
> By Ann Bednarz
> Network World Fusion
> 03/18/05
>
> Offsite security conditions are always a factor to consider when a company enters an outsourcing deal, but regulatory initiatives are raising the stakes.
>
> IT executives need to ensure service providers have proper system controls in place before and after they enter into sourcing and hosting arrangements, analysts say. It's not only a good business practice, it's also increasingly required by law.
>
> One law putting a spotlight on outsourcing deals is the Sarbanes-Oxley (SOX) Act of 2002, which Congress passed in the wake of accounting scandals at firms such as Enron and WorldCom.
>
> SOX has IT and finance departments working closely to review and modernize companies' financial reporting systems to comply with its regulations. Of particular concern is Section 404 of the legislation, which calls for company executives and third-party auditors to certify the effectiveness of internal controls - technologies and processes put in place to preserve the integrity of financial reports.
>
> Doing due diligence to Section 404 means looking into conditions at outsourcing and hosting providers' sites, where sensitive corporate data might be accessible, processed or stored. That's where Statement on Auditing Standards (SAS) 70 comes in.

[...]

From isn at c4i.org Wed Mar 23 02:20:03 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 23 02:28:39 2005
Subject: [ISN] Terror plot to cripple UK in cyber attack
Message-ID:

http://news.scotsman.com/uk.cfm?id=305582005

JAMES KIRKUP
POLITICAL CORRESPONDENT
22 Mar 2005

INTERNATIONAL terrorists are training to launch cyber-terror attacks on Britain which could cripple vital economic, medical and transport networks, the government's counter-terrorism co-ordinator said yesterday.

Sir David Omand said surveillance of suspected al-Qaeda affiliates suggests they are working to use the internet and other electronic communications systems to cause harm.

Sir David, a former head of GCHQ and one of the most senior members of the British intelligence community, yesterday appeared at a conference of security experts and business leaders at Chatham House in London to discuss Britain's defences.

To illustrate the point that even entirely civilian industries and networks can be vital to national security, the conference was reminded of an MI5 assessment that "Britain is four meals away from anarchy."

British security officials are normally extremely reluctant to discuss potential threats even semi-publicly, but the need for increased action from the private sector is driving a newfound openness.
Intelligence officials say that no matter how much the state does to prepare for cyber-terrorism, a great deal will rest on the willingness of businesses to "harden" their systems against attack.

Sir David confessed to his audience that he had doubts about commenting publicly on security threats, not least for fear of sparking undue panic. He insisted that his remarks constituted an attempt to "inform" or to "alert", but stopped short of being a "warning".

Britain has not yet experienced genuine acts of cyber-terrorism, but Sir David said intelligence chiefs are in little doubt that the country must be ready for such an attack.

While the mandarin did not name al-Qaeda or its affiliates, he left little doubt that the followers of Osama bin Laden are developing their electronic warfare capabilities. "Many of those who have been arrested or about whom we know have a very high level of technological awareness," Sir David said.

A combination of the terrorists' increasing technological sophistication and Britain's growing dependence on electronic networks means this is considered "a threat which will rise in silence".

Cybernetic attacks can take many forms. At the most basic level, programmers can set computers to bombard websites and email servers with thousands of messages which cause them to jam. More sophisticated and dangerous attacks would entail penetrating an organisation's internal communication and management systems, either distorting messages or blocking them altogether.

The most sensitive government systems, such as those used by the military and intelligence services, are entirely closed to the outside world. Instead, the authorities' greatest fears about electronic attacks relate to the more exposed networks that make up what is known as "critical national infrastructure", many of which are in civilian hands.

Central and local government systems, financial markets, the National Health Service, the emergency services, transport and energy networks, and even the food and drink industry are all deemed vital to Britain's ability to resist potential attack or, should an attempt succeed, to minimise the harm caused.

Yesterday's call for greater resilience away from the "core" targets of central government and financial targets echoes similar assessments in recent weeks. Earlier this year, an authoritative study by St Andrew's University security experts warned that counter-terrorism preparations in areas outwith London need much more work.

But Britain is not alone in worrying about non-physical terrorist attacks on infrastructure. US intelligence agencies are known to be particularly concerned that terrorists could combine electronic and physical attacks to devastating effect, for example disrupting emergency service networks at the same time as mounting a bomb attack. And electronic attacks on electricity grids or the floodgates of hydro-electric dams are also under active consideration by US agencies.

Other scenarios are less spectacular, but could entail significant economic harm to Britain, even as the result of events far beyond the UK's borders. The global nature of the internet means the threat from cyber-attacks is equally international, forcing British agents to work closely with nations they say they would often regard with suspicion or even hostility.

One British counter-terrorism official yesterday raised the prospect of an electronic attack on the Russian gas industry. "Given that Britain is now a net importer of gas and that gas is shipped through pipelines controlled by electronic technology, this sort of thing has to be considered a potential economic threat," the official said.

Toby Harris, the former chairman of the Metropolitan Police Authority, told the delegates yesterday that there remains "significant vulnerability in the systems we all rely on." Lord Harris insisted the threat was not exaggerated, citing the example of HM Coastguard, which was last year almost paralysed by a computer virus.

"What happens were there to be a serious attack that severely damaged the critical national infrastructure?" he asked, calling for urgent work by public and private sector managers to devise contingency plans. Otherwise, he said, "Britain could be quickly reduced to large-scale disorder, including looting and rioting, in the event of a serious disruption of critical national infrastructure".

From isn at c4i.org Wed Mar 23 02:20:15 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 23 02:28:42 2005
Subject: [ISN] IBM offers "strikeback" service to counter spammers
Message-ID:

Forwarded from: Richard Forno

http://money.cnn.com/2005/03/22/technology/ibm_spam/index.htm?cnn=yes

March 22, 2005

NEW YORK (CNN/Money) - IBM unveiled a service Tuesday that sends unwanted e-mails back to the spammers who sent them.

The new IBM (Research) service, known as FairUCE, essentially uses a giant database to identify computers that are sending spam. E-mails coming from a computer on the spam database are sent directly back to the computer, not just the e-mail account, that sent them.

"Spam has become a high priority security issue for businesses today," Stuart McIrvine, IBM's director of corporate security strategy, said in a prepared statement. "By creating a multi-layered defense that proactively repels spam at its source, companies can get ahead of spammers and malicious hackers who are always looking for new ways of penetrating IT systems through e-mail."

IBM said the new solution effectively minimizes the growing threats of "phishing and spoofing -- tactics used to trick people into disclosing information that can lead to identity theft." The company said its FairUCE spam technology will allow customers to identify incoming spam before it gums up their systems.
Also, IBM said its anti-spam technology will alleviate the need for content filtering, which heavily taxes IT systems, siphoning off bandwidth otherwise used for business purposes.

IBM has previously offered anti-spam filter technology, but this is the first time the company has developed technology to "send spam back to the spammer," according to IBM spokeswoman Kelli Gail. IBM is not concerned about liability, even in cases where innocent senders might be misidentified as spammers, because all the technology does is bounce back the e-mails, said Gail.

IBM said in a separate report that, in February, 76 percent of all e-mails were spam, down 7 percent from the January level. Also, 2 percent of all e-mails carried a virus or some other "malicious content," according to the report.

IBM stock edged higher in midday trading on the New York Stock Exchange.

From isn at c4i.org Wed Mar 23 02:20:27 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 23 02:28:44 2005
Subject: [ISN] Re: IBM offers "strikeback" service to counter spammers
Message-ID:

Forwarded from: security curmudgeon

: http://money.cnn.com/2005/03/22/technology/ibm_spam/index.htm?cnn=yes
:
: March 22, 2005: 12:22 PM EST
:
: NEW YORK (CNN/Money) - IBM unveiled a service Tuesday that sends unwanted e-mails back to the spammers who sent them.

Jeez, not only is IBM years behind the bandwagon as usual, they are jumping on a broken bandwagon full of dangerous moving parts.

: The new IBM (Research) service, known as FairUCE, essentially uses a giant database to identify computers that are sending spam. E-mails coming from a computer on the spam database are sent directly back to the computer, not just the e-mail account, that sent them.

This is entirely worthless as a paragraph and explanation for what IBM plans to do. Most machines that are sending spam are Joe User's home computer that has been compromised by a spammer, trojan or worm. Most of these computers don't run a SMTP server to receive e-mail. Most of these machines have nothing to do with the person truly sending the spam. Most of these computers have no tie to the "e-mail account" of the person sending them. All this will do is shove a lot of unwanted mail to victims of computer crime, not the perpetrator of the spam. Most of this mail will not be delivered and cause more bounces back to IBM causing more headache.

: "By creating a multi-layered defense that proactively repels spam at its source, companies can get ahead of spammers and malicious hackers who are always looking for new ways of penetrating IT systems through e-mail."

Uh hello IBM, sending spam back at people isn't "defense", that is "offense".

: IBM said the new solution effectively minimizes the growing threats of "phishing and spoofing -- tactics used to trick people into disclosing information that can lead to identity theft."

Sending spam back at the source of the spam hitting your network does not reduce any threats. Spam, phishing and spoofed mails still come in from a ton of other sources, possibly even the same hosts IBM is 'spamming' back.

: IBM has previously offered anti-spam filter technology, but this is the first time the company has developed technology to "send spam back to the spammer," according to IBM spokeswoman Kelli Gail. IBM is not concerned about liability, even in cases where innocent senders might be misidentified as spammers, because all the technology does is bounce back the e-mails, said Gail.

This is a dangerous game to play in this day and age of spoofed emails. I do not send spam to anyone, yet every day I receive bounces suggesting that my email address is used as the 'from' line of hundreds, maybe thousands of mail. If IBM decides to send me these mails back instead of deleting them, they will be originating a denial of service style attack on me, when I wasn't the perpetrator or the innocent *sender*.
IBM can count on thousands of admins blocking all of the IBM domain/IP space to avoid this headache. I hope their customers understand this when they start to have problems reaching the rest of the internet.

From isn at c4i.org Wed Mar 23 02:20:47 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 23 02:28:47 2005
Subject: [ISN] Bellua Cyber Security Asia 2005
Message-ID:

Forwarded from: Anthony Zboralski

JAKARTA, - 20 March, 2005 - The largest ethical hacking and information security conference in Asia will take place in Jakarta, Indonesia at the Hotel Borobudur from 23rd to 24th March 2005. The conference is arranged by PT Bellua Asia Pacific and supported by PT Excelcomindo Pratama (XL), one of Indonesia's largest GSM operators and infrastructure providers.

The main goal of the event is to increase security awareness and information sharing both in the public as well as the corporate and government sector to the many security related issues that could potentially affect their business.

"XL, the Official Major Sponsor of Bellua Cyber Security Asia 2005, is proud to be able to deliver this very unique event. We hope it will increase the awareness and understanding of critical information infrastructure security and encourage active engagement and interest," said Rudiantara, XL Director of Corporate Affairs.

"The increasing complexity of telecommunication infrastructure with the advent of Internet, GPRS, 3G, VoIP and VAS applications leads to many further opportunities for attackers. The Banks and Telcos used to be "closed environments", it isn't really the case anymore," says one of the speakers, Emmanuel Gadaix, founder and leader of the Telecom Security Task Force.

For the first time in Indonesia, the conference will put together a variety of internationally recognized experts in the security community as well as leading members of the Indonesian technology and security industry. The conference is also expected to add depth and understanding of security issues in the public sector: technical challenges facing the public authorities as well as providing a secure public infrastructure.

The event will open with the Attorney General of Indonesia, Bpk. Abdul Rahman Saleh as well as the Minister of Communications and Information, Bpk. DR. Sofyan Djalil, delivering their keynote speech. Between 400 to 600 delegates and visitors are expected to attend the conference, with coverage from a large number of media outlets from the region.

Over 40 speakers from numerous disciplines will join Bellua Cyber Security Asia 2005 to discuss present and future information security issues through an intensive series of workshops, presentations, technical sessions and demonstrations. "BCS is all about knowledge transfer and information sharing, our speakers aren't coming to Jakarta to sell products!"

The conference will be spread across 2 concurrent tracks focusing on the business and technical aspects of information security. The business tracks will be the meeting of minds to discuss the challenges of securing an organization from a process approach. The technical track in the conference will present current technologies, bleeding-edge techniques as well as experience sharing among the international speakers. In addition, the conference will also unveil in Jakarta some new attacks and vulnerabilities (and how to defend from them).

Among the speakers, Fabrice Marie, a senior security consultant working for one of the "Big 4" will showcase well known internet banking attacks and provide guidelines on how to prevent them. Fetri Miftach will explain how to build security from planning to action using British Standard 7799. Dave McKay (ex-Google, ex-US DoD & ex-Microsoft) will deliver a speech on one of the most human aspects of information security, "Social Engineering". Dave explains: "In today's world, confidence scams present quite possibly one of the highest threats to security within the business world. Control of information, withholding and leaking, can lead to massive failures and losses depending on how skilled the attacker may be. In combination with disinformation and propaganda, social engineering can be as fatal as or even lead to loss of customer and shareholder confidence."

Microsoft Security Business Services is flying in from Redmond, WA, several of its security experts to Jakarta including David Steeve and John Howie who will talk about securing online transactions and compliance management.

Ethical hacking & security contests will let novices develop their skills and challenge experts in their favorite arenas, allowing all a chance to win prizes.

Bellua Cyber Security 2005 is brought to you by Excelcomindo Pratama (XL) & Bellua Asia Pacific, Kabelvision, Mynet, Bispro, M-Sistems, Cisco, Multipolar, Microsoft, Unipro, Scan Nusantara, Network Security Solutions, KPMG, Esgulf, TSTF, The Jakarta Post, SWA, Detik, KCM, ISACA, Infolinux, Phrack Magazine, HERT, InfoSecNews, Zone-H, Hack in The Box, The Hacker's Choice, Packet Storm, eBizzAsia, ...

About XL

PT EXCELCOMINDO PRATAMA (XL) commenced commercial operations in October 1996, providing GSM cellular network service in Indonesia by using a GSM 900 technology base which was subsequently complemented with a 1800 technology base. Since then XL was the first privately owned mobile telephone service provider in Indonesia. XL is a joint venture resulting from the collaboration between several local companies and foreign companies, all of which are well-respected companies having experience in the telecommunication industry. Thus, XL benefits from the synergy of its shareholders' skills and technical specialties. Our business primarily consists of providing voice, data and other value-added cellular telecommunications services.
We operate our network pursuant to a GSM license from the Minister of Communications which has allocated two bands of spectrum for us to operate our GSM 900 and GSM 1900 networks. For more information please visit www.xl.co.id

****

PT Bellua Asia Pacific is a consortium of independent consultants and consulting firms specialising in information security & business process engineering. Our clients benefit from our extensive network of consultants which covers more than 24 countries including: Argentina, Austria, Australia, Belgium, China, England, Finland, France, Germany, Greece, Indonesia, Malaysia, Norway, Netherlands, Poland, Romania, Russia, Sri Lanka, Thailand and the United States. We are vendor neutral and our information security consultants have many years of information security experience that include performing penetration testing, security assessments for some of the largest Asian banks and over a dozen Fortune 500 companies. For more information please visit www.bellua.net

For general event questions, please email bcs2005@bellua.com. For questions regarding event registration, please call +62 21 391 8330 Fax +62 211 391 8328 or SMS 0817 018 1770.

Press Contacts:
Anthony Zboralski
PT Bellua Asia Pacific
Bumi Daya Plaza, 18th Fl., Jl. Imam Bonjol No. 61, Jakarta 10310 Indonesia
+62 818 699 084
anthony.zboralski@bellua.com

The Keynote Speakers:
* Bpk. Abdul Rahman Saleh, Attorney General of Republic Indonesia
* Bpk. DR. Sofyan Djalil, Minister of Communications and Information of Republic Indonesia
* Onno Purbo (Indonesia)

The Business Track:
* John Grygorcewicz - The Importance of Security in Business Processes (Australia)
* Fetri Miftach - Building Security into Treasury Systems using BS7799 (Indonesia)
* Dave McKay - Social Engineering Fundamentals (Italy - USA)
* Emmanuel Gadaix - Carrier-grade security: A primer for telecommunications operators (France)
* Fabrice Marie - Hacking Internet Banking Applications (France)
* Philip Victor - Converging Security Awareness into the Organisation's Culture (Malaysia)
* Jim Geovedi - Day to Day Security for Managers, Users and SMEs (Indonesia)
* Iwan Atmawidjaja & Peter McNally - Business Continuity Management - Asia Perspective (Indonesia & Australia)
* John Howie - Compliance Management: Is Patch Management Dead? (United States)
* Phil Leifermann - Enterprise Security Management (Australia)
* Roberto Preatoni & Fabio Ghioni - Cyber Terrorism and Cyber War (Italy)
* David Steeves - Securing Online Transactions (USA)
* Jagdeep Kairon - Enterprise Security Demystified (Malaysia)

Panel Discussion: Cyber Crime & Cyber Law
* Bpk Halius Hosen, SH, Chief of Planning Bureau - Attorney General's Office of Republic Indonesia
* Bpk DR. Moedjiono, M.Sc Deputy Minister for ICT, Ministry of Communication and Information of Republic Indonesia
* Ibrahim Assegas - Hukum Online (Indonesia)
* Convicted Hacker Dani Firmansyah "xnuxer" (Indonesia)

Panel Discussion: Building a Safe Internet
* Basuki Suhardiman - Institute of Technology Bandung (Indonesia)
* Budi Raharjo - Indocisc (Indonesia)
* Johar Alam - IDC Indonesia (Indonesia)
* Eko Indrajit (Indonesia)
* Hasan Yahya (Moderator) (Indonesia)

The Technical Track:
* The Grugq - Digital Forensics and the Art of Anti-Forensics (United Kingdom)
* Ryan McBride - Robust Firewalls with OpenBSD and PF (Canada)
* David Maynor - DMA: The Unknown Attack Vector (United States)
* Cesar Cerrudo - Windows IPC Exploitation (Argentina)
* Assessing Server Security - State of the Art - Charl Van Der Walt (South Africa)
* Don Bailey "North" - Once a Thief, Kernel Rootkit (United States)
* S.K. Chong - Windows Local Kernel Exploitation (Malaysia)
* Fyodor Yarochkin & Meder Kydyraliev - Advanced Intrusion Data Normalisation and Correlation (Kyrgyzstan)
* Julien Vanegue & Sebastien Soudan - Distributed Binary Manipulation (France)
* Marc Schonefeld - Java & Secure Programming (Germany)
* Shreeraj Shah - Web Application Kung-Fu, The Art of Defense (India)
* Himanshu Dwivedi - Attacking and Protecting Storage Area Networks (USA)

Panel Discussion: Honeypot & Honeynet
* Ralph K.
Logan - The Honeynet Project (United States) ?*?Kamal Hilmi Othman - Honeypot and Internet Background Noise (Malaysia) ?*?Marek Bialoglowy - Deploying Custom Honeypot to catch Insider Hackers (Poland) Panel Discussion: The Security and Hacking Community ?* Skyper - Ralf Kaiser?- Editor in Chief of Phrack Magazine ?* Onno Purbo - Internet For Every One (Indonesia) ?*?Ariesto Kosasih - NSFocus & XFocus (Indonesia) ?*?Roberto Preatoni - Zone-H, a defacement/cybercrime archive (Italy) -- Bellua Cyber Security Asia 2005 - http://www.bellua.net 21-22 March - The Workshops - 23-24 March - The Conference bcs2005@bellua.com - Phone: +62 21 391 8330 HP: +62 818 699 084 From isn at c4i.org Wed Mar 23 02:21:05 2005 From: isn at c4i.org (InfoSec News) Date: Wed Mar 23 02:28:50 2005 Subject: [ISN] Outrage at Symantec's OS X claims Message-ID: http://news.zdnet.co.uk/internet/0,39020369,39192260,00.htm Dan Ilett ZDNet UK March 22, 2005 Symantec has sparked outrage by claiming on Monday that the operating system OS X was set to come under increased hacking and malware attacks. In its Internet Security Threat Report, Symantec said that Apple's userbase was more likely to come under attack, citing Apple's growing market share and the 37 vulnerabilities that were found in OS X last year - a trend it hinted would continue. But ZDNet UK readers have rebutted Symantec's claims in a series of angry responses, saying the security company was using marketing tactics of fear, uncertainty and doubt (FUD) to fuel its sales. "What a load of FUD," said one anonymous IT manager. "Anyone with the smallest sense of knowledge about any of these operating systems knows that the biggest issue with Windows security is the basic design flaws that it keeps dragging on from its past eras, to ensure compatibility." Another furious reader, an anonymous editor, argued that OS X was already a secure operating system. "Total nonsense," he said. 
"Yes, of course, as OS X grows market share it will come under more attack. It hardly takes a rocket scientist to see that. But any idiot can see that an OS which requires [a] root password before installing any software is inherently going to stop more viruses than an OS like Windows which doesn't. Grow up and quit whining." Analyst group Frost & Sullivan and security company Trend Micro both agreed with Symantec's argument that OSX will become a more tempting target to hackers as its market share increases. But Laird Popkin, a chief technical officer, accuses ZDNet of supporting scare tactics by reporting these views. "[I]t's somewhat pathetic that ZDNet bothered to 'print' this 'story' since it's clearly self-serving fearmongering [sic] from Symantec," wrote Popkin. "If they were journalists rather than a marketing channel, they'd put this FUD in context." But Symantec insists its claims are valid. In an emailed response, a Symantec spokesperson wrote: "We've found that one of the recent emerging security concerns is around Mac OS X. No Internet user, regardless of which operating system they use, is 100 percent immune from attack. People should not be scared, but they should make sure they are secure." Apple, though, did not respond to requests for comment. Symantec's made its controversial comments in its Internet Security Threat Report, which was released yesterday. From isn at c4i.org Thu Mar 24 04:43:18 2005 From: isn at c4i.org (InfoSec News) Date: Thu Mar 24 04:56:00 2005 Subject: [ISN] Security UPDATE -- In Focus: Yet Another Linux vs. Windows Report -- March 23, 2005 Message-ID: ==================== This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE. 
Free Info Kit on Automating Patch Management
http://list.windowsitpro.com/t?ctl=5BCD:4FB69

Security on All Workstations Compromised in Minutes
http://list.windowsitpro.com/t?ctl=5BC0:4FB69

====================

1. In Focus: Yet Another Linux vs. Windows Report
2. Security News and Features
   - Recent Security Vulnerabilities
   - Help Writing an Incident Response Plan
   - CyberGuard Acquires Zix Security Assets
3. Security Toolkit
   - Security Matters Blog
   - FAQ
   - Security Forum Featured Thread
4. New and Improved
   - Fine-Tuning Permissions

====================

==== Sponsor: PatchLink ====

Free Info Kit on Automating Patch Management
Now, in a free information kit, learn how easily you can identify, deploy, and maintain patches critical to the security and availability of your network. You'll also discover how you can maintain bulletproof security -- against a range of threats -- at every network endpoint. This information-packed kit, from the pros at PatchLink, also shows you how to reduce IT workload by automating the installation of critical patches while being confident that all installed patches are pre-tested -- without having to do the testing. Click here to get your Free "Automating Patch Management" Kit now, and learn how to ease one of your biggest IT burdens. Download your Free Kit at:
http://list.windowsitpro.com/t?ctl=5BCD:4FB69

====================

==== 1. In Focus: Yet Another Linux vs. Windows Report ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

How many reports and related news stories have you read that allege they will reveal that Linux is more secure than Windows or vice versa? Get set for yet another one.

A recent news story, "Controversial Report Finds Windows More Secure than Linux," discusses a soon-to-be released report by a research professor at Florida Institute of Technology's College of Engineering and a director of research at a security technology provider. The report will compare Windows 2003 Server and Red Hat Enterprise Linux ES 3.0. As you might expect, the report is causing a stir of debate even before its release.

There are problems with these kinds of comparison reports and their related news stories. One problem is that the media often generalize to the point that they propagate misinformation to the unknowing. For example, some people might not know that there are multiple versions of Linux, just as there are multiple versions of Windows. Dozens of entities produce their own unique brands of Linux, updating these brands with new versions over time. A statement such as "Windows is more secure than Linux" is broad to the point of being meaningless.

Another problem with the comparative reports is that they lack adequate context. The researchers often seem somewhat blind to other factors that play a key role in the risk in using any OS or application. According to the news story, the research report covers (among other information) statistics about the vulnerabilities that were found in each platform during 2004. Certainly that kind of information helps determine the overall security of an OS, but other data is necessary to put such reports in context.

Among the data should be the answers to such questions as: How many security researchers were looking for security bugs and in what time frame? In which OS version were they looking? How much time did they spend on such efforts? What were their capabilities and what tools did they have at their disposal? Obviously, if less collective time is spent looking for security problems in a platform, then the probability is high that fewer problems will be found in that platform. Likewise, if more time is spent looking for problems in a platform, then the probability of discovering more problems in that platform increases.

Applications also play a key role in the security of a platform. So data could be gathered about application vulnerabilities and how they've affected overall security. Equally as important, if not even more important, is the question of what motivates intruders and the makers of malware. How did these people spend their time? What OSs did they target most often and why?

Another set of interesting questions relates to how many of the cited vulnerabilities can be mitigated using configuration changes or defenses that are (or should be) already in place. For example, could a simple configuration change or a border or desktop firewall or Intrusion Prevention System (IPS) adequately defend against a particular vulnerability?

None of this type of data is offered in any comparative reports that I know of. Yet all these questions should come into play when researching for security comparison purposes because this data would provide a much more complete picture of how much risk is involved in using a particular piece of software, whether it be an OS, a related service, or an application. Without this kind of data to offer a larger context, these comparative reports are far less useful than their production and associated media coverage imply. If you know of a report that includes this sort of context, please let me know about it. I'd surely like to read it.

====================

==== Sponsor: Lieberman Software ====

Security on All Workstations Compromised in Minutes
In just a few minutes any of your domain users could become the administrator of ALL your machines without your knowledge. A quick search of Google.com for password crackers is all it takes. There is a solution. Download our guide to plugging the DISTRIBUTED CREDENTIALS FLAW in Windows. Our Random Password Generator + (New) Web Based Delegated Password Recovery Console automatically solve the common administrator account/password flaw that your workstations suffer from. We have a wide range of tools to beef up your workstation and server security. Contact us for a free demo.
http://list.windowsitpro.com/t?ctl=5BCE:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=5BC3:4FB69

Help Writing an Incident Response Plan
Do you have a plan in place for responding to security incidents? If not, a newly published outline can help you get started writing such a plan for your business.
http://list.windowsitpro.com/t?ctl=5BC7:4FB69

CyberGuard Acquires Zix Security Assets
CyberGuard announced that it has acquired Zix's antispam, antivirus, and URL filtering assets for approximately $4 million in cash. CyberGuard will integrate Zix's technology into its Webwasher business and hopes to gain new customers through cross-selling to users of Zix products.
http://list.windowsitpro.com/t?ctl=5BC8:4FB69

====================

==== Resources and Events ====

Improve Service Levels and Maximize IT Staff Efficiency
Keeping your IT infrastructure on course can be a challenge given the complexity of servers, infrastructure, and application software. In this free Web seminar, learn practical techniques to monitor and manage your infrastructure applications, such as Active Directory and Exchange.
http://list.windowsitpro.com/t?ctl=5BBC:4FB69

Get Ready for SQL Server 2005 Roadshow in a City Near You
Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now!
http://list.windowsitpro.com/t?ctl=5BBF:4FB69

Don't Miss Out--SQL Server Administration for Oracle DBAs On-Demand Web Seminar
Sign up now for this free Web seminar and get a quick start in mapping Oracle database-management skills, knowledge, and experience to SQL Server database management. Learn about the varying similarities and differences between Oracle and SQL Server and get a preview of real-world tips and techniques for managing these associated technologies. Register now!
http://list.windowsitpro.com/t?ctl=5BBA:4FB69

Exchange, Retention, and Regulatory Compliance
The advent of Sarbanes-Oxley, Gramm-Leach-Bliley, and assorted market-specific regulations means that you may be legally required to have an email compliance and retention policy. In this free Web seminar, Exchange MVP Paul Robichaux will teach you to discover, manage, and archive information within your Exchange enterprise to successfully limit your legal exposure and protect your corporate information. Sign up today!
http://list.windowsitpro.com/t?ctl=5BBE:4FB69

New eBook--Windows Certification and Public Keys
PKI services are increasingly important in today's IT environment. PKI offers strong security services to internal and external users, computers, and applications. In this free eBook, you'll discover a starting point for understanding the PKI and certificate services available in Windows Server 2003. Download it now and learn about trust relationships, validating digital certificates, and more.
http://list.windowsitpro.com/t?ctl=5BBB:4FB69

====================

==== Hot Release ====

Try it Free -- New NetOp Remote Control v8.0 -- Faster, more secure, remote access & support, PC inventory, file transfers and scripting. New Remote Management Console and security options to help you meet today's auditing and compliancy requirements. NetOp - Nothing comes remotely close. Try it today.
http://list.windowsitpro.com/t?ctl=5BB9:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=5BCC:4FB69

Is Your Mail Server on a Blacklist?
Ever wonder if your mail server somehow wound up on a blacklist? I've found a tool that checks dozens of blacklist service databases for a server's IP address in one fell swoop.
http://list.windowsitpro.com/t?ctl=5BC5:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=5BCA:4FB69

Q: Under which user accounts do the various Group Policy scripts run?

Find the answer at
http://list.windowsitpro.com/t?ctl=5BC6:4FB69

Security Forum Featured Thread
A forum participant is having trouble installing OpenSSH on Windows 2003 Server. He's reasonably sure that he's set all NTFS permissions correctly (allowing read and write on working folders and read and execute on program folders). But he can't connect to an OpenSSH Secure FTP (SFTP) server using known SFTP clients (such as FileZilla or PuTTY SFTP--PSFTP). He can clearly see in the Application log that OpenSSH recognizes the user and authenticates the session by confirming that the right password has been used, but the logon attempt fails anyway. Join the discussion at
http://list.windowsitpro.com/t?ctl=5BC1:4FB69

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Get Windows IT Pro at 44% Off!
Windows & .NET Magazine is now Windows IT Pro! Act now to get an entire year for just $39.95--that's 44% off the cover price! Our March issue shows you what you need to know about Windows Server 2003 SP1, how to get the best out of your IT staff, and how to fight spyware. Plus, we review the top 10 features of Mozilla Firefox 1.0. This is a limited-time, risk-free offer, so click here now:
http://list.windowsitpro.com/t?ctl=5BC9:4FB69

Vote for the Next MCP Hall of Famer
Help decide who the most valuable member of the MCP community is.
Take the time to reward excellence to those that deserve it and to make yourself a part of the first-ever MCP Hall of Fame. Voting only takes a few seconds, so cast your vote now for Round 2. Click here:
http://list.windowsitpro.com/t?ctl=5BC2:4FB69

====================

==== 4. New and Improved ====
by Renee Munshi, products@windowsitpro.com

Fine-Tuning Permissions
DesktopStandard (formerly AutoProf) offers PolicyMaker Application Security (PMAS), a Group Policy Management Console (GPMC) add-on that lets network administrators enforce the "least privilege" security principle on Windows desktops. PMAS makes it possible to reduce or elevate permissions on a per-application or per-task basis. Pricing starts at $25 per seat for enterprises with up to 500 computers; volume discounts are available for larger organizations. PolicyMaker supports Windows 2003 Server/XP/2000, Windows Terminal Services, Citrix MetaFrame, and all versions of Microsoft Outlook, Microsoft Office, and Microsoft Internet Explorer (IE). For more information, go to
http://list.windowsitpro.com/t?ctl=5BD0:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Sponsored Links ====

Exclusive Online Event: Email Protection at the Perimeter!
Sign up today for this free online product demonstration and see the ePrism M500 from St. Bernard Software in action.
http://list.windowsitpro.com/t?ctl=5BBD:4FB69

====================

==== Contact Us ====

About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=5BCF:4FB69
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=5BC4:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.

From isn at c4i.org Thu Mar 24 04:43:32 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Mar 24 04:56:04 2005
Subject: [ISN] NIS Thwarted 100 Industrial Spies Since '98
Message-ID:

http://english.chosun.com/w21data/html/news/200503/200503230043.html

March 23, 2005

Korean intelligence foiled 96 cases of attempted industrial espionage between 1998 and 2004, preventing losses of W58.2 trillion (US$58 billion), the service said Wednesday.

An official from the National Intelligence Service (NIS)'s Industrial Secrets Protection Center made the claim during a seminar at the Federation of Korean Industries' conference center on preventing leaks of industrial technology secrets. He said most of the cases of attempted technology theft involved current and former employees who sold out, with 40 cases involving former employees and 16 current.
Most involved IT technology like semiconductors, cell phones and LCDs. By year, 2002 witnessed five foiled attempts and 2003 six, but 2004 saw a frenzy of attempts with 26.

An NIS official said the service began a full-scale crackdown on industrial espionage after the Roh administration took office in 2003 and the number of cases uncovered increased. But he said foiled attempts barely scratched the surface. He added the focus of the crackdown was leaks of technological secrets to China.

From isn at c4i.org Thu Mar 24 04:43:52 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Mar 24 04:56:07 2005
Subject: [ISN] Black Hat Briefings & Trainings: Registration now open!
Message-ID:

Forwarded from: Jeff Moss

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Info Sec News readers,

I would like to make some brief announcements regarding upcoming Black Hat events.

Our European show is coming to Amsterdam, March 31-April 1. Our on-line registration will be closing this Thursday, March 24. If you wish to register after March 24, you must register on-site.
http://www.blackhat.com/html/bh-europe-05/bh-eu-05-index.html

Second, we are excited to announce our first stand-alone training in Seattle WA, May 23-24. Among the many classes we are offering are Joe Grand's "Hands On Hardware Hacking And Defense Techniques" and the ever popular "Infrastructure Attacktecs & Defentecs - 'Hacking Cisco Networks'" by Stephen Dugan.
http://www.blackhat.com/html/training-seattle-05/train-bh-sea-05-index.html

Registration for USA Black Hat Briefings in Las Vegas has opened. An early bird registration rate is currently available until May 15 - register early and save.
http://www.blackhat.com/html/bh-registration/bh-registration.html#us

This year marks a dramatic increase in our training offerings - there are over twenty separate training sessions to choose from. Seven of our training offerings are new for 2005. Our new instructors include NGS Consulting, Special Ops, Joe Grand, the Grugq, Dominique Brezinski, Thorsten Holz with Maximillian Dornseif and Adam Laurie. Our class sizes are limited and many classes consistently sell out, so register early to ensure a place.
http://www.blackhat.com/html/bh-usa-05/train-bh-usa-05-index.html

Finally I would like to remind you that our Black Hat USA CFP closes May 1. This year we are having an early round of selections - the earlier you submit, the better your chances to be selected.

Thank you.

Jeff Moss
Black Hat, Inc.

If you wish to be removed from this list, please just reply asking to be removed.

From isn at c4i.org Thu Mar 24 04:44:27 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Mar 24 04:56:10 2005
Subject: [ISN] A screensaver that costs 100,000 dollars?
Message-ID:

http://www.net4nowt.com/isp_news/news_article.asp?News_ID=2789

23 March 2005
United Kingdom
By Net 4 Nowt

Hardly seems possible, but they do exist, and they're all free.

Computer Networking and Support company AnswersThatWork.com were recently called urgently on a Monday morning by one of their clients, a large international law firm with offices in several countries, who were suffering from a number of serious network problems ranging from constant disconnections and Internet Access problems to a total inability to logon to their network.
Since AnswersThatWork had only just completed a major weekend upgrade of their communications infrastructure, AnswersThatWork's first thought was that despite all the dry runs and thorough checks, there was probably something in the weekend upgrade which, in a Live situation, and with all users connected, was creating a major communications bottleneck.

So, when called upon in emergency, their first task was to re-run all the weekend tests. This took the best part of a day given the scale of work that had been done. The task was also made that much more difficult by the random nature of these network communications problems. Meanwhile no one was able to use the network productively because of the problems.

When the tests on the weekend upgrades were found to be working properly, the question remained as to why the network was still, effectively, unusable. When the focus of their investigations moved away from the weekend's upgrades, some of the network tests started to point to specific PCs on the network. On checking the PCs in question it became instantly clear that they were infected with a new unknown virus!

Instant emergency meeting. After consultation with the in-house IT support team it was decided that the only way to thoroughly clean the system of this paralysing threat was to shut down the entire network and clean every single PC one by one with AnswersThatWork's troubleshooting tools. This took four hours. Meanwhile no one could access the network.

What eventually transpired during the process of cleaning the network was that on that morning a user had received an email about a "great place for free screensavers". That user had clicked on the link and downloaded what looked like a very cool screensaver. The user then forwarded the email to a number of other users who also downloaded the same funky screensaver. By mid-morning 16 PCs had the new "brilliant" screensaver installed, with more users about to install it!

However, unbeknown to those users, on installation the screensaver was releasing a brand new virus as yet unknown by the major antivirus companies. This virus belonged to a new trend of viruses which perform DoS attacks (Denial of Service) in short bursts only (to escape easy detection), with the result that you can have a network which works perfectly for an hour or more but which then suffers untold disruption for a 5-15 minute period, only to again work properly until the next random attack.

The upshot? A full day's worth of billable time was lost by all the fee earners of this law practice; two days of in-house PC support were used up, plus two days of AnswersThatWork's time, involving two technicians. Costs, as per the internal memo sent by the firm's partners: a cool $100,000.

This happened in a firm that, because of its very nature, only employs very bright, highly educated people. They have a company policy which prohibits anything being loaded onto end-users' PCs without permission from the IT department, and which carries strong, well-worded advice about Internet usage. It still happened.

As AnswersThatWork's Product Manager, Maurice McElroy, said, "These are sensible people who wouldn't cross the road without looking to see if any cars were coming; wouldn't think of walking down a dark alleyway on their way home, and would definitely not walk into an unknown bar offering to take on anyone in the house. Yet, once they get on the Internet they do all that and more!"

He went on to say that if a company has an Internet usage policy then it must make sure that the policy is implemented, revised at least twice a year, and employees reminded of the main do's and don'ts in regular internal bulletins.

"In 2005," Maurice continued, "there are very few companies and organizations where full Internet access is not needed. I'd go even further in saying that lack of full Internet access is a serious commercial disadvantage in today's business world.
So you've got to have the Internet. However, you do need to be careful out there. It's like our road system - drive a car with no driving lessons at all and where you end up is unlikely to be where you intended to be, it may not even be on this planet! Take the driving lessons, follow the guidelines, and you'll be safe most of the time. That's the Internet!"

From isn at c4i.org Thu Mar 24 04:44:41 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Mar 24 04:56:13 2005
Subject: [ISN] Computer Hacker Sentenced to Nearly Four Years
Message-ID:

http://ap.tbo.com/ap/breaking/MGBPTMMGO6E.html

The Associated Press
March 23, 2005

CINCINNATI (AP) - A man who pleaded guilty to hacking into an Arkansas data company's computer system and stealing personal identification files was sentenced Wednesday to nearly four years in federal prison.

Daniel J. Baas, 26, of suburban Milford, entered his plea in December 2003, after being indicted that August.

Baas was a systems administrator for Market Intelligence Group, which had an agreement to analyze data for Acxiom Corp., of Little Rock, Ark., when he exceeded his authorized access and downloaded encrypted password files, prosecutors said.

In a plea agreement, Baas admitted that he stole the data between January 2001 and January 2003 and stored it on computer disks at his home, prosecutors said.

On Wednesday, U.S. District Judge Susan Dlott sentenced Baas to 45 months in prison.

Acxiom's clients include credit card issuers, banks, auto manufacturers, telecommunications companies and retailers.

Baas bragged to other hackers that he had the files, but didn't share them with anyone, prosecutors said.

Acxiom said Baas' intrusion and theft of about 300 computer passwords and files cost the company $5.8 million, prosecutors said. That includes employees' time and travel expenses, payments for security audits and encryption software, and the amount that Baas would have been charged had he obtained the information legitimately as an Acxiom customer, the company said.

From isn at c4i.org Thu Mar 24 04:45:01 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Mar 24 04:56:16 2005
Subject: [ISN] Make security a business issue
Message-ID:

http://www.fcw.com/article88378-03-23-05-Web

By Florence Olsen
March 23, 2005

Chief information security officers (CISOs) who learn to speak the language of the executive suite can look forward to lifetime careers, but those who know only "geek speak" will find themselves left behind.

That view held sway among the information technology security officials gathered this week in Bethesda, Md., at the annual conference of the Federal Information Systems Security Educators' Association (FISSEA).

To have an effective information security program, agencies need a CISO "who can communicate well in business terms," said James Golden, IT governance executive at the U.S. Postal Service. He added that a CISO's position within an organizational chart is less important than whether the person can communicate comfortably and effectively with senior officials.

Under federal law, CISOs report to agencies' chief information officers, which has meant that many federal CISOs have an IT background, said Jane Norris, senior information security official at the State Department. But a trend now seen in business could influence how the federal CISO's position evolves, Norris said, citing a Forrester Research estimate that 75 percent of the largest companies will have a chief risk officer by 2007.

Norris said other security experts believe that a legal background and professional certification, in addition to IT experience, may become prerequisites for chief security officials. The profession is changing rapidly, she said, "so where we are going is open at this point."
FISSEA is a national group that promotes awareness, training and education in IT systems security. Since November 2004, it has conducted free security education and awareness workshops for more than 100 federal employees and contractors. From isn at c4i.org Thu Mar 24 04:45:22 2005 From: isn at c4i.org (InfoSec News) Date: Thu Mar 24 04:56:18 2005 Subject: [ISN] random comments on the Symantec vulnerability report Message-ID: Forwarded from: security curmudgeon Some interesting stuff in the Symantec report that is being talked about in various news articles: http://www.zdnet.com.au/news/security/0,2000061744,39185387,00.htm http://uk.news.yahoo.com/050322/152/ferr7.html http://continuitycentral.com/news01804.htm http://www.macobserver.com/article/2005/03/23.4.shtml [..] The original Symantec release for this report: http://enterprisesecurity.symantec.com/content.cfm?articleid=1539 Symantec Internet Security Threat Report Trends for July 04 - December 04 Volume VII, Published March 2005 Unfortunately, to download a copy Symantec would like a lot of information about you. After filling out a page long form, then you may receive it. --- While reading through the report, I found some things of interest. By the end of it, I wondered how anyone can see value in the conclusions regarding vulnerabilities (the only thing I was really interested in). Apologies for the length of some quotes, but I didn't want them to lose context. Indented material is from the report. Between July 1 and December 31, 2004, Symantec documented 1,403 new vulnerabilities. This is an increase of 13% over the 1,237 vulnerabilities disclosed in the first six months of 2004. During the second half of 2004 nearly 97% of all reported vulnerabilities were rated as moderate or high severity, which could result in the complete or partial compromise of a system. In addition, over 70% of all the vulnerabilities reported during this period were easy to exploit. 
This means that no exploit code was needed or that exploit code was readily available, making the compromise of systems relatively easy. Compounding this problem is that nearly 80% of all the documented vulnerabilities in this reporting period are remotely exploitable, which can increase the number of possible attackers. 97% of 1403 vulnerabilities in a six month period are moderate or high severity? The first thing that comes to mind of the 1403 is cross site scripting. These are probably the most popular and prevalent vulnerabilities discovered in the last year. Many people argue that XSS attacks are low severity.. if you agree, then this claim is obviously false. If you argue that XSS is moderate severity, then the 97% may still be arguable. Failing that, what about path disclosure? What about the dozens of vulnerabilities that require administrative authenticated access to conduct a XSS or path disclosure attack? What about the hundreds of DoS attacks against low priority software such as network games, guestbooks and other packages that are extremely low distribution and likely not found on any business site of any kind? Add all that up and it has to be more than 42 vulnerabilities that would be classified as 'low severity'. Later in the report, they define the severity levels: Low severity - Vulnerabilities that constitute a minor threat. Attackers cannot exploit the vulnerability across a network. As well, successful exploitation of the vulnerability would not result in a complete compromise of the information stored or transmitted on the system. Moderate severity - Vulnerabilities that result in a partial compromise of the affected system, such as those by which an attacker gains elevated privileges but does not gain complete control of the target system. High severity - Vulnerabilities that result in a compromise of the entire system if exploited. 
In almost all cases, successful exploitation can result in a complete loss of confidentiality, integrity, and availability of data stored on or transmitted across the system. Interesting that 'low' includes "cannot exploit the vulnerability across a network" which explains how they could lump a path disclosure vulnerability into 'moderate'. Personally, I think that is flat out wrong to do. To add to the confusion, they also say: Over the last six months of 2004, Symantec documented 201 vulnerabilities for which associated exploit code was widely available (figure 18). Because of the availability of exploit code, these vulnerabilities are considered easy to exploit. The percentage of the total volume of vulnerabilities with exploit code, 14%, is slightly higher than what was observed between January 1 and June 30, 2004 (13%). Cross site scripting and basically every path disclosure vulnerability published had proof of concept (because they are typically so trivial). According to this, saying 201 vulns had exploit code widely available really doesn't make much sense in the context of the rest of the report. Add a bit more confusion: Between July 1 and December 31, 2004, Symantec catalogued 670 vulnerabilities affecting Web applications, nearly half (48%) of the total vulnerabilities disclosed during this reporting period (figure 21). As noted in the ease of exploitation discussion, vulnerabilities targeting Web applications are often classified as easily exploitable, and their increase has contributed significantly to the high number of easily exploitable vulnerabilities. So 670 web based vulns, they are "often" classified as easily exploitable, but only 201 of the 1403 had exploit code? These numbers simply do not jibe. If you skip to the end of the report, Appendix C has information on how they achieved these numbers, how scores are calculated, etc. One thing to note is they say they use the BID VDB with over 9,000 distinct entries. 
Sure, distinct entries, but that really means nothing as they are not consistent on adding vulnerabilities. Some entries are "multiple" vulnerabilities, others are broken out to two or more entries. After extensive work on OSVDB and hitting the other VDBs on a near daily basis, I haven't seen Symantec keep any standards for how they add entries to their database.

    Between July 1 and December 31, 2004, Symantec documented 13 vulnerabilities affecting Microsoft Internet Explorer.

Earlier in the report, in the summary/overview:

    Symantec has established some of the most comprehensive sources of Internet threat data in the world. [...] In addition, Symantec maintains one of the world's most comprehensive databases of security vulnerabilities, covering over 11,000 vulnerabilities affecting more than 20,000 technologies from over 2,000 vendors.

So running Bugtraq (something else they highlight, not quoted here) and the BID Vulnerability Database, they say 13 vulnerabilities for MSIE between Jul 1 and Dec 31 2004. According to OSVDB, I see 51 vulnerabilities for MSIE. If Symantec is working off data that is that inaccurate, how can we trust any of this report?

The report goes on to say there were 21 vulnerabilities affecting Mozilla browsers, 6 in Opera and 0 in Safari. Again, checking OSVDB for these browsers and that time frame:

    MSIE:    51
    Mozilla: 53
    Opera:   13
    Safari:   4

So, there are still more vulnerabilities in Mozilla than MSIE published according to OSVDB, but the disparity is nothing close to what the Symantec report would have you believe.

    This data indicates that the attention of researchers may be shifting. In the rush to find more secure alternatives to Microsoft's Internet Explorer, organizations and end users should be cautious about choosing an alternative, as all browsers appear to be susceptible to vulnerabilities.

I understand that this report is about vulnerabilities in the past six months, but I think it a bit irresponsible for them not to mention two things.
First, six months or not, MSIE has had a lot longer history of vulnerabilities, and typically more severe due to the integration of IE into the operating system. Second, they don't address the speed with which these vulnerabilities were patched or mention that if security is that important, they can grab a copy of the latest build with more bugfixes.

    Over the last six months of 2004, there were no vendor-confirmed Safari vulnerabilities.

Checking OSVDB 13183, one of the external references is http://docs.info.apple.com/article.html?artnum=300770. This update is listed as 2005-001 but covers vulnerabilities in the last quarter of 2004. One of the entries on this page:

    Safari
    Available for: Mac OS X v10.3.7, Mac OS X Server v10.3.7, Mac OS X v10.2.8, Mac OS X Server v10.2.8
    CVE-ID: CAN-2004-1314
    Impact: When Safari's "Block Pop-Up Windows" feature is not enabled, a malicious pop-up window could appear as being from a trusted site

Checking some of the other vulnerabilities in that time frame, another: http://docs.info.apple.com/article.html?artnum=300667

    Safari
    Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X v10.2.8, Mac OS X Server v10.2.8
    CVE-ID: CAN-2004-1121
    Impact: Specially crafted HTML can display a misleading URI in the Safari status bar.

    Safari
    Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X v10.2.8, Mac OS X Server v10.2.8
    CVE-ID: CAN-2004-1122
    Impact: With multiple browser windows active, Safari users could be misled about which window activated a pop-up window.

It is clear that there are vendor-confirmed Safari vulnerabilities in the time frame covered by the Symantec report. Is this a simple oversight? Or did the authors not even attempt to research the vulnerabilities they write about if they didn't appear in the BID database?

But wait...
even more confusing: http://www.securityfocus.com/bid/keyword/ search for "safari":

    15-12-2004: Apple Safari Web Browser HTML Form Status Bar Misrepresentation
    08-12-2004: Apple Safari Remote Window Hijacking Vulnerability
    25-11-2004: Apple Safari Web Browser Infinite Array Sort Denial Of Service
    01-11-2004: Apple Safari Web Browser TABLE Status Bar URI Obfuscation
    20-10-2004: Apple Safari Cross-Domain Dialog Box Spoofing Vulnerability
    07-09-2004: Apple Safari Cross-Domain Frame Loading Vulnerability
    23-08-2004: Safari/WebCore HTTP Content Filtering Bypass Vulnerability

So the Symantec-owned and -operated BID Vulnerability database shows *seven vulnerabilities* in Apple Safari between Jul 1 2004 and Dec 31 2004, yet their report states there were 0 Safari vulnerabilities. At what point does a report like this lose all value when their conclusions contradict their data source 100%? Can anyone at Symantec give insight?

From isn at c4i.org Fri Mar 25 04:33:19 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 25 04:43:56 2005
Subject: [ISN] Lax IT Security Threatens Theft Of Personal And Other Sensitive Data From Government Systems
Message-ID:

http://informationweek.com/story/showArticle.jhtml?articleID=159905569

By Eric Chabrow
InformationWeek
March 24, 2005

Personal data held in a government database is at increased risk of unauthorized disclosure, modification, or loss--possibly without anyone knowing, government auditors reported Thursday. The Government Accountability Office, the investigative arm of Congress, contends the Securities and Exchange Commission hasn't effectively implemented IT controls to protect the integrity, confidentiality, and availability of its financial and sensitive data.
Specifically, the GAO says in a 29-page report--addressed to SEC chairman William Donaldson--that the SEC hadn't consistently implemented effective electronic access controls, including user accounts and passwords, access rights and permissions, network security, and audit and monitoring of security-relevant events to prevent, limit, and detect access to its critical financial and sensitive systems. In addition, the report says, weaknesses in other information system controls, including physical security, segregation of computer functions, application change controls, and service continuity, further increase risk to the SEC's information systems.

"As a result, sensitive data--including payroll and financial transactions, personnel data, regulatory, and other mission-critical information--were at increased risk of unauthorized disclosure, modification, or loss, possibly without detection," Gregory Wilshusen, the GAO's director of information security issues, wrote in the report.

A major factor for the SEC's IT control weaknesses is that the commission hasn't fully developed and implemented a comprehensive agency information security program to provide reasonable assurance that effective controls are established and maintained and that information security receives sufficient management attention, Wilshusen says. Although the SEC has taken some actions to improve security management, including establishing a central security-management function and appointing a senior information security officer to manage the program, it had not clearly defined roles and responsibilities for security personnel. In addition, the GAO says, the SEC had not fully assessed its risks, established or implemented security policies, promoted security awareness, and tested and evaluated the effectiveness of its information system controls.
The commission doesn't have a solid foundation for resolving existing information system control weaknesses and continuously managing information security risks, Wilshusen says.

In response, the SEC agreed with the GAO recommendations that the commission's CIO, Corey Booth, move to fully develop and implement an effective, agencywide information security program. In a letter to Wilshusen, Booth assured the GAO that the SEC already is addressing the problems raised by congressional auditors.

From isn at c4i.org Fri Mar 25 04:33:37 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 25 04:44:00 2005
Subject: [ISN] Feds tells companies: Report those intrusions
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,100598,00.html

By Thomas Hoffman
MARCH 24, 2005
COMPUTERWORLD

NEW YORK -- Corporate executives are often reluctant to report network intrusions for fear of having those security breaches made public and dragging down stock prices. But state and federal law enforcement officials who spoke on an information security panel here yesterday said such reports can sometimes provide an important missing link in larger cybersecurity investigations.

"It may be a critical piece of information you're submitting to us -- you never know where that fits into the pie," said Ron Layton, section chief of the cyber coordination branch for the U.S. Department of Homeland Security in Ballston, Va. Layton was one of several law enforcement officials who spoke at the final stop of a four-city information security conference sponsored by Kings Park, N.Y.-based AIT Global Inc. and InfoWorld Media Group, a sister company to Computerworld.

Simply put, if corporate managers fail to report network breaches, state and federal authorities have a much tougher time catching hackers and other cyberpunks.

"If we're not getting the [reports], we're not getting a good gauge of what's happening out there," said Mike Levin, assistant to the special agent in charge for the U.S. Secret Service Electronic Crimes Task Forces in Washington. Levin conceded that the Secret Service can't respond to every security report filed. "But if someone has penetrated your network, or certainly if there is a financial loss, then you should call us."

Network intrusion reports don't necessarily have to fall within the statutory $5,000 minimum loss for federal authorities to investigate them, said Kent McCarthy, a special agent for the U.S. Secret Service in New York. He pointed to one recent network intrusion investigation at a multibillion-dollar company in New York where there was no dollar loss. The investigation traced the intrusion to a former employee who is now in jail, and the Secret Service worked with the company to try to prevent future IT security breaches.

McCarthy said the Secret Service does its best to protect the anonymity of corporations that report network intrusions. "We're not looking for a press release," he said. Levin said that the older the crime is, the less interested the media tends to be about reporting on it "because it's not fresh anymore."

Besides, it can backfire on law enforcement agencies to make such disclosures. Said Layton, "If we imprudently disclose [an organization's identity], we've closed that conduit to a trusted source."
From isn at c4i.org Fri Mar 25 04:34:03 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 25 04:44:03 2005
Subject: [ISN] ITL Bulletin for March 2005
Message-ID:

Forwarded from: Elizabeth Lennon

ITL BULLETIN FOR MARCH 2005

PERSONAL IDENTITY VERIFICATION (PIV) OF FEDERAL EMPLOYEES AND CONTRACTORS: FEDERAL INFORMATION PROCESSING STANDARD (FIPS) 201 APPROVED BY THE SECRETARY OF COMMERCE

Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

A new Federal Information Processing Standard (FIPS) for a governmentwide personal identity verification (PIV) system was approved by Carlos M. Gutierrez, the U.S. Secretary of Commerce, on February 25, 2005. The system is based on the use of smart cards, which will be issued by all federal government departments and agencies to their employees and contractors who require access to federal facilities and information systems.

Homeland Security Presidential Directive (HSPD) 12, issued by President Bush on August 27, 2004, cited the wide variations in the quality and security of the forms of identification used to gain access to federal and other facilities, and called for the development of a mandatory standard for secure and reliable forms of identification to be used throughout the federal government. The directive stated the government's requirements for a common governmentwide identification system that would enhance security, increase government efficiency, reduce identity fraud, and protect personal privacy.

The Information Technology Laboratory of the National Institute of Standards and Technology (NIST) developed the standard, working in conjunction with private industry and with other federal agencies, including the Office of Management and Budget (OMB), the Office of Science and Technology Policy, and the Departments of Defense, State, Justice, and Homeland Security.
How the Standard Was Developed

HSPD 12 stated that the secure and reliable forms of identification should be:

* Based on sound criteria for verifying an individual's identity;
* Strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation;
* Rapidly authenticated electronically; and
* Issued only by providers whose reliability has been established by an official accreditation process.

NIST, the Department of Commerce (DoC), and the Office of Management and Budget (OMB) held public meetings in October and November 2004 to discuss the technical and policy issues related to developing the needed standard. NIST drafted the FIPS and announced it in the Federal Register for public review and comment in November. NIST also issued drafts of two supporting technical documents in December. Another public meeting was held in January 2005 to address privacy and security issues that might affect individuals to whom PIV cards are issued.

The comments received in the open forums and from more than 80 organizations and individuals during the formal review process were carefully considered and helped to shape the final standard. In addition, the Federal Identity Credentialing Committee and the Smart Card Interagency Advisory Board made many valuable contributions to the technical framework of the standard. The standard does not apply to identification systems for national security systems and facilities.

Technical and Operational Requirements

FIPS 201 specifies the technical and operational requirements for interoperable PIV systems that issue smart cards as identification credentials and that use the cards to authenticate an individual's identity. Authentication of an individual's identity is an essential component of secure access control to facilities and to information systems.
In the past, hand-held credentials such as driver's licenses and badges have been used to control access to facilities, and passwords have been widely employed for access to information systems. More recently, cryptographic and biometric technologies have been employed to replace the older methods.

FIPS 201 has been issued in two parts to allow for a smooth migration to a secure, reliable personal identification process. The first part of FIPS 201 (PIV I) describes the minimum requirements needed to meet the control and security objectives of HSPD 12, including the process to prove an individual's identity. Agencies may issue credentials only to applicants whose identity has been established and who have had a background investigation. Agencies must inspect at least two identity source documents submitted by an applicant for the PIV credential. At least one of the documents presented by the applicant must be a valid state- or federal government-issued picture identification (ID).

Applicants for credentials must be examined through an Office of Personnel Management (OPM) background investigation process, the National Agency Check with Written Inquiries (NACI), to establish assurance of identity. While the National Agency Check has been a requirement for federal government employees since the 1950s, it may be a new requirement for some contractors. The initial phase of the NACI must be completed before the new ID card is issued. When the written inquiries part of the NACI is completed, the agency reviews the results and takes appropriate action if negative results are received. These are current practices for most agencies.

The PIV Card

HSPD 12 stated that the standard should include graduated criteria, from least secure to most secure, to give agencies flexibility in selecting the appropriate level of security for each application. Agencies will continue to have full flexibility in determining who is allowed to have access to their systems and facilities.
The PIV card is the primary component of the system. The size of a credit card, the PIV card will use cryptographic and biometric technologies to support the required graduated levels of security for agency applications. Cards will contain a Personal Identification Number (PIN); this is the data used to authenticate the cardholder to the card, as a PIN is used with an ATM card. The PIN never leaves the card, and it cannot be read from the card. The card will also have a Cardholder Unique Identifier (CHUID), which identifies the individual within the PIV system. There will also be two electronic fingerprints, which will be securely stored and protected on integrated circuit chips. Public Key Infrastructure (PKI)-based cryptography will be used to protect the integrity of information that will be stored on the card.

No other personal information, such as Social Security number, address, or telephone number, is required by FIPS 201 to be stored on the card. The release of biometric information required to be stored on the card by FIPS 201 and use of the private key take place only after the cardholder provides the correct PIN. Only the CHUID will be available through a wireless interface.

Fingerprints were chosen as the biometric information to be stored on the cards because fingerprints are the least invasive and most cost-effective, reliable, repeatable, and accurate means of verification available using publicly available technology. Two fingerprints will be stored on the cards. An electronic facial image is not required, but may be used.

A printed photograph of the cardholder is required to be printed on the card for visual inspection and verification. Also, the cardholder's name and the expiration date of the card will be printed on the card. Agencies may include other optional information such as their agency seals and the issue date of the card if they wish to do so.
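The card access rules just described (CHUID readable by any reader including wireless ones, fingerprints and private-key use released only after the correct PIN, PIN never readable from the card), as an added toy model in Python; it is not NIST's or any card vendor's code. The contact-only PIN entry, the three-try lockout, the reader_session/verify_signature helpers and the HMAC standing in for the PKI signature are assumptions for illustration.

```python
"""Toy model of the FIPS 201 PIV card access rules (constructed example).

From the bulletin: the CHUID is the only object readable over the wireless
(contactless) interface; fingerprint templates and private-key use are
released only after the cardholder presents the correct PIN; the PIN never
leaves the card and cannot be read back. Assumed, not from FIPS 201: PIN is
accepted only on the contact interface, three wrong PINs block the card,
and HMAC-SHA256 stands in for the PKI signature.
"""
import hashlib
import hmac
import os

CONTACT, CONTACTLESS = "contact", "contactless"


class PIVAccessError(Exception):
    """The requested object is not available on this interface or in this PIN state."""


class PIVCard:
    MAX_TRIES = 3  # assumed retry limit, not a FIPS 201 figure

    def __init__(self, chuid, fingerprints, pin, private_key):
        self.chuid = chuid
        self._fingerprints = tuple(fingerprints)  # two templates, per FIPS 201
        self._private_key = private_key
        # Only a salted hash of the PIN is kept: no method can return the PIN itself.
        self._salt = os.urandom(16)
        self._pin_hash = self._hash_pin(pin)
        self._tries_left = self.MAX_TRIES
        self._pin_verified = False

    def _hash_pin(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 10_000)

    def read_chuid(self, interface):
        """Free-read on both interfaces; this is all a wireless reader obtains."""
        return self.chuid

    def verify_pin(self, pin, interface):
        """Cardholder-to-card authentication; counts failures and blocks on exhaustion."""
        if interface != CONTACT:
            raise PIVAccessError("PIN is not accepted over the contactless interface")
        if self._tries_left == 0:
            raise PIVAccessError("PIN blocked after repeated failures")
        if hmac.compare_digest(self._hash_pin(pin), self._pin_hash):
            self._tries_left = self.MAX_TRIES
            self._pin_verified = True
            return True
        self._tries_left -= 1
        self._pin_verified = False
        return False

    def _require_pin(self, interface, what):
        if interface != CONTACT or not self._pin_verified:
            raise PIVAccessError(f"{what} requires a verified PIN on the contact interface")

    def read_fingerprints(self, interface):
        self._require_pin(interface, "biometric release")
        return self._fingerprints

    def sign(self, challenge, interface):
        self._require_pin(interface, "private-key operation")
        # HMAC stands in for the PKI signature; the key never leaves the object.
        return hmac.new(self._private_key, challenge, hashlib.sha256).digest()

    def end_session(self):
        """Card removed from the reader: PIN verification does not persist."""
        self._pin_verified = False


def reader_session(card, interface, pin=None, challenge=b"relying-party-nonce"):
    """What a reader on the given interface obtains; 'denied' marks refused objects."""
    out = {"chuid": card.read_chuid(interface).hex()}
    if pin is not None and interface == CONTACT:
        try:
            out["pin_ok"] = card.verify_pin(pin, interface)
        except PIVAccessError as e:
            out["pin_ok"] = str(e)
    try:
        out["fingerprints"] = len(card.read_fingerprints(interface))  # template count
    except PIVAccessError:
        out["fingerprints"] = "denied"
    try:
        out["signature"] = card.sign(challenge, interface).hex()
    except PIVAccessError:
        out["signature"] = "denied"
    card.end_session()
    return out


def verify_signature(private_key, challenge, signature_hex):
    """Relying-party check of the toy HMAC 'signature'."""
    expected = hmac.new(private_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, bytes.fromhex(signature_hex))


if __name__ == "__main__":
    # Constructed sample card: CHUID bytes, two fingerprint templates, PIN, key.
    card = PIVCard(b"\x30\x19\x00\x01", (b"tmpl-left", b"tmpl-right"), "480915", b"constructed-key")
    print(reader_session(card, CONTACTLESS))            # CHUID only
    print(reader_session(card, CONTACT, pin="000000"))  # wrong PIN: still CHUID only
    print(reader_session(card, CONTACT, pin="480915"))  # fingerprints and signature released
```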
PIV II Requirements

The second part (PIV II) of FIPS 201 explains the many components and processes that will support a smart-card-based platform, including the PIV card and card and biometric readers. The specifications for PIV components support interoperability between components in systems and among the different department and agency systems. An operational system contains three subsystems:

* PIV Front-End Subsystem - PIV card, card and biometric readers, and personal identification number (PIN) input device.
* PIV Card Issuance and Management Subsystem - components responsible for identity proofing and registration, card and key issuance and management, and repositories and services such as the public key infrastructure (PKI) directory.
* Access Control Subsystem - physical and logical access control systems, the protected resources, and the authorization data.

PIV II also describes a means to collect, store, and maintain information and documentation needed to authenticate and assure an individual's identity.

Schedule for Implementation of FIPS 201

By June 27, 2005, agencies must establish a program to ensure that the identification forms issued by their organizations meet the PIV standard. By August 27, 2005, they are required to identify any additional applications, beyond the scope of the standard, for which the standard should be used, and report them to the Assistant to the President for Homeland Security and to OMB. By October 27, 2005, agencies must have procedures in place for verifying employees' identities and for issuing smart cards that meet the requirements of PIV I.

To operate and maintain PIV systems, agencies will have to obtain the services of an accredited PIV card issuer, and adopt procedures for PIV card applicants to provide acceptable identity source documents. Agencies also will need to acquire services for capturing biometric information, as well as PIV card readers and PKI services.
With the October 27th implementation of PIV I by all federal agencies, there will be a basis for trust among agencies and for the mutual recognition of their employee and contractor credentials. PIV II, which will take longer to implement because of the many electronic credential systems now in place, focuses on the common technical interoperability requirements of HSPD 12. When this part is implemented, a card from one agency will be electronically recognized by any other agency so that a decision about granting access to the cardholder can be made.

NIST Supporting Activities

NIST is developing three key companion documents that will support the implementation of FIPS 201 by vendors and users.

The first publication, Interfaces for Personal Identity Verification, to be issued as NIST Special Publication 800-73, will specify interface requirements for retrieving and using data from the PIV card. SP 800-73 provides the PIV data elements, identifiers, structure, and format, and describes the Application Programming Interface (API) and the card interface requirements that will enable PIV identity credentials to be used interchangeably throughout federal agencies. SP 800-73 includes two specifications to help agencies make the transition to conformance with FIPS 201: a transitional card specification that is derived from the Government Smart Card Interoperability Specification and that agencies already invested in smart card implementations might want to consider using; and a FIPS 201 PIV II card specification for agencies choosing to move directly to the PIV II target architecture.

The second publication, Biometric Data Specification for Personal Identity Verification, by Charles Wilson, Patrick Grother, and Ramaswamy Chandramouli, will be issued as NIST Special Publication 800-76 and will specify technical acquisition and formatting requirements for the biometric credentials of the PIV system.
Designed to ease agency implementation of FIPS 201 by facilitating interoperability and ensuring performance of PIV systems, the specification selects options from published biometric standards. It includes specifications for the fingerprints used in the PIV systems, optional facial image specifications, the format for all PIV biometric data representation, and the requirements for biometric devices.

The third publication, Cryptographic Algorithms and Key Sizes, will be issued as NIST Special Publication 800-78 and will specify cryptographic algorithms and key sizes that will be authorized for use in PIV systems in current and future time frames.

Draft versions of NIST Special Publications 800-73 and 800-76 have been made available for public review and comment. See the "For More Information" section below for details about accessing these two draft documents.

Insofar as its resources permit, NIST also plans to investigate other technical issues that will help support the use of the standard. Some of these requirements include: reference implementations and conformance tests to enable testing of implementations for conformance with the standard; measures to protect privacy of users of PIV systems; ways to authenticate identity source documents; and methods to incorporate data needed by different agencies while assuring appropriate levels of security and providing for interoperability among federal PIV systems.

Other Federal Agency Support Activities

OMB is responsible for overseeing agency implementation of HSPD 12 and will develop implementation guidance for federal agencies, including privacy and implementation guidelines to federal agencies. OMB will determine the timeline for agencies to comply with the second part of the standard. The General Services Administration (GSA) is responsible for assisting agencies in procuring and operating PIV subsystems such as card and biometric readers.
OPM is responsible for assisting agencies in authenticating and vetting applicants for the PIV card.

Protecting Privacy

Privacy is an issue of special concern and a basic obligation established by the presidential directive. The standard requires federal departments and agencies to ensure the privacy of applicants for identity credentials. Some of the requirements include:

* Assigning an individual to the role of senior agency official for privacy;
* Conducting a comprehensive Privacy Impact Assessment (PIA) on systems containing personal information in identifiable form for the purpose of implementing PIV;
* Writing, publishing, and maintaining a clear and comprehensive document listing the types of information that will be collected about individuals, the purpose of collection, what information may be disclosed to whom during the life of the credential, how the information will be protected, and the complete set of uses of the credential and related information at the department or agency;
* Assuring that systems containing personal information adhere to fair information practices;
* Maintaining appeals procedures for those who are denied a credential or whose credentials are revoked;
* Auditing compliance of PIV systems with stated privacy policies and practices governing the collection, use, and distribution of information; and
* Limiting access for information in PIV systems to those persons with a legitimate need for the information.

FIPS 201 does not require that the federal government establish a central database to track movement of employees and contractors or the systems that they access. Personally identifiable information stored on the card is minimal, and the information stored on the PIV card, such as electronic fingerprints, will be protected since the cardholder must enter a PIN to release the information. The technology on the card does not allow for tracking movement of contractors and employees while moving throughout a building.
Because the information on the PIV card may be read by a wireless device, there has been some concern that data can be inadvertently or maliciously captured. To alleviate this concern, employees will be required to keep the card in an electronically opaque sleeve when not in use to minimize the risk of unauthorized reading of data from the card without the consent of the cardholder.

For More Information

FIPS 201 is available on the NIST website http://csrc.nist.gov/publications/fips/index.html. Draft NIST Special Publications 800-73 and 800-76 are available on the NIST website http://csrc.nist.gov/publications/nistpubs/index.html.

The NIST website http://csrc.nist.gov/piv-project/index.html provides links to other information about the PIV project, including workshops held in 2004 and 2005, and HSPD 12. Also available on the web pages are answers to frequently asked questions about the PIV standard and contact information. The comments received by NIST concerning the draft FIPS 201 are also available.

Disclaimer

Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.

Elizabeth B. Lennon
Writer/Editor
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 840-1357

From isn at c4i.org Fri Mar 25 04:35:34 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 25 04:44:14 2005
Subject: [ISN] Canadian IT Audit Standard set to change
Message-ID:

Forwarded from: Mark Bernard

Dear Associates,

Here in Canada the Chartered Accountants of Canada are in the process of making amendments to our Canadian IT Audit standards, CICA 5025, 5310 & 5900.
These amendments will bring our Canadian Financial Management controls into compliance with the United States SOX and SAS 70 standards. There will also be a new Canadian standard titled CICA 70 created to address everything that the previous amendments won't. As you may already be aware, SAS 70 and SOX standards have been identified as a potential solution to the protection of private information. If nothing else, the heightened awareness of information security will benefit the protection of private information.

In addition, we are anticipating newly crafted Financial Securities legislation this year currently under review in Ontario known as Bill 198. It's very likely that each of the Canadian provinces will adopt Bill 198 provisions within current provincial legislation for securities trading and management.

The current target release date for CICA amendments is mid April 2005 while the SAS 70 and SOX deadline has been extended to mid November 2005. Compliance with CICA standards is scheduled for November, just in time for 2006 IT Audits.

The answer to complying with all of this new legislation is to implement a best practice framework such as ISO 17799 or ISACA's COBiT. I would personally recommend ISACA's COBiT because it's a worldwide standard that IT Auditors and Financial professionals recognize. A hybrid strategy using both ISO 17799 and COBiT is really that much better since both IT professionals and Financial Professionals can relate to each standard. Since it's very likely that your annual audits will be conducted by IT Auditors with Financial backgrounds it truly is the only logical solution.

Why should IT be concerned about the Finance Department? Well, if you're an IT Professional who's worked long enough in the corporate world then you already know how important it is to work closely with the Finance Department in your organization.
It's imperative that projects like this and capital expenditures are clearly understood, so that they get approved for the annual budget and not get cut during the annual rollback on capital expenses. After all, this project will be mutually beneficial to both groups.

Here's a link for more information about CICA 5900:
http://www.cica.ca/index.cfm/ci_id/19365/la_id/1.htm

Here's a link for COBiT:
http://www.isaca.org/Template.cfm?Section=COBIT_Online&Template=/ContentManagement/ContentDisplay.cfm&ContentID=15633

Best regards,
Mark.

Mark E. S. Bernard, CISM, CISSP, PM,
Principal, Risk Management Services,
e-mail: Mark.Bernard@TechSecure.ca
Web: http://www.TechSecure.ca
Phone: (506) 325-0444

Leadership Quotes by John Quincy Adams: "If your actions inspire others to dream more, learn more, do more and become more, you are a leader."

From isn at c4i.org Fri Mar 25 04:34:23 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Mar 25 04:44:20 2005
Subject: [ISN] Microsoft-sponsored report slams Linux security
Message-ID:

http://www.techworld.com/security/news/index.cfm?NewsID=3372

By John E. Dunn
Techworld
23 March 2005

An "independent" report that claims Linux security vulnerabilities are more numerous and severe than in Windows has been confirmed as having been funded by Microsoft.

The Role Comparison Report by Richard Ford of the Florida Institute of Technology's College of Engineering, and Herbert Thompson of security company Security Innovation, was originally previewed in draft form at the RSA conference in February, where it attracted inevitable criticism for its methodology and claimed bias.

The study set out to compare Windows Server 2003 and Red Hat Enterprise Linux ES3, running a range of applications atop the operating systems to check their ability to secure a web server setup. The team then compared the number of known vulnerabilities for the two, finding 52 for Windows, 174 for a default Linux server install, and 132 for a bare-bones Linux setup.
The team found that Windows also beat Linux using the "days of risk" measurement - how long it took a vendor to issue a fix for a vulnerability after it had become publicly disclosed - with an average of 31.3 days against Linux's 71.4, or 69.6 for the minimal install.

After each of these vulnerabilities had been accorded a severity rating, Linux again scored poorly. During 2004, Windows Server 2003 had 1,145 of these rated as "high severity", while even the minimal version of Red Hat Linux had almost double this number, at 2,124.

The published report (pdf) [1] now confirms that its funding did indeed come from Microsoft, which is bound to undermine its credibility in the eyes of some. The authors counter this, noting, "We have full editorial control over all research and analysis presented in this report. We stand behind our methodology and execution of that methodology to determine objective results that will be useful to customers and security practitioners."

The report has already been criticised by Mark J. Cox of Red Hat, who comments on it in his blog [2] of this week, saying "Red Hat was not given an opportunity to examine the Role Comparison Report or its data in advance of publication and we believe there to be inaccuracies in the published "days of risk" metrics. These metrics are significantly different from our own findings based on data sets made publicly available by our Security Response Team."

Last year, a report from Forrester came up with similar conclusions [3] to those of the Role Comparison Report, finding that between 1 June 2002 and 31 May 2003, Windows was vulnerable for fewer days than Red Hat, Debian, MandrakeSoft and SUSE Linux distributions.

What no report can do, however, is compare the risks faced by companies running the rival systems in real-world conditions.
That would mean taking account not only of noted vulnerabilities and patching cycles but the likelihood of an attacker successfully targeting any one of them during the window of vulnerability. There is no evidence that one server operating system is more likely to be targeted than an other, so much of the "days of risk" hypothesis remains just that. And with the industry and its appointees now turning out reports the independence of which is increasingly being questioned, even valuable information now risks getting lost amidst accusation and counter-accusation. [1] http://www.securityinnovation.com/pdf/windows_linux_final_study.pdf [2] http://blogs.redhat.com/people/archive/000201.html [3] http://www.techworld.com/security/news/index.cfm?NewsID=1329 From isn at c4i.org Fri Mar 25 04:36:48 2005 From: isn at c4i.org (InfoSec News) Date: Fri Mar 25 04:44:22 2005 Subject: [ISN] Secunia Weekly Summary - Issue: 2005-12 Message-ID: ======================================================================== The Secunia Weekly Advisory Summary 2005-03-17 - 2005-03-24 This week : 88 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3...............................This Weeks Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: Want a new IT Security job? Vacant positions at Secunia: http://secunia.com/secunia_vacancies/ ======================================================================== 2) This Week in Brief: Apple has released a new security update for Mac OS X, which corrects several vulnerabilities, including the famous IDN Spoofing Vulnerability. 
A complete listing of the vulnerabilities can be found in Secunia advisory SA14655.

Additional details about the IDN Spoofing vulnerability can be found in SA14164.

References:
http://secunia.com/SA14655
http://secunia.com/SA14164

--

ISS X-Force has reported a vulnerability in various McAfee products, which can be exploited to compromise a vulnerable system.

Please view the Secunia advisory below for a complete listing of products affected by this vulnerability.

References:
http://secunia.com/SA14628

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA14628] McAfee Multiple Products LHA File Handling Buffer Overflow
2.  [SA14163] Mozilla Products IDN Spoofing Security Issue
3.  [SA14585] Linux Kernel Multiple Vulnerabilities
4.  [SA14631] Microsoft Windows EMF File Denial of Service Vulnerability
5.  [SA14565] Firefox "Save Link As..." Status Bar Spoofing Weakness
6.  [SA14595] Symantec Products Unspecified DNS Cache Poisoning Vulnerability
7.  [SA12889] Microsoft Internet Explorer Multiple Vulnerabilities
8.  [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerability
9.  [SA14640] Java Web Start JNLP File Command Line Argument Injection Vulnerability
10. [SA14555] LimeWire Gnutella Disclosure of Sensitive Information

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA14630] Cain & Abel IKE-PSK / HTTP Sniffer Buffer Overflow Vulnerabilities
[SA14627] MailEnable Standard SMTP Format String Vulnerability
[SA14668] betaparticle blog Exposure of Sensitive Information and Security Bypass
[SA14664] FileZilla Server Denial of Service Vulnerabilities
[SA14638] FUN labs Various Games Denial of Service Vulnerabilities
[SA14617] NotifyLink Enterprise Server Multiple Vulnerabilities
[SA14671] Mozilla Thunderbird Drag and Drop Vulnerability
[SA14662] Ocean FTP Server Multiple Connections Denial of Service
[SA14660] Proview Disassembler Filename Handling Buffer Overflow
[SA14625] ACS Blog "search" Cross-Site Scripting Vulnerability
[SA14629] iPool / iSnooker Sensitive Information Disclosure
[SA14616] Servers Alive Privilege Escalation Vulnerability
[SA14631] Microsoft Windows EMF File Denial of Service Vulnerability
[SA14610] IDA Pro Debugger Dynamic Link Library Loading Vulnerability

UNIX/Linux:
[SA14709] Red Hat update for Mozilla
[SA14706] Red Hat update for Thunderbird
[SA14705] Fedora update for Firefox
[SA14699] Fedora update for Thunderbird
[SA14698] Fedora update for mozilla
[SA14687] Red Hat update for imagemagick
[SA14655] Mac OS X Security Update Fixes Multiple Vulnerabilities
[SA14653] Ubuntu update for php4
[SA14650] SUSE Updates for Multiple Packages
[SA14623] Red Hat update for tetex
[SA14621] Ubuntu update for libxpm4/libxpm4-dbg
[SA14704] Fedora update for kdelibs
[SA14700] SUSE update for imagemagick
[SA14686] Red Hat update for ipsec-tools
[SA14683] Debian update for xloadimage
[SA14682] Red Hat update for kdelibs
[SA14681] Red Hat update for imagemagick
[SA14675] IPsec-Tools ISAKMP Header Parsing Denial of Service
[SA14666] Red Hat update for libexif
[SA14665] Red Hat update for realplayer
[SA14661] Debian update for xli
[SA14656] Trustix update for mysql / kernel
[SA14637] Gentoo update for sylpheed/sylpheed-claws
[SA14634] Gentoo update for rxvt-unicode
[SA14633] Red Hat update for sylpheed
[SA14632] Red Hat update for ethereal
[SA14624] Red Hat Postfix IPv6 Relaying Security Issue
[SA14622] Sylpheed-Claws Message Reply Buffer Overflow Vulnerability
[SA14620] Fedora update for ethereal
[SA14619] Gentoo update for curl
[SA14614] SUSE update for MozillaFirefox
[SA14612] Conectiva update for cyrus-imapd
[SA14636] Gentoo update for openslp
[SA14708] Interspire ArticleLive 2005 "ArticleId" Cross-Site Scripting Vulnerability
[SA14678] Fedora update for mailman
[SA14677] Sun Java System Application Server Cross-Site Scripting
[SA14674] HP-UX Apache Security Bypass and Denial of Service
[SA14673] Gentoo dyndnsupdate Multiple Buffer Overflows
[SA14667] Red Hat update for mailman
[SA14663] Xzabite dyndnsupdate Multiple Buffer Overflows
[SA14646] AnswerBook2 Documentation Server Two Vulnerabilities
[SA14643] Fedora update for xloadimage
[SA14615] Gentoo update for grip
[SA14657] Mandrake update for mysql
[SA14618] Gentoo update for mysql
[SA14672] Debian update for perl
[SA14645] Sun Solaris newgrp Privilege Escalation Vulnerability
[SA14639] Gentoo update for ltris
[SA14635] LTris Highscore List Buffer Overflow Vulnerability
[SA14613] Conectiva update for kdenetwork
[SA14626] Gentoo update for kdelibs

Other:

Cross Platform:
[SA14707] Vortex Portal "act" File Inclusion Vulnerability
[SA14688] Double Choco Latte Cross-Site Scripting and PHP Code Execution
[SA14685] Mozilla Thunderbird GIF Image Processing Buffer Overflow Vulnerability
[SA14684] Mozilla Security Bypass and Buffer Overflow Vulnerabilities
[SA14670] CzarNews "tpath" File Inclusion Vulnerability
[SA14669] TRG News Script "dir" File Inclusion Vulnerability
[SA14654] Mozilla Firefox Three Vulnerabilities
[SA14649] DeleGate Multiple Unspecified Buffer Overflow Vulnerabilities
[SA14640] Java Web Start JNLP File Command Line Argument Injection Vulnerability
[SA14628] McAfee Multiple Products LHA File Handling Buffer Overflow
[SA14676] BirdBlog "userid" and "userpw" SQL Injection Vulnerability
[SA14652] Subdreamer Light Global Variables SQL Injection Vulnerability
[SA14648] exoops "file" Exposure of Sensitive Information
[SA14647] Runcms "file" Exposure of Sensitive Information
[SA14642] phpmyfamily SQL Injection Vulnerabilities
[SA14641] ciamos "file" Exposure of Sensitive Information
[SA14690] phpSysInfo Cross-Site Scripting Vulnerabilities
[SA14680] phorum "body" Parameter HTTP Response Splitting
[SA14679] MercuryBoard "title" Script Insertion Vulnerability
[SA14658] SurgeMail Three Vulnerabilities
[SA14651] PHPOpenChat Cross-Site Scripting Vulnerabilities
[SA14644] Icecast XSL Stylesheet Source Exposure
[SA14611] Novell Netware Xsession Security Bypass

========================================================================
5) Vulnerabilities Content Listing

Windows:
--
[SA14630] Cain & Abel IKE-PSK / HTTP Sniffer Buffer Overflow Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-03-18

Two vulnerabilities have been reported in Cain & Abel. One has an unknown impact and the other can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14630/

--
[SA14627] MailEnable Standard SMTP Format String Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-03-18

Mati Aharoni has discovered a vulnerability in MailEnable Standard, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/14627/

--
[SA14668] betaparticle blog Exposure of Sensitive Information and Security Bypass

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Exposure of sensitive information
Released:    2005-03-22

farhad koosha has reported a vulnerability and a security issue in betaparticle blog, which can be exploited by malicious people to bypass certain security restrictions and disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/14668/

--
[SA14664] FileZilla Server Denial of Service Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-03-22

Two vulnerabilities have been reported in FileZilla Server, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14664/

--
[SA14638] FUN labs Various Games Denial of Service Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-03-22

Luigi Auriemma has reported two vulnerabilities in various FUN labs games, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14638/

--
[SA14617] NotifyLink Enterprise Server Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, Exposure of sensitive information
Released:    2005-03-18

NOAA NCIRT Lab has reported some vulnerabilities in NotifyLink Enterprise Server, which can be exploited to disclose sensitive information, bypass certain security restrictions, and conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/14617/

--
[SA14671] Mozilla Thunderbird Drag and Drop Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-03-22

A vulnerability has been reported in Thunderbird, which can be exploited by malicious people to plant malware on a user's system.
Full Advisory:
http://secunia.com/advisories/14671/

--
[SA14662] Ocean FTP Server Multiple Connections Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-03-22

GSS-IT has reported a vulnerability in Ocean FTP Server, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14662/

--
[SA14660] Proview Disassembler Filename Handling Buffer Overflow

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2005-03-22

HaCkZaTaN has discovered a vulnerability in Proview Disassembler, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14660/

--
[SA14625] ACS Blog "search" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-03-18

farhad koosha has reported a vulnerability in ACS Blog, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/14625/

--
[SA14629] iPool / iSnooker Sensitive Information Disclosure

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2005-03-18

Kozan has discovered a security issue in iPool and iSnooker, which can be exploited by malicious, local users to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/14629/

--
[SA14616] Servers Alive Privilege Escalation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-03-17

Michael Starks has discovered a vulnerability in Servers Alive, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/14616/

--
[SA14631] Microsoft Windows EMF File Denial of Service Vulnerability

Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2005-03-18

Hongzhen Zhou has discovered a vulnerability in Microsoft Windows, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14631/

--
[SA14610] IDA Pro Debugger Dynamic Link Library Loading Vulnerability

Critical:    Not critical
Where:       From remote
Impact:      System access
Released:    2005-03-17

Piotr Bania has reported a vulnerability in IDA Pro, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14610/

UNIX/Linux:
--
[SA14709] Red Hat update for Mozilla

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Spoofing, System access
Released:    2005-03-24

Red Hat has issued an update for Mozilla. This fixes several vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, conduct spoofing attacks and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14709/

--
[SA14706] Red Hat update for Thunderbird

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-03-24

Red Hat has issued an update for Thunderbird. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14706/

--
[SA14705] Fedora update for Firefox

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-03-24

Fedora has issued an update for Firefox. This fixes three vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions and compromise a user's system.
Full Advisory:
http://secunia.com/advisories/14705/

--
[SA14699] Fedora update for Thunderbird

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-03-24

Fedora has issued an update for Thunderbird. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14699/

--
[SA14698] Fedora update for mozilla

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Spoofing, Exposure of system information, Exposure of sensitive information, System access
Released:    2005-03-24

Fedora has issued an update for mozilla. This fixes some vulnerabilities, which can be exploited to bypass certain security restrictions, conduct spoofing and script insertion attacks, disclose various information, or compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14698/

--
[SA14687] Red Hat update for imagemagick

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-03-23

Red Hat has issued an update for imagemagick. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14687/

--
[SA14655] Mac OS X Security Update Fixes Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Spoofing, Exposure of sensitive information, Privilege escalation, DoS, System access
Released:    2005-03-22

Apple has issued a security update for Mac OS X, which fixes various vulnerabilities.

Full Advisory:
http://secunia.com/advisories/14655/

--
[SA14653] Ubuntu update for php4

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, System access
Released:    2005-03-21

Ubuntu has issued an update for php4. This fixes some vulnerabilities, which can be exploited to bypass certain security restrictions or compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/14653/

--
[SA14650] SUSE Updates for Multiple Packages

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-03-21

SUSE has issued updates for multiple packages. These fix various vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14650/

--
[SA14623] Red Hat update for tetex

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-03-17

Red Hat has issued an update for tetex. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14623/

--
[SA14621] Ubuntu update for libxpm4/libxpm4-dbg

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-03-17

Ubuntu has issued updates for libxpm4 and libxpm4-dbg. These fix a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14621/

--
[SA14704] Fedora update for kdelibs

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, Privilege escalation, Spoofing
Released:    2005-03-24

Fedora has issued an update for kdelibs. This fixes two vulnerabilities and a security issue, which can be exploited by malicious, local users to cause a DoS (Denial of Service), perform certain actions with escalated privileges on a vulnerable system, and by a malicious web site to spoof the URL displayed in the address bar and status bar.

Full Advisory:
http://secunia.com/advisories/14704/

--
[SA14700] SUSE update for imagemagick

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-03-24

SUSE has issued an update for imagemagick. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/14700/

--
[SA14686] Red Hat update for ipsec-tools

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-03-23

Red Hat has issued an update for ipsec-tools. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14686/

--
[SA14683] Debian update for xloadimage

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-03-23

Debian has issued an update for xloadimage. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14683/

--
[SA14682] Red Hat update for kdelibs

Critical:    Moderately critical
Where:       From remote
Impact:      Spoofing, Privilege escalation, DoS
Released:    2005-03-23

Red Hat has issued an update for kdelibs. This fixes two vulnerabilities and a security issue, which can be exploited by malicious, local users to cause a DoS (Denial of Service), perform certain actions with escalated privileges on a vulnerable system, and by a malicious web site to spoof the URL displayed in the address bar and status bar.

Full Advisory:
http://secunia.com/advisories/14682/

--
[SA14681] Red Hat update for imagemagick

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-03-23

Red Hat has issued an update for imagemagick. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14681/

--
[SA14675] IPsec-Tools ISAKMP Header Parsing Denial of Service

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-03-23

A vulnerability has been reported in IPsec-Tools, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/14675/

--
[SA14666] Red Hat update for libexif

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-03-22

Red Hat has issued an update for libexif. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14666/

--
[SA14665] Red Hat update for realplayer

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2005-03-22

Full Advisory:
http://secunia.com/advisories/14665/

--
[SA14661] Debian update for xli

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-03-22

Debian has issued an update for xli. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14661/

--
[SA14656] Trustix update for mysql / kernel

Critical:    Moderately critical
Where:       From remote
Impact:      System access, DoS, Privilege escalation
Released:    2005-03-22

Trustix has issued updates for mysql and the kernel. These fix various vulnerabilities, which can be exploited to cause a DoS (Denial of Service), perform certain actions with escalated privileges, or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14656/

--
[SA14637] Gentoo update for sylpheed/sylpheed-claws

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-03-21

Gentoo has issued updates for sylpheed and sylpheed-claws. These fix a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14637/

--
[SA14634] Gentoo update for rxvt-unicode

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-03-21

Gentoo has issued an update for rxvt-unicode. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14634/

--
[SA14633] Red Hat update for sylpheed

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-03-18

Red Hat has issued an update for sylpheed. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14633/

--
[SA14632] Red Hat update for ethereal

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-03-18

Red Hat has issued an update for ethereal. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14632/

--
[SA14624] Red Hat Postfix IPv6 Relaying Security Issue

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-03-17

Red Hat has issued an update for postfix. This fixes a security issue, which can be exploited by malicious people to use a vulnerable system as an open relay.

Full Advisory:
http://secunia.com/advisories/14624/

--
[SA14622] Sylpheed-Claws Message Reply Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-03-21

A vulnerability has been reported in Sylpheed-Claws, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14622/

--
[SA14620] Fedora update for ethereal

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-03-17

Fedora has issued an update for ethereal. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/14620/

--
[SA14619] Gentoo update for curl

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-03-17

Gentoo has issued an update for curl. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14619/

--
[SA14614] SUSE update for MozillaFirefox

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Spoofing, System access
Released:    2005-03-17

SUSE has issued an update for MozillaFirefox. This fixes some vulnerabilities, which can be exploited by a malicious web site to spoof the URL displayed in the address bar, SSL certificate, and status bar and by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14614/

--
[SA14612] Conectiva update for cyrus-imapd

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-03-18

Conectiva has issued an update for cyrus-imapd. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14612/

--
[SA14636] Gentoo update for openslp

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2005-03-21

Gentoo has issued an update for openslp. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/14636/

--
[SA14708] Interspire ArticleLive 2005 "ArticleId" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-03-24

mircia has reported a vulnerability in Interspire ArticleLive 2005, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/14708/

--
[SA14678] Fedora update for mailman

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-03-23

Fedora has issued an update for mailman. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/14678/

--
[SA14677] Sun Java System Application Server Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-03-23

Eric Hobbs has reported a vulnerability in Sun Java System Application Server, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/14677/

--
[SA14674] HP-UX Apache Security Bypass and Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, DoS
Released:    2005-03-22

HP has acknowledged some vulnerabilities in HP-UX Apache, which can be exploited by malicious people to bypass certain security restrictions or cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14674/

--
[SA14673] Gentoo dyndnsupdate Multiple Buffer Overflows

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2005-03-22

Gentoo has acknowledged some vulnerabilities in dyndnsupdate, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/14673/

--
[SA14667] Red Hat update for mailman

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-03-22

Red Hat has issued an update for mailman. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/14667/

--
[SA14663] Xzabite dyndnsupdate Multiple Buffer Overflows

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2005-03-22

Toby Dickenson has reported multiple vulnerabilities in Xzabite dyndnsupdate, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14663/

--
[SA14646] AnswerBook2 Documentation Server Two Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-03-21

Thomas Liam Romanis has reported two vulnerabilities in AnswerBook2 Documentation Server, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/14646/

--
[SA14643] Fedora update for xloadimage

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2005-03-21

Fedora has issued an update for xloadimage. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/14643/

--
[SA14615] Gentoo update for grip

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2005-03-18

Gentoo has issued an update for grip. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/14615/

--
[SA14657] Mandrake update for mysql

Critical:    Less critical
Where:       From local network
Impact:      Privilege escalation, System access
Released:    2005-03-22

MandrakeSoft has issued an update for mysql. This fixes some vulnerabilities, which potentially can be exploited by malicious users to compromise a vulnerable system and by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/14657/

--
[SA14618] Gentoo update for mysql

Critical:    Less critical
Where:       From local network
Impact:      Privilege escalation, System access
Released:    2005-03-17

Gentoo has issued an update for mysql. This fixes some vulnerabilities, which potentially can be exploited by malicious users to compromise a vulnerable system and by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/14618/

--
[SA14672] Debian update for perl

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-03-22

Debian has issued an update for perl. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/14672/

--
[SA14645] Sun Solaris newgrp Privilege Escalation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-03-21

A vulnerability has been reported in Sun Solaris, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/14645/

--
[SA14639] Gentoo update for ltris

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-03-21

Gentoo has issued an update for ltris. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/14639/

--
[SA14635] LTris Highscore List Buffer Overflow Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-03-21

A vulnerability has been reported in LTris, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/14635/

--
[SA14613] Conectiva update for kdenetwork

Critical:    Less critical
Where:       Local system
Impact:      Manipulation of data
Released:    2005-03-17

Conectiva has issued an update for kdenetwork. This fixes a vulnerability, which can be exploited by malicious, local users to manipulate the contents of certain files.

Full Advisory:
http://secunia.com/advisories/14613/

--
[SA14626] Gentoo update for kdelibs

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2005-03-21

Gentoo has issued an update for kdelibs. This fixes a vulnerability, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/14626/

Other:

Cross Platform:
--
[SA14707] Vortex Portal "act" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-03-24

Francisco Alisson has reported a vulnerability in Vortex Portal, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/14707/

--
[SA14688] Double Choco Latte Cross-Site Scripting and PHP Code Execution

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, System access
Released:    2005-03-24

James Bercegay has reported two vulnerabilities in Double Choco Latte, which can be exploited by malicious people to conduct cross-site scripting attacks and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14688/

--
[SA14685] Mozilla Thunderbird GIF Image Processing Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-03-24
Mark Dowd has reported a vulnerability in Thunderbird, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14685/

--
[SA14684] Mozilla Security Bypass and Buffer Overflow Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Security Bypass, System access
Released: 2005-03-24
Two vulnerabilities have been reported in Mozilla, which can be exploited by malicious people to bypass certain security restrictions and compromise a user's system.
Full Advisory: http://secunia.com/advisories/14684/

--
[SA14670] CzarNews "tpath" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-03-22
Frank "brOmstar" Reissner has reported a vulnerability in CzarNews, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14670/

--
[SA14669] TRG News Script "dir" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-03-22
Frank "brOmstar" Reissner has reported a vulnerability in TRG News Script, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14669/

--
[SA14654] Mozilla Firefox Three Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Security Bypass, System access
Released: 2005-03-24
Three vulnerabilities have been reported in Firefox, which can be exploited by malicious people to bypass certain security restrictions and compromise a user's system.
Full Advisory: http://secunia.com/advisories/14654/

--
[SA14649] DeleGate Multiple Unspecified Buffer Overflow Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-03-22
Some vulnerabilities have been reported in DeleGate, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14649/

--
[SA14640] Java Web Start JNLP File Command Line Argument Injection Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-03-21
Jouko Pynnönen has reported a vulnerability in Java Web Start, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/14640/

--
[SA14628] McAfee Multiple Products LHA File Handling Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-03-18
ISS X-Force has reported a vulnerability in multiple McAfee products, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/14628/

--
[SA14676] BirdBlog "userid" and "userpw" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-03-23
A vulnerability has been reported in BirdBlog, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/14676/

--
[SA14652] Subdreamer Light Global Variables SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-03-21
GHC team has reported a vulnerability in Subdreamer Light, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/14652/

--
[SA14648] exoops "file" Exposure of Sensitive Information
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-03-21
NT has reported a vulnerability in exoops, which can be exploited by malicious people to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/14648/

--
[SA14647] Runcms "file" Exposure of Sensitive Information
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-03-21
NT has reported a vulnerability in Runcms, which can be exploited by malicious people to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/14647/

--
[SA14642] phpmyfamily SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-03-22
ADZ Security Team has reported some vulnerabilities in phpmyfamily, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/14642/

--
[SA14641] ciamos "file" Exposure of Sensitive Information
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-03-21
NT has reported a vulnerability in ciamos, which can be exploited by malicious people to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/14641/

--
[SA14690] phpSysInfo Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information
Released: 2005-03-24
Maksymilian Arciemowicz has reported some vulnerabilities in phpSysInfo, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/14690/

--
[SA14680] phorum "body" Parameter HTTP Response Splitting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-03-23
Positive Technologies has reported a vulnerability in phorum, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/14680/

--
[SA14679] MercuryBoard "title" Script Insertion Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-03-23
Secunia Research has discovered a vulnerability in MercuryBoard, which can be exploited by malicious users to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/14679/

--
[SA14658] SurgeMail Three Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information
Released: 2005-03-22
Tan Chew Keong has reported three vulnerabilities in SurgeMail, which can be exploited by malicious people to conduct cross-site scripting attacks and by malicious users to conduct script insertion attacks, bypass certain security restrictions, and gain knowledge of various information.
Full Advisory: http://secunia.com/advisories/14658/

--
[SA14651] PHPOpenChat Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-03-22
Pi3cH has reported some vulnerabilities in PHPOpenChat, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/14651/

--
[SA14644] Icecast XSL Stylesheet Source Exposure
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-03-21
Patrick has discovered a vulnerability in Icecast, which can be exploited by malicious people to disclose potentially sensitive information.
Full Advisory: http://secunia.com/advisories/14644/

--
[SA14611] Novell Netware Xsession Security Bypass
Critical: Less critical
Where: From local network
Impact: Security Bypass
Released: 2005-03-17
A vulnerability has been reported in Novell Netware, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/14611/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

From isn at c4i.org Mon Mar 28 04:57:56 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Mar 28 05:06:07 2005
Subject: [ISN] GAO: SEC systems vulnerable to attack
Message-ID:

http://www.fcw.com/article88406-03-25-05-Web

By David Perera
March 25, 2005

Computer networks at the Securities and Exchange Commission remain vulnerable to hacking, a Government Accountability Office report finds.

Data at risk includes regulatory information, SEC financial transactions and internal payroll and personnel information, the report states.

Security is getting more attention these days because of high-profile cases involving Bank of America, information gatherers ChoicePoint and LexisNexis, where unauthorized people were able to access personal data.

During the period of GAO's review, from April through November 2004, the commission's network intrusion-detection system was not fully implemented and "there was no capability to target unusual or suspicious network events for review as they occurred," the report states.
Network services and devices were vulnerable, outdated, and/or misconfigured, the report also states.

During one examination of SEC security controls, GAO auditors found an internal SEC network-connected computer located inside a public area. Some former employees also retained network access, including one former employee who could still log onto SEC systems for eight months after departing the commission. The congressional watchdog also found that some SEC network users could bypass security and audit controls altogether.

A key reason for the commission's security weaknesses is its lack of a comprehensive information security program, the report states. Although the agency has established a central security group and appointed a senior information security officer, SEC officials have yet to complete a comprehensive risk assessment and develop adequate policies, the report states.

Each year, the SEC processes more than 600,000 financial documents and collects more than $1 billion in filing fees, penalties and disgorgements in fulfilling its mission to oversee U.S. security markets.

GAO auditors are not alone in noting SEC security weaknesses; a fiscal 2004 SEC inspector general audit found the commission substantially out of compliance with the Federal Information Security Management Act of 2002.

SEC officials said the commission recognizes the need to further its existing programs and will complete the corrective actions identified by GAO auditors by June 2006. Significant progress is already underway, adds the official commission response to the GAO findings.
From isn at c4i.org Mon Mar 28 04:58:42 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Mar 28 05:06:10 2005
Subject: [ISN] Linux Advisory Watch - March 25th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                             Weekly Newsletter    |
|  March 25th, 2005                              Volume 6, Number 12a |
+---------------------------------------------------------------------+

Editors:  Dave Wreski                 dave@linuxsecurity.com
          Benjamin D. Thomas          ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for cyrus-imapd, curl, xloadimage, xli, PERL, sylpheed, libgal2, libsoup, evolution, gimp, procps, lsof, lockdev, xloadimage, mailman, boost, kdelibs, firefox, thunderbird, mozilla, devhelp, epiphany, rxvt, LTris, MySQL, ethereal, ipsec-tools, and ImageMagick. The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat, and SuSE.

---

Authentication: Passwords

For most, the subject of passwords is novel. However, it is important to take a step back and analyze their strengths, weaknesses, and alternatives. Using only passwords as a method of authentication is often insufficient for critical data because they fundamentally have weaknesses. Several of those include: users pick easy to guess words, users often voluntarily give them away in order to make work easier, and passwords are often easily intercepted.
Many applications/protocols that are still in use send passwords in cleartext. A weak password is the equivalent of a faulty lock on a safe. Passwords do not guarantee security; they only increase the time required to access data or information.

System administrators can improve password security for users in several ways. First, a limit on log-in attempts should be set. For example, user ids should be locked after a number of failed login attempts. Next, passwords should have strength requirements set. For example, passwords should have a minimum length, special characters and capitalizations should be required, and they should be checked against a dictionary file. Password security can also be improved if there are expiration dates set and passwords are not reused consecutively.

Biometrics and other forms of authentication in addition to passwords can dramatically increase security. Having a second line of defense is critical. For example, ssh security can be improved by using key authentication and IP based access controls. Passwords are slowly becoming obsolete with improvements in technology, but will remain in use for many years.

Next week, I'll discuss how using single sign-on mechanisms can improve password security and management for users.

Until next time, cheers!
Benjamin D. Thomas

----------------------

Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, and is therefore very simple. If the feedback is good, I'll consider creating more complex guides for advanced users. Please let us know what you think and how these can be improved.
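The controls the "Authentication: Passwords" column above lists (minimum length, required capitals and special characters, a dictionary check, expiration, no consecutive reuse, and a lock after repeated failed logins) applied to one account, as an added Python example that is not code from LinuxSecurity.com or the column's author; the thresholds, the five-word stand-in dictionary, the demo dates and the PBKDF2 hashing are assumptions made for illustration.

```python
"""Password controls from the column: strength rules, dictionary check, expiry,
no consecutive reuse, lockout.  Added example; every threshold is constructed."""
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

# Constructed stand-in for a dictionary file; a real check reads a word list.
DICTIONARY = {"password", "letmein", "welcome", "linux", "secret"}
MIN_LENGTH = 10                  # minimum length requirement
MAX_FAILURES = 5                 # lock the account after this many failures
LOCKOUT = timedelta(minutes=15)  # how long a locked account stays locked
MAX_AGE = timedelta(days=90)     # expiration date for a password
HISTORY_DEPTH = 5                # previous passwords that may not be reused
START = datetime(2005, 3, 25)    # constructed clock value for the demo


def check_strength(password, dictionary=DICTIONARY):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # Dictionary check on the letters only, so "Password1!" is still
    # recognised as the word "password" with decoration around it.
    core = "".join(c for c in password.lower() if c.isalpha())
    if core in dictionary:
        problems.append("based on a dictionary word")
    return problems


def hash_password(password, salt=b""):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def matches(password, salt, digest):
    """Constant-time comparison against a stored (salt, digest) pair."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class Account:
    def __init__(self, username, password, now):
        problems = check_strength(password)
        if problems:
            raise ValueError("; ".join(problems))
        self.username = username
        self.history = []          # (salt, digest) pairs, most recent last
        self.failures = 0
        self.locked_until = None
        self._store(password, now)

    def _store(self, password, now):
        self.history.append(hash_password(password))
        self.changed_at = now

    def change_password(self, new_password, now):
        """Apply the strength rules plus the no-reuse rule; returns violations."""
        problems = check_strength(new_password)
        recent = self.history[-HISTORY_DEPTH:]
        if any(matches(new_password, s, d) for s, d in recent):
            problems.append("reuses one of the last %d passwords" % HISTORY_DEPTH)
        if not problems:
            self._store(new_password, now)
        return problems

    def login(self, password, now):
        """Return "ok", "expired", "locked" or "denied"."""
        if self.locked_until is not None and now < self.locked_until:
            return "locked"
        salt, digest = self.history[-1]
        if matches(password, salt, digest):
            self.failures = 0
            self.locked_until = None
            return "expired" if now - self.changed_at > MAX_AGE else "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:    # limit on log-in attempts
            self.failures = 0
            self.locked_until = now + LOCKOUT
        return "denied"


def demo():
    """Walk one account through every control; returns the outcomes in order."""
    acct = Account("ben", "Tr0ub4dor&Shoe", START)
    out = [acct.login("Tr0ub4dor&Shoe", START)]                       # ok
    out += [acct.login("guess", START) for _ in range(MAX_FAILURES)]  # denied x5
    out.append(acct.login("Tr0ub4dor&Shoe", START))                   # locked
    out.append(acct.login("Tr0ub4dor&Shoe", START + LOCKOUT))         # ok again
    out.append(acct.change_password("Tr0ub4dor&Shoe", START))         # reuse refused
    out.append(acct.change_password("C0rrect-Horse!", START))         # accepted
    out.append(acct.login("C0rrect-Horse!", START + MAX_AGE + timedelta(days=1)))
    return out
```

Note that a correct password entered during the lockout window is still refused; that is the point of the limit, since an attacker who has guessed correctly on the sixth try must also wait it out.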
Click to view video demo: http://www.linuxsecurity.com/content/view/118181/49/

---

The Tao of Network Security Monitoring: Beyond Intrusion Detection

To be honest, this was one of the best books that I've read on network security. Other books often dive so deeply into technical discussions, they fail to provide any relevance to network engineers/administrators working in a corporate environment. Budgets, deadlines, and flexibility are issues that we must all address. The Tao of Network Security Monitoring is presented in such a way that all of these are still relevant. One of the greatest virtues of this book is that it offers real-life technical examples, while backing them up with relevant case studies.

http://www.linuxsecurity.com/content/view/118106/49/

---

Encrypting Shell Scripts

Do you have scripts that contain sensitive information like passwords and you pretty much depend on file permissions to keep it secure? If so, then that type of security is good provided you keep your system secure and some user doesn't have a "ps -ef" loop running in an attempt to capture that sensitive info (though some applications mask passwords in "ps" output).

http://www.linuxsecurity.com/content/view/117920/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
| Distribution: Conectiva         | ----------------------------//
+---------------------------------+

* Conectiva: cyrus-imapd Fix for multiple cyrus-imapd
17th, March, 2005
cyrus-imapd[1] is an IMAP and POP3 mail server with several advanced features such as SASL authentication, server-side mail filtering, mailbox ACLs and others.
http://www.linuxsecurity.com/content/view/118624

* Conectiva: curl Fix for cURL vulnerability
21st, March, 2005
cURL[1] is a client to get/put files from/to servers, using any of the supported protocols.
http://www.linuxsecurity.com/content/view/118655

+---------------------------------+
| Distribution: Debian            | ----------------------------//
+---------------------------------+

* Debian: New xloadimage packages fix several vulnerabilities
21st, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118650

* Debian: New xli packages fix several vulnerabilities
21st, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118656

* Debian: New perl packages fix privilege escalation
22nd, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118663

+---------------------------------+
| Distribution: Fedora            | ----------------------------//
+---------------------------------+

* Fedora Core 2 Update: sylpheed-1.0.3-0.FC2
17th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118626

* Fedora Core 3 Update: libgal2-2.2.5-1
17th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118627

* Fedora Core 3 Update: libsoup-2.2.2-1.FC3
17th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118628

* Fedora Core 3 Update: evolution-data-server-1.0.4-3
17th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118629

* Fedora Core 3 Update: evolution-2.0.4-1
17th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118630

* Fedora Core 3 Update: evolution-connector-2.0.4-1
17th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118631

* Fedora Core 3 Update: selinux-policy-targeted-1.17.30-2.89
17th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118632

* Fedora Core 3 Update: policycoreutils-1.18.1-2.10
17th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118633

* Fedora Core 3 Update: gimp-2.2.4-0.fc3.3
18th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118640

* Fedora Core 3 Update: procps-3.2.3-5.2
18th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118641

* Fedora Core 3 Update: lsof-4.72-2.1
18th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118642

* Fedora Core 3 Update: lockdev-1.0.1-4.1
18th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118643

* Fedora Core 2 Update: xloadimage-4.1-34.FC2
18th, March, 2005
This update fixes CAN-2005-0638, a problem in the parsing of shell metacharacters in filenames. It also fixes bugs in handling of malformed TIFF and PBM/PNM/PPM issues.
http://www.linuxsecurity.com/content/view/118644

* Fedora Core 3 Update: xloadimage-4.1-34.FC3
18th, March, 2005
This update fixes CAN-2005-0638, a problem in the parsing of shell metacharacters in filenames. It also fixes bugs in handling of malformed TIFF and PBM/PNM/PPM issues.
http://www.linuxsecurity.com/content/view/118645

* Fedora Core 2 Update: mailman-2.1.5-10.fc2
22nd, March, 2005
A cross-site scripting (XSS) flaw in the driver script of mailman prior to version 2.1.5 could allow remote attackers to execute scripts as other web users.
http://www.linuxsecurity.com/content/view/118667

* Fedora Core 3 Update: mailman-2.1.5-32.fc3
22nd, March, 2005
A cross-site scripting (XSS) flaw in the driver script of mailman prior to version 2.1.5 could allow remote attackers to execute scripts as other web users. The Common Vulnerabilities.
http://www.linuxsecurity.com/content/view/118668

* Fedora Core 3 Update: boost-1.32.0-5.fc3
22nd, March, 2005
This is a bugfix release.
http://www.linuxsecurity.com/content/view/118669

* Fedora Core 2 Update: kdelibs-3.2.2-14.FC2
23rd, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118683

* Fedora Core 3 Update: firefox-1.0.2-1.3.1
23rd, March, 2005
A buffer overflow bug was found in the way Firefox processes GIF images. It is possible for an attacker to create a specially crafted GIF image, which when viewed by a victim will execute arbitrary code as the victim.
http://www.linuxsecurity.com/content/view/118684

* Fedora Core 3 Update: kdelibs-3.3.1-2.9.FC3
23rd, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118685

* Fedora Core 3 Update: thunderbird-1.0.2-1.3.1
23rd, March, 2005
A buffer overflow bug was found in the way Thunderbird processes GIF images. It is possible for an attacker to create a specially crafted GIF image, which when viewed by a victim will execute arbitrary code as the victim.
http://www.linuxsecurity.com/content/view/118686

* Fedora Core 3 Update: mozilla-1.7.6-1.3.2
23rd, March, 2005
A buffer overflow bug was found in the way Mozilla processes GIF images. It is possible for an attacker to create a specially crafted GIF image, which when viewed by a victim will execute arbitrary code as the victim.
http://www.linuxsecurity.com/content/view/118687

* Fedora Core 3 Update: devhelp-0.9.2-2.3.1
23rd, March, 2005
There were several security flaws found in the mozilla package, which devhelp depends on. Users of devhelp are advised to upgrade to this updated package which has been rebuilt against a later version of mozilla which is not vulnerable to these flaws.
http://www.linuxsecurity.com/content/view/118688

* Fedora Core 3 Update: epiphany-1.4.4-4.3.1
23rd, March, 2005
There were several security flaws found in the mozilla package, which epiphany depends on. Users of epiphany are advised to upgrade to this updated package which has been rebuilt against a later version of mozilla which is not vulnerable to these flaws.
http://www.linuxsecurity.com/content/view/118689

* Fedora Core 3 Update: evolution-2.0.4-2
23rd, March, 2005
There were several security flaws found in the mozilla package, which evolution depends on. Users of evolution are advised to upgrade to this updated package which has been rebuilt against a later version of mozilla which is not vulnerable to these flaws.
http://www.linuxsecurity.com/content/view/118690

* Gentoo: Grip CDDB response overflow
17th, March, 2005
Grip contains a buffer overflow that can be triggered by a large CDDB response, potentially allowing the execution of arbitrary code.
http://www.linuxsecurity.com/content/view/118625

+---------------------------------+
| Distribution: Gentoo            | ----------------------------//
+---------------------------------+

* Gentoo: KDE Local Denial of Service
19th, March, 2005
KDE is vulnerable to a local Denial of Service attack.
http://www.linuxsecurity.com/content/view/118646

* Gentoo: rxvt-unicode Buffer overflow
20th, March, 2005
rxvt-unicode is vulnerable to a buffer overflow that could lead to the execution of arbitrary code.
http://www.linuxsecurity.com/content/view/118647

* Gentoo: LTris Buffer overflow
20th, March, 2005
LTris is vulnerable to a buffer overflow which could lead to the execution of arbitrary code.
http://www.linuxsecurity.com/content/view/118648

* Gentoo: Sylpheed, Sylpheed-claws Message reply overflow
20th, March, 2005
Sylpheed and Sylpheed-claws contain a vulnerability that can be triggered when replying to specially crafted messages.
http://www.linuxsecurity.com/content/view/118649

+---------------------------------+
| Distribution: Mandrake          | ----------------------------//
+---------------------------------+

* Mandrake: Updated KDE packages address
21st, March, 2005
New KDE packages are available to address various bugs. The details are as follows.
http://www.linuxsecurity.com/content/view/118661

* Mandrake: Updated MySQL packages fix
21st, March, 2005
If an authenticated user had INSERT privileges on the 'mysql' database, the CREATE FUNCTION command allowed that user to use libc functions to execute arbitrary code with the privileges of the user running the database server (mysql) (CAN-2005-0709).
http://www.linuxsecurity.com/content/view/118662

+---------------------------------+
| Distribution: Red Hat           | ----------------------------//
+---------------------------------+

* RedHat: Moderate: ethereal security update
18th, March, 2005
Updated Ethereal packages that fix various security vulnerabilities are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/118636

* RedHat: Important: sylpheed security update
18th, March, 2005
An updated sylpheed package that fixes a buffer overflow issue is now available. This update has been rated as having important security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/118635

* RedHat: Important: mailman security update
21st, March, 2005
An updated mailman package that corrects a cross-site scripting flaw is now available. This update has been rated as having important security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/118658

* RedHat: Important: realplayer security update
21st, March, 2005
Updated realplayer packages that fix a number of security issues are now available for Red Hat Enterprise Linux 3 Extras. This update has been rated as having important security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/118659

* RedHat: Low: libexif security update
21st, March, 2005
Updated libexif packages that fix a buffer overflow issue are now available. This update has been rated as having low security impact by the RedHat Security Response Team.
http://www.linuxsecurity.com/content/view/118660

* RedHat: Moderate: ImageMagick security update
23rd, March, 2005
Updated ImageMagick packages that fix a heap based buffer overflow are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/118670

* RedHat: Moderate: ipsec-tools security update
23rd, March, 2005
An updated ipsec-tools package that fixes a bug in parsing of ISAKMP headers is now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/118671

* RedHat: Moderate: ImageMagick security update
23rd, March, 2005
Updated ImageMagick packages that fix a format string bug are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/118672

* RedHat: Important: kdelibs security update
23rd, March, 2005
Updated kdelibs packages that fix several security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/118673

* RedHat: Critical: mozilla security update
23rd, March, 2005
Updated mozilla packages that fix various bugs are now available. This update has been rated as having critical security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/118679

* RedHat: Critical: mozilla security update
23rd, March, 2005
Updated mozilla packages that fix various bugs are now available. This update has been rated as having critical security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/118680

* RedHat: Critical: firefox security update
23rd, March, 2005
Updated firefox packages that fix various bugs are now available. This update has been rated as having critical security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/118681

* RedHat: Critical: thunderbird security update
23rd, March, 2005
Updated thunderbird packages that fix various bugs are now available.
This update has been rated as having critical security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/118682

+---------------------------------+
| Distribution: SuSE              | ----------------------------//
+---------------------------------+

* SuSE: ImageMagick problems
23rd, March, 2005
A format string vulnerability was found in the display program which could lead to a remote attacker being able to execute code as the user running display by providing handcrafted filenames of images. This is tracked by the Mitre CVE ID CAN-2005-0397.
http://www.linuxsecurity.com/content/view/118678

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Mar 28 04:59:07 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Mar 28 05:06:13 2005
Subject: [ISN] RUXCON 2005 Call for Papers
Message-ID:

Forwarded from: RUXCON Call for Papers

Call For Papers

RUXCON would like to announce the call for papers for the third annual RUXCON conference. Breaking from the RUXCON tradition of having the conference in winter months, this year the conference will be run during the 1st and 2nd of October. As with previous years, RUXCON will be held at the University of Technology, Sydney, Australia. The deadline for submissions is the 31st of August.

What is RUXCON?

RUXCON is a conference organised by and for the computer security community. It is an attempt to bring together the individual talents of the security community through live presentations, activities and demonstrations. The conference is held over two days in a relaxed atmosphere, allowing attendees to enjoy themselves whilst expanding their knowledge of security.
Live presentations, activities and workshops will cover a full range of defensive and offensive security topics, varying from unpublished research to required reading for the public security community.

Presentation Information

Presentations are set to run for 50 minutes, and will be of a formal nature, with slides and a speech. Workshops are slightly shorter, between 30-40 minutes in length, in a less formal format and more of a general or introductory skill level.

Presentation Submissions

RUXCON would like to invite people who are interested in security to submit a presentation or workshop. Topics of interest include, but are not limited to:

* Code analysis
* Exploitation techniques
* Network scanning and analysis
* Cryptography
* Malware Analysis
* Reverse engineering
* Forensics and Anti-forensics
* Social engineering
* Web application security
* Legal aspects of computer security and surrounding issues
* Law enforcement activities
* Telecommunications security (mobile, GSM, fraud issues, etc.)

Submissions should thoroughly outline your desired presentation or workshop subject. Accompanying your submission should be the slides you intend to use or a detailed paper explaining your subject.

If you have any enquiries about submissions, or would like to make a submission, please send an e-mail to presentations ruxcon org au. The deadline for submissions is the 31st of August.

If approved we will additionally require:

* A brief personal biography (between 2-5 paragraphs in length), including: skill set, experience, and credentials.
* A description of your presentation or workshop (between 2-5 paragraphs in length).

Selection Criteria

Presentation selection will be based on technical merit. Presentations discussing new, previously undisclosed, defensive or offensive security related material will receive first priority.
Contact Details

Presentation Submissions: presentations ruxcon org au
General Enquiries: ruxcon ruxcon org au

From isn at c4i.org Mon Mar 28 04:59:37 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Mar 28 05:06:16 2005
Subject: [ISN] Legal threat stops flaw info release
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,100637,00.html

By Jaikumar Vijayan
MARCH 25, 2005
COMPUTERWORLD

A threat by Sybase Inc. to sue a U.K.-based security research firm if it publicly discloses the details of eight holes it found in Sybase's database software last year is evoking sharp criticism from some IT managers but sympathetic comments from others.

Blocking the release of vulnerability information "would set a bad precedent" for the software industry, said Tim Powers, senior network administrator at Southwire Co., a Carrollton, Ga.-based maker of electrical wires and cables. Responsible disclosure of software flaws by vulnerability researchers has "significantly improved" the security of products, Powers said. "Preventing disclosure through the threat of legal action can only hurt security," he said.

But Kim Milford, information security manager at the University of Rochester in New York, said she thinks most IT support workers would contact their software vendors directly if security patches weren't effective or couldn't be applied to systems. In such cases, "hackers tend to benefit the most from the release of technical details" about security vulnerabilities, she said.

Dublin, Calif.-based Sybase this week sent a letter to Next Generation Security Software Ltd. warning of legal consequences if it went ahead with plans to release information about the flaws it discovered in Version 12.5.3 of Sybase's Adaptive Server Enterprise (ASE) software. Surrey, England-based NGS initially disclosed the existence of the flaws only to Sybase, which released a fully patched and updated version of the affected software last month.
In line with its stated practice of first waiting for vendors to issue patches, NGS had said it would publicly release details of the flaws on Monday. It decided not to after receiving Sybase's letter.

"We were quite shocked," David Litchfield, one of the founders of NGS, said via e-mail. "They claim that looking for security bugs comes under the banner of database performance testing and benchmarking." Litchfield noted that the license agreement for the development edition of ASE prohibits publication of performance testing and benchmarking results without Sybase's permission.

In an e-mailed statement, a Sybase spokeswoman defended the company's action and said it was motivated by concern for the security of its users. "Sybase does not object to publication of the existence of [security] issues discovered in its products," the statement read. "However, the company does not believe that publication of highly specific details relating to issues is in the best interest of its customers."

The case highlights the need for more cooperation between software vendors and vulnerability researchers, said Eric Beasley, senior network manager at Baker Hill Corp., a Carmel, Ind.-based provider of application services to the banking industry. "I think it's a very bad idea to try and squash vulnerability research because then, obviously, most [vendors] are not going to endeavor to make safer software," Beasley said. "Security through obscurity just does not work."

At the same time, though, security researchers need to work with vendors and ensure that information is disclosed only in a responsible and safe manner, Beasley said. "The two sides need to be looking at such problems together and not get into such an adversarial relationship."

Sybase's action is "abhorrent," said Russ Cooper, editor of the NTBugtraq mailing list and a senior scientist at Cybertrust Inc. in Herndon, Va. "It's equivalent to suing a whistle-blower and should not be tolerated," he said. "No extortion occurred. They were told upfront when details would be published."

Sybase's warning, though rare, isn't entirely unprecedented, said Michael Sutton, director of vulnerability research at iDefense Inc. in Reston, Va. In the past, iDefense has been threatened with similar actions by software vendors, though none has yet gone to the extent of sending a formal legal notice like Sybase did, Sutton said.

Bruce Schneier, chief technology officer at Counterpane Internet Security Inc. and a longtime advocate of public vulnerability disclosures, said the notion that bug hunters only increase security risks by unearthing and disclosing well-hidden software problems is just plain wrong. "That is just naive," Schneier said. "Don't shoot the messenger. Just fix the problems in your software."

But Bob Bagamery, a systems support specialist at a large Canadian utility that he asked not to be named, said the threat of disclosing detailed information about vulnerabilities should be used by security researchers only "when not enough effort is being made to correct the flaw, or when the software manufacturer is trying to blow off" the issue.

"The whole concept of bug-finding simply to find bugs is fundamentally flawed," said Pete Lindstrom, an analyst at Spire Security LLC in Malvern, Pa. "Litchfield and all the other bug hunters are profiting by making the entire enterprise world miserable. It's about time someone took action to at least make them justify what they are doing."

From isn at c4i.org Mon Mar 28 04:59:55 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Mar 28 05:06:19 2005
Subject: [ISN] Crackdown begins on Bluetooth bandits
Message-ID:

http://ww1.mid-day.com/news/city/2005/march/106245.htm

By: Binoo Nair
March 25, 2005

If a camera phone can catch you with your pants down, one with Bluetooth can do the same - albeit figuratively - to your company.
Following the ban on camera phones in hotel lobbies, a crackdown has begun on people who misuse the wireless technology called Bluetooth to steal sensitive information from their employers and pass it on to competitors.

The Digital Due Diligence (DDD), a group of computer technologists formed by the Federation of Indian Chambers of Commerce and Industry (FICCI), has recommended that companies ban employees from using Bluetooth-enabled cell phones, as they can be used to leak confidential information to competitors. The DDD will submit a white paper on the dangers of these smart phones to companies across the country next week.

FICCI formed the DDD after auction portal baazee.com took the rap when the infamous Delhi Public School MMS clip turned up for sale on its site.

Bluetooth, an essential component of today's hi-end 'smart phones', is used to transfer information between devices without the use of wires. While this makes it extremely convenient, it also leaves scope for misuse. You could, for example, use it to access information (such as your boss's email) on a computer remotely, and transfer sensitive files from a PC to your phone. And since the technology is still new, little can be done to prevent this.

"We have found that these smart phones are being used by employees to carry out vital information from companies. And, so far, it is not possible to track this sort of data theft," said Chirag Unadkat, director of the DDD.

Explaining the risks of Bluetooth, Web security expert Vijay Mukhi said, "An employee can access data on any computer, transfer it to a smart phone and pass it on. He can steal information from his boss's computer with almost no physical contact.

"Some phones can communicate with other Bluetooth devices from 100 metres away. This can leave companies wide open to industrial espionage," added Mukhi, who is co-writing the white paper with Unadkat.
The threat is augmented by the fact that most companies, according to Mukhi, are not even aware of the dangers of smart phones.

Both experts say that while it is not possible to ban smart phones altogether, companies can bar them from vital facilities like the server rooms. Another option, they say, is disabling the Bluetooth and infrared compatibility of the company's computers.

White paper proposals

* Be aware of the problem
* Password-protect your computer so that others can't fiddle with it while you're away
* Ban smart phones in areas like server rooms and conference rooms
* Disable Bluetooth and infrared on your company's computers
* Install software that can keep a log of wireless transfers made from your computer. (There is, however, no commercially available product that can do this.)

From isn at c4i.org Tue Mar 29 07:53:14 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 29 08:01:35 2005
Subject: [ISN] Problem Confirmed In January Patch For Windows 98, Me
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml;jsessionid=KKGCUIBVK1FYKQSNDBGCKH0CJUMEKJVN?articleID=159907226

TechWeb News
March 28, 2005

Microsoft posted a message late Friday night to the support discussion groups for Windows 98, Windows 98 SE, and Windows Me acknowledging a problem for users of those OSes who installed a January 2005 patch.

"Microsoft has received reports about issues with KB891711 on Windows 98, Windows 98 SE and Windows ME," wrote Jerry Bryant for the Microsoft Security Response Center (MCSE). "At this point, we have been able to confirm these reports and are currently working on a resolution."

According to other posters on the discussion groups, the problem is one of long standing, involves Internet Explorer, and can cause the machine to hang or dramatically slow down after the patch is applied.
While Microsoft didn't explicitly tell users to roll back the patch [1], the message did continue with, "Please note that by uninstalling the current update, the machine will return to a vulnerable state. At this point, we are currently not aware of customers being exploited by way of the vulnerability fixed in MS05-002 on Windows 98, Windows 98 SE and Windows ME."

Users who need additional assistance can call Microsoft at 866-727-2338 -- the company's PCSAFETY line -- for free help with any security update.

[1] http://www.microsoft.com/technet/security/bulletin/ms05-002.mspx

From isn at c4i.org Tue Mar 29 07:54:15 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 29 08:01:38 2005
Subject: [ISN] NIST offers HIPAA security guidance
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/35364-1.html

By Mary Mosquera
GCN Staff
03/28/05

The National Institute of Standards and Technology has issued a new guide on securing health information. The guide, Special Publication 800-66 [1], recommends the type of systems that are needed to meet the Health Insurance Portability and Accountability Act security mandates that take effect April 20.

The publication, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act Security Rule, details the minimum requirements to secure health information and systems. NIST identifies resources relevant to the specific security standards included in the HIPAA security rule and provides implementation examples for each.

Under the rule, doctors and hospitals must secure and protect patient information from unauthorized use, such as hackers, while also keeping it available for legitimate use. The rule also applies to agencies that transmit health information in electronic form.

The guide also lays out similarities between the HIPAA security rule and the Federal Information Security Management Act of 2002, which all agencies must fulfill.
[1] http://csrc.nist.gov/publications/nistpubs/800-66/SP800-66.pdf

From isn at c4i.org Tue Mar 29 07:54:30 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 29 08:01:42 2005
Subject: [ISN] Stolen UC Berkeley Laptop Exposes Personal Data of Nearly 100,000
Message-ID:

http://www.washingtonpost.com/wp-dyn/articles/A7653-2005Mar28.html

By MICHAEL LIEDTKE
AP Business Writer
March 28, 2005

SAN FRANCISCO (AP) -- A thief has stolen a laptop computer containing personal information about nearly 100,000 University of California, Berkeley alumni, graduate students and past applicants, continuing a recent outbreak of security breakdowns that has illustrated society's growing vulnerability to identity theft.

University officials announced the March 11 theft on Monday under a state law requiring that consumers be notified whenever their Social Security numbers or other sensitive information has been breached.

Notifying all of the 98,369 people affected by the UC Berkeley laptop theft could prove difficult because some of the students received their doctorate degrees nearly 30 years ago, university officials said.

The laptop -- stolen from a restricted area of a campus office -- contained the Social Security numbers of UC Berkeley students who received their doctorates from 1976 through 1999, graduate students enrolled at the university between fall 1989 and fall 2003 and graduate school applicants between fall 2001 and spring 2004. Some graduate students in other years also were affected.

The stolen computer files also included the birth dates and addresses of about one-third of the affected people.

University police suspect the thief was more interested in swiping a computer than people's identities, UC Berkeley spokeswoman Maria Felde said. She said there has been no evidence so far that the stolen information has been used for identity theft. Scam artists often use the data to borrow money by posing as someone else.
The UC Berkeley theft follows several other high profile instances in which businesses and colleges have lost control of personal information that they kept in computer databases. Recent breaches have occurred at ChoicePoint Inc., a consumer data firm duped into distributing personal information about 145,000 people; Lexis-Nexis, where computer hackers obtained access to the personal information of 32,000 people; and Chico State University, where a computer hacking job exposed 59,000 people to potential identity theft.

From isn at c4i.org Tue Mar 29 07:54:47 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 29 08:01:45 2005
Subject: [ISN] Hacker arrested for manipulating 100,000 computers
Message-ID:

http://news.xinhuanet.com/english/2005-03/25/content_2743999.htm

[Seems a little high... - WK]

GUILIN, March 25 (Xinhuanet) -- A man who hacked into 100,000 computers to launch group attacks has been arrested in Tangshan, north China's Hebei Province, according to the Ministry of Public Security Friday.

The ministry's Public Information and Internet Security Supervision Bureau determined that many attacks came from a large group of computers embedded with virus programs. These computers were maneuvered by one hacker via several servers both at home and abroad.

More than 60,000 of the 100,000 computers were within China, and some of them were owned by government departments and other important sectors, said an official with the bureau.

They formed a so-called "corpse network," an attack tool popular among Internet hackers, which can prevent other computers from regular Internet service or send out mass junk e-mails on the hacker's orders, the official said.

A hacker could also steal and use users' information stored in the computers, the official said, but didn't disclose the name of the arrested suspect.

The number of crimes taking advantage of network technologies is climbing in China.
Online pornography, gambling and fraud are focal points in the country's extensive crackdowns.

The official pointed out that China should speed up legislation on Internet crimes, including enacting laws to standardize identification of network data, evidence collection and investigation.

Enditem

From isn at c4i.org Tue Mar 29 07:55:06 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Mar 29 08:01:48 2005
Subject: [ISN] ISPs, telecoms join to 'fingerprint' Internet attacks
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,100695,00.html

By Paul Roberts
MARCH 28, 2005
IDG NEWS SERVICE

Leading global telecommunications companies, Internet service providers and network operators will begin sharing information on Internet attacks as members of a new group called the Fingerprint Sharing Alliance, according to a published statement from the new group.

The companies, including EarthLink Inc., Asia Netcom, British Telecommunications PLC and MCI Inc., will share detailed profile information on attacks launched against their networks. Information to be shared will include the sources of attacks. The alliance will make it easier for service providers and network operators to crack down on global Internet attacks more quickly, according to Tom Schuster, president of Lexington, Mass.-based Arbor Networks Inc., which launched the new alliance.

The Fingerprint Sharing Alliance uses technology from Arbor called Peakflow to spot network attacks and automatically generate a profile, or "fingerprint," of the attack in a standard data file format called PCAP. That fingerprint information is passed along to other service providers closer to the source of the attack, which can then block the source of the traffic, Schuster said.

Arbor wrapped features that support the Fingerprint Sharing Alliance into the last release of Peakflow, which came out earlier this year.
Alliance members have been using Peakflow to share attack fingerprints since then, Schuster said.

The alliance replaces an ad hoc system of e-mail messages and phone calls that operators of large networks have used to coordinate their response to attacks and threats, Arbor said. Because communication has been cumbersome, ISPs and network owners have had no incentive to share attack information.

The alliance will make it easier for them to cooperate and will lower the threshold that attacks must surpass to get the attention of ISPs. Even attacks on small ISP customers will prompt a response from large infrastructure providers.

Peakflow also scrubs the data in fingerprints so alliance members can't use them to sniff sensitive information on competitors, according to Schuster.

"People are realizing that the world is a connected place. We have to empower service providers at the point of origin to have zero tolerance," he said.

Cracking down on those behind even small attacks may also improve the overall health of the Internet and quell raging problems such as "botnets" of zombie computers that are used in large-scale attacks, according to Schuster.

Membership in the alliance is not limited to Arbor customers or Peakflow users. Network owners that are not Arbor customers can generate their own fingerprints and accept PCAP-format fingerprints generated by Alliance members. However, Arbor's technology "speeds up the process considerably" by automatically creating and distributing the fingerprints.

All current members of the alliance are Peakflow customers, and the company's roster of global ISPs gives the program bite, Schuster said.

The alliance is a first step in addressing the problem of Internet attacks. Arbor hopes that the participation of leading service providers will compel competitors, as well as smaller network owners, to take part as well.
From isn at c4i.org Wed Mar 30 01:35:12 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 30 01:50:26 2005
Subject: [ISN] Re: France puts a damper on flaw hunting (Part II)
Message-ID:

Forwarded from: Kitetoa at Kitetoa.com

[Part I of Kitetoa's translation on this ruling is at: http://www.attrition.org/pipermail/isn/2005-March/001312.html - WK]

How many bytes do you have to copy to counterfeit software in France and stop being a bug hunter...?

The computer expert report, which was heavily used by the judges to condemn Guillermito, clearly indicates that he "disassembled, then reassembled some parts of Viguard software". The court condemned Guillermito for counterfeiting and publishing counterfeit data.

In my previous post, about the possible consequences of this legal precedent for bug hunting and full disclosure, I ended with a question:

"Finally, after reading this excellent comment by Maitre Eolas, we can - as computer specialists - wonder about the number of bytes reproduced in the POCs which transforms them into counterfeiting. Viguard is probably around several megabytes of data. For how many reproduced bytes do we have counterfeiting, if we don't have a valid licence? And what if we do have a valid licence?"

Let's try to answer this question by simply looking a little closer at Guillermito's analysis of the Viguard software.

The computer expert report clearly mentions a "utilisation and adaptation of the source of Viguard". Let's see how many lines of source code Guillermito used or adapted. According to the bug hunter, not a single one. He says he never decompiled the software, and never published any source code. Neither did he publish any disassembled listing.

So what did he actually publish? A few signatures used in boot virus detection, the precise boot verification routine but without any code, a few keywords considered dangerous that Viguard detects inside scripts, all from memory.
During the justice investigation, it seems that all the attention focused on a Proof of Concept named VGNaked. This program takes care of the database files, called certify.bvd, created in each directory by Viguard, which store some information about each program in this directory. If you run it, you will get two new files: certify.dec, which is in the same binary format except that it is now decrypted, and certify.dmp, which is a dump, a sort of human-readable version of the content of the original database file.

Guillermito needed to know the content of these database files to find some vulnerabilities. For example, because Viguard only stored the first 16 bytes of code in the executable section of a Windows PE file, any virus which was going to modify more than these 16 bytes couldn't possibly be repaired by Viguard. He needed to show the proof of this affirmation, hence his Proof of Concept program.

These certify.bvd database files created by Viguard are encrypted by a fixed XOR key, obviously found in memory when Viguard is run. Guillermito got these keys from memory and used them to decrypt these databases as said above. This knowledge, in turn, was used later to find subsequent vulnerabilities (for example, a trojan could create on the fly a tailored database file for itself and immediately become certified and so not detected by the anti-virus).

In the assembler source of his program, "VGNaked.asm", you can see all the code. Including, close to the beginning, in the data area, the infamous XOR key (so important that actually, in the next versions of Viguard, these keys are no longer used and the database files aren't encrypted anymore).
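As an added editorial example (not part of Kitetoa's post and not Guillermito's VGNaked code), the fixed-key XOR database scheme described above modelled in Python: the key bytes, the 36-byte record layout and the sample file are constructed assumptions. It shows why such a key falls out of a single known record, why XOR alone gives no tamper detection, and the caveat that an HMAC key kept in the same process memory buys little.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for the fixed 35-byte key the post describes. The
# real key bytes are deliberately not reproduced here.
STUPID_XOR = bytes((i * 37 + 11) & 0xFF for i in range(35))

# Constructed HMAC key for the contrasting "sealed" variant below.
MAC_KEY = b"constructed-demo-mac-key-not-a-real-secret"


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The same call both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Assumed layout of one certify.bvd-style record (36 bytes, one byte longer
# than the key, so a single record exercises every key byte):
#   16-byte NUL-padded file name | 4-byte LE file size | first 16 bytes of
#   the code section (the part the post says Viguard kept for repairs).
REC_FMT = "<16sI16s"
REC_LEN = struct.calcsize(REC_FMT)
FIRST16_OFFSET = 20


def pack_record(name: str, size: int, first16: bytes) -> bytes:
    return struct.pack(REC_FMT, name.encode("ascii")[:16], size, first16[:16])


def unpack_record(rec: bytes) -> tuple:
    name, size, first16 = struct.unpack(REC_FMT, rec)
    return name.rstrip(b"\0").decode("ascii"), size, first16


def decrypt_database(blob: bytes, key: bytes) -> list:
    """What a VGNaked-style dumper does: XOR, then split into records."""
    plain = xor_stream(blob, key)
    return [unpack_record(plain[i:i + REC_LEN])
            for i in range(0, len(plain), REC_LEN)]


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery of a repeating XOR key.

    Every field of a record is known to anyone who can list the directory
    and read the file, so the key falls out of one record without ever
    looking at the product's memory.
    """
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least one full key period of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def tamper_first16(ciphertext: bytes, old_record: bytes, new_first16: bytes) -> bytes:
    """Change the stored 'first16' field of record 0 without knowing the key.

    XOR is linear: C ^ (P_old ^ P_new) decrypts to P_new. This is why a
    fixed-key XOR file is not an integrity check: any process that can
    write the file can certify whatever it likes.
    """
    lo, hi = FIRST16_OFFSET, FIRST16_OFFSET + 16
    delta = bytes(a ^ b for a, b in zip(old_record[lo:hi], new_first16[:16]))
    patched = bytes(c ^ d for c, d in zip(ciphertext[lo:hi], delta))
    return ciphertext[:lo] + patched + ciphertext[hi:]


def seal(blob: bytes, mac_key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag so silent modification is detectable."""
    return blob + hmac.new(mac_key, blob, hashlib.sha256).digest()


def open_sealed(sealed: bytes, mac_key: bytes):
    """Return the blob if its tag verifies, else None.

    Caveat: an HMAC key that lives in the same process memory as the old
    XOR key is reachable by the same attacker. The structural fix is to keep
    the integrity secret (or the database itself) outside the reach of the
    code being checked, not merely to swap XOR for a better primitive.
    """
    blob, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(mac_key, blob, hashlib.sha256).digest()
    return blob if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    rec = pack_record("calc.exe", 114688, b"\x55\x8b\xec" + b"\x90" * 13)
    ct = xor_stream(rec, STUPID_XOR)
    print("key recovered:", recover_key(ct, rec, len(STUPID_XOR)) == STUPID_XOR)
    forged = tamper_first16(ct, rec, b"\xe8" * 16)
    print("forged record decrypts cleanly:", decrypt_database(forged, STUPID_XOR)[0])
    sealed = seal(ct, MAC_KEY)
    print("sealed copy rejects the same edit:",
          open_sealed(tamper_first16(sealed, rec, b"\xe8" * 16), MAC_KEY) is None)
```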
It looks like that (obviously, the exact values of the bytes were changed, I would not like Tegam to accuse me of publishing anything counterfeit ;)):

    stupid_xor:
        db 0, 0, 0, 0, 0, 0, 0, 0
        db 0, 0, 0, 0, 0, 0, 0, 0
        db 0, 0, 0, 0, 0, 0, 0, 0
        db 0, 0, 0, 0, 0, 0, 0, 0
        db 0, 0, 0

    stupid_xor_for_docs:
        db 0, 0, 0, 0, 0, 0, 0, 0
        db 0, 0, 0, 0, 0, 0, 0, 0
        db 0, 0, 0, 0, 0, 0, 0, 0
        db 0, 0, 0, 0, 0, 0, 0, 0
        db 0, 0, 0

There are two keys. One for executables, and one for documents. 35 and 30 bytes (plus 15 bytes in another key in another PoC). And that's it. All of what Guillermito "stole" from Viguard. 80 bytes from memory, not even executed code. More or less, Viguard weighing around 8 Mb, Guillermito cited 1/100,000th of this program. Ten millionths.

Isn't that a beautiful example of counterfeiting?

Computer experts who may be reading us now know that very often their own research could now be considered as "counterfeiting" in France, and they can be sued for 80 bytes.

You can check what is written above by reading for yourself the archived version of Guillermito's analysis page which detailed his research. Tegam filed a complaint on June 6th 2002. Here is Guillermito's page as archived on June 1st.

http://web.archive.org/web/20020601124224/http://www.pipo.com/guillermito/viguard/index.html

You can also play "The Game of Counterfeiting" by clicking here, to have some fun (find the red X which is **the** ten millionths cited above).

http://www.kitetoa.com/Pages/Textes/Textes/25012005-Tegam_versus_Guillermito/Documentation/17032005-contrefacon-le-jeu.shtm

From isn at c4i.org Wed Mar 30 01:35:32 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 30 01:50:30 2005
Subject: [ISN] Symantec's Anti-Virus Vulnerable To Crashes
Message-ID:

http://www.techweb.com/wire/security/159907804

[Symantec users better patch quickly!
http://news.com.com/Mytob+e-mail+worm+proliferating+quickly/2100-7349_3-5644978.html

or maybe not...

http://www.itnews.com.au/newsstory.aspx?CIaNCID=35&CIaNID=18367  - WK]

By TechWeb News
March 29, 2005

Symantec's Norton AntiVirus line has a pair of vulnerabilities that hackers could exploit to crash or hang a targeted PC, Symantec announced Monday.

The Cupertino, Calif.-based security company's consumer AntiVirus 2004 and AntiVirus 2005 series are at risk, said Symantec, as well as the Internet Security and SystemWorks lines, which bundle AntiVirus with other security or PC maintenance tools.

Errors can be forced, said Symantec, by attackers feeding specific file types to a machine protected by AntiVirus' Auto-Protect module, or by renaming a file on a network share that's then scanned by Auto-Protect. (Auto-Protect is Symantec's name for the real-time scanner that sniffs through files as they're opened or downloaded.)

The errors can cause the PC to either slow down to the point of being unusable, then crash, or hang, forcing its user to reboot.

Symantec has issued patches for the vulnerabilities and has already fed them to AntiVirus users who have Automatic LiveUpdate enabled. Others should run LiveUpdate immediately from within their copies of Norton AntiVirus.

Symantec posted a security alert on its Web site [1] with more details.

[1] http://securityresponse.symantec.com/avcenter/security/Content/2005.03.28.html

From isn at c4i.org Wed Mar 30 01:36:35 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 30 01:50:33 2005
Subject: [ISN] Stolen UC Berkeley Laptop Exposes Personal Data of Nearly 100,000
Message-ID:

Forwarded from: Mark Bernard

Dear Associates,

I'm sorry but Universities and Colleges aren't very good gauges of the growth of identity theft. The incident is more likely to be a measure of stupidity.
These institutions are high risk for attacks because they need to be open to share information, so I wouldn't even consider it a good measure of some student hacker's skills. I hope that whoever perpetrated this crime doesn't think that s/he's accomplished something.

What I would like to see is students take more responsibility and control over their private information. I know the thought that the words 'student' and 'responsibility' are in the same sentence doesn't make sense to some of us. I also think that student bodies need to step up to the plate here and show some leadership by helping their constituency protect themselves.

Best regards, Mark.

Mark E. S. Bernard, CISM, CISSP, PM,
Principal, Risk Management Services,
e-mail: Mark.Bernard@TechSecure.ca
Web: http://www.TechSecure.ca
Phone: (506) 325-0444

Leadership Quotes by John Quincy Adams: "If your actions inspire others to dream more, learn more, do more and become more, you are a leader."

----- Original Message -----
From: "InfoSec News"
To:
Sent: Tuesday, March 29, 2005 8:54 AM
Subject: [ISN] Stolen UC Berkeley Laptop Exposes Personal Data of Nearly 100,000

> http://www.washingtonpost.com/wp-dyn/articles/A7653-2005Mar28.html
>
> By MICHAEL LIEDTKE
> AP Business Writer
> March 28, 2005

From isn at c4i.org Wed Mar 30 01:36:54 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 30 01:50:36 2005
Subject: [ISN] Telecom Fraud, Cost Of Doing Nothing Just Went Up
Message-ID:

http://www.biosmagazine.co.uk/op.php?id=238

Craig Pollard
Head of Security Solutions
Siemens Communications
29.03.05

In today's business environment, IT network security is vitally important, with security breaches across voice and data networks growing by the day. Emotive terms such as 'cyber attack' and 'cyber-terrorism' are always certain to generate plenty of media excitement, with science-fiction visions of malevolent hackers creating vicious computer viruses to rampage through cyberspace, doing unseen and untold damage to the infrastructures that support our way of life.

However, while the reality of IT security is far more mundane than such science-fiction ideas, the threat to a network from malicious attack remains real and the consequences just as frightening. Every business is dependent upon information technology, which brings with it inevitable vulnerability. Dark rumours of underground hacker networks and conferences give rise to the belief in a vast and growing number of aggressive, deliberately destructive hackers.
Significantly, the methods these hackers adopt to gain unauthorised access to corporate resources are now also extending to embrace telecommunications systems.

The hacker phenomenon has a serious and far-reaching influence. Were communications on two continents ever disrupted by moving telecommunications satellites? Have computing resources belonging to government agencies ever been hacked? Have environmental controls in a shopping centre ever been altered via modem? The answer to all of these questions is yes. But, unlike other crime groups who receive high profile coverage in the media, the individuals responsible for these incidents are rarely caught.

As if that is not enough, unauthorised use of telecommunications facilities is the preferred methodology for people who sympathise or support terrorist organisations, and want their activities to remain invisible. The French authorities studying the Madrid train bombings in March 2004, for example, are investigating whether the bombers hacked into the telephone exchange of a bank near Paris as they were planning their attack. The telephone calls involved were made by phreaking - a practice similar to hacking that bypasses the charging system.

The PBX is among the most susceptible areas to telecommunications fraud. Typical methods of fraudulent abuse involve the misuse of common PBX functions such as DISA (Direct Inward System Access), looping, call forwarding, voicemail and auto attendant features.

Another area popular for frequent fraudulent exploitation is the maintenance port of PBXs. Hackers often use the dial-up modem attached to such ports to assist in remote maintenance activities. When a PBX is linked to an organisation's IT network - as is increasingly the case with call centres, for instance - a poorly protected maintenance port can offer hackers an open and undefended 'back door' into such critical assets as customer databases and business applications.
It is clearly important to balance the cost of securing your voice infrastructure against attack with the cost of doing nothing. The consequences of inaction can include: direct financial loss through fraudulent call misuse (internal or external); missed cost-saving opportunities, because surplus circuits go unidentified; adverse publicity, damage to reputation and loss of customer confidence; litigation and consequential financial loss; loss of service and inability to fulfil contractual obligations; and regulatory fines or increased regulatory supervision.

As is the trend with hacking data networks, the threat to PBXs comes primarily from within. For example, an employee, a contractor, or even a cleaner could forward an extension in a seldom-used meeting room to an overseas number and then make international calls by dialling a local-rate number into the office. The perpetrator could likewise be the beneficiary of a premium-rate telephone number in this country or abroad and leave phones off the hook, or on a redirect to that number, netting thousands of pounds in illicit gains over a weekend.

And, of course, let's not forget the new telecommunications technologies built around open communications via the Internet: IP-driven PBXs with all their adjunct devices, and the deployment of CTS (Computerised Telephone Systems), CTI (Computer Telephony Integration) and Voice-over-IP. With these technologies, the threats typically associated with data networks now reach voice networks too, so IT and telecoms managers need to be even more alert to both new and existing threats. Without diligent attention, telecoms systems are in grave danger of becoming the weak link in the network and utterly defenceless against targeted attacks by hackers.

So what practical measures can telecom or IT managers take to help prevent becoming a victim of telecom fraud?
One of the most effective approaches to improving the security of telephony systems is to conduct regular audits of:

- station privileges and restrictions
- voice and data calling patterns
- public and private network routing access
- automatic route selection
- software defined networks
- private switched and tandem networks
- system management and maintenance capabilities
- auto attendant and voicemail systems
- direct inward system access (DISA)
- call centre services (ACD)
- station message detail reporting
- adjunct system privileges
- remote maintenance protection
- primary cable terminations, and the physical security of the site and equipment rooms

Other measures include reviewing the configuration of your PBX against known hacking techniques, and comparing configuration details against best practice and any regulatory requirements that may pertain to your industry sector. Ensure default voicemail and maintenance passwords are changed, and introduce a policy to prevent easily guessable passwords being used. Make sure that the policy demands regular password changes, and take steps to ensure the policy is enforced.

Installing a call logging solution, to provide notification of suspicious activity on your PBX, is a useful measure and one that can often give valuable early warning of an attack. In addition, review existing PBX control functions that might be at risk or which could allow errors to occur.

Be aware that many voice systems now have an IP address and are therefore connected to your data network, so you must assess what provisions you have to segment the two networks. Security exposures can also result from the way multiple PBX platforms are connected across a corporate network, or from interconnectivity with existing applications.
Research and investigate operating system weaknesses - including analytical findings, manufacturer recommendations, prioritisation, and what needs mitigating or closing - and implement a regular schedule for reviewing server service packs, patches, hot-fixes and anti-virus software.

Finally, formalise and instigate a regular testing plan that prioritises the elements and components to be assessed, and supplement it with a series of probing exercises to confirm the effectiveness of the security controls in use.

From isn at c4i.org Wed Mar 30 01:37:09 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 30 01:50:38 2005
Subject: [ISN] Phone hackers tap into hospital
Message-ID:

http://finance.news.com.au/story/0,10166,12699755-31037,00.html

By Paul Osborne
March 30, 2005

Cyber criminals have hacked into a private hospital's telephone system, racking up almost $5000 in international calls in an attack experts warn is becoming increasingly common.

Hackers believed to be operating from overseas tapped into the PABX system at Canberra's John James Hospital. They then made between $4000 and $5000 worth of calls to South America and the Asia Pacific region in 24 hours from 1.30am on March 22.

Telstra technical staff who monitor irregular spikes in calls notified the hospital and the system was shut down.

Hospital chief executive Phil Lowen said that if it was not for the warning from Telstra it was possible a bill of $50,000 to $100,000 could have been run up over the Easter break.

Experts say older Private Automatic Branch Exchange systems, or PABX, which are used in many companies and organisations across the country, are vulnerable to such attacks.

ACT Policing spokesman Sandi Logan said it had been the first big attack of its kind in Canberra this year, but there had been two others last year. Mr Logan said an investigation into the two previous matters found it was likely the attackers were based overseas.
But the location of the offenders could not be determined and the investigations hit a dead end.

"What we are resigned to accepting on the cases thus far is that it may just be impossible to determine a jurisdiction so that we can seek assistance on a formal basis from telecommunications providers or law enforcement agencies," he said.

"But we are treating the matter seriously and we continue to do our best to assist victims within our own jurisdiction."

Telstra and police have warned PABX users to fix any vulnerabilities in their systems. "They've got to harden the target," Mr Logan said.

ACT police are awaiting a report from Telstra before the John James Hospital investigation goes any further.

Telstra estimates that up to 20 organisations are attacked by "phreaks", as the telephone hackers are known, every month. But the extent of the damage varies depending on whether the phreaks made calls, or simply listened in to other calls or changed messages on phone systems.

Mr Lowen said the hospital's PABX had a facility which allowed someone to dial in from outside the hospital to check the system. It appeared that hackers had dialled into the line and then made international calls.

"It looks like it was some sort of organised group," Mr Lowen said. "It was ... like we were being used for someone else's business for a while."

The director of the Australian High Tech Crime Centre, Federal Agent Kevin Zuccato, said it was hard to put a figure on the impact of hacking, but there was no doubt criminals were becoming more astute.

"I think that that type of crime is only limited by the imagination of the criminals who perpetrate them," Mr Zuccato told ABC radio. "I think we are going to see some far greater sophistication in terms of the attacks."
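The Siemens piece above recommends a call logging solution that notifies you of suspicious activity on the PBX, and the hospital story shows what such a notification has to catch: a run of international calls placed through the dial-in facility from 1.30am, spotted by the carrier's spike monitoring rather than by the PBX owner. The following is an added example, not code from either article or from any PBX vendor, of the rules a call-logging monitor would run over exported call detail records (CDRs). The CDR format, the extension and facility names (DISA, MAINT), the dialled numbers and the dialling prefixes (Australian-style 0011 for international and 1900 for premium rate) are all constructed for the example; real PBXs export CDRs in vendor-specific formats, so parse_cdr() is the part you would adapt.

```python
"""Flag toll-fraud indicators in PBX call detail records (CDRs).

Added example. The CDR layout, source names, numbers and prefixes are
constructed for illustration and are not from any real PBX export.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed numbering plan for the example (Australian-style). Adjust to yours.
INTERNATIONAL_PREFIXES = ("0011", "+", "00")
PREMIUM_PREFIXES = ("1900",)
BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 counts as business hours
SUSPECT_SOURCES = {"DISA", "MAINT"}    # dial-in access port and maintenance modem

# Constructed sample export: timestamp,source,destination,duration_s
SAMPLE_CDR = """\
# timestamp,source,destination,duration_s
2005-03-21T14:02:11,ext201,0299998888,95
2005-03-21T15:40:00,ext204,001144201234567,310
2005-03-22T01:30:05,DISA,00115411555001,540
2005-03-22T01:38:20,DISA,00115411555002,610
2005-03-22T01:45:51,DISA,00116321555003,480
2005-03-22T01:52:09,DISA,00115511555004,700
2005-03-22T02:01:33,DISA,00115411555005,655
2005-03-22T09:15:00,ext210,1900555123,1200
"""


@dataclass(frozen=True)
class Call:
    when: datetime
    source: str        # extension, or the PBX facility the call came in on
    destination: str   # dialled digits
    duration_s: int


def parse_cdr(text: str) -> list[Call]:
    """Parse comma-separated CDR lines; blank lines and '#' comments are skipped."""
    calls = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dur = (field.strip() for field in line.split(","))
        calls.append(Call(datetime.fromisoformat(ts), src, dst, int(dur)))
    return sorted(calls, key=lambda c: c.when)


def is_international(number: str) -> bool:
    return number.startswith(INTERNATIONAL_PREFIXES)


def is_premium(number: str) -> bool:
    return number.startswith(PREMIUM_PREFIXES)


def flag_calls(calls: list[Call], window: timedelta = timedelta(hours=1),
               burst_threshold: int = 5) -> list[tuple[str, Call]]:
    """Return (reason, call) pairs for every call matching a fraud indicator.

    after-hours-intl  international call outside business hours
    disa-intl         international call that came in via DISA or the
                      maintenance modem (the hospital's dial-in facility)
    premium           call to a premium-rate number
    intl-burst        at least burst_threshold international calls from one
                      source inside `window` (the carrier-style spike alarm;
                      reported once per source)
    """
    alerts: list[tuple[str, Call]] = []
    recent: dict[str, deque[datetime]] = defaultdict(deque)
    burst_reported: set[str] = set()
    for c in calls:
        if is_premium(c.destination):
            alerts.append(("premium", c))
        if not is_international(c.destination):
            continue
        if c.when.hour not in BUSINESS_HOURS:
            alerts.append(("after-hours-intl", c))
        if c.source in SUSPECT_SOURCES:
            alerts.append(("disa-intl", c))
        q = recent[c.source]
        q.append(c.when)
        while q and c.when - q[0] > window:   # drop calls outside the window
            q.popleft()
        if len(q) >= burst_threshold and c.source not in burst_reported:
            alerts.append(("intl-burst", c))
            burst_reported.add(c.source)
    return alerts


def summarize(alerts: list[tuple[str, Call]]) -> dict[str, int]:
    """Count alerts per reason, e.g. for a daily report or a threshold check."""
    counts: dict[str, int] = defaultdict(int)
    for reason, _ in alerts:
        counts[reason] += 1
    return dict(counts)


if __name__ == "__main__":
    for reason, call in flag_calls(parse_cdr(SAMPLE_CDR)):
        print(f"{call.when:%Y-%m-%d %H:%M} {reason:17} {call.source:7} {call.destination}")
    print(summarize(flag_calls(parse_cdr(SAMPLE_CDR))))
```

On the sample data the DISA calls raise the after-hours and dial-in rules individually, and the fifth of them within the hour raises the burst rule, which is the point at which a monitor would page someone rather than merely log. The window and threshold are tuning knobs: a site with a legitimate overseas night shift will whitelist those extensions or raise the threshold, and the prefix tables must match the local numbering plan or every rule is wrong.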
From isn at c4i.org Wed Mar 30 01:37:25 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 30 01:50:41 2005
Subject: [ISN] Mitnick sequel fails to hack it
Message-ID:

http://www.theregister.co.uk/2005/03/29/mitnick_sequel_review/

[ http://www.amazon.com/exec/obidos/ASIN/0764569597/c4iorg - WK]

By Charles Arthur
29th March 2005

Book review

Sequels are hard. Just ask John Travolta, currently being panned by the critics for his efforts in Be Cool, the would-be follow-up to the tremendously successful film Get Shorty. In books, as in films and music, following instant success is often harder than achieving it, because the former may be the labour of years but the latter has to be built from what's immediately available.

Thus one can imagine the challenge Kevin Mitnick, and his co-author (and already published author) William D. Simon, faced after the plaudits showered on their first product, the 2002 book The Art Of Deception.

We need not go over the merits of that book (though you can read them up)[1]. Suffice to say they were many, principally because it focussed on social engineering - the technique of getting your victims to help you break in, rather than sitting whey-faced in a darkened room staring at a screen running Netstat. Social engineering is really, really hard to defend against, because you can't just plug in something and feel safe. It's about people, and people can be persuaded to do and say almost anything.

But Mitnick clearly poured much of his life experience before prison into that book. Now he's a security consultant, whose clients would likely be unhappy about having exploits or weaknesses broadcast to the world. So what to do when the publishers suggest a follow-up? And what to call it?

The solution: pull together tales from other hackers of how they did what they did, and call it something similar to the first book - specifically, The Art of Intrusion (subtitled 'The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers').
Thus the first chapter describes how a team of clever programmers set out to empty the computer-controlled poker-playing machines in Las Vegas by working out how the underlying code worked, and thus when a winning hand was on the way. It's Ocean's Eleven sans George Clooney, Julia Roberts, and swish locations; instead there's firmware reverse-engineering and miniature computers concealed in shoes. But the team made a million, at least, and weren't caught.

The next chapter is the tale of some hackers who may, or may not, have been encouraged by a terrorist - from al-Qaeda? - to download details from Boeing, and break into the White House website. The hackers got busted; but what's not clear is whether the person who urged them on truly was a Pakistani terrorist, or an FBI plant to smoke out disloyal (or just dumb) hackers, or perhaps a double agent.

It was around this point I got that 'sequel discomfort'. Whereas Art of Deception had a simple theme - how social engineering gets around your computer defences - Art of Intrusion is less sure of its ground. Is it about hacking? But there's plenty of stuff out there, from Clifford Stoll's The Cuckoo's Egg [2] onwards, about that. This didn't have the tidiness of the first book; like real life, it had too many loose ends and uncertainty.

My unease continued with the story of some prisoners who had been allowed almost unlimited use of computers while inside a US state prison, the trailing of a hacker through Boeing (again), and the saga of Adrian Lamo [3], the "Robin Hood hacker" who got hit hard by the FBI when he was found to have - gasp - hacked into the New York Times and even done some unauthorised Lexis/Nexis searches, as well as - shock! - cheekily added his name to the list of op-ed ("leader page", in the UK) contributors.

The stories are diverting enough, but what do they tell us?
Mitnick does make the useful point that the charges hackers face often bear little relation to the actual damage or cost done; in Lamo's case, he was charged among other things with making $300,000 worth of Lexis/Nexis searches via his intrusion into the NYT. But as Mitnick notes, the NYT pays a monthly fee for unlimited Lexis/Nexis searches, so Lamo didn't cost it a penny extra. The injustice of hacking charges, while a perennial Mitnick bonnet-bee, is however hardly a theme on which to hang a whole book.

Only towards the end does a message emerge, and even then I'm not sure it's quite what Mitnick intended. Chapter 8 details how one lone hacker broke into a film software company and stole its latest product's source code. Doing so took months, or years; he then posted the code to one of the underground warez sites. To what end? None, really, since only a specialist could use the program, and would need very powerful machines to create anything usable.

The next chapter describes a team who, for fun, hacked the mobile system used by a security company which ferries around prisoners and large amounts of money (not in the same van). Having cracked it, what did they do? Nothing - and they didn't tell the company either.

The nihilism of hacking is thus laid bare. Unless it's tied to the task of protecting people and what they do against real criminals, then hacking here lies exposed as a pointless activity, as useful as kicking in the windows of bus shelters; it keeps glaziers employed, but is a disservice to most everyone else.

I'm pretty sure that's not the message Mitnick intended. Although there's no sense that he delights in what hackers do, he doesn't question the ethics or sense in stealing a program that few can use, to distribute for underground kudos. The point that is made, again and again, is that hackers will find a way in if one exists, and that any sort of communication will somehow be compromised.
Against determined hackers, the gods themselves contend in vain.

Yes, you should read this if you're nominally in charge of the security of a company system where you value any of your information. The "tips" at the end of each chapter might offer some assistance, but they're less useful than those in the first book. More helpful would be to show a couple of the chapters - particularly Chapter 8 - to whoever holds the purse-strings for your company's computer security. It'll either prompt a huge boost in the budget, or a 100 per cent cut, on the basis that there's no point protecting against obsessives.

Then again, you could follow the example of one systems manager who asked Lamo to show him the weaknesses in the system. As Lamo tells it, "They said to me, 'How would you secure this machine?' I pulled out my pocketknife, one of those snazzy one-handed little openers. And I just went ahead and cut the cable and said, 'Now the machine's secure.'

"They said 'That's good enough.' The engineer wrote out a note and pasted it to the machine. The note said, 'Do not reattach'."

I'd like to think it'll be a while before Mitnick reattaches to the task of writing about hacking. He has a unique perspective, and in Simon, a powerful co-writer. But the problem (and at the criminal end, it's a severe one) needs a mature outlook. Mitnick helps us get inside the minds of hackers. But he needs to get them to see outside their heads too - and realise their actions don't exist in an ethical vacuum. That will be what musicians call "the difficult third one". If I were his publishers, I wouldn't be pushing too hard for it just yet.
The Art of Intrusion by Kevin Mitnick and William Simon, publ Wiley, ISBN 0-7645-6959-7

[1] http://www.theregister.co.uk/2003/01/13/kevin_mitnicks_lost_bio/
[2] http://www.amazon.com/exec/obidos/ASIN/0743411463/c4iorg
[3] http://en.wikipedia.org/wiki/Adrian_Lamo

From isn at c4i.org Wed Mar 30 01:42:59 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Mar 30 01:50:43 2005
Subject: [ISN] Tuck considers apps from accused hackers
Message-ID:

http://www.thedartmouth.com/article.php?aid=2005032901040

By AnnMary Matthew
The Dartmouth Staff
March 29, 2005

Dartmouth's Tuck School of Business chose last week not to follow Harvard Business School's lead in automatically denying admission to applicants accused of hacking into an admissions processing website to learn the decision on their applications early, Tuck Dean Paul Danos said in a press release.

"The involvement in this incident was deemed a very important, negative factor, but only one of many factors in our admissions decisions," Danos said.

Dartmouth is one of over ten business schools that used an online application system built by ApplyYourself.com. The website was programmed such that an applicant could view his or her decision early simply by manually navigating to a webpage containing a system-supplied identification number.

A committee of Tuck faculty and staff examined the situation last week after Harvard announced that it would automatically reject all applicants found to have hacked into the website. Danos said he considered the committee's deliberations in arriving at the final decision.

"We concluded that the actions did not reach the level that would necessarily bar a person from being a valued member of the Tuck community," Danos said.

Guilty applicants will be given an opportunity to explain their actions in statements supplementing their applications, and each case will still be considered individually, with the applicant's actions and explanation considered as an important factor.
If a guilty applicant does receive admission, he will be monitored and counseled while enrolled. Applicants who were not admitted will still be allowed to re-apply in the future.

The decision sharply contrasted with Harvard's decision to automatically reject the 119 applicants to its business school who had accessed its website early. MIT's Sloan School of Management and Carnegie Mellon's Tepper School of Business followed suit with similar decisions. Stanford, on the other hand, chose a course of action similar to that announced by Danos, calling on applicants who exploited the software loophole to come forward and explain their actions.

Harvard Business School Dean Kim Clark called the applicants' actions "a serious breach of trust that cannot be countered by rationalization," especially at a time when a myriad of corporate scandals have called the integrity of those at the top of the business world into question. But others have accused Harvard of ethical grandstanding and maintain that automatic rejection is far too harsh for the crime committed.

"Trying to maintain proportionality between transgressions and consequences was a strong guiding principle," Danos said of Tuck's policy.

The controversy brings forward a question that is only beginning to be asked: whether someone who does something wrong while sitting in front of a computer should face the same consequences as someone who does something wrong in real life. For Harvard and the other schools that made similar decisions, the answer is an unambiguous yes.

"To us, an ethical breach is an ethical breach whether it happens digitally or in the real world," Clark told the New York Times. An MIT Sloan School dean told the Washington Post that the applicants' actions were like breaking into an admissions office at night to see how one's own application fared.

Instructions for hacking into ApplyYourself were posted on a BusinessWeek message board in early March.
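The flaw the article describes, a system-supplied identification number in the URL with no check that the number belongs to the applicant who is logged in or that the decision has been released, is what is now called an insecure direct object reference. The following is an added illustration, not ApplyYourself's code and not a reconstruction of it: a decision lookup that trusts the id in the query string, beside one that also requires the record to belong to the authenticated account and the release date to have passed. Applicant ids, account names, decisions and the release date are constructed for the example.

```python
"""Decision lookup: insecure direct object reference beside the fixed version.

Added illustration; not ApplyYourself's code. Every id, account, decision
and date below is constructed for the example.
"""
from __future__ import annotations

from datetime import date
from urllib.parse import parse_qs, urlparse

# Constructed records: applicant id -> (owning account, decision, release date)
DECISIONS = {
    "10481": ("alice", "admit", date(2005, 3, 30)),
    "10482": ("bob", "deny", date(2005, 3, 30)),
}


def _applicant_id(url: str) -> str:
    """Extract the 'id' query parameter from the requested URL ('' if absent)."""
    return parse_qs(urlparse(url).query).get("id", [""])[0]


def decision_vulnerable(url: str) -> str:
    """The flawed pattern: the id in the URL is the only thing consulted.

    Anyone who knows or guesses an id reads that record, and an applicant
    who knows their own id reads it before the release date.
    """
    record = DECISIONS.get(_applicant_id(url))
    if record is None:
        return "not found"
    return record[1]


def decision_fixed(url: str, session_account: str, today: date) -> str:
    """Authorisation comes from the server-side session, not from the URL.

    The id still selects the record, but it is returned only if
      (1) the record belongs to the account the session authenticated, and
      (2) the release date has been reached.
    A wrong owner gets the same 'not found' as a missing id, so the
    response does not confirm which other ids exist.
    """
    record = DECISIONS.get(_applicant_id(url))
    if record is None or record[0] != session_account:
        return "not found"
    _owner, decision, release = record
    if today < release:
        return "not yet released"
    return decision


if __name__ == "__main__":
    url = "https://example.invalid/decision?id=10482"
    print("vulnerable, no login needed:", decision_vulnerable(url))
    print("fixed, alice asks for bob's id:", decision_fixed(url, "alice", date(2005, 4, 1)))
    print("fixed, bob before release:   ", decision_fixed(url, "bob", date(2005, 3, 2)))
    print("fixed, bob on release day:   ", decision_fixed(url, "bob", date(2005, 3, 30)))
```

Making the id long and random would stop applicants from enumerating other people's records, but it is not an authorisation check and does nothing about the early-access problem; the ownership and release-date tests in the handler are the fix, and they belong on every route that takes an object id, not just this one.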
Most business schools' decisions are scheduled to go out around March 30. The poster, who called himself "brookbond", wrote, "I know everyone is getting more and more anxious to check status of their apps to [Harvard Business School] so I looked around their site and found a way."

Some believe that the procedure doesn't even pass the bar for what would be considered "hacking", while others maintain that it would become evident to anyone going through the steps that they were doing something wrong.

But one of the business-savvy applicants who was rejected from Harvard has tried to create business success from educational and ethical failure. He is selling shirts featuring the slogan "Ethical, Shmethical: save the HBS 119."

From isn at c4i.org Thu Mar 31 01:37:41 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Mar 31 01:47:03 2005
Subject: [ISN] Security UPDATE -- In Focus: pGina Open Source GINA Replacement -- March 30, 2005
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Free Info Kit on Automating Patch Management
http://list.windowsitpro.com/t?ctl=6511:4FB69

New NetOp Remote Control v 8.0
http://list.windowsitpro.com/t?ctl=64FE:4FB69

====================

1. In Focus: pGina Open Source GINA Replacement

2. Security News and Features
- Recent Security Vulnerabilities
- Altiris to Acquire Pedestal Software
- BMC Acquires OpenNetwork
- Consolidated Security Event IDs in Windows 2003

3. Security Toolkit
- Security Matters Blog
- FAQ
- Security Forum Featured Thread

4. New and Improved
- Encryption with Two-Factor Authentication

====================

==== Sponsor: PatchLink ====

Free Info Kit on Automating Patch Management
Now, in a free information kit, learn how easily you can identify, deploy, and maintain patches critical to the security and availability of your network. You'll also discover how you can maintain bulletproof security -- against a range of threats -- at every network endpoint. This information-packed kit, from the pros at PatchLink, also shows you how to reduce IT workload by automating the installation of critical patches while being confident that all installed patches are pre-tested -- without having to do the testing. Click here to get your Free "Automating Patch Management" Kit now, and learn how to ease one of your biggest IT burdens. Download your Free Kit at:
http://list.windowsitpro.com/t?ctl=6511:4FB69

====================

==== 1. In Focus: pGina Open Source GINA Replacement ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

You're probably aware that the Windows Graphical Identification and Authentication (GINA) DLL is the interface used for logons during user authentication. You might also be aware that you can install a GINA replacement if you need to use nonstandard authentication methods or to integrate additional authentication types, such as a fingerprint logon system.

It's probably not wise to replace GINA unless you really need to, because doing so could weaken both your system and network security. But in some cases, that might not matter to you as much as the management headache that you'd incur if you didn't replace GINA. Some vendors--particularly those that make alternative authentication systems--offer GINA replacements to help integrate their products into a Windows platform. But there are undoubtedly some network architectures in which you'd really like to have a GINA replacement, yet haven't found anything suitable that can address all your needs.
Recently in SecurityFocus's Focus-MS mailing list, someone mentioned an open-source GINA replacement, pGina, that seems like it could be helpful to those with diverse authentication needs. pGina, from XPA Systems, is unique in that it uses a plug-in architecture that lets you add just about any kind of authentication mechanism you can imagine. If there isn't a plug-in that meets your needs, then you can use the source code to develop one or have someone develop a plug-in for you. Depending on your needs and network architecture, pGina might let you centralize all your user credentials, which could save a lot of time and effort in management.
http://list.windowsitpro.com/t?ctl=6514:4FB69

Numerous plug-ins are already available for pGina. For example, the Remote Authentication Dial-In User Service (RADIUS) plug-in lets you authenticate users to any RADIUS server. The ACE plug-in lets you use RSA Security's RSA SecurID two-factor authentication system for Windows logons--although, last I heard, RSA does offer its own GINA replacement. Another interesting plug-in works with MySQL open-source database servers, which could be used to store user credentials. Yet another plug-in works with the Bluesocket architecture, which is very useful for authenticating mobile users. There are also plug-ins for Network Information Service (NIS) servers, Lightweight Directory Access Protocol (LDAP) servers, OpenAFS (based on the Andrew File System), and more.

GINA replacements are also available from other sources. FrontMotion sells source code to a GINA replacement that supports most versions of Windows and includes domain support and Active Directory (AD) support. Doug Scoular offers a free GINA replacement that helps integrate Windows with Unix or Linux platforms by using FTP as an authentication mechanism (bear in mind that FTP sends the user name and password in the clear, so that approach only makes sense on a network segment you trust). Deakin University offers free GINA source code that can be used to authenticate with NIS servers.
http://list.windowsitpro.com/t?ctl=6512:4FB69
http://list.windowsitpro.com/t?ctl=6510:4FB69
http://list.windowsitpro.com/t?ctl=6515:4FB69

====================

==== Sponsor: CrossTec ====

FREE Download -- The Next Generation of End-Point Security is Available Today.
NEW NetOp Desktop Firewall's fast 100% driver-centric design offers a tiny footprint that protects machines even before Windows loads - without slowing them down. NetOp is also the only solution to provide process control as well as application control to give you the highest level of security. The NetOp Desktop Firewall utilizes real-time centralized management and control, intelligent network detection, stateful packet filtering, port blocking, protection from process hijacking, and much more. Try it FREE.
http://list.windowsitpro.com/t?ctl=64FE:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=6504:4FB69

Altiris to Acquire Pedestal Software
Altiris announced that it will acquire Pedestal Software in a deal valued at $65 million. Altiris further said that after the deal closes at the end of March, the company will immediately begin integrating Pedestal products into its distribution channels and will continue offering Pedestal's SecurityExpressions and AuditExpress products as standalone solutions.
http://list.windowsitpro.com/t?ctl=6509:4FB69

BMC Acquires OpenNetwork
BMC Software announced that it has reached an agreement to acquire OpenNetwork, makers of Web application management and single sign-on (SSO) technology.
BMC said OpenNetwork's solutions will allow BMC to expand its browser-based authentication and authorization offerings, which complement its existing offerings for workflow, audit and compliance, enterprise-enabled SSO, provisioning, and directory content management.
http://list.windowsitpro.com/t?ctl=650B:4FB69

Consolidated Security Event IDs in Windows 2003
Randy Franklin Smith tells why Windows Server 2003 domain controllers (DCs) don't report domain-account authentication failures, except for bad password attempts.
http://list.windowsitpro.com/t?ctl=650A:4FB69

====================

==== Resources and Events ====

The Essential Guide to Active Directory Management
Migrating from NDS and/or eDirectory to AD means changes in the way you manage your network, users, and network resources. Download this Essential Guide to Active Directory Management and learn hands-on approaches that reduce management complexity, IT workload, and costs and improve security--all with minimal impact on your organization. Download this guide today.
http://list.windowsitpro.com/t?ctl=6503:4FB69

Get Chapter 2 of "SQL Server Administration for Oracle DBAs"
Learn the key concepts that give Oracle DBAs a firm foundation in mapping Oracle database-management skills, knowledge, and experience to SQL Server database management. Chapter 2 of this free eBook discusses SQL Server management, including managing memory, processes, storage, sessions and transactions, and low-level structures (e.g., locks, latches). Download Chapter 2 now!
http://list.windowsitpro.com/t?ctl=6500:4FB69

Attend This Free Web Seminar for a Chance to Win a $1000 American Express Gift Check!
Achieve High Availability and Disaster Recovery for Microsoft Servers. In this Web seminar, discover what it takes to minimize the likelihood of downtime through reliability and resilience in your Microsoft server environment, including Exchange Server, SQL Server, File Server, IIS, and SharePoint. Sign up today!
http://list.windowsitpro.com/t?ctl=64FF:4FB69

Hey Europe! Get Ready to Become the Next Gatekeeper Champion
Get a leg up on your fellow European IT pros by getting all the study materials you'll need to help you prepare for the next Gatekeeper competition on April 4. Windows IT Pro will help you hone your security skills and become the ultimate IT security expert. Start preparing now by visiting:
http://list.windowsitpro.com/t?ctl=6505:4FB69

Sensible Best Practices for Exchange Availability On-Demand Web Seminar
If you're discouraged about not having piles of money for improving the availability of your Exchange server, join Exchange MVP Paul Robichaux for this free Web seminar and learn how to maximize your existing configuration. Survive unexpected outages, plan for the unplannable, and evaluate what your real business requirements are without great expense. Register now!
http://list.windowsitpro.com/t?ctl=6501:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=650F:4FB69

Patching with WSUS
If you're interested in using Windows Server Update Services (WSUS--formerly Windows Update Services), then you might consider watching Microsoft's new on-demand TechNet Webcast, "Introduction to Security Patching Using Windows Update Services." The Webcast offers insight into WSUS's new features and offers planning and deployment guidance. Microsoft also released a WSUS release candidate (RC) and said that after April 22, WUS beta 2 will no longer receive updates. So if you were testing the beta, you need to update your copy to the RC.
http://list.windowsitpro.com/t?ctl=6508:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=650D:4FB69

Q: How can I deploy missing patches to my Microsoft Systems Management Server (SMS) clients?
Find the answer at
http://list.windowsitpro.com/t?ctl=6507:4FB69

Security Forum Featured Thread: Password Control Via IIS
A forum participant has an intranet that requires domain authentication for access to data on one Windows 2000 Server machine. He's set a password timeout period for x number of days. But users don't see a password expiration warning because they log on via an IIS site. In addition, passwords seem to stop working for some time before they expire. How can he deliver a password expiration notification to the users? Join the discussion at
http://list.windowsitpro.com/t?ctl=6502:4FB69

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Get Windows IT Pro at 44% Off!
Windows & .NET Magazine is now Windows IT Pro! Act now to get an entire year for just $39.95--that's 44% off the cover price! Our March issue shows you what you need to know about Windows Server 2003 SP1, how to get the best out of your IT staff, and how to fight spyware. Plus, we review the top 10 features of Mozilla Firefox 1.0. This is a limited-time, risk-free offer, so click here now:
http://list.windowsitpro.com/t?ctl=650C:4FB69

====================

==== 4. New and Improved ====
by Renee Munshi, products@windowsitpro.com

Encryption with Two-Factor Authentication
Mobile Armor announced that its PolicyServer and DataArmor products have "RSA SecurID Ready" certification, meaning that they now integrate with RSA SecurID two-factor authentication technology. DataArmor software provides preboot authentication and high-speed full-device encryption, especially for mobile devices; PolicyServer integrates DataArmor with other security software such as antivirus solutions, VPNs, and firewalls. For more information, go to
http://list.windowsitpro.com/t?ctl=6516:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden?
Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Contact Us ====

About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=6513:4FB69
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=6506:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.
From isn at c4i.org Thu Mar 31 01:38:29 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Mar 31 01:47:08 2005
Subject: [ISN] Stolen UC Berkeley Laptop Exposes Personal Data of Nearly 100,000
Message-ID:

Forwarded from: Adam Shostack

On Wed, Mar 30, 2005 at 12:36:35AM -0600, InfoSec News wrote:
| Forwarded from: Mark Bernard
|
| Dear Associates,
|
| I'm sorry but Universities and Colleges aren't very good gauges on the
| growth of identity theft. The incident is more likely to be a measure
| of stupidity.
|
| These institutions are high risk for attacks because they need to be
| open to share information, so I wouldn't even consider it a good
| measure of some student hacker's skills. I hope that whoever
| perpetrated this crime doesn't think that s/he's accomplished
| something.

Open to share financial and administrative information? Are the registrar's offices also open? There are substantial differences between research and academic needs and the operational/business needs of a university.

| What I would like to see is students take more responsibility and
| control over their private information. I know the thought that the
| words 'student' and 'responsibility' are in the same sentence doesn't
| make sense to some of us. I also think that student bodies need to
| step up to the plate here and show some leadership by helping their
| constituency protect themselves.

Huh? The students are legally mandated to provide the information that's stolen. That information is verified at several different steps: financial aid, foreign student tracking, tax payments, etc. What, precisely, would you suggest a student do to take more responsibility? Choose not to go to school at UC Berkeley, Harvard, Stanford, or any of the other schools hit by hackers/who exposed their admissions data via careless use of Apply Yourself software?
Adam

| ----- Original Message -----
| From: "InfoSec News"
| To:
| Sent: Tuesday, March 29, 2005 8:54 AM
| Subject: [ISN] Stolen UC Berkeley Laptop Exposes Personal Data of Nearly 100,000
|
|
| > http://www.washingtonpost.com/wp-dyn/articles/A7653-2005Mar28.html
| >
| > By MICHAEL LIEDTKE
| > AP Business Writer
| > March 28, 2005
| >
| > SAN FRANCISCO (AP) -- A thief has stolen a computer laptop
| > containing personal information about nearly 100,000 University of
| > California, Berkeley alumni, graduate students and past applicants,
| > continuing a recent outbreak of security breakdowns that has
| > illustrated society's growing vulnerability to identity theft.
| >
| > University officials announced the March 11 theft on Monday under a
| > state law requiring that consumers be notified whenever their Social
| > Security numbers or other sensitive information has been breached.
| >
| > Notifying all of the 98,369 people affected by the UC Berkeley
| > laptop theft could prove difficult because some of the students
| > received their doctorate degrees nearly 30 years ago, university
| > officials said.
| >
| > The laptop -- stolen from a restricted area of a campus office --
| > contained the Social Security numbers of UC Berkeley students who
| > received their doctorates from 1976 through 1999, graduate students
| > enrolled at the university between fall 1989 and fall 2003 and
| > graduate school applicants between fall 2001 and spring 2004. Some
| > graduate students in other years also were affected.

From isn at c4i.org Thu Mar 31 01:38:48 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Mar 31 01:47:12 2005
Subject: [ISN] Teen hacker behind 'Blaster' worm won't have to pay $500,000 penalty
Message-ID:

http://www.startribune.com/stories/789/5320240.html

Associated Press
March 31, 2005

SEATTLE -- First, it was a federal judge who took pity on Jeffrey Lee Parson. Now, it's Microsoft Corp.
The 19-year-old from Hopkins won't have to pay the $500,000 in restitution he owes the company for releasing a version of the Blaster Internet worm that attacked Microsoft's Web site in the summer of 2003. Instead, the company said in court documents filed late Tuesday, he can work it off: 225 hours of community service that won't involve computers.

U.S. District Judge Marsha Pechman still must sign the agreement.

Pechman sentenced Parson in January to a year and a half in prison -- half the time prosecutors had asked for -- followed by 100 hours of community service and three years of supervised release. The judge blamed his parents for not taking more of an interest in his life. The parties earlier stipulated that the restitution owed was $500,000. Parson apologized to the court and to Microsoft at his sentencing.

Versions of the Blaster worm, also known as the LovSan virus, crippled computer networks worldwide. Parson pleaded guilty last summer to one count of intentionally causing or attempting to cause damage to a protected computer for modifying the Blaster worm and using it to launch a distributed denial-of-service attack against a Microsoft Windows update Web site as well as personal computers. Parson's version crippled an estimated 48,000 computers.

Parson is to work off his debt to Microsoft during his three years of supervised release -- 75 hours per year. The service is not to involve computers or the Internet, and is to benefit less fortunate members of his community, the agreement said.

"We're pleased this prosecution has been fully resolved with a prison sentence and appropriate restitution," said Tim Cranton, senior attorney with the Internet Safety Enforcement group at Microsoft. "Mr. Parson's additional community service will have a stronger impact on him in serving his sentence."
From isn at c4i.org Thu Mar 31 01:39:10 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Mar 31 01:47:15 2005
Subject: [ISN] Ten questions about Sarbanes-Oxley compliance
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,100646,00.html

Opinion by Kim Getgen
Reconnex
MARCH 30, 2005
COMPUTERWORLD

Imagine this scenario: You are a CIO at a publicly traded company in turmoil, and your chief financial officer was forced to resign at the end of last quarter after material weakness concerns were raised by your external auditors. Three months ago, the Securities and Exchange Commission got involved and launched a formal investigation, and your company is now constantly scrutinized. It's time for your CEO to report earnings, and it's not good news.

Now your general counsel adds more bad news. Under the Sarbanes-Oxley Act, your management must demonstrate that adequate internal controls have been established to safeguard confidential information from being compromised during the "blackout." With the rumor mill running rampant, you know the likelihood of an internal disclosure concerning earnings information is high. However, you have no means to detect these communications if they are leaked in a Web mail or a post to an Internet bulletin board. Even if you could detect this, what information should you protect? Is there a blueprint compliance strategy that could be deployed in a way that could detect all electronic disclosures?

There are solutions available, but first you must understand Sarbanes-Oxley, how it affects your business and what information -- by law -- needs to be protected. You and your CEO must know the answers to the following 10 questions in order to prepare and prove that you have deployed the right mix of internal controls:

1. What types of information must be protected by internal controls according to Sarbanes-Oxley?
Information should be considered nonpublic if it isn't widely disseminated to the general public, and that includes information held or sent electronically. Unauthorized disclosure of nonpublic data is a violation of federal securities laws. This information should be protected, but it should also be monitored to ensure it isn't disclosed inappropriately.

Section 404 describes management's responsibility for building internal controls around the safeguarding of assets, including the timely detection of unauthorized acquisition, use or disposition of an entity's assets that could have a material effect on the financial statements. You need to demonstrate that you have the capabilities to monitor, detect and record electronic information disclosures.

2. Since so much nonpublic information is communicated outside e-mail based on the Simple Mail Transfer Protocol, how can we build internal controls that detect, in a timely way, disclosures flowing over Web mail, chat or HTTP?

In today's networked world, it's not just about e-mail. Management can't ensure the truthfulness or accuracy of financial data if it doesn't have the means to monitor the movement of sensitive information across the entire corporate network 24 hours a day, seven days a week.

Demand more from technology. New products are available that can monitor electronic disclosure of nonpublic information and aren't limited to SMTP-based e-mail. These technologies can monitor, record and provide alerts on electronic disclosures by analyzing all information flowing over the corporate network, from Web mail and chat to file transfer protocol and HTTP. This type of monitoring technology, combined with a storage system that allows forensic searches into stored information, can prove invaluable if an investigation is required.

3. What are the penalties for exposing nonpublic information?

The use of nonpublic information concerning a company or any of its affiliates (a.k.a. "inside information") in securities transactions ("insider trading") may violate federal securities laws. Penalties can include:

* Exposure to investigations by the SEC.
* Criminal and civil prosecution.
* Relinquishing profits realized or losses avoided through use of the information.
* Penalties up to $1 million or three times the amount of any profits or losses, whichever is greater.
* Prison terms of up to 10 years.

4. What action should a company take if nonpublic information is inappropriately exposed on its network?

If nonpublic information is inappropriately disclosed on your network, you must rapidly execute a response program to identify the extent of the exposure, assess the effect on the corporation and its customers, and notify all affected parties. Section 409 of Sarbanes-Oxley mandates that companies publicly disclose additional information concerning material changes in the company's financial condition or operations. While Sarbanes-Oxley contains many reporting requirements, real-time identification of material changes and disclosures (the consensus being 48 hours) is the most significant challenge.

5. Who is personally liable if there is a compliance violation?

The CEO and the CFO must certify all financial statements filed with the SEC. The maximum penalty for Securities Exchange Act violations has increased to $5 million for individuals and $25 million for entities, as well as imprisonment of up to 20 years.

Section 802 of Sarbanes-Oxley states, "Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any records, documents, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any department or agency of the U.S. ... or contemplation of any such matter or case, shall be fined ... imprisoned not more than 20 years, or both."

6. How long is the "reach back" on compliance violations?
Section 804 of Sarbanes-Oxley extends the statute of limitations in private securities fraud actions to the earlier of two years after the discovery of the facts constituting the violation or five years from the violation.

7. Are there compliance strategies I can deploy to help prove due diligence if our company is investigated?

Today, an offensive rather than a defensive compliance program is important. Deploy strategies that provide you with the evidentiary support you need when things go wrong. New network security appliances designed to capture and record all electronic communication can provide forensic capabilities with automated reporting that corresponds to compliance needs. These solutions must be deployed within an overarching compliance strategy that aligns with the business to continuously:

* Identify and monitor risks.
* Establish effective internal controls.
* Test the validity of the controls.
* Support CEO and CFO certifications.
* Conduct third-party audits.
* Monitor for changes in risks, controls and compliance needs.
* Adjust proactively, as needed.

8. What role should external auditors play in compliance?

The Public Company Accounting Oversight Board was created through the Sarbanes-Oxley Act to oversee the auditors of public companies. The board recently approved Auditing Standard No. 2, an audit of internal control over financial reporting conducted with an audit of financial statements. The new standard highlights the benefits of strong internal controls over financial reporting and furthers the objectives of Sarbanes-Oxley.

9. Will I need to prevent electronic disclosures from occurring?

No compliance program can ever prevent 100% of misconduct by corporate employees. Nor do the regulations state that you must prevent internal disclosures -- including electronic disclosures -- from happening.
If investigated, you will need to show due diligence: that you have the ability for an appropriate and rapid response to detect and deter misconduct that exposes your company to operational risk that may have a material effect on your business.

10. What happens if I am investigated?

Compliance programs should be designed to detect the particular types of operational risks most likely to occur in a corporation's lines of business. Management must be able to answer two fundamental questions:

1. Is the corporation's compliance program well-designed?
2. Does the corporation's compliance program work?

How does your story end?

Because you understood the connection between electronic disclosure and the need to monitor disclosure across your corporate network, you deployed technology that could monitor, analyze and store all communications for after-the-fact investigations. Every session traversing every network egress point was analyzed. The monitoring system that was put in place stored terabytes of information during the blackout period -- all retained in the event of an audit.

Your company sent an e-mail from the CEO to all employees specifically stating that the disclosure of earnings information during the blackout period wouldn't be tolerated. On the first day, you detected 129 occurrences of the CEO's internal memo being leaked. Further investigation revealed that 16 employees also disclosed inappropriate information or traded stock during the blackout. You communicated with the general counsel, who was able to take the appropriate action to remediate the situation and report it according to compliance mandates. Your CEO kept his job.

A walk on the wild side?

Believe it or not, this case study wasn't just a walk on the wild side; it's based on events that are occurring inside many organizations. If you haven't evaluated the effectiveness of your internal controls in light of the new reality of electronic disclosure, start thinking about it.
Don't wait for the first Sarbanes-Oxley convictions or for Standard & Poor's to downgrade your company's credit rating. These controls can be the difference between companies that recover from material weaknesses and companies that go bankrupt trying to bounce back. Don't just ask yourself the 10 questions above; take the answers to heart and begin applying them to your organization before it's too late.

Kim Getgen is vice president of strategy at Reconnex Corp., a provider of risk management and security products in Mountain View, Calif.

From isn at c4i.org Thu Mar 31 01:39:34 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Mar 31 01:47:21 2005
Subject: [ISN] Cybersecurity standardization moves forward
Message-ID:

http://www.govexec.com/dailyfed/0305/033005p2.htm

By Daniel Pulliam
March 30, 2005

The Office of Management and Budget launched a task force on cybersecurity consolidation last week with the goal of increasing computer security and cutting costs.

Tim Young, OMB's associate administrator for e-government and information technology, said at a conference in Falls Church, Va., Tuesday that the consolidation effort has strong support among agencies. He said that the question of whether agencies can share common processes associated with information technology security is meant to spark a dialogue in the IT security community.

"We want to improve our security, but we want to spend fewer dollars," Young said at a conference sponsored by Reston, Va.-based IT consulting firm INPUT. "It's a good story if you're a taxpayer, but maybe not a good story if you're supporting these back-office functions."

The task force consists of two representatives from each Cabinet-level agency. An information and budget data request is due in April. Specific goals include identifying problems and solutions for cybersecurity risks, improving cybersecurity processes and reducing costs by eliminating duplication.
The task force will analyze various elements, including training activities, threat awareness, program management and the implementation of security products. In September 2005, the task force will send agencies' business cases to OMB as part of the fiscal 2007 budget process. By December, OMB will have reviewed the business cases and will make resource decisions.

Agencies have struggled to improve the security of their information technology systems while surveys have shown cybersecurity to be a top priority for agencies' chief information officers. A score card from the House Government Reform Committee showed that across government, cybersecurity improved slightly, but agencies such as the Energy and Homeland Security departments failed dismally.

Cybersecurity experts have said that compliance with the 2002 Federal Information Security Management Act is an expensive and frustrating process for agencies, but the results are intended to provide significant benefits to computer security. Young said a reason for exploring cybersecurity standardization is the vastly different sums of money that agencies of similar size are spending on FISMA compliance.

Despite OMB's optimism that consolidating back-office functions such as payroll and human resources will improve services and reduce costs, Young said he does not know whether cybersecurity ever will be fully consolidated. "We'll see what the task force says," he said, suggesting that a hybrid approach might be the end result.

Young said the administration's fiscal 2006 budget request -- in which the percentage of funds requested for back office functions fell slightly from 32 percent to 31 percent and spending for mission areas increased slightly from 55 percent to 56 percent -- shows a shift in priorities. Young said the consolidations that started last year are seeing results, and that total spending on OMB's consolidation projects is projected to increase from $11 billion to $12.1 billion.

"Agencies are adopting the concept of shared services," Young said. "Are we outsourcing all of this? No, but in the long term? Not really, but there will be more opportunities for the private sector to offer solutions."

From isn at c4i.org Thu Mar 31 01:39:21 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Mar 31 01:47:27 2005
Subject: [ISN] Computer containing classified data stolen from IDF
Message-ID:

http://www.haaretz.com/hasen/spages/558776.html

By Haaretz Staff
March 30, 2005 / Adar2 19, 5765

A laptop computer containing classified military information was apparently stolen from the commander of an elite Israel Defense Forces unit while he was on vacation, Israel Radio reported Wednesday morning.

The lieutenant colonel, who was on a field trip with his soldiers at the time of the apparent theft, said he left his computer at his desk in his office. However, an officer who was on-call at the time the computer was stolen says it was not in the office.

According to military protocol, a laptop computer containing classified material must be kept locked in the base's vault. The commander was sentenced to two weeks in a military prison.

Military police are investigating the circumstances that led to the disappearance of the computer.

From isn at c4i.org Thu Mar 31 01:40:08 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Mar 31 01:47:33 2005
Subject: [ISN] Hackers Steal Russian Central Bank Transactions - Paper
Message-ID:

http://www.mosnews.com/news/2005/03/30/stolentransactions.shtml

MosNews
30.03.2005

Russian hackers have stolen the database of Central Bank transactions from April 2003 to September 2004, the Vedomosti newspaper wrote on Wednesday.

In February an advert appeared on the Internet offering copies of the Russian Central Bank database detailing transactions over a period of 18 months. The database was offered for $800-1000, according to one of those selling the information, the paper said.
A month ago, the database was selling at $1500-2000. A representative of www.tschoice.com, currently unavailable, said the database could not become a popular item because of the high price.

The executive secretary of the Moscow government's Business Council Information Market Security Commission, Oleg Yashin, was quoted by the paper as saying there were several people selling the databases.

The transactions database is 60 gigabytes and is sold with a hard disk. Adverts say the database has detailed information on transactions: payers, addressees, banks and the payment purpose.

A database fragment the paper bought a month earlier for 1,500 rubles showed that the biggest payment of Vneshtorgbank in February 2004 (2.96 billion rubles) was made for a transfer of AvtoVAZ bonds. The paper was unable to get information from AvtoVAZ.

The information technology director of Vneshtorgbank said the bank does not make deals it wants to keep secret, but "the appearance of such a database cannot but disturb. I will put serious questions to the colleagues of the agencies that are supposed to control data security."

The Central Bank Interregional Information Technology Center that keeps data on bank transactions did not respond to the paper's request for comments on the reports. The Federal Finance Monitoring Service's press secretary said it does not have full information on transactions.

The Russian Criminal Code stipulates a two-year prison term for collecting secret banking or commercial information and three years for the use of it. Illegal access to computer information can lead to five years in prison.

Similar information on telephone users, mobile telephone users, and wanted criminals has been sold in the past after computer databases were also hacked.