From isn at c4i.org Mon May 2 02:27:47 2005
From: isn at c4i.org (InfoSec News)
Date: Mon May 2 02:38:29 2005
Subject: [ISN] Ex-CIA chief warns of EMP nuke threat
Message-ID:

http://wnd.com/news/article.asp?ARTICLE_ID=44069

By Joseph Farah
© 2005 WorldNetDaily.com
May 2, 2005

WASHINGTON - Former CIA chief James Woolsey affirms the work of a special commission investigating the threat of a nuclear-bomb-generated electromagnetic pulse attack on the U.S. by rogue states or terrorists and is urging the country to take the steps necessary to protect against the potentially devastating consequences.

In testimony before the House International Terrorism and Non-Proliferation Subcommittee, chaired by Ed Royce, R-Calif., Woolsey, director of the CIA from 1993 through 1995, referred to the nuclear EMP threat, characterized in intelligence circles, he said, as "a SCUD in a bucket."

"That is a simple ballistic missile from a stockpile somewhere in the world outfitted on something like a tramp steamer and fired from some distance offshore into an American city or to a high altitude, thereby creating an electromagnetic pulse effect, which could well be one of the most damaging ways of using a nuclear weapon," he said.

Woolsey commended the Commission to Assess the Threat to the United States from EMP Attack for its years of work on the subject and for its dire report concluding that it is a means of attack that could lead to the defeat of the U.S. by a much smaller enemy and utter devastation of the country.

"That is a very serious threat," he told the committee. "And one thing we need badly to do is to figure out ways to harden our electricity grid and various types of key nodes so that electromagnetic pulse blasts of nuclear weapons, or other ways of generating electromagnetic pulse, even if it knocks out our toaster ovens will not knock out, for example, our electricity grid."
Woolsey, like the commission, specifically mentioned the new dimension a nuclear Iran would add to the risk of such an attack.

"We do not have the luxury of assuming that Iran, if it develops fissionable materials, for example, would not share it under some circumstances with al-Qaida operatives," he said. "We don't have the luxury of believing that just because North Korea is a communist state, it would not work under some circumstances to sell its fissionable material to Hezbollah or al-Qaida."

There is increasing concern within the administration and Congress over Iran's missile program, which has been determined by a commission of U.S. scientists to pose a serious threat to U.S. security.

A report first published in Joseph Farah's G2 Bulletin, a weekly, online, premium, intelligence newsletter affiliated with WND, revealed last week that Iran has been seriously considering an unconventional pre-emptive nuclear strike against the U.S. An Iranian military journal publicly floated the idea of launching an electromagnetic pulse attack as the key to defeating the U.S.

Congress was warned of Iran's plans last month by Peter Pry, a senior staffer with the Commission to Assess the Threat to the United States from Electromagnetic Pulse Attack, in a hearing of Sen. Jon Kyl's subcommittee on terrorism, technology and homeland security.

In an article titled "Electronics to Determine Fate of Future Wars," the journal explains how an EMP attack on America's electronic infrastructure, caused by the detonation of a nuclear weapon high above the U.S., would bring the country to its knees.

"Once you confuse the enemy communication network you can also disrupt the work of the enemy command- and decision-making center," the article states. "Even worse today when you disable a country's military high command through disruption of communications, you will, in effect, disrupt all the affairs of that country. If the world's industrial countries fail to devise effective ways to defend themselves against dangerous electronic assaults then they will disintegrate within a few years. American soldiers would not be able to find food to eat nor would they be able to fire a single shot."

WND reported the Iranian threat last Monday, explaining Tehran is not only covertly developing nuclear weapons, it is already testing ballistic missiles specifically designed to destroy America's technical infrastructure.

Pry pointed out the Iranians have been testing mid-air detonations of their Shahab-3 medium-range missile over the Caspian Sea. The missiles were fired from ships.

"A nuclear missile concealed in the hold of a freighter would give Iran or terrorists the capability to perform an EMP attack against the United States homeland without developing an ICBM and with some prospect of remaining anonymous," explained Pry. "Iran's Shahab-3 medium range missile mentioned earlier is a mobile missile and small enough to be transported in the hold of a freighter. We cannot rule out that Iran, the world's leading sponsor of international terrorism, might provide terrorists with the means to execute an EMP attack against the United States."

Lowell Wood, acting chairman of the commission, said yesterday that such an attack - by Iran or some other actor - could cripple the U.S. by knocking out electrical power, computers, circuit boards controlling most automobiles and trucks, banking systems, communications and food and water supplies.

"No one can say just how long systems would be down," he said. "It could be weeks, months or even years."

EMP attacks are generated when a nuclear weapon is detonated at altitudes above a few dozen kilometers above the Earth's surface. The explosion of even a small nuclear warhead would produce a set of electromagnetic pulses that interact with the Earth's atmosphere and the Earth's magnetic field.

"These electromagnetic pulses propagate from the burst point of the nuclear weapon to the line of sight on the Earth's horizon, potentially covering a vast geographic region in doing so simultaneously, moreover, at the speed of light," said Wood. "For example, a nuclear weapon detonated at an altitude of 400 kilometers over the central United States would cover, with its primary electromagnetic pulse, the entire continent of the United States and parts of Canada and Mexico."

The commission, in its work over a period of several years, found that EMP is one of a small number of threats that has the potential to hold American society seriously at risk and that might also result in the defeat of U.S. military forces.

"The electromagnetic field pulses produced by weapons designed and deployed with the intent to produce EMP have a high likelihood of damaging electrical power systems, electronics and information systems upon which any reasonably advanced society, most specifically including our own, depend vitally," Wood said. "Their effects on systems and infrastructures dependent on electricity and electronics could be sufficiently ruinous as to qualify as catastrophic to the American nation."


From isn at c4i.org Mon May 2 02:28:01 2005
From: isn at c4i.org (InfoSec News)
Date: Mon May 2 02:38:32 2005
Subject: [ISN] Oregon man sentenced for hacking NM system
Message-ID:

http://www.krqe.com/expanded.asp?ID=9747

4/28/2005
Source: AP

ALBUQUERQUE -- An Oregon man has been sentenced to five months in prison for hacking into the computer system of Border Area Mental Health Service Incorporated in Silver City.

U.S. Magistrate Richard Puglisi also sentenced Timothy Jason Elder to serve five months home detention after he is released from prison and to pay $38,769 in restitution.

Elder was a former network administrator for Border Area Mental Health.
He pleaded guilty to illegally accessing the company's computer system from a remote location and corrupting several computer files.


From isn at c4i.org Mon May 2 02:28:33 2005
From: isn at c4i.org (InfoSec News)
Date: Mon May 2 02:38:36 2005
Subject: [ISN] Chinese Hacker Captured After Taunting Law Enforcement
Message-ID:

http://www.chinatechnews.com/index.php?action=show&type=news&id=2583

May 2, 2005

A Chinese hacker who was responsible for cracking some local Jingmen government websites was captured in a Wuhan hotel last week. The hacker, whose alias is "Yu Hua", posted his contact details on a website, and police used those details to then track him down.

Police say that on April 7 Yu Hua posted the names of 11 websites that he was targeting and said that he could make those sites collapse within ten minutes. Ten minutes later, he cracked those sites and shut them down. After the sites were closed, Yu Hua posted his QQ instant messenger details for others to contact him, but police then used that information to forensically identify his whereabouts.

Yu Hua, whose real name has not yet been released, was arrested at the Wuhan hotel where he was employed. The case is currently being processed and the charges against him have not been released.


From isn at c4i.org Mon May 2 02:28:53 2005
From: isn at c4i.org (InfoSec News)
Date: Mon May 2 02:38:39 2005
Subject: [ISN] Backup tapes are backdoor for ID thieves
Message-ID:

http://www.theregister.co.uk/2005/04/29/backup_tapes_are_backdoor_for_id_thieves/

By Robert Lemos
SecurityFocus
29th April 2005

Large companies are reconsidering their security and backup policies after a handful of financial and information-technology companies have admitted that tapes holding unencrypted customer data have gone missing.

Last week, trading firm Ameritrade acknowledged that the company that handles its backup data had lost a tape containing information on about 200,000 customers.
The financial firm is now revising its backup policies and, in the interim, has halted all movement of backup tapes, a spokesperson said this week.

Iron Mountain, a company that handles large corporations' data storage, also acknowledged that it had lost track of four sets of customer backup tapes since the beginning of this year. While the company points out such incidents are a tiny fraction of its nearly five million pick-ups and deliveries done annually, its top executive has called on clients to revamp their policies and start encrypting critical data.

"It is important to understand that unencrypted information stored on backup tapes is difficult to read, but it is not impossible," Richard Reese, chairman and CEO of the Boston-based data protection service, said in a statement issued last week. "Companies need to reassess their backup strategies and seriously consider encrypting sensitive data to prevent a potential breach of privacy."

The reconsideration of backup policies comes as the financial industry is recovering from several high-profile data leaks due to lost or stolen tapes. Bank of America told government officials in February that the company had lost a tape containing account information on a large number of government credit-card holders. A representative of Bank of America could not be reached for comment.

It's unknown whether any of the lost tapes resulted in account compromises.

"We don't believe that any foul play was involved," said Donna Kush, spokeswoman for Ameritrade. "We were able to recover three (of four) tapes in (our provider's) facility. We think the fourth was lost or destroyed within the facility."

Even without evidence of theft, the lack of encryption is disturbing, if entirely expected, said Jon Oltsik, senior research analyst for the Enterprise Strategy Group.
The analyst firm polled almost 400 companies and found that, despite renewed focus on securing customer data, more than 60 per cent of the companies do not encrypt any of their backup data, and only seven per cent actually encrypt all their backup data.

The financial industry does not set best practices in this case either, Oltsik found. Two-thirds of the financial firms polled by ESG never encrypted the data that they were backing up. The majority of larger firms also failed to encrypt their backup data, with about 56 per cent of companies with revenues greater than $5 billion never having encrypted their data before putting it on tape.

Online backup services that fail to encrypt information could represent similar security risks as does any information stored on a hard drive that can easily be stolen, Oltsik said, pointing to a recent rash of stolen laptops that contained medical information.

The high-profile breaches have executives asking questions about their backup policies and encryption policies.

"Two years ago, companies didn't get it," he said. "Now, all the people I know in this business are hearing interest from all quarters."

Because backups tend to be done by the least important members of the information technology staff, sometimes disparaged as "tape monkeys," the tapes are also at greater risk of insider attacks. Moreover, insiders have the access to know what data is on each tape, information that could help identity thieves target the right tapes.

"The process is totally insecure," Oltsik said. "You put your most junior people on this job, and those are the people that are most likely to be bribed and look for another way to make money."
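The advice from Iron Mountain and ESG above is to encrypt sensitive data before it is written to tape. The Go program below is an added illustration of that control and is not code from Iron Mountain, Ameritrade or any other company named in this article: it seals a constructed sample of customer records with AES-256-GCM and binds the ciphertext to a tape label, so that a relabelled, swapped or altered tape fails verification at restore time instead of yielding silently corrupted data. The envelope layout, the tape-label convention and the sample records are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SampleRecords is a constructed stand-in for the customer data that would
// normally be dumped to a backup tape (not real customer data).
const SampleRecords = "id,name,ssn\n1001,A. Example,000-00-0001\n1002,B. Example,000-00-0002\n"

// NewBackupKey returns a fresh 32-byte AES-256 key. In practice this key lives
// in a key management system and never travels on the tape itself.
func NewBackupKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealBackup encrypts plaintext with AES-256-GCM. The tape label is passed as
// additional authenticated data: it stays readable on the outside of the
// envelope, but a mismatch between label and ciphertext is detected on restore.
// Envelope layout (an assumption for this example):
// [12-byte nonce][ciphertext || 16-byte GCM tag].
func SealBackup(key, plaintext, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce, giving nonce||ciphertext||tag.
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// OpenBackup reverses SealBackup. It fails closed: a wrong key, a wrong label,
// or any flipped byte in the envelope yields an error, never garbage data.
func OpenBackup(key, envelope, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(envelope) < n+gcm.Overhead() {
		return nil, errors.New("envelope too short to contain nonce and tag")
	}
	return gcm.Open(nil, envelope[:n], envelope[n:], label)
}

// newGCM builds the AEAD, rejecting anything but a 32-byte (AES-256) key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, err := NewBackupKey()
	if err != nil {
		panic(err)
	}
	label := []byte("TAPE-0001") // constructed tape serial
	env, err := SealBackup(key, []byte(SampleRecords), label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes of records into a %d-byte envelope\n", len(SampleRecords), len(env))

	// Restore with the right key and label succeeds.
	got, err := OpenBackup(key, env, label)
	fmt.Println("restore ok:", err == nil && bytes.Equal(got, []byte(SampleRecords)))

	// A tape that was relabelled or altered in transit is rejected.
	_, err = OpenBackup(key, env, []byte("TAPE-0002"))
	fmt.Println("relabelled tape rejected:", err != nil)
	tampered := append([]byte(nil), env...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = OpenBackup(key, tampered, label)
	fmt.Println("tampered tape rejected:", err != nil)
}
```

The property the article is after is that a tape which goes missing in transit, or is read by an insider who knows exactly what is on it, is useless without a key that never travels with the tape; generating and storing that key in a separate system is therefore left to the caller rather than done alongside the data.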
While individual companies appear to be tackling the problem, there currently appears to be no federal policy in place, or planned to be implemented, for financial firms according to a representative of the Federal Deposit Insurance Corporation, the government agency that regulates federally insured banks.

Following the announcement by the Bank of America of its lost tape, the FDIC and three other federal agencies set guidelines to require that their members notify customers and regulators of any information that might be at risk, essentially adopting a rule similar to the law passed in California that led to the disclosure of so many breaches. However, the rule stopped short of requiring companies to protect such sensitive information with encryption.

Yet, those rules may come, as the increasing number of data leaks highlights the insecurity of sensitive information found on backup tapes.

"We are working very aggressively to educate our clients about the changing landscape," said Melissa Burman, spokeswoman for Iron Mountain. "The privacy concerns were not there, but now these issues are coming to life."

Copyright © 2005


From isn at c4i.org Mon May 2 02:29:11 2005
From: isn at c4i.org (InfoSec News)
Date: Mon May 2 02:38:41 2005
Subject: [ISN] Hushmail DNS Attack Blamed on Network Solutions
Message-ID:

http://www.eweek.com/article2/0,1759,1791152,00.asp

By Ryan Naraine
April 29, 2005

Secure e-mail service provider Hushmail Communications plans to pursue a criminal investigation into a hacking attack that redirected users to a defaced Web site. The company pinned the blame for the breach squarely on the shoulders of domain name registrar Network Solutions.

Hushmail, which markets PGP-encrypted e-mail, file storage and vanity domain services, has opened a criminal investigation with the Royal Canadian Mounted Police in Vancouver to get to the bottom of a DNS server breach caused by a combination of social engineering, phishing and pharming tactics.
Brian Smith, chief technical officer at Hushmail Communications Corp., said in an interview with Ziff Davis Internet News that the attacker or attackers simply called the Network Solutions Inc. support center and gained access to enough customer account information to alter the Hushmail DNS (Domain Name System) settings.

"They used a name not associated with Hush Communications and was able to get information from Network Solutions," Smith said.

Using the information collected from Network Solutions' customer service, Smith said the DNS information was changed to redirect users visiting the "hushmail.com" URL to a defaced Web site.

For a brief period, Hushmail's domain was either unavailable or appeared defaced with an image of Hushmail's logo with the following text: "The Secret Service is watching. - Agent Leth and Clown Jeet 3k Inc." Zone-H.org has archived a screenshot [1] of the defacement.

Smith said Network Solutions promised to investigate and issue a statement on the breach, but at press time Friday, Hushmail had yet to receive official communication from the Herndon, Va.-based registrar.

Network Solutions spokeswoman Susan Wade confirmed that the breach occurred as a result of certain weaknesses in the registrar's customer-service security measures but declined to provide specifics, citing customer privacy issues.

"We're seriously investigating the incident. We are aware that a hacker temporarily altered this customer's [DNS records]. Our security team promptly rectified the situation," Wade told Ziff Davis Internet News.

She described the breach as an "isolated incident" and said Network Solutions would immediately institute "additional security measures to ensure it doesn't occur in the future."

"We've brought everyone in and gone over the procedures, and we've implemented some additional ones. I can't go into details for obvious reasons, but we are taking this very, very seriously," Wade added.
In addition to supporting RCMP's investigation in Vancouver, Wade said a separate criminal investigation is being launched in the United States.

At Hushmail's end, Smith said the episode has been frustrating. "We're still waiting for a statement from Network Solutions. We were told by an employee that the attacker was given the DNS information over the telephone, but they've not sent anything official to us. I don't want to comment on what may or may not have happened at their end," Smith said.

For now, Hushmail is working to erase the negative perception of an e-mail security provider with a major server breach. "Initially, it was embarrassing but we're pleased that the users and the media have been very sympathetic to what happened here. To nontechnical users, it will take some explaining, but it's quite clear that this could have happened to anyone."

"The Internet as a whole is a notoriously nonsecure infrastructure. We're operating within that. This is a big worry for the entire Internet. That's why phishing, pharming and social engineering attacks have become a big issue," Smith said.

Hushmail has been upfront about the hacking attack, publishing a daily log [2] with updates for users. "To the best of our knowledge, the DNS issues caused by the caching of the altered addresses should now have ceased. The correct addresses should now have propagated across the Internet, and all users should be able to access Hushmail," the latest entry says.

The company said there was no unauthorized access to any of the Hush servers. "Data managed by Hush was not compromised. During this period, e-mail sent to hushmail.com will not have been delivered," Hushmail said.

Rick Fleming, chief technology officer at Texas-based security outfit Digital Defense Inc., said the Hushmail nightmare points to a "major weakness" in the way domain name registrars authenticate requests for DNS changes.

"We'll continue to see these types of social engineering attacks because it's becoming easier to impersonate someone and collect information. There is definitely a weakness in the way the domain name registrars handle authentication. If they don't have a way to adequately identify who the domain owners are, these attacks will continue to happen," Fleming said.

"What's to stop this from affecting a Yahoo or a Google? Nothing. The underlying flaw is how the domain name systems work. It's an implied trusted relationship without any authentication or verification and that needs to be fixed," Fleming said.

[1] http://www.zone-h.org/defacements/mirror/id=2309823/
[2] http://www.hushmail.com/login-status


From isn at c4i.org Mon May 2 02:29:24 2005
From: isn at c4i.org (InfoSec News)
Date: Mon May 2 02:38:43 2005
Subject: [ISN] Hackers to test U.K. lawmakers' systems
Message-ID:

http://news.com.com/Hackers+to+test+U.K.+lawmakers+systems/2110-7355_3-5690318.html

By Andy McCue
Special to CNET News.com
April 29, 2005

Hackers are to be employed to test the effectiveness of the IT security defences for the computer systems in the House of Commons, home of the British parliament.

A three-year IT security contract is up for grabs to conduct internal and external penetration testing on routers, firewalls and critical servers using a range of independent vulnerability assessment techniques. The winning contractor will be required to carry out the tests at least twice a year.

The House of Commons is also looking to buy an intrusion prevention system -- a combination of intrusion detection software and a firewall -- to reduce the risk of denial-of-service attacks, virus outbreaks and Trojan horses.

Andy McCue of Silicon.com reported from London.


From isn at c4i.org Mon May 2 02:29:36 2005
From: isn at c4i.org (InfoSec News)
Date: Mon May 2 02:38:45 2005
Subject: [ISN] Reminder: 4 weeks left - ACSAC 2005 accepting paper submissions!
Message-ID:

Forwarded from: program_chair@acsac.org

21st Annual Computer Security Applications Conference (ACSAC)
December 5-9, 2005
Tucson, Arizona
http://www.acsac.org

Greetings,

There are now four weeks left to submit papers in the technical track to ACSAC 2005. Please note the dates below and submit your papers!

Important dates:

  May 29, 2005         Technical program: paper submission deadline
  August 14, 2005      Paper acceptance decisions communicated to authors
  December 5-9, 2005   Conference in Tucson, AZ

Online paper submission system:
http://www.acsac.org/openconf

Call for papers and detailed submission instructions:
http://www.acsac.org/cfp
http://www.acsac.org/2005/ACSAC_CFP.pdf

We look forward to receiving your submissions!

Christoph Schuba, Pierangela Samarati, Charlie Payne
2005 ACSAC program chairs
program_chair@acsac.org

You are receiving this notice because you joined the ACSAC email notification list at http://www.acsac.org/join_ml.html. You can unsubscribe there if you wish.

You can help ACSAC reach people who might benefit from this information. Feel free to forward this message with a personal note to your friends and colleagues. They can sign up at the above URL.

ACSAC is sponsored by Applied Computer Security Associates, a not-for-profit all-volunteer Maryland corporation. Our postal address is 2906 Covington Road, Silver Spring, MD 20910-1206.


From isn at c4i.org Wed May 4 02:36:41 2005
From: isn at c4i.org (InfoSec News)
Date: Wed May 4 02:49:32 2005
Subject: [ISN] Bloggers recover classified info from U.S. report
Message-ID:

http://www.estripes.com/article.asp?section=104&article=28818

By Lisa Burgess
Stars and Stripes
European edition
May 3, 2005

ARLINGTON, Va. - U.S. commanders in Iraq posted a version of the U.S. investigation into the Italian checkpoint shooting from which it was possible to recover classified information by simple manipulation of the electronic file.
The report, issued by Multinational Forces-Iraq, or MNF-I, over the weekend, was heavily redacted, with classified sections obscured by black boxes. The report was posted in a "PDF" format, used by the U.S. government to generate documents of various kinds.

While downloading the information, however, the global "blogging" community quickly discovered that the classified information could easily be recovered.

MNF-I officials said Monday that the report's full release was an accident, but could not pinpoint how it occurred.

"The procedures that we used [to safeguard the classified information] were inadequate," Air Force Col. C. Donald Alston, MNF-I's chief of strategic communications, said Monday. "We consider this a very serious matter."

MNF-I officials took the report down from their own site over the weekend.

The classified sections of the report have information about the number and type of insurgent attacks on the road to "Route Irish," the 7.5-mile east-west road along south Baghdad that runs from the International Zone in downtown to Baghdad International Airport. The unclassified portion of the report says that the four-lane road is known as "IED Alley" for the large number of improvised explosive devices that have been planted there by insurgents.

The report also delves into the securing of checkpoints, as well as specifics concerning how soldiers manned the checkpoint where the Italian intelligence officer was killed. In the past, Pentagon officials have repeatedly refused to discuss such details, citing security concerns.

The information technology community quickly began linking to the report site and discussing the security breach.

"There have been many reports in the press of how people have published Microsoft Word documents with their history easily revealed through Word's 'track changes' feature," blogger David Berlind commented in his Internet technology blog, "Between the Lines" at ZDNet. "But you rarely hear about problems like this when it comes to PDF files."

"It will be interesting to see how this security debacle unfolds, where the finger gets pointed, and how it changes the way PDF files get handled in the future [by organizations of all types]," Berlind wrote.


From isn at c4i.org Wed May 4 02:37:17 2005
From: isn at c4i.org (InfoSec News)
Date: Wed May 4 02:49:35 2005
Subject: [ISN] Woman held over industrial espionage
Message-ID:

http://www.news.com.au/story/0,10117,15162906-31037,00.html

Correspondents in Versailles, France
May 03, 2005

A CHINESE woman has been detained in France over claims she was involved in industrial espionage during an internship with car equipment manufacturer Valeo.

The woman has denied charges of "intrusion in an automatic data system" and "abuse of confidence" after allegedly copying features of a number of cars that are still on the drawing board.

Police alleged that during a search of her home officers found six computers and two hard drives with a "huge capacity" and containing material considered confidential by the Valeo directors.

The young woman, who has a number of degrees including mathematics, applied physics and fluid mechanics, had been an intern since February at the Valeo offices in Guyancourt, a suburb of Paris.

An executive apparently noticed her frequently walking around the office carrying her portable computer.

A source close to the inquiry described the woman, who speaks German, Spanish, English, French and some Arabic, as "brilliant" and of "exceptional competence".


From isn at c4i.org Wed May 4 02:37:40 2005
From: isn at c4i.org (InfoSec News)
Date: Wed May 4 02:49:38 2005
Subject: [ISN] Time Warner says data on 600,000 workers lost
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,101500,00.html

By Lucas Mearian
MAY 02, 2005
COMPUTERWORLD

Time Warner Inc. reported today that a shipment of backup tapes with personal information of about 600,000 current and former employees went missing more than a month ago during a routine shipment to an offsite storage site.

The tapes, part of a routine shipment being taken to the site by off-site data storage company Iron Mountain Inc., didn't include data about Time Warner customers, the company said in a statement. The company told employees today that the data tapes went missing March 22.

"We are providing current and former employees with resources to monitor their credit reports while our investigation continues. We are working closely and aggressively with law enforcement and the outside data storage firm to get to the bottom of this matter," said Larry Cockell, Time Warner's chief security officer.

The U.S. Secret Service is working with both Time Warner and Boston-based Iron Mountain to investigate the missing tapes.

The $42 billion media company said in a statement that there is no evidence that the data has been illegally accessed or misused. The company said it has contacted major credit agencies -- Equifax, Experian and Trans Union -- about the data loss.

After determining that publicizing the data loss wouldn't interfere with the investigation, Time Warner posted a statement about it on its Web site, as well as a letter to its employees about the incident and an FAQ.

In the letter to employees, Time Warner said the missing tapes contained data such as names and Social Security numbers of current and former U.S.-based employees, their dependents and beneficiaries.

Cockell said in the statement to employees that the company has made arrangements with Equifax to offer U.S. employees a free subscription to Equifax's Credit Watch Gold credit monitoring service to help protect identity and credit information for 12 months.

Time Warner's disclosure follows on the heels of other high-profile security breaches in the U.S.
In March, a laptop containing data on 100,000 graduate students, alumni and applicants from the University of California, Berkeley, was stolen from a campus office.

Bart Lazar, a privacy and intellectual property lawyer and partner in the law firm of Seyfarth Shaw LLP in Chicago, said that as data loss incidents pile up, there's greater potential that firms found responsible will have to change their data security standards. Most of the pressure, he said, may come not from Congress but from insurance companies that will require more stringent safeguards before signing with a client.

Part of the problem, Lazar said, is that companies don't have proper chain-of-custody requirements or encryption technology in place.

"I've dealt with many of these companies, and if you ask them what happens with their data ... they can't chart it," he said. "Or the companies know what to do and they just haven't committed the resources to do it. Companies have to deploy their resources. I don't know what SANS [Institute] says the spending on security is, but it's not huge."

Lazar said data loss incidents will also likely give rise to more companies turning to internal data protection schemes instead of using third-party service providers or external data processors.

"These big incidents [are] what leads to consciousness raising and may lead to reasonable security standards," he said.

Reuters contributed to this report.


From isn at c4i.org Wed May 4 13:26:14 2005
From: isn at c4i.org (InfoSec News)
Date: Wed May 4 13:37:29 2005
Subject: [ISN] Hackers start looking at Apple
Message-ID:

http://www.theinquirer.net/?article=22961

By Nick Farrell
03 May 2005

FOR A LONG time ignored by hackers, Apple's iTunes popularity means that the operating system is starting to attract the interest of hackers.
According to a survey released on Easter Monday, in the Bulgarian Orthodox calendar, by the SANS Institute, hackers are still making hay on VoleWare, but Apple products are starting to become tempting.

Hacks of iTunes were an interesting feature of the first three months of 2005, says SANS, along with attacks on RealNetworks' RealPlayer and Nullsoft's Winamp. There were more attempts to take on anti-virus software, with Symantec, F-Secure, TrendMicro and McAfee as targets.

Hackers continued to poke new holes in Microsoft Windows, although SANS seems to think that is becoming harder as more Windows users agreed to receive security upgrades automatically. So instead, hackers are starting to try and take advantage of other software programs that might not be patched as frequently, the survey said.

The complete list can be found here [1].

[1] http://www.sans.org/top20/Q1-2005update


From isn at c4i.org Thu May 5 05:27:37 2005
From: isn at c4i.org (InfoSec News)
Date: Thu May 5 05:38:21 2005
Subject: [ISN] IG: Interior faces possible IT security catastrophe
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/35743-1.html

By Wilson P. Dizard III
GCN Staff
05/04/05

Some Interior Department systems that house American Indian trust data are so easy to penetrate, according to the department's inspector general, that they potentially could cause "severe or catastrophic" problems.

Poor computer security has been a long-running issue in a federal court case over the government's loss of billions of dollars of assets held in trust for American Indians.

An Interior spokeswoman said she could not comment on legal issues but noted that the department has been consistently upgrading its system security.

Interior has released an extensively redacted version of the 86-page report.
Computer specialists working for the IG pinpointed 24 servers that hold Indian trust data and said they were able to penetrate two servers and gain full, undetected access to the Bureau of Land Management's internal networks and intranet.

The auditors made several systems security recommendations, saying that if BLM did not adopt them quickly, it should disconnect its systems from the department's networks.

Scott Miles, a computer security expert Interior hired, earlier this week testified about poor BLM computer security in the case of Cobell vs. Interior Secretary Gale Norton. Plaintiffs in the 9-year-old lawsuit contend that the American Indian trust accounts are vulnerable to external attacks as well as a more serious risk of internal theft. Miles said he agreed with Dennis M. Gingold, lead attorney for the plaintiffs, about the severity of the internal threat.

Tina Kreisher, Interior's communications director, said, "The thing to remember is that we asked the IG to do this study. We are concerned about IT security. This study was a way of helping to test it. As this plays out and we discover flaws, we fix them."

The Cobell plaintiffs seek to convince Judge Royce Lamberth of the U.S. District Court for the District of Columbia that the Interior computers housing trust data should be disconnected from the Internet or shut down until the security flaws are repaired. Gingold and other plaintiff attorneys also contend that the security problems have made it impossible for Interior to properly account for the trust funds.

The federal government has been managing revenues from American Indian natural resources such as oil, coal, gas, pipeline rights-of-way and timber since 1887. The Cobell plaintiffs contend that the federal government owes the 500,000 trust beneficiaries upward of $100 billion in restitution for assets stolen or wasted.
Lamberth ordered Interior to disconnect almost all its systems from the Internet in December 2001 and considered doing so again last year (see GCN coverage [1]). Lamberth's first disconnection order also was prompted by the discovery of system security flaws. In the intervening years, Interior IT executives have upgraded system security, and Lamberth has progressively allowed more of the systems to be reconnected.

[1] http://www.gcn.com/23_6/news/25328-1.html

From isn at c4i.org Thu May 5 05:28:39 2005
From: isn at c4i.org (InfoSec News)
Date: Thu May 5 05:38:24 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-18
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2005-04-28 - 2005-05-05

This week : 69 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

Want a new IT Security job?

Vacant positions at Secunia:
http://secunia.com/secunia_vacancies/

========================================================================
2) This Week in Brief:

Netscape has been found to be affected by a vulnerability, which was first reported in Mozilla.

Currently, no solution is available from the vendor.

Refer to the referenced Secunia advisory below for additional details.

Reference:
http://secunia.com/SA15135

--

Apple has released a security update for Mac OS X, which corrects 19 vulnerabilities.

Complete details about each issue can be found in the referenced Secunia advisory below.
References:
http://secunia.com/SA15227

VIRUS ALERTS:

During the last week, Secunia issued 1 MEDIUM RISK virus alert. Please refer to the grouped virus profile below for more information:

Sober.P - MEDIUM RISK Virus Alert - 2005-05-02 22:55 GMT+1
http://secunia.com/virus_information/17688/sober.p/

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA15103] Netscape GIF Image Netscape Extension 2 Buffer Overflow
2.  [SA14654] Mozilla Firefox Three Vulnerabilities
3.  [SA14820] Mozilla Firefox JavaScript Engine Information Disclosure Vulnerability
4.  [SA15135] Netscape DOM Nodes Validation Vulnerability
5.  [SA15153] Symantec AntiVirus Products RAR Archive Virus Detection Bypass
6.  [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerabilities
7.  [SA15064] Microsoft Windows Image Rendering Denial of Service Vulnerability
8.  [SA15023] Realplayer/RealOne RAM File Processing Buffer Overflow Vulnerability
9.  [SA14938] Mozilla Firefox Multiple Vulnerabilities
10. [SA12889] Microsoft Internet Explorer Multiple Vulnerabilities

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA15192] GlobalScape Secure FTP Command Parsing Buffer Overflow
[SA15239] ASP Inline Corporate Calendar "Event_ID" SQL Injection
[SA15234] Mercur Messaging Multiple Vulnerabilities
[SA15214] MaxWebPortal Multiple SQL Injection Vulnerabilities
[SA15190] Ecomm Professional Guestbook "AdminPWD" SQL Injection
[SA15178] Ocean12 Mailing List Manager Pro SQL Injection Vulnerability
[SA15175] Golden FTP Server Pro Directory Traversal Vulnerability
[SA15173] enVivo!CMS SQL Injection Vulnerabilities
[SA15242] NetWin DMail Server Two Vulnerabilities
[SA15231] 602LAN SUITE Local File Detection and Denial of Service
[SA15230] 04WebServer Directory Traversal Vulnerability
[SA15171] ICUII Disclosure of Passwords
[SA15179] Kerio Products Password Brute Force and Denial of Service
[SA15184] NotJustBrowsing Disclosure of Lock Password

UNIX/Linux:
[SA15236] Fedora update for kdelibs
[SA15227] Mac OS X Security Update Fixes Multiple Vulnerabilities
[SA15210] Slackware update for xine-lib
[SA15203] SUSE Updates for Multiple Packages
[SA15202] Gentoo update for pound
[SA15199] Ubuntu update for kdelibs
[SA15189] Mandriva update for xpm
[SA15182] Red Hat update for php
[SA15180] Red Hat update for mozilla
[SA15243] Ubuntu update for cvs
[SA15238] Ubuntu update for kommander
[SA15225] Open WebMail Shell Command Injection Vulnerability
[SA15211] Avaya Kerberos Telnet Client vulnerabilities
[SA15193] GnuTLS Record Packet Parsing Denial of Service Vulnerability
[SA15188] Red Hat update for kernel
[SA15187] Red Hat update for kernel
[SA15183] Fedora update for kdewebdev
[SA15177] OpenBSD update for cvs
[SA15172] Debian update for ethereal
[SA15170] Debian update for prozilla
[SA15217] PostgreSQL Character Conversion and tsearch2 Module Vulnerabilities
[SA15240] MaraDNS Unspecified Random Number Generator Vulnerability
[SA15237] Fedora update for tcpdump
[SA15229] Debian update for smartlist
[SA15221] SmartList confirm Add-On Arbitrary Addresses Subscribe
[SA15194] Gentoo update for horde
[SA15228] Ubuntu update for libnet-ssleay-perl
[SA15224] Mac OS X pty Permission Security Issue
[SA15207] Perl Net::SSLeay Module Entropy Source Manipulation
[SA15201] Cocktail Exposure of Administrator Password
[SA15198] Gentoo phpmyadmin Installation Script Insecure Permissions
[SA15197] Ce/Ceterm Privilege Escalation Vulnerabilities
[SA15196] ArcInfo Workstation Format String and Buffer Overflow Vulnerabilities
[SA15191] Fedora update for Perl
[SA15186] Red Hat update for glibc
[SA15185] Mandriva update for perl
[SA15252] leafnode Two Denial of Service Issues
[SA15204] Linux Kernel Local Denial of Service Vulnerabilities

Other:
[SA15205] BIG-IP / 3-DNS ICMP Handling Denial of Service Vulnerability

Cross Platform:
[SA15216] osTicket Multiple Vulnerabilities
[SA15213] SitePanel Multiple Vulnerabilities
[SA15195] Mtp Target Format String and Denial of Service Vulnerabilities
[SA15233] LibTomCrypt Unspecified ECC Signature Scheme Vulnerability
[SA15232] FishCart Cross-Site Scripting and SQL Injection Vulnerabilities
[SA15220] PRADO Unspecified ViewState Data Vulnerability
[SA15219] Woltlab Burning Board JGS-Portal "id" SQL Injection
[SA15208] eSKUeL "ConfLangCookie" and "lang_config" Local File Inclusion
[SA15206] BirdBlog BB Code Script Insertion Vulnerability
[SA15181] ViArt Shop Enterprise Cross-Site Scripting and Script Insertion
[SA15226] OpenView Event Correlation Services Unspecified Vulnerabilities
[SA15223] OpenView Network Node Manager Unspecified Vulnerabilities
[SA15218] Web Crossing "webx" Cross-Site Scripting Vulnerability
[SA15215] Symantec Products ICMP Handling Denial of Service
[SA15235] GraphicsMagick PNM Image Decoding Buffer Overflow Vulnerability

========================================================================
5) Vulnerabilities Content Listing
Windows:

--

[SA15192] GlobalScape Secure FTP Command Parsing Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-05-02

Mati Aharoni has reported a vulnerability in GlobalScape Secure FTP Server, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15192/

--

[SA15239] ASP Inline Corporate Calendar "Event_ID" SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-05-04

Zinho has reported a vulnerability in ASP Inline Corporate Calendar, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15239/

--

[SA15234] Mercur Messaging Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of system information, Exposure of sensitive information
Released:    2005-05-04

Dr_insane has reported some vulnerabilities in Mercur Messaging, which can be exploited by malicious people to manipulate files and disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/15234/

--

[SA15214] MaxWebPortal Multiple SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-05-03

Soroush Dalili and Crkchat have reported some vulnerabilities in MaxWebPortal, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15214/

--

[SA15190] Ecomm Professional Guestbook "AdminPWD" SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-04-29

A vulnerability has been reported in Ecomm Professional Guestbook, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15190/

--

[SA15178] Ocean12 Mailing List Manager Pro SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-04-29

Zinho has reported a vulnerability in Ocean12 Mailing List Manager Pro, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15178/

--

[SA15175] Golden FTP Server Pro Directory Traversal Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Exposure of system information, Exposure of sensitive information
Released:    2005-05-03

Lachlan. H has reported a vulnerability in Golden FTP Server Pro, which can be exploited by malicious users to access arbitrary files on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15175/

--

[SA15173] enVivo!CMS SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-04-29

Diabolic Crab has reported some vulnerabilities in enVivo!CMS, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15173/

--

[SA15242] NetWin DMail Server Two Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, System access
Released:    2005-05-04

Tan Chew Keong has reported two vulnerabilities in NetWin DMail Server, which can be exploited by malicious people to bypass certain security restrictions or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15242/

--

[SA15231] 602LAN SUITE Local File Detection and Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      Exposure of system information, DoS
Released:    2005-05-03

Dr_insane has discovered a vulnerability in 602LAN SUITE, which can be exploited by malicious people to detect the presence of local files and cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15231/

--

[SA15230] 04WebServer Directory Traversal Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Exposure of sensitive information
Released:    2005-05-03

Dr_insane has discovered a vulnerability in 04WebServer, which can be exploited by malicious people to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/15230/

--

[SA15171] ICUII Disclosure of Passwords

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2005-04-29

Kozan has discovered a security issue in ICUII, which can be exploited by malicious, local users to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/15171/

--

[SA15179] Kerio Products Password Brute Force and Denial of Service

Critical:    Not critical
Where:       From local network
Impact:      Brute force, DoS
Released:    2005-05-02

Javier Munoz has reported two weaknesses in Kerio WinRoute Firewall, Kerio MailServer and Kerio Personal Firewall, which can be exploited by malicious people to potentially cause a DoS (Denial of Service) and brute force passwords.

Full Advisory:
http://secunia.com/advisories/15179/

--

[SA15184] NotJustBrowsing Disclosure of Lock Password

Critical:    Not critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2005-05-02

Kozan has discovered a security issue in NotJustBrowsing, which can be exploited by malicious, local users to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/15184/

UNIX/Linux:

--

[SA15236] Fedora update for kdelibs

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-05-03

Fedora has issued an update for kdelibs. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/15236/

--

[SA15227] Mac OS X Security Update Fixes Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Spoofing, Exposure of sensitive information, Privilege escalation, System access
Released:    2005-05-04

Apple has issued a security update for Mac OS X, which fixes various vulnerabilities.

Full Advisory:
http://secunia.com/advisories/15227/

--

[SA15210] Slackware update for xine-lib

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-05-03

Slackware has issued an update for xine-lib. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15210/

--

[SA15203] SUSE Updates for Multiple Packages

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-05-02

SUSE has issued updates for multiple packages. These fix various vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15203/

--

[SA15202] Gentoo update for pound

Critical:    Highly critical
Where:       From remote
Impact:      System access, DoS
Released:    2005-05-02

Gentoo has issued an update for pound. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15202/

--

[SA15199] Ubuntu update for kdelibs

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-05-03

Ubuntu has issued an update for kdelibs. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15199/

--

[SA15189] Mandriva update for xpm

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-05-02

Mandriva has issued an update for xpm. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15189/

--

[SA15182] Red Hat update for php

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, DoS, System access
Released:    2005-04-29

Red Hat has issued an update for php. This fixes some vulnerabilities, which can be exploited by malicious, local users to access files outside the "open_basedir" root and by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15182/

--

[SA15180] Red Hat update for mozilla

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, Spoofing, Manipulation of data, Exposure of system information, Exposure of sensitive information, Privilege escalation, System access, Security Bypass
Released:    2005-04-29

Red Hat has issued an update for mozilla. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain knowledge of sensitive information and perform certain actions on a vulnerable system with escalated privileges and by malicious people to conduct spoofing and cross-site scripting attacks, disclose sensitive and system information, bypass certain security restrictions, trick users into downloading malicious files and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15180/

--

[SA15243] Ubuntu update for cvs

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-05-04

Ubuntu has issued an update for cvs. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15243/

--

[SA15238] Ubuntu update for kommander

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-05-04

Ubuntu has issued an update for kommander. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15238/

--

[SA15225] Open WebMail Shell Command Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-05-03

A vulnerability has been reported in Open WebMail, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15225/

--

[SA15211] Avaya Kerberos Telnet Client vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-05-02

Avaya has issued an update for krb5. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15211/

--

[SA15193] GnuTLS Record Packet Parsing Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-05-02

A vulnerability has been reported in GnuTLS, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15193/

--

[SA15188] Red Hat update for kernel

Critical:    Moderately critical
Where:       From remote
Impact:      Privilege escalation, DoS
Released:    2005-04-29

Red Hat has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited to gain escalated privileges or cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15188/

--

[SA15187] Red Hat update for kernel

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, Privilege escalation
Released:    2005-04-29

Red Hat has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited to gain escalated privileges or cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15187/

--

[SA15183] Fedora update for kdewebdev

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-04-29

Fedora has issued an update for kdewebdev. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15183/

--

[SA15177] OpenBSD update for cvs

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown, DoS, System access
Released:    2005-04-29

OpenBSD has issued an update for cvs. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15177/

--

[SA15172] Debian update for ethereal

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-04-29

Debian has issued an update for ethereal. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15172/

--

[SA15170] Debian update for prozilla

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-04-29

Debian has issued an update for prozilla. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15170/

--

[SA15217] PostgreSQL Character Conversion and tsearch2 Module Vulnerabilities

Critical:    Moderately critical
Where:       From local network
Impact:      Unknown, Privilege escalation, DoS
Released:    2005-05-04

Two vulnerabilities have been reported in PostgreSQL, which can be exploited by malicious users to cause a DoS (Denial of Service) or potentially gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/15217/

--

[SA15240] MaraDNS Unspecified Random Number Generator Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Unknown
Released:    2005-05-04

A vulnerability with an unknown impact has been reported in MaraDNS.

Full Advisory:
http://secunia.com/advisories/15240/

--

[SA15237] Fedora update for tcpdump

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-05-03

Fedora has issued an update for tcpdump. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15237/

--

[SA15229] Debian update for smartlist

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-05-04

Debian has issued an update for smartlist. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/15229/

--

[SA15221] SmartList confirm Add-On Arbitrary Addresses Subscribe

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-05-04

Jeroen van Wolffelaar has reported a vulnerability in the confirm add-on for SmartList, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/15221/

--

[SA15194] Gentoo update for horde

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-05-02

Gentoo has issued updates for horde, horde-vacation, horde-turba, horde-passwd, horde-nag, horde-mnemo, horde-kronolith, horde-imp, horde-accounts, horde-forwards and horde-chora. These fix a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/15194/

--

[SA15228] Ubuntu update for libnet-ssleay-perl

Critical:    Less critical
Where:       Local system
Impact:      Manipulation of data
Released:    2005-05-04

Ubuntu has issued an update for libnet-ssleay-perl. This fixes a vulnerability, which can be exploited by malicious, local users to weaken certain cryptographic operations.

Full Advisory:
http://secunia.com/advisories/15228/

--

[SA15224] Mac OS X pty Permission Security Issue

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2005-05-04

Matt Johnston has discovered a security issue in Mac OS X, which can be exploited by malicious, local users to gain knowledge of potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/15224/

--

[SA15207] Perl Net::SSLeay Module Entropy Source Manipulation

Critical:    Less critical
Where:       Local system
Impact:      Manipulation of data
Released:    2005-05-04

Javier Fernandez-Sanguino Pena has reported a vulnerability in the Net::SSLeay module for Perl, which can be exploited by malicious, local users to weaken certain cryptographic operations.

Full Advisory:
http://secunia.com/advisories/15207/

--

[SA15201] Cocktail Exposure of Administrator Password

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2005-05-02

sonderling has reported a security issue in Cocktail, which can be exploited by malicious, local users to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/15201/

--

[SA15198] Gentoo phpmyadmin Installation Script Insecure Permissions

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2005-05-02

A security issue has been reported in phpmyadmin, which can be exploited by malicious, local users to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/15198/

--

[SA15197] Ce/Ceterm Privilege Escalation Vulnerabilities

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-05-02

Kevin Finisterre has reported some vulnerabilities in Ce/Ceterm, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/15197/

--

[SA15196] ArcInfo Workstation Format String and Buffer Overflow Vulnerabilities

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-05-02

Kevin Finisterre has reported some vulnerabilities in ArcInfo Workstation, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/15196/

--

[SA15191] Fedora update for Perl

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-05-03

Fedora has issued an update for perl. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/15191/

--

[SA15186] Red Hat update for glibc

Critical:    Less critical
Where:       Local system
Impact:      Exposure of system information, Privilege escalation
Released:    2005-04-29

Red Hat has issued an update for glibc. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain knowledge of some system information or perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/15186/

--

[SA15185] Mandriva update for perl

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-05-02

Mandriva has issued an update for perl. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/15185/

--

[SA15252] leafnode Two Denial of Service Issues

Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2005-05-05

Two issues have been reported in leafnode, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15252/

--

[SA15204] Linux Kernel Local Denial of Service Vulnerabilities

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2005-05-02

Two vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15204/

Other:

--

[SA15205] BIG-IP / 3-DNS ICMP Handling Denial of Service Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-05-02

F5 Networks has acknowledged a vulnerability in BIG-IP and 3-DNS, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15205/

Cross Platform:

--

[SA15216] osTicket Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, Exposure of sensitive information, System access
Released:    2005-05-03

James Bercegay has reported some vulnerabilities in osTicket, which can be exploited by malicious users to conduct SQL injection attacks, and by malicious people to conduct cross-site scripting and script insertion attacks, disclose sensitive information and compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/15216/

--

[SA15213] SitePanel Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, Exposure of sensitive information, System access
Released:    2005-05-03

James Bercegay has reported some vulnerabilities in SitePanel, which can be exploited by malicious people to conduct cross-site scripting attacks, disclose sensitive information and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15213/

--

[SA15195] Mtp Target Format String and Denial of Service Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-05-02

Luigi Auriemma has reported two vulnerabilities in Mtp Target, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15195/

--

[SA15233] LibTomCrypt Unspecified ECC Signature Scheme Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2005-05-04

A vulnerability with an unknown impact has been reported in LibTomCrypt.

Full Advisory:
http://secunia.com/advisories/15233/

--

[SA15232] FishCart Cross-Site Scripting and SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2005-05-04

Diabolic Crab has reported some vulnerabilities in FishCart, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15232/

--

[SA15220] PRADO Unspecified ViewState Data Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2005-05-04

A vulnerability with an unknown impact has been reported in PRADO.

Full Advisory:
http://secunia.com/advisories/15220/

--

[SA15219] Woltlab Burning Board JGS-Portal "id" SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-05-03

[R] has reported a vulnerability in the JGS-Portal module for Woltlab Burning Board, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15219/

--

[SA15208] eSKUeL "ConfLangCookie" and "lang_config" Local File Inclusion

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2005-05-04

Gerardo Di Giacomo has reported two vulnerabilities in eSKUeL, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/15208/

--

[SA15206] BirdBlog BB Code Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-05-03

A vulnerability has been reported in BirdBlog, which potentially can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/15206/

--

[SA15181] ViArt Shop Enterprise Cross-Site Scripting and Script Insertion

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-05-02

Lostmon has reported some vulnerabilities in ViArt Shop Enterprise, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks.

Full Advisory:
http://secunia.com/advisories/15181/

--

[SA15226] OpenView Event Correlation Services Unspecified Vulnerabilities

Critical:    Moderately critical
Where:       From local network
Impact:      DoS, System access
Released:    2005-05-03

Some vulnerabilities have been reported in OpenView Event Correlation Services, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15226/

--

[SA15223] OpenView Network Node Manager Unspecified Vulnerabilities

Critical:    Moderately critical
Where:       From local network
Impact:      DoS, System access
Released:    2005-05-03

Some vulnerabilities have been reported in HP OpenView Network Node Manager (OV NNM), which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15223/

--

[SA15218] Web Crossing "webx" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-05-03

Dr_insane has reported a vulnerability in Web Crossing, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/15218/

--

[SA15215] Symantec Products ICMP Handling Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-05-03

Symantec has acknowledged some security issues in various products, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15215/

--

[SA15235] GraphicsMagick PNM Image Decoding Buffer Overflow Vulnerability

Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2005-05-03

A vulnerability has been reported in GraphicsMagick, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15235/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

From isn at c4i.org Thu May 5 14:20:58 2005
From: isn at c4i.org (InfoSec News)
Date: Thu May 5 14:32:48 2005
Subject: [ISN] Security, wireless continue to attract investors' money
Message-ID: 

http://www.networkworld.com/news/2005/050405-moneytree.html

By Cara Garretson
Network World Fusion
05/04/05

Most networking start-ups that received venture capital during the first quarter of 2005 focus on tried-and-true technology, underlining investors' continued apprehension to place risky bets on companies in this sector.

According to a special slice done for Network World of the MoneyTree Survey by PricewaterhouseCoopers (PwC), Thomson Venture Economics and the National Venture Capital Association, 335 companies in networking and related sectors received funding during the first quarter, totaling $2 billion. That's down slightly from 2004's fourth-quarter level of 353 companies totaling $2.1 billion.

For purposes of this report, the networking industry is defined as companies in telecommunications, networking, software, computer and peripherals.

The networking segment "has got a pretty steady-course track record over the last couple years that suggests sustained investments," says Tracy Lefteroff, global managing partner of PwC's venture capital and private equity practice. "The sector is not going away, and is poised to pick up."

Areas where investors put their money in the first quarter echoed the trends of the last few years, says Lefteroff. Those areas include just about anything related to security, as well as wireless communications, e-commerce systems and network management and infrastructure.

The first quarter's largest deal was a $108 million investment in anti-spyware maker WebRoot, led by Technology Crossover Ventures, Accel Partners and Mayfield, providing evidence that the security sector continues to be a main attraction for investors.

Other top investments of the quarter include $32 million in CEH Holdings, an early-stage maker of Internet commerce services, and $30 million in CSM Wireless, an outsourcer of wireless data translation.

Despite this continuation of investment trends during the first quarter, some venture capitalists say there are interesting new areas within the networking market that will be worth exploring this year. The convergence of wireless and VoIP networks, as well as the meshing of entertainment and media, will drive the need for innovative start-ups that can produce technology to support these trends, says Lefteroff.

While the MoneyTree Survey reports that investments in networking companies remained flat over the past few years, another venture capital report issued last week detailed an uptick in deals involving communications companies. The Quarterly Venture Capital Report by VentureOne and Ernst & Young, released late last month, tracked 68 investments in communications companies during the first quarter of 2005, a level that hasn't been reached in over two years. This discrepancy among reports is likely caused by differing definitions of the communications sector.
From isn at c4i.org Thu May 5 14:21:29 2005
From: isn at c4i.org (InfoSec News)
Date: Thu May 5 14:32:51 2005
Subject: [ISN] [HUMOR] Arizona Man Steals Bush's Identity, Vetoes Bill, Meets With Mexican President
Message-ID: 

http://www.theonion.com/news/index.php?issue=4118

The Onion
VOLUME 41 ISSUE 18
4 MAY 2005

WASHINGTON, DC - Confusion and disbelief reigned at the White House after President Bush announced Monday that an Arizona man, known to authorities only as H4xX0r1337, stole his identity and used it to buy electronic goods, veto a bill, and meet with Mexican President Vicente Fox.

"This is incredibly frustrating," Bush told reporters Tuesday. "Not only does this guy have my credit-card information, he has my Social Security number, all my personal information, and the launch codes for a number of ballistic intercontinental nuclear missiles. I almost don't want to think about it."

"I feel so violated," Bush added.

Bush said he has canceled his credit cards and changed the national-security codes, but he labeled the process a "total nightmare."

"It's a huge ordeal," Bush said. "Everything will be straightened out eventually, but my credit rating and political capital are down the tubes. I asked the FBI, and they aren't even sure how long this guy's had my identity. For all I know, he's started up his own oil refinery somewhere in Alaska."

Bush said he began to suspect something was wrong when he received a card from Sen. Bill Frist, thanking him for vetoing the Digital Media Consumers' Rights Act of 2005.

"I thought I was going crazy," Bush said. "I had no recollection of even reading that piece of legislation, much less killing it. At first, I thought Frist had things mixed up, but I checked the records, and sure enough, someone with my credentials came into the White House in late March while I was on my ranch and vetoed that bill."

Bush said he only recognized the full magnitude of the problem last Tuesday, when Mexican President Fox called to thank him for the "incredibly positive and productive summit."

"Vicente said I had agreed to an aid package for his country," Bush said. "It was like I was in cuckoo-land. That's when I called [FBI Director Robert] Mueller. I said, 'You may want to sit down for this one, Bob. I think someone stole my identity.'"

According to Mueller, examining Bush's recent outgoing e-mail led him to believe that the president's identity was probably stolen about five weeks ago, when he responded to an e-mail from paypal783@hotmail.com asking him to comply with PayPal security measures by entering all 12 of his credit-card numbers, his Social Security number, his passwords, and his personal identification numbers.

"It appears that the president is among the many thousands of Americans who have fallen for so-called 'phishing' scams," Mueller said. "One should never give out sensitive personal information in response to an e-mail. If the president had read the memo we sent out a few months ago, he would have known that."

Although the FBI has traced H4xX0r1337's now-defunct ISP account to a Mail Boxes, Etc. mailbox in Tempe, AZ, Mueller said apprehending H4xX0r1337 may prove more difficult.

"Identity thieves and hackers are notoriously difficult to locate," Mueller said. "They are often highly intelligent and very skilled at covering their tracks. Making it more difficult, H4xX0r1337 seems to have used his credentials to commandeer Air Force One. At this moment, he could be anywhere in the world."

Bush said he will likely need to spend the entire week reclaiming his identity, adding that he wished to thank everyone who has already assisted him in the process.

"The FBI has been working tirelessly to find this man who hides in the shadows and perpetrates computer terrorism," Bush said. "I'd also like to thank Debrina at Bank One's customer-service center. She was very courteous and super helpful."

This is not the first time a hacker has stolen the identity of a political figure. In February 2004, police arrested Columbus, OH's HotGrrrl69 after the 16-year-old was caught campaigning for John Kerry while posing as Sen. Barbara Boxer (D-CA).

From isn at c4i.org Fri May 6 09:16:27 2005
From: isn at c4i.org (InfoSec News)
Date: Fri May 6 09:28:44 2005
Subject: [ISN] Microsoft revamps security hole approach
Message-ID: 

http://www.techworld.com/security/news/index.cfm?NewsID=3612

By Matthew Broersma
Techworld
06 May 2005

Microsoft has a new security service that will provide an immediate response when researchers publicise unpatched vulnerabilities.

The pilot programme run by the Microsoft Security Research Center (MSRC) and called simply Microsoft Security Advisories, complements the monthly scheduled Security Bulletins ordinarily accompanied by patches. Unlike the bulletins though, advisories will not have to meet any fixed schedule, being issued instead as soon as possible after a vulnerability is disclosed, Microsoft said.

The advisories will be used to address various issues arising between the monthly bulletins, including vulnerability disclosures and phishing scams.

The advisories "will address security changes that may not require a security bulletin but that may still impact customers' overall security," said Nick McGrath, Microsoft's head of platform strategy. "Customers have told us that they want more prescriptive and timely guidance on security issues."

In the past, Microsoft has limited its detailed comments to the monthly bulletins, responding to other issues with short statements. A noticeable shift came last month when MSRC programme manager Stephen Toulouse used the MSRC blog to discuss a flaw that had been disclosed in Windows 2000 systems. Typically, Microsoft uses such discussions to downplay the severity of unpatched flaws.
The advisory system is the latest development in an ongoing debate over how software vendors and security researchers should balance the need for users to be aware of vulnerabilities with the need for discretion. Microsoft has criticised security researchers for discussing flaws before a patch has been released. For their part, many researchers have said they only disclose vulnerability information if they are unable to convince Microsoft to take action.

From isn at c4i.org Fri May 6 09:18:01 2005
From: isn at c4i.org (InfoSec News)
Date: Fri May 6 09:28:47 2005
Subject: [ISN] How Broad a Data Breach Disclosure Law?
Message-ID: 

http://www.internetnews.com/bus-news/article.php/3502781

By Roy Mark
May 5, 2005

WASHINGTON -- And now for the hard part: just how would a national data breach disclosure law work? With bills now in the House and the Senate that would force data brokers and financial institutions to inform consumers of a breach, Congress is looking at the nitty-gritty details of the legislation.

"One of my concerns, given the dramatic rise in recent reports on data breaches, is there will be a headlong rush for notification in every instance," House Financial Services Committee Chairman Michael Oxley (R-Ohio) said at a Capitol Hill hearing.

The problem, Oxley suggested, is overkill.

"When no evidence surfaces to indicate their information has been misused, consumers may begin to ignore those notices as just that many more pieces of unsolicited junk mail," he said.

According to Oxley, only a small percentage of the highly publicized cases of data breaches have actually resulted in any fraudulent activity.

For example, Bank of America recently revealed that data backup tapes containing more than a million records were lost during transport to a backup data center. A total of 15 tapes were shipped to the data center with five disappearing. Two of the lost tapes included customer information while the other three tapes held non-sensitive, backup software.

"As to the tapes themselves, sophisticated equipment, software and operator expertise are all required to access the information," said Barbara Desoer of Bank of America. "In addition, specific knowledge of the manner in which the data is stored, that is, the fragmented nature of the data and the steps required to reassemble it would be required."

Desoer said the Secret Service has informed Bank of America that no evidence exists to indicate the tapes were wrongfully accessed or their content compromised.

Nevertheless, Desoer said, Bank of America supports a national disclosure law.

"Our recent actions demonstrate our belief that customers have a right to know when there is reason to believe that their information may have been compromised," she said.

Data broker ChoicePoint, which has also suffered embarrassing data breaches, also threw its support to a national law.

"We support a pre-emptive national law that would provide for notification to consumers and a single law enforcement point of contact when personally identifiable information has fallen into inappropriate hands," Don McGuffy, a ChoicePoint senior vice president, said.

The breach disclosure bills in the House and Senate are based on California's new legislation, which requires a business or government agency to notify an individual in writing or by e-mail when it is believed that unencrypted personal information has been compromised.

Sen. Diane Feinstein's bill goes beyond the California law to include encrypted data and allows individuals to put a seven-year fraud alert on their credit report. The legislation proposes a $1,000 per individual civil fine for failure to notify or not more than $50,000 per day while the failure to notify continues.
From isn at c4i.org Fri May 6 09:18:41 2005
From: isn at c4i.org (InfoSec News)
Date: Fri May 6 09:28:50 2005
Subject: [ISN] Linux Advisory Watch - May 6th 2005
Message-ID: 

+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|  May 6th, 2005                             Volume 6, Number 18a     |
+---------------------------------------------------------------------+

  Editors:     Dave Wreski                 Benjamin D. Thomas
               dave@linuxsecurity.com      ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, perhaps the most interesting articles include ethereal, prozilla, smartlist, kdewebdev, wireless-tools, gimp, bootparamd, tcpdump, kdelibs, vte, php, words, util-linux, lapack, gnuutils, and glibc. The distributors include Conectiva, Debian, Fedora, Gentoo, and Red Hat.

---

## Internet Productivity Suite: Open Source Security ##

Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design.

Click to find out more!
http://store.guardiandigital.com/html/eng/products/software/ips_overview.shtml

---

Review: The Book of Postfix: State-of-the-Art Message Transport

By: Pete O'Hara

I was very impressed with "The Book of Postfix" by authors Ralf Hildebrandt and Patrick Koetter and feel that it is an incredible Postfix reference. It gives a great overall view of the operation and management of Postfix in an extremely systematic and practical format. It flows in a logical manner, is easy to follow and the authors did a great job of explaining topics with attention paid to real world applications and how to avoid many of the associated pitfalls. I am happy to have this reference in my collection.

The authors have taken the time to clearly answer the key questions that are of real practical value. There is no excessive or superfluous material here that, although it may be good to know, would divert attention from the topic of configuring a solid MTA. The book is very well focused and the authors' hard work is obvious. There are sections where someone else may have left good enough alone but they went the extra mile to make sure that this book answered the important questions fully.

"The Book of Postfix" starts with "A Postmaster's Primer To Email" and continues through all of the key topics in a sensible progression so that even if you are fairly new to administering email you are taught in a sequential manner that promotes understanding. The comprehensive list of topics encompasses single and multiple domain servers, dial-ups, SMTP restrictions, internal and external content filters, mail gateways, SMTP proxy, SMTP authentication, SASL, LDAP, SQL integration, Transport Layer Security, chroots, rate limiting, performance tuning, and troubleshooting. It covers a good amount of ground.

The numerous "NOTE" and "CAUTION" sections provide great additional detail to real world scenarios that I found extremely relevant and useful. For each topic there is also an invaluable "TESTING" section so that you can verify for yourself that you are in fact getting the expected behavior. The imperative topic of security is always kept in mind in the configurations and the accompanying diagrams and flow charts do an excellent job of enhancing the text and providing extra clarity.

Read complete review:
http://www.linuxsecurity.com/content/view/119027/49/

----------------------

Measuring Security IT Success

In a time where budgets are constrained and Internet threats are on the rise, it is important for organizations to invest in network security applications that will not only provide them with powerful functionality but also a rapid return on investment. In most organizations IT success is generally calculated through effectiveness, resource usage and, most importantly, how quickly the investment can be returned. To correctly quantify the ROI of information technology, organizations usually measure cost savings and increased profits since the initial implementation. Additionally, ROI can also be affected based on the overall impact the investment has on employee productivity and overall work environment of the company.

http://www.linuxsecurity.com/content/view/118817/49/

---

Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, therefore very simple. If the feedback is good, I'll consider creating more complex guides for advanced users. Please let us know what you think and how these can be improved.

Click to view video demo:
http://www.linuxsecurity.com/content/view/118181/49/

---

The Tao of Network Security Monitoring: Beyond Intrusion Detection

To be honest, this was one of the best books that I've read on network security. Other books often dive so deeply into technical discussions, they fail to provide any relevance to network engineers/administrators working in a corporate environment. Budgets, deadlines, and flexibility are issues that we must all address. The Tao of Network Security Monitoring is presented in such a way that all of these are still relevant.
One of the greatest virtues of this book is that it offers real-life technical examples, while backing them up with relevant case studies.

http://www.linuxsecurity.com/content/view/118106/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Conectiva        | ----------------------------//
+---------------------------------+

* Conectiva: kernel Kernel update
  2nd, May, 2005

The Linux kernel is responsible for handling the basic functions of the GNU/Linux operating system.

http://www.linuxsecurity.com/content/view/119036

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New ethereal packages fix buffer overflow
  28th, April, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119006

* Debian: New prozilla packages fix arbitrary code execution
  28th, April, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119007

* Debian: New ethereal packages fix buffer overflow
  28th, April, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119009

* Debian: New smartlist packages fix unauthorised un/subscription
  3rd, May, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119045

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Core 3 Update: kdewebdev-3.3.1-2.1
  28th, April, 2005

Updated package

http://www.linuxsecurity.com/content/view/119013

* Fedora Core 3 Update: wireless-tools-27-2.2.0.fc3
  28th, April, 2005

Fix iwlist command for devices that need more time to scan all their channels (ie Atheros 5212abg cards)

http://www.linuxsecurity.com/content/view/119016

* Fedora Core 3 Update: spamassassin-3.0.3-3.fc3
  29th, April, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119020

* Fedora Core 3 Update: gimp-2.2.6-0.fc3.2
  30th, April, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119025

* Fedora Core 3 Update: bootparamd-0.17-19.FC3
  2nd, May, 2005

Updated package

http://www.linuxsecurity.com/content/view/119032

* Fedora Core 3 Update: tcpdump-3.8.2-8.FC3
  2nd, May, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119033

* Fedora Core 3 Update: kdelibs-3.3.1-2.12.FC3
  2nd, May, 2005

A buffer overflow was found in the kimgio library for KDE 3.3.1. An attacker could create a carefully crafted PCX image in such a way that it would cause kimgio to execute arbitrary code when processing the image.

http://www.linuxsecurity.com/content/view/119034

* Fedora Core 3 Update: vte-0.11.13-1.fc3
  2nd, May, 2005

A whole bunch of upstream fixes for speed, rendering glitches and memory use reduction.

http://www.linuxsecurity.com/content/view/119037

* Fedora Core 3 Update: perl-5.8.5-12.FC3
  2nd, May, 2005

Security and packaging fixes.

http://www.linuxsecurity.com/content/view/119038

* Fedora Core 3 Update: php-4.3.11-2.5
  3rd, May, 2005

This update fixes a compatibility issue between the PHP "snmp" extension (in the php-snmp package) and the recent upgrade of the net-snmp library to version 5.2.1

http://www.linuxsecurity.com/content/view/119044

* Fedora Core 3 Update: policycoreutils-1.18.1-2.12
  3rd, May, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119046

* Fedora Core 3 Update: words-3.0-2.3
  4th, May, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119052

* Fedora Core 3 Update: util-linux-2.12a-24.1
  4th, May, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119053

* Fedora Core 3 Update: system-config-bind-4.0.0-11
  4th, May, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119054

* Fedora Core 3 Update: dhcp-3.0.1-42_FC3
  4th, May, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119055

* Fedora Core 3 Update: lapack-3.0-26.fc3
  5th, May, 2005

This update fixes problems in some lapack libraries (problems with compiler optimization). This version contains all patches present in the fc4 lapack version.

http://www.linuxsecurity.com/content/view/119060

* Fedora Core 3 Update: system-config-bind-4.0.0-12
  5th, May, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119061

* Fedora Core 3 Update: gnutls-1.0.20-3.1.1
  5th, May, 2005

New gnutls version fixes CAN-2005-1431 problem (possible DOS attack)

http://www.linuxsecurity.com/content/view/119062

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: Heimdal Buffer overflow vulnerabilities
  28th, April, 2005

Buffer overflow vulnerabilities have been found in the telnet client in Heimdal which could lead to execution of arbitrary code.

http://www.linuxsecurity.com/content/view/119008

* Gentoo: Pound Buffer overflow vulnerability
  30th, April, 2005

Pound is vulnerable to a buffer overflow that could lead to the remote execution of arbitrary code.

http://www.linuxsecurity.com/content/view/119022

* Gentoo: eGroupWare XSS and SQL injection vulnerabilities
  30th, April, 2005

eGroupWare is affected by several SQL injection and cross-site scripting (XSS) vulnerabilities.

http://www.linuxsecurity.com/content/view/119023

* Gentoo: phpMyAdmin Insecure SQL script installation
  30th, April, 2005

phpMyAdmin leaves the SQL install script with insecure permissions, potentially leading to a database compromise.

http://www.linuxsecurity.com/content/view/119024

* Gentoo: Horde Framework Multiple XSS vulnerabilities
  1st, May, 2005

Various modules of the Horde Framework are vulnerable to multiple cross-site scripting (XSS) vulnerabilities.

http://www.linuxsecurity.com/content/view/119026

* Gentoo: Oops! Remote code execution
  5th, May, 2005

The Oops! proxy server contains a remotely exploitable format string vulnerability, which could potentially lead to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/119063

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Low: glibc security update
  28th, April, 2005

Updated glibc packages that address several bugs are now available. This update has been rated as having low security impact by the Red Hat

http://www.linuxsecurity.com/content/view/119010

* RedHat: Important: kernel security update
  28th, April, 2005

Updated kernel packages are now available as part of ongoing support and maintenance of Red Hat Enterprise Linux version 2.1. This is the seventh regular update. This security advisory has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/119011

* RedHat: Important: kernel security update
  28th, April, 2005

Updated kernel packages are now available as part of ongoing support and maintenance of Red Hat Enterprise Linux version 2.1 for 64-bit architectures. This is the seventh regular update. This security advisory has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/119012

* RedHat: Important: Mozilla security update
  28th, April, 2005

Updated Mozilla packages that fix various security bugs are now available. This update has been rated as having Important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/119014

* RedHat: Moderate: PHP security update
  28th, April, 2005

Updated PHP packages that fix various security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/119015

* RedHat: Low: nasm security update
  4th, May, 2005

An updated nasm package that fixes multiple security issues is now available. This update has been rated as having low security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/119049

* RedHat: Moderate: evolution security update
  4th, May, 2005

Updated evolution packages that fix various security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/119050

* RedHat: Moderate: PHP security update
  4th, May, 2005

Updated PHP packages that fix various security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/119051

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon May 9 04:23:56 2005
From: isn at c4i.org (InfoSec News)
Date: Mon May 9 04:36:00 2005
Subject: [ISN] Whoops! We Seem to Have Misplaced Your Identity
Message-ID: 

Forwarded from: William Knowles

http://www.nytimes.com/2005/05/08/business/08digi.html

By RANDALL STROSS
Published: May 8, 2005

THE diesel-powered utility van is the unappreciated speed demon of the digital age. Even lumbering along city streets in stop-and-go traffic, it can move a trillion bytes of corporate data across town far faster than if they were sent across the Internet.

The homely Ford Econoline 350 is the workhorse of Iron Mountain, the dominating presence in the off-site data protection business.
Its customers include more than three-fourths of Fortune 500 companies, and it had revenue of $1.82 billion last year, earned largely out of public sight as its unmarked vans shuttled among the back-office operations of its clients. Last week, however, Iron Mountain lost the luxury of going about its rounds invisibly. Time Warner, one of its clients, disclosed that personal information - including names and Social Security numbers for 600,000 current and former employees - had gone missing six weeks earlier while in the care of an unnamed "leader in data storage." The data had been, in fact, in an Iron Mountain van, and the few details about the incident that it and Time Warner have grudgingly divulged - such as the fact that the pick-up at Time Warner was 1 of 19 the van made bouncing around Manhattan on the fateful day - raise all sorts of questions. To begin with, why would such sensitive information be handled less like a guard-this-with-your-life briefcase entrusted to Brinks than like a fungible bundle handed to the Dy-Dee Diaper Service? Why was the data unencrypted? And why were trucks involved at all? Why wasn't the backup done via a secure online connection, an option that Iron Mountain offers as well as physical pickup? Why doesn't Iron Mountain eliminate the risk of midroute problems and retire its fleet of Econolines? Time Warner blamed Iron Mountain for the potential breach of confidential employee information and would say nothing more about the event. Its tapes were last seen on Iron Mountain's vans, so its position is that it's Iron Mountain's responsibility; end of discussion. Iron Mountain, for its part, gallantly declined to take Time Warner to task. It could have done so by saying how foolish Time Warner had been to send out sensitive personnel files in unencrypted form. Then again, Iron Mountain itself had failed to advise clients to encrypt files until April 21, when it issued a press release on the subject. 
This was too late to help Time Warner, whose tapes had disappeared a month earlier. Time Warner has now publicly vowed to floss regularly and encrypt always. Iron Mountain has adopted a scattershot approach in its public appeal for exoneration. Disappearing tapes - what its chief executive, C. Richard Reese, calls "inadvertent disclosures" - are a rare problem: 12 instances for every five million pick-ups or deliveries. Mr. Reese said he viewed the rarity of error as exemplary. Jim Stickley, one of the founders and the chief technical officer of Trace Security, a consulting firm based in Baton Rouge, La., is not impressed: "Imagine the Secret Service said that about presidents: 'Well, we protected most of them.' " Another argument pressed by Iron Mountain is that it knows of no instance when the loss of tapes has "resulted in the unauthorized access of personal information." Then again, have previous problems involved tapes filled with 600,000 names and matching Social Security numbers thoughtfully left unencrypted? Iron Mountain also takes too much comfort in the fact that the missing tapes are labeled only with a bar code. The company reasons that a thief in search of Time Warner's employees would not know which van to hit and which tapes to grab. But why assume a crime of planning and cunning? If the tapes landed accidentally in the hands of someone, who knew someone with the technical competence to take a look at their contents - in unencrypted form, not a difficult feat - what person of ill motive would toss aside those 600,000 names and Social Security numbers? Iron Mountain's best defense is that its reliance on trucks, which must be loaded and unloaded by all-too-fallible humans, is unavoidable for technical reasons. Online backups are not feasible for large companies, given the sheer mass of data, which has grown faster than the bandwidth of corporate Internet connections. Illustrative numbers provided by Iron Mountain would seem to settle the question. 
Consider a customer with 22,500 gigabytes (22.5 terabytes) of data that need to be ready for recovery from a disaster. Compressed - and, one hopes, encrypted - these fit onto 300 backup tapes, easily transported by the Econoline. Now consider the challenge of alternatively moving that data over the wire. Even with a pair of OC3 lines, each with 250 times the bandwidth of a home broadband connection, you would need more than 82 hours to send one set - though let's not forget that 8 to 10 hours are saved because tapes do not have to be created. And if disaster were to strike, it would take 82 hours to send these terabytes back over the wire for restoration. That's why "we're not driving the truck out of the equation," Mr. Reese said. The example, however, best matches a picture in which the computing resources of the largest corporation consist of a single mainframe, all of its many terabytes of data concentrated in one place, susceptible to a single disaster. Bud Stoddard, the chief executive of AmeriVault, a rival company based in Boston that offers online backup services, says corporate data is distributed across thousands of servers and desktops. "Disasters happen every day, but they hit a server, or a department, or a building," he said. "They do not take out an enterprise's total data set." His company - as well as Iron Mountain - offers online disaster protection by copying data via the Internet to off-site servers. This eliminates the problem of limited bandwidth, as only incremental changes to a file, not the entire file, need to be sent. It also eliminates another potential problem: a faulty tape, discovered only when it is needed for restoration. Because of falling storage and bandwidth costs, it's now economically feasible to prepare for disaster by going digital instead of diesel, using a secure Internet connection to make an offsite mirror image of a corporation's vital data. 
And should catastrophe strike, a company need not wait hours or days for its backup data to return by wire: AmeriVault can load 500 gigabytes of backed-up data onto a portable drive, then speed it to a client. For that rare emergency, the trusty Econoline can be summoned for duty. Had Time Warner used the Internet to back up its data, the company would not now find itself reassuring its millions of subscribers - 21.7 million on AOL alone - that only employee information was in the missing tapes. The company has offered to the individuals listed in the database a one-year subscription to Equifax's Credit Watch service. Iron Mountain has not stepped forward to pick up the bill. It adheres to the same view as photo processors: if something goes wrong when your film is in their possession, they'll replace the film, but they take no responsibility for the lost photos. "Under standard liability, we are not responsible for the information stored on the tape," said Melissa Burman, an Iron Mountain spokeswoman. "That's because we never know what information is stored on any particular backup tape." But when a missing tape could expose hundreds of thousands of people to identity theft through no fault of their own, many of whom may retain lawyers happy to work on contingency, Iron Mountain and similar companies are probably glad they never know the contents. This unfortunate event, seemingly similar to a long list of recently revealed security incidents involving other companies and organizations, should stand apart for one reason: it could have been avoided so easily. It would have been a nonevent had Time Warner encrypted its personnel files before shipping them. Mr. Stickley of Trace Security advocates making encryption a matter of law: "The government should be stepping in and say, 'You must encrypt information that can ruin people's lives,' " he said. "It's that simple." -=- Randall Stross is a historian and author based in Silicon Valley. 
E-mail: ddomain (at) nytimes.com *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* From isn at c4i.org Mon May 9 04:24:09 2005 From: isn at c4i.org (InfoSec News) Date: Mon May 9 04:36:02 2005 Subject: [ISN] Michigan State's Wharton Center says computer security breached Message-ID: http://www.freep.com/news/statewire/sw115435_20050506.htm May 6, 2005, 11:39 AM EAST LANSING, Mich. (AP) -- Michigan State University has warned more than 40,000 Wharton Center patrons that a hacker broke into a computer server involved in credit card processing for the performing arts venue. But so far, there has been no indication that credit card data was stolen. "There's no definitive evidence that credit card data was accessed or copied," Kent Love, Wharton Center spokesman, told the Lansing State Journal for a Friday story. The letter was sent to Wharton visitors who used their credit cards as far back as September 2003. Love said the intrusion, which is under investigation, was discovered April 26. -=- EDITOR'S NOTE -- For additional information on the security breach, visit the Wharton Center Web site at http://whartoncenter.com and scroll down to the "Information Intrusion FAQ." From isn at c4i.org Mon May 9 04:24:30 2005 From: isn at c4i.org (InfoSec News) Date: Mon May 9 04:36:05 2005 Subject: [ISN] Google's Accelerator Breaks Web Apps, Security Message-ID: http://www.eweek.com/article2/0,1759,1813761,00.asp By Matt Hicks May 6, 2005 Google's effort to speed the pace of Web browsing quickly aggravated some early users, who say that the software is delivering them Web pages under other users' logins and breaking Web applications. 
Google Inc.'s Web Accelerator application, launched as a test on Wednesday, uses a combination of local and server-based caching and preloading of Web pages to more quickly serve Web pages to a user's browser. Google's servers, in many ways, act as an intermediary between Web sites and a user's browser. But Google's approach has had some unintended consequences. Google officials Friday confirmed that the company was aware of as many as five sites where Web Accelerator was returning users cached pages under other people's user names. The Mountain View, Calif.-based company has stopped caching pages from those sites, said Marissa Mayer, Google's director of consumer Web. Users of some smaller Web forum sites have complained in online postings that they began receiving Web pages which displayed other people's user names after downloading Web Accelerator. The forum site, Somethingawful.com [1], was among those warning its users to avoid Web Accelerator because of reports that pages from other users' logins were exposed. "It is an unfortunate problem, but it looks worse than it is," Mayer said. "We are caching those pages on the server side with the user name on them. You see it, but it's important to point out that you are not logged in as user and you do not have the session cookies needed to perform operations as [that] user." Mayer said the problem stemmed from the way some sites have implemented their HTTP cache-control headers, which provide information such as language preferences to a browser. Google uses those headers to determine whether a page is meant for an individual user, in which case it would not live on its servers, Mayer said. Google plans to notify the Webmasters of the affected sites about the need to fix their cache-control headers as well as work on a solution within Web Accelerator, Mayer said. Web Accelerator already prevented secure sites using the HTTPS protocol, such as online banking and e-mail sites, from being cached. 
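The leak Mayer describes is the shared-cache problem in miniature: a page rendered for one logged-in user is stored by a cache that sits between many users and the site, then handed to the next requester. The following is an added example, not Google's or any forum's code, with a simplified version of the HTTP shared-cache rules and two constructed origins: a forum page with no Cache-Control at all, and the same page marked `private, no-store`.

```python
"""Shared-cache storage decision for personalized pages (added example)."""
from typing import Callable, Dict, Tuple

Response = Tuple[int, Dict[str, str], str]  # (status, headers, body)


def parse_cache_control(value: str) -> Dict[str, str]:
    """Parse a Cache-Control header into a lowercase directive -> argument map."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def shared_cache_may_store(status: int, headers: Dict[str, str]) -> bool:
    """Simplified HTTP caching rule for a *shared* cache (proxy, ISP, accelerator).

    private / no-store forbid storage outright; a response that sets a cookie is
    stored only when the origin explicitly marks it public or gives it s-maxage;
    otherwise explicit freshness (max-age, s-maxage, Expires) or a status that is
    cacheable by default (heuristic freshness) allows storage.
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return False
    if "set-cookie" in h and "public" not in cc and "s-maxage" not in cc:
        return False
    if h.get("vary", "").strip() == "*":
        return False
    if "s-maxage" in cc or "max-age" in cc or "public" in cc or "expires" in h:
        return True
    return status in {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}


class SharedCache:
    """A cache between many users' browsers and one origin, keyed by URL only."""

    def __init__(self) -> None:
        self.store: Dict[str, str] = {}

    def fetch(self, url: str, user: str,
              origin: Callable[[str, str], Response]) -> Tuple[str, bool]:
        if url in self.store:
            return self.store[url], True          # served from cache, whoever asked
        status, headers, body = origin(url, user)
        if shared_cache_may_store(status, headers):
            self.store[url] = body
        return body, False


# Constructed origins; the logged-in user (normally taken from the session
# cookie) is modelled simply as the `user` argument.
def leaky_forum(url: str, user: str) -> Response:
    # Personalized page with no Cache-Control: a shared cache is allowed to keep it.
    return 200, {"Content-Type": "text/html"}, f"<p>Logged in as {user}</p>"


def fixed_forum(url: str, user: str) -> Response:
    # Same page marked private/no-store: only the user's own browser may keep it.
    return 200, {"Content-Type": "text/html",
                 "Cache-Control": "private, no-store"}, f"<p>Logged in as {user}</p>"


def second_user_sees(origin: Callable[[str, str], Response]) -> str:
    """alice loads the thread first; return what bob is then shown for the same URL."""
    cache = SharedCache()
    cache.fetch("/showthread.php", "alice", origin)
    body, _hit = cache.fetch("/showthread.php", "bob", origin)
    return body


if __name__ == "__main__":
    print("leaky:", second_user_sees(leaky_forum))   # bob is shown alice's page
    print("fixed:", second_user_sees(fixed_forum))   # bob gets his own page
```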
Web Accelerator's problems appear to extend beyond forum sites, though. Web-based software developer 37Signals LLC began blocking the program after discovering that it was initiating links which performed critical functions, such as account deletions, on 37Signals' Web applications. A few users complained about deleted accounts on 37Signals' Basecamp and Backpack applications, and the company traced the problem to Web Accelerator, said 37Signals President Jason Fried. To make matters worse, the problem occurred the same week that the Chicago-based company launched Backpack, a personal-information management application. "It was serious enough to frighten us, since we had just released a product and it coincided with Google's release," said Fried, who first wrote about the issue in his Weblog [2]. "We became aware of the Web Accelerator issue, and within 30 minutes of figuring it out we instituted a block." As for Web Accelerator's impact on Web applications, Mayer initially said that most of the reports she had seen appeared to be unsubstantiated. When informed about 37Signals' problems, she said that it is possible that some sites are not complying with a Web standard used by Web Accelerator. Web Accelerator ignores links where a question mark appears before the URL string in the HTML code. A question mark is usually included in a string to indicate personally identifiable information such as a user ID and would typically be used in a link that performs a function like a deletion, Mayer said. "The product is in beta," Mayer said. "It could be that our assumption around the question mark and the way sites comply with the standard is incorrect. If that is the case, then we'll have to redesign the prefetch algorithm." Fried acknowledged that the applications do not conform to all standards. For example, functions such as a deletion technically should be handled with buttons rather than links, he said. 
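Fried's point that deletions belong on buttons rather than links is the defensive core of this story: a prefetcher that issues GETs ahead of the user can only destroy data if a GET destroys data. The added example below (not 37Signals' or Google's code) runs a naive prefetcher, using the question-mark rule the article attributes to Web Accelerator, against a constructed account list in two designs: deletion wired to a plain link and accepted on GET, versus deletion behind a POST form with GET refused by the server.

```python
"""Why a link-following prefetcher can delete data (added example)."""
import re
from html.parser import HTMLParser
from typing import List, Set


class LinkExtractor(HTMLParser):
    """Collect every <a href> in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def prefetch_candidates(html: str) -> List[str]:
    """Links a naive prefetcher would GET ahead of the user.

    It skips URLs containing '?' (the heuristic described in the article) and
    follows everything else, because a plain link is assumed to be safe to GET.
    """
    parser = LinkExtractor()
    parser.feed(html)
    return [h for h in parser.hrefs if "?" not in h]


class AccountApp:
    """Toy account list. delete_on_get=True mirrors an app that wires deletion to a
    plain link; False is the hardened design (POST form, GET refused)."""

    def __init__(self, accounts: List[str], delete_on_get: bool) -> None:
        self.accounts: Set[str] = set(accounts)
        self.delete_on_get = delete_on_get

    def page(self) -> str:
        rows = []
        for name in sorted(self.accounts):
            if self.delete_on_get:
                rows.append(f'<li>{name} <a href="/accounts/{name}/delete">delete</a></li>')
            else:
                rows.append(f'<li>{name} <form method="post" action="/accounts/{name}/delete">'
                            f'<button>delete</button></form></li>')
        return '<a href="/help">help</a><ul>' + "".join(rows) + "</ul>"

    def handle(self, method: str, path: str) -> int:
        """Return an HTTP status for the request; only the delete route is modelled."""
        m = re.fullmatch(r"/accounts/([^/]+)/delete", path)
        if not m:
            return 404
        if method != "POST" and not self.delete_on_get:
            return 405  # state change refused on GET, whoever issued the request
        self.accounts.discard(m.group(1))
        return 200


def run_prefetcher(app: AccountApp) -> List[int]:
    """Simulate the accelerator fetching every candidate link of the page as a GET."""
    return [app.handle("GET", href) for href in prefetch_candidates(app.page())]


def remaining_after_prefetch(delete_on_get: bool) -> Set[str]:
    """Accounts that survive one prefetch pass over the account page."""
    app = AccountApp(["alice", "bob"], delete_on_get)
    run_prefetcher(app)
    return app.accounts


if __name__ == "__main__":
    print("delete via GET link:", remaining_after_prefetch(True))    # set()
    print("delete via POST form:", remaining_after_prefetch(False))  # {'alice', 'bob'}
```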
Google needs to recognize, however, that many sites use methods that vary from standards, he said. "To me, the real test here is not so much that Google may have made a mistake but how they respond to it," Fried said. "Are they going to call it a mistake or blame everyone else to [make them] build products the way they should be built in a perfect world?" For other users, Web Accelerator has caused a number of unwanted changes to their Web browsing. Mike Rumble, a Web programmer at U.K.-based Lawton Communications Group Ltd., said he downloaded Web Accelerator on Thursday and soon noticed that about one out of every 20 Web sites were failing to load. Instead, he was redirected to an error page from Web Accelerator, prompting him to try again or to search on Google. Rumble faced more trouble when he visited his Web-based e-mail account from Apple Computer Inc.'s .Mac service. He was continuously logged out of the account, something he blamed on Web Accelerator's preloading of pages. "After signing in it became impossible to get any use out of the service, as every click would lead back to a sign-in page," Rumble said in an e-mail interview. "It appears that the Web Accelerator's prefetching mechanism was signing me out of the service as soon as I had signed in, by 'clicking' on the sign-out link and killing my session." Rumble, who regularly tries out new software for his office, said he decided to disable Web Accelerator because he feared that it could also wreak havoc on his company's Web-based content management system. "Google Web Accelerator appears to be a poorly executed, potentially destructive product," he said. Similar sentiments to Rumble's have been shared in blog postings and online forums across the Web, though other users have said that they are finding that Web Accelerator is saving them time in their Web browsing. 
To Mayer, part of the backlash against Web Accelerator likely is a result of Google sitting in the middle between users' browsers and Web sites. By caching Web pages on Google's servers, Web Accelerator is following caching methods already in use by ISPs and by many corporate firewalls, Mayer said. But Google is making that activity more visible to users, who often are not aware that their employers or ISP may be serving them earlier versions of a Web page. "It does break the paradigm of how people are used to browsing," Mayer said. "It does change the experience slightly in little ways, and it's worth the tradeoff." [1] http://forums.somethingawful.com/showthread.php?s=935a9fdceab9656b2c04f964336ec06c&threadid=1550986 [2] http://www.37signals.com/svn/ From isn at c4i.org Tue May 10 03:16:13 2005 From: isn at c4i.org (InfoSec News) Date: Tue May 10 03:27:00 2005 Subject: [ISN] Linux Security Week - May 9th 2005 Message-ID: +---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | May 9th, 2005 Volume 6, Number 20n | | | | Editorial Team: Dave Wreski dave@linuxsecurity.com | | Benjamin D. Thomas ben@linuxsecurity.com | +---------------------------------------------------------------------+ Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. This week, perhaps the most interesting articles include "Why Snort makes IDS worth the time and effort," "Five Linux Security Myths You Can Live Without," and "Backups tapes a backdoor for identity thieves." --- ## Internet Productivity Suite: Open Source Security ## Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. 
Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design. Click to find out more! http://store.guardiandigital.com/html/eng/products/software/ips_overview.shtml --- LINUX ADVISORY WATCH This week, perhaps the most interesting articles include ethereal, prozilla, smartlist, kdewebdev, wireless-tools, gimp, bootparamd, tcpdump, kdelibs, vte, php, words, util-linux, lapack, gnuutils, and glibc. The distributors include Conectiva, Debian, Fedora, Gentoo, and Red Hat. http://www.linuxsecurity.com/content/view/119064/150/ --- Review: The Book of Postfix: State-of-the-Art Message Transport I was very impressed with "The Book of Postfix" by authors Ralf Hildebrandt and Patrick Koetter and feel that it is an incredible Postfix reference. It gives a great overall view of the operation and management of Postfix in an extremely systematic and practical format. It flows in a logical manner, is easy to follow and the authors did a great job of explaining topics with attention paid to real world applications and how to avoid many of the associated pitfalls. I am happy to have this reference in my collection. http://www.linuxsecurity.com/content/view/119027/49/ --- Introduction: Buffer Overflow Vulnerabilities Buffer overflows are a leading type of security vulnerability. This paper explains what a buffer overflow is, how it can be exploited, and what countermeasures can be taken to prevent the use of buffer overflow vulnerabilities. http://www.linuxsecurity.com/content/view/118881/49/ --- Getting to Know Linux Security: File Permissions Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, therefore very simple. 
http://www.linuxsecurity.com/content/view/118181/49/ -------- >> The Perfect Productivity Tools << WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected. http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05 --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------+ | Security News: | <<-----[ Articles This Week ]---------- +---------------------+ * Review: Deep Inspection Firewalls 6th, May, 2005 If it were on public display, this portion of our Firewall Blowout would be the geek equivalent of the Chicago Auto Show. Our Chicago Neohapsis partner labs focused on the muscle cars: enterprise-class, gigabit-capable network firewall appliances and turnkey systems that support high-availability stateful failover, VPNs and centralized management as well as DI (deep inspection), which we define as having the ability not only to perform stateful packet filtering, but also to inspect packet payloads higher up the OSI model using specific attack signatures and Layer 7 protocol engines. http://www.linuxsecurity.com/content/view/119072 * In praise of Gentoo 2nd, May, 2005 On the server end, you get the best release schedule in the business for security updates and bug fixes. On the desktop, you get the latest and greatest packages (if you enable 'beta' packages to be used) like KDE 3.4 (which I'm running), X.org with awesome openGL support, and a nicely compiled nvidia driver. Wonderful. Absolutely wonderful. http://www.linuxsecurity.com/content/view/119029 * From Operating System to Application: Web Survey Looks at Malware Trends 5th, May, 2005 "Two years ago, this list was dominated completely by weaknesses in operating systems," said SANS Institute Director of Research Alan Paller. 
"Now we're seeing more and more vulnerabilities in applications being exploited." The data also reveal that, for the first time, some security and anti-virus software is vulnerable to hackers, creating a dangerous high-level backdoor into users' systems. http://www.linuxsecurity.com/content/view/119058 * Report: IT shops lax about logging 3rd, May, 2005 If a new report from the SANS Institute is any indication, enterprises are jeopardizing security by taking a sloppy approach to log keeping. As a result, the report recommends some companies abandon home-grown logging systems in favor of commercial tools or simply outsource the task. http://www.linuxsecurity.com/content/view/119043 * Why Snort makes IDS worth the time and effort 5th, May, 2005 The decision of whether to implement an intrusion-detection system (IDS) is a complicated one. Unfortunately, IDS has a well-deserved reputation for requiring a lot of "care and feeding" and commercial systems can be very expensive. However, there is an enterprise-grade open source IDS called Snort that may tip the scales over to a "can't lose" position. http://www.linuxsecurity.com/content/view/119057 * BlueCat Networks Previews its Proteus Enterprise IP Address Management 3rd, May, 2005 Networks, Inc., a leading provider of simple, secure and affordable network security appliances, today announced that it is previewing Proteus, its new enterprise class Internet protocol (IP) Address Management (IPAM) system at Networld+Interop in booth # 1124. http://www.linuxsecurity.com/content/view/119041 * Linux Labs International consolidates SELinux with Bproc 6th, May, 2005 Linux Labs International, Inc. ( LLII ), the world leader in Linux-based clustered supercomputer engineering, announced today a key milestone for security in supercomputing technology. 
With today's release of Nimbus 4.0, its out-of-the-box Linux cluster distribution, the leading Single System Image cluster architecture ( bproc ) is now seamlessly integrated with SELinux, the Security Enhanced Linux platform ( SELinux ). http://www.linuxsecurity.com/content/view/119068 * Backups tapes a backdoor for identity thieves 2nd, May, 2005 Large companies are reconsidering their security and backup policies after a handful of financial and information-technology companies have admitted that tapes holding unencrypted customer data have gone missing. http://www.linuxsecurity.com/content/view/119030 * Netcraft Phishing Site Feed Available 2nd, May, 2005 Netcraft launched an anti-phishing system at the start of 2005: people install a toolbar and effectively become part of a giant neighbourhood watch system whereby the most experienced members of the community can report phishing sites and effectively block them for the rest of the community. http://www.linuxsecurity.com/content/view/119035 * Infosecurity Europe 2005 Interviews 3rd, May, 2005 Rootsecure.net recently recorded a series of interviews with attendees at "Infosecurity Europe 2005", "Europe's number one, dedicated Information Security event". Those interviewed include representatives from eEye Digital Security, Zone-H, Forensic Computing Ltd, British Computing Society, and a reformed serial website defacer. They are downloadable in MP3 or OGG Vorbis format. http://www.linuxsecurity.com/content/view/119039 * China's largest bank switches to Linux 3rd, May, 2005 The Industrial Commercial Bank of China (ICBC) has decided to switch its servers to the Linux operating system after signing an agreement with Turbolinux. http://www.linuxsecurity.com/content/view/119040 * Moving IT management to a new paradigm 4th, May, 2005 IT management software ranges from hundreds of point solutions to huge integrated bundles for high-end enterprises. 
Aiming for a target in between is Robert Fanini, co-founder and CEO of GroundWork Open Source Solutions Inc., a startup in Emeryville, Calif., that has built its simple, low-priced IT management package on open source code. In this interview, Fanini explains how open source will open the eyes of now-doubting chief information officers (CIOs). http://www.linuxsecurity.com/content/view/119048 * Is VoIP Service the Next Big Target for Hackers? 5th, May, 2005 Internet telephone service's appeal as a cutting-edge technology for cutting phone costs is convincing more and more people to ditch their landlines and go hi-tech with Voice over Internet Protocol. http://www.linuxsecurity.com/content/view/119056 * Five Linux Security Myths You Can Live Without 6th, May, 2005 Before I wrote this article, I went to some Linux newsgroups to find out what typical concerns among security-conscious Linux users might be. I asked, simply, what they felt were the biggest myths surrounding Linux security. http://www.linuxsecurity.com/content/view/119065 * Sober Hasn't Slowed, Still Accounts For Four Of Five Worms And Viruses 6th, May, 2005 Sober.p, the worm that stormed the Internet Monday, showed no signs of fading away as of Thursday morning, an anti-virus vendor said. http://www.linuxsecurity.com/content/view/119066 * Business inaction could lead to data privacy laws 2nd, May, 2005 U.S. businesses for years have urged the government to let them set computer-security standards of their own, but their inability to do so could now prompt Congress to step in, experts say. http://www.linuxsecurity.com/content/view/119031 * House subcommittee elevates cybersecurity position 6th, May, 2005 A bill that would create a high-level cybersecurity official in the U.S. Department of Homeland Security (DHS) was approved Wednesday by a House of Representatives subcommittee. http://www.linuxsecurity.com/content/view/119071 * How a Bookmaker and a Whiz Kid Took On an Extortionist ... 
and Won 3rd, May, 2005 The e-mail began, "Your site is under attack," and it gave Mickey Richardson two choices: "You can send us $40K by Western Union [and] your site will be protected not just this weekend but for the next 12 months," or, "If you choose not to pay...you will be under attack each weekend for the next 20 weeks, or until you close your doors." http://www.linuxsecurity.com/content/view/119042 * Hackers Widen Their Attacks 4th, May, 2005 Hackers continue to develop new ways to infiltrate computer systems, staying one step ahead of software providers by targeting an array of applications, according to a recent report from the SANS Institute. http://www.linuxsecurity.com/content/view/119047 * Spying on the spyware makers 5th, May, 2005 The 25-year-old researcher has spent years analyzing how spyware and adware programs work and publicizing his findings. That often results in red faces and, occasionally, lawsuit threats from companies like WhenU and Claria, formerly known as Gator. http://www.linuxsecurity.com/content/view/119059 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ From isn at c4i.org Tue May 10 03:17:50 2005 From: isn at c4i.org (InfoSec News) Date: Tue May 10 03:27:03 2005 Subject: [ISN] Internet Attack Called Broad and Long Lasting by Investigators Message-ID: http://www.nytimes.com/2005/05/10/technology/10cisco.html By JOHN MARKOFF and LOWELL BERGMAN Published: May 10, 2005 SAN FRANCISCO, May 9 - The incident seemed alarming enough: a breach of a Cisco Systems network in which an intruder seized programming instructions for many of the computers that control the flow of the Internet. 
Now federal officials and computer security investigators have acknowledged that the Cisco break-in last year was only part of a more extensive operation - involving a single intruder or a small band, apparently based in Europe - in which thousands of computer systems were similarly penetrated. Investigators in the United States and Europe say they have spent almost a year pursuing the case involving attacks on computer systems serving the American military, NASA and research laboratories. The break-ins exploited security holes on those systems that the authorities say have now been plugged, and beyond the Cisco theft, it is not clear how much data was taken or destroyed. Still, the case illustrates the ease with which Internet-connected computers - even those of sophisticated corporate and government networks - can be penetrated and also the difficulty in tracing those responsible. Government investigators and other computer experts sometimes watched helplessly while monitoring the activity, unable to secure some systems as quickly as others were found compromised. The case remains under investigation. But attention is focused on a 16-year-old in Uppsala, Sweden, who was charged in March with breaking into university computers in his hometown. Investigators in the American break-ins ultimately traced the intrusions back to the Uppsala university network. The F.B.I. and the Swedish police said they were working together on the case, and one F.B.I. official said efforts in Britain and other countries were aimed at identifying accomplices. "As a result of recent actions" by law enforcement, an F.B.I. statement said, "the criminal activity appears to have stopped." The Swedish authorities are examining computer equipment confiscated from the teenager, who was released to his parents' care. The matter is being treated as a juvenile case. 
Investigators who described the break-ins did so on condition that they not be identified, saying that their continuing efforts could be jeopardized if their names, or in some cases their organizations, were disclosed. Computer experts said the break-ins did not represent a fundamentally new kind of attack. Rather, they said, the primary intruder was particularly clever in the way he organized a system for automating the theft of computer log-ins and passwords, conducting attacks through a complicated maze of computers connected to the Internet in as many as seven countries. The intrusions were first publicly reported in April 2004 when several of the nation's supercomputer laboratories acknowledged break-ins into computers connected to the TeraGrid, a high-speed data network serving those labs, which conduct unclassified research into a range of scientific problems. The theft of the Cisco software was discovered last May when a small team of security specialists at the supercomputer laboratories, trying to investigate the intrusions there, watched electronically as passwords to Cisco's computers were compromised. After discovering the passwords' theft, the security officials notified Cisco officials of the potential threat. But the company's software was taken almost immediately, before the company could respond. Shortly after being stolen last May, a portion of the Cisco programming instructions appeared on a Russian Web site. With such information, sophisticated intruders would potentially be able to compromise security on router computers of Cisco customers running the affected programs. There is no evidence that such use has occurred. "Cisco believes that the improper publication of this information does not create increased risk to customers' networks," the company said last week. The crucial element in the password thefts that provided access at Cisco and elsewhere was the intruder's use of a corrupted version of a standard software program, SSH. 
The program is used in many computer research centers for a variety of tasks, ranging from administration of remote computers to data transfer over the Internet. The intruder probed computers for vulnerabilities that allowed the installation of the corrupted program, known as a Trojan horse, in place of the legitimate program. In many cases the corrupted program is distributed from a single computer and shared by tens or hundreds of users at a computing site, effectively making it possible for someone unleashing it to reel in large numbers of log-ins and passwords as they are entered. Once passwords to the remote systems were obtained, an intruder could log in and use a variety of software "tool kits" to upgrade his privileges - known as gaining root access. That makes it possible to steal information and steal more passwords. The operation took advantage of the vulnerability of Internet-connected computers whose security software had not been brought up to date. In the Cisco case, the passwords to Cisco computers were sent from a compromised computer by a legitimate user unaware of the Trojan horse. The intruder captured the passwords and then used them to enter Cisco's computers and steal the programming instructions, according to the security investigators. A security expert involved in the investigation speculated that the Cisco programming instructions were stolen as part of an effort to establish the intruder's credibility in online chat rooms he frequented. Last May, the security investigators were able to install surveillance software on the University of Minnesota computer network when they discovered that an intruder was using it as a staging base for hundreds of Internet attacks. During a two-day period they watched as the intruder tried to break into more than 100 locations on the Internet and was successful in gaining root access to more than 50. 
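The Trojaned SSH client described above worked because a shared binary was silently replaced with one that behaved the same from the user's side. The defender's counterpart is a file-integrity baseline: digests of the trusted binaries recorded from a known-good install and kept off the host, then re-checked. The added example below is not the investigators' or any named tool's code; it uses a constructed stand-in for the ssh binary in a temporary directory, and the replacement is a same-length modified copy so that only the digest catches it.

```python
"""File-integrity check for a host's SSH client (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

Manifest = Dict[str, Tuple[str, int]]  # path -> (sha256 hex digest, size in bytes)


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths: Iterable[str]) -> Manifest:
    """Record digest and size of each trusted binary from a known-good install.

    The manifest must live somewhere the host cannot rewrite (read-only media or
    a remote store); a manifest kept beside the binaries is replaced with them.
    """
    return {p: (sha256_file(p), os.path.getsize(p)) for p in paths}


def verify_manifest(manifest: Manifest) -> List[Tuple[str, str]]:
    """Return (path, finding) pairs for every entry that no longer matches."""
    findings: List[Tuple[str, str]] = []
    for path, (digest, size) in manifest.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
        elif os.path.getsize(path) != size:
            findings.append((path, "size changed"))
        elif sha256_file(path) != digest:
            findings.append((path, "digest mismatch"))
    return findings


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Constructed scenario: baseline a stand-in 'ssh' binary, then replace it with a
    modified copy of identical size, as a swapped-in client on a shared host would be.
    Returns the findings before and after the replacement."""
    tmp = tempfile.mkdtemp()
    ssh = Path(tmp) / "ssh"
    ssh.write_bytes(b"ELF-stand-in: trusted ssh client v1\n")  # constructed content
    manifest = build_manifest([str(ssh)])
    before = verify_manifest(manifest)   # nothing has changed yet
    ssh.write_bytes(b"ELF-stand-in: trusted ssh client v2\n")  # same length, new bytes
    after = verify_manifest(manifest)
    return before, after


if __name__ == "__main__":
    clean, tampered = demo()
    print("before replacement:", clean)     # []
    print("after replacement:", tampered)   # [('.../ssh', 'digest mismatch')]
```

A real deployment would baseline the whole set of login-path binaries and shared libraries, not only the client, and run the check from a trusted environment rather than from the host being checked.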
When possible, they alerted organizations that were victims of attacks, which would then shut out the intruder and patch their systems. As the attacks were first noted in April 2004, a researcher at the University of California, Berkeley, found that her own computer had been invaded. The researcher, Wren Montgomery, began to receive taunting e-mail messages from someone going by the name Stakkato - now believed by the authorities to have been the primary intruder - who also boasted of breaking into computers at military installations. "Patuxent River totally closed their networks," he wrote in a message sent that month, referring to the Patuxent River Naval Air Station in Maryland. "They freaked out when I said I stole F-18 blueprints." A Navy spokesman at Patuxent River, James Darcy, said Monday that "if there was some sort of attempted breach on those addresses, it was not significant enough of an action to have generated a report." Monte Marlin, a spokeswoman for the White Sands Missile Range in New Mexico, whose computers Stakkato also claimed to have breached, confirmed Monday that there had been "unauthorized access" but said, "The only information obtained was weather forecast information." The messages also claimed an intrusion into seven computers serving NASA's Jet Propulsion Laboratory in Pasadena, Calif. A computer security expert investigating the case confirmed that computers at several NASA sites, including the propulsion laboratory, had been breached. A spokesman said the laboratory did not comment on computer breaches. Ms. Montgomery, a graduate student in geophysics, said that in a fit of anger, Stakkato had erased her computer file directory and had destroyed a year and a half of her e-mail stored on a university computer. She guessed that she might have provoked him by referring to him as a "quaint hacker" in a communication with system administrators, which he monitored. 
"It was inconvenient," she said of the loss of her e-mail, "and it's the thing that seems to happen when you have malicious teenage hackers running around with no sense of ethics." -=- Walter Gibbs, in Oslo, and Heather Timmons, in London, contributed reporting for this article. From isn at c4i.org Tue May 10 03:18:05 2005 From: isn at c4i.org (InfoSec News) Date: Tue May 10 03:27:05 2005 Subject: [ISN] Firefox suffers first 'extremely critical' security hole Message-ID: http://www.techworld.com/security/news/index.cfm?NewsID=3619 By Matthew Broersma Techworld 09 May 2005 Firefox has unpatched "extremely critical" security holes and exploit code is already circulating on the Net, security researchers have warned. The two unpatched flaws in the Mozilla browser could allow an attacker to take control of your system. A patch is expected shortly, but in the meantime users can protect themselves by switching off JavaScript. In addition, the Mozilla Foundation has now made the flaws effectively impossible to exploit by changes to the server-side download mechanism on the update.mozilla.org and addons.mozilla.org sites, according to security experts. The flaws were confidentially reported to the Foundation on 2 May, but by Saturday details had been leaked and were reported by several security organisations, including the French Security Incident Response Team (FrSIRT). Danish security firm Secunia marked the exploit as "extremely critical", its most serious rating, the first time it has given a Firefox flaw this rating. In recent months Firefox has gained significant market share from Microsoft's Internet Explorer, partly because it is considered less vulnerable to attacks. However, industry observers have long warned that the browser is more secure partly because of its relatively small user base. As Firefox's profile grows, attackers will increasingly target the browser. 
The exploit, discovered by Paul of Greyhats Security Group and Michael "mikx" Krax, makes use of two separate vulnerabilities. An attacker could create a malicious page using frames and a JavaScript history flaw to make software installations appear to be coming from a "trusted" site. By default, Firefox allows software installations from update.mozilla.org and addons.mozilla.org, but users can add their own sites to this whitelist. The second part of the exploit triggers software installation using an input verification bug in the "IconURL" parameter in the install mechanism. The effect is that a user could click on an icon and trigger the execution of malicious JavaScript code. Because the code is executed from the browser's user interface, it has the same privileges as the user running Firefox, according to researchers. Mozilla Foundation said it has protected most users from the exploit by altering the software installation mechanism on its two whitelisted sites. However, users may be vulnerable if they have added other sites to the whitelist, it warned. "We believe this means that users who have not added any additional sites to their software installation whitelist are no longer at risk," Mozilla Foundation said in a statement published on Mozillazine.org. From isn at c4i.org Fri May 13 07:08:05 2005 From: isn at c4i.org (InfoSec News) Date: Fri May 13 07:19:32 2005 Subject: [ISN] Security UPDATE -- WPA2 and WSP IE for Windows XP SP2 -- May 11, 2005 Message-ID: ==================== This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE. 
Managing and Securing IM in the Enterprise: Why It Should Be a Top Priority http://list.windowsitpro.com/t?ctl=98F6:4FB69 Integrated Help Desk Services Lead to Greater IT Productivity http://list.windowsitpro.com/t?ctl=98F8:4FB69 ==================== 1. In Focus: WPA2 and WPS IE for Windows XP SP2 2. Security News and Features - Recent Security Vulnerabilities - SANS Reports Most Dangerous Vulnerabilities for Q1 2005 - Sobering Worm Inundates Inboxes 3. Security Toolkit - Security Matters Blog - FAQ - Security Forum Featured Thread 4. New and Improved - Server Monitoring Service ==================== ==== Sponsor: Akonix Systems ==== Managing and Securing IM in the Enterprise: Why It Should Be a Top Priority With instant messaging virtually in all corporate environments, and expected to be as prevalent as email in the near future, it has rapidly become an indispensable business communication tool. Yet, IM growth within the enterprise brings an associated increase in security risks to both public and enterprise IM networks. In this free white paper, learn how you can take control of IM use on your network to ensure security and compliance. You'll learn how to protect yourself from virus and worm attacks, identity theft, leakage of confidential information and more. Download now! http://list.windowsitpro.com/t?ctl=98F6:4FB69 ==================== ==== 1. In Focus: WPA2 and WPS IE for Windows XP SP2 ==== by Mark Joseph Edwards, News Editor, mark at ntsecurity / net If you use wireless networking in your environment, you'll be interested to learn that Microsoft has released an update to improve wireless network security for users of Windows XP with Service Pack 2 (SP2). The update enhances the XP wireless client software with support for Wi-Fi Protected Access 2 (WPA2), which according to the Wi-Fi Alliance "is based on the final IEEE 802.11i amendment to the 802.11 standard and is eligible for FIPS 140-2 compliance." 
http://list.windowsitpro.com/t?ctl=990D:4FB69 WPA2 offers much stronger security than Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA). WEP has long been known to be vulnerable. I've read at least one account in which a WEP connection was cracked in only a few minutes. The successor to WEP, WPA, isn't as easy to crack as WEP, and the new WPA2 standard offers even better security. The Wi-Fi Alliance said the primary difference between WPA and WPA2 is that WPA2 uses the Advanced Encryption Standard (AES) to encrypt network traffic and WPA uses the Rivest Cipher 4 (RC4) algorithm: WPA's TKIP is a per-packet keying scheme wrapped around the same RC4 cipher WEP used, whereas WPA2's CCMP is built on AES. WPA2 Personal supports preshared keys, and WPA2 Enterprise uses 802.1X authentication with the Extensible Authentication Protocol (EAP). Like WPA, WPA2 facilitates roaming access between wireless Access Points (APs). Several manufacturers already make WPA2-certified APs and wireless NICs, and many provide WPA2 hardware and drivers that work with several versions of Windows. For example, Broadcom, Cisco Systems, Devicescape Software (formerly Instant802 Networks), Intel, and Realtek Semiconductor all make WPA2-enabled products that can be used on almost any Windows platform. Other vendors make products based on Atheros Communications chipsets, which are also WPA2-certified. Wireless Provisioning Services Information Element (WPS IE) support is also included in the update. Some wireless ISPs are moving from unsecured to secured networks by implementing 802.1X. As the transitions take place, ISPs can configure their APs to broadcast one Service Set Identifier (SSID) for the unsecured network and another SSID for the secure network. The SSIDs for the secured networks aren't visible on systems that don't support WPS IE because of the way some APs advertise them in Beacon and Probe Response frames. WPS IE helps computers recognize both types of wireless AP SSIDs. You can learn more about the new update at the link above. 
You can also learn more about creating secure wireless hotspots in the MSDN Library article "Securing Public Wi-Fi Hotspots" at http://list.windowsitpro.com/t?ctl=98F4:4FB69 Microsoft TechNet also has a new Cable Guy column, "Wi-Fi Protected Access 2 (WPA2) Overview." The column explains WPA2 in a fair amount of detail, including key caching, fast roaming, pre-authentication, and more. http://list.windowsitpro.com/t?ctl=98FD:4FB69 In addition, Microsoft maintains links to numerous other wireless-related articles on its Windows Server 2003 Wi-Fi Web site. http://list.windowsitpro.com/t?ctl=98F7:4FB69 A new white paper, "Deploying Wi-Fi Protected Access (WPA) and WPA2 in the Enterprise," is available in PDF format at The Wi-Fi Alliance's Web site (first URL below). A 60-minute presentation, "Wi-Fi Protected Access: Locking Down the Link," by Michael Disabato of the Burton Group, reviews WEP, WPA, WPA2, implementation, and more and is also available at the Wi-Fi Alliance Web site (second URL below). http://list.windowsitpro.com/t?ctl=98FC:4FB69 http://list.windowsitpro.com/t?ctl=9903:4FB69 ==== In the Web chat "Reality Check: What to Expect with Windows Server 2003 Service Pack 1," Michael Otey will answer your questions about Windows Firewall, Data Execution Prevention (DEP), boot-time protection, the Security Configuration Wizard (SCW), and much more. Thursday, May 12, 12:00 noon Eastern (9:00 A.M. Pacific). http://list.windowsitpro.com/t?ctl=9912:4FB69 ==================== ==== Sponsor: HP ==== Integrated Help Desk Services Lead to Greater IT Productivity As organizations focus on aligning IT infrastructures to support business needs, IT managers must have the processes and tools to ensure that the infrastructure keeps pace with business needs and provides guaranteed levels of service at predetermined costs. 
This free white paper explores how to meet IT infrastructure's needs and manage crucial support and service processes by implementing Help Desk, problem, change, configuration, and service-level agreement (SLA) management into a single workflow. Improve productivity and service delivery quality while reducing costs, resources, and downtime in your organization. Download now! http://list.windowsitpro.com/t?ctl=98F8:4FB69 ==================== ==== 2. Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://list.windowsitpro.com/t?ctl=9902:4FB69 SANS Reports Most Dangerous Vulnerabilities for Q1 2005 SANS released a list of what it considers the most dangerous vulnerabilities discovered in first quarter 2005. Affected products include multiple Microsoft products; Computer Associates' License software; multiple Oracle servers; media players Nullsoft Winamp, Apple Computer's iTunes Music Store, and RealNetworks' RealPlayer (and Microsoft Windows Media Player); antivirus products from Symantec, Trend Micro, and McAfee; and DNS services in Symantec security products (and Windows OSs). http://list.windowsitpro.com/t?ctl=9905:4FB69 Sobering Worm Inundates Inboxes The latest incarnation of the Sober worm is inundating inboxes in some countries with an enticement to win tickets to the World Cup soccer tournament in Germany. The email message that carries the worm (known as Sober.N, Sober.O, Sober.P, Sober.S, or Sober.V, depending on which antivirus vendor database you check) could also have a different message subject and content. 
http://list.windowsitpro.com/t?ctl=9907:4FB69 ==================== ==== Resources and Events ==== Improve the Availability of Your Exchange Servers Managing storage growth, providing application resiliency, and handling small errors and problems before they grow are all important aspects of boosting your Exchange uptime. In this free Web seminar, discover how storage and application management techniques for Exchange can be used to improve the resiliency and performance of your Exchange infrastructure. Register now! http://list.windowsitpro.com/t?ctl=98F1:4FB69 Updating Software on Windows Desktops and Servers: WSUS and Beyond In this free Web seminar, join industry expert Dan Holme as he explores options for implementing and managing WSUS and other automated solutions in your organization. You'll learn how WSUS makes it easy to keep Windows systems and Microsoft applications up-to-date with patches, security rollups, drivers, and updates. Plus, you'll discover alternatives to manage the deployment and patching of non-Microsoft software. http://list.windowsitpro.com/t?ctl=98FF:4FB69 Establish a Manageable Desktop Software Configuration and Control IT Costs Managing desktop software configurations is a manual process, resulting in unplanned costs, deployment delays, and client confusion. In this free Web seminar, find out how you can meet software-package-preparation requirements and increase your desktop reliability, user satisfaction, and IT cost effectiveness. You'll learn about the new application process, issue management during package preparation, historical recording and reporting, and more. http://list.windowsitpro.com/t?ctl=98F3:4FB69 Take the Hack IIS 6.0 challenge now! Follow along as industry guru Roger Grimes puts IIS 6.0 to the test. The first hacker to succeed will win an Xbox. http://list.windowsitpro.com/t?ctl=9911:4FB69 Get Ready for SQL Server 2005 Roadshow in a U.S. City Near You--and in Europe Get the facts about migrating to SQL Server 2005. 
SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Attend and receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now! For a U.S. city http://list.windowsitpro.com/t?ctl=98FA:4FB69 For Europe http://list.windowsitpro.com/t?ctl=98F9:4FB69 ==================== ==== Featured White Paper ==== Phishing, Viruses, Bot-Nets and More: How to Prevent the "Perfect Storm" from Devastating Your Email System Unfortunately, fragmented appliance-based and software-based antispam solutions operating inside the email gateway can't prevent a potentially devastating impact on your email system and users. In this free white paper, learn how you can protect your email boundary and stop attacks with a multilayered approach that effectively prevents the perfect storm from ever reaching your email gateway. Download your copy now! http://list.windowsitpro.com/t?ctl=98F5:4FB69 ==================== ==== Hot Release ==== Best Practices for Establishing and Enforcing a Security Policy in Your Business With all the viruses, Trojans, spyware, malware, and malicious attacks out there, is your company as prepared as it can be to fend off these threats? This white paper will provide you with detailed information for establishing and enforcing a security policy so that you have a safety net to fall back on and can ensure that you're making the right decisions at a demanding time. Specifically, you'll go through the process of creating a security policy and creating an incident response plan to prepare your organization for the worst-case scenario. Download this free white paper now! http://list.windowsitpro.com/t?ctl=98F2:4FB69 ==================== ==== 3. 
Security Toolkit ==== Security Matters Blog: 20 Security Fixes for Mac OS X by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=990C:4FB69 Got Mac? If you do, check Apple Computer's download site to see if you need to install the latest security update. The company released Security Update 2005-005 for Mac OS X 10.3.9 (client and server editions), which contains 20 security fixes. http://list.windowsitpro.com/t?ctl=9908:4FB69 FAQ by John Savill, http://list.windowsitpro.com/t?ctl=9909:4FB69 Q: How can I create a Microsoft Office 2003 installation source that has an integrated service pack and hotfixes? Find the answer at http://list.windowsitpro.com/t?ctl=9906:4FB69 Security Forum Featured Thread: Guest User Password Required A forum participant writes that he has a Windows 2000-based mixed-mode domain. He wants to know if there's a way to use Group Policy to force a password to be required for the Guest user account at the domain level. If not, how can he set the local policies on each system without having to physically visit each computer? Join the discussion at http://list.windowsitpro.com/t?ctl=98FB:4FB69 ==================== ==== Announcements ==== (from Windows IT Pro and its partners) SQL Server Magazine Gives DBAs and Developers What They Need With SQL Server 2005 right around the corner, it's important to note that SQL Server Magazine is on target to deliver comprehensive coverage of all betas of the new product and the final release. If you aren't already a subscriber, now is the time to subscribe. Act now and save 47% off the cover price, plus get the new Reporting Services poster. http://list.windowsitpro.com/t?ctl=990B:4FB69 Nominate Yourself or a Friend for the MCP Hall of Fame Are you a top-notch MCP who deserves to be a part of the first-ever MCP Hall of Fame? Get the fame you deserve by nominating yourself or a peer to become a part of this influential community of certified professionals. 
You could win a VIP trip to Microsoft and other valuable prizes. Enter now--it's easy: http://list.windowsitpro.com/t?ctl=9900:4FB69 ==================== ==== 4. New and Improved ==== by Renee Munshi, products@windowsitpro.com Server Monitoring Service TAB Computer Systems today announced the availability of PatrolDog 2.0, a monitoring and support service for small businesses' file servers. PatrolDog monitors (over the Internet) critical server items such as Windows event logs, daily backups, disk space usage, power issues, hardware failures, and virus and security issues. TAB is currently offering a trial of PatrolDog, in which it will gather and analyze your server information and then email you a server status report. Pricing is per month: $60 for the first server, $40 for the second server, and $20 for each additional server. For more information, go to http://list.windowsitpro.com/t?ctl=9910:4FB69 Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com. Editor's note: Share Your Security Discoveries and Get $100 Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length. ==================== ==== Sponsored Links ==== Converting a Microsoft Access Application to Oracle HTML DB Convert MS Access into a Web application for multiple users. Download now! 
http://list.windowsitpro.com/t?ctl=9913:4FB69 ==================== ==== Contact Us ==== About the newsletter -- letters@windowsitpro.com About technical questions -- http://list.windowsitpro.com/t?ctl=990E:4FB69 About product news -- products@windowsitpro.com About your subscription -- windowsitproupdate@windowsitpro.com About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com ==================== This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today. http://list.windowsitpro.com/t?ctl=9904:4FB69 View the Windows IT Pro privacy policy at http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy Windows IT Pro, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2005, Penton Media, Inc. All rights reserved. From isn at c4i.org Fri May 13 07:08:24 2005 From: isn at c4i.org (InfoSec News) Date: Fri May 13 07:19:34 2005 Subject: [ISN] Defense Department hacker gets 21-month sentence Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,101670,00.html By Scarlet Pruitt MAY 12, 2005 IDG NEWS SERVICE A 21-year-old Indiana resident was slapped with a 21-month jail sentence for his role in a hacking attack that compromised computers at the U.S. Department of Defense, according to law enforcement officials. Raymond Paul Steigerwalt, a former member of the international hacking gang Thr34t Krew (TK), was sentenced last Friday on one count of conspiracy to commit fraud and related activity in connection with computers and one count of possession of child pornography, officials said. In addition to the jail time, he was also ordered to pay restitution of $12,000 to the Defense Department. The hacking attack launched by TK took place between October 2002 and March 2003, according to U.S. 
Attorney for the Eastern District of Virginia Paul McNulty. Steigerwalt and his gang were accused of creating a worm that infected Internet-connected computers. The worm installed a Trojan software program, allowing TK to control the infected machines. At least two computers at the Defense Department were infected, McNulty's office said. It was not clear what damage was done. Steigerwalt's sentencing came as a result of an investigation involving the Defense Department, the FBI, the U.S. Army Criminal Investigation Command, the U.S. Secret Service, the Air Force Office of Special Investigations, the Riverside California County Sheriff's Office and NASA. Two other men in northeast England were held in 2003 for their part in creating the TK Trojan. At the time, the U.K.'s National Hi-Tech Crime Unit said that the virus had infected approximately 18,000 computers around the world, causing an estimated $10.3 million in damages. Steigerwalt's sentencing last week represents a small victory for law enforcement officials, but the incident could still prove somewhat embarrassing for the Defense Department, according to Graham Cluley, a senior technology consultant at Sophos PLC. "Most of these government agencies are pretty clued in on security threats, but the problem is that they only need to be unlucky once to have egg on their face," he said. International hacking groups like Thr34t Krew appear to be on the rise and are increasingly focusing on moneymaking schemes, Cluley said. Security experts are warning organizations to be aware of sophisticated attacks designed to steal information or conduct extortion by threatening to launch a denial-of-service attack against a Web site unless money is paid, for instance. Earlier this week it was revealed that data theft reported at Cisco Systems Inc. last year is now believed to be part of a larger incident involving the break-in of servers in several countries. Some of the attacks are also thought to have been directed at U.S. 
government agencies. From isn at c4i.org Fri May 13 07:08:37 2005 From: isn at c4i.org (InfoSec News) Date: Fri May 13 07:19:37 2005 Subject: [ISN] Naval Academy knows its cybersecurity Message-ID: http://www.gcn.com/vol1_no1/daily-updates/35786-1.html By Dawn S. Onley GCN Staff 05/12/05 The United States Naval Academy beat out the four other service academies in the annual Cyber Defense Exercise, designed to equip students with the ability to protect the nation's critical information systems. Sponsored by the National Security Agency, CDX challenges each academy team to design, build and configure a real-world computer network simulating a deployed joint service command. A network operations "red" team, composed of NSA and Defense personnel, then identifies the vulnerabilities and attempts to hack each network over a four-day period. The teams are evaluated on how well they maintain services, as well as on efforts to detect, respond to and recover from network security breaches. "The CDX brings practical experience into the classroom," according to an NSA release. The United States Air Force Academy and the United States Military Academy tied for runners-up. Other participants were the United States Merchant Marine Academy, last year's winner, and the United States Coast Guard Academy. The NSA Information Assurance Director's Trophy will remain at the Naval Academy until next year's exercise. 
From isn at c4i.org Fri May 13 07:09:44 2005 From: isn at c4i.org (InfoSec News) Date: Fri May 13 07:19:46 2005 Subject: [ISN] Secunia Weekly Summary - Issue: 2005-19 Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2005-05-05 - 2005-05-12

This week : 73 advisories

========================================================================

Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================

1) Word From Secunia:

Want a new IT Security job?

Vacant positions at Secunia:
http://secunia.com/secunia_vacancies/

========================================================================

2) This Week in Brief:

Secunia issued a rare "Extremely Critical" advisory regarding Mozilla Firefox, as details about a system compromise vulnerability, including exploit code, had been released on public mailing lists.

The Mozilla Foundation has released an updated version, which corrects this vulnerability.

Reference:
http://secunia.com/SA15135

--

Apple has released an updated version of iTunes, which corrects a vulnerability that potentially can be exploited to compromise a vulnerable system.

Please refer to the Secunia advisory below for details.

References:
http://secunia.com/SA15310

VIRUS ALERTS:

During the last week, Secunia issued 2 MEDIUM RISK virus alerts.
Please refer to the grouped virus profile below for more information: Wurmark-J - MEDIUM RISK Virus Alert - 2005-05-11 13:55 GMT+1 http://secunia.com/virus_information/17848/wurmark-j/ MYTOB.ED - MEDIUM RISK Virus Alert - 2005-05-11 06:46 GMT+1 http://secunia.com/virus_information/17840/mytob.ed/ ======================================================================== 3) This Weeks Top Ten Most Read Advisories: 1. [SA15292] Mozilla Firefox Two Vulnerabilities 2. [SA14820] Mozilla Firefox JavaScript Engine Information Disclosure Vulnerability 3. [SA15310] iTunes MPEG-4 File Parsing Buffer Overflow Vulnerability 4. [SA11482] Windows Explorer / Internet Explorer Long Share Name Buffer Overflow 5. [SA15017] Microsoft Windows Explorer Web View Script Insertion Vulnerability 6. [SA14938] Mozilla Firefox Multiple Vulnerabilities 7. [SA15296] Mozilla "IFRAME" JavaScript URL Cross-Site Scripting 8. [SA15227] Mac OS X Security Update Fixes Multiple Vulnerabilities 9. [SA15103] Netscape GIF Image Netscape Extension 2 Buffer Overflow 10. [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerabilities ======================================================================== 4) Vulnerabilities Summary Listing Windows: [SA15330] GeoVision Digital Video Surveillance System Authentication Bypass [SA15329] MaxWebPortal Cross-Site Scripting and SQL Injection [SA15302] Orenosv HTTP/FTP Server Buffer Overflow Vulnerabilities [SA15300] ShowOff! 
Digital Media Software Two Vulnerabilities [SA15299] NiteEnterprises Remote File Manager Denial of Service [SA15291] datatrac Denial of Service Vulnerability [SA15271] Hosting Controller "addsubsite.asp" Security Bypass [SA15268] PostMaster Multiple Vulnerabilities [SA15288] Subject Search Server "Search for" Field Cross-Site Scripting [SA15274] MyServer Directory Listing and Cross-Site Scripting Vulnerability [SA15287] H-Sphere Exposure of User Credentials UNIX/Linux: [SA15334] Red Hat update for gaim [SA15326] Ubuntu update for mozilla-browser/mozilla-firefox [SA15316] Debian update for xfree86 [SA15314] Mandriva update for ethereal [SA15295] Easy Message Board "print" Shell Command Injection [SA15285] Debian update for smail [SA15284] Ubuntu update for xine-lib [SA15283] Mandriva update for OpenOffice.org [SA15280] Gentoo update for ethereal [SA15277] SGI Advanced Linux Environment Multiple Updates [SA15272] Fedora update for ethereal [SA15264] Mandriva update for XFree86 [SA15256] Ubuntu update for openoffice.org [SA15333] Gentoo update for hteditor [SA15331] Gentoo update for libtiff [SA15320] libTIFF BitsPerSample Tag Buffer Overflow Vulnerability [SA15278] 4D WebSTAR Tomcat Plugin URL Buffer Overflow [SA15270] Fedora update for gnutls [SA15258] Gentoo update for gnutls [SA15318] Fedora update for postgresql [SA15273] Gentoo update for oops [SA15266] Oops! 
Proxy Server "auth()" Format String Vulnerability [SA15335] IPCop update for various packages [SA15322] Red Hat update for tcpdump [SA15309] Gentoo update for tcpdump [SA15308] Gentoo update for gzip [SA15263] Avaya Intuity Audix TCP Connection Reset Vulnerability [SA15294] Squid DNS Lookup Spoofing Vulnerability [SA15275] Sun Solaris Unspecified NIS+ Service Denial of Service [SA15313] Avaya CMS/IR newgrp Privilege Escalation Vulnerability [SA15303] Avaya CMS dtmail Privilege Escalation Vulnerability [SA15262] FreeBSD Kernel Memory Disclosure Vulnerabilities [SA15261] FreeBSD "i386_get_ldt()" Kernel Memory Disclosure Vulnerability [SA15260] FreeBSD Insecure iir Driver Permissions [SA15301] Mac OS X Mail Account Wizard Exposure of User Credentials [SA15276] Fedora update for libexif [SA15259] libexif EXIF Tag Parsing Denial of Service Vulnerability [SA15323] Sun Solaris automountd Denial of Service Vulnerability [SA15293] Viewglob "vgd" Server Exposure of Directory Information Other: [SA15306] Sun StorEdge 6130 Array Unspecified Unauthorised Access Cross Platform: [SA15292] Mozilla Firefox Two Vulnerabilities [SA15328] Gaim URL Processing Buffer Overflow Vulnerability [SA15312] BoastMachine File Upload Vulnerability [SA15310] iTunes MPEG-4 File Parsing Buffer Overflow Vulnerability [SA15282] e107 Multiple Vulnerabilities [SA15279] PHP Advanced Transfer Manager File Upload Vulnerability [SA15257] Fusion SBX "is_logged" Authentication Bypass [SA15317] Woltlab Burning Board Unspecified Vulnerability [SA15315] PwsPHP Multiple Vulnerabilities [SA15304] HT Editor ELF and PE Parser Vulnerabilities [SA15298] phpBB Unspecified URL / BB Code Vulnerability [SA15296] Mozilla "IFRAME" JavaScript URL Cross-Site Scripting [SA15290] WebAPP Guestbook PRO Module Message Script Insertion [SA15289] AutoTheme and AT-Lite Unspecified Vulnerabilities [SA15286] SiteStudio and H-Sphere "name" Script Insertion Vulnerability [SA15281] CJ Ultra Plus "perm" SQL Injection Vulnerability 
[SA15269] MidiCart PHP Shopping Cart Cross-Site Scripting and SQL Injection
[SA15265] Invision Power Board Cross-Site Scripting and SQL Injection
[SA15332] Nuke ET "codigo" Cross-Site Scripting Vulnerability
[SA15311] NukeScripts NukeSentinel URL Encoding Filter Bypass
[SA15297] Quick.Cart "sWord" Cross-Site Scripting Vulnerability
[SA15267] Netscape HTTP Authentication Prompt Spoofing Vulnerability

========================================================================

5) Vulnerabilities Content Listing

Windows:
--
[SA15330] GeoVision Digital Video Surveillance System Authentication Bypass
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-05-11

Tirath Rai has reported a security issue in GeoVision Digital Video Surveillance System, which can be exploited by malicious people to disclose sensitive information.

Full Advisory: http://secunia.com/advisories/15330/

--
[SA15329] MaxWebPortal Cross-Site Scripting and SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-05-11

Zinho has reported some vulnerabilities in MaxWebPortal, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory: http://secunia.com/advisories/15329/

--
[SA15302] Orenosv HTTP/FTP Server Buffer Overflow Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Privilege escalation, DoS, System access
Released: 2005-05-09

Tan Chew Keong has reported some vulnerabilities in Orenosv HTTP/FTP Server, which can be exploited by malicious users to cause a DoS (Denial of Service) and potentially compromise the system.

Full Advisory: http://secunia.com/advisories/15302/

--
[SA15300] ShowOff! Digital Media Software Two Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information, DoS
Released: 2005-05-11

dr_insane has discovered two vulnerabilities in ShowOff! Digital Media Software, which can be exploited by malicious people to cause a DoS (Denial of Service) and disclose sensitive information.

Full Advisory: http://secunia.com/advisories/15300/

--
[SA15299] NiteEnterprises Remote File Manager Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-05-09

eric basher has reported a vulnerability in NiteEnterprises Remote File Manager, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/15299/

--
[SA15291] datatrac Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-05-09

eric basher has reported a vulnerability in datatrac, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/15291/

--
[SA15271] Hosting Controller "addsubsite.asp" Security Bypass
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-05-06

Mouse has reported a vulnerability in Hosting Controller, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/15271/

--
[SA15268] PostMaster Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Exposure of system information
Released: 2005-05-11

Dr_insane has reported some vulnerabilities in PostMaster, which can be exploited by malicious people to detect the presence of local files, enumerate usernames, conduct cross-site scripting attacks and bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/15268/

--
[SA15288] Subject Search Server "Search for" Field Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-05-10

Dr_insane has discovered a vulnerability in Subject Search Server, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/15288/

--
[SA15274] MyServer Directory Listing and Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information
Released: 2005-05-10

Dr_insane has discovered a vulnerability in MyServer, which can be exploited by malicious people to gain knowledge of certain system information or conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/15274/

--
[SA15287] H-Sphere Exposure of User Credentials
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2005-05-10

Donnie Werner has reported a security issue in H-Sphere, which can be exploited by malicious, local users to disclose sensitive information.

Full Advisory: http://secunia.com/advisories/15287/

UNIX/Linux:
--
[SA15334] Red Hat update for gaim
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-05-11

Red Hat has issued an update for gaim. This fixes a vulnerability and a weakness, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a user's system.

Full Advisory: http://secunia.com/advisories/15334/

--
[SA15326] Ubuntu update for mozilla-browser/mozilla-firefox
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, System access
Released: 2005-05-11

Ubuntu has issued updates for mozilla-browser and mozilla-firefox. These fix some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, and compromise a user's system.

Full Advisory: http://secunia.com/advisories/15326/

--
[SA15316] Debian update for xfree86
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-05-10

Debian has issued an update for xfree86. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15316/

--
[SA15314] Mandriva update for ethereal
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-05-11

Mandriva has issued an update for ethereal. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15314/

--
[SA15295] Easy Message Board "print" Shell Command Injection
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-05-09

SoulBlack Security Research has reported a vulnerability in Easy Message Board, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15295/

--
[SA15285] Debian update for smail
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-05-09

Debian has issued an update for smail. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15285/

--
[SA15284] Ubuntu update for xine-lib
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-05-09

Ubuntu has issued an update for xine-lib. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/15284/

--
[SA15283] Mandriva update for OpenOffice.org
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-05-09

Mandriva has issued an update for OpenOffice.org. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/15283/

--
[SA15280] Gentoo update for ethereal
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-05-09

Gentoo has issued an update for ethereal. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15280/

--
[SA15277] SGI Advanced Linux Environment Multiple Updates
Critical: Highly critical
Where: From remote
Impact: Unknown, Security Bypass, Cross Site Scripting, Spoofing, Manipulation of data, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access
Released: 2005-05-09

SGI has issued a patch for SGI Advanced Linux Environment. This fixes multiple vulnerabilities, which can be exploited by malicious, local users to gain knowledge of sensitive information and conduct certain actions on a vulnerable system with escalated privileges, and by malicious people to cause a DoS (Denial of Service), conduct spoofing and cross-site scripting attacks, disclose sensitive and system information, bypass certain security restrictions, trick users into downloading malicious files, and compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15277/

--
[SA15272] Fedora update for ethereal
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-05-09

Fedora has issued an update for ethereal. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15272/

--
[SA15264] Mandriva update for XFree86
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-05-06

Mandriva has issued an update for XFree86. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15264/

--
[SA15256] Ubuntu update for openoffice.org
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-05-09

Ubuntu has issued an update for openoffice.org. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/15256/

--
[SA15333] Gentoo update for hteditor
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-05-11

Gentoo has issued an update for hteditor. This fixes two vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/15333/

--
[SA15331] Gentoo update for libtiff
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-05-11

Gentoo has issued an update for libtiff. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15331/

--
[SA15320] libTIFF BitsPerSample Tag Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-05-11

Tavis Ormandy has reported a vulnerability in libTIFF, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15320/

--
[SA15278] 4D WebSTAR Tomcat Plugin URL Buffer Overflow
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-05-09

Braden Thomas has reported a vulnerability in 4D WebSTAR, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15278/

--
[SA15270] Fedora update for gnutls
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-05-06

Fedora has issued an update for gnutls. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/15270/

--
[SA15258] Gentoo update for gnutls
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-05-09

Gentoo has issued an update for gnutls. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/15258/

--
[SA15318] Fedora update for postgresql
Critical: Moderately critical
Where: From local network
Impact: Unknown, Privilege escalation, DoS
Released: 2005-05-11

Fedora has released an update for postgresql. This fixes two vulnerabilities, which can be exploited by malicious users to cause a DoS (Denial of Service) or potentially gain escalated privileges.

Full Advisory: http://secunia.com/advisories/15318/

--
[SA15273] Gentoo update for oops
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2005-05-06

Gentoo has issued an update for oops. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15273/

--
[SA15266] Oops! Proxy Server "auth()" Format String Vulnerability
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2005-05-06

Edisan has reported a vulnerability in Oops!, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15266/

--
[SA15335] IPCop update for various packages
Critical: Less critical
Where: From remote
Impact: Security Bypass, Privilege escalation
Released: 2005-05-11

An updated version of IPCop has been released. This fixes some vulnerabilities in various packages, which can be exploited to gain escalated privileges, cause a DoS (Denial of Service), or extract files to arbitrary directories.

Full Advisory: http://secunia.com/advisories/15335/

--
[SA15322] Red Hat update for tcpdump
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-05-11

Red Hat has issued an update for tcpdump. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/15322/

--
[SA15309] Gentoo update for tcpdump
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-05-10

Gentoo has issued an update for tcpdump. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/15309/

--
[SA15308] Gentoo update for gzip
Critical: Less critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2005-05-10

Gentoo has issued an update for gzip. This fixes a vulnerability, which potentially can be exploited by malicious people to extract files to arbitrary directories on a user's system.

Full Advisory: http://secunia.com/advisories/15308/

--
[SA15263] Avaya Intuity Audix TCP Connection Reset Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-05-06

Avaya has acknowledged a vulnerability in Intuity Audix, which can be exploited by malicious people to reset established TCP connections on a vulnerable system.

Full Advisory: http://secunia.com/advisories/15263/

--
[SA15294] Squid DNS Lookup Spoofing Vulnerability
Critical: Less critical
Where: From local network
Impact: Spoofing
Released: 2005-05-11

A vulnerability has been reported in Squid, which can be exploited by malicious people to spoof DNS lookups.

Full Advisory: http://secunia.com/advisories/15294/

--
[SA15275] Sun Solaris Unspecified NIS+ Service Denial of Service
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-05-09

A vulnerability has been reported in Solaris, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/15275/

--
[SA15313] Avaya CMS/IR newgrp Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-05-10

Avaya has acknowledged a vulnerability in Avaya Call Management System (CMS) and Avaya Interactive Response (IR), which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/15313/

--
[SA15303] Avaya CMS dtmail Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-05-11

Avaya has acknowledged a vulnerability in Avaya Call Management System (CMS), which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/15303/

--
[SA15262] FreeBSD Kernel Memory Disclosure Vulnerabilities
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2005-05-06

Christian S.J. Peron has reported some vulnerabilities in FreeBSD, which can be exploited by malicious, local users to gain knowledge of potentially sensitive information.

Full Advisory: http://secunia.com/advisories/15262/

--
[SA15261] FreeBSD "i386_get_ldt()" Kernel Memory Disclosure Vulnerability
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2005-05-06

Christer Oberg has reported a vulnerability in FreeBSD, which can be exploited by malicious, local users to gain knowledge of potentially sensitive information.

Full Advisory: http://secunia.com/advisories/15261/

--
[SA15260] FreeBSD Insecure iir Driver Permissions
Critical: Less critical
Where: Local system
Impact: Manipulation of data, Exposure of sensitive information
Released: 2005-05-06

Christian S.J. Peron has reported a security issue in FreeBSD, which can be exploited by malicious, local users to gain knowledge of sensitive information or corrupt data.

Full Advisory: http://secunia.com/advisories/15260/

--
[SA15301] Mac OS X Mail Account Wizard Exposure of User Credentials
Critical: Not critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-05-10

Markus Wörle has reported a security issue in Mac OS X, which may expose sensitive information to malicious people.

Full Advisory: http://secunia.com/advisories/15301/

--
[SA15276] Fedora update for libexif
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-05-09

Fedora has issued an update for libexif. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/15276/

--
[SA15259] libexif EXIF Tag Parsing Denial of Service Vulnerability
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-05-09

Matthias Clasen has reported a vulnerability in libexif, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/15259/

--
[SA15323] Sun Solaris automountd Denial of Service Vulnerability
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2005-05-11

A vulnerability has been reported in Solaris, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/15323/

--
[SA15293] Viewglob "vgd" Server Exposure of Directory Information
Critical: Not critical
Where: Local system
Impact: Exposure of system information
Released: 2005-05-10

A weakness has been reported in Viewglob, which can be exploited by malicious, local users to disclose system information.

Full Advisory: http://secunia.com/advisories/15293/

Other:
--
[SA15306] Sun StorEdge 6130 Array Unspecified Unauthorised Access
Critical: Moderately critical
Where: From local network
Impact: Security Bypass
Released: 2005-05-11

A security issue has been reported in Sun StorEdge 6130 Array, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/15306/

Cross Platform:
--
[SA15292] Mozilla Firefox Two Vulnerabilities
Critical: Extremely critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2005-05-08

Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.

Full Advisory: http://secunia.com/advisories/15292/

--
[SA15328] Gaim URL Processing Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-05-11

A vulnerability and a weakness have been reported in Gaim, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a user's system.

Full Advisory: http://secunia.com/advisories/15328/

--
[SA15312] BoastMachine File Upload Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-05-11

FraMe has reported a vulnerability in BoastMachine, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15312/

--
[SA15310] iTunes MPEG-4 File Parsing Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-05-10

A vulnerability has been reported in iTunes, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/15310/

--
[SA15282] e107 Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Manipulation of data, Exposure of sensitive information, System access
Released: 2005-05-10

Heintz has reported some vulnerabilities in e107, which can be exploited by malicious people to disclose sensitive information, conduct SQL injection attacks, and potentially bypass certain security restrictions and compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15282/

--
[SA15279] PHP Advanced Transfer Manager File Upload Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-05-09

nst has reported a vulnerability in PHP Advanced Transfer Manager, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15279/

--
[SA15257] Fusion SBX "is_logged" Authentication Bypass
Critical: Highly critical
Where: From remote
Impact: Security Bypass, System access
Released: 2005-05-10

dave has reported a vulnerability in Fusion SBX, which can be exploited by malicious people to bypass certain security restrictions and compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/15257/

--
[SA15317] Woltlab Burning Board Unspecified Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2005-05-10

A vulnerability with an unknown impact has been reported in Burning Board and Burning Board Lite.

Full Advisory: http://secunia.com/advisories/15317/

--
[SA15315] PwsPHP Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Spoofing, Manipulation of data, Exposure of system information
Released: 2005-05-10

fRoGGz has reported some vulnerabilities in PwsPHP, which can be exploited by malicious people to conduct cross-site scripting, spoofing and SQL injection attacks, and bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/15315/

--
[SA15304] HT Editor ELF and PE Parser Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-05-11

Two vulnerabilities have been reported in HT Editor, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/15304/

--
[SA15298] phpBB Unspecified URL / BB Code Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2005-05-09

A vulnerability with an unknown impact has been reported in phpBB.

Full Advisory: http://secunia.com/advisories/15298/

--
[SA15296] Mozilla "IFRAME" JavaScript URL Cross-Site Scripting
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-05-09

A vulnerability has been reported in Mozilla Suite, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/15296/

--
[SA15290] WebAPP Guestbook PRO Module Message Script Insertion
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-05-11

SoulBlack Security Research has reported a vulnerability in the Guestbook PRO module for WebAPP, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/15290/

--
[SA15289] AutoTheme and AT-Lite Unspecified Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2005-05-10

Some vulnerabilities with unknown impacts have been reported in the AutoTheme and AT-Lite modules for PostNuke.

Full Advisory: http://secunia.com/advisories/15289/

--
[SA15286] SiteStudio and H-Sphere "name" Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-05-10

Donnie Werner has reported a vulnerability in SiteStudio and H-Sphere, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/15286/

--
[SA15281] CJ Ultra Plus "perm" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-05-09

Kold has reported a vulnerability in CJ Ultra Plus, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/15281/

--
[SA15269] MidiCart PHP Shopping Cart Cross-Site Scripting and SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of system information
Released: 2005-05-06

Exoduks has reported some vulnerabilities in MidiCart PHP Shopping Cart, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory: http://secunia.com/advisories/15269/

--
[SA15265] Invision Power Board Cross-Site Scripting and SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-05-06

James Bercegay has reported two vulnerabilities in Invision Power Board, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory: http://secunia.com/advisories/15265/

--
[SA15332] Nuke ET "codigo" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-05-11

Suko and Lostmon have reported a vulnerability in Nuke ET, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/15332/

--
[SA15311] NukeScripts NukeSentinel URL Encoding Filter Bypass
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2005-05-10

A vulnerability has been reported in NukeSentinel, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/15311/

--
[SA15297] Quick.Cart "sWord" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-05-11

Lostmon has reported a vulnerability in Quick.Cart, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/15297/

--
[SA15267] Netscape HTTP Authentication Prompt Spoofing Vulnerability
Critical: Less critical
Where: From remote
Impact: Spoofing
Released: 2005-05-10

A vulnerability has been reported in Netscape, which can be exploited by malicious people to spoof HTTP authentication prompts.
Full Advisory: http://secunia.com/advisories/15267/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Sat May 14 04:06:42 2005
From: isn at c4i.org (InfoSec News)
Date: Sat May 14 04:20:23 2005
Subject: [ISN] Linux Advisory Watch - May 13th 2005
Message-ID:

+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter                                 |
| May 13th, 2005                                Volume 6, Number 19a |
+---------------------------------------------------------------------+

Editors: Dave Wreski (dave@linuxsecurity.com), Benjamin D. Thomas (ben@linuxsecurity.com)

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for squid, smail, XFree86, lapack, system-config-bind, gnutls, util-linux, libexif, ethereal, postgresql, gaim, pygtk, GnuTLS, gzip, TCPDump, libTIFF, HT, and openmotif. The distributors include Debian, Fedora, Gentoo, and Red Hat.

---

## Internet Productivity Suite: Open Source Security ##

Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design.

Click to find out more!
http://store.guardiandigital.com/html/eng/products/software/ips_overview.shtml

---

Sarbanes Oxley - Section 404
By: Erica R. Thomas

The section titled 404 corresponds to the requirements for effective internal controls by corporations falling under the jurisdiction of The Act. According to the Guardian Digital SOX Whitepaper, "Under Section 404 management must institute a comprehensive internal control structure which includes appropriated procedures to ensure accurate and complete financial reporting." Management must conduct an annual assessment regarding the effectiveness of this structure, and it must be supported by documented evidence and validation of management's assessment by a registered public accounting firm.

According to Robert Moeller in his book, "Sarbanes-Oxley and the New Internal Auditing Rules", a system or process has good internal controls if it accomplishes its stated mission, produces accurate and reliable data, complies with applicable laws and organization policies, provides for economical and efficient uses of resources, and provides for appropriate safeguarding of assets. The annual internal controls reports must state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and must contain an assessment of the effectiveness of the internal control structure and procedures of the company for financial reporting.

The Act affects every level of an organization; however, much of the compliance work will be handled by the upper-level executives as well as the finance and IT departments. Overall, The Act's main concern is the security and integrity of financial information. As stated by Guardian Digital, "Given that almost all business information today is created, stored, and shared electronically, information technology, with special regard to information security, is a significant component of the effective internal controls mandated by SOX."

Any aspect of information technology controls which directly affects the processes or procedures involved in creating and preparing corporate data, including all hardware, software, and IT policies relevant to the preparation and retention of information, would then be subject to compliance with the act. According to SOX, all corporations must pass a set of rules for every division within a company that may be involved in the generation, manipulation, and reporting of corporate information. With regard to IT departments, however, these policies will be created to drive security and ensure the integrity of all information contained on the network.

Documented policies and procedures set acceptable rules for the conduct of employees and executives alike and, furthermore, provide blueprints on how certain situations should most effectively be handled, eliminating guesswork and inadvertent transgressions. Setting information security policies, properly enforcing them, and proactively evolving existing policies to adjust to corporate growth is the backbone of SOX compliance and is essential to achieve optimum performance and security on the system.

Although properly executed acceptable use policies are a good defense against many of the internal threats facing corporate infrastructure, they cannot protect the integrity of corporate data alone. A solid infrastructure incorporates numerous technologies, including those that will protect corporate confidentiality and the continuity of secure network operations, and further assist in enforcing corporate network and Internet policies. These solutions should include firewalls for traffic monitoring, comprehensive auditing features to reveal user and system activity, strong encryption mechanisms to ensure data integrity when transferring pertinent information, user authentication mechanisms such as passwords and digital certificates, and a system back-up module to provide critical recovery services.

A cohesive collection of all these applications is a step in the right direction for SOX compliance as well as a chance for organizations to empower their IT infrastructure through technologically advanced applications. Such improvements not only provide governmental compliance and greater network protection but can also result in a dramatic performance increase.

----------------------

Measuring Security IT Success

In a time where budgets are constrained and Internet threats are on the rise, it is important for organizations to invest in network security applications that will not only provide them with powerful functionality but also a rapid return on investment. In most organizations IT success is generally calculated through effectiveness, resource usage and, most importantly, how quickly the investment can be returned. To correctly quantify the ROI of information technology, organizations usually measure cost savings and increased profits since the initial implementation. Additionally, ROI can also be affected by the overall impact the investment has on employee productivity and the overall work environment of the company.

http://www.linuxsecurity.com/content/view/118817/49/

---

Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, therefore very simple. If the feedback is good, I'll consider creating more complex guides for advanced users. Please let us know what you think and how these can be improved.

Click to view video demo:
http://www.linuxsecurity.com/content/view/118181/49/

---

The Tao of Network Security Monitoring: Beyond Intrusion Detection

To be honest, this was one of the best books that I've read on network security.
Other books often dive so deeply into technical discussions that they fail to provide any relevance to network engineers/administrators working in a corporate environment. Budgets, deadlines, and flexibility are issues that we must all address. The Tao of Network Security Monitoring is presented in such a way that all of these are still relevant. One of the greatest virtues of this book is that it offers real-life technical examples, while backing them up with relevant case studies.

http://www.linuxsecurity.com/content/view/118106/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New squid packages fix ACL bypass
  6th, May, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/119067

* Debian: New smail packages fix arbitrary code execution
  9th, May, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/119079

* Debian: New XFree86 packages fix arbitrary code execution
  9th, May, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/119081

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Core 3 Update: lapack-3.0-26.fc3
  5th, May, 2005
  This update fixes problems in some lapack libraries (problems with compiler optimization). This version contains all patches present in the fc4 lapack version.
  http://www.linuxsecurity.com/content/view/119060

* Fedora Core 3 Update: system-config-bind-4.0.0-12
  5th, May, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/119061

* Fedora Core 3 Update: gnutls-1.0.20-3.1.1
  5th, May, 2005
  New gnutls version fixes CAN-2005-1431 problem (possible DOS attack).
  http://www.linuxsecurity.com/content/view/119062

* Fedora Core 3 Update: util-linux-2.12a-24.2
  6th, May, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/119069

* Fedora Core 3 Update: libexif-0.5.12-6.fc3
  6th, May, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/119073

* Fedora Core 3 Update: ethereal-0.10.11-1.FC3.1
  9th, May, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/119080

* Fedora Core 3 Update: postgresql-7.4.8-1.FC3.1
  10th, May, 2005
  This update includes several upstream security fixes and other bug fixes.
  http://www.linuxsecurity.com/content/view/119093

* Fedora Core 3 Update: gaim-1.3.0-1.fc3
  11th, May, 2005
  Many bug fixes and two important security fixes.
  http://www.linuxsecurity.com/content/view/119101

* Fedora Core 3 Update: pygtk2-2.4.1-fc3.1
  11th, May, 2005
  Updated package.
  http://www.linuxsecurity.com/content/view/119106

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: Oops! Remote code execution
  5th, May, 2005
  The Oops! proxy server contains a remotely exploitable format string vulnerability, which could potentially lead to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/119063

* Gentoo: Ethereal Numerous vulnerabilities
  6th, May, 2005
  Ethereal is vulnerable to numerous vulnerabilities potentially resulting in the execution of arbitrary code or abnormal termination.
  http://www.linuxsecurity.com/content/view/119070

* Gentoo: GnuTLS Denial of Service vulnerability
  9th, May, 2005
  The GnuTLS library is vulnerable to Denial of Service attacks.
  http://www.linuxsecurity.com/content/view/119077

* Gentoo: gzip Multiple vulnerabilities
  9th, May, 2005
  gzip contains multiple vulnerabilities potentially allowing an attacker to execute arbitrary commands.
  http://www.linuxsecurity.com/content/view/119084

* Gentoo: TCPDump Decoding routines Denial of Service vulnerability
  9th, May, 2005
  A flaw in the decoding of network packets renders TCPDump vulnerable to a remote Denial of Service attack.
  http://www.linuxsecurity.com/content/view/119085

* Gentoo: libTIFF Buffer overflow
  10th, May, 2005
  The libTIFF library is vulnerable to a buffer overflow, potentially resulting in the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/119091

* Gentoo: HT Editor Multiple buffer overflows
  10th, May, 2005
  Two vulnerabilities have been discovered in HT Editor, potentially leading to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/119092

* Gentoo: Gaim Denial of Service and buffer overflow vulnerabilities
  12th, May, 2005
  Gaim contains two vulnerabilities, potentially resulting in the execution of arbitrary code or Denial of Service.
  http://www.linuxsecurity.com/content/view/119107

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Moderate: tcpdump security update
  11th, May, 2005
  Updated tcpdump packages that fix several security issues are now available.
  http://www.linuxsecurity.com/content/view/119096

* RedHat: Moderate: tcpdump security update
  11th, May, 2005
  Updated tcpdump packages that fix several security issues are now available.
  http://www.linuxsecurity.com/content/view/119097

* RedHat: Critical: gaim security update
  11th, May, 2005
  An updated gaim package that fixes two security issues is now available.
  http://www.linuxsecurity.com/content/view/119098

* RedHat: Critical: gaim security update
  11th, May, 2005
  An updated gaim package that fixes security issues is now available for Red Hat.
  http://www.linuxsecurity.com/content/view/119099

* RedHat: Moderate: openmotif security update
  11th, May, 2005
  Updated openmotif packages that fix a flaw in the Xpm image library are now available.
  http://www.linuxsecurity.com/content/view/119102

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.
LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Sat May 14 04:07:50 2005
From: isn at c4i.org (InfoSec News)
Date: Sat May 14 04:20:29 2005
Subject: [ISN] Time Warner says data on 600,000 workers lost
Message-ID:

Forwarded from: Mark Bernard

Dear Associates,

The recent massive, 600k record, loss of private information by Time Warner truly highlights a threat that every company could be susceptible to. Every business that I've ever worked for, including Government, Pharmaceutical, Insurance, Banking and even Manufacturing, utilizes off-site storage, which could prove to be the next weakest link in the chain of information ownership/custodianship. At one time data encryption would never have been considered due to costs, but now that systems are cheaper and more powerful I don't see why it wouldn't be a serious consideration. Of course encryption keys also need to be managed for the future, hence Identity Management. Encryption may not be an absolute solution, but it's a great alternative and, most importantly, it mitigates risk.

The next operational areas to consider with a similar risk exposure to backup media would be hot sites, which handle live data over live communications lines, and development systems where un-sanitized data may be used for testing. In many cases development is handled by third parties, sometimes off shore, increasing the exposure rate to these vulnerabilities.

Recently I reviewed a Systems Development Department that used a prototyping promotion process. The prototyping promotion process is generally used to speed up the development-to-production time while attempting to reduce errors, further improving on quality and reducing operational expenses.
Unlike the more traditional and more expensive systems development process that actually utilizes a segregated development environment, the prototype environment allows application programmers to have access to live data and usually live production systems.

Hot sites are just that: they typically maintain mirrored or duplicate transactions against a full production system. Since a hot site is usually hidden away in an unmarked, sometimes unmanned building, security precautions may be reduced from those of the production environment. That being said, it could be possible for staff or maintenance people to have access to information otherwise guarded.

There are many risks that need to be considered once information assets become digitized.

Food for thought !!

Best regards, Mark.

Mark E. S. Bernard, CISM, CISSP, PM,
Principal, Risk Management Services,
e-mail: Mark.Bernard@TechSecure.ca
Web: http://www.TechSecure.ca
Phone: (506) 325-0444

Leadership Quotes by John Quincy Adams:
"If your actions inspire others to dream more, learn more, do more and become more, you are a leader."

----- Original Message -----
From: "InfoSec News"
To:
Sent: Wednesday, May 04, 2005 3:37 AM
Subject: [ISN] Time Warner says data on 600,000 workers lost

> http://www.computerworld.com/securitytopics/security/story/0,10801,101500,00.html
>
> By Lucas Mearian
> MAY 02, 2005
> COMPUTERWORLD
>
> Time Warner Inc. reported today that a shipment of backup tapes with personal information of about 600,000 current and former employees went missing more than a month ago during a routine shipment to an offsite storage site.
>
> The tapes, part of a routine shipment being taken to the site by off-site data storage company Iron Mountain Inc., didn't include data about Time Warner customers, the company said in a statement.
>
> The company told employees today that the data tapes went missing March 22.
>
> "We are providing current and former employees with resources to monitor their credit reports while our investigation continues. We are working closely and aggressively with law enforcement and the outside data storage firm to get to the bottom of this matter," said Larry Cockell, Time Warner's chief security officer.
>
> The U.S. Secret Service is working with both Time Warner and Boston-based Iron Mountain to investigate the missing tapes.

From isn at c4i.org Mon May 16 04:14:25 2005
From: isn at c4i.org (InfoSec News)
Date: Mon May 16 04:28:10 2005
Subject: [ISN] German hate-spam spread by Sober virus
Message-ID:

http://www.zdnet.com.au/news/security/0,2000061744,39191987,00.htm

[We (C4I.org) got slammed pretty hard by Sober.Q by a Cogeco IP, and since it was a weekend, no one in Cogeco security was working, or, oddly enough, carries a duty pager alerting them to major virus & security issues. This information was gleaned from someone in tech support that works with the security department. In Cogeco's defense, they say they give users a $100 F-Secure firewall, but if there is no financial benefit (say in the form of reduced internet service) for users to run the firewall software, it's never going to be installed & used. - WK]

By Munir Kotadia
ZDNet Australia
16 May 2005

Another variant of the Sober virus, which spreads right-wing messages in German and English, appeared over the weekend. Security firms are warning that they have received hundreds of thousands of e-mails generated by Sober.Q in its first 24 hours.

Sober is usually a mass-mailing worm that sends a copy of itself to e-mail addresses stored on an infected computer's hard drive. However, in the same week that Germany and Europe celebrate the 60th anniversary of the end of World War II in Europe, the latest variant's sole purpose seems to be to distribute hate mail.
Scott Chasin, chief technology officer at e-mail security specialist MX Logic, said the latest variant of Sober was being uploaded to computers infected by previous variants of Sober, which meant the virus authors may have remote control over thousands of PCs.

"Sober.Q appears to be downloaded by machines infected by Sober.P - If this is the case, the Sober.P author or authors could have remote command-and-control capabilities over a large network of infected machines. This network would provide not only a megaphone to distribute messages of hate, but a platform for future spam, worm and denial of service attacks," said Chasin.

Although spam usually tries to advertise products, Chasin said it is now also being used for spreading propaganda.

"Spam has been traditionally regarded as annoying messages that promote Viagra, porn and low cost mortgages... But for the past year we have seen a trend in which worm authors are using spam not to hawk goods, but as a tool for political propaganda," said Chasin.

Last week, antivirus firms warned that the previous Sober variant, which was disguised as winning tickets to the Soccer World Cup in 2006, had suddenly modified its behaviour and stopped propagating. The temporary lull in activity seemed to have been planned by the virus writers in preparation for this latest attack.

MX Logic's Threat Centre has reported seeing more than 125,000 instances of the Sober.Q worm and categorised it as a high severity threat. Internet security firm SurfControl reported seeing 1,000 spam e-mails within hours of the initial outbreak, which the company said is around 40 times the usual number.
From isn at c4i.org Mon May 16 04:14:39 2005
From: isn at c4i.org (InfoSec News)
Date: Mon May 16 04:28:18 2005
Subject: [ISN] NOAA ISSUES SPACE WEATHER WARNING
Message-ID:

http://www.noaanews.noaa.gov/stories2005/s2437.htm

May 15, 2005 - Forecasters at the NOAA Space Environment Center in Boulder, Colo., observed a geomagnetic storm on Sunday, May 15, which they classified as an extreme event, measuring G-5 - the highest level - on the NOAA Space Weather Scales.

"This event registered a 9 on the K-Index, which measures the maximum deviation of the Earth's magnetic field in a given three-hour period," said Gayle Nelson, lead operations specialist at NOAA Space Environment Center. "The scale ranges from 0 to 9, with 9 being the highest. This was a significant event."

Possible impacts from such a geomagnetic storm include widespread power system voltage control problems; some grid systems may experience complete collapse or blackouts. Transformers may experience damage. Spacecraft operations may experience extensive surface charging; problems with orientation; uplink/downlink and tracking satellites. Satellite navigation may be degraded for days, and low-frequency radio navigation can be out for hours. Reports received by the NOAA Space Environment Center indicate that such impacts have been observed in the United States.

NOAA forecasters said another major event of this type is unlikely; however, other minor level (G-1) geomagnetic storms are possible within the next 24 hours. This event was forecast by NOAA as the result of a solar flare that occurred on Friday, May 13.
From isn at c4i.org Mon May 16 04:14:56 2005
From: isn at c4i.org (InfoSec News)
Date: Mon May 16 04:28:27 2005
Subject: [ISN] Hacker teenager pleads guilty
Message-ID:

http://www.phillyburbs.com/pb-dyn/news/112-05142005-489320.html

By DAVID LEVINSKY
Burlington County Times
5/14/2005

Away from the computer, investigators said Jasmine Singh looked and acted like most any other 17-year-old.

In cyberspace, however, investigators said Singh was known both by his online aliases "Jatt" and "Pherk" and for his reputation as a hacker capable and willing to inflict havoc on computer systems of his or others' choosing.

The Middlesex County teenager pleaded guilty in state Superior Court this month to carrying out a series of online attacks between July and December 2004 that targeted an online clothing store based in Delran and other e-commerce businesses, according to the New Jersey Attorney General's Office.

The attacks caused the Delran business and some 2,000 other online companies to suffer in excess of $1 million in damages and losses, investigators said.

More troubling still, investigators say, is that the number of so-called cyber criminals like Singh is on the rise and their schemes are becoming more sophisticated.

"It's becoming a growing problem, and we're taking it very seriously," said Special Agent Timothy Nestor, supervisor of cyber crime investigations at the FBI Field Office in Newark.

Hackers are no longer just bored teenagers trying to sneak into computer networks for fun. There are now cyber mobs on the loose that actively try to steal identities or extort companies with the threat of malicious online attacks, he said.

Law enforcement has had to adapt, Nestor said, noting that cyber crime is now the FBI's third highest priority behind counter-terrorism and counter-intelligence.

"We're pouring lots and lots of resources into this," he said.

The Singh case was an example of an online attack called a denial of service or DOS.
During a DOS, an attacking computer program, called a "bot net," is used to flood the victim's computer network with large amounts of data or specific commands, causing it to overload and crash.

According to a U.S. Department of Justice survey, DOS attacks like the one committed by Singh caused $26 million in losses last year, and Nestor said many hackers now use the threat of them to try to extort money or services.

He said Singh's case was one of only a few instances where a hacker was "contracted" to conduct an attack against specific targets.

According to investigators and court papers, Singh was hired over the Internet by 18-year-old Jason Arabo of Southfield, Mich., to conduct the DOS attacks against Delran-based Jersey-Joe.com and other online companies that sell retro sports apparel in competition with his own online businesses, www.customleader.com and www.jerseydomain.com.

In return for conducting the attacks, Arabo, who used the computer aliases "cl.com" and "Jaytheplaya," paid Singh in sneakers, sports jerseys and jewelry, according to court papers.

Officials from Jersey-Joe.com declined to comment on the attacks.

FBI investigators were informed of the attacks by Jersey-Joe.com and, with assistance from the New Jersey State High Technology Crimes Unit, were able to trace the attacks to Singh and Arabo.

Singh, who was tried as an adult, is scheduled to be sentenced Aug. 12 for second-degree computer theft in connection with the attacks. The charge carries a maximum sentence of 10 years imprisonment.

Arabo was charged in March with conspiring to transmit a program to damage a computer. He is currently free on a $50,000 bond, authorities said.

Nestor said another cyber crime problem is "phishing" - an identity-theft ruse involving official-looking e-mails and Web sites that solicit personal information such as computer passwords, Social Security numbers, credit-card numbers and other forms of financial data from unsuspecting computer users.
A report last year by Gartner Inc., an information technology market research firm, estimated phishing cost U.S. banks and credit card issuers about $1.2 billion in 2003.

At least 2,870 active phishing sites were reported in March, according to the Anti-Phishing Working Group, a nonprofit organization of corporations and government agencies trying to eliminate cyber fraud and identity theft.

Nestor said most phishing schemes now originate with organized crime syndicates that work and communicate almost solely via the Internet. Members of one such "cyber mob" that was broken up last year were charged with stealing and selling approximately 1.7 million credit card numbers that generated total losses in excess of $4 million.

Just as cyber crooks are becoming more sophisticated, Nestor said federal investigators are also developing new methods to detect and trace their infringements. He said state, county, and local law enforcement agencies are also now getting involved in cyber crime crackdowns.

From isn at c4i.org Mon May 16 04:15:10 2005
From: isn at c4i.org (InfoSec News)
Date: Mon May 16 04:28:34 2005
Subject: [ISN] What Price Security?
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2005/05/13/AR2005051300459.html

By Robert MacMillan
washingtonpost.com Staff Writer
Friday, May 13, 2005

It's time to give Microsoft credit for doing the right thing, and I am not talking about the Xbox 360. I'll devote a few lines to the new game box/savior of the world, but first let's examine Windows OneCare, the automated repair service that will make computer security a reality for the average PC owner. It contains tools to fight spyware and viruses, a firewall to block sketchy data (incoming and outgoing) and patches security holes. Microsoft is testing the product among its employees now and expects to conduct a public test later this year.
The company deserves praise for "un-befuddling" computer users who ignore what they don't understand, but the strategy contains two flaws: It costs extra and is incompatible with competing products.

A Microsoft official quoted in the New York Times said OneCare is computer security for the "Jiffy Lube customer." I couldn't put it better myself. But even though computer security is like driving a car, the analogy breaks down (ha ha) when it comes to money. Most people feel that if they shell out thousands of dollars to buy a computer, the accompanying software and a steady Internet connection, the companies that make all the complicated technology work ought to take care of security on their end. That is also true. In an age of phishing, spyware, hackers, denial-of-service attacks and all manner of other digital troubles, Internet security is a requirement.

What Microsoft should do is make the service automatic -- and free -- and allow techies and other people who feel they know enough about security to handle it themselves to opt out of receiving it.

To be fair, we don't know how much OneCare will cost, but even if it's only an extra $5 or $10 each month, you can double your money by betting $10 that the cost will result in fewer takers. Cost-conscious customers see maintaining a computer and Internet connection as a steady flow of outbound nickels and dimes, and no amount of front-page news stories about hackers and identity theft will persuade all of them to pay yet more money for something that the head office should provide from the get-go.

As for compatibility, OneCare will turn Microsoft from a customer of the anti-virus industry into a competitor. This isn't a business column, but it's worth noting that this culminates several years of speculation that the software firm would make just such a move. As for the computer user, this carries important implications. Here's a note from the Wall Street Journal: "Mr.
Hamlin said OneCare won't work with competing security programs from the likes of Symantec and McAfee Inc., because Microsoft wants to be able to provide comprehensive support services. He stressed that Microsoft is aiming at users who don't now use security software and may not know they need it."

This could prove to be a mistake. Plenty of news sources wrote that as many as 75 percent of computer users don't have updated protection for their computers, but in reality, those people probably don't have a clue what they have -- or don't have. When I use my mother's computer and update the security settings, I don't bother to tell her because she doesn't speak the language. "As long as it works," she would say.

Hopefully the testing phase for OneCare will convince Microsoft to let the product play nice with competitors' programs. Competition, even on its own operating system, is something that Microsoft already knows can lead to unpleasant outcomes.

[...]

From isn at c4i.org Tue May 17 01:56:06 2005
From: isn at c4i.org (InfoSec News)
Date: Tue May 17 02:07:11 2005
Subject: [ISN] !! Conference Program Computer Security Mexico 2005 !!
Message-ID:

Forwarded from: Seguridad en Computo - UNAM

-----BEGIN PGP SIGNED MESSAGE-----

========================================================================
                    Computer Security Mexico 2005
          "11 Years Celebrating Computer Security Mexico"
                        Palacio de Mineria
                     May 26th - May 27th, 2005
                       Mexico City, Mexico
========================================================================

The goal of Computer Security 2005 Mexico is to create awareness among the computer user community about security strategies and mechanisms used to protect information systems. Since 1994, Mexico has been organizing this great event through the Computer Security Department at UNAM and UNAM-CERT.

Computer Security 2005 Mexico will be an event for all the people who are involved in the use, design and administration of computer systems.
For the 2005 Conference Program we will have great Keynote Speakers, and we will discuss present problems in the Computer Security field, their implications and possible solutions, such as DNS Hijacking, DNS Cache Poisoning, Phishing scams, and the Information Society and Computer Security, among many other issues raised by organizations with leadership in the security field.

IMPORTANT: The Conference will be in English and Spanish. Translation Service Available.

http://congreso.seguridad.unam.mx

--------------------------------------------------

Keynote Speakers 2005

* Preventing Child Neglect in DNSSECbis Using Lookaside Validation
  Paul Vixie
  Founder & Chairman of Internet Software Consortium

* DNS Hijacking and Security Problems on the Internet
  Steve Crocker
  CEO, Shinkuro, Inc.
  Chair of ICANN's Security and Stability Advisory Committee

* Perils of the Internet
  Hank Nussbacher
  Independent Networking Consultant

* Computer Security and Information Society
  Dr. Alejandro Pisanty Baruch
  Director of Computing Academic Services - UNAM
  ICANN Board of Directors

* Phishing Prevention: Authentication, Visualization, and Open Source Intelligence
  Rebecca Gurley Bace
  President of Infidel, Inc

* Extortion-Grade DDOS: Tactics for Planning and Response
  Eric Greenberg
  Chief Technical Officer and Co-Founder of NetFrameworks, Inc.

* Honeynet Project Future
  Ralph Logan
  Vice President Honeynet Project
  CEO The Logan Group, Inc.

* Héctor Escalante López
  SUN Microsystems.
* Phishing: More Than Just a Pretty Scam Page
  Jason Milletary
  Member of the Technical Staff - CERT/CC

* Underground Culture and Economy in Brasil: Facts and Reality
  Jacomo Dimmit Boca Piccolini
  Analyst at CAIS/RNP (Centro de Atendimento a Incidentes de Seguranza da Rede Nacional de Ensino e Pesquisa)

* Early Warning Systems: The Internet Storm Center and Tar Pits
  Mike Poor
  Intrusion Detection Expert
  SANS Internet Storm Center

* Introduction to Microsoft's Customer Security Incident Response Process
  Greg Lenti
  Microsoft PSS Security Team

* Security in Academic Networks through CLARA (Cooperacion Latinoamericana de Redes Avanzada)
  Liliana E. Velasquez Alegre Solha
  Manager at CAIS/RNP (Centro de Atendimento a Incidentes de Seguranza da Rede Nacional de Ensino e Pesquisa)

* Are We Ready for IPv6? A Security Analysis
  Francisco Jesus Monserrat Coll
  Security Coordinator, RedIRIS
  RedIRIS, Spain

--------------------------------------------------

Why should you attend?

Because it is the opportunity to find out what is being developed in the computer security field, and it is also a chance to share your own experience and interests with people who share the same interest in this field. Also, you can learn how to manage and respond to computer security incidents without exposing your resources.

--------------------------------------------------

Further Information:

* Web: http://congreso.seguridad.unam.mx
* Conference Registration Available on website
* The Conference Program will be in English and Spanish

Juan Carlos Guel
- --
Departamento Seguridad en Computo
UNAM-CERT
DGSCA, UNAM
E-mail: seguridad@seguridad.unam.mx
Circuito Exterior, C. U.
Tel.: 5622-81-69 Fax: 5622-80-43
Del. Coyoacan
04510 Mexico D. F.
WWW: http://www.seguridad.unam.mx
WWW: http://www.unam-cert.unam.mx

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQEVAwUBQolTTnAvLUtwgRsVAQFluQf/cO9zdUjlFVLAvK5iJlUkL6e3wLvdVb85
NtfL/9tH+NY5F1EIz2aobK4b9Q9SPkF+wKEOG1IeOKbh/RnPKYAY/bJmWrHCPZFo
7PXxX2jF81QawEi9K5QPsSe39nW8z8FlPYeY4IPCda8Funw7C8aved+OMqE6EaGi
uSrjOwc34oa8GfpyzskjFc4UjRReLd3CXex3N+QIjxIGQe824wDH/r0G4emtpjjS
Rq0tKnbmYUcYyzb/JaJB0dS0DZX3zgDpaEPWLqsdiPbAO/nsAXo05nqBtuHbUSaz
QJjgAXLeWU1c0mKtGrO0GGlkd5KfZTw5fEkaPtSJXsfxOHNT376xJQ==
=a8ee
-----END PGP SIGNATURE-----

From isn at c4i.org Tue May 17 01:56:22 2005
From: isn at c4i.org (InfoSec News)
Date: Tue May 17 02:07:17 2005
Subject: [ISN] Extortion via DDoS on the rise
Message-ID:

http://www.computerworld.com/networkingtopics/networking/story/0,10801,101761,00.html

By Denise Pappalardo and Ellen Messmer
MAY 16, 2005
NETWORK WORLD

Criminals are increasingly targeting corporations with distributed denial-of-service (DDoS) attacks designed not to disrupt business networks but to be used as tools to extort thousands of dollars from the companies. Those targeted are increasingly deciding to pay the extortionists rather than accept the consequences, experts say.

While reports of this type of crime have circulated for several years, most victimized companies remain reluctant to acknowledge the attacks or enlist the help of law enforcement, resulting in limited awareness of the problem and few prosecutions.

Extortion is "becoming more commonplace," said Ed Amoroso, chief information security officer at AT&T Corp. "It's happening enough that it doesn't even raise an eyebrow anymore."

"In the past eight months we have seen an uptick with the most organized groups of attackers trying to extort money from users," said Rob Rigby, director of managed security services at MCI Inc. "We try to do our best to get [customers] through it, but we leave it up to them to bring such attacks to the attention of law enforcement."
While MCI has been asked to help with prosecutions in other cybercrime cases, Rigby says he does not recall a service provider being subpoenaed in a DDoS extortion case.

Quantifying the extortion problem is difficult because the FBI, ISPs and third-party research firms can't provide figures on the number of DDoS attacks that include demands for money.

The FBI aggressively works daily on cases involving DDoS attacks and extortion, said bureau spokesman Paul Bresson. "Almost all of them have an international connection," he says. "There aren't many cases where people doing this are from the U.S, and many times it is a juvenile subject to the laws of another country."

Bresson says such cases have been prosecuted, although he was unable to cite any. The FBI continues to encourage companies to report this crime to law enforcement, he says, yet "we understand there's a reluctance to do so."

An indeterminable number of victims are choosing to meet the demands of extortionists rather than turn to law enforcement because they're worried about negative publicity.

The law does not prohibit paying, said Kathleen Porter, an attorney at Robinson & Cole LLP in Boston, who has extensive experience with e-commerce and Internet law. "It's illegal to make the demand, but it's not illegal for companies to pay to make the attacks go away. It's analogous to ransom," Porter said. "It's something companies are doing because the costs of denial-of-service attacks are so expensive."

"The problem is, if companies keep paying, the attacks will continue," she said.

Even those who don't pay and instead work with their service provider to mitigate an attack are leery about reporting the crime. "It's still taboo for users to talk about these attacks," Rigby said. "Users worry that just coming under attack can damage their brand."
Companies are not required by law to report these crimes, Porter said, adding that she suspects that many are reticent to do so because they fear being sued over the risks that such an attack might create for their customers.

"We've had [extortion attempts] happen to our customers," said Bruce Schneier, chief technology officer at managed security services provider Counterpane Internet Security. "More often than I'd like, they're paying up." Counterpane offers anti-DDoS services, he added, but they "aren't cheap."

Anti-DDoS services cost around $12,000 per month from carriers such as AT&T and MCI, said John Pescatore, an analyst at Gartner Inc. The most popular type of anti-DDoS equipment used by service providers is Cisco Systems Inc.'s Riverhead gear and Arbor Networks Inc.'s detection tools. This equipment can filter about 99% of the attack traffic, Pescatore said, although sometimes network response times drop by a few seconds.

Gartner advises clients not to pay extortion demands, but some have nonetheless dropped hundreds of thousands of dollars into Swiss or Cayman Island bank accounts controlled by criminals, Pescatore said. "We tell them they're better off going to AT&T and MCI for anti-DDoS protection," he added.

However, when a business needs multiple service providers for backup and bandwidth, the cost for obtaining anti-DDoS services from each can be seen as prohibitive. "So they think it's the same amount of money either way, the service provider or the extortionist," Pescatore said.

One company that refused to pay, Authorize.Net, also went public about its attack. Last fall, the Bellevue, Wash., payments-processing firm, which authorizes credit card transactions for more than 114,000 merchants, had its Internet-based service disrupted by extortionists demanding payment to cease a massive DDoS attack. Authorize.Net issued a statement apologizing for the intermittent disruption in its service and spoke out about the extortion demands.
"Today, we've not yet seen a successful apprehension of anyone involved," said Authorize.Net President Roy Banks. "As a payment-processing platform service, we're prepared in dealing with these threats all the time. We see them regularly." His company has seen "demands from $10,000 to several millions," Banks said. Authorize.Net's policy is not to pay. "We typically engage law enforcement immediately," he said. As for protecting his company against future attacks? "We've invested in [DDoS] equipment," said Banks, who declined to identify the type of equipment, saying he worries that might only help attackers. "It's a combination of hardware and software, both commercial and proprietary," he said. Vendors such as Mazu Networks, Captus Networks and Arbor have products focused on mitigating DDoS attacks. Banks said an important aspect of a DDoS defense is completing service-level agreements with Web hosting and bandwidth providers to create a "framework of cooperation." There are a few ways these attacks get started. In some cases, businesses receive a threatening e-mail or phone call stating if they do not meet certain demands they will be victimized by a DDoS attack. Most often, the DDoS attack begins and then the business is contacted. The perpetrator sometimes stops an attack after 10 minutes or so and then contacts the company saying if it doesn't wire money to a specific account the extortionist will resume the attack. Experts say the demands can be $100,000 or more, but some criminals ask for smaller amounts. The extortionists "want to make it real easy for someone to pay," said AT&T's Amoroso. "Think about it; if you're getting pounded and all you have to do is fork over $6,000 to this account and everything will be fine, it seems easy." Countering the crime spree is likely to prove more difficult, and some say it will take an increased willingness on the part of victims to go to the authorities. 
"There's been a certain laggardness in addressing this at a more formal level," said Banks. Speaking out might help raise awareness that vendors, online businesses and law enforcement need to work together more closely to catch the extortionists. "This involves countries outside the U.S., too, so we should really be dealing with it internationally." From isn at c4i.org Tue May 17 01:56:39 2005 From: isn at c4i.org (InfoSec News) Date: Tue May 17 02:07:22 2005 Subject: [ISN] Linux Security Week - May 16th 2005 Message-ID: +---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | May 16th, 2005 Volume 6, Number 21n | | | | Editorial Team: Dave Wreski dave@linuxsecurity.com | | Benjamin D. Thomas ben@linuxsecurity.com | +---------------------------------------------------------------------+ Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. This week, perhaps the most interesting articles include "A Gentle Introduction To Cryptography," "The Potential for an SSH Worm," and "Taking the guesswork out of information security." --- ## Internet Productivity Suite: Open Source Security ## Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design. Click to find out more! http://store.guardiandigital.com/html/eng/products/software/ips_overview.shtml --- LINUX ADVISORY WATCH This week, advisories were released for squid, smail, XFree86, lapack, system-config-bind, gnutls, util-linux, libexif, ethereal, postgresql, gaim, pygtk, GnuTLS, gzip, TCPDump, libTIFF, HT, and openmotif. The distributors include Debian, Fedora, Gentoo, and Red Hat. 
http://www.linuxsecurity.com/content/view/119112/150/

---

Review: The Book of Postfix: State-of-the-Art Message Transport

I was very impressed with "The Book of Postfix" by authors Ralf Hildebrandt and Patrick Koetter and feel that it is an incredible Postfix reference. It gives a great overall view of the operation and management of Postfix in an extremely systematic and practical format. It flows in a logical manner, is easy to follow and the authors did a great job of explaining topics with attention paid to real world applications and how to avoid many of the associated pitfalls. I am happy to have this reference in my collection.

http://www.linuxsecurity.com/content/view/119027/49/

---

Introduction: Buffer Overflow Vulnerabilities

Buffer overflows are a leading type of security vulnerability. This paper explains what a buffer overflow is, how it can be exploited, and what countermeasures can be taken to prevent the use of buffer overflow vulnerabilities.

http://www.linuxsecurity.com/content/view/118881/49/

---

Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, therefore very simple.

http://www.linuxsecurity.com/content/view/118181/49/

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

Security News: Articles This Week

* A Gentle Introduction To Cryptography
12th, May, 2005
Let us take the example of scrambling an egg. First, crack the shell, pour the contents into a bowl and beat the contents vigorously until you achieved the needed result - well, a scrambled egg. This action of mixing the molecules of the egg is encryption. Since the molecules are mixed-up, we say the egg has achieved a higher state of entropy (state of randomness). To return the scrambled egg to its original form (including uncracking the shell) is decryption. Impossible?
http://www.linuxsecurity.com/content/view/119109

* European security appliance sales soar
12th, May, 2005
Demand for security appliances is going through the roof, with western European sales of the devices predicted to reach over $1.4bn in 2009, up from around $625m in 2004.
http://www.linuxsecurity.com/content/view/119110

* Think before deploying Security-Enhanced Linux in RHEL 4
9th, May, 2005
One of the most exciting new features in RHEL v.4 is the implementation of Security-Enhanced Linux (SELinux). In this tip, we'll look at how you can use it to beef up system security.
http://www.linuxsecurity.com/content/view/119082

* OS makers: Security is job No. 1
11th, May, 2005
That's the attitude of operating system makers, who aren't just focusing on features such as snazzy graphics and better networking tools when revamping products. Now they're also providing sturdier defenses.
http://www.linuxsecurity.com/content/view/119095

* The Potential for an SSH Worm
11th, May, 2005
SSH, or secure shell, is the standard protocol for remotely accessing UNIX systems. It's used everywhere: universities, laboratories, and corporations (particularly in data-intensive back office services).
Thanks to SSH, administrators can stack hundreds of computers close together into air-conditioned rooms and administer them from the comfort of their desks.
http://www.linuxsecurity.com/content/view/119103

* Hyper-Threading Considered Harmful
13th, May, 2005
Hyper-Threading, as currently implemented on Intel Pentium Extreme Edition, Pentium 4, Mobile Pentium 4, and Xeon processors, suffers from a serious security flaw. This flaw permits local information disclosure, including allowing an unprivileged user to steal an RSA private key being used on the same machine. Administrators of multi-user systems are strongly advised to take action to disable Hyper-Threading immediately; single-user systems (i.e., desktop computers) are not affected.
http://www.linuxsecurity.com/content/view/119115

* School Studies Effects of Internet Attacks
9th, May, 2005
A new test laboratory at Iowa State University will allow researchers to study how computer networks respond to massive Internet attacks and could lead to breakthroughs in computer defenses and forensics, said a researcher behind the project.
http://www.linuxsecurity.com/content/view/119078

* High-severity vulnerability in IPsec
10th, May, 2005
Attackers could exploit a major flaw in the Internet Protocol Security [IPsec] framework to obtain the plaintext version of IPsec-protected communications "using only moderate effort," the British-based National Infrastructure Security Co-Ordination Centre [NISCC] warned in an advisory.
http://www.linuxsecurity.com/content/view/119089

* DDoS: don't get stuck in denial
13th, May, 2005
Companies have long realised the great business opportunities that the Internet offers and it's no secret that organisations are shifting more and more of their business processes online.
While this move brings many advantages with it, such as widening customer reach and reducing overheads, the emergence of organised crime in the online world means that business needs to be sharper than ever when it comes to security.
http://www.linuxsecurity.com/content/view/119113

* Security players shoot an all-in-one
11th, May, 2005
Juniper Networks, Cisco Systems and 3Com's TippingPoint division are integrating a trifecta of security features into all-in-one appliances that give partners new ways to help cut the cost and complexity of security solutions.
http://www.linuxsecurity.com/content/view/119104

* Novell snaps up Linux security company
10th, May, 2005
Linux vendor Novell Inc. has acquired Immunix Inc., a security software vendor in Portland, Ore. The 15-person company was bought last week, but terms of the deal aren't being released, according to Novell.
http://www.linuxsecurity.com/content/view/119090

* What is Cisco doing with Linux?
12th, May, 2005
While networking giant Cisco has advantages most competitors don't - dominant market share, a multi-billion-dollar R&D budget, thousands of engineers - the vendor is also taking advantage and making the most of resources that are open to everyone: Linux and open source software.
http://www.linuxsecurity.com/content/view/119108

* Serious Firefox, Mozilla vulnerabilities surface
10th, May, 2005
Recently discovered "zero-day" exploit code that takes advantage of two vulnerabilities could mean serious trouble for Mozilla Firefox 1.0.3 users, and, to a lesser extent, Mozilla Suite users. Yesterday, Mozilla.org issued an advisory explaining the vulnerabilities and what measures to take to work around them.
http://www.linuxsecurity.com/content/view/119086

* Messaging security pros get back to basics
11th, May, 2005
Gone are the days when viruses were the number one concern of messaging administrators.
http://www.linuxsecurity.com/content/view/119094

* Taking the guesswork out of information security
13th, May, 2005
Network security practitioners need to base their technology and policy decisions less on what attacks are possible and more on which are probable, according to the chief scientist for Resonance Networks.
http://www.linuxsecurity.com/content/view/119114

* Alliance Asks Congress To Consider VoIP Vulnerabilities In Updated Telecom Act
11th, May, 2005
The Cyber Security Industry Alliance (CSIA) has called on Congress to include security recommendations related to securing voice over IP (VoIP) technologies as it reviews the 1996 Telecommunications Act.
http://www.linuxsecurity.com/content/view/119100

* Exploit code chases two Firefox flaws
9th, May, 2005
Two vulnerabilities in the popular Firefox browser have been rated "extremely critical" because exploit code is now available to take advantage of them.
http://www.linuxsecurity.com/content/view/119083

* Internet Attack Called Broad and Long Lasting by Investigators
10th, May, 2005
The incident seemed alarming enough: a breach of a Cisco Systems network in which an intruder seized programming instructions for many of the computers that control the flow of the Internet.
http://www.linuxsecurity.com/content/view/119088

* Cisco Confirms Arrest In Theft Of Its Code
12th, May, 2005
Cisco Systems issued a statement Monday confirming that police in Sweden have arrested a suspect in connection with the theft of its networking equipment source code last year.
http://www.linuxsecurity.com/content/view/119111

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.
LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue May 17 01:56:30 2005
From: isn at c4i.org (InfoSec News)
Date: Tue May 17 02:07:28 2005
Subject: [ISN] Feds eye new cybersecurity post
Message-ID:

http://news.com.com/Feds+eye+new+cybersecurity+post/2100-7348_3-5709312.html

By Declan McCullagh
Staff Writer, CNET News.com
May 16, 2005

For the last few years, it hasn't always been clear who in the U.S. government is responsible for overseeing national "cybersecurity" efforts--and how long that person will stick around.

First there was Richard Clarke, a veteran of the Clinton and first Bush administrations who cashed out with a lucrative book deal. Clarke effectively was succeeded in quick succession by Howard Schmidt, known for testifying in favor of the Communications Decency Act, then Amit Yoran and Robert Liscouski.

Now Congress may try to quell some of the turmoil over at the Department of Homeland Security by creating a more prestigious post. On Tuesday, the House of Representatives is scheduled to begin deliberating a proposal for an assistant secretary for cybersecurity.

The position, long a favorite of congressional security hawks, would require an appointment by the president and confirmation by Congress. Whoever fills it will be responsible for coordinating with other federal agencies, some of which have had spotty records in the past.

In a recent interview with CNET News.com, Rep. Chris Cox, a California Republican, said today's cybersecurity post needs a promotion. "That's of course something that we have been pushing hard for in the Homeland Security committee over the last two years, elevating the profile of cyber inside the Department of Homeland Security and inside the federal government."
According to the House bill, the assistant secretary would be charged with creating a "national cybersecurity response system" that would evaluate U.S. critical infrastructure and "aid in the detection and warning of attacks" on it.

Currently the department's chief cybersecurity official is a low-to-mid-level official who is two levels of bureaucracy removed from Secretary Michael Chertoff. An assistant secretary would have more access to Chertoff.

The assistant secretary proposal is part of a broader homeland security bill for the 2006 fiscal year. It also requires the department to establish a National Terrorism Exercise Program to "prevent" and "recover from" terrorist acts, including cybersecurity breaches.

From isn at c4i.org Wed May 18 03:11:05 2005
From: isn at c4i.org (InfoSec News)
Date: Wed May 18 03:27:16 2005
Subject: [ISN] Swindle: 'Somebody Has Got to Pay'
Message-ID:

http://www.internetnews.com/bus-news/article.php/3505826

By Roy Mark
May 17, 2005

WASHINGTON -- Corporate America is acting irresponsibly in protecting consumer data, Orson Swindle of the Federal Trade Commission (FTC) said today. The payback for that irresponsibility, he predicted, will be painful.

In impromptu comments made during a think-tank panel discussion on international cyber crime, Swindle, a Republican FTC commissioner, took broad swipes at both private enterprise and Congress for their efforts on consumer data protection.

"Everybody's screaming, all the political figures up on [Capitol] Hill, about identity theft," he said. "It's not identity theft, it's the theft of information." And, he added, in today's global, digital marketplace, that information is currency.

"While politicians raise hell about identity theft, what we're really talking about is the failure to protect valuable currency," Swindle said. "Corporate boards better start paying attention, because they haven't been."
The daily headlines of various data breaches from ChoicePoint to Bank of America to several colleges and universities, he said, "Indicates to me the industry has, to a great extent, been irresponsible, and somebody has got to pay."

He suggested the first people to pay might be corporate lawyers. The lax data protection, according to Swindle, is "being driven in part by those general counsels who sit around and say, 'Be careful about what you promise in privacy and information security because you might get sued for it.'"

Swindle called that attitude irresponsible and said doing the right thing will minimize the problem. "That is irresponsible. Do the right thing and we'll have a heck of a less problem," he said. "That'll give technology a chance to catch up and keep building better reinforcements in multi-layer defenses."

One of the right things to do, according to Entrust CEO Bill Connor, is a uniform national breach notification law to cover consumers exposed to possible ID theft. Connor said he supports disclosure to consumers in breaches of both encrypted and unencrypted data. But, like most in the technology industry, Connor wants the notification law to exempt encrypted data breaches from liability lawsuits or penalties.

"Information is what people are after. All encryption does is put some locks on it, granted some pretty strong locks," Connor told internetnews.com. "If they have the right credentials, encryption won

Encrypted data, according to Connor, takes away approximately 80 percent of the breach vulnerabilities of unencrypted data. Liability for encrypted data breaches should be limited, or "non-existent," according to Connor, since the company "practiced good safekeeping. You've done duty of care."

Sen. Dianne Feinstein (D-Calif.) is proposing a national disclosure law with liability for both encrypted and unencrypted data breaches.

"Encryption 'safe harbor' provisions benefit not only consumers and citizens, but also provide incentives for business and organizations to provide greater security throughout their operations," Connor told the panel. "It is a win-win proposition, which ultimately benefits all parties involved."

From isn at c4i.org Wed May 18 03:11:24 2005
From: isn at c4i.org (InfoSec News)
Date: Wed May 18 03:27:19 2005
Subject: [ISN] Cisco Saves The World -- On TV
Message-ID:

http://techweb.com/showArticle.jhtml?articleID=163104972

[After you read this article, fans of "24" might get a kick out of this: http://www.salon.com/ent/feature/2005/05/16/24/index_np.html - WK]

By Fredric Paul
TechWeb.com
May 17, 2005

Did anyone happen to see the TV show "24" last week? You know, it's the Monday-night Fox series where counter-terrorist Jack Bauer, played by Kiefer Sutherland, spends a desperate day trying to save America from various forms of annihilation.

Well, I've been Tivo-ing the series since it started four years ago, and it's had its share of jump-the-shark [1] moments. But I fell out of my Lay-Z-Boy last Monday night when a nuclear terrorist's attempt to penetrate the show's Counter Terrorist Unit's computer network was foiled by a new security system said to have been just installed the previous night.

It wasn't just any security system, you see, it was a CISCO security system. You can see the clip on Cisco's Web site [2], (QuickTime required) and here's a rough transcript of the conversation between Chloe, the show's cranky computer expert, and Buchanan, the suit in charge of CTU:

Chloe: How did this happen? Mr. Buchanan, the network security monitor lit up. Someone on the outside is trying to jam our satellite servers.

Buchanan: Could this just be high network load?

Chloe: No, it's definitely a denial of service attempt. What do you want me to do?

Buchanan: Did it do any damage yet?

Chloe: No, the Cisco system is self defending.
Buchanan: Alright, have one of your people use the security auditor tool. Maybe it'll give us Marwan's network. [Note: Marwan is a terrorist attempting to blow up a stolen nuclear bomb.]

Chloe: That was my point from the start.

Buchanan: Chloe, we're in active code. We don't have time for your personality disorder. [Note: Lines like this are why I still love the show despite its numerous missteps.] You understand me? Chloe! Yes or no?

Chloe: Yes, sir.

During this conversation the words "Cisco Security Response System" appear on Chloe's computer screen, and the Cisco logo looms on large wall monitors in CTU's headquarters. After the exchange demonstrates the impregnability of the system, as far as I could tell the whole computer attack plot line is dropped as quickly as it was mentioned, mattering not a whit to the overall plot of the show.

Discussion of this remarkably blatant incident is rife on the blogosphere [3], and I can see why. I was so stunned I contacted Cisco about it. A Cisco representative acknowledged it as "a cool placement," but said the VP of corporate marketing chose "not to disclose lots of details around our product placements for competitive reasons." He also declined to mention that Cisco posted the clip on its site; I found that URL via the blogosphere.

He did add, though, that "Cisco has provided network technology solutions to the 24 production team for the past four years, since its inception. We believe this is an innovative way to generate awareness of our product solutions while enhancing content of the show."

Well, most people don't seem to see it as enhancement of the show, but my annoyance with product placements is not the point. (For instance, a Cisco IP communications placement [4] on "24" didn't bother me hardly at all, nor did the Alienware laptops used by the bad guys.)
Instead, I saw this placement as a reason to start worrying about the real state of homeland computer security, and about the false confidence we have concerning the issue. Do we really trust our homeland security to Cisco--or to any company for that matter?

I mean, while the "Cisco Security Response System" works perfectly on TV, in real life Cisco--like most other companies--has had numerous security lapses. The company recently acknowledged that its routers, switches, and other products are vulnerable to denial-of-service attacks and that its IOS (Internetwork Operating System) may contain vulnerabilities that could permit an unauthorized user to complete authentication and access network resources and have other issues. Furthermore, Cisco's own source code was stolen last year, and the alleged perps have only recently been arrested.

Now, I know Cisco takes security seriously. It's a big money-maker for the company, among other things. But the face it presents on "24" is that this is a problem already solved. The terrorists slink away, their hacking plans swiftly foiled--though it doesn't stop their overall operation. Is that really an accurate reflection of the threat we face? And is it responsible of Cisco to present it that way?

I'm curious to find out what you think of the product placement, and the message it sends. Feel free to drop me a line [5].

Fredric Paul is editor-in-chief of TechWeb.
-0-

[1] http://www.jumptheshark.com/t/24.htm
[2] http://www.cisco.com/now/24/indexSecurity.html
[3] http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLD,GGLD:2004-43,GGLD:en&q=%2224%22+chloe+cisco
[4] http://www.cisco.com/now/24/
[5] fpaul@cmp.com

From isn at c4i.org Wed May 18 03:11:38 2005
From: isn at c4i.org (InfoSec News)
Date: Wed May 18 03:27:22 2005
Subject: [ISN] Internet Explorer springs more leaks
Message-ID:

http://www.vnunet.com/vnunet/news/2135289/internet-explorer-springs-leaks

Tom Sanders in California
vnunet.com
17 May 2005

Security researchers have reported a high-risk flaw in Microsoft's Outlook and Internet Explorer. The hole could allow malicious code to be executed with minimal user interaction, according to security firm eEye Digital Security. The company claims to have notified Microsoft about the flaw on 5 May.

A spokeswoman for Microsoft confirmed that the company has been notified, and is investigating the issue. "At this time, Microsoft is not aware of any malicious attacks attempting to exploit the reported vulnerabilities, and there is no customer impact based on this issue," she said.

The defect affects systems running Windows NT, 2000, XP and at least some versions of Windows 2003.

eEye notified Microsoft about two other flaws in Internet Explorer and Outlook on 16 March and 29 March, but the software giant has yet to release a patch for the problems.

Microsoft usually releases patches on a monthly basis to allow systems administrators to plan for the fixes, although an out-of-cycle patch can be issued in emergencies.
From isn at c4i.org Wed May 18 03:11:54 2005
From: isn at c4i.org (InfoSec News)
Date: Wed May 18 03:27:27 2005
Subject: [ISN] Web sites get costly lesson in security
Message-ID:

http://www.asahi.com/english/Herald-asahi/TKY200505180108.html

The Asahi Shimbun
05/18/2005

A hacker attack that shut down the nation's top price comparison Web site was a harsh and expensive lesson on the vulnerability of Internet businesses.

Kakaku.com Inc. announced Monday that unlawful access to its computer system forced it to close its Web site on Saturday. The company found alterations in its programs and a virus that might have been passed to some users' computers.

The online operator will lose about 40 million yen in revenue before it replaces its server computers and restarts site operations next Monday. It projects 2 billion yen in sales for the year ended March.

Almost all of the company's revenue comes from its Web business in the form of commissions paid by retailers that have their price lists posted on the site. The company compiles the price data and lists prices of specific products and services so shoppers can easily find the best bargains. The site covers products and services in 22 sectors, such as digital home appliances, personal computers, insurance policies and rates for telecommunication lines.

The shutdown has worrisome ramifications for the entire Internet industry. "If our Web site is suspended, it is the same as losing our head office and all branches to a fire," an official of an online business said.

Security measures are sometimes complex. At Yahoo Japan Corp., operator of the nation's largest portal Yahoo! Japan, no single engineer can access all of the site's code. By limiting access even to its own personnel, the company hopes to prevent damage to the whole site by a hacker impersonating an authorized programmer.

An official at Internet Security Systems K.K.
said some online businesses do not expend adequate resources to ensure security because they are continually enhancing their sites to accommodate growth. Therefore, too little attention is given to detecting unauthorized access.

Domestic sales of access detection products and services in fiscal 2005 are expected to be about 3 billion yen, far lower than the 40 billion yen in sales of anti-virus software.

In April, anti-Japan messages were uploaded to the Web site of a Chinese unit of Sony Corp. Square Enix Co., which operates the online video game Final Fantasy XI, faced a cyber attack on the computer system and was forced to temporarily suspend operation of the online service.

The Information-technology Promotion Agency has annually received 400-600 reports of unauthorized accesses at sites operated by individuals and companies over the past few years. In 2004, there were 594 reports, about 40 percent more than in 2003. Of those unauthorized accesses, 72 resulted in substantial damage, including alteration of the site in 15 cases and falsification of files in 21 cases, according to the independent administrative agency.

Kakaku.com said client users who accessed its site from Wednesday to Saturday may have been infected with computer viruses. The company has set up a Web site to inform users of the situation and to provide information on countermeasures against the virus.

The virus infection surfaced on Wednesday when the company received an e-mail message from a user reporting a virus warning that appeared during legitimate access to the site. About the same time, a company official detected tampering with the site's programs. The company also found that someone had illegally accessed data on customers' e-mail addresses.

The site operator filed a complaint with the Tokyo Metropolitan Police Department.
From isn at c4i.org Fri May 20 01:10:34 2005
From: isn at c4i.org (InfoSec News)
Date: Fri May 20 01:30:10 2005
Subject: [ISN] Paris Hilton Hack Started With Old-Fashioned Con
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2005/05/19/AR2005051900711.html

By Brian Krebs
washingtonpost.com Staff Writer
May 19, 2005

The caper had all the necessary ingredients to spark a media firestorm -- a beautiful socialite-turned-reality TV star, embarrassing photographs and messages, and the personal contact information of several young music and Hollywood celebrities.

When hotel heiress Paris Hilton found out in February that her high-tech wireless phone had been taken over by hackers, many assumed that only a technical mastermind could have pulled off such a feat. But as it turns out, a hacker involved in the privacy breach said, the Hilton saga began on a decidedly low-tech note -- with a simple phone call.

Computer security flaws played a role in the attack, which exploited a programming glitch in the Web site of Hilton's cell phone provider, Bellevue, Wash.-based T-Mobile International. But one young hacker who claimed to have been involved in the data theft said the crime only succeeded after one member of a small group of hackers tricked a T-Mobile employee into divulging information that only employees are supposed to know.

The young hacker described the exploit during online text conversations with a washingtonpost.com reporter and provided other evidence supporting his account, including screen shots of what he said were internal T-Mobile computer network pages. Washingtonpost.com is not revealing the hacker's identity because he is a juvenile crime suspect and because he communicated with the reporter on the condition that he not be identified either directly or through his online alias.
A senior law enforcement official involved in the case said investigators believe the young hacker's group carried out the Paris Hilton data theft and was also involved in illegally downloading thousands of personal records from database giant LexisNexis Inc. The source asked not to be identified because of his role in this and other ongoing investigations.

A third source, a woman who has communicated with the hacker group's members for several years, also confirmed key portions of the young hacker's story and said she saw images and other information downloaded from Hilton's T-Mobile account hours before they were released on several Web sites.

T-Mobile declined to comment on the details of the hacker's account of the Paris Hilton incident, saying through a spokesman that the company cannot discuss an ongoing investigation. The spokesman said the company "will work with federal law enforcement agencies to investigate and prosecute anyone that attempts to gain unauthorized access to T-Mobile systems."

Getting Access

In the months leading up to the Hilton incident, the hacker group freely exploited a security glitch in the Web site of wireless phone giant T-Mobile, according to the hacker, who described himself as the youngest member of the group.

The group had found that a tool on the T-Mobile site that allowed users to reset their account passwords contained a key programming flaw. By exploiting the flaw, the group's members were able to gain access to the account of any T-Mobile subscriber who used a "Sidekick," a pricey phone-organizer-camera combination device that stores videos, photos and other data on T-Mobile's central computer servers. The hackers could only exploit the Web site vulnerability if they actually knew a Sidekick user's phone number.
The loose-knit group had grown bored of using the flaw to toy with friends and acquaintances who owned Sidekicks and decided to find a high-profile target, one that would ensure their exploits were reported in the press, the young hacker said. They ultimately settled on Hilton, in part because they knew she owned a Sidekick; Hilton had previously starred in a commercial advertising the device.

The group's members -- who range in age from their mid-teens to early 20s -- include a handful of "AOLers," a term used in hacker circles to describe youths who honed their skills over the years by tampering with various portions of the network run by Dulles, Va.-based America Online Inc. Four members of the group have all met face-to-face, but as with most hacking groups, the majority of their day-to-day interactions took place online.

Before gaining access to Hilton's wireless phone account, the group had spent a year studying weaknesses in T-Mobile's Web sites. The group member interviewed for this story had already written a simple computer program that could reset the password for any T-Mobile user whose phone number the hackers knew.

According to the young hacker's account, the Hilton caper started the afternoon of Feb. 19, when a group member rang a T-Mobile sales store in a Southern California coastal town posing as a supervisor from T-Mobile inquiring about reports of slowness on the company's internal networks.

The conversation -- which represents the recollection of the hacker interviewed by washingtonpost.com -- began with the 16-year-old caller saying, "This is [an invented name] from T-Mobile headquarters in Washington. We heard you've been having problems with your customer account tools?"

The sales representative answered, "No, we haven't had any problems really, just a couple slowdowns. That's about it."

Prepared for this response, the hacker pressed on: "Yes, that's what is described here in the report.
We're going to have to look into this for a quick second."

The sales rep acquiesced: "All right, what do you need?"

When prompted, the employee then offered the Internet address of the Web site used to manage T-Mobile's customer accounts -- a password-protected site not normally accessible to the general public -- as well as a user name and password that employees at the store used to log on to the system.

To support his story, the hacker provided washingtonpost.com with an image of a page he said was from the protected site. T-Mobile declined to comment on the screenshot, and washingtonpost.com has no way to verify its authenticity.

Inside the Walls

The hackers accessed the internal T-Mobile site shortly thereafter and began looking up famous names and their phone numbers. At one point, the youth said, the group harassed Laurence Fishburne, the actor perhaps best known for his role in the "Matrix" movies as Morpheus, captain of the futuristic ship Nebuchadnezzar.

"We called him up a few times and said, 'GIVE US THE SHIP!'" the youth typed in one of his online chats with a reporter. "He picked up a couple times and kept saying stuff like YOUR ILLEGALLY CALLING ME."

Later, using their own Sidekick phone, the hackers pulled up the secure T-Mobile customer records site, looked up Hilton's phone number and reset the password for her account, locking her out of it.

Typical wireless devices can only be hacked into by someone physically nearby, but a Sidekick's data storage can be accessed from anywhere in T-Mobile's service area by someone with control of the account. That means the hackers were at that point able to download all of her stored video, text and data files to their phone.

"As soon as I went into her camera and saw nudes my head went JACKPOT," the young hacker recalled of his reaction to first seeing the now-public photos of a topless Hilton locked in an intimate embrace with a female friend. "I was like, HOLY [expletive] DUDE ... SHES GOT NUDES.
THIS [expletive]'s GONNA HIT THE PRESS SO [expletive] QUICK."

The hackers set up a conference call and agreed to spread the news to several friends, all the while plotting ways to get the photos up on various Web sites.

Kelly Hallissey, a 41-year-old New York native who has been in contact with the group of hackers for several years, said the group's members showed her evidence that they had gained access to Hilton's phone during these early hours -- before the images made their way online.

By early Feb. 20, the pictures, private notes and contact listings from Hilton's phone account -- including phone numbers of celebrities such as Christina Aguilera, Eminem, Anna Kournikova and Vin Diesel -- had appeared on GenMay.com (short for General Mayhem), an eclectic, no-holds-barred online discussion forum.

Within hours of the GenMay posting, Hilton's information was published on Illmob.org, a Web site run by 27-year-old William Genovese of Meriden, Conn., known online as "illwill." (The FBI charged Genovese in November with selling bits of stolen source code for Microsoft Windows 2000 and Windows NT operating systems.)

By Monday morning, dozens of news sites and personal Web logs had picked up the story, with many linking to the illmob.org post or mirroring the purloined data on their own.

Hallissey, who describes herself as a kind of "den mom" to a cadre of budding hackers, confirmed that the teenage source has been engaged in various hacking activities for several years. Hallissey met a slew of the hacker group's members after a three-year stint during the 1990s as one of thousands of people who helped AOL maintain its online content in exchange for free Internet access and various other perks. Hallissey has since joined a still-active wage lawsuit against AOL and maintains www.observers.net, a Web site critical of the Dulles-based company.
Hallissey said her sense of privacy has been erased gradually over the past two years as a result of her association with a number of AOLers who playfully bragged to her about their success with social engineering. They showed her online screen shots of her water, gas and electric bills, her Social Security number, credit card balances and credit ratings, pictures of her e-mail inbox, as well as all of her previous addresses, including those of her children.

"This was all done not by skilled 'hackers' but by kids who managed to 'social' their way into a company's system and gain access to it within one or two phone calls," said Hallissey, who asked that her current place of residence not be disclosed. "Major corporations have made social engineering way too easy for these kids. In their call centers they hire low-pay employees to man the phones, give them a minimum of training, most of which usually dwells on call times, canned scripts and sales. This isn't unique to T-Mobile or AOL. This has become common practice for almost every company."

AOL officials declined to comment about the young hacker or other "AOLers" for this story.

The Weakest Link

Security experts say the raiding of Hilton's wireless account highlights one of the most serious security challenges facing corporations -- teaching employees to be watchful for "social engineering," the use of deception to trick people into giving away sensitive data, usually over the phone.

In his book "The Art of Deception," notorious ex-hacker Kevin Mitnick says major corporations spend millions of dollars each year on new technologies to keep out hackers and viruses, yet few dedicate significant resources to educating employees about the dangers of old-fashioned con artistry.

"The average $10-an-hour sales clerk or call-center employee will tell you anything you want, including passwords," Mitnick said in a telephone interview.
"These people are usually not well-trained, but they also interact with people to sell products and services, so they tend to be more customer-friendly and cooperative."

During his highly publicized hacking career in the 1990s, Mitnick -- who spent four years in prison and now works as a computer security consultant -- broke into the computer networks of some of the top companies in the technology and telecommunications industries, but rarely targeted computer systems directly. Rather, he phoned employees and simply asked them for user names, passwords or other "insider" data that he could use to sound more authentic in future phone inquiries.

"This kind of thing works with just about every mobile carrier," Mitnick said. He said all of the major wireless carriers -- not just T-Mobile -- are popular targets for social engineering attacks.

Mitnick said he knows private investigators who routinely obtain phone records of people they are investigating by calling a sales office at the target's wireless carrier and pretending to be an employee from another sales office. Mitnick described how an investigator will claim to have the customer they're investigating in the store, but can't access their data because of computer trouble. Then the investigator asks the sales representative at the other store to look up that person's password, account number and Social Security number. In many cases the employee provides the information without verifying the caller's identity. Armed with that data, he said, investigators usually can create an account at the wireless provider's Web site and pull all of the target's phone records.

Large organizations that maintain numerous branches around the country are especially susceptible to social engineering attacks, said Peter Stewart, president of Baton Rouge, La.-based Trace Security, a company that is hired to test the physical and network security for some of the most paranoid companies in the world: banks.
More often than not, Stewart says, his people can talk their way into employee-only areas of banks by pretending to be a repairman or just another employee. In most cases, the break-in attempts are aided by information gleaned over the phone.

"Usually your corporate headquarters are more stringent and things get more lax the further away from there you get," Stewart said. "The larger you are as a company the more likely it is that you're not going to know everyone by name, and lots of companies have no policy in place of verifying who's calling you and how to respond to that person."

'Web Security 101'

Social engineering can be difficult to counter, but the now-infamous Paris Hilton attack follows other recent serious T-Mobile security breaches engineered by hackers.

On Feb. 15, Nicolas Jacobsen, 22, of Santa Ana, Calif., pleaded guilty to compromising a T-Mobile Web server that granted access to hundreds of wireless accounts. He faces a maximum of five years in jail and a $250,000 fine at a sentencing hearing originally scheduled for mid-May.

Jacobsen was arrested last fall by the U.S. Secret Service as part of a large-scale investigation into an international online credit card fraud ring. According to court records, Jacobsen had hijacked hundreds of T-Mobile accounts, including a mobile phone belonging to a then-active Secret Service agent. Jacobsen had posted to an online bulletin board that he could be hired to look up the name, Social Security number, birth date, and voice-mail and e-mail passwords of any T-Mobile subscriber. T-Mobile later alerted 400 customers that their e-mails, phone records and other data had been compromised as a result of that break-in.

The court files don't give details about how it happened, but Jack Koziol, a senior instructor for the Oak Park, Ill.-based InfoSec Institute, said the intruder likely took advantage of security flaws in the company's Web servers.
Koziol conducted an informal audit of T-Mobile's site in March and uncovered hundreds of pages run by Web servers vulnerable to well-known security flaws, he said.

"It's pretty amazing how poorly secured their Web properties are," said Koziol, whose company offers training to corporate, law enforcement and government clients on the latest techniques and tactics used by hackers. "Most of these flaws are simple Web Security 101, stuff you'd learn about in the first few chapters of a basic book on how to secure Web applications."

T-Mobile officials declined to say what steps they took to close the security holes identified by the Hilton hackers or how many other accounts may have been hijacked.

"T-Mobile has invested millions of dollars to protect our customers' information, and we continue to reinforce our systems to address the security needs of our subscribers," company spokesman Peter Dobrow wrote in an e-mail. "For our customers' protection, we do not publicly disclose the specific actions taken to reinforce our systems."

From isn at c4i.org Fri May 20 01:11:25 2005
From: isn at c4i.org (InfoSec News)
Date: Fri May 20 01:30:14 2005
Subject: [ISN] Swindle: 'Somebody Has Got to Pay'
Message-ID:

Forwarded from: *Hobbit*

"Encrypted data breach" ?? What a load of crap. If intruders have gotten in far enough to grab the data, it is very likely they've gotten in far enough to grab the keys, too. Don't most compromises happen at the user's desktop, where the first thing to go in is a keystroke snatcher? After which any "encrypted data" is just as valuable, it just takes one more small step.

Leave the lazy corporate shucks a loophole like that, and they'll all immediately respond to a breach by saying "the data was encrypted, everything's okay, don't worry". Yeah, right. XORed against 0xFF, even if they paid *that* much attention, doesn't cut it.
_H*

From isn at c4i.org Fri May 20 01:11:41 2005
From: isn at c4i.org (InfoSec News)
Date: Fri May 20 01:30:16 2005
Subject: [ISN] UK banks ignore security audit findings
Message-ID:

http://www.theregister.co.uk/2005/05/19/audit_ignoramuses/

By John Leyden
19th May 2005

Some UK corporates routinely ignore the findings of security audits, treating them solely as a necessary step to satisfy corporate governance regulations, according to an experienced penetration tester.

Tim Ecott, managing consultant at security integrator Integralis, explained that banks and other financial institutions are told they have to carry out a penetration test to comply with audits. In some cases - perhaps five per cent - Ecott and his team discover the same faults every time.

"The findings of our reports are not followed up on either by the firms themselves or their auditors. We're not talking about critical security flaws but certainly about things that need fixing and leave firms open to attack," he said.

"Some of our clients take our report to pieces and do everything we advise but with others, it's the same things over and over again. Reports over a period of quarters could be copies of each other with just a different date," Ecott told El Reg.

In some cases companies lack the resources to put things right; and often getting new applications up and running is given priority, leaving security concerns neglected, he said. "Firms need to think about security at the beginning of projects rather than as an afterthought. Security and business objectives need to be linked."

From isn at c4i.org Fri May 20 01:12:24 2005
From: isn at c4i.org (InfoSec News)
Date: Fri May 20 01:30:19 2005
Subject: [ISN] How Dangerous Was The Cisco Code Theft?
Message-ID:

http://nwc.networkingpipeline.com/showArticle.jhtml?articleID=163105422

By Michael Cohn
Courtesy of InternetWeek
May 18, 2005

A recent hacker attack that compromised some of the crucial equipment powering the Internet has sparked a debate on whether the stolen Cisco Systems code used to penetrate the complex systems still poses a threat to the web.

Experts have argued for years whether software that has its source code freely distributed is more, or less, secure than proprietary applications. Code for the open-source Linux operating system, for example, is available to anyone, and many experts argue that makes it more secure than Microsoft's proprietary Windows.

"The availability of source code is a long discussed, unanswered question," said Art Manion, Internet security analyst at the CERT Coordination Center at Carnegie Mellon University, which provides incident response services to sites that have been attacked. "There are arguments for having source code available that, whether intentionally or by misappropriation, may allow someone to break into a system, or it could allow the good guys to find problems and fix them."

The debate was rekindled last week when The New York Times reported the arrest of a Swedish teenager suspected of boring into the critical aerospace and academic systems at NASA's Jet Propulsion Laboratory, the Patuxent River Naval Air Station, the White Sands Missile Range, the University of Minnesota, University of California at Berkeley, and other facilities.

The teenager allegedly used stolen source code from the operating system of Cisco routers to reach into the supercomputing network known as the TeraGrid. Once there, the suspect allegedly gained access to at least 50 systems throughout the Internet. The teen was arrested by the FBI and Swedish police, and later released to his parents.
Johannes Ullrich, chief technology officer for the SANS Internet Storm Center, an analysis service that publishes warnings about security vulnerabilities and bugs, believes it's unlikely a hacker with stolen code could find flaws that Cisco hasn't already found.

"It's not easy to analyze that code if you don't know the hardware it's running on," Ullrich said. "It's harder to analyze the Cisco IOS (Internetwork Operating System) than a Linux application that runs on standard hardware."

Authorities believe Cisco's stolen code was uploaded to a Russian website, where it may have been distributed to people who would use it to discover more vulnerabilities in Cisco-powered computer systems.

"The hackers will find more vulnerabilities with that source code out there," said Jack Koziol, a senior instructor at the Infosec Institute and author of "The Shellcoder's Handbook: Discovering and Exploiting Security Holes." [1]

"This kid got into the TeraGrid," Koziol said. "This is supposedly one of the most secure systems in the world and a 16 year old got in. ...It shows just how bad security is in government and in industry all around the world."

Koziol investigated a similar break-in at the University of California at Davis, where a hacker also used a publicly known vulnerability to compromise the school's systems. As in the Cisco incident, the hacker inserted a virus that recorded the password whenever someone logged into a university's server. The hacker then used the same password to break into another system. The technique works because people frequently use the same login information on different servers.

"He would find one chink in the armor," Koziol said. "If you have just one system or desktop vulnerable, they can really leverage their access to penetrate the organization."

A Cisco spokeswoman directed inquiries to a statement on the Cisco website that said in part, "Cisco IOS source code is both copyrighted and protected as proprietary material.
It is illegal to post it, make it available to others, download it or use it. Cisco will take all appropriate legal actions to protect its intellectual property."

Nevertheless, large companies, even security-minded ones like Cisco, can often have trouble keeping all their intellectual property and potential loopholes buttoned up.

"The larger an organization, the harder it is to secure it, with so many sub-companies, external consultants, and former employees still keeping access with their accounts after they quit," said Van Hauser, president of The Hacker's Choice, [2] a website devoted to investigating and analyzing security vulnerabilities. "You have so many systems to secure. It is therefore very hard to defend a company as complexity rises."

Hauser pointed out that many prominent technology companies have had their systems compromised and source code stolen, including Microsoft, Sun Microsystems, and Hewlett-Packard. He expects the latest incident won't be the last.

"The stance of companies saying, 'We are secure, nobody has our source code' is not true anymore," Hauser said. "Hackers get better and better at reverse engineering software."
[1] http://www.amazon.com/exec/obidos/ASIN/0764544683/c4iorg
[2] http://www.thc.org

From isn at c4i.org Fri May 20 01:13:26 2005
From: isn at c4i.org (InfoSec News)
Date: Fri May 20 01:30:21 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-20
Message-ID:

========================================================================

                  The Secunia Weekly Advisory Summary
                         2005-05-12 - 2005-05-19

                       This week : 57 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information.

Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Colin Percival has reported a vulnerability in various operating systems supporting Intel's Hyper-Threading Technology (HTT), which can be exploited by malicious, local users to gain knowledge of sensitive information.
More information can be found in referenced Secunia advisories below.

Reference:
http://secunia.com/SA15348
http://secunia.com/SA15342

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Weeks Top Ten Most Read Advisories:

1.  [SA15292] Mozilla Firefox Two Vulnerabilities
2.  [SA12979] Mozilla Firefox Download Dialog Spoofing Vulnerabilities
3.  [SA15310] iTunes MPEG-4 File Parsing Buffer Overflow Vulnerability
4.  [SA14820] Mozilla Firefox JavaScript Engine Information Disclosure Vulnerability
5.  [SA15348] FreeBSD Hyper-Threading Support Information Disclosure
6.  [SA15341] Linux Kernel ELF Core Dump Privilege Escalation Vulnerability
7.  [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerabilities
8.  [SA15340] EnCase Device Configuration Overlay Data Acquisition Weakness
9.  [SA15017] Microsoft Windows Explorer Web View Script Insertion Vulnerability
10. [SA15327] phpBB Attachment Mod Module Unspecified Realname Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA15397] DotNetNuke Script Insertion Vulnerabilities
[SA15379] Sigma ISP Manager SQL Injection Vulnerabilities
[SA15363] War Times Nickname Handling Denial of Service Vulnerability
[SA15362] ImageGallery system Exposure of User Credentials
[SA15394] Fastream NETFile FTP/Web Server FTP Bounce Vulnerability
[SA15374] Ultimate Forum Exposure of Encrypted User Credentials
[SA15373] GA's Guest Book Exposure of Sensitive Information

UNIX/Linux:
[SA15407] Red Hat update for kdelibs
[SA15387] Pico Server Multiple Vulnerabilities
[SA15376] Gentoo update for Mozilla / Mozilla Firefox
[SA15370] Conectiva update for kde
[SA15367] Mandriva update for mozilla
[SA15358] Mandriva update for kdelibs
[SA15357] Mandriva update for gaim
[SA15350] Red Hat update for openmotif
[SA15408] Red Hat update for cyrus-imapd
[SA15399] iControl Services Manager Multiple Vulnerabilities
[SA15398] SCO OpenServer update for telnet
[SA15389] Slackware update for mozilla
[SA15388] ignitionServer Access Entry Deletion and Channel Locking Vulnerabilities
[SA15381] Fedora update for squid
[SA15359] Mandriva update for gnutls
[SA15351] Ubuntu update for gnutls
[SA15380] Trustix update for postgresql
[SA15375] Gentoo update for postgresql
[SA15404] Gentoo update for freeradius
[SA15403] Ubuntu update for nasm
[SA15390] Slackware update for ncftp
[SA15378] Gentoo update for phpBB
[SA15364] Slackware update for gaim
[SA15361] FreeRADIUS Potential SQL Injection and Buffer Overflow Vulnerabilities
[SA15356] Mandriva update for tcpdump
[SA15352] NASM "ieee_putascii()" Buffer Overflow Vulnerability
[SA15383] Trustix update for squid
[SA15406] Red Hat update for ncpfs
[SA15392] Linux Kernel pktcdvd and raw device Block Device Vulnerabilities
[SA15386] Cheetah Insecure Module Importing Vulnerability
[SA15384] Avaya CMS/IR Network Port Hijacking Vulnerability
[SA15382] Trustix update for kernel
[SA15366] Avaya CMS/IR Xsun and Xprt Server Font Handling Vulnerabilities
[SA15365] IBM HTTP Server "mod_include" Vulnerability
[SA15354] cdrdao Unspecified Privilege Escalation Vulnerability
[SA15348] FreeBSD Hyper-Threading Support Information Disclosure

Other:
[SA15349] Cisco Firewall Services Module TCP Packet URL Filtering Bypass

Cross Platform:
[SA15410] eDMS Multiple Unspecified Vulnerabilities
[SA15405] Serendipity File Upload and Cross-Site Scripting Vulnerabilities
[SA15401] Help Center Live Multiple Vulnerabilities
[SA15396] Woltlab Burning Board JGS-Portal SQL Injection Vulnerabilities
[SA15395] Woltlab Burning Board "email" SQL Injection Vulnerability
[SA15391] PostNuke "func" Local File Inclusion Vulnerability
[SA15385] NPDS Cross-Site Scripting and SQL Injection Vulnerabilities
[SA15377] Skull-Splitter's PHP Guestbook Script Insertion Vulnerability
[SA15371] SafeHTML "_writeAttrs()" Quote Handling Security Bypass
[SA15360] Kerio MailServer Two Denial of Service Vulnerabilities
[SA15355] Bug Report Script Insertion Vulnerability
[SA15353] Direct Topics Script Insertion and SQL Injection
[SA15400] Shop-Script FREE "categoryID" and "productID" SQL Injection

========================================================================
5) Vulnerabilities Content Listing

Windows:
--

[SA15397] DotNetNuke Script Insertion Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-05-17

Mark Woan has reported some vulnerabilities in DotNetNuke, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/15397/

--

[SA15379] Sigma ISP Manager SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-05-17

last samurai has reported some vulnerabilities in Sigma ISP Manager, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15379/

--

[SA15363] War Times Nickname Handling Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-05-17

Luigi Auriemma has reported a vulnerability in War Times, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15363/

--

[SA15362] ImageGallery system Exposure of User Credentials

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2005-05-17

g0rellazz G0r has reported a security issue in ImageGallery system, which can be exploited by malicious people to disclose sensitive information.
Full Advisory:
http://secunia.com/advisories/15362/

--

[SA15394] Fastream NETFile FTP/Web Server FTP Bounce Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-05-17

Tan Chew Keong has reported a vulnerability in Fastream NETFile FTP/Web Server, which potentially can be exploited by malicious users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/15394/

--

[SA15374] Ultimate Forum Exposure of Encrypted User Credentials

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2005-05-17

eric basher has reported a security issue in Ultimate Forum, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/15374/

--

[SA15373] GA's Guest Book Exposure of Sensitive Information

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2005-05-17

eric basher has reported a security issue in GA's Guest Book, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/15373/

UNIX/Linux:
--

[SA15407] Red Hat update for kdelibs

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-05-18

Red Hat has issued an update for kdelibs. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15407/

--

[SA15387] Pico Server Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of sensitive information, System access
Released:    2005-05-17

RedTeam has reported some vulnerabilities in Pico Server, which can be exploited by malicious, local users to gain knowledge of sensitive information, or by malicious people to gain knowledge of potentially sensitive information or compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/15387/

--

[SA15376] Gentoo update for Mozilla / Mozilla Firefox

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, System access
Released:    2005-05-16

Gentoo has issued an update for Mozilla / Mozilla Firefox. This fixes two vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15376/

--

[SA15370] Conectiva update for kde

Critical:    Highly critical
Where:       From remote
Impact:      Spoofing, Privilege escalation, DoS, System access
Released:    2005-05-17

Conectiva has issued an update for kde. This fixes multiple vulnerabilities, which can be exploited to cause a DoS (Denial of Service), gain escalated privileges, spoof the URL displayed in the address bar and status bar, or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15370/

--

[SA15367] Mandriva update for mozilla

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of sensitive information, System access
Released:    2005-05-16

Mandriva has issued updates for mozilla. These fix some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, gain knowledge of potentially sensitive information and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15367/

--

[SA15358] Mandriva update for kdelibs

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-05-13

Mandriva has issued an update for kdelibs. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/15358/

--

[SA15357] Mandriva update for gaim

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-05-13

Mandriva has issued an update for gaim. This fixes a vulnerability and a weakness, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15357/

--

[SA15350] Red Hat update for openmotif

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-05-12

Red Hat has issued an update for openmotif. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15350/

--

[SA15408] Red Hat update for cyrus-imapd

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-05-18

Red Hat has issued an update for cyrus-imapd. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15408/

--

[SA15399] iControl Services Manager Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-05-18

F5 Networks have acknowledged multiple vulnerabilities in iControl Services Manager, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or malicious people to potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15399/

--

[SA15398] SCO OpenServer update for telnet

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-05-18

SCO has issued an update for telnet. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/15398/ -- [SA15389] Slackware update for mozilla Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2005-05-16 Slackware has issued an update for mozilla. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/15389/ -- [SA15388] ignitionServer Access Entry Deletion and Channel Locking Vulnerabilities Critical: Moderately critical Where: From remote Impact: Security Bypass, DoS Released: 2005-05-17 Two vulnerabilities have been reported in ignitionServer, which can be exploited by malicious users to delete access entries or prevent protected operators from accessing certain channels. Full Advisory: http://secunia.com/advisories/15388/ -- [SA15381] Fedora update for squid Critical: Moderately critical Where: From remote Impact: Security Bypass, Spoofing, Manipulation of data Released: 2005-05-18 Fedora has issued an update for squid. This fixes some vulnerabilities, which can be exploited by malicious people to spoof DNS lookups and poison the web proxy cache. Full Advisory: http://secunia.com/advisories/15381/ -- [SA15359] Mandriva update for gnutls Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-05-13 Mandriva has issued an update for gnutls. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/15359/ -- [SA15351] Ubuntu update for gnutls Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-05-13 Ubuntu has issued an update for gnutls. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/15351/

-- [SA15380] Trustix update for postgresql
Critical: Moderately critical
Where: From local network
Impact: Unknown, Privilege escalation, DoS
Released: 2005-05-16

Trustix has released an update for postgresql. This fixes two vulnerabilities, which can be exploited by malicious users to cause a DoS (Denial of Service) or potentially gain escalated privileges.

Full Advisory: http://secunia.com/advisories/15380/

-- [SA15375] Gentoo update for postgresql
Critical: Moderately critical
Where: From local network
Impact: DoS, Privilege escalation, Unknown
Released: 2005-05-16

Gentoo has released an update for postgresql. This fixes two vulnerabilities, which can be exploited by malicious users to cause a DoS (Denial of Service) or potentially gain escalated privileges.

Full Advisory: http://secunia.com/advisories/15375/

-- [SA15404] Gentoo update for freeradius
Critical: Less critical
Where: From remote
Impact: Unknown, Manipulation of data
Released: 2005-05-18

Gentoo has issued an update for freeradius. This fixes some vulnerabilities, where one has an unknown impact and the others potentially can be exploited to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/15404/

-- [SA15403] Ubuntu update for nasm
Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-05-18

Ubuntu has issued an update for nasm. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/15403/

-- [SA15390] Slackware update for ncftp
Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-05-16

Slackware has issued an update for ncftp. This fixes an old vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/15390/

-- [SA15378] Gentoo update for phpBB
Critical: Less critical
Where: From remote
Impact: Unknown, Cross Site Scripting
Released: 2005-05-16

Gentoo has issued an update for phpBB. This fixes a vulnerability, which can be exploited to conduct cross-site scripting or script insertion attacks.

Full Advisory: http://secunia.com/advisories/15378/

-- [SA15364] Slackware update for gaim
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-05-16

Slackware has issued an update for gaim. This fixes two weaknesses, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/15364/

-- [SA15361] FreeRADIUS Potential SQL Injection and Buffer Overflow Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Unknown, Manipulation of data
Released: 2005-05-18

Primoz Bratanic has reported some vulnerabilities in FreeRADIUS, where one has an unknown impact and the others potentially can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/15361/

-- [SA15356] Mandriva update for tcpdump
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-05-13

Mandriva has issued an update for tcpdump. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/15356/

-- [SA15352] NASM "ieee_putascii()" Buffer Overflow Vulnerability
Critical: Less critical
Where: From remote
Impact: System access
Released: 2005-05-18

Jindrich Novy has reported a vulnerability in NASM, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/15352/

-- [SA15383] Trustix update for squid
Critical: Less critical
Where: From local network
Impact: Spoofing
Released: 2005-05-16

Trustix has issued an update for squid. This fixes a vulnerability, which can be exploited by malicious people to spoof DNS lookups.

Full Advisory: http://secunia.com/advisories/15383/

-- [SA15406] Red Hat update for ncpfs
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-05-18

Red Hat has issued an update for ncpfs. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/15406/

-- [SA15392] Linux Kernel pktcdvd and raw device Block Device Vulnerabilities
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-05-17

alert7 has reported two vulnerabilities in the Linux kernel, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/15392/

-- [SA15386] Cheetah Insecure Module Importing Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-05-17

Brian Bird has reported a vulnerability in Cheetah, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/15386/

-- [SA15384] Avaya CMS/IR Network Port Hijacking Vulnerability
Critical: Less critical
Where: Local system
Impact: Hijacking
Released: 2005-05-16

Avaya has acknowledged some vulnerabilities in Avaya Call Management System (CMS) and Avaya Interactive Response (IR), which can be exploited by malicious, local users to hijack network ports.

Full Advisory: http://secunia.com/advisories/15384/

-- [SA15382] Trustix update for kernel
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-05-16

Trustix has issued an update for kernel. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/15382/

-- [SA15366] Avaya CMS/IR Xsun and Xprt Server Font Handling Vulnerabilities
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-05-16

Avaya has acknowledged some vulnerabilities in Avaya Call Management System (CMS) and Avaya Interactive Response (IR), which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/15366/

-- [SA15365] IBM HTTP Server "mod_include" Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation, DoS
Released: 2005-05-17

IBM has acknowledged a vulnerability in IBM HTTP Server, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or potentially gain escalated privileges.

Full Advisory: http://secunia.com/advisories/15365/

-- [SA15354] cdrdao Unspecified Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-05-13

A vulnerability has been reported in cdrdao, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/15354/

-- [SA15348] FreeBSD Hyper-Threading Support Information Disclosure
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2005-05-13

Colin Percival has reported a vulnerability in FreeBSD, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory: http://secunia.com/advisories/15348/

Other:

-- [SA15349] Cisco Firewall Services Module TCP Packet URL Filtering Bypass
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2005-05-12

A security issue has been reported in Cisco Firewall Services Module (FWSM), which can result in certain traffic bypassing configured ACLs.

Full Advisory: http://secunia.com/advisories/15349/

Cross Platform:

-- [SA15410] eDMS Multiple Unspecified Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2005-05-18

Some vulnerabilities with unknown impacts have been reported in eDMS.

Full Advisory: http://secunia.com/advisories/15410/

-- [SA15405] Serendipity File Upload and Cross-Site Scripting Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting
Released: 2005-05-18

Some vulnerabilities have been reported in Serendipity, which can be exploited by malicious people to bypass certain security restrictions and conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/15405/

-- [SA15401] Help Center Live Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-05-18

James Bercegay has reported some vulnerabilities in Help Center Live, which can be exploited by malicious people to conduct cross-site scripting, script insertion and SQL injection attacks.

Full Advisory: http://secunia.com/advisories/15401/

-- [SA15396] Woltlab Burning Board JGS-Portal SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-05-17

deluxe89 and the Security-Project Team have reported some vulnerabilities in the JGS-Portal module for Woltlab Burning Board, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/15396/

-- [SA15395] Woltlab Burning Board "email" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2005-05-17

James Bercegay has reported a vulnerability in Woltlab Burning Board, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/15395/

-- [SA15391] PostNuke "func" Local File Inclusion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-05-17

pokleyzz has reported a vulnerability in PostNuke, which can be exploited by malicious people to disclose sensitive information.

Full Advisory: http://secunia.com/advisories/15391/

-- [SA15385] NPDS Cross-Site Scripting and SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-05-18

Some vulnerabilities have been reported in NPDS, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory: http://secunia.com/advisories/15385/

-- [SA15377] Skull-Splitter's PHP Guestbook Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-05-17

Morinex Eneco has reported a vulnerability in Skull-Splitter's PHP Guestbook, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/15377/

-- [SA15371] SafeHTML "_writeAttrs()" Quote Handling Security Bypass
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-05-17

A vulnerability has been reported in SafeHTML, which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/15371/

-- [SA15360] Kerio MailServer Two Denial of Service Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-05-13

Two vulnerabilities have been reported in Kerio MailServer, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/15360/

-- [SA15355] Bug Report Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-05-17

Sylvain Thual has reported a vulnerability in Bug Report, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/15355/

-- [SA15353] Direct Topics Script Insertion and SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-05-13

Morinex Eneco has reported two vulnerabilities in Direct Topics, which can be exploited by malicious people to conduct script insertion and SQL injection attacks.

Full Advisory: http://secunia.com/advisories/15353/

-- [SA15400] Shop-Script FREE "categoryID" and "productID" SQL Injection
Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2005-05-18

Censored has reported a vulnerability in Shop-Script FREE, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/15400/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Sat May 21 01:13:31 2005
From: isn at c4i.org (InfoSec News)
Date: Sat May 21 01:39:52 2005
Subject: [ISN] Security UPDATE -- The Challenge of Data Destruction, Part 2 -- May 18, 2005
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Secure and Configure Desktops from One Console
http://list.windowsitpro.com/t?ctl=A259:4FB69

Security Management in a Multi-platform World
http://list.windowsitpro.com/t?ctl=A243:4FB69

====================

1. In Focus: The Challenge of Data Destruction, Part 2

2. Security News and Features
- Recent Security Vulnerabilities
- Trend Micro Acquires InterMute; Novell Acquires Immunix
- What IT Pros Must Know About Sarbanes-Oxley
- Microsoft Plans Gatekeeper Security Contest

3. Instant Poll

4. Security Toolkit
- Security Matters Blog
- FAQ
- Security Forum Featured Thread

5. New and Improved
- Stop Buffer Overflow Attacks

====================

==== Sponsor: ScriptLogic ====

Secure and Configure Desktops from One Console

Get a FREE T-shirt when you evaluate NEW Desktop Authority 6.5, now with Anti-Spyware and Patch Management options. With this award-winning desktop management solution, you now have one console to proactively secure, manage and support desktops from a central location. Centrally configure drive mappings, printer deployments and many other settings. Plus use ScriptLogic's patented Validation Logic technology to determine how, when and where spyware is detected and removed – and how, when and where patches are scanned-for and deployed.
Significantly reduce total cost of desktop and application ownership with this fully integrated solution. Download and evaluate a 30-day FREE trial of Desktop Authority 6.5 and get a FREE T-shirt. Download today at
http://list.windowsitpro.com/t?ctl=A259:4FB69

====================

==== 1. In Focus: The Challenge of Data Destruction, Part 2 ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Two weeks ago, I wrote about the challenge of data destruction. Based on the number of responses to that column we received, the issue is something a lot of you have to deal with.

A couple of readers wrote to suggest that heating the disks to a high temperature might help destroy the magnetic properties of the platters. One reader in particular said that people who work in universities might find this concept to be an interesting exercise for students working in the physics labs.

Two more readers presented what I think is a very economical idea in terms of both time and money. They suggested having the drives crushed in a hydraulic press. One of the readers contracts with a local machine shop to do the work. He stands by while the drives are crushed, and each visit costs less than $100. The other reader said he first wipes disks with a software tool, then takes them to a local automobile scrap yard. A worker at the scrap yard crushes the drives in exchange for beer! The crushed parts could be separated into multiple lots and disposed of at several trash dumps and recycling locations.

Another interesting idea is to use an oxyacetylene cutting torch or arc welder to destroy drives. This sort of approach would certainly destroy data; however, it could become expensive in terms of time and money depending on who did the work. And as one reader pointed out, the fumes released from burning drive components could be toxic.

Yet another reader wrote to suggest driving a nail through each drive. I agree that would work, but it's a lot of hammering if there are a few hundred drives to destroy. The same reader also pointed out an error I made in mentioning liquid hydrogen as a way to freeze a drive. The proper chemical is liquid nitrogen. I apologize for that mistake.

A novel solution is to use a shredder. A reader said he contracts with a company that offers an on-site shredding service for documents. As a demonstration of its shredder's ability to shred other materials, the company shredded an old laptop into pieces no bigger than a fingernail! Because the reader already contracts with the shredding company for other shredding needs, having it destroy old disk drives costs the reader nothing extra.

What if you want to recycle your hardware so that it can be used again by someone else? A reader suggested using a computer recycling company such as RetroBox, which charges a fee to collect your old systems and wipe the drives of all data using technology that meets Department of Defense specifications. RetroBox then sells the refurbished systems and returns part of the proceeds to your company. Depending on your policies and needs, this could be a reasonable solution.
http://list.windowsitpro.com/t?ctl=A25F:4FB69

Finally, another reader suggested using a data encryption solution that requires a hardware-based key to access the data, such as SecureIDE (at the URL below). If no key is available, then in theory the data can't be accessed. This is a reasonable solution for many businesses, and so are data encryption techniques that use software-based keys. However, someone might be able to recover the data if he or she has enough resources to allocate to the task.
http://list.windowsitpro.com/t?ctl=A24F:4FB69

Thanks to all of you who contributed to this list of interesting solutions.
====================

==== Sponsor: BindView ====

Security Management in a Multi-platform World

In this free white paper you'll learn how to reduce management overhead when dealing with multiple platforms such as Windows, UNIX, Linux and NetWare, and the costs and benefits of a centralized "holistic" approach to security management. Get the ins and outs of managing multi-platform security and how you can safely, securely, and sanely manage the security infrastructure of complex, multi-platform environments.
http://list.windowsitpro.com/t?ctl=A243:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=A24D:4FB69

Trend Micro Acquires InterMute; Novell Acquires Immunix
Security solution provider Trend Micro has acquired antispyware maker InterMute for approximately $15 million. Novell acquired Linux application security vendor Immunix, maker of AppArmor.
http://list.windowsitpro.com/t?ctl=A253:4FB69

What IT Pros Must Know About Sarbanes-Oxley
Chances are you've already been affected by sections 404 and 302 of the Sarbanes-Oxley Act (SOX), whether or not you realize it. SOX has ramifications for everyone in the corporation from the CEO and board of directors down to IT professionals. Randy Franklin Smith examines the various IT areas that SOX affects to help you get a handle on your role in implementing compliance-related mandates from upper management.
http://list.windowsitpro.com/t?ctl=A251:4FB69

Microsoft Plans Gatekeeper Security Contest
All right, all you European IT pros--it's time to dig into the security resources at http://list.windowsitpro.com/t?ctl=A25B:4FB69 and http://list.windowsitpro.com/t?ctl=A25D:4FB69 and brush up on your security skills because Microsoft is having a contest. The Gatekeeper Test will be open to IT pros in more than 19 European countries and will test security knowledge with 19 multiple-choice questions and one open-ended question. The grand prize winner goes to Microsoft TechEd 2005 Europe in Amsterdam on Bill G's dime. In addition to the TechEd trip, you could win a Windows XP Tablet PC, a Media Center PC, or subscriptions to Microsoft TechNet Magazine and Windows IT Pro magazine. Visit
http://list.windowsitpro.com/t?ctl=A25B:4FB69

====================

==== Resources and Events ====

Improve Fax Messaging and Application Integration
View this on-demand Web seminar and receive a complimentary 30-day software evaluation and industry white paper! Join industry expert David Chernicoff and learn how leading organizations are incorporating fax technologies to empower users and enhance existing investments in infrastructure and applications while providing substantial ROI. Register now!
http://list.windowsitpro.com/t?ctl=A249:4FB69

Attend the Black Hat Briefings
Attend the Black Hat Briefings & Training USA, July 23-28, 2005 in Las Vegas. World renowned security experts reveal tomorrow's threats today. Free of vendor pitches, the briefings are designed to be pragmatic regardless of your security environment. Featuring 25 hands-on training courses and 10 conference tracks. Lots of Windows stuff profiled.
http://list.windowsitpro.com/t?ctl=A260:4FB69

Get Excited About SQL Server 2005 Reporting Services
In this free Web seminar, explore the new features associated with Microsoft SQL Server 2005 Reporting Services. You'll discover how to offer the "single version of truth" in your enterprise reporting environment with the integration of Reporting Services 2005 and the Analysis Service 2005 Unified Dimensional Model (UDM). Plus, you'll discover "Report Builder," and more. Sign up today!
http://list.windowsitpro.com/t?ctl=A245:4FB69

Find Out What's New in SQL Server Analysis Services 2005
In this free Web seminar, get an in-depth understanding of the many new features and capabilities Microsoft has introduced in SQL Server 2005 Analysis Services. You'll learn about data source views, user-defined hierarchies, measure groups, KPIs and more! Plus--get all you need to know about integration with Integration Services and Reporting Services and the new deployment and synchronization capabilities in SQL Server 2005 Analysis Services.
http://list.windowsitpro.com/t?ctl=A246:4FB69

====================

==== Featured White Paper ====

Optimizing Disk-Based Backups for SMBs and Distributed Enterprises
In this free white paper, learn how your small or midsized business can optimize disk-based backup. Discover how combining disk-based backups with automated backup technology can deliver easy-to-manage backups, fast restores, and simplified creation and tracking of tape for offsite media rotation. Download this free white paper today!
http://list.windowsitpro.com/t?ctl=A244:4FB69

====================

==== Hot Release ====

FREE Download – The Next Generation of End-Point Security is Available Today.
NEW NetOp Desktop Firewall's fast 100% driver-centric design offers a tiny footprint that protects machines from all types of malware even before Windows loads and without slowing them down. NetOp provides process & application control, real-time centralized management, automatic network detection & profiles, more. Try it FREE.
http://list.windowsitpro.com/t?ctl=A242:4FB69

====================

==== 3. Instant Poll ====

Results of Previous Poll:
Do you map the data you collect during wireless-network audits by using tools such as StumbVerter and MapPoint? The voting has closed in this Windows IT Pro Security Hot Topic nonscientific Instant Poll.
Here are the results from the 12 votes:
- 25% Yes
- 8% I haven't been, but I plan to
- 67% No, and I don't plan to

New Instant Poll:
How will you use WSUS in your enterprise? Go to the Security Hot Topic and submit your vote for
- As my patch management infrastructure
- As a backup to SMS 2003 or other patch management infrastructure
- As a reporting tool to check on compliance with patches
- I won't be using WSUS
http://list.windowsitpro.com/t?ctl=A254:4FB69

==== 4. Security Toolkit ====

Security Matters Blog: Firefox 1.0.4 Fixes Three Critical Security Problems
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=A258:4FB69
If you use Mozilla Firefox, it's time to upgrade to the latest version, 1.0.4, released May 11. The new version fixes three critical security problems.
http://list.windowsitpro.com/t?ctl=A252:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=A255:4FB69
Q: Are Group Policy Objects (GPOs) inherited by child domains?
Find the answer at http://list.windowsitpro.com/t?ctl=A250:4FB69

Security Forum Featured Thread: Blocking Port 220
A forum participant writes, "I have a Dell box running Windows Server 2003 Service Pack 1 (SP1), and my network folks tell me that it's been compromised by a Trojan horse program. They see outbound traffic over port 220. Their solution is to take the machine down and reformat the drive. There has got to be another way. How do I block this port--with an outbound firewall?" Join the discussion at
http://list.windowsitpro.com/t?ctl=A24A:4FB69

====================

==== Announcements ====
(from Windows IT Pro and its partners)

SQL Server Magazine Gives DBAs and Developers What They Need
With SQL Server 2005 right around the corner, it's important to note that SQL Server Magazine is on target to deliver comprehensive coverage of all betas of the new product and the final release. If you aren't already a subscriber, now is the time to subscribe. Act now and save 47% off the cover price, plus get the new Reporting Services poster.
http://list.windowsitpro.com/t?ctl=A257:4FB69

Nominate Yourself or a Friend for the MCP Hall of Fame
Are you a top-notch MCP who deserves to be a part of the first-ever MCP Hall of Fame? Get the fame you deserve by nominating yourself or a peer to become a part of this influential community of certified professionals. You could win a VIP trip to Microsoft and other valuable prizes. Enter now--it's easy:
http://list.windowsitpro.com/t?ctl=A24B:4FB69

====================

==== 5. New and Improved ====
by Renee Munshi, products@windowsitpro.com

Stop Buffer Overflow Attacks
SoftSphere Technologies announced the release of Defence Plus, the latest version of its antihacking software tool previously known as Anti-Cracker Shield. Defence Plus detects and stops buffer overflow attacks, protecting Windows, its components, and all software applications installed on the computer. When intrusion-like behavior is detected, Defence Plus blocks it and notifies you with a sound. You can click an icon to view a detailed report on the blocked attack. Defence Plus is designed for Windows NT/2000/XP/2003 and costs $39 for a single-user license. For more information, go to
http://list.windowsitpro.com/t?ctl=A25E:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Sponsored Links ====

Converting a Microsoft Access Application to Oracle HTML DB
Convert MS Access into a Web application for multiple users. Download now!
http://list.windowsitpro.com/t?ctl=A261:4FB69

Phishing, viruses, bot-nets and more: How to prevent the "Perfect Storm" from devastating your email system
Stop attacks with a multi-layered approach. Download this white paper now!
http://list.windowsitpro.com/t?ctl=A248:4FB69

Protecting Your Company by Managing Your Users' Internet Access
Internet access within an organization can represent a legal & security risk
http://list.windowsitpro.com/t?ctl=A247:4FB69

====================

==== Contact Us ====

About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=A25A:4FB69
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=A24E:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.
From isn at c4i.org Sat May 21 01:13:58 2005
From: isn at c4i.org (InfoSec News)
Date: Sat May 21 01:39:56 2005
Subject: [ISN] PersonalWireless.org has launched
Message-ID:

Forwarded from: John

Announcing the opening of PersonalWireless.org, a site dedicated to the support and proliferation of short-range personal wireless technologies such as Bluetooth, Ultra-Wide-Band, and Wi-Fi networks.

You can sign up for our mailing list at
http://www.c2security.org/mailman/listinfo/personalwireless

Come and join us now at
http://www.personalwireless.org

From isn at c4i.org Sat May 21 01:14:11 2005
From: isn at c4i.org (InfoSec News)
Date: Sat May 21 01:39:59 2005
Subject: [ISN] Sober reloaded
Message-ID:

http://www.theregister.co.uk/2005/05/20/sober_reloaded/

By John Leyden
20th May 2005

Zombie PCs infected with the Sober-P worm are set to reactivate on Monday, 23 May. Sober-P posed as offers of a free ticket for next year's World Cup and set up backdoor access on compromised PCs, claiming thousands of victims since its first appearance earlier this month. These infected machines were later used to generate a German hate-mail spam outbreak this week. The sheer volume of this deluge illustrated the potential for further mischief.

The German Federal Office for Information Security (BSI) warned on Friday that the Sober P worm will become "active" again this Monday, and may launch another Trojan. Email security firm CipherTrust said that virus authors could reprogram this botnet to send out yet more spam, propagate secondary infections or launch a denial of service attack.

As CipherTrust notes, just because this might happen doesn't necessarily mean that it will. It will likely turn out to be a damp squib, as previous warnings - notably made during the Code Red hype cycle - turned out to be. Nonetheless the alert illustrates the pressing need to disinfect machines compromised by Sober-P.
Related links
BSI's Sober P warning (in German)
http://www.bsi.de/presse/pressinf/200505soberp.htm

From isn at c4i.org Tue May 24 04:55:06 2005
From: isn at c4i.org (InfoSec News)
Date: Tue May 24 05:06:32 2005
Subject: [ISN] Interior to use wireless despite Internet court battle
Message-ID:

http://www.fcw.com/article88944-05-23-05-Web

By Aliya Sternstein
May 23, 2005

Lawyers representing a group of American Indians suing the Interior Department say wireless Internet service could grant unauthorized access to Indian trust fund account information. But Interior plans to issue a solicitation notice for departmentwide wireless service soon. Interior lawyers are reviewing the final version of the notice and would not comment on its contents.

Last Tuesday, lawyers gave a federal judge a report published in December by Interior's inspector general on wireless management and security. It details how easily hackers could manipulate trust accounts held by 500,000 American Indians. Between October 2003 and April 2004, inspectors found that Interior networks sometimes intersected with other networks and broadcast information to inappropriate areas and people.

Last month, Interior shut down the Bureau of Land Management's Web site after the IG issued a report warning that its information technology systems were vulnerable to cyberthreats. The shutdown was the latest in a long-running dispute about the security of Indian trust fund information.

December's report notes that at the BLM Boise, Idaho, District Office, a wireless network that was supposed to bridge the district office directly to a building about a mile away was instead broadcasting the network signal to everyone within a one-mile radius. Inspectors observed that more than 3,000 other commercial and residential wireless networks occupied that radius. Other instances of BLM sloppiness appear throughout the IG's report.

"We observed approximately 148 users connecting to [a BLM] wireless network during non-business hours; however, BLM indicated that there were only about 10 authorized users," the report states.

The report adds that officials may have alleviated some security concerns by issuing the April 2004 memo that required insecure Interior agencies to disconnect their wireless networks. But the IG report states that the memo is "silent on how DOI should handle what may be the inevitable use of wireless technology in the future."

Interior officials have not disclosed information about the new wireless initiative because of the current litigation and bidding protocol. Interior spokespersons released a statement.

"To understand our position regarding the commercial wireless [cellular] services program under DOI's Wireless initiative, the Office of the Chief Information Officer and the Office of Acquisition and Property Management offices partnered. Significant progress has been made, and a solicitation will soon be issued. This partnership is the department's direct response to the March 2004 GAO Report 'Agencies Can Achieve Significant Savings on Purchase Card Buys.'"

The project's synopsis states that Interior must establish an enterprisewide contract vehicle to acquire cost-effective nationwide commercial wireless services, coverage and management. The notice pertains to commercial mobile wireless services.

The IG report warns that the agency must take steps to improve security of wireless services. The report found, for example, that the wireless signals are available after business hours and are also identifiable. Inspectors quickly recognized that a wireless network was BLM's because it broadcast a unique network name.

"Additionally, we found at one BLM and one [Fish and Wildlife Service] location that wireless networks remained in operation during non-business hours," the report stated. "This, in conjunction with the networks broadcasting unique identifying information that is easily identifiable to DOI, accelerates a hacker's ability to compromise DOI networks."

At a Bureau of Reclamation facility, inspectors identified wireless signals in three parking lots outside the network's perimeter. In addition, Interior could not account for all wireless network devices. Specifically, six network access points at two BLM locations were not inventoried.

An earlier court order disconnected the Bureau of Indian Affairs from the Internet, but the IG report found that contractors at a BIA office used non-Interior laptops that had wireless capabilities. Wireless-enabled laptops could be connected to Interior's wired networks and expose those networks and data to unauthorized users, the report states.

From isn at c4i.org Tue May 24 04:55:28 2005
From: isn at c4i.org (InfoSec News)
Date: Tue May 24 05:06:35 2005
Subject: [ISN] Aust computer crime impact down, says survey
Message-ID:

http://www.zdnet.com.au/news/security/0,2000061744,39193086,00.htm

By Munir Kotadia
ZDNet Australia
23 May 2005

The impact of computer crime and security incidents on organisations has decreased over the past year, but the fight against malware and hackers is far from over, according to the Australian Computer Crime and Security Survey 2005.

Only 35 percent of the 540 organisations which responded to the survey this year said the confidentiality, integrity or availability of their networks had been affected by an electronic attack, down from 49 percent of respondents in 2004 and 42 percent in 2003.
Kevin Zuccato, director of the Australian High Tech Crime Centre (AHTCC), told ZDNet Australia the survey -- released today -- revealed that although the overall number of attacks had risen, companies had improved their network defences.

"The Internet is generally a more dangerous place to be, but people that put the effort in and put defences in place have screened the bad activity from impacting on their enterprises. These are incidents that have got through and not necessarily representative of the incidents that might be occurring outside. Big business are getting the message -- they are harder targets than they were a year or two ago," said Zuccato.

Graham Ingram, general manager of AusCERT, said more organisations seemed to be getting the basics right, but they still paid a high price when the defences fail.

"Knowing there are easy things to do -- such as block a certain port -- has helped. A lot of the high impact stuff has been filtered out. However if [the malware] gets in, it is pretty nasty because the payloads are becoming more aggressive," said Ingram.

Neil Campbell, a former law enforcement officer who is now the national security manager of IT services company Dimension Data, said he was not surprised that companies are being affected less by attacks as they now had years of experience of being under fire.

"Between 2001 and 2003 was the period of the worm and virus -- we really saw some massive infections and that had a huge impact. It increased the level of awareness and preparedness," said Campbell, who also praised Microsoft for strengthening Windows security: "There was a massive effort by Microsoft in particular who increased the security of its operating system. An increased focus on perimeter, desktop and layered security has led to this improvement."

Infection by viruses, worms and Trojans was the most common form of attack reported by respondents, with 64 percent of respondents suffering.
However, this figure had fallen from 88 percent in 2004 and 80 percent in 2003.

Denial of service (DoS) attacks -- where an organisation's Web site or server is inundated with requests to a point where it slows to a crawl or is knocked offline -- were the most costly. Fourteen percent of respondents reported experiencing such attacks which resulted in financial losses -- with the losses themselves accounting for more than half (53 percent) of total losses experienced by survey respondents. The survey did say, however, that figure was skewed by one organisation which reported losses of AU$8 million as a result of DoS attacks.

The AHTCC's Zuccato said botnets of compromised or zombie personal computers were increasingly being used to extort money from online businesses.

"Botnets are being used to do distributed DoS attacks. Extortion is one of the concerns that is no longer on the horizon -- it is with us now. In the UK, extortion with threats to undertake DDoS attacks are part of the course -- the online bookmakers are being hit," said Zuccato.

Only seven percent of survey respondents thought they were managing their security issues 'reasonably well'. This has increased compared to last year (five percent) but fallen from 11 percent in 2003 -- the same year as the Blaster and Slammer attacks.

Dimension Data's Campbell said the phase of high profile malware attacks was a 'call to action' and led to significant improvements in overall security.

"IT security is no different to physical security in that over time, in the absence of incidents, security tends to ease up or if it was never there it does not tend to be put in place. In previous years there have been some fantastic weapons developed by the bad guys and now the good guys have developed some great countermeasures," said Campbell.

Apart from improvements in technology, the 'call to action' has also increased the number of companies adopting formal security standards.
According to the survey, 65 percent of organisations now follow or use established standards such as the AS 7799, Specification for Information Security Management System and the ISO 17799:2001, Code of Practice for Information Security Management. This compares with 58 percent last year and 37 percent in 2003.

AusCERT's Ingram said adherence to security standards has had a positive impact on the corporate world.

"It is hard to reliably talk about cause and effect, but there is a positive indicator that with better adherence to computer security policies, practices and technologies, you are going to make an impact in reducing the level of exposure to incidences," said Ingram.

According to Dimension Data's Campbell, overall security has improved but he expects malware writers and hackers to continue innovating and finding new ways to compromise security.

"We have seen organisations spur themselves and move to improve security but you have to accept that security in any domain is generally an arms race. You certainly cannot say we have hit the worst of it and now it will all improve from here," he added.

From isn at c4i.org Tue May 24 04:55:36 2005
From: isn at c4i.org (InfoSec News)
Date: Tue May 24 05:06:38 2005
Subject: [ISN] Bank security breach may be biggest yet
Message-ID:

http://money.cnn.com/2005/05/23/news/fortune500/bank_info/index.htm

May 23, 2005

NEW YORK (CNN/Money) - Bank of America Corp. and Wachovia Corp. are among the big banks notifying more than 670,000 customers that account information was stolen in what may be the biggest security breach to hit the banking industry.

Account information on the customers was illegally sold by bank employees to a man identified as Orazio Lembo, who police said was doing business by illegally posing as a collection agency.

When police in Hackensack, N.J., first announced arrests in the case on April 28, they estimated that more than 500,000 people were affected. That number was raised to 676,000 Friday.
Because some people have more than one account, Hackensack Police Chief Charles "Ken" Zisa says the number of accounts breached may top 1 million.

"As this gets going, these numbers are going to go up and up," Hackensack Detective Capt. Frank Lomia told CNN earlier Monday, adding that more arrests may be coming in the case.

The data-theft may have been the biggest ever in banking, the Hackensack, N.J., police department said in a statement, citing an unnamed Treasury Department official.

Of the four banks involved in the case, Bank of America, the nation's No. 2 bank, has notified 60,000 customers of the problem. Wachovia has notified 48,000 customers.

Customer account numbers and balances were allegedly sold to Lembo, who then sold the information to collection agencies, the Hackensack police department said in a statement.

Wachovia customers whose account information was stolen have received complimentary one-year credit monitoring service and each account will also be monitored by the bank, a Wachovia spokesman told CNN, adding that two former Wachovia employees have been charged in the case.

Bank of America spokeswoman Alexandra Liftman said the bank was notifying customers affected, but added there was no evidence of account fraud or identity theft. Customers affected would be offered free credit monitoring, she said, adding Bank of America is cooperating with law enforcement officials and conducting its own internal investigation. One associate who was named by police is "no longer with the bank," Liftman said.

Charges filed

Last month, New Jersey police arrested and charged nine people, including seven bank employees and Lembo, who operated DRL Associates, the bogus collection agency, Hackensack police said. A tenth person was subsequently arrested. DRL did not qualify as a collection or detective agency, the police said.

"Based on forensic examination of Lembo's computers, it was determined that he had employed upper-level bank employees to access and identify individual accounts in their respective banks," the police statement said. "That information was then sold to his clients, which included more than 40 law firms and collection agencies."

Lomia told CNN that Lembo paid $10 a name, convincing the bank employees that they wouldn't get caught. He said the department has not yet classified this as an identity theft case but is watching it closely.

In addition to confidential bank information, DRL also obtained employment information from the manager of the New Jersey Department of Labor in Jersey City, Hackensack police said.

Police estimate that Lembo made several million dollars over the past four years, and that his informants each made tens of thousands of dollars in the scheme.

The department said it is continuing its investigation, and the Department of the Treasury and the Internal Revenue Service also are involved. The FBI in Newark told CNN it is not handling the case, but that the Secret Service may become involved.

Lomia said the law firms that allegedly sought Lembo's services are part of "phase two" of the investigation.

Other banks affected by the theft ring are Commerce Bancorp, based in Cherry Hill, N.J., and PNC Financial Services Group Inc. PNC said it is cooperating with Hackensack police.

From isn at c4i.org Tue May 24 04:56:00 2005
From: isn at c4i.org (InfoSec News)
Date: Tue May 24 05:06:40 2005
Subject: [ISN] ITL Bulletin for May 2005
Message-ID:

Forwarded from: Elizabeth Lennon

ITL BULLETIN FOR MAY 2005

RECOMMENDED SECURITY CONTROLS FOR FEDERAL INFORMATION SYSTEMS: GUIDANCE FOR SELECTING COST-EFFECTIVE CONTROLS USING A RISK-BASED PROCESS

Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

Security controls are the management, operational, and technical safeguards that protect the confidentiality, integrity, and availability of an information system and its information. Organizations face critical decisions in selecting and implementing the right controls and in making the controls an effective part of their information security programs. The Information Technology Laboratory at the National Institute of Standards and Technology (NIST) has developed guidance to help organizations protect their information and information systems and to use security controls that are selected through a risk-based process.

Development of NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems

The basic questions that organizations should address when selecting security controls are: What controls are needed to protect systems, while supporting their operations and safeguarding their assets? Can the selected controls be implemented? And once implemented, are they effective? NIST SP 800-53, Recommended Security Controls for Federal Information Systems, helps organizations to answer these questions and to maintain effective information security programs. This ITL Bulletin summarizes the special publication.

Written by Ron Ross, Stuart Katzke, Arnold Johnson, Marianne Swanson, Gary Stoneburner, George Rogers, and Annabelle Lee, NIST SP 800-53 was developed using input from a variety of sources including published NIST standards and guidance, Department of Defense (DoD) policies, international standards, and other federal government directives and policies. SP 800-53 provides guidance for federal agencies that operate federal information systems other than those systems designated as national security systems, as defined in 44 U.S.C., Section 3542. However, the security controls that are specified in NIST SP 800-53 are complementary to similar guidance that has been issued for national security systems.
NIST SP 800-53 was issued in final form in February 2005 after extensive public input and review. The authors received many valuable comments from government and private sectors that helped to shape the final recommendations. While primarily aimed toward helping federal agencies achieve more secure information systems, other activities including state, local and tribal governments, and private sector organizations should find the guide useful in selecting and specifying security controls for their information and information systems.

Understanding and Selecting Security Controls

Recommended Security Controls for Federal Information Systems provides a foundation for understanding the fundamental concepts of security controls. The introductory material presents the concept of security controls and their use within a well-defined information security program. Some of the issues discussed include the structural components of controls, how the controls are organized into families, and the use of controls to support information security programs. The guide outlines the essential steps that should be followed to determine needed controls, to assure the effectiveness of controls, and to maintain the effectiveness of installed controls. A detailed process for selecting and specifying appropriate security controls is described.

The publication's appendices provide additional resources including general references, definitions, explanation of acronyms, a breakdown of security controls for graduated levels of security requirements, a catalog of security controls, and information relating security controls to other standards and control sets. The controls in the catalog are organized into classes of operational, management, and technical controls, and then into families within each class. NIST plans to review and to update the controls in the catalog as technology changes and as new safeguards and new information security countermeasures are identified.
NIST SP 800-53 is available in electronic format from the NIST Computer Security Resource Center at http://csrc.nist.gov/publications/nistpubs/index.html.

NIST SP 800-53 and FISMA Requirements

NIST SP 800-53 is one of the series of standards and guidelines that NIST has developed to help federal agencies implement their responsibilities under the Federal Information Security Management Act (FISMA). FISMA requires that all federal agencies develop, document, and implement agency-wide information security programs to protect the information and information systems that support the operations and assets of the agency, including those systems provided or managed by another agency, contractor, or other source. To support agencies in conducting their information security programs, FISMA directed NIST to develop:

* Standards for categorizing information and information systems collected or maintained by or on behalf of each federal agency based on the objectives of providing appropriate levels of information security according to a range of risk levels;

* Guidelines recommending the types of information and information systems to be included in each category; and

* Minimum information security requirements for information and information systems in each such category.

FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, issued in February 2004, addresses the first task specified by FISMA. FIPS 199 requires that agencies categorize their information systems as low-impact, moderate-impact, or high-impact systems for the security objectives of confidentiality, integrity, and availability. In a low-impact system, all security objectives are low. If at least one of the security objectives is moderate and no security objective is greater than moderate, the system is moderate-impact. A high-impact system is one for which at least one security objective is high.
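The low/moderate/high rule above, worked through in code as an added example (this is not code from the bulletin or from NIST). It goes one step beyond the summary by first rolling up the information types a system handles into per-objective values, the "high-water mark" rule FIPS 199 itself specifies; that rule, the FIPS 199 allowance of "not applicable" for the confidentiality of public information, and the sample information types are assumptions labelled in the code.

```python
"""FIPS 199 security categorization of an information system.

Added example, not code from the ITL Bulletin or from NIST.
Assumptions (not stated in the bulletin's summary, taken from FIPS 199 itself):
  * a system's value for each objective is the highest value assigned to that
    objective across the information types it handles (the high-water mark);
  * an information type may carry "not applicable" (None here) for
    confidentiality only, e.g. public web content; a system never carries
    N/A and is at least 'low' for every objective.
The information types and impact values below are constructed sample data.
"""
from typing import Dict, List, Optional

LEVELS = ("low", "moderate", "high")          # ordered, lowest first
OBJECTIVES = ("confidentiality", "integrity", "availability")

# An information type's security category: objective -> level, or None for N/A.
InfoType = Dict[str, Optional[str]]


def _check(objective: str, level: Optional[str]) -> None:
    """Reject values FIPS 199 does not allow (N/A is confidentiality-only)."""
    if level is None:
        if objective != "confidentiality":
            raise ValueError(
                f"'not applicable' is only valid for confidentiality, not {objective}")
        return
    if level not in LEVELS:
        raise ValueError(f"unknown impact level {level!r} for {objective}")


def system_objectives(info_types: List[InfoType]) -> Dict[str, str]:
    """High-water mark per objective across every information type on the system."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    result: Dict[str, str] = {}
    for objective in OBJECTIVES:
        highest = 0  # index into LEVELS; 'low' is the floor for any system
        for info_type in info_types:
            level = info_type.get(objective)
            _check(objective, level)
            if level is not None:
                highest = max(highest, LEVELS.index(level))
        result[objective] = LEVELS[highest]
    return result


def overall_impact(per_objective: Dict[str, str]) -> str:
    """The rule quoted in the bulletin: all low -> low; any high -> high; else moderate."""
    levels = {per_objective[objective] for objective in OBJECTIVES}
    if "high" in levels:
        return "high"
    if levels == {"low"}:
        return "low"
    return "moderate"


def categorize(info_types: List[InfoType]) -> Dict[str, str]:
    """Full categorization; 'overall' is the level that drives SP 800-53 baseline selection."""
    per_objective = system_objectives(info_types)
    return {**per_objective, "overall": overall_impact(per_objective)}


# Constructed sample information types (not from the bulletin).
PUBLIC_WEB_CONTENT: InfoType = {"confidentiality": None, "integrity": "low", "availability": "low"}
CONTRACT_RECORDS: InfoType = {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"}
EMERGENCY_DISPATCH: InfoType = {"confidentiality": "low", "integrity": "moderate", "availability": "high"}

if __name__ == "__main__":
    print(categorize([PUBLIC_WEB_CONTENT]))                    # every objective low -> low
    print(categorize([PUBLIC_WEB_CONTENT, CONTRACT_RECORDS]))  # moderate, nothing above moderate
    print(categorize([CONTRACT_RECORDS, EMERGENCY_DISPATCH]))  # one objective high -> high
```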
This categorization is the first step in the agency's risk management process, to be followed by the selection of security controls that are appropriate for the impact levels determined in the categorization procedure.

Draft FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, which is in the final stages of development, will specify a risk-based approach for agencies to follow in determining their minimum security requirements and for selecting cost-effective security controls. NIST expects to announce FIPS 200 for public review and comment in the near future. In applying the provisions of proposed FIPS 200, agencies will categorize their systems as required by FIPS 199, and then select an appropriate set of security controls from NIST SP 800-53. These controls are the foundation for the selection of adequate controls, but the final determination of the appropriate set of controls depends upon the organization's assessment of risk.

Implementing an Effective Information Security Program

To maintain an effective information security program that protects their information and information systems, organizations should follow a systematic process to carry out these tasks:

* Periodically assess the risks that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the organization;

* Adopt policies and procedures that are based on risk assessments, reduce risks cost-effectively to an acceptable level, and ensure that information security is addressed throughout the life cycle of the information system;

* Develop plans to provide information security for networks, facilities, information systems, or groups of information systems;

* Provide security awareness training to educate personnel about information security risks and responsibilities for following policies and procedures that are designed to reduce risks;

* Periodically test and evaluate the effectiveness of information security policies, procedures, practices, and security controls;

* Use an organizational process to plan, implement, evaluate, and document remedial actions that address identified deficiencies;

* Adopt procedures that detect, report, and respond to security incidents; and

* Support plans and procedures to ensure continuity of operations.

A Risk-Based Approach to Selecting Controls

In adopting a risk-based approach to the selection of security controls, organizations should consider the effectiveness and efficiency needed in their systems, and the requirements that are specified in applicable laws, directives, executive orders, policies, standards, and regulations. The following activities can be applied to new and legacy information systems within the context of overall life-cycle planning, including the planning guides in the System Development Life Cycle and the Federal Enterprise Architecture:

* Categorize information systems and their information based on the procedures for categorizing systems that are detailed in FIPS 199. Based on the security categorization, select an initial set of security controls from the catalog of controls listed in Appendix D of SP 800-53.

* Adjust the initial set of security controls based on an assessment of risk and local conditions including organization-specific security requirements, specific threat information, cost-benefit analyses, the availability of compensating controls, or special circumstances.

* Document the agreed-upon set of security controls taking into account any adjustments or refinements.

The Security Control Catalog

The security controls listed in the SP 800-53 catalog represent the current state-of-the-practice safeguards and countermeasures for information systems. These controls will be revised and extended as experience is gained in using the controls, and as requirements and technology change.
The security controls should be considered as the foundations or starting points in the selection of controls for low-impact, moderate-impact, and high-impact information systems, based on categorizations done in accordance with FIPS 199. Since the determination of adequate controls is based on the organization's determination of risk, additional controls may be needed to address specific threats or particular organizational requirements.

The security controls cover the following seventeen areas:

* Risk assessment - including policies and procedures; security categorization; and management of the risk assessment process.

* Certification, accreditation, and security assessments - including policies and procedures; control of system connections; management of the accreditation process; and assessments and monitoring of controls.

* System services and acquisition - including policies and procedures; management of resource allocation, life cycle support, acquisitions, and system documentation; and control of software usage and of outsourced information services.

* Security planning - including policies and procedures; development and implementation of plans; and management of staff behavior rules and privacy procedures.

* Configuration management - including policies and procedures; management of information system components; and control and management of changes to information systems and to system settings.

* System and communications protection - including policies and procedures; application partitioning; controls for denial of service protection, resource use, boundary protection, and telecommunications services; and management of cryptography applications and public key infrastructure certificates.

* Personnel security - including policies and procedures; and management of staff positions, screening, terminations, and transfers.

* Awareness and training - including policies and procedures; and management of the content of training and of training records.
* Physical and environmental protection - including policies and procedures; management of access authorizations; controls for access to transmission facilities and display media; management of access logs and visitor controls; and management of power equipment, cabling, lighting, fire protection, and alternate work sites.

* Media protection - including policies and procedures; processes for media access, labeling, storage, transport, and sanitization; and destruction and disposal of media.

* Contingency planning - including policies and procedures; contingency training; and development, maintenance, and testing of plans; management of alternate processing sites, telecommunications services, and information backup; and management of system recovery.

* Maintenance - including policies and procedures; management of periodic maintenance; and control of maintenance tools and maintenance personnel.

* System and information integrity - including policies and procedures; management of flaw protection, malicious code protection, and intrusion detection; controls for security alerts, and for software and information integrity; spam and spyware protection; and error handling.

* Incident response - including policies and procedures; incident training, testing, handling, monitoring, and reporting.

* Identification and authentication - including policies and procedures; management of devices, identifiers, and authenticators; and management of cryptographic processes.

* Access control - including policies and procedures; access enforcement; information flow enforcement; management of login attempts; system use notification; remote access controls; and wireless access controls.

* Accountability and audit - including policies and procedures; audit processing; audit monitoring, analysis, and reporting; and audit report generation.
Using Security Controls to Improve Information System Security

NIST SP 800-53 provides detailed information about these seventeen categories of broadly applicable security controls and helps organizations select the controls that are appropriate for a wide variety of security requirements. When correctly implemented and periodically assessed for effectiveness, security controls can contribute to organizational confidence that requirements for the security of information systems are being met. The controls are a starting point for risk assessments and play an important role in the organization's practices for comprehensive system security planning and life cycle management.

The extensive reference list in SP 800-53 includes standards, guidelines, and recommendations that organizations can use for their comprehensive security planning and life cycle management processes. These publications can be accessed from the NIST web pages at http://csrc.nist.gov/.

Disclaimer

Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.

Elizabeth B. Lennon
Writer/Editor
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 840-1357

From isn at c4i.org Wed May 25 03:38:09 2005
From: isn at c4i.org (InfoSec News)
Date: Wed May 25 03:52:28 2005
Subject: [ISN] Hacker Hunters
Message-ID:

Forwarded from: "eric wolbrom, CISSP"

http://www.businessweek.com/magazine/content/05_22/b3935001_mz001.htm

Hacker Hunters

By Brian Grow, with Jason Bush in Moscow
May 30, 2005

In an unmarked building in downtown Washington, Brian K. Nagel and 15 other Secret Service agents manned a high-tech command center, poised for the largest-ever roundup of a cybercrime gang.
A huge map of the U.S., spread across 12 digital screens, gave them a view of their prey, from Arizona to New Jersey. It was Tuesday, Oct. 26, 2004, and Operation Firewall was about to be unleashed. The target: the ShadowCrew, a gang whose members were schooled in identity theft, bank account pillage, and the fencing of ill-gotten wares on the Web, police say. For months, agents had been watching their every move through a clandestine gateway into their Web site, shadowcrew.com. To ensure the suspects were at home, a gang member-turned-informant had pressed his pals to go online for a group meeting.

At 9 p.m., Nagel, the Secret Service's assistant director for investigations, issued the "go" order. Agents armed with Sig-Sauer 229 pistols and MP5 semi-automatic machine guns swooped in, aided by local cops and international police. The adrenaline was pumping, in part, because several ShadowCrew members were known to own weapons. Twenty-eight members were arrested, most still at their computers. The alleged ringleaders went quietly, but one suspect jumped out a second-story window. Agents nabbed him on the ground. Later, they found a loaded assault rifle in his apartment. The operation was swift and bloodless. "[Cybergangs] always thought they operated with anonymity," says Nagel, a tall, chiseled G-man. "We rattled them."

There's a new breed of crime-fighter prowling cyberspace: the hacker hunters. Spurred by big profits, professional cyber-criminals have replaced amateur thrill-seeking hackers as the biggest threat on the Web. Software defenses are improving rapidly, but law enforcement and security companies understand they can no longer rely on technology alone to deal with the plague of virus attacks, computer break-ins, and online scams.
Instead, they're marshaling their forces and using gumshoe tactics to fight back -- infiltrating hacker groups, monitoring their chatter on underground networks, and when they can, busting the baddies before they do any more damage. "The wave of the future is getting inside these groups, developing intelligence, and taking them down," says Christopher M.E. Painter, deputy chief of the Computer Crime section of the Justice Dept., who will help prosecute ShadowCrew members at a trial scheduled for October. Step by step, the cops are figuring out how to play the cybercrime game. They're employing some of the same tactics used to crush organized crime in the 1980s -- informants and the cyberworld equivalent of wiretaps. They're also busy coming up with brand new moves. FBI agent Daniel J. Larkin, a 20-year vet who heads up the bureau's Internet Crime Complaint Center, taps online service providers to help pierce the Web's veil of anonymity and track down criminal hackers. In late April, leads supplied by the FBI and eBay Inc. (EBAY ) helped Romanian police round up 11 members of a gang that set up fake eBay accounts and auctioned off cell phones, laptops, and cameras they never intended to deliver. "We're getting smarter every day," says Larkin. Smarter and more collaborative. While the FBI and other investigators have been criticized for fighting each other almost as fiercely as the criminals on traditional cases, they cooperate more than ever when it comes to cybercrime. Local, state, and federal agencies regularly share tips and team up for busts. The FBI and Secret Service, which received jurisdiction over financial crimes when it was part of the Treasury Dept., have even formed a joint cybercrime task force in Los Angeles. Public agencies also are linking with tech companies and private security experts who often are the first to discover crimes and clues. This makes the hacker hunters an eclectic bunch. Larkin ends up working in tandem with people like Mikko H. 
Hypponen, director of antivirus research at Finnish security outfit F-Secure Corp. Larkin is a straitlaced, 45-year-old native of Indiana, Pa., who honed his skills during Operation Illwind, the 1980s investigation into kickbacks paid to Pentagon officials by defense contractors. Hypponen is a 35-year-old computer whiz who lives on an island southwest of Helsinki populated by fewer than 100 people and a herd of moose. On a Rampage There's a clear reason for this newfound collaboration: The bad guys are winning. They're stealing more money, swiping more identities, wrecking more corporate computers, and breaking into more secure networks than ever before. Total damage last year was at least $17.5 billion, a record -- and 30% higher than 2003, according to research firm Computer Economics Inc. Among the computers compromised were those at NASA, a break-in in which one of the prime suspects is a 16-year-old from the Swedish university town of Uppsala. Part of the problem is that cops don't have all the weapons they need to fight back. They clearly lack the financial resources to match their adversaries' technical skills and global reach. The FBI will spend just $150 million of a $5 billion fiscal 2005 budget on cybercrime -- not including personnel -- in spite of its being given the third-highest priority. (Terrorism and counterintelligence come first.) The Secret Service won't discuss the funding breakdown for cybercrime. Both agencies are aggressively lobbying Congress for more money. Cybercrime laws haven't been much of a help. Hacking into computer networks was long seen as little more than a prank, and punishment was typically a slap on the wrist. That's beginning to change, however. Prosecutors are starting to make aggressive use of the Computer Fraud & Abuse Act, which carries penalties of up to 20 years in prison. The lengthiest sentence so far has been nine years, issued last December. Now prosecutors plan to send a message with the ShadowCrew case. 
Several members face prison sentences of 5 to 10 years if convicted. "There have to be consequences," says Painter. The wiliest of the hackers still run rings around the cops. A Russian gang called the HangUp Team has been pummeling e-commerce Web sites and taunting its pursuers for two years, police say. The gang plants software bugs in computers that allow it to steal passwords, and it rents out huge networks of computers to others for sending out viruses and spam. HangUp Team hides in plain sight. Its Web site -- rat.net.ru/index.php -- is decorated with a red-and-black swastika firing off lightning bolts. Its blog discusses hacker tactics and rails against Americans. Its motto: In Fraud We Trust. "We think we know what they've done, where they are, and who they are," says Nagel. But authorities haven't been able to nab them so far. The Secret Service won't say why. Trojan Horse Devilish trickery keeps the criminals one step ahead. In January, 2004, a new virus called MyDoom attacked the Web site of the SCO Group Inc. (SCOX ), a software company that claimed the open-source Linux program violated its copyrights. Most security experts suspected the virus writer was a Linux fan seeking revenge. They were wrong. While the SCO angle created confusion, MyDoom acted like a Trojan horse, infecting millions of computers and then opening a secret backdoor for its author. Eight days after the outbreak, the author used that backdoor to download personal data from computer owners. F-Secure's Hypponen figured this out in time to warn his clients. It was too late, however, for many others. MyDoom caused $4.8 billion in damage, the second-most-expensive software attack ever. "The enemy we have been fighting is changing," says Hypponen. Indeed, today's cybercrooks are becoming ever more tightly organized. Like the Mafia, hacker groups have virtual godfathers to map strategy, capos to issue orders, and soldiers to do the dirty work. 
Their omertà, or vow of silence, is made easier by the anonymity of the Web. And like legit businesses, they're going global. The ShadowCrew allegedly had 4,000 members operating worldwide -- including Americans, Brazilians, Britons, Russians, and Spaniards. "Organized crime has realized what it can do on the street, it can do in cyberspace," says Peter G. Allor, a former Green Beret who heads the intelligence team at Internet Security Systems Inc. (ISSX ) in Atlanta.

Yet there may be hope for a shift in the fortunes of battle. Among cybercops, the ShadowCrew case is seen as a model for taking the battle to the Black Hats. Law enforcement officials are often loath to reveal details of their operations, but the Secret Service and Justice Dept. wanted to publicize a still-rare victory. So they agreed to reveal the inner dynamics of their cat-and-mouse chase to BusinessWeek. The case provides a window into the arcane culture of cybercriminals and the methods of their pursuers.

The story starts with an unlikely partnership. Andrew Mantovani was a part-time student at Scottsdale Community College in Arizona. David Appleyard was a onetime mortgage broker who lived in Linwood, N.J., just outside of Atlantic City. This is the duo who led the ShadowCrew from 2002 until they were arrested last fall, according to an indictment filed in U.S. District Court in New Jersey -- the state in which their servers were located. The two are believed to have met online, although the details of their first encounters are unknown. From their home computers, Mantovani, now 23, and Appleyard, 45, allegedly ran shadowcrew.com as an international clearinghouse for stolen credit cards and identity documents. "It was a criminal bazaar," says Nagel, a 22-year veteran who served on the protection teams for Presidents George H.W. Bush and Bill Clinton. ShadowCrew, it appears, was largely Mantovani's creation.
A business student at Scottsdale, he became a true entrepreneur in front of his computer screen. He was previously a member of a different cybergang that mainly stored stolen data, Justice Dept. officials say. He then allegedly came up with the idea of bringing together buyers and sellers in an online community so they could auction off stolen goods and share hacking tricks. Once the ShadowCrew site was established, he often reminded members in online chats that he could help them rise or fall in the gang depending on their loyalty to him, says Scott S. Christie, a former assistant U.S. attorney who helped build the legal case. "It was important [to Mantovani] to be recognized as the spiritual leader of ShadowCrew," says Christie. If Mantovani was the brains, Appleyard was the brawn, according to the indictment. The older man adopted the online persona of a former soldier. He went by the nickname "BlackOps" and stood ready to mete out punishment to anyone who stepped out of line. One time, a gang member known as "ccsupplier" failed to deliver merchandise he had sold -- and then failed to refund the money that had been paid. Appleyard allegedly posted the guy's real name, address, and phone numbers on the ShadowCrew Web site, immediately putting him out of business. On another occasion, police say he threatened somebody with physical harm, in an online message. All the while, the former mortgage broker was living with his wife, two kids, and mother, who suffers from Alzheimer's. The ShadowCrew gang got hold of credit-card numbers and other valuable information through all sorts of clever tricks. One of the favorites was sending millions of phishing e-mails -- messages that appeared to be from legit companies such as Yahoo! Inc. (YHOO ) and Juno Online Services Inc. but in fact were fakes designed to steal passwords and credit-card numbers. The gang also excelled at hacking into databases to steal account data. 
According to sources familiar with the investigation, the ShadowCrew cracked the networks of 12 unnamed companies that weren't even aware their systems had been breached. Because most of the gang members held day jobs, the crew came alive on Sunday nights. From 10 p.m. to 2 a.m. hundreds would meet online, trading credit-card information, passports, and even equipment to make fake identity documents. Platinum credit cards cost more than gold ones. Discounts were offered for package deals. How big was the business? One day in May, 2004, a crew member known as "Scarface" sold 115,695 stolen credit-card numbers in one trade. Overall, the gang made more than $4.3 million in credit-card purchases during its two-year run. The actual tally could be more than twice as large, the feds say. It was like an eBay for the underworld. Too Big to Hide The operation was quite sophisticated. Mantovani, who used the handle "ThnkYouPleaseDie," and Appleyard, who went by "BlackBagTricks" as well as "Black Ops," were the "administrators," according to the government's indictment. They were in charge of strategic planning, determined which ShadowCrew aspirants got access to the Web site, and collected payments from participants to keep it running. "Moderators" hosted online forums where gang members could share tips for making fake IDs or ask questions about creating credible phishing e-mail. Below them were "reviewers," who vetted stolen information such as credit-card numbers for quality and value. The largest group, the "vendors," sold the goods to other gang members, often in online auctions. Speed was essential, since credit-card numbers had to be used quickly before they were canceled. But their operation was too big to escape notice by the cops. In mid-2003, the Secret Service launched Operation Firewall to nab purveyors of fake credit and debit cards. They quickly focused on ShadowCrew, says Nagel, because it was among the largest gangs operating openly on the Web. 
Within months, agents turned one of ShadowCrew's members into a snitch. While they decline to name the person or detail how he was flipped, an affidavit says he was a high-ranking member of the gang, and one of its moderators. Last August the man helped the Secret Service set up a new electronic doorway for ShadowCrew members to enter their Web site and then spread the word that the new gateway was a more secure way in. It was the first-ever tap of a private computer network under a 1968 crime act that set legal guidelines for wiretaps. "We became shadowcrew.com," says Nagel.

This was a big break, since the cops could use the doorway to monitor all the members' communications. Among the communiqués: Omar Dhanani, aka Voleur (French for "thief"), bragged he could set up a special payment system for cybercrime transactions, police say. For a 10% commission, he would exchange cash for "eGold," an electronic currency backed by gold bullion. The Secret Service watched as he laundered money from at least a dozen deals for ShadowCrew members.

The online taps helped the cops set up real-world stakeouts, too. They started by subpoenaing records from Internet service providers such as Time Warner Inc.'s (TWX ) Road Runner. They then traced the computing addresses to actual houses and apartments so they could observe their prey in person. One target: Rogerio Rodrigues. Investigators say they saw him load a bulging bank-deposit bag into his Ford Explorer and drop it off at a Citibank (C ) branch. Later, he stopped into a Kinko's (FDX ), where agents believe he picked up counterfeit merchandise.

Cutting-edge digital monitoring combined with old-fashioned shoe leather resulted in reams of incriminating evidence. At the peak of the investigation, a dozen Secret Service agents worked 18-hour days to sift through the gang's communiqués. E-mail, instant messages, and computer addresses led them to the suspected ringleaders.
Mantovani, it turned out, lived with another alleged ShadowCrew member, Brandon Monchamp. Dhanani operated from a quaint stucco house in Fountain Valley, Calif. Addresses in hand, the Secret Service was ready to conduct last fall's bust. The ShadowCrew case is far from over, though. Charged with credit-card fraud and identity theft, most of the suspects arrested that day have been released on bail pending trial. Mantovani returned home to live with his parents on Long Island and works as a construction laborer. His lawyer, Pasquale F. Giannetta, insists Mantovani is no criminal. "He is like a normal 23-year-old boy," Giannetta says. Appleyard has not issued a plea in the case, pending additional evidence from the government. His lawyer, William J. Hughes Jr., says Appleyard was just a techie running the ShadowCrew Web site, not a criminal profiting from it. Brandon Monchamp's lawyer, Elizabeth S. Smith, declined to comment. Dhanani's and Rodrigues' attorneys did not return calls seeking comment. Global Reach The bust yielded a treasure trove of evidence. So far the Secret Service has uncovered 1.7 million credit-card numbers, access data to more than 18 million e-mail accounts, and identity data for thousands of people including counterfeit British passports and Michigan driver's licenses. They say the ShadowCrew pillaged more than a dozen companies, from MasterCard Inc. to Bank of America Corp. (BAC ) The bust has yielded evidence against more than 4,000 suspects and links to people in Bulgaria, Canada, Poland, and Sweden. "We will be arresting people for months and months and months," says Nagel. Now, with the ShadowCrew bust as their inspiration, cops and security experts are becoming more aggressive. They're tapping shady Web sites and chat rooms, stepping up cooperation with investigators in other countries, and flipping informants to build cases. In the past six months, the FBI persuaded members of several spam and phishing rings to rat on their accomplices. 
Larkin says some of these cases will become public in the coming months. Despite these successes, cops face major hurdles as they try to get cybercrime under control. The biggest? Their global scope. Gang members hide out in countries with weak hacking laws and lax enforcement. They can even shelter servers in a separate country, snarling the trail for investigators. Their favorite hideouts: Russia, Eastern Europe, and China. And little wonder. In Russia, the authorities can appear at times to be more interested in protecting cybercrooks than in prosecuting them. In 2000, the FBI lured two Russian hackers to Seattle with job offers, then arrested them. Agents involved in the case later downloaded data from the duo's computers, located in Chelyabinsk, Russia, over the Web. Two years after that, Russia filed charges against the FBI sleuths for hacking -- alleging the downloads were illegal. "When you have a case that involves servers in Russia, you can almost hear the law-enforcement officials sigh," says Hypponen. The HangUp Team has been operating in Russia with impunity for years. Some members are allegedly based in Archangelsk, an Arctic Circle city of rusting Soviet nuclear submarines and nearly perpetual winter. In 2000 the alleged original members of the team, Alexei Galaiko, Ivan Petrichenko, and Sergei Popov, were arrested for infecting two local computer networks with malicious code. But Russian authorities let them off with suspended sentences. Little was heard from the HangUp Team for the next two years. But in 2003 the gang released the viruses Berbew and Webber. Then last year the group infected online stores with a fiendish piece of software called the Scob worm. Scob waited for Web surfers to connect, then planted software in their hard disks that spied on their typing and relayed thousands of passwords and credit-card numbers to a server in Russia, police say. "These guys have set a new standard for sophistication among criminal hackers," says A. 
James Melnick, 51, director of threat intelligence at iDEFENSE, a Reston (Va.) cybersecurity firm. The HangUp crew isn't even covering its tracks. Each of the three bugs contained a telltale signature: "Coded by HangUp Team." With HangUp operating so publicly, it's not clear why its members have been so hard to catch. Russian authorities say they have been hampered by the red tape of securing warrants, coordinating with U.S. and British police, and translating documents.

It's one more sign that the battle for cyberspace has changed forever. Criminals are swarming the Web, and their attacks come from the most remote corners of the globe. There are no easy answers. But one thing is clear: The old practice of erecting defenses out of software isn't enough. "That's a Band-Aid," says Larkin. "If you don't try to take these guys down, they'll come back. You have to find a way to get to the live bodies and take them out at their roots. If you don't, you aren't solving the problem." Investigators scored an impressive success in taking down the hackers behind the ShadowCrew. But the hunt is just beginning.

From isn at c4i.org Wed May 25 03:38:25 2005
From: isn at c4i.org (InfoSec News)
Date: Wed May 25 03:52:31 2005
Subject: [ISN] Virus authors choosing to infect fewer people
Message-ID:

http://www.zdnet.com.au/news/security/0,2000061744,39193414,00.htm

By Munir Kotadia
ZDNet Australia
25 May 2005

Virus authors are choosing not to create global epidemics -- such as Melissa or Blaster -- because that distracts them from their core business of creating and selling zombie networks, according to anti-virus experts. Zombie networks are groups of computers that have been infected by malware that allows the author to control the infected PC and use it to send spam or launch DDoS attacks.
Speaking at the AusCERT conference in Australia's Gold Coast on Tuesday, Eugene Kaspersky, founder of Kaspersky Labs, said that the influence of organised crime on the malware industry has led to a change of tactics. Instead of trying to create viruses and worms that infect as many computers as possible, malware authors are instead trying to infect 5,000 or 10,000 computers at a time to create personalised zombie armies.

"Do I need a million computers to send spam? No. To do a DDoS attack, 5,000 or 10,000 PCs is more than enough. That is why virus writers and hackers have changed their tactics of infection -- they don't need a global epidemic," said Kaspersky.

According to Kaspersky, organised criminals are advertising zombie computers for rent on underground newsgroups and Web pages. When they receive an order for a certain-size army, they set about trying to infect computers using infected e-mail attachments or socially-engineered spam with links to malicious Web pages. As soon as they infect enough computers to fulfil the order, they stop using that particular piece of malware.

"It seems that, say the virus author needs 5,000 infected computers, they put the Trojan on a Web page and wait for 5,000 machines to be infected. Then they remove the Trojan because that is enough. When they get a new request for another zombie network, they release a new Trojan -- they are able to control the number of infected computers," said Kaspersky.

Adam Biviano, senior systems engineer at anti-virus firm Trend Micro, agrees. He said that by only infecting a relatively small number of computers, the malware has a better chance of flying 'under the radar' and not being spotted by antivirus companies.

"It makes sense to have a discreet number of PCs under your control and be able to sell that on," said Biviano, who added: "With 5,000 PCs under your control -- none of which are being destroyed or showing actual qualifiable damage as a result -- you will fit under the radar, probably make some money and you probably won't get arrested".

Kaspersky said that to fight this new tactic anti-virus companies have to be more thorough by scouring Web pages and e-mail attachments for new and obscure pieces of malware -- to ensure as few Trojans as possible escape.

"Before releasing the new infected code they test it using anti-virus scanners and they don't release the new Trojan or worm if it is detected. I believe that if only 1,000 machines are infected, anti-virus companies will never receive the infected file. That is why anti-virus companies have to collect data reactively and get samples as quickly as possible," said Kaspersky.

Vincent Gullotto, vice president of McAfee AVERT (anti-virus emergency response team), told ZDNet Australia that anti-virus companies are responding to the new threat by proactively seeking out new forms of malware.

"It is standard for us, Kaspersky, Symantec and some of the other prominent anti-virus companies scour the Web in many different ways. We go out looking for [malware] with a very aggressive search and we do passive searches where we have machines that are just sitting around waiting to get attacked. When we see a machine getting attacked we grab a sample rather quickly so we can add it to our database," said Gullotto.

From isn at c4i.org Wed May 25 03:38:42 2005
From: isn at c4i.org (InfoSec News)
Date: Wed May 25 03:52:34 2005
Subject: [ISN] Honeynet traps the unwary
Message-ID:

http://www.smh.com.au/news/Next/Honeynet-traps-the-unwary/2005/05/23/1116700623833.html

By Patrick Gray
May 24, 2005
Next

Some people just won't learn, according to the University of Washington's David Dittrich, a speaker at this week's AusCERT security conference on the Gold Coast.
In his 15 years with the university, Mr Dittrich has had a lot of experience with security incidents but didn't expect computer users to be so reticent to learn about the dark side of computing. "Still people don't understand the power of the computers they have when they're taken over by someone else," Mr Dittrich says. "I thought the education process would happen faster." Mr Dittrich, 43, started work at the University of Washington in an administration role, maintaining Unix machines and coding MS-DOS based applications that controlled nuclear magnetic resonance equipment. Before long, Mr Dittrich moved into Unix support and eventually security administration. Since then he's cemented a reputation as an expert on Distributed Denial of Service (DDoS) attack tools and honeynet research. A honeynet is a computer, or group of computers, designed to be attacked for research and attack detection purposes. During his time in the field, he's seen things change. "In 1996 and 1997 the number of Unix intrusions was going through the roof and Windows wasn't really a problem at that point," he says. That all changed when Microsoft decided to build internet protocol support into its operating system in the mid-'90s. By 1999, the number of attacks had seemingly doubled and attackers weren't just hitting Unix systems. Scores of the university's 60,000 computers were breached every day. These days, Mr Dittrich is a senior security engineer and staff researcher at the university. He has also helped to develop course material taught across all faculties. Under a National Security Agency (NSA) approved program, the University of Washington now teaches non-IT students about the importance of data security. "The NSA definitely has it right when they're trying to convince people to get this education across every program," Mr Dittrich says. "Unless you have everyone up to speed and adequately paranoid, you're not going to have a secure system." 
And, according to Mr Dittrich, we have plenty to be paranoid about. Automated tools that made the wholesale compromise of thousands of systems first appeared in about 2000, he says, but they're still getting better. "I'm seeing a definite trend in increased sophistication in automation on everything to do with intrusion," Mr Dittrich says. More complicated and harder to detect tools are available to miscreants, he says, and "it's going to make it harder to deal with advanced attacks". In some ways, that's why Mr Dittrich believes in his honeynet research. While aspects of the research are increasingly geared towards forensic analysis, the honeynet can still be a valuable "canary in the coal mine"; a decoy system, which, when hacked into, should set alarm bells ringing. That hasn't stopped some security industry commentators from questioning the usefulness of honeynets in recent times. Greg Shipley, CTO of Chicago-based IT security consultancy Neohapsis, once described honeynets as "the IT security guy's pet rock". While he takes that one on the chin, Mr Dittrich admits honeynets are of limited use for most. But for others, it gives them a way to augment their existing security set-up and spin-off tools with applications in forensics that have been a welcome side-effect. However, Mr Dittrich argues that the answer lies in education and co-operation, not in a specific technology. In response to the next generation of threats, the security industry will have to work more effectively with the security research community and everyone will have to communicate more suitably with upper management, Mr Dittrich says. "That's been changing a lot but there's still a big gap," he says. The fourth annual AusCERT IT security conference started on the Gold Coast on Saturday. It ends on Thursday. 
From isn at c4i.org Wed May 25 03:39:14 2005
From: isn at c4i.org (InfoSec News)
Date: Wed May 25 03:52:37 2005
Subject: [ISN] Linux Security Week - May 23rd 2005
Message-ID:

+------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter                        |
| May 23rd, 2005                        Volume 6, Number 22n |
|                                                            |
| Editorial Team: Dave Wreski         dave@linuxsecurity.com |
|                 Benjamin D. Thomas  ben@linuxsecurity.com  |
+------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Security and the Linux process," "Security's shortcoming: Too many machines, not enough training," and "Towards proactive security."

---

## Internet Productivity Suite: Open Source Security ##

Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design. Click to find out more!

http://store.guardiandigital.com/html/eng/products/software/ips_overview.shtml

---

LINUX ADVISORY WATCH

This week, advisories were released for kde, phpsysinfo, fonts-xorg, gaim, phpBB, mozilla suite, PostgreSQL, FreeRADIUS, ncpfs, kdelibs, cyrus-imapd, rsh, glibc, ia32el, and the Red Hat kernel. The distributors include Conectiva, Debian, Fedora, Gentoo, and Red Hat.

http://www.linuxsecurity.com/content/view/119156/150/

---

Review: The Book of Postfix: State-of-the-Art Message Transport

I was very impressed with "The Book of Postfix" by authors Ralf Hildebrandt and Patrick Koetter and feel that it is an incredible Postfix reference.
It gives a great overall view of the operation and management of Postfix in an extremely systematic and practical format. It flows in a logical manner, is easy to follow and the authors did a great job of explaining topics with attention paid to real world applications and how to avoid many of the associated pitfalls. I am happy to have this reference in my collection.

http://www.linuxsecurity.com/content/view/119027/49/

---

Introduction: Buffer Overflow Vulnerabilities

Buffer overflows are a leading type of security vulnerability. This paper explains what a buffer overflow is, how it can be exploited, and what countermeasures can be taken to prevent the use of buffer overflow vulnerabilities.

http://www.linuxsecurity.com/content/view/118881/49/

---

Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, therefore very simple.

http://www.linuxsecurity.com/content/view/118181/49/

--------

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* SSH hole putting big business at risk
17th, May, 2005

Secure business networks are at risk thanks to a vulnerability in a fundamental protocol, according to security researchers at the Massachusetts Institute of Technology (MIT).
Researchers have highlighted the increasing danger of attacks exploiting weaknesses in SSH (Secure Shell), and warned that such attacks are likely to be automated in the near future.

http://www.linuxsecurity.com/content/view/119125

* KDE users have to patch twice
20th, May, 2005

Linux and Unix users of KDE who lovingly patched their systems last month to avoid a major security glitch will have to go through the whole process again, it has transpired.

http://www.linuxsecurity.com/content/view/119157

* Computer Crime Forensics Get A Boost
19th, May, 2005

Chatsworth CA-based Intelligent Computer Solutions introduces a new portable high-speed hard drive duplicator. Called the Image MASSter Solo 3 Forensic, the device can duplicate hard drives at speeds of up to 3GB per minute.

http://www.linuxsecurity.com/content/view/119148

* Security query over Intel hyperthreading
17th, May, 2005

Intel's hyperthreading technology could allow a hacker to steal security keys from a compromised server using a sophisticated timing attack, a researcher has warned.

http://www.linuxsecurity.com/content/view/119124

* Security and the Linux process
19th, May, 2005

In his latest entry, Dana asks whether the Linux process is insecure, because it's not possible to warn the "vendor" before warning the general public about security flaws in Linux. He also notes that "Microsoft has theoretical control of this situation."

http://www.linuxsecurity.com/content/view/119149

* Microsoft to buy Red Hat? Say it ain't so
16th, May, 2005

In Paris, Ontario, there's a large plaza sign advertising both The Paris Sleep Laboratory and the Canadian Post Office. The synergy there, of course, should be obvious -- at least from the point of view of the humorist. Recent revivals of the idea that Microsoft might want to take over Red Hat have a similar quality to them.
http://www.linuxsecurity.com/content/view/119121

* IBM bundle service seeks to protect smaller businesses
  16th, May, 2005

IBM is looking to make it easier for smaller businesses to protect themselves against spam and viruses that make their way onto the network through e-mail.
http://www.linuxsecurity.com/content/view/119122

* Security needs bring redundant systems back in style
  17th, May, 2005

Whether you're considering a multifunction appliance, a broad suite of software or a combination of both to secure your Windows infrastructure, security consultants say there is one key principle to keep in mind: Don't rely on a single vendor for everything.
http://www.linuxsecurity.com/content/view/119127

* Security's weakest links
  17th, May, 2005

Not a month has gone by in 2005 without a far-reaching computer security breach making the nightly news hour. Headliners compelled to walk the plank of shame include Bank of America, the nation's second-largest bank, Ameritrade, Polo Ralph Lauren, and LexisNexis.
http://www.linuxsecurity.com/content/view/119128

* Before You Fire the Company Geek...
  17th, May, 2005

If you notice a fellow employee suddenly freaking out or acting really suspicious, he may be having personal problems -- or he may be in the process of hacking the company. So says a new study on "insider threats" released Monday by the U.S. Secret Service and the Carnegie Mellon Software Engineering Institute's CERT.
http://www.linuxsecurity.com/content/view/119133

* The Propaganda War
  18th, May, 2005

Linux has gradually become the standard OS on the server and is probably destined to become the desktop standard too. It might seem premature to say this, because the statistics from IDC and other market analysts indicate that Linux hasn't overtaken Windows on the server yet and it does not even have a significant share of the desktop market. Nevertheless, the contest is almost over. The tide is running in Linux's favour.
It will take its time to come in, but it will not be stopped.
http://www.linuxsecurity.com/content/view/119136

* UK IT bosses confused about governance
  18th, May, 2005

IT heads in the UK are convinced that better IT governance will impress senior management, but few of them have the money to invest in better systems. Research from the Economist Intelligence Unit, commissioned by Mercury Interactive, showed that chief information officers around the world think that better IT governance will restore management's faith in IT, with 70 per cent of UK CIOs stating that better IT governance would lead to more accurate financial reporting.
http://www.linuxsecurity.com/content/view/119137

* Security's shortcoming: Too many machines, not enough training
  18th, May, 2005

Companies can spend all they want on antivirus, intrusion prevention systems and all-in-one appliances. These tools will do nothing for enterprises that ignore the human side of security, said Tara Manzow, product manager for the workforce development group at the Computing Technology Industry Association [CompTIA].
http://www.linuxsecurity.com/content/view/119138

* Criminal IT: Why insecurity is implicit in computing
  18th, May, 2005

Some statements are undoubtedly true; I am an adult male. Others undoubtedly false; I can breathe underwater. And some of them need more information; I live in a house with a green-tiled bathroom. You can visit my house, you can ask my family; it is decidable, provided that you can get some more information.
http://www.linuxsecurity.com/content/view/119139

* Towards proactive security
  18th, May, 2005

To businesses, security is still not equal to paying your electric bill. It is a nuisance, a distraction, a resource drain, and it is expensive. However, when that worm hits, when that hacker attacks, then blame is quick to be assigned. What most organisations do not yet understand is that improving security is not all about buying the latest and greatest products.
It is about changing the corporate culture to make security a realistic priority, and to understand that the upfront investment in security resources and processes will be far less costly than the reactionary efforts after an attack.
http://www.linuxsecurity.com/content/view/119147

* Keeping kids from succumbing to 'the dark side'
  19th, May, 2005

Edward Ajaeb got his first taste of steganography in sixth grade, when he set up a Web site for his teacher's husband to showcase his master's thesis on the subject. By then the Utica, N.Y., youth had designed Web sites for a couple of years, a side business he'd developed in the fourth grade.
http://www.linuxsecurity.com/content/view/119150

* Know your Enemy: Phishing
  19th, May, 2005

This KYE white paper aims to provide practical information on the practice of phishing and draws on data collected by the German Honeynet Project and UK Honeynet Project. This paper focuses on real world incidents that the Honeynet Project has observed in the wild, but does not cover all possible phishing methods or techniques. Attackers are constantly innovating and advancing, and there are likely to be new phishing techniques already under development or in use today.
http://www.linuxsecurity.com/content/view/119154

* Hack attack danger soars in 2005
  20th, May, 2005

Security experts have warned of a substantial rise in the number and complexity of hacking attacks during the first half of 2005.
http://www.linuxsecurity.com/content/view/119163

* VeriSign to put more backbone into the Net
  20th, May, 2005

VeriSign plans to significantly increase the number of DNS servers it operates, a move that it says will make a key part of the Internet's infrastructure more resilient to cyberattacks.
http://www.linuxsecurity.com/content/view/119162

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.
LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org  Thu May 26 13:10:15 2005
From: isn at c4i.org (InfoSec News)
Date: Thu May 26 13:24:10 2005
Subject: [ISN] CIA Overseeing 3-Day War Game on Internet
Message-ID:

http://abcnews.go.com/Technology/wireStory?id=792229

By TED BRIDIS
The Associated Press
WASHINGTON May 26, 2005

The CIA is conducting a secretive war game, dubbed "Silent Horizon," this week to practice defending against an electronic assault on the same scale as the Sept. 11 terrorism attacks.

The three-day exercise, ending Thursday, was meant to test the ability of government and industry to respond to escalating Internet disruptions over many months, according to participants. They spoke on condition of anonymity because the CIA asked them not to disclose details of the sensitive exercise taking place in Charlottesville, Va., about two hours southwest of Washington.

The simulated attacks were carried out five years in the future by a fictional alliance of anti-American organizations, including anti-globalization hackers. The most serious damage was expected to be inflicted in the war game's closing hours.

The national security simulation was significant because its premise -- a devastating cyberattack that affects government and parts of the economy with the same magnitude as the Sept. 11, 2001, suicide hijackings -- contravenes assurances by U.S. counterterrorism experts that such far-reaching effects from a cyberattack are highly unlikely. Previous government simulations have modeled damage from cyberattacks more narrowly.

"You hear less and less about the digital Pearl Harbor," said Dennis McGrath, who helped run three similar war games for the Institute for Security Technology Studies at Dartmouth College. "What people call cyberterrorism, it's just not at the top of the list."
The CIA's little-known Information Operations Center, which evaluates threats to U.S. computer systems from foreign governments, criminal organizations and hackers, was running the war game. About 75 people, mostly from the CIA, gathered in conference rooms and reacted to signs of mock computer attacks.

The government remains most concerned about terrorists using explosions, radiation and biological threats. FBI Director Robert Mueller warned earlier this year that terrorists increasingly are recruiting computer scientists but said most hackers "do not have the resources or motivation to attack the U.S. critical information infrastructures."

From isn at c4i.org  Thu May 26 13:10:34 2005
From: isn at c4i.org (InfoSec News)
Date: Thu May 26 13:24:13 2005
Subject: [ISN] Database Hackers Reveal Tactics
Message-ID:

http://www.wired.com/news/business/0,1367,67629,00.html

By Kim Zetter
May 25, 2005

Three young hackers under investigation for unlawfully accessing personal information on thousands of people in a LexisNexis database have characterized their act as a cyberjoyride that got out of hand.

The hackers, ages 16, 19 and 20, spoke with Wired News by phone Monday and said that in January and February they accessed LexisNexis data -- which included the Social Security number, birth date, home address and driver's license number of numerous celebrities and hacker friends -- to claim bragging rights, rather than to steal identities or sell the information to identity thieves, as some published reports have stated.

"We didn't use the info for bad reasons," said the 16-year-old from Massachusetts, who goes by the handle "Cam0." "It was to have the info and get kicks out of it."

Two law enforcement authorities involved in the LexisNexis investigation told Wired News that they have found no evidence, so far, to indicate that the three hackers used the data to steal identities. They cautioned, however, that the investigation was still underway.
The hackers, who asked Wired News not to disclose their real names because they haven't been arrested or charged with any crime yet, are suspects in a Secret Service investigation into the breach, called Operation Boca Grande (Spanish for "big mouth"), which resulted in raids last week on nine people in four states.

A number of the suspects are members of a hacking group called Defonic Crew, who hang out on a forum at Digitalgangster.com where hackers trade information and brag about exploits. Of the three suspects Wired News spoke with, only Cam0 is a member of Defonic.

Hacking began with AOL

Cam0 is also a suspect in the recent security breach of socialite Paris Hilton's T-Mobile account and was investigated last summer after admitting to Wired News that he hacked America Online and stole AOL Instant Messaging screen names, among other exploits. He has yet to be charged for the AOL breaches but told Wired News on Monday that the AOL activity, which he began in 1997, was the "gateway drug" that emboldened him and other members of Defonic Crew to graduate to other hacking projects.

"If there was a security breach (at AOL), we were all a part of them.... That's how we all started," he said. "We all met up on AOL breaking into their crap. If it wasn't for AOL none of this (LexisNexis stuff) would have happened."

"Shasta," a hacker who knows Defonic Crew but isn't a suspect in the LexisNexis breach, said the success of the AOL breaches made Defonic Crew careless about not covering its tracks in LexisNexis.

"It made them feel invincible," he said. "And they weren't worried about getting caught."

They naturally are circumspect in the face of possible consequences.

"I really wish that I hadn't been able to get access to (the LexisNexis database)," said the 20-year-old, who lives in Rhode Island and goes by the name "Krazed." "Curiosity gets you in trouble."
Last March, LexisNexis revealed that intruders gained access to a database belonging to one of its subsidiaries and obtained the personal data of as many as 310,000 people through numerous name searches. The breach occurred at Seisint, a Florida-based company that LexisNexis bought last year, which maintains databases for law enforcement, legal professionals and others through a service called Accurint.

According to the hackers, none of them knew about LexisNexis or Seisint until they stumbled upon a Florida police officer's Seisint account.

A friend of Krazed masqueraded as a 14-year-old girl online and engaged a Florida police officer in a chat session, the hackers said. The friend sent the officer an attachment, which he said was a slideshow containing naked pictures of the girl he was pretending to be. When the officer clicked on it, a Trojan horse downloaded silently to his computer, which gave Krazed complete access to the computer's files. A law enforcement agent confirmed this general account of the breach.

Hunting for celebrities

Among the data Krazed found on the computer was a password file with information for accessing an Accurint account. Krazed said he gave the account info to several people who searched celebrity names like Ben Affleck, Matt Damon and Arnold Schwarzenegger to obtain Social Security numbers and other data.

In the meantime, a 19-year-old hacker who lives near Cam0 in Massachusetts searched for other active Accurint accounts using a Java script. He found an account named Null, which he later learned belonged to a Texas police department. The hacker asked to be identified as "Null" for this story.

Posing as a LexisNexis tech administrator, he called Seisint under the guise of running diagnostic tests on the Null account and convinced someone at Seisint to reset the account's password to "Null." Then he used the account to create new accounts under the auspices of the police department.
"A whole bunch of user names were made and people were trading them and passing them around like candy," Null said. "It was getting real bad."

Null said he ran only a few searches himself then closed the accounts he created when he saw things getting out of hand. In a separate incident, he hacked into a gay website called Manhunt.net, broke into the site's instant messaging server and got caught by the website. The experiences convinced him he was wasting his life, he said.

Null said he had a poor education and never made it through high school. He realized he couldn't get a job without a degree and was researching a program that would allow him to attend college for free. He was hoping to study computer science and psychology.

"I just decided to stop it all. I was trying to stop being on the internet ... and straighten out my life," he said.

He said he threw his computer, which he'd received for free, into the ocean. "It had a lot of things on it and I didn't want (anyone) to associate it with me," he said.

Null said "some Russian kids" hacked into LexisNexis and erased the records for the Null account that he'd been using so there was no trace of it in the system. But it was too late.

In March, LexisNexis announced that intruders breached its system and stole private data on 32,000 people -- a figure that was later upgraded to more than 310,000 people. On May 16, Secret Service and FBI agents conducted raids on individuals in Minnesota, North Carolina, Massachusetts and California, seizing computer equipment and documents. All search warrants in the investigation have been sealed.

The experience wasn't entirely new for Cam0. A year earlier, the FBI had raided his house for his AOL activity and seized his computer.

"I always had the feeling that with the AOL (thing) I was eventually going to go to court," he said. But the FBI never filed charges, so Cam0 said he got a new computer and "kept going."
He said he began hacking "away from home" so his family wouldn't know.

Null wasn't initially hit in the raids -- investigators didn't know where he lived -- but a friend tipped him off with a phone call. Instead of waiting for authorities to find him, he called the Secret Service and asked them not to raid his house. Instead, he met with them and told them what he'd done.

"They were really nice about the whole situation," Null said. "But it's still not looking good for me."

Multiple, independent breaches?

All three hackers say they never sold LexisNexis data to anyone, although Null and Krazed say another hacker may have sold data to someone. This other hacker has not yet been targeted by authorities investigating the LexisNexis breach, according to Null and Krazed.

Null said the other hacker first accessed the LexisNexis data while based in California. On May 17, California authorities near San Francisco did arrest three individuals on drug charges -- one for possession of methamphetamine with intent to sell and the others in connection with operating a methamphetamine lab -- in an investigation that may be related to the LexisNexis investigation.

The search warrants have been sealed and authorities aren't allowed to discuss them. But a police press release said authorities discovered the drug paraphernalia while executing a federal search warrant on a different matter. And the group that executed the warrant was a high-tech task force called REACT, for Rapid Enforcement Allied Computer Team, composed of people from several law enforcement agencies who investigate high-tech crimes. This indicates that the initial reason for the search was computer-related.

Santa Clara County Deputy District Attorney Jim Sibley, project director of REACT, didn't discount that the California arrests were related to the hacker investigation, but said, "To my knowledge the hacker situation in the news has no tie to what we're investigating here."
He suggested, however, that the California arrests might involve a separate investigation of LexisNexis breaches, since the scope of the problem was so great.

"You start looking at an account that's been logged into 500 times and generated 9,000 reports, for example, that's a lot of information (to examine)," Sibley said. "I'm just saying it's not one group that's compromised LexisNexis. Their security is really bad. This isn't a situation where you're talking about needing an überhacker to compromise (the system). Their passwords weren't as secure as your average porn site. I think it didn't take a genius to break them. Although I think the way the hackers did it was creative. We'll give them style points."

A separate source indicated that the California investigation began separately from the hacker investigation when a California parole officer discovered Accurint reports in a parolee's house earlier this year. Authorities contacted LexisNexis, which led the company to disclose the breach in March. An investigation revealed that this particular intrusion had begun in November.

The Secret Service was already investigating the Paris Hilton T-Mobile hack when LexisNexis contacted the agency about its breach. A source said that when the agency discovered that one of its T-Mobile hacking suspects also breached LexisNexis, they launched an investigation, separate from the California investigation, which eventually led to the hackers.

All three of the hackers Wired News interviewed face possible fines and criminal charges in the LexisNexis case for access device fraud and other crimes, which can carry sentences of more than 15 years. Cam0, as a minor, could face possible juvenile detention until the age of 21.

When asked if he's afraid, Krazed said, "Yeah, I don't know what I'm looking at here. It kind of just got out of hand."

Like Null, he can't afford a lawyer and will have to work with a court-appointed attorney. "Hopefully I get lucky and get a competent one."
From isn at c4i.org  Thu May 26 13:11:19 2005
From: isn at c4i.org (InfoSec News)
Date: Thu May 26 13:24:16 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-21
Message-ID:

========================================================================

                  The Secunia Weekly Advisory Summary

                        2005-05-19 - 2005-05-26

                       This week : 48 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you of the best and most reliable source for vulnerability information.

Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Alex Wheeler has reported a vulnerability in various Computer Associates and Zonelabs products, which can be exploited by malicious people to compromise a vulnerable system.

Users of Computer Associates and Zonelabs products are advised to review the referenced Secunia advisories, to ensure that their systems are updated.
Reference:
http://secunia.com/SA15470
http://secunia.com/SA15479

--

Apple has issued a security update for Mac OS X v10.4, which fixes various vulnerabilities.

Refer to the Secunia advisory below for details.

Reference:
http://secunia.com/SA15436

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA15292] Mozilla Firefox Two Vulnerabilities
2.  [SA15470] CA Multiple Products Vet Antivirus Engine Buffer Overflow
3.  [SA15479] Zonelabs ZoneAlarm Vet Antivirus Engine Buffer Overflow
4.  [SA15422] D-Link DSL Routers "firmwarecfg" Authentication Bypass
5.  [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerabilities
6.  [SA15436] Mac OS X Update Fixes Multiple Vulnerabilities
7.  [SA15472] Cisco Various Products Compressed DNS Messages Denial of Service
8.  [SA15486] BEA WebLogic Multiple Vulnerabilities
9.  [SA15393] Cisco Various Products TCP Timestamp Denial of Service
10. [SA14163] Mozilla Products IDN Spoofing Security Issue

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA15483] IMail Server Multiple Vulnerabilities
[SA15482] Warrior Kings Denial of Service and Format String Vulnerabilities
[SA15479] Zonelabs ZoneAlarm Vet Antivirus Engine Buffer Overflow
[SA15470] CA Multiple Products Vet Antivirus Engine Buffer Overflow
[SA15501] Halo: Combat Evolved Denial of Service Vulnerability
[SA15494] FunkyASP AD System "password" SQL Injection Vulnerability
[SA15493] Active News Manager Username and Password SQL Injection
[SA15469] NewsletterEz "Password" SQL Injection Vulnerability
[SA15443] JiRo's Statistics System "Password" SQL Injection Vulnerability

UNIX/Linux:
[SA15504] Red Hat update for lesstif
[SA15502] Red Hat update for ethereal
[SA15461] Red Hat update for firefox
[SA15464] Red Hat update for mozilla
[SA15462] Debian update for libconvert-uulib-perl
[SA15456] WebAPP APage Module Unspecified Vulnerability
[SA15451] gxine HTTP URL Hostname Format String Vulnerability
[SA15448] Cookie Cart Exposure of Order Notifications and Passwords
[SA15440] Red Hat update for evolution
[SA15439] Debian update for oops
[SA15468] Picasm Error Handling Buffer Overflow Vulnerability
[SA15466] Solaris in.ftpd Wildcard Denial of Service Vulnerability
[SA15454] GNOME gedit Filename Format String Vulnerability
[SA15447] bzip2 Decompression Denial of Service Vulnerability
[SA15485] Fedora update for openssl
[SA15484] Fedora update for openssl096b
[SA15480] Fedora update for kernel
[SA15478] Gentoo update for qpopper
[SA15476] Gentoo update for net-snmp
[SA15475] Qpopper Privilege Escalation Vulnerabilities
[SA15473] Iron Bars SHell Format String Vulnerability
[SA15471] Net-snmp fixproc Insecure Temporary File Creation
[SA15467] Gentoo update for gdb
[SA15460] Ubuntu update for kernel
[SA15457] Linux Kernel Hyper-Threading Support Information Disclosure
[SA15449] GDB Integer Overflow and Insecure Initialisation File Handling
[SA15445] Gentoo webapp-config Insecure Temporary File Creation
[SA15444] Debian update for ppxp
[SA15455] Ubuntu update for imagemagick
[SA15453] Gentoo update for imagemagick/graphicsmagick
[SA15446] GraphicsMagick XWD Decoding Denial of Service Vulnerability

Other:
[SA15472] Cisco Various Products Compressed DNS Messages Denial of Service
[SA15463] ZyXEL ZyNOS Fragmented IP Packets Denial of Service

Cross Platform:
[SA15486] BEA WebLogic Multiple Vulnerabilities
[SA15458] PortailPHP "id" SQL Injection Vulnerability
[SA15450] PostNuke Multiple Vulnerabilities
[SA15465] Sambar Server Cross-Site Scripting Vulnerabilities
[SA15459] PHPMyCart Multiple Cross-Site Scripting Vulnerabilities
[SA15452] Blue Coat Reporter Multiple Vulnerabilities

========================================================================
5) Vulnerabilities Content Listing

Windows:

--

[SA15483] IMail Server Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information, DoS, System access
Released:    2005-05-24

Multiple vulnerabilities have been reported in IMail Server, which can be exploited to gain knowledge of sensitive information, cause a DoS (Denial of Service), or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15483/

--

[SA15482] Warrior Kings Denial of Service and Format String Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-05-24

Luigi Auriemma has reported two vulnerabilities in Warrior Kings and Warrior Kings: Battle, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/15482/

--

[SA15479] Zonelabs ZoneAlarm Vet Antivirus Engine Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-05-24

Alex Wheeler has reported a vulnerability in ZoneAlarm Security Suite and ZoneAlarm Antivirus, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15479/

--

[SA15470] CA Multiple Products Vet Antivirus Engine Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-05-24

Alex Wheeler has reported a vulnerability in various Computer Associates products, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15470/

--

[SA15501] Halo: Combat Evolved Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-05-25

Luigi Auriemma has reported a vulnerability in Halo: Combat Evolved, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15501/

--

[SA15494] FunkyASP AD System "password" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-05-25

Romty has reported a vulnerability in FunkyASP AD System, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15494/

--

[SA15493] Active News Manager Username and Password SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-05-25

Romty has reported a vulnerability in Active News Manager, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/15493/

--

[SA15469] NewsletterEz "Password" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-05-24

Romty has reported a vulnerability in NewsletterEz, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15469/

--

[SA15443] JiRo's Statistics System "Password" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-05-23

dj romty has reported a vulnerability in JiRo's Statistics System, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15443/

UNIX/Linux:

--

[SA15504] Red Hat update for lesstif

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-05-25

Red Hat has issued an update for lesstif. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15504/

--

[SA15502] Red Hat update for ethereal

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-05-25

Red Hat has issued an update for ethereal. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15502/

--

[SA15461] Red Hat update for firefox

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, System access
Released:    2005-05-23

Red Hat has issued an update for firefox. This fixes two vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.
Full Advisory:
http://secunia.com/advisories/15461/

--

[SA15464] Red Hat update for mozilla

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-05-23

Red Hat has issued an update for mozilla. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/15464/

--

[SA15462] Debian update for libconvert-uulib-perl

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-05-23

Debian has issued an update for libconvert-uulib-perl. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15462/

--

[SA15456] WebAPP APage Module Unspecified Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2005-05-23

A vulnerability with an unknown impact has been reported in the APage module for WebAPP.

Full Advisory:
http://secunia.com/advisories/15456/

--

[SA15451] gxine HTTP URL Hostname Format String Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-05-23

jsk:exworm has reported a vulnerability in gxine, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15451/

--

[SA15448] Cookie Cart Exposure of Order Notifications and Passwords

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information, Exposure of system information
Released:    2005-05-23

SoulBlack Security Research has reported a security issue in Cookie Cart, which can be exploited by malicious people to disclose system and sensitive information.
Full Advisory:
http://secunia.com/advisories/15448/

--

[SA15440] Red Hat update for evolution

Critical:    Moderately critical
Where:       From remote
Impact:      Privilege escalation, System access
Released:    2005-05-20

Red Hat has issued an update for evolution. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system or by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/15440/

--

[SA15439] Debian update for oops

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2005-05-20

Debian has issued an update for oops. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/15439/

--

[SA15468] Picasm Error Handling Buffer Overflow Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2005-05-23

Shaun Colley has reported a vulnerability in Picasm, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/15468/

--

[SA15466] Solaris in.ftpd Wildcard Denial of Service Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-05-23

Sun Microsystems has acknowledged a vulnerability in Solaris, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15466/

--

[SA15454] GNOME gedit Filename Format String Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2005-05-24

jsk:exworm has reported a vulnerability in gedit, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/15454/

--

[SA15447] bzip2 Decompression Denial of Service Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-05-23

Chris Evans has reported a vulnerability in bzip2, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15447/

--

[SA15485] Fedora update for openssl

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information, Privilege escalation
Released:    2005-05-24

Fedora has issued an update for openssl. This fixes two vulnerabilities, which can be exploited by malicious, local users to gain knowledge of sensitive information or perform certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/15485/

--

[SA15484] Fedora update for openssl096b

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2005-05-24

Fedora has issued an update for openssl096b. This fixes a vulnerability, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/15484/

--

[SA15480] Fedora update for kernel

Critical:    Less critical
Where:       Local system
Impact:      DoS, Privilege escalation
Released:    2005-05-24

Fedora has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/15480/

--

[SA15478] Gentoo update for qpopper

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-05-24

Gentoo has issued an update for qpopper. This fixes two vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory:
http://secunia.com/advisories/15478/

--

[SA15476] Gentoo update for net-snmp

Critical:    Less critical
Where:       Local system
Impact:      Manipulation of data, Privilege escalation
Released:    2005-05-24

Gentoo has issued an update for net-snmp. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/15476/

--

[SA15475] Qpopper Privilege Escalation Vulnerabilities

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-05-24

Two vulnerabilities have been reported in Qpopper, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/15475/

--

[SA15473] Iron Bars SHell Format String Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass, Privilege escalation
Released:    2005-05-24

A vulnerability has been reported in Iron Bars SHell, which can be exploited by malicious, local users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/15473/

--

[SA15471] Net-snmp fixproc Insecure Temporary File Creation

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-05-24

Eric Romang has reported a vulnerability in Net-snmp, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/15471/

--

[SA15467] Gentoo update for gdb

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-05-23

Gentoo has issued an update for gdb. This fixes some vulnerabilities, which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/15467/

--

[SA15460] Ubuntu update for kernel

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information, Privilege escalation, DoS
Released:    2005-05-23

Ubuntu has issued an update for the kernel. This fixes multiple vulnerabilities, which can be exploited by malicious, local users to gain knowledge of sensitive information, cause a DoS (Denial of Service), or gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/15460/

--

[SA15457] Linux Kernel Hyper-Threading Support Information Disclosure

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2005-05-23

A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/15457/

--

[SA15449] GDB Integer Overflow and Insecure Initialisation File Handling

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-05-23

Tavis Ormandy has reported two vulnerabilities in GDB, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/15449/

--

[SA15445] Gentoo webapp-config Insecure Temporary File Creation

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-05-23

Eric Romang has reported a vulnerability in webapp-config, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/15445/

--

[SA15444] Debian update for ppxp

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-05-20

Debian has issued an update for ppxp. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/15444/

--

[SA15455] Ubuntu update for imagemagick

Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2005-05-23

Ubuntu has issued an update for imagemagick. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15455/

--

[SA15453] Gentoo update for imagemagick/graphicsmagick

Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2005-05-23

Gentoo has issued updates for imagemagick and graphicsmagick. These fix a weakness, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15453/

--

[SA15446] GraphicsMagick XWD Decoding Denial of Service Vulnerability

Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2005-05-23

Tavis Ormandy has reported a weakness in GraphicsMagick, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15446/


Other:
--

[SA15472] Cisco Various Products Compressed DNS Messages Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2005-05-24

A vulnerability has been reported in various Cisco products, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15472/

--

[SA15463] ZyXEL ZyNOS Fragmented IP Packets Denial of Service

Critical:    Not critical
Where:       From local network
Impact:      DoS
Released:    2005-05-24

Federico Kirschbaum has reported a vulnerability in ZyXEL ZyNOS, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/15463/


Cross Platform:
--

[SA15486] BEA WebLogic Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, DoS
Released:    2005-05-24

Multiple vulnerabilities have been reported in WebLogic, where the most critical can be exploited by malicious people to disclose sensitive information and cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/15486/

--

[SA15458] PortailPHP "id" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-05-24

Censored has reported a vulnerability in PortailPHP, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/15458/

--

[SA15450] PostNuke Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, Exposure of sensitive information
Released:    2005-05-23

Maksymilian Arciemowicz has reported some vulnerabilities in PostNuke, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, and disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/15450/

--

[SA15465] Sambar Server Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-05-23

Jamie Fisher has reported some vulnerabilities in Sambar Server, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/15465/

--

[SA15459] PHPMyCart Multiple Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-05-23

mircia and Talte Security have reported some vulnerabilities in PHPMyCart, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/15459/

--

[SA15452] Blue Coat Reporter Multiple Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Privilege escalation
Released:    2005-05-23

Oliver Karow has reported some vulnerabilities in Blue Coat Reporter, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks, bypass certain security restrictions, or gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/15452/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

From isn at c4i.org Fri May 27 03:25:40 2005
From: isn at c4i.org (InfoSec News)
Date: Fri May 27 03:37:59 2005
Subject: [ISN] Underground showdown: defacers take on phishers
Message-ID:

Forwarded from: security curmudgeon

http://www.theregister.co.uk/2005/05/22/defacers_take_on_phishers_in_underground_showdown/

By Robert Lemos, SecurityFocus
22nd May 2005

Groups fighting against online criminals intent on phishing have gained allies from another species of underground miscreant: website defacers.
On Thursday, Internet monitoring firm Netcraft reported that some users of the company's anti-phishing toolbar followed links to fake financial sites only to find them defaced with anti-phishing messages. While defacements in the past have consisted mainly of sophomoric messages and political diatribe, the recent attacks by website defacers on phishing fraud could actually help warn online users before they become victims, said Paul Mutton, a services developer for Internet monitoring provider Netcraft.

"It is undoubtedly a good thing in that they are helping to protect innocent web users," he said. "On the other hand, it is perhaps unfortunate in that it's probably illegal."

The do-good defacements are still rare incidents, but could gain steam as phishing fraud continues to rise and the online scam artists become more organized and professional, Mutton said.

Phishing, which uses email and fake websites to lure users into giving up sensitive and financial information, is a growing threat, according to the Anti-Phishing Working Group. The average number of active phishing sites reported to the group has increased an average of 28 per cent per month since July 2004 with 2870 sites discovered in March, the last month for which data is available. While the March data is down from the preceding month, other indicators suggest the problem is worsening, said Dan Hubbard, senior director of security and technology for web-filtering firm Websense and one of eight committee members for the APWG.

"Although some of those numbers appear to be flattening, that doesn't mean the problem is getting better," Hubbard said.

The technical prowess of phishing groups has gotten better, according to another report released this week.
Criminal groups now attack multiple server types with prebuilt tools for controlling compromised computers and sending out spam, according to an analysis done by the Honeynet Project, which uses heavily monitored servers as bait for online attackers to gain insight into the techniques of Internet criminals. Using two incidents where honeynets - groups of honeypot servers - were compromised by phishing groups, the Honeynet Project eavesdropped on criminal organizations' methods. One compromised server in Germany, for example, was quickly loaded with multiple sophisticated websites designed to mimic well-known brands. More than 720 victims visited that server's fake websites in 36 hours, according to the report. (The Honeynet Project caused the web application to fail so that no user data was compromised.)

The increase in fraud activity has apparently irked some web defacers. While website taggers have targeted the criminals behind phishing scams since at least 2003, anecdotal evidence seems to indicate that the number of defacers that have turned their attention to the fake websites is increasing.

One group, The Lad Wrecking Crew, has regularly defaced a handful of fraudulent websites in conjunction with flashmob events held by Artists Against 419, a vigilante group that attempts to flood scammers' bandwidth with data requests. The groups target so-called 419 scams, a variant of phishing named after the Nigerian law created to combat them. The modern era of phishing is exemplified by email messages from Nigerians posing as business partners trying to move money out of the African country.

Targeting the websites created by online fraudsters is still not a common practice, however. Following the release of its anti-phishing toolbar for Internet Explorer five months ago, Netcraft users have reported some 6,600 websites that have been part of a phishing scam, but only a few sites have been found to be defaced, Mutton said.
However, with the amount of effort being put into defacing the fraudulent sites, Mutton believes that the practice will continue, and likely become more popular. While some defacers, such as Sickophish, replaced scam sites with the simple message "Warning - This was a scam site," the more prolific Lad Wrecking Crew has created complex graphics for their web defacements. A recent example has Star Wars themed graphics and nods to more than 50 other people fighting phishing scams.

"That suggests that these people pursue this 'hobby' because they genuinely want to thwart the efforts of phishers, much as open source software developers strongly feel the need to write quality software for free," Mutton said. "I see no reason why they'd want to suddenly stop; if anything, I'd expect it to grow along with phishing in general."

Defacement activity on the Internet is certainly increasing, jumping 36 per cent in 2004 compared to the previous year, said Roberto Preatoni, founder of defacement database and security site Zone-h.org. Preatoni thinks that more defacements will not necessarily mean that more defacers will be going after fake websites. He believes that phishing fraudsters will get better at protecting their compromised website resources, essentially outgunning the less technical defacers.

"Phishers are usually using high skilled hackers to set up machines - therefore, the same cracker might patch the attacked machine in order to keep it online as much as possible," Preatoni said in an email interview.

Complicating the defense of any anti-phishing attack, once a defacer tags a website with digital graffiti, it becomes hard to prove that it was a fraudulent site, he added.

Yet, it might be a while before law enforcement puts vigilante defacers in their sights, said Jennifer Granick, an attorney and executive director of Stanford University's Center for Internet and Society.
It's unlikely that many law enforcement officials will go after Web defacers who are posting warnings to potential victims of phishing fraud. Prosecutors can pick and choose the cases in which they want to invest time, and helping out bank fraudsters is not likely a high priority, Granick said.

"I don't think authorities are going to want to get their name out there for helping fake banks," she said.

However, even a good cause does not make the activity legal, she stressed. There is no exception in the law for good intent.

"The law doesn't have an exception for motive," she said. "If you access a computer without authorization, then you are committing unauthorized access."

Copyright © 2005

From isn at c4i.org Fri May 27 03:26:30 2005
From: isn at c4i.org (InfoSec News)
Date: Fri May 27 03:38:02 2005
Subject: [ISN] Security UPDATE -- Netscape 8.0 Security -- May 25, 2005
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Reduce Costs with Cyclades AlterPath OnSite
http://list.windowsitpro.com/t?ctl=AB2B:4FB69

Anti-Spam product not working? What more companies are switching to... and why.
http://list.windowsitpro.com/t?ctl=AB14:4FB69

====================

1. In Focus: Netscape 8.0 Security

2. Security News and Features
   - Recent Security Vulnerabilities
   - Windows TCP/IP Woes
   - NT OBJECTives Offers Two Free Security Tools

3. Security Toolkit
   - Security Matters Blog
   - FAQ
   - Security Forum Featured Thread

4.
New and Improved
   - Control Your Network Traffic

====================

==== Sponsor: Cyclades ====

Reduce Costs with Cyclades AlterPath OnSite

Reduce operational costs by eliminating the need for most remote site visits with the AlterPath OnSite, Cyclades' newest out-of-band infrastructure (OOBI) appliance specifically designed for small, remote branch office management. The AlterPath OnSite combines the functionality of Cyclades ACS (advanced console server) and Cyclades KVM/net (KVM over IP) to deliver serial console control, KVM control and power control (through the AlterPath PM power control unit) in a single, easy-to-use appliance. Visit Cyclades at Microsoft Tech Ed in Orlando, Florida, June 6-9, Booth #228 and #230.
http://list.windowsitpro.com/t?ctl=AB2B:4FB69

====================

==== 1. In Focus: Netscape 8.0 Security ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Netscape Communications' Netscape Browser 8.0 was released last week. I downloaded a copy and found that it has some impressive features, two of which are great innovations that I think are worth a close look.

First, Netscape 8.0 can use both the Mozilla Firefox and Microsoft Internet Explorer (IE) rendering engines, which means that if you use it, you no longer have to open two browsers to get maximum functionality while surfing the Web. The IE engine is enabled by default for "trusted sites," and you can change that setting so that the Firefox engine is used by default instead. A menu option (Tools, Rendering Engine) lets you switch back and forth between the engines on the fly.

Second, configuring Netscape 8.0 is fairly simple, especially if you're familiar with Firefox. The Options dialog boxes are nearly identical in both browsers. However, one Netscape 8.0 feature that you won't find in Firefox is the Site Controls, which are similar to IE's security zones.
With Site Controls, you can define master settings that determine how the browser will behave for each site you visit. There are four master settings: "I Trust This Site," "I'm Not Sure," "I Don't Trust This Site," and "Local Files." These are equivalent to IE's Trusted Sites, Internet, Restricted Sites, and Local Intranet zones, respectively. For each zone in Netscape 8.0, you can enable or disable various Web features, such as Java, JavaScript, cookies, pop-up windows, and ActiveX controls. You read that last item right--Netscape 8.0 supports ActiveX!

You can customize the master settings on a per-site basis for any sites you've added to any of the zones. Adding sites to a zone is simple. After you have a site open in the browser, right-click its tab and select Site Controls. Doing so presents a dialog box in which you can specify the zone the site should belong to and customize individual settings. You can also define a default rendering engine on a per-zone or per-site basis.

A third new security feature (also part of Site Controls) is Trust Ratings. If you enable this feature, you're relying on a third party to determine whether you should trust a Web site's content and whether it's OK to enter sensitive information at that Web site. The third party maintains catalogs of trusted and untrusted sites. The catalogs are automatically downloaded to the browser based on a schedule you define. For example, you can refresh the catalogs hourly, daily, or weekly.

What Trust Ratings lacks is any information about who creates the catalogs, what classification criteria are used, and a way to view the catalogs. The feature requires that you trust it blindly to decide on your behalf. Thus, I think this feature is less useful than it could be.

Netscape 8.0 has other security-related features, some of which are similar to ones in Firefox. For example, Datacard Manager helps store information you might enter in Web forms.
Passcard Manager helps you store frequently used passwords. Netscape 8.0 also supports themes and extensions. All those features are found in Firefox.

Netscape 8.0 also has a handy toolbar button that erases the browser history and a Web mail manager that lets you configure account information for commonly used services such as MSN Hotmail, Yahoo!, Google's Gmail, America Online (AOL), and others. Those features don't come as standard components of Firefox, but extensions that offer such functionality are probably available.

Another feature not found in Firefox is statistics gathering. Netscape 8.0 can gather numbers about customers' browser feature usage, send them back to developers (while preserving customers' anonymity, of course), and use these statistics to improve future versions of the browser.

As you would expect, when you install Netscape 8.0, you can import settings (such as preferences, cookies, browsing history) from other installed browsers, including Firefox, IE, and Opera. Although the installation routine did import all my settings, it didn't import all my search engine plug-ins, so that's one area that needs some improvement.

One thing I'm not clear about yet is how Netscape 8.0 actually uses the IE rendering engine and ActiveX controls. Does Netscape 8.0 respect the security zone settings as defined in IE? When I configure Netscape 8.0 to use the IE rendering engine, does it somehow map its own zones to IE zones to use the IE zone settings in the registry? Does it respect my IE zone settings for ActiveX behavior, such as disabling the download of unsigned controls? I did some basic testing to try to determine the functionality, and Netscape 8.0 didn't appear to use IE zone settings, but I could be wrong. If you have any information to help explain what goes on under the hood, please send me an email message with the details.
Overall, Netscape 8.0 seems like an excellent solution, particularly because of the new Site Controls and its use of both the IE and Firefox rendering engines. You can download a copy at the URL below and take it for a test drive.

Note that Netscape 8.0 is based on Firefox 1.0.3 code. As such, it inherited the same security problems that were present in that Firefox version. Netscape 8.0.1 has been released to correct those problems.
http://list.windowsitpro.com/t?ctl=AB29:4FB69

====================

==== Sponsor: Postini ====

Anti-Spam product not working? What more companies are switching to... and why.

Many email administrators are experiencing increased frustration with their legacy anti-spam products as they battle new and more dangerous email threats. In-house software, appliances and even some services may no longer work effectively, require too much IT staff time to update and maintain, or satisfy the email security needs of different users. In this free white paper learn why many companies are switching to a managed service solution. You'll find out how to get better accuracy and effectiveness, lower overhead and administrative costs, get more flexible end user controls, improve service and support and more. Download your free copy now!
http://list.windowsitpro.com/t?ctl=AB14:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=AB1B:4FB69

Windows TCP/IP Woes

The Land attack method has been known to the public at least since November 1997. When a Windows system receives a SYN packet that contains the same source and destination address, the packet could cause a minor Denial of Service (DoS).
Microsoft issued a patch to fix the problem in IPv4, but the company's IPv6 implementation is still vulnerable.
http://list.windowsitpro.com/t?ctl=AB1E:4FB69

NT OBJECTives Offers Two Free Security Tools

NT OBJECTives announced that it has made its ntoinsight 2.0 Web site analysis tool and ntoweb vulnerability assessment tool available as freeware. Ntoinsight catalogs a Web site's content, architecture, and dependencies, and can identify areas that might be used as attack points by intruders. Ntoweb is a plug-in that lets ntoinsight use the Nikto vulnerability database.
http://list.windowsitpro.com/t?ctl=AB20:4FB69

====================

==== Resources and Events ====

Safeguard Your Exchange Servers--Plus Receive a Free eBook

Managing storage growth, providing application resiliency, and handling small errors and problems before they grow are all important aspects of boosting your Exchange Server uptime. In this free Web seminar, discover how storage and application management techniques for Exchange can be used to improve the resiliency and performance of your Exchange infrastructure. Register now and get a free eBook!
http://list.windowsitpro.com/t?ctl=AB11:4FB69

Streamline Desktop Deployments

Managing desktop software configurations doesn't have to be a manual process, resulting in unplanned costs, deployment delays, and client confusion. In this free Web seminar, find out how to manage the software package preparation process and increase your desktop reliability, user satisfaction, and IT cost effectiveness. You'll learn how to simplify the deployment and configuration process, starting with the new-application request, review, and approval process and progressing through software packaging and deployment.
http://list.windowsitpro.com/t?ctl=AB16:4FB69

Here's Your Chance To Earn $100

If you're going to TechEd 2005, we want you! Now's the time to tell us what you think--click here to see if you qualify to participate in this exclusive focus group opportunity.
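The "Windows TCP/IP Woes" item above describes the Land attack as a SYN whose source and destination address match. The detector below, an added example written for this page rather than code from the newsletter or from Microsoft, parses raw IPv4 and IPv6 frames and flags exactly that condition on both IP versions; the frames it runs on are constructed inline with zeroed checksums, not captured traffic.

```python
"""Flag Land-style TCP SYN packets (source address == destination address)
in raw IPv4 and IPv6 frames.

Added example for this page; not code from the newsletter or from
Microsoft.  The sample frames are constructed inline with zeroed
checksums, which the detector deliberately does not validate.
"""
import ipaddress
import struct
from typing import Dict, List, Optional

PROTO_TCP = 6
TCP_SYN = 0x02
TCP_ACK = 0x10


def parse_packet(raw: bytes) -> Optional[Dict]:
    """Extract addresses, ports and TCP flags from an IPv4 or IPv6 packet.

    Returns None for anything that is not a readable TCP segment.  IPv6
    extension headers are not walked: a packet whose Next Header is not
    TCP is ignored, a conservative choice for a detector.
    """
    if not raw:
        return None
    version = raw[0] >> 4
    if version == 4 and len(raw) >= 20:
        header_len = (raw[0] & 0x0F) * 4
        proto = raw[9]
        src = ipaddress.IPv4Address(raw[12:16])
        dst = ipaddress.IPv4Address(raw[16:20])
        payload = raw[header_len:]
    elif version == 6 and len(raw) >= 40:
        proto = raw[6]                      # Next Header field
        src = ipaddress.IPv6Address(raw[8:24])
        dst = ipaddress.IPv6Address(raw[24:40])
        payload = raw[40:]
    else:
        return None
    if proto != PROTO_TCP or len(payload) < 14:
        return None
    sport, dport = struct.unpack("!HH", payload[:4])
    flags = payload[13]                     # low byte of the TCP flags word
    return {"version": version, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "flags": flags}


def is_land_packet(raw: bytes) -> bool:
    """True for a bare SYN whose source and destination address are equal.

    Legitimate traffic never carries such a SYN across a network interface
    (only loopback talks to itself), so a match is a strong signal of the
    Land attack on either IP version.
    """
    pkt = parse_packet(raw)
    if pkt is None:
        return False
    syn_only = bool(pkt["flags"] & TCP_SYN) and not (pkt["flags"] & TCP_ACK)
    return syn_only and pkt["src"] == pkt["dst"]


def scan(packets: List[bytes]) -> List[str]:
    """Return one alert line per Land packet found in a list of raw frames."""
    alerts = []
    for idx, raw in enumerate(packets):
        if is_land_packet(raw):
            p = parse_packet(raw)
            same_port = " (same port)" if p["sport"] == p["dport"] else ""
            alerts.append(f"packet {idx}: IPv{p['version']} Land SYN "
                          f"{p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}{same_port}")
    return alerts


# --- constructed sample frames (not captured traffic) ----------------------

def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Minimal IPv4 + TCP header pair, no options, zeroed checksums."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, PROTO_TCP, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return ip + tcp


def build_ipv6_tcp(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Minimal IPv6 + TCP header pair, Next Header = TCP, zeroed checksum."""
    ip = struct.pack("!IHBB16s16s", 0x60000000, 20, PROTO_TCP, 64,
                     ipaddress.IPv6Address(src).packed,
                     ipaddress.IPv6Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    sample = [
        build_ipv4_tcp("192.0.2.7", "192.0.2.50", 40001, 445, TCP_SYN),      # normal SYN
        build_ipv4_tcp("192.0.2.50", "192.0.2.50", 139, 139, TCP_SYN),       # IPv4 Land
        build_ipv6_tcp("2001:db8::50", "2001:db8::50", 3389, 3389, TCP_SYN), # IPv6 Land
        build_ipv6_tcp("2001:db8::50", "2001:db8::50", 3389, 3389, TCP_SYN | TCP_ACK),
    ]
    for line in scan(sample):
        print(line)
```

The same check fits naturally as a filter in front of an IDS or a host firewall; the point of covering IPv6 is that a fix applied only to the IPv4 stack, as the item notes, leaves the other version exposed.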
http://list.windowsitpro.com/t?ctl=AB1D:4FB69

Get Ready for SQL Server 2005 Roadshow in Europe

Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now!
http://list.windowsitpro.com/t?ctl=AB17:4FB69

Get on the 64-Bit Bandwagon

In this free, on-demand Web seminar, you'll learn the most important factors and best uses of 64-bit technology. Join industry expert Mike Otey as he compares 32-bit and 64-bit technology and reveals the best platform for high performance. You'll also learn how to successfully migrate and manage the two. Register now!
http://list.windowsitpro.com/t?ctl=AB18:4FB69

====================

==== Featured White Paper ====

Test Your Security Configuration

Today, vulnerability-scanning hackers, Internet-traveling worms, and roving bots are common. You should conduct regular vulnerability and penetration testing audits to validate your security policy. In this free white paper, learn how to identify and fix vulnerabilities, discover and use vulnerability assessment tools, evaluate your security investment, and more. Download your free copy now!
http://list.windowsitpro.com/t?ctl=AB10:4FB69

====================

==== Hot Release ====

Saving Time and Money with Network Faxing

Despite the rise of e-mail and the Internet, fax continues to be an important means of business communication. Organizations can save significantly on long distance costs, increase worker productivity, and streamline their business processes simply by connecting a fax server to their local area network. Get this white paper now!
http://list.windowsitpro.com/t?ctl=AB15:4FB69

====================

==== 3.
Security Toolkit ====

Security Matters Blog: Hack IIS 6.0
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=AB25:4FB69

Feel like testing your hacking skills against IIS? If you can break into the test server, you'll win an Xbox. Head over to http://list.windowsitpro.com/t?ctl=AB2C:4FB69 and read the rules of engagement. The contest ends June 8.
http://list.windowsitpro.com/t?ctl=AB21:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=AB23:4FB69

Q: How can I restrict the application of Group Policy Objects (GPOs) depending on the client machine's OS?

Find the answer at
http://list.windowsitpro.com/t?ctl=AB1F:4FB69

Security Forum Featured Thread: Accessing the Security Log on a DC

A forum participant writes that he has a third-party audit tool running in Active Directory on Windows Server 2003. The configuring administrators of the audit tool aren't domain administrators, but they must have access to the Security log of the DCs to get the needed events. Is it possible to give access to the Security log on a DC without a membership in Domain Admins? Join the discussion at
http://list.windowsitpro.com/t?ctl=AB12:4FB69

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Why Do You Need the Windows IT Pro Master CD?

There are three good reasons to order our latest Windows IT Pro Master CD. One, because it's a lightning-fast, portable tool that lets you search for solutions by topic, author, or issue. Two, because it includes our Top 100 Windows IT Pro Tips. Three, because you'll also receive exclusive, subscriber-only access to our entire online article database. Click here to discover even more reasons:
http://list.windowsitpro.com/t?ctl=AB22:4FB69

Nominate Yourself or a Friend for the MCP Hall of Fame

Are you a top-notch MCP who deserves to be a part of the first-ever MCP Hall of Fame? Get the fame you deserve by nominating yourself or a peer to become a part of this influential community of certified professionals.
You could win a VIP trip to Microsoft and other valuable prizes. Enter now--it's easy:
http://list.windowsitpro.com/t?ctl=AB19:4FB69

====================

==== 4. New and Improved ====

by Renee Munshi, products@windowsitpro.com

Control Your Network Traffic

Lightspeed Systems offers Total Traffic Control (TTC) 5.03 for schools, government departments, and businesses. TTC 5.03 performs content filtering, spam blocking, bandwidth management, and reporting. TTC 5.03 incorporates a Security Agent, which augments virus signature matching with behavior analysis to identify and prevent malicious threats. The Security Agent enables administrators to quickly classify any undesirable application as a known malicious program and distribute that information to systems on the network. TTC 5.03 also has new spam-blocking techniques and can block Web searches on words that you specify. For more information, go to
http://list.windowsitpro.com/t?ctl=AB28:4FB69

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Sponsored Links ====

Symantec and Gartner Present Client Resilience
Symantec Webcasts: Ensure devices are available and compliant.
http://list.windowsitpro.com/t?ctl=AB2D:4FB69 Converting a Microsoft Access Application to Oracle HTML DB Convert MS Access into a Web application for multiple users. Download now! http://list.windowsitpro.com/t?ctl=AB2E:4FB69 Protecting Your Company by Managing Your Users' Internet Access Internet access within an organization can represent a legal & security risk http://list.windowsitpro.com/t?ctl=AB13:4FB69 ==================== ==== Contact Us ==== About the newsletter -- letters@windowsitpro.com About technical questions -- http://list.windowsitpro.com/t?ctl=AB27:4FB69 About product news -- products@windowsitpro.com About your subscription -- windowsitproupdate@windowsitpro.com About sponsoring Security UPDATE -- emedia_opps@windowsitpro.com ==================== This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today. http://list.windowsitpro.com/t?ctl=AB1C:4FB69 View the Windows IT Pro privacy policy at http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy Windows IT Pro, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2005, Penton Media, Inc. All rights reserved. From isn at c4i.org Fri May 27 03:26:53 2005 From: isn at c4i.org (InfoSec News) Date: Fri May 27 03:38:05 2005 Subject: [ISN] FBI Investigates Stanford Computer Breach Message-ID: http://www.washingtonpost.com/wp-dyn/content/article/2005/05/25/AR2005052501792.html The Associated Press May 25, 2005 PALO ALTO, Calif. -- The FBI is investigating a computer security breach at Stanford University that resulted in the theft of personal data including letters of recommendation and Social Security numbers for nearly 10,000 people. 
The breach happened May 11, when someone from outside the university gained access to the school's network, Stanford general counsel Debra Zumwalt said Wednesday. The university would not say whether the breach happened as a result of a remote hacker, the physical theft of a laptop or other typical means of network penetration.

Stanford began mailing notifications Monday to about 300 recruiters and 9,600 others, mostly students, who visited the school's Career Development Center since 1996. The electronic dossiers generally did not include financial information such as credit card numbers or driver's license numbers.

The mailings complied with a state law that took effect in 2003 and requires organizations to notify California residents whenever personal data has been compromised. So far, school officials say, there's been no evidence of identity theft resulting from the breach.

When the university learned that someone had accessed the network, security officials temporarily disabled the career center's computers and reported the incident to the San Jose field office of the FBI.

"Protection of confidential information is a high priority of Stanford," Zumwalt said. "Since this incident, we have been working to understand this breach of our system and ways to prevent a reoccurrence."

The breach is the latest to affect a major California university. In one of the state's largest security breaches, the University of California, Berkeley warned 1.4 million Californians that a problem in October had exposed the names, addresses, Social Security numbers and birthdays of people who had participated in a state in-home care program.

From isn at c4i.org Fri May 27 03:27:09 2005
From: isn at c4i.org (InfoSec News)
Date: Fri May 27 03:38:07 2005
Subject: [ISN] GAO: DHS cybersecurity plans need more work
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,102049,00.html

By Linda Rosencrance
MAY 26, 2005
COMPUTERWORLD

The U.S. Department of Homeland Security must do more to protect the nation's critical information infrastructure, according to a report released today by the Government Accountability Office [1].

While the agency has begun efforts to fulfill its cybersecurity duties, "it has not fully addressed any of the 13 [primary] responsibilities, and much needs to be done," the GAO said.

Those responsibilities include developing a national plan for critical infrastructure protection that includes cybersecurity; developing partnerships and coordinating efforts with other federal agencies, state and local governments and the private sector; improving public/private sharing of information on cyberattacks, threats and vulnerabilities; and developing and improving national cyberanalysis and warning capabilities.

The DHS has already established the U.S. Computer Emergency Readiness Team (U.S. CERT) as a public/private partnership to make cybersecurity a coordinated national effort, the GAO said. And it has established forums designed to build trust and information sharing among federal officials with information security responsibilities and law enforcement entities.

But it has not yet developed national cyberthreat and vulnerability assessments or contingency plans for cybersecurity -- including a plan for recovering key Internet functions, the GAO said.

The report prompted members of Congress to call on the DHS to get moving.

"I am troubled that more progress has not been made," Sen. Joseph I. Lieberman (D-Conn.) said in a statement [2]. "We have a long road ahead before the cyberstructure that underpins our nation's critical infrastructure is secured from pranksters and saboteurs."

Rep. Bennie G. Thompson (D-Miss.), ranking member of the House Committee on Homeland Security, said in a statement he is concerned that "the DHS is bogged down by the wrong priorities and is unable to carry out its responsibility to improve the nation's cybersecurity infrastructure protections."

Thompson noted that the DHS needs to do more to develop its ability to analyze computer-based threats, something the GAO urged the department to complete in 2001.

"As long as the department is not our nation's focal point for cybersecurity, our critical infrastructures remain largely unprepared or unaware of cybersecurity risks and how to respond to cyberemergencies," he said. "This is unacceptable, as so much of our daily lives -- from our banking to our water and electricity supplies -- rely on a strong cyberinfrastructure."

Rep. Zoe Lofgren (D-Calif.) said that the GAO report only confirms what Congress has known all along -- that the homeland security agency has failed to meet its responsibility for critical infrastructure protection. Lofgren, the ranking member on the House Homeland Security Subcommittee on Intelligence, Information Sharing, and Terrorism Risk Assessment, is one of the representatives who requested the report.

"And even worse, this report proves that a national plan to secure our cybernetworks is virtually nonexistent," said Lofgren in a statement. "There is no doubt that these vulnerabilities will continue to hamper our homeland security efforts if we do not make cybersecurity a major priority."

According to the GAO, the department faces a number of challenges that have hindered its efforts to protect the nation's critical information infrastructure. Those challenges include achieving organizational stability; gaining organizational authority; overcoming hiring and contracting issues; increasing awareness about cybersecurity roles and capabilities; establishing effective partnerships with stakeholders; achieving two-way information sharing with those stakeholders; and demonstrating the value it can provide.

Although the DHS has identified beginning steps to address cybersecurity challenges, "until it confronts and resolves these underlying challenges and implements its plans, DHS will have difficulty achieving significant results," according to the report.

In written comments based on a draft of the GAO report, DHS officials agreed with the need to prioritize its cybersecurity responsibilities, but disagreed with the recommendations on how best to solve its problems. It asked the GAO for more information on the recommendations and said its strategic plan includes a prioritized list of key activities that are reviewed and updated on a quarterly basis.

DHS officials could not be reached for comment today.

[1] http://www.gao.gov/new.items/d05434.pdf
[2] http://www.house.gov/apps/list/press/ca16_lofgren/pr_052605_GAO_Critical_Infrastructures.html

From isn at c4i.org Fri May 27 03:27:24 2005
From: isn at c4i.org (InfoSec News)
Date: Fri May 27 03:38:10 2005
Subject: [ISN] Mad as hell, switching to Mac
Message-ID:

http://www.networkworld.com/columnists/2005/052305schwartau.html

By Winn Schwartau
Network World
05/23/05

This is my first column written on a Mac - ever. Maybe I should have done it a long time ago, but I never said I was smart, just obstinate. I was a PC bigot. But now, I've had it. I'm mad as hell and I'm not going to take it anymore.

In the coming weeks I'm going to keep a diary of an experiment my company began at 6 p.m. April 29, 2005 - an experiment predicated on the hypothesis that the WinTel platform represents the greatest violation of the basic tenets of information security and has become a national economic security risk.

I do not say this lightly, and I have never been a Microsoft basher, either. I never criticize a company without a fair bit of explanation, justification and supportive evidence. I have come to the belief that there is a much easier, more secure way to use computers.
After having spent several years focusing my security work on Ma, Pa and the Corporate Clueless [1], I also have come to the conclusion that if I'm having such security problems, heaven help the 98% of humanity who merely want a computer for e-mail and multimedia.

Even though I'm a security guy going on 22 years now, my day-to-day work is pretty much like everyone else's. I live on laptops and use my desktops at home and the office for geeking and experimenting. My two day-to-day laptops (two, for 24/7 backup) are my business machines. I don't need them to do a whole lot - except work reliably, which is why I am fed up with WinTel.

I want my computer to function every time I turn it on. I want my computer to not corrupt data when it does crash. I use a handful of applications: Microsoft Office, e-mail, browser, FTP client and some multimedia toys. Regardless of format, they should work without crashing. I live on the 'Net. I do not want my browser to eat up all of my memory. In the WinTel world I need an assortment of third-party tools to try to keep my PC alive. That's just crazy.

Why does WinTel have these problems? I have heard all sorts of explanations, and I don't subscribe to any of them. I've come up with my own (hopefully rational) reasons WinTel will fail - and has to fail:

Windows is complex, trying to be everything to everyone. This complexity comes at a terrible price: downtime, help desks, upgrades, patches and the inevitable failures. When a new operating system or service pack is released, there are tons of changes to the functionality.

WinTel machines use different versions of BIOS. They are not all equal, nor do they all have the same level of compatibility.

Some Windows software applications are well written; others take shortcuts. Shortcuts may work in some environments, but not all, and ultimately the consumer pays in lost time, availability and productivity.

Hardware. There are hundreds of "WinTel-compatible" motherboards, each claiming to be better than the next. Whatever.

Memory. Not all RAM is equal. Some works well. Cheap stuff doesn't.

Hard disks. Same problem: cheap or reliable. Your call.

Here's my answer to the WinTel problem: We need an open Simple Operating System (SOS) that meets the needs of the majority of people who buy PCs for everyday home and enterprise tasks. Get rid of the complexity and simplify the interface between SOS, BIOS and hardware. In other words, KISS. You know what it means. KISS SOS.

Because SOS doesn't exist yet, my company has given up on WinTel. We have successfully moved to Mac in less than two days. Think about it: a security-friendly alternative that works and doesn't require gobs of third-party utilities to safely perform the most mundane tasks.

Please follow the details of our experiment at http://securityawareness.blogspot.com. It's already way more interesting than I thought it would be.

[1] http://securityawareness.blogspot.com/

From isn at c4i.org Tue May 31 03:05:39 2005
From: isn at c4i.org (InfoSec News)
Date: Tue May 31 03:21:20 2005
Subject: [ISN] DND's new threat: disgruntled bureaucrats
Message-ID:

Forwarded from: William Knowles

http://www.canada.com/ottawa/ottawacitizen/news/story.html?id=60aaa14a-2a5f-47e1-9a8d-3fbb919529cc

David Pugliese
The Ottawa Citizen
May 29, 2005

Step aside terrorists, teenage computer hackers and members of the Chinese military. Once thought of as being the most likely perpetrators in any cyber attack on military computer networks, they have now been replaced by an even more nefarious threat -- disgruntled Ottawa public servants.

A war game scenario put together by the Department of National Defence details how federal workers, during a tense and lengthy labour dispute, try to bring down the military's main computer system.
In the scenario, the attack comes from inside National Defence headquarters on Colonel By Drive, perpetrated by a civilian employee who embeds a virtually undetectable malicious computer code to disrupt operations.

The exercise, dubbed "Scenario 10 -- Defence of North America Cyber Attack Variant," argues that it is entirely plausible that a smaller, deliberate attack by a Defence Department employee, such as corrupting data through various means, might take place during labour negotiations.

"However, in a prolonged and vexed strike (like in the one featured in this scenario), a more serious attack (for instance, data contamination by a knowledgeable employee as illustrated in this scenario) could be expected," Scenario 10 states.

The document was obtained by the Citizen through the Access to Information law.

Defence analysts, as well as military and civilian intelligence reports, tend to focus on terrorists, foreign countries, in particular China, or hackers with no cause except to create chaos, as the usual potential perpetrators of a large-scale disruptive cyber attack.

Scenario 10 does briefly mention that other nations, terrorists and hackers out to create problems are all potential culprits. Scenario 10 does not, however, detail why the threat from disgruntled public servants was elaborated on and turned into a threat scenario.

"It is also possible that an employee who has been influenced by an outside agency or a hostile country or organization might propagate an internal attack," the documents add.

A more serious threat, although less likely, would be if a civilian employee gained access to the department's classified computer networks, according to the records.

The Defence department could not respond to a Citizen request for comment.

Defence union chief John MacLennan said he was aware of the Scenario 10 report, but he described the events contained in the documents as unlikely to happen. Mr. MacLennan said it is doubtful that a labour organization would do such a thing, although he conceded there could be disgruntled employees either in or out of uniform.

"You've got irate military (personnel) in there too," said Mr. MacLennan, national president of the Union of National Defence Employees.

Mr. MacLennan noted that, in terms of security issues, his organization supports the department, adding that after the Sept. 11, 2001 attacks on the U.S., his union, then involved in a labour dispute, pulled down its pickets around military bases within 20 minutes.

The Professional Institute of the Public Service, which represents some of the department's scientific and technical employees, declined to comment on Scenario 10.

In the past, Defence department computers have had their share of hacker attempts. In 2003, hackers were able to gain access to military computers on at least 10 occasions. In other cases, Defence department employees were being targeted by suspicious e-mails designed to plant viruses and other malicious codes inside military computers. At least one computer was compromised by such a mystery e-mail in 2003.

In 1999, it took a 17-year-old high school student in the U.S. just 10 minutes to breach the Defence Department's computer system. "The DND site was an easy target," Russell Sanford told the Citizen in 2002. "It was pretty weak."

Mr. Sanford said he went in and out of the military computer network over a period of three days. When the Citizen story emerged, Defence officials acknowledged the breach, but claimed the teenager was only able to infiltrate the department's Internet website, which did not contain any classified information.

But the teen claimed that he had hacked into one of the department's secure computers via its public website. While he did not access or intercept any classified data, Mr. Sanford said he could have done so if he had wanted to. Instead, he left tips on the website on how the military could improve its computer security.

(c) The Ottawa Citizen 2005

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Tue May 31 03:06:51 2005
From: isn at c4i.org (InfoSec News)
Date: Tue May 31 03:21:23 2005
Subject: [ISN] Infrared meets speed and security needs
Message-ID:

http://www.computerweekly.com/articles/article.asp?liArticleID=138738

By John Earley
31 May 2005

You would be forgiven for believing that infrared data connectivity has been sidelined by the arrival of radio frequency wireless Lan standards-based equipment, which has enjoyed phenomenal exponential growth in recent years.

But with more than 500 million infrared interfaces shipping each year, it clearly dwarfs WLan in the volume race. And don't assume that this market is sustained by remote-control units, for nearly half of the interfaces shipped conform to the Infrared Data Association (IRDA) standard, which clearly targets data communication.

Famously associated with applications such as personal digital assistant to laptop synchronisation, PDA business card exchange and short-haul mobile phone data transfer, IRDA, with its short range and relatively low 4mbps throughput, was understandably discounted by the IT community as irrelevant for WLan application.

Infrared has squared up to recent competition from Bluetooth, an alternative radio frequency communications standard designed to support similar connectivity to IRDA. Simple set-up and good reliability initially secured IRDA's popularity over Bluetooth.
More recently, questions about Bluetooth's inherent insecurity have reinforced IRDA's popularity. IRDA, with its range limit of 1m and inability to penetrate walls, is extremely secure. Bluetooth, on the other hand, is mired in controversy, with numerous hacking stories and reminders to users to disable it when not in use.

But really, the battle with Bluetooth is small beer in comparison with the prize of ubiquitous connectivity on which IRDA is focused. IRDA is on the move, with activity and initiatives that are likely to further increase the already significant number of unit shipments.

Moreover, emerging applications will cause pause for thought and re-evaluation of infrared and its benefits for widespread data communications uses. This even applies to WLan, particularly where security is paramount or third-party interference is affecting the user experience.

The infrared supplier community has embraced the challenge to deliver data rates in excess of 100mbps, with talk of possibly achieving 500mbps to accommodate a wide range of imaginative applications for which real demand has already been identified in Japan and the Far East.

Two immediate applications that are set to transform our lives are multimedia file transfers and electronic funds transfer at the point of sale.

Fast-connect methods allow near instant exchange of high-definition photos between digital cameras, phones, PDAs and, potentially, television sets over infrared transmissions. An interface to television sets of the future will enable home users to simply view their photo albums through their TV where the whole family can gather round.

Next generation multimedia file transfer will be more demanding of technology than traditional Jpeg photos or short audio files and ring tones. In the near future consumers will be able to download video films from kiosks, which are already being designed and built and will soon be installed at stores, railway stations and airports.

The video rental industry is preparing for change far more significant than the recent migration from video tape to DVD. The concept is simple. Before embarking upon a journey the consumer downloads a film to their phone or PDA for viewing en route.

Both radio frequency WLan and Bluetooth are inappropriate vehicles, since it would not take long for people to work out how to share a single download. Infrared, on the other hand, cannot permeate walls or physical barriers and, with the IRDA specification limiting range to 1m, it is ideal for this application.

Of course the size of the files in question renders a throughput of 4mbps or 16mbps inadequate, but with potential data rates exceeding 100mbps in the relatively near future IRDA is set to offer sufficient performance to satisfy users rushing for planes and trains.

In making a quantum leap in data rates, IRDA has not forgotten the mantra of low power consumption, essential for portable equipment, and another area in which it scores over radio frequency WLan.

It is not unreasonable to assume that the same application will migrate to set-top TV boxes where a home user will be able to point a phone or PDA and upload a film for viewing later. When combined with the digital wallet of the future the commercial opportunities are immense.

For this vision to become reality it will be necessary for IRDA to review its commitment to short range, but there are pressures to do so from a variety of sources.

The mobile phone is fast becoming a digital wallet. If you browse the menu of a modern device, you will see options to store credit card details. At first glance this would appear to be a useful data back-up. However, trials already under way in Japan point to a more functional objective.

Currently you carry a wad of credit cards with magnetic stripes and intelligent chips, storing information that allows you to purchase goods and services. In addition to your credit/debit card details, other information that could easily be stored on your phone might include passes for public transport, discount tokens and awards/loyalty points.

At the point of sale, you will point and shoot your digital wallet to an Epos terminal, a vending machine, car parking barrier, railway station access gate etc, to pay.

There are strong return on investment arguments to support the business case. Retailers are excited by the opportunity to speed up transactions at the point of sale and, along with the banking fraternity, see obvious benefits in digital receipts that will be issued to your phone as opposed to the paper-based, easily misplaced alternative.

From a consumer standpoint, ease of use (imagine never having to queue for a train or bus ticket) coupled with the potential personal money management programs that will doubtless accompany the technology, make the proposition equally attractive.

IRDA has a special interest group targeting this initiative. The group is already in collusion with other standards bodies, including retail and banking consortia to ensure a universal, dependable and secure service.

With security clearly paramount, IRDA wins out as the obvious communications medium with its high speed, low distance and limited field of view, coupled with a low power consumption rate. IRDA has obvious security attractions that cannot be matched by WLan or Bluetooth.

Considerable work has been completed by the infrared financial messaging group and trials are under way. Commercially available RS232 to IRDA adaptors ensure low-cost easy upgrade of existing Epos terminals and vending equipment.

For sceptics concerned about the ramifications of having a phone stolen it is worth noting that the pilot projects are largely taking place in Japan, where the 40 million strong mobile phone user base is less concerned about phone theft.
In any event, it is arguably much easier for credit to be abused with card-based systems than it will be with a digital wallet.

A number of emerging applications are likely to move IRDA to endorse a variety of standards in much the same way that the IEEE concerns itself with multiple media for data communications.

A practical TV-based photo album, for example, is likely to see consumers demanding communications distances greater than 1m to allow the family to sit around the living room for the show. Pointing and uploading Powerpoint slides one at a time to projectors will doubtless need to afford the presenter an opportunity to move around a stage at will, once again giving cause for reviewing extensions to the 1m limit.

An application that has been presented to IRDA supporting distances of 300m or more is already being embraced by highways agencies in Korea, Europe and the US that are seeking low-cost dependable methods for collecting motorway tolls.

To date, radio frequency products have dominated this market, but there are attractions to infrared. The lower cost of communications components is not lost on agencies or consumers. Equally important is modern infrared technology's tolerance to third-party interference, notably metallic elements in windscreens, which have the propensity to block radio frequency communication.

Add your electronic wallet and it becomes clear that infrared should be actively considered for longer-range communications, which leads to the potential for a WLan architecture based on infrared.

About six years ago, I extolled the virtue of infrared WLan at an international press symposium, only to be largely dismissed by a community naturally excited by the success of emerging radio frequency standards. But with the throughput achievements that I predicted at the time now becoming a reality, it begs the question what advantages infrared WLan could bring over radio frequency alternatives.

Radio frequency WLans are not utopian. There is third-party interference from microwave ovens, Dect phones and Bluetooth devices. There are security concerns surrounding an inability to trap radio waves within a building, and there are spectrum planning challenges coming to the fore as we begin to saturate the airwaves.

Infrared cannot penetrate walls, and this gives a high degree of control over data leakage. It is not subject to spectrum restrictions, as is the case with radio frequency communications, alleviating much of the potential radio planning hassle.

Until now data rates, range and field of view limitations have made IRDA-based technology unsuitable for WLan applications. But with the prospect of these issues being addressed in a standards-compliant manner there is a distinct possibility that low-cost infrared products will emerge, where it will have particular appeal in certain environments.

Within military and other high security environs, high-speed infrared WLan offers ease of secure implementation. In hospitals, aircraft and other applications where third-party equipment is sensitive to radio frequency interference, an infrared WLan can be safely and easily deployed.

And who knows, once infrared WLan equipment becomes commercially available it is not inconceivable that the low-cost architecture of the communications system may make the apparently collapsed prices of radio frequency WLan equipment today seem outrageously expensive.

John Earley is general manager at wireless research firm Supergold

-0-

What is IRDA and what is it for?

The Infrared Data Association is a membership-based organisation. It was founded in 1993 and is dedicated to developing standards for wireless, infrared transmission systems between computers. IRDA ports fitted to a laptop or personal digital assistant can exchange data with a desktop computer or use a printer without a cable connection.

Just as a TV remote control requires line-of-sight access, IRDA transmissions are restricted by obstacles and walls, which can be a security benefit.

The IRDA serial infrared physical layer provides a half-duplex connection of up to 115.2kbps. At this speed a low-cost chip can be used, although more expensive, high-speed extensions up to 4mbps for fast infrared have also been defined.

To enable the simultaneous handshaking and multiplexing of several different data streams IRDA uses the infrared link access protocol and the infrared link management protocol.

www.irda.org

(c) 2004 ComputerWeekly.com Ltd.

From isn at c4i.org Tue May 31 03:07:13 2005
From: isn at c4i.org (InfoSec News)
Date: Tue May 31 03:21:26 2005
Subject: [ISN] Laptop lockdown
Message-ID:

http://australianit.news.com.au/articles/0,7204,15431809%5E15864%5E%5Enbv%5E,00.html

Selina Mitchell
The Australian
MAY 31, 2005

EMPLOYEES may be able to use a notebook computer almost anywhere, but equally, a laptop can be stolen from almost anywhere.

An unexpected destination for a corporate traveller is often the local police station to report a stolen laptop. The handy little lightweights are swiped from cars, homes, airports and hotels as well as businesses. As the rate of notebook use increases in business, so does the number of thefts.

The notebook itself may be expensive to replace, but the data on the system is sometimes priceless. Depending on the nature of the data and how well it is protected, the theft could lead to the leaking of state or company secrets and the downfall of a company or even a government.

It is impossible to fully protect every laptop-toting individual from thieves, but there are products designed to make theft harder, and to protect data even if the hardware is stolen.

The fear of data theft, accidental or intended, has led some laptop purchasers to begin demanding better built-in security from vendors.
Figures on notebook thefts in Australia each year can only be estimated, as not all thefts are reported and there is no national tally. The Australian Computer Emergency Response Team's 2004 Australian Computer Crime and Security Survey reports that 58 per cent of respondents experienced laptop theft in the past 12 months, up from 53 per cent in 2003. According to 63 per cent, the laptop theft had resulted in financial loss, ranging from as little as $1000 to as much as $200,000. The average loss was $17,670 ? well down on the $27,500 quoted in last year's survey and perhaps reflecting lower costs of laptops. The total annual loss of $1.5 million accounted for 9 per cent of total losses from computer crime, behind virus infections, computer-facilitated financial fraud, and degradation of network performance because of network scanning. Almost three quarters of those surveyed said they had increased spending on computer security in the past 12 months. "The readiness of organisations to protect their IT systems has improved in three key areas: the use of information security policies, the use of information security standards or guides, and the number of organisations with experienced, trained, qualified or certified staff," the report says. However, despite these improvements, fewer respondent organisations reported they were managing all computer security issues reasonably well (only 5 per cent in 2004 compared with 11 per cent in 2002 and 2003). According to IDC market analyst Michael Sager, company CIOs pay more attention to desktop security than laptop security. Despite 28 per cent growth in sales, laptops made up 31.4 per cent of the combined desktop/laptop market in the first quarter of 2005, he says. In laptops, "CIOs don't know what they want, so they are not necessarily getting what they need from vendors", he says. Some notebook vendors have begun to supply security products, but there's a lot of market particularly among small and medium businesses. 
"We're on the cusp of companies finding out that notebook security is an issue," Sager says. "There are so many vendors, the market is saturated and something has to give.

"Vendors don't want to lose sales, so it may push back their ability to meet customer needs, or it could really drive change."

Toshiba Information Systems general manager Mark Whittard says system and data security now tops the list of his customers' requirements. Enterprise clients are more concerned about data theft, but small business and education buyers are more worried about the loss of the notebook itself, he says.

Lenovo offerings manager David Nichol says security is the top consideration for corporate clients, and data security is the increasing focus. "Organisations are realising that, as more of their staff use notebooks, their data is more likely to be in the public domain," Nichol says. "They want notebook-level security, where before they wanted network-level security."

Hewlett-Packard enterprise notebooks market development manager Laurie White says the race is on for vendors to supply the best in business anti-theft options. As vendors introduce security measures, notebooks will become like cars, White says. Thieves will target the brands known to be easy to steal. "There will be brands of notebooks that thieves won't touch because they know they won't be able to get them to work."

Theft and data protection are becoming more and more important, he says. "The loss of the notebook is minuscule compared with the value of the data that may be held on it. The data is worth 10 times more." The costs of introducing security are minimal, 5 per cent of the notebook's total cost, White says.

Dell senior product marketing manager Jeff Morris says even old, slow notebooks are a target for thieves. "It's not down to how it looks, but how easy it is to take," he says.
Nichol says physical security has a lot to do with the user and how they control the notebook in their care, and users are becoming more careful. They also, however, have more devices to help them keep their notebooks safe, including cable locks, alarms, and anti-theft tags that, if removed, disable the system or mark it as stolen. Some insurance options include no-excess cover for theft or damage, and premiums can be lowered if anti-theft measures are in place.

If data is protected, there should be little concern that information on a stolen notebook will fall into the wrong hands. Tor Nordhagen, Accenture Asia-Pacific security group director, says all portable devices are a security risk as they involve information in transit, including memory sticks, pieces of paper and notebook computers. All businesses require an information policy that states clearly that information pertaining to an enterprise should be treated as classified. "You need to protect all of that information," he says.

The contents of the machine should be protected by encryption, and there are a number of ways to authenticate a user before a system can be accessed at all, including basic password protection, smartcard readers and fingerprint readers. Encryption can also be used to secure the network the laptop uses to communicate with its home base. Whittard says wireless network technology has improved and, if all the security levels are set, it can be more secure than a wired network.

Nordhagen says companies with high security requirements can use a form of mandatory access control, so only de-classified information is allowed in insecure zones. "You can also impose a very simple form of information management on the notebook," he says. "You can check in and out information to the laptop, information that is generally stored on a secure office network but can be released for use on a notebook."
He also warns that some security measures can backfire, so it is important to ensure administrators can deal with any technical issue that arises, such as a forgotten password or a lost smartcard used to boot up a notebook.

Security measures will only improve, vendors predict. Vendors are working on more security products. For example, later this year Toshiba will release a privacy screen. When switched on, the screen can only be viewed from directly in front, avoiding spying while in airport lounges, on planes or in other public places.

Handy tips on securing your laptop

Physical security

* Use a cable lock or alarm device to secure the notebook to the office desk or to permanent structures such as airport seats.
* Don't leave an unsecured notebook in the car - lock it in the boot out of sight.
* Don't use an obvious laptop bag that may make you a target.
* Keep your laptop with you when travelling - take it on planes as carry-on luggage.
* Consider products that secretly mark your computer as your own, or as stolen if a business tag is removed.

Data security

* Develop and enforce an information security policy.
* Require passwords for boot-up access.
* Encrypt data on the notebook and data that is transferred to and from the notebook when on the road.
* Consider insurance that can cover theft or accidental loss; premiums can be lower if security measures have been adopted.
* Back up all data.

Examples of products and services available

* Software at BIOS level that tracks a reported stolen computer when it is reconnected to a network, or vendor services that provide identity tags that can be tracked when a new user tries to access support or products for a stolen notebook.
* Software that ensures a notebook will not work outside a set radius.
* Software that locks off sections of the system, or particular devices, such as the DVD writer.
* Technology that provides shock protection and spill resistance.
* Built-in or external smartcard and fingerprint reader - no card, no boot-up.

From isn at c4i.org Tue May 31 03:07:33 2005
From: isn at c4i.org (InfoSec News)
Date: Tue May 31 03:21:29 2005
Subject: [ISN] YES, Pele-Phone, Cellcom execs arrested for computer espionage
Message-ID:

http://www.globes.co.il/serveen/globes/docview.asp?did=918528&fid=942

Noam Sharvit
Globes Online
29 May 05

The Tel Aviv Magistrates Court today lifted a gag order concerning a wide-ranging Israel Police investigation into suspected industrial espionage involving some of the country's largest companies. It is suspected that three private investigator firms uploaded a Trojan Horse virus into the targeted companies' computers.

Arrests in the affair include Mayer Cars and Trucks CEO Uzi Mor, who is suspected of ordering espionage against Champion Motors (Israel); YES CFO Moriah Kathriel, suspected of ordering espionage against HOT, its cable competitor; and office equipment and photocopy company Hamafil Services CEO Yoram Cohen, suspected of ordering espionage against its rival Zilumatik Ltd.

Pele-Phone Communications security director Shay Raz has been arrested for ordering industrial espionage against Ran Rahav Communications and PR Ltd., one of whose accounts is Partner Communications Co. Ltd. (Nasdaq: PTNR; TASE:PTNR; LSE:PCCD). Cellcom Israel Ltd. security director Ofer Reichman is suspected of ordering espionage against the ad agency Reuveni-Pridan, which also handles the Partner account.

The most prominent private investigator detained is Lt.-Col. (res.) Zvi Krochmal, a former senior Military Police officer who was chief investigator in the Rami Dotan affair (Dotan was the former head of IDF procurement). Krochmal is suspected of uploading Trojan Horses in targeted companies on behalf of his clients. Three investigators from Krochmal's agency have also been arrested: Alex Weinstein, Yitzhak Dekel, and Ofer Fried.
Another prominent private investigator who has been arrested is Modi'in Ezrahi CEO Yitzhak Rath, suspected of the same offenses. Three employees from his agency have also been arrested. Eliezer Pelosoff and Avraham Balali of the Pelosoff-Balali investigative agency have also been arrested.

Possible invasion at "Globes", too

The investigation is being conducted in cooperation with the British and German police forces, with the support of Interpol.

Tana Industries (known as Tami 4) is another company suspected of ordering industrial espionage about competitor Eden Springs (Maayanot Eden) (TASE:MEYD), but no arrests have yet been made. The police also suspect that industrial espionage was ordered by a local high tech company against "Globes".

Among the companies known to have been damaged by the industrial espionage case so far: merged cable company HOT, Strauss-Elite (TASE:STEL), wireless communications company Orange, car importer Champion Motors (Israel), advertising agencies Shalmor-Avnon-Amichay Young & Rubicam and Reuveni-Pridan, public relations firm Ran Rahav Communications and PR Ltd., Eden Springs (Maayanot Eden), Shekem Electric, ACE Marketing Chains (ACE Israel), Soglowek, the Malam Group, and Zilumatik.

Unpleasant surprise for the Jackont family

The affair was uncovered in November 2004, when author-consultant and former capital market player Amnon Jackont was shocked to discover that details from a book he was writing had appeared on a website, without him having disclosed the material to anyone. Together with his wife, Varda Raziel-Jackont, a marriage counselor, Jackont filed a complaint with the police.

The police opened an investigation, eventually code-named "Horse Races", and took Jackont's home computer for testing. The investigation found that a Trojan Horse virus had been uploaded into the computer, which was sending documents and pictures to FTP file-storage servers in Israel and overseas.
The virus was highly sophisticated, enabling remote control of Jackont's computer. The police investigation discovered that the virus had been uploaded via e-mail. The police fraud squad computer unit used technological aids to find the source of the virus, Michael Haephrati, 41, a former high-tech expert and resident of Bat Yam, who currently splits his time between the UK and Germany. Haephrati was arrested in London last week. The police were not surprised to discover that Haephrati was the ex-husband of Raziel-Jackont's daughter.

The Israeli investigators, in cooperation with Interpol, the London Metropolitan Police, and the German Police, found dozens of FTP servers in Israel and overseas, including the US. Haephrati is suspected of transferring stolen material from other computers to these FTP servers. The police realized the extent of the affair when they examined some of the files.

Tailor-made Trojan Horse

It is suspected that the Trojan Horse virus was uploaded into the computers of many commercial companies via e-mail or CD, sent as business proposals to the recipients. Merely inserting the CD into a computer was enough to upload the virus without the user's knowledge. The police say that this kind of CD had been found at many companies.

After obtaining a warrant, a more thorough investigation of the documents found on the FTP servers revealed that Haephrati had deliberately created the virus for three of Israel's largest private investigator firms: Modi'in Ezrahi, Krochmal Special Investigations, and Pelosoff-Balali.

At the same time as the arrests, the police raided the suspects' homes and seized dozens of computers and tens of thousands of documents and photocopies, which are presently being studied. Most of the suspects are being accused of creating and distributing a computer virus, penetrating computer material, wiretapping, criminal conspiracy, aggravated fraud, and infringement of the Protection of Privacy Law (5741-1981).
The police emphasize that any direct interception of computer files and documents is considered illegal wiretapping.

During the investigation, the police remembered that a few years ago, the same suspects had offered the police virus-based technology for legitimate uses, but the technology was unsuited to the police's requirements. The police had held intermittent negotiations lately, during which they examined the software's applications.

The State Prosecutor and Tel Aviv District Prosecutor have accompanied the investigation from the beginning, due to its complexity and sensitivity. The police fraud squad had the help of the Israel Police Tel Aviv district central unit, the Israel Police Investigation and Intelligence Department, and computer investigators from all police units.

Israel Police National Fraud Unit head, Chief Superintendent Arie Edelman, said the virus was unique because, "It not only penetrated the computer and sent material to wherever you wanted, but it also enabled you to completely control it, to change or erase files, for example. It also enabled you to see what was being typed in real time." He said the extent of those involved in the affair, and the program's capabilities, were "exceptional".

The police suspect that Haephrati adapted the virus for his clients' needs. He charged his clients 2,000 (NIS 17,000) per computer per month, including support. Since the virus was adapted for each client's purposes, it was not detected by information security systems. Edelman said, "This is not a common software that anti-virus software makers have had to fix."

The police say that the virus had been used in Israel for at least the past two years. One of the first things checked was whether it had been used to uncover the internal correspondence of Channel 2 franchisee Tel-Ad Jerusalem Studios Ltd., published before the new Channel 2 tender, allegedly in an attempt to harm the company's chances in the tender. The answer was no.
Uniform denials

Hamafil Services chairman Yossi Zwillinger said today in response to reports about the investigation, "In business dealings, the company associates only with top-tier companies, where it is clear beyond any doubt that matters are conducted honestly.

"We are sure, beyond a shadow of a doubt, of the professional integrity and trustworthiness of CEO Yoram Cohen".

Cohen's attorney, Adv. Esther Bar-Zion, said that the company's actions were legal, and that Cohen had cooperated fully with his interrogators, providing all evidence and documents they required. "Hamafil's personnel had no reason to suspect that anything was being done improperly or dishonestly," Bar-Zion said.

Mor's attorney, Adv. Giora Aderet, said that Mayer Cars and Trucks and Mor had acted completely within the law. He denied police allegations that Mor should have known that the information being supplied by Modiin Ezrachi was obtained through deceitful means. "Mayer's personnel had no suspicions whatsoever that Modiin Ezrachi operated unlawfully."

Mayer Cars and Trucks owners Shachar and Kass stated that they were sure, beyond all doubt, of Mor's outstanding professional and personal integrity, and his non-involvement in the affair.

Pele-Phone stated in response: "Pele-Phone and its workers have no connection to the illegal obtaining of information.

"The company and its workers were surprised by the recent reports, and have cooperated with the police in clarifying the facts in this affair."

The victims respond

PR man Rani Rahav said, "If it was up to me, the guilty would hang."

Partner stated in response, "We are shocked by the findings that are being released.

"We are sure that the Israel Police is making every effort to discover the entities that acted to obtain the information, and will uncover the truth."

Strauss-Elite stated, "We are examining the ramifications for us, as much as possible. We thank the Israel Police for discovering this affair.
At this stage, matters speak for themselves, and we would prefer not to respond any further."

HOT stated, "We are shocked by the investigation's findings, as reported by the media, and are studying the details. We expect competition between companies to be fierce and aggressive, but it should be conducted according to a code of ethics, and by law, just as HOT has done in the past, and will continue to do."

Ad man Rami Shalmor said, "It is disgraceful that company executives, instead of creating real competition, take short-cuts and give in to temptation, buying commercial material so as to win the market. This is a norm that has got to stop. Competition should be fair."

Ad man Udi Pridan said, "At this stage, we are learning, together with the police, what materials were stolen, and will act accordingly."

"Globes" editor-in-chief Haggai Golan said, "Obtaining confidential information from the newspaper's computers does serious harm, particularly to the newspaper's freedom of expression, and its obligation to provide reliable information to its customers. We hope that this was an isolated incident. "Globes" will continue to bring its readers the best information possible."

From isn at c4i.org Tue May 31 03:09:06 2005
From: isn at c4i.org (InfoSec News)
Date: Tue May 31 03:21:30 2005
Subject: [ISN] Army hackers say weapons system safe
Message-ID:

http://www.newindpress.com/Newsitems.asp?ID=IEH20050526110347

May 27 2005

NEW DELHI: The Army has put in place the highest international-grade systems to safeguard the country's strategic weapons firing systems, as well as the armed forces' highly classified and high-value communications, from tech-savvy hackers.

"We are aware of threats posed by tech-savvy hackers to these vital systems," Army chief Gen JJ Singh said, making it clear that the topmost B-1 security system had been installed for operating these weapons.
"These meet the top most international standards," Lt Gen Davinder Singh, the signal officer-in-chief at the Army headquarters, said at the inauguration of the two-day Army-CII seminar on "Information Assurance and Risk Management".

The Army chief said a frequency-hopping network had recently been inducted into the armed forces, making them secure from hacking and jamming both from air and from ground transmissions. He said armed forces networks had not only been secured but made multi-layered at all levels for all situations, including strategic, tactical battle area, backbone communications and peace-time systems.

"We have developed complete private and dedicated systems, which cannot be tampered with easily," Singh said, adding that with India being at the forefront in information technology and software, the armed forces wanted to draw upon this.

Asserting that efforts were constantly on to update information assurance and information denial systems, the Army chief said a road map had been set to bring the Indian Army on par with leading tech-savvy forces in the next decade.

Cautioning that in future wars the key to success would lie in information dominance, information denial and information assurance, he said efforts had to be made to make soldiers "information warriors". He said cyberspace attacks could be conceived and planted without detectable logistic preparations, hence measures had to be taken to safeguard essential systems from this growing invisible threat.

Stressing the need for a robust, secure and fail-safe system, the Army chief said that, to keep pace with strides in technology, there was a need for a mix of customised and proprietary military equipment rugged enough to withstand all kinds of weather and terrain.
Earlier, inaugurating the seminar, in which 400 experts from the world over and major information warfare equipment makers are participating, Defence Minister Pranab Mukherjee called for working out a national information assurance strategy which would ensure that risks to the national information infrastructure were properly managed.