From isn at c4i.org Mon Oct 3 08:31:44 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 3 08:55:52 2005
Subject: [ISN] Interior Dept. Computer System Insecure
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2005/09/29/AR2005092901862.html

By JENNIFER TALHELM
The Associated Press
September 29, 2005

WASHINGTON -- An investigation of the computer systems in several Interior Department offices found numerous security flaws that threaten the department's overall computer security and must be fixed, according to an internal report.

Tests by the Interior Department's Office of the Inspector General found several bureaus and offices "still suffer from serious weaknesses in their security posture," Inspector General Earl Devaney wrote in a Sept. 6 memo to Assistant Secretary Lynn Scarlett.

According to the report, obtained by The Associated Press on Thursday, investigators several times were able to masquerade as authorized users, roam the internal networks of some of the department's most sensitive computer systems and manipulate data. The tests were performed in phases beginning in November 2004.

But Devaney said the department has balked at fixing the system.

"Rather than simply accepting the results of our testing and promptly addressing the underlying vulnerabilities, the department and bureaus have, to date, expended considerable time and energy debating our findings, challenging our methodology and impugning the credentials and integrity of our staff and contractors," Devaney wrote.

"I do not wish to repeat this past experience," he added, suggesting the department work to fix the problem.

Interior Department spokesman Dan DuBray said the investigation was done as part of an internal effort to identify any "potential weaknesses or conceivable potential vulnerabilities."
The department's computer security has been challenged recently as part of a class-action lawsuit in which thousands of American Indians accuse the department of cheating them out of billions of dollars by mismanaging oil, gas, grazing, timber and other royalties from their land since 1887. Plaintiffs have asked that a federal district court judge order Interior Secretary Gale Norton to shut down the information technology systems to protect data.

DuBray said the department will continue to aggressively work to strengthen the computer systems, "which are now among the most intricately examined in all of government."

-=-

On the Net:

Interior Department: http://www.doi.gov

From isn at c4i.org Mon Oct 3 08:31:59 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 3 08:56:13 2005
Subject: [ISN] Trojan rides in on unpatched Office flaw
Message-ID:

http://news.com.com/Trojan+rides+in+on+unpatched+Office+flaw/2100-1002_3-5886543.html

By Joris Evers
Staff Writer, CNET News.com
September 30, 2005

A new Trojan horse exploits an unpatched flaw in Microsoft Office and could let an attacker commandeer vulnerable computers, security experts have warned.

The malicious code takes advantage of a flaw in Microsoft's Jet Database Engine, a lightweight database used in the company's Office productivity software. The security hole was reported to Microsoft in April, but the company has yet to provide a fix for the problem.

"Microsoft is aware that a Trojan recently released into the wild may be exploiting a publicly reported vulnerability in Microsoft Office," a company representative said in a statement sent via e-mail on Friday. The software maker is investigating the issue and will take "appropriate action," the representative said.

The Trojan horse arrives in the guise of a Microsoft Access file, security software maker Symantec said in an advisory.
When run on a vulnerable system, it would give a remote attacker full access to a compromised computer, Symantec said. The company calls the pest "Backdoor.Hesive" and notes that it is not widespread.

Although exploits had already been released in April when HexView publicly reported the flaw, the Trojan is believed to be the first actual threat to take advantage of the security hole.

Security monitoring firm Secunia rates the issue "highly critical," one notch below its most serious rating. "The vulnerability is caused due to a memory handling error when...parsing database files," Secunia said in its April advisory. "This can be exploited to execute arbitrary code by tricking a user into opening a specially crafted '.mdb' file in Microsoft Access."

Symantec advises users to be cautious when opening unknown files. The security software maker lists all recent Windows releases as vulnerable to the Trojan attack.

From isn at c4i.org Mon Oct 3 08:33:07 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 3 08:56:36 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-39
Message-ID:

========================================================================

                  The Secunia Weekly Advisory Summary
                        2005-09-22 - 2005-09-29

                       This week : 67 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you of the best and most reliable source for vulnerability information.
Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

A vulnerability has been discovered in RealPlayer / Helix Player, which potentially can be exploited by malicious people to compromise a user's system.

Currently, no solution is available from the vendor.

Please see the referenced Secunia advisories for additional details.

References:
http://secunia.com/SA16961
http://secunia.com/SA16954

--

Apple has released a security update for Mac OS X, which fixes 10 vulnerabilities.

A complete list and details about the vulnerabilities fixed can be found in the Secunia advisory below.

Reference:
http://secunia.com/SA16920

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA16869] Firefox Command Line URL Shell Command Injection
2.  [SA16901] Thunderbird Command Line URL Shell Command Injection
3.  [SA16911] Firefox Multiple Vulnerabilities
4.  [SA16942] Microsoft Internet Explorer "XMLHTTP" HTTP Request Injection
5.  [SA16922] Sony PSP Photo Viewer TIFF File Handling Buffer Overflow
6.  [SA16917] Mozilla Multiple Vulnerabilities
7.  [SA16920] Mac OS X Security Update Fixes Multiple Vulnerabilities
8.  [SA11762] Opera Browser Favicon Displaying Address Bar Spoofing Vulnerability
9.  [SA16944] Netscape Multiple Vulnerabilities
10. [SA16764] Firefox IDN URL Domain Name Buffer Overflow

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA16958] FL Studio FLP File Handling Buffer Overflow
[SA16942] Microsoft Internet Explorer "XMLHTTP" HTTP Request Injection
[SA16909] SecureW2 Insecure Pre-Master Secret Generation

UNIX/Linux:
[SA16965] Fedora update for firefox
[SA16960] Slackware update for mozilla
[SA16928] Ubuntu update for mozilla/mozilla-firefox
[SA16919] Red Hat update for firefox
[SA16986] Fedora update for HelixPlayer
[SA16980] TWiki "%INCLUDE" Shell Command Injection Vulnerability
[SA16976] Gentoo update for php
[SA16974] SGI Advanced Linux Environment Multiple Updates
[SA16964] Fedora update for mozilla
[SA16962] Red Hat update for HelixPlayer
[SA16961] RealPlayer Error Message Format String Vulnerability
[SA16954] Helix Player Error Message Format String Vulnerability
[SA16953] Mandriva update for mozilla
[SA16948] Trustix update for clamav
[SA16930] SUSE update for clamav
[SA16920] Mac OS X Security Update Fixes Multiple Vulnerabilities
[SA16918] Red Hat update for mozilla
[SA16972] Debian update for python2.3
[SA16968] SUSE update for opera
[SA16967] Astaro Security Linux PPTP Denial of Service Vulnerability
[SA16957] Gentoo update for qt
[SA16945] jPortal Download Search SQL Injection Vulnerability
[SA16940] Gentoo update for webmin/usermin
[SA16939] Debian update for courier
[SA16938] Gentoo update for mantis
[SA16936] wzdftpd SITE Command Arbitrary Shell Command Injection
[SA16923] Interchange Catalog Skeleton SQL Injection and ITL Injection Vulnerabilities
[SA16914] Debian update for python2.1
[SA16943] IBM HMC apache/mod_ssl Vulnerabilities
[SA16978] Polipo Disclosure of Sensitive Information
[SA16950] Red Hat update for cups
[SA16912] Fedora update for cups
[SA16969] Linux Kernel URB Handling Denial of Service Vulnerability
[SA16959] Slackware update for x11
[SA16955] Sun Solaris Xsun and Xprt Privilege Escalation Vulnerability
[SA16935] Qpopper poppassd Insecure Trace File Creation Vulnerability
[SA16927] Ubuntu update for kernel
[SA16925] SUSE update for XFree86-server/xorg-x11-server
[SA16924] SUN Solaris UFS File System Denial of Service
[SA16916] Debian update for kdeedu
[SA16910] Fedora update for kernel
[SA16984] Red Hat update for wget

Other:
[SA16956] Avaya Products httpd/mod_ssl Vulnerabilities
[SA16922] Sony PSP Photo Viewer TIFF File Handling Buffer Overflow
[SA16952] Anycom Blue Stereo Headset BSH-100 Pairing Mode Vulnerability
[SA16931] Plantronics M2500 Bluetooth Headset Pairing Mode Vulnerability

Cross Platform:
[SA16944] Netscape Multiple Vulnerabilities
[SA16941] AlstraSoft E-Friends "mode" File Inclusion Vulnerability
[SA16933] phpMyFAQ Multiple Vulnerabilities
[SA16917] Mozilla Multiple Vulnerabilities
[SA16911] Firefox Multiple Vulnerabilities
[SA16979] PostNuke Local File Inclusion and Comment Bypass Vulnerabilities
[SA16949] SEO-Board admin.php SQL Injection Vulnerability
[SA16937] Mailgust "email" SQL Injection Vulnerability
[SA16929] ContentServ "ctsWebsite" Local File Inclusion Vulnerability
[SA16926] MultiTheftAuto Server "motd.txt" Modification and Denial of Service
[SA16913] My Little Forum "search" SQL Injection Vulnerability
[SA16908] PunBB Two Vulnerabilities
[SA16947] RSyslog Syslog Message SQL Injection Vulnerability
[SA16970] CJ LinkOut "123" Cross-Site Scripting Vulnerability
[SA16966] CJ Tag Board Cross-Site Scripting Vulnerabilities
[SA16963] CJ Web2Mail Cross-Site Scripting Vulnerabilities
[SA16934] IPB Riverdark RSS Syndicator Module Cross-Site Scripting
[SA16971] PHP Trailing Slash "open_basedir" Security Bypass

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA16958] FL Studio FLP File Handling Buffer Overflow

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-09-27

varunuppal has discovered a vulnerability in FL Studio, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16958/

--

[SA16942] Microsoft Internet Explorer "XMLHTTP" HTTP Request Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, Exposure of sensitive information
Released:    2005-09-26

Amit Klein has discovered a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to manipulate certain data and conduct HTTP request smuggling attacks.

Full Advisory:
http://secunia.com/advisories/16942/

--

[SA16909] SecureW2 Insecure Pre-Master Secret Generation

Critical:    Less critical
Where:       From local network
Impact:      Exposure of sensitive information
Released:    2005-09-26

Simon Josefsson has reported a security issue in SecureW2, which potentially can be exploited by malicious people to disclose certain sensitive information.

Full Advisory:
http://secunia.com/advisories/16909/

UNIX/Linux:--

[SA16965] Fedora update for firefox

Critical:    Extremely critical
Where:       From remote
Impact:      Security Bypass, Spoofing, Manipulation of data, System access
Released:    2005-09-27

Fedora has issued an update for firefox. This fixes some vulnerabilities, which can be exploited by malicious people to conduct spoofing attacks, manipulate certain data, bypass certain security restrictions, and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16965/

--

[SA16960] Slackware update for mozilla

Critical:    Extremely critical
Where:       From remote
Impact:      Security Bypass, Spoofing, Manipulation of data, System access
Released:    2005-09-27

Slackware has issued an update for mozilla. This fixes some vulnerabilities, which can be exploited by malicious people to conduct spoofing attacks, manipulate certain data, bypass certain security restrictions, and compromise a user's system.
Full Advisory:
http://secunia.com/advisories/16960/

--

[SA16928] Ubuntu update for mozilla/mozilla-firefox

Critical:    Extremely critical
Where:       From remote
Impact:      Security Bypass, Spoofing, Manipulation of data, System access
Released:    2005-09-26

Ubuntu has issued updates for mozilla and mozilla-firefox. These fix some vulnerabilities, which can be exploited by malicious people to conduct spoofing attacks, manipulate certain data, bypass certain security restrictions, and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16928/

--

[SA16919] Red Hat update for firefox

Critical:    Extremely critical
Where:       From remote
Impact:      Security Bypass, Spoofing, Manipulation of data, System access
Released:    2005-09-23

Red Hat has issued an update for firefox. This fixes some vulnerabilities, which can be exploited by malicious people to conduct spoofing attacks, manipulate certain data, bypass certain security restrictions, and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16919/

--

[SA16986] Fedora update for HelixPlayer

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-09-28

Fedora has issued an update for HelixPlayer. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16986/

--

[SA16980] TWiki "%INCLUDE" Shell Command Injection Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-09-28

A vulnerability has been reported in TWiki, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16980/

--

[SA16976] Gentoo update for php

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-09-28

Gentoo has issued an update for php. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/16976/

--

[SA16974] SGI Advanced Linux Environment Multiple Updates

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-09-28

SGI has issued a patch for SGI Advanced Linux Environment. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16974/

--

[SA16964] Fedora update for mozilla

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Spoofing, Manipulation of data, System access
Released:    2005-09-27

Fedora has issued an update for mozilla. This fixes some vulnerabilities, which can be exploited by malicious people to conduct spoofing attacks, manipulate certain data, bypass certain security restrictions, and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16964/

--

[SA16962] Red Hat update for HelixPlayer

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-09-27

Red Hat has issued an update for HelixPlayer. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16962/

--

[SA16961] RealPlayer Error Message Format String Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-09-27

c0ntex has discovered a vulnerability in RealPlayer, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16961/

--

[SA16954] Helix Player Error Message Format String Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-09-27

c0ntex has discovered a vulnerability in Helix Player, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/16954/

--

[SA16953] Mandriva update for mozilla

Critical:    Highly critical
Where:       From remote
Impact:      System access, Manipulation of data, Spoofing, Security Bypass
Released:    2005-09-27

Mandriva has issued an update for mozilla. This fixes some vulnerabilities, which can be exploited by malicious people to conduct spoofing attacks, manipulate certain data, bypass certain security restrictions, and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16953/

--

[SA16948] Trustix update for clamav

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-09-26

Trustix has issued an update for clamav. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service), or potentially to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16948/

--

[SA16930] SUSE update for clamav

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-09-26

SUSE has issued an update for clamav. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service), or potentially to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16930/

--

[SA16920] Mac OS X Security Update Fixes Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Exposure of sensitive information, Privilege escalation, System access
Released:    2005-09-23

Apple has issued a security update for Mac OS X, which fixes 10 vulnerabilities.

Full Advisory:
http://secunia.com/advisories/16920/

--

[SA16918] Red Hat update for mozilla

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Spoofing, Manipulation of data, System access
Released:    2005-09-23

Red Hat has issued an update for mozilla. This fixes some vulnerabilities, which can be exploited by malicious people to conduct spoofing attacks, manipulate certain data, bypass certain security restrictions, and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16918/

--

[SA16972] Debian update for python2.3

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-09-28

Debian has issued an update for python2.3. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16972/

--

[SA16968] SUSE update for opera

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown, Cross Site Scripting, Spoofing
Released:    2005-09-27

SUSE has issued an update for opera. This fixes two vulnerabilities, which can be exploited by a malicious person to conduct script insertion attacks and to spoof the name of attached files.

Full Advisory:
http://secunia.com/advisories/16968/

--

[SA16967] Astaro Security Linux PPTP Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2005-09-27

A vulnerability has been reported in Astaro Security Linux, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/16967/

--

[SA16957] Gentoo update for qt

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-09-27

Gentoo has issued an update for qt. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/16957/

--

[SA16945] jPortal Download Search SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2005-09-27

krasza has discovered a vulnerability in jPortal, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/16945/

--

[SA16940] Gentoo update for webmin/usermin

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2005-09-26

Gentoo has issued an update for webmin/usermin. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/16940/

--

[SA16939] Debian update for courier

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2005-09-26

Debian has issued an update for courier. This fixes a vulnerability, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/16939/

--

[SA16938] Gentoo update for mantis

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2005-09-26

Gentoo has issued an update for mantis. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/16938/

--

[SA16936] wzdftpd SITE Command Arbitrary Shell Command Injection

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-09-26

kcope has discovered a vulnerability in wzdftpd, which can be exploited by malicious users to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/16936/

--

[SA16923] Interchange Catalog Skeleton SQL Injection and ITL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown, Manipulation of data
Released:    2005-09-23

Two vulnerabilities have been reported in Interchange, which can be exploited by malicious people to conduct SQL injection attacks, or to perform actions with an unknown impact.

Full Advisory:
http://secunia.com/advisories/16923/

--

[SA16914] Debian update for python2.1

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2005-09-23

Debian has issued an update for python2.1. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16914/

--

[SA16943] IBM HMC apache/mod_ssl Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of data, Privilege escalation
Released:    2005-09-26

IBM has acknowledged some vulnerabilities in IBM HMC, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or potentially gain escalated privileges, or by malicious people to bypass certain security restrictions or conduct HTTP request smuggling attacks.

Full Advisory:
http://secunia.com/advisories/16943/

--

[SA16978] Polipo Disclosure of Sensitive Information

Critical:    Less critical
Where:       From local network
Impact:      Unknown, Exposure of sensitive information
Released:    2005-09-28

A vulnerability has been reported in Polipo, which can be exploited by malicious people to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/16978/

--

[SA16950] Red Hat update for cups

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2005-09-27

Red Hat has issued an update for cups. This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/16950/

--

[SA16912] Fedora update for cups

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2005-09-23

Fedora has issued an update for cups. This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/16912/

--

[SA16969] Linux Kernel URB Handling Denial of Service Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      DoS
Released:    2005-09-27

A vulnerability and a security issue have been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/16969/

--

[SA16959] Slackware update for x11

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-27

Slackware has issued an update for x11. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/16959/

--

[SA16955] Sun Solaris Xsun and Xprt Privilege Escalation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-27

A vulnerability has been reported in Solaris, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/16955/

--

[SA16935] Qpopper poppassd Insecure Trace File Creation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-26

kcope has discovered a vulnerability in Qpopper, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory:
http://secunia.com/advisories/16935/

--

[SA16927] Ubuntu update for kernel

Critical:    Less critical
Where:       Local system
Impact:      DoS
Released:    2005-09-26

Ubuntu has issued an update for the kernel. This fixes two vulnerabilities, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/16927/

--

[SA16925] SUSE update for XFree86-server/xorg-x11-server

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-26

SUSE has issued an update for XFree86-server/xorg-x11-server. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/16925/

--

[SA16924] SUN Solaris UFS File System Denial of Service

Critical:    Less critical
Where:       Local system
Impact:      DoS
Released:    2005-09-23

A vulnerability has been reported in Solaris, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/16924/

--

[SA16916] Debian update for kdeedu

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-23

Debian has issued an update for kdeedu. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions with escalated privileges on a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16916/

--

[SA16910] Fedora update for kernel

Critical:    Less critical
Where:       Local system
Impact:      DoS, Privilege escalation, Exposure of sensitive information
Released:    2005-09-23

Fedora has issued an update for the kernel. This fixes some vulnerabilities, which potentially can be exploited by malicious, local users to disclose certain sensitive information, cause a DoS (Denial of Service), and gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/16910/

--

[SA16984] Red Hat update for wget

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2005-09-28

Red Hat has issued an update for wget. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/16984/

Other:--

[SA16956] Avaya Products httpd/mod_ssl Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, DoS
Released:    2005-09-27

Avaya has acknowledged some vulnerabilities in httpd/mod_ssl included in some products, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/16956/

--

[SA16922] Sony PSP Photo Viewer TIFF File Handling Buffer Overflow

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-09-26

A vulnerability has been reported in Sony PSP, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16922/

--

[SA16952] Anycom Blue Stereo Headset BSH-100 Pairing Mode Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information, DoS
Released:    2005-09-26

KF has reported a vulnerability in Anycom Blue Stereo Headset BSH-100, which can be exploited by malicious people to cause a DoS (Denial of Service), disclose sensitive information, and manipulate certain data.
Full Advisory:
http://secunia.com/advisories/16952/

--

[SA16931] Plantronics M2500 Bluetooth Headset Pairing Mode Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2005-09-26

KF has reported a vulnerability in Plantronics M2500 Bluetooth Headset, which can be exploited by malicious people to disclose sensitive information and manipulate certain data.

Full Advisory:
http://secunia.com/advisories/16931/

Cross Platform:--

[SA16944] Netscape Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Spoofing, Manipulation of data, System access
Released:    2005-09-26

Some vulnerabilities have been discovered in Netscape, which can be exploited by malicious people to manipulate certain data, conduct spoofing attacks, bypass certain security restrictions and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16944/

--

[SA16941] AlstraSoft E-Friends "mode" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2005-09-26

Kurdish Hackers Clan has reported a vulnerability in AlstraSoft E-Friends, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/16941/

--

[SA16933] phpMyFAQ Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, Exposure of system information, Exposure of sensitive information, System access
Released:    2005-09-26

rgod has discovered some vulnerabilities in phpMyFAQ, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, disclose system and sensitive information, and compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/16933/

--

[SA16917] Mozilla Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Spoofing, Manipulation of data, System access
Released:    2005-09-23

Multiple vulnerabilities have been reported in Mozilla Suite, which can be exploited by malicious people to conduct spoofing attacks, manipulate certain data, bypass certain security restrictions, and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16917/

--

[SA16911] Firefox Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Spoofing, Manipulation of data, System access
Released:    2005-09-23

Multiple vulnerabilities have been reported in Firefox, which can be exploited by malicious people to conduct spoofing attacks, manipulate certain data, bypass certain security restrictions, and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/16911/

--

[SA16979] PostNuke Local File Inclusion and Comment Bypass Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Exposure of sensitive information
Released:    2005-09-28

Two vulnerabilities have been reported in PostNuke, which can be exploited by malicious people to bypass certain security restrictions and disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/16979/

--

[SA16949] SEO-Board admin.php SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2005-09-26

foster RST/GHC has reported a vulnerability in SEO-Board, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/16949/ -- [SA16937] Mailgust "email" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Security Bypass, Manipulation of data Released: 2005-09-26 rgod has reported a vulnerability in Mailgust, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/16937/ -- [SA16929] ContentServ "ctsWebsite" Local File Inclusion Vulnerability Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2005-09-26 qobaiashi has reported a vulnerability in ContentServ, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/16929/ -- [SA16926] MultiTheftAuto Server "motd.txt" Modification and Denial of Service Critical: Moderately critical Where: From remote Impact: Manipulation of data, DoS Released: 2005-09-26 Luigi Auriemma has reported two vulnerabilities in MultiTheftAuto Server, which can be exploited by malicious people to modify certain information or cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/16926/ -- [SA16913] My Little Forum "search" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-09-23 rgod has discovered a vulnerability in My Little Forum, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/16913/ -- [SA16908] PunBB Two Vulnerabilities Critical: Moderately critical Where: From remote Impact: Unknown, Cross Site Scripting Released: 2005-09-22 Two vulnerabilities have been reported in PunBB, where one has an unknown impact and the other can be exploited by malicious people to conduct cross-site scripting attacks. 
Full Advisory: http://secunia.com/advisories/16908/ -- [SA16947] RSyslog Syslog Message SQL Injection Vulnerability Critical: Moderately critical Where: From local network Impact: Manipulation of data, System access Released: 2005-09-26 A vulnerability has been reported in RSyslog, which can be exploited by malicious people to conduct SQL injection attacks, and potentially to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/16947/ -- [SA16970] CJ LinkOut "123" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-09-27 Psymera has discovered a vulnerability in CJ LinkOut, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/16970/ -- [SA16966] CJ Tag Board Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-09-27 Psymera has discovered some vulnerabilities in CJ Tag Board, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/16966/ -- [SA16963] CJ Web2Mail Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-09-27 Psymera has discovered some vulnerabilities in CJ Web2Mail, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/16963/ -- [SA16934] IPB Riverdark RSS Syndicator Module Cross-Site Scripting Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2005-09-26 X1NG has reported two vulnerabilities in the Riverdark RSS Syndicator module for Invision Power Board, which can be exploited by malicious people to conduct cross-site scripting attacks. 
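The RSyslog entry above (SA16947) and the SEO-Board, Mailgust and My Little Forum entries all describe the same bug class: text that an attacker controls is spliced into a SQL statement. The following is an added illustration, not rsyslog's code and not taken from any of the advisories. The log table, the syslog line and the payload are constructed for the example. It shows how a message sent over the network becomes part of the SQL text when concatenated into an INSERT, and how the same write with bound parameters stores the message verbatim.

```python
"""Untrusted syslog text reaching a SQL backend: constructed demonstration.

Added example for the RSyslog entry (SA16947) and the other SQL injection
entries in this summary. This is not rsyslog's code, nor code from any of
the advisories; the table schema, the syslog line and the payload are
constructed for the illustration.
"""
import re
import sqlite3

# Minimal RFC 3164 style line: <PRI>Mmm dd hh:mm:ss host tag: message
SYSLOG_RE = re.compile(
    r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$"
)


def parse_syslog(line):
    """Split one syslog line into its fields. Everything after the
    hostname is attacker-controlled free text."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    pri, ts, host, msg = m.groups()
    return {"pri": int(pri), "ts": ts, "host": host, "msg": msg}


def new_db():
    """Fresh in-memory database with a hypothetical log table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE syslog (host TEXT NOT NULL, msg TEXT NOT NULL)")
    return db


def insert_vulnerable(db, rec):
    """The message is spliced into the SQL string. A single quote inside
    it terminates the literal and the remainder is parsed as SQL."""
    sql = "INSERT INTO syslog (host, msg) VALUES ('%s', '%s')" % (
        rec["host"], rec["msg"])
    db.execute(sql)


def insert_safe(db, rec):
    """Bound parameters: the driver sends the message as data, so it can
    never change the structure of the statement."""
    db.execute("INSERT INTO syslog (host, msg) VALUES (?, ?)",
               (rec["host"], rec["msg"]))


def rows(db):
    """Return the whole table in insertion order."""
    return db.execute("SELECT host, msg FROM syslog ORDER BY rowid").fetchall()


# Constructed attacker-controlled line. The payload closes the first
# VALUES tuple and opens a second one attributed to a different host.
PAYLOAD = "<13>Sep 26 10:00:00 web01 sshd: x'), ('dc01', 'forged audit entry"


def demo(insert):
    """Log PAYLOAD with the given insert routine and return the table."""
    db = new_db()
    insert(db, parse_syslog(PAYLOAD))
    return rows(db)


if __name__ == "__main__":
    print("vulnerable:", demo(insert_vulnerable))  # two rows, one forged
    print("parameterised:", demo(insert_safe))     # one row, text intact
```

The point worth noticing is that the attacker never touches the database host: the syslog sender only has to be on a network the collector listens on, which is why the advisory's "Where" field reads "From local network" rather than "Local system". A forged row attributed to another host is also a reminder that an injectable log store undermines the forensic value of everything already in it.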
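The PHP "open_basedir" entry below (SA16971) is a local-only issue but a useful specimen of a recurring mistake: a path restriction enforced as a plain string-prefix test. The following is an added illustration, not PHP's code. It models, in Python, the bug class the advisory title points at as the author of this example understands it: when the configured base directory has no trailing slash, a sibling directory whose name merely starts with the same characters (/home/user2 against a base of /home/user) passes the test. The paths are constructed POSIX paths.

```python
"""Prefix-only directory confinement and the trailing-slash bypass.

Added example for the PHP "open_basedir" entry (SA16971). Not PHP's code;
it models the bug class in Python. All paths below are constructed.
"""
import posixpath


def naive_in_basedir(path, basedir):
    """Prefix test only. Normalisation resolves '..' but the test still
    accepts '/home/user2/secret' for a base of '/home/user'."""
    return posixpath.normpath(path).startswith(basedir)


def strict_in_basedir(path, basedir):
    """Normalise both sides, then require the path to be the base itself
    or to continue with a separator immediately after it. This is what
    ending the configured value with a slash achieves implicitly."""
    p = posixpath.normpath(path)
    b = posixpath.normpath(basedir)
    return p == b or p.startswith(b.rstrip("/") + "/")


def compare(path, basedir):
    """Return (naive verdict, strict verdict) for one access attempt."""
    return naive_in_basedir(path, basedir), strict_in_basedir(path, basedir)


if __name__ == "__main__":
    base = "/home/user"  # no trailing slash, the configuration the title refers to
    for p in ("/home/user/www/index.php",
              "/home/user2/secret.txt",
              "/home/user/../user2/secret.txt"):
        print(p, compare(p, base))
```

With a trailing slash in the configured value even the naive test rejects the sibling directory, which is why the slash matters in the advisory title; the strict check does not depend on an administrator remembering it. The same separator-aware comparison applies anywhere a path is confined by prefix, whether in a web server alias, a chroot helper or an upload handler.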
Full Advisory: http://secunia.com/advisories/16934/

-- [SA16971] PHP Trailing Slash "open_basedir" Security Bypass
Critical: Not critical
Where: Local system
Impact: Security Bypass
Released: 2005-09-27
thorben has discovered a security issue in PHP, which can be exploited by malicious, local users to access certain files outside the "open_basedir" root.
Full Advisory: http://secunia.com/advisories/16971/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/
Subscribe: http://secunia.com/secunia_weekly_summary/
Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Mon Oct 3 08:33:49 2005 From: isn at c4i.org (InfoSec News) Date: Mon Oct 3 08:57:02 2005 Subject: [ISN] The next IT security leaders - Know the tools to succeed in growing field Message-ID: http://federaltimes.com/index2.php?S=1147134 By JANE SCOTT NORRIS September 30, 2005 The 2002 Federal Information Security Management Act introduced the position of chief information security officer (CISO) to the federal government - albeit with the ungainly moniker of senior agency information security official. Today, as the CISO position is earning widespread recognition and increasing stature in both the public and private sectors, we ask: "Where will the next generation of CISOs come from?" First, we need to pose and answer two other questions: "What is the background and experience of current CISOs?" and "How is the CISO role evolving?"
Most, if not all, of those who currently hold CISO positions did not begin their careers with the ambition of becoming the senior information security officer for a large enterprise; rather, they came into their positions through a confluence of skills, innovation and opportunity. In fact, until recently, only a few people worked in this rapidly expanding discipline, so there was no career ladder to the executive suite. However, the importance of information security and the demand for information security professionals are both growing - thanks to ever-increasing connectivity, the rush to market by vendors, expanding threats and readily available hacking tools. The 2004 Work Force Study, conducted by the International Information Systems Security Certification Consortium, projected a compounded annual growth rate for the information security profession, worldwide through 2008, at almost 14 percent, while the information technology profession's growth was projected at only 5 percent to 8 percent over the same period. Today's CISOs have typically worked in information technology, but they have traveled a variety of routes to their current positions. According to the work-force study, information security professionals are very experienced, having worked an average 13 years in IT and seven years in information security. CISOs, however, require broader knowledge than the typical information security practitioner and strong management skills. With varying years of experience in the security arena, the most successful among my colleagues have several nontechnical traits in common. Each can use plain English, rather than "geek-speak," to communicate with business managers and to balance security with mission objectives. The consideration of business requirements is the key factor in evolving the security profession's attitude from one of risk aversion to one of risk management.
With interconnectivity, we've abandoned the search for absolute security and perfectly safe systems as an impossible and impractical quest. We have accepted the need for availability and usability of information and information systems, leading to the creation of the information assurance discipline. But it doesn't stop there. Just as information management is transitioning into knowledge management, with the emphasis shifting from technical outputs to business outcomes, so the former information security profession is maturing from a purely technical approach to one that is mission-focused. To succeed, the CISO must be a strategic partner with business units. Often under the auspices of the National Security Agency's Centers of Academic Excellence program, many colleges and universities have recently established information assurance curricula at the undergraduate and graduate levels, typically in the computer science departments. Graduates from these programs are entering the information assurance work force and expect to spend their entire careers in this discipline. Many will aspire to become CISOs at some point in their professional lives. For junior- and midlevel information security personnel, there is no well-defined CISO model and no clear path to the CISO position. Moreover, by the time they attain the C-level, there probably will not even be a CISO position: It is more likely to be CRO - chief risk officer. My final advice to those aspiring to become a CISO/CRO: * Gain a solid foundation in IT, information security and risk management. * Know pertinent laws and regulations. * Get credentials in information security, project management, and in chief information officer competencies or business administration. * Learn the business of the organization for which you work. * Hone your communication and marketing skills. Think and talk in business terms, and master the art of making your case in one page. 
-=- Jane Scott Norris is chief information security officer of the State Department. From isn at c4i.org Mon Oct 3 08:34:05 2005 From: isn at c4i.org (InfoSec News) Date: Mon Oct 3 08:58:02 2005 Subject: [ISN] Political hackers deface Novell SUSE sites Message-ID: http://www.theregister.co.uk/2005/10/03/opensuse_hacked/ By John Leyden 3rd October 2005 Three Novell OpenSUSE community web sites were defaced on Sunday by politically motivated hackers. Defacement archive Zone-H reports that a group called IHS Iran Hackers Sabotage [1] broke into OpenSUSE.org, wiki.novell.com and forge.novell.com to post a message stating that it was Iran's right to develop nuclear power. All three sites were defaced in the same way (archive here) [2]. OpenSUSE.org and forge.novell.com have since been restored to normal operation and the offending images removed. The wiki.novell.com site has been taken temporarily offline. Although somewhat embarrassing, all early indications are that the attack was not serious. Of greater concern are reports that hackers compromised a gaming-related server maintained by Novell and used it to scan for other vulnerable machines. The hacked system - which ran a mail server for a gaming site called Neticus.com - has been scanning for vulnerable SSH systems since 21 September, Computerworld reports [3]. The rogue behaviour was spotted by net security firm Brandon Internet Security, which traced attacks against its clients' systems back to the compromised servers. A Novell spokesman played down that incident by saying the hacked servers were part of test systems located outside Novell's corporate network.
[1] http://www.zone-h.org/defacements/filter/filter_defacer=IHS%20IRAN%20HACKERS%20SABOTAGE [2] http://www.zone-h.org/en/defacements/mirror/id=2917402 [3] http://www.linuxworld.com.au/index.php/id;2128628770;fp;2;fpid;1 From isn at c4i.org Mon Oct 3 08:38:07 2005 From: isn at c4i.org (InfoSec News) Date: Mon Oct 3 08:58:23 2005 Subject: [ISN] InfoSec News List Subscription Information Message-ID: http://www.infosecnews.org/ InfoSec News is a privately run, medium traffic list that caters to the distribution of information security news articles. These articles will come from newspapers, magazines, online resources, and more. To subscribe to InfoSec News, Click here [1]. The subject line will always contain the title of the article, so that you may quickly and efficiently filter past the articles of no interest. This list will contain: Articles catering to security, hacking, firewalls, new security encryption, products, public hacks, hoaxes, legislation affecting these topics and more. Information on where to obtain articles in current magazines. Security Book reviews and information. Security conference/seminar information. New security product information. And anything else that comes to mind... Feedback is encouraged. The list maintainers would like to hear what you think of the list, What could use improving, and which parts are "right on". Subscribers are also encouraged to submit articles or URLs. If you submit an article, please send either the URL or the article in ASCII text. Further, subscribers are encouraged to give feedback on articles or stories, which may be posted to the list. Anonymous feedback is always welcome. Please DO NOT: * subscribe vanity mail forwards to this list * subscribe from 'free' mail addresses (ie: juno, hotmail) * enable vacation messages while subscribed to mail lists * subscribe from any account with a small quota All of these generate messages to the list owner and make tracking down dead accounts very difficult. 
I am currently receiving as many as 75+ returned mails a day. Any of the above are grounds for being unsubscribed. You are welcome to resubscribe when you address the issue(s). This is not a whim! Other moderators have begun to do the same. Special thanks to the following for continued contribution: William Knowles, Will Spencer, Jay Dyson, Emerson Tan, Nicholas Brawn, Felix von Leitner, Robert G. Ferrell, Eric Wolbrom, Brian Martin, Marjorie Simmons, Richard Forno Darren Reed, Robert Slade, Attrition.org, Curiosity.org and several other contributors. InfoSec News Archives: http://www.landfield.com/isn http://lists.jammed.com/ISN/ http://lists.insecure.org/isn/ http://www.attrition.org/pipermail/isn http://online.securityfocus.com/archive/12 http://marc.theaimsgroup.com/?l=isn&r=1&w=2 InfoSec News is Moderated by William Knowles wk(at)c4i.org. ISN is a private list. Moderation of topics, member subscription, & everything else about the list is solely at his discretion. The InfoSec News membership list is NOT available for sale or disclosure. InfoSec News is a non-profit list. Sponsors are only donating to cover bandwidth and server costs. [1] http://www.infosecnews.org From isn at c4i.org Mon Oct 3 08:50:47 2005 From: isn at c4i.org (InfoSec News) Date: Mon Oct 3 08:58:40 2005 Subject: [ISN] White hat, gray hat, black hat Message-ID: Forwarded from: William Knowles http://www.fcw.com/article90994-10-03-05 By Michael Arnone Oct. 3, 2005 For a long time, most computer network crackers hacked a system for the same reason George Mallory climbed Mt. Everest: "Because it's there." But that's no longer the only reason or even the dominant one. More hackers now follow the philosophy frequently attributed to Willie Sutton, a bankrobber during the 1930s. According to legend, when asked why he robbed banks, Sutton replied matter-of-factly: "It's where the money is." 
During the past six years, malicious black-hat hackers have changed from script kiddies who deface Web sites and spread worms to earn glory within the hacker community to professionals sponsored by foreign governments and organized crime. They target specific government and industry victims and commit real crimes, sometimes for significant financial gain. "We're now seeing sociopaths intent on doing...more devious and sophisticated stuff," said Dragos Ruiu, chief organizer of the PacSec, CanSecWest and EUSecWest hacker conferences, which annually draw hundreds of hackers worldwide. But in general, hackers secure their computers better than the rest of the computing community. Government and industry can learn from their hacking techniques and protection skills to improve information technology security, experts say. In addition, government can learn from two other groups: the paid professionals - known as white hats - who research vulnerabilities to protect employers' and customers' data and the unaffiliated tinkerers - known as gray hats - who alert users to vulnerabilities. Government and industry have always learned security techniques from hackers, whether they realize that or not. For example, penetration testing, which is a search for security holes in a computer system, is a common hacker practice that the federal government is using more often, said Steven Manzuik, security product manager at eEye Digital Security. The company provides penetration testing, vulnerability assessment and proactive security services to the Defense Department and federal intelligence agencies. Penetration testing is a good way to demonstrate actual risk and secure systems by patching or applying other protections, Manzuik said. DOD has come to appreciate the value of penetration testing and now has a solid schedule and process in place for it, he said. 
Because the federal government is a huge target for hackers for political and financial reasons, agency officials have started issuing information security regulations based in part on consultations with, and lessons learned from, hackers, said Mark Loveless, a senior security analyst at BindView and a hacker for 25 years. The Gramm-Leach-Bliley Act of 1999, Health Insurance Portability and Accountability Act, Federal Information Security Management Act of 2002, and Sarbanes-Oxley Act of 2002 all require fortification of computer networks to protect information based on real-life hacker attacks, Loveless said. He added that following federal regulations can make it easier to fix many common vulnerabilities. Military officials have learned the fastest from hackers and are starting to pay serious attention to software policies to bolster their security, Ruiu said. Civil agencies are the most vulnerable because they don't have money for adequate IT security, let alone improvements to it, he said. DOD and intelligence agencies enjoy talking with hackers who do not have malicious intentions, and the two groups often tip each other off about developments and discoveries, Loveless said. Information analysis and intelligence gathering units are particularly willing to learn from attacks to plug holes in their security, said Marc Maiffret, founder and chief hacking officer at eEye. But not all government agencies listen to hackers, Loveless said. Old-school agents in the FBI and the Secret Service don't trust hackers because they consider many of them to be criminals. Hackers' importance as teachers, though, is increasing. As software insecurity remains the norm, the number of targets increases and the stakes involved in losing control of financial and confidential data rise, experts say. 'Millions of monkeys' A common bond among hackers is curiosity. "What if I try this?" and "What can I do to make it do what I want?"
are two hacker mantras, said Martin Roesch, founder and chief technology officer of Sourcefire, a provider of intrusion-prevention systems. But that unrelenting, inquisitive skepticism, sometimes bordering on paranoia, yields superior quality assurance. "Everything you forget, they will find," Roesch said. "It's like the proverbial millions of monkeys typing on typewriters. They have infinite resources and infinite time to find weaknesses in your system." Another hacker tenet is always follow the path of least resistance, said Matthew Gray, founder of and CTO at Newbury Networks. In doing so, hackers use network engineers' desire for efficiency against them to design more effective and stealthy attacks. This path of least resistance is often through the front door, said Paul Proctor, research vice president of security and risk at Gartner. Attackers hack only enough to insert malicious payloads that contain keystroke and network sniffers and other means to collect information they can use to fool the system into thinking the attackers are legitimate users. Once they get that, they can come and go as they please without scrutiny. Nine times out of 10, vigilante gray hats, black hats and cybercriminals follow the path of least resistance, Proctor said. But most government and industry cyberprotectors try to thwart the primary method gray hats use: burrowing into the system code to find flaws. Gray hats, however, pose almost no real risk to computer security because they don't act maliciously, he said. A failure of imagination An obstacle to blocking hackers is the implementation of IT security by network engineers instead of software developers and engineers, said John Viega, founder of and CTO at Secure Software. On the other hand, most hackers are software engineers or use software engineering tools built by software experts. Thus, the primary defenders of IT assets have different perspectives, skills and experiences from the attackers, Viega said. 
This compounds the problem that most organizations consider IT security only when they are under attack, said Roger Thornton, founder of and CTO at Fortify Software. Few organizations look at their IT capabilities in terms of the risk they face from black hats and cybercriminals, he said. This failure of imagination to ask what would happen if hackers could access their information is the main stumbling block to effective security, Thornton said. "Anything that government and industry learn from hackers must be seen through the lens of their own risk management needs," Proctor said. Another problem is that government and industry have fallen for the negative hacker stereotypes shown on film and television, and are not using valuable, available assets. "Not every hacker is a cracker," which is the old slang for a black hat, Maiffret said. Organizations should invite more white and gray hats to their conferences, Maiffret said. Many government and commercial organizations, such as Microsoft, have already heeded that advice and even pay to be sponsors at hacker conferences. Because talented Internet security professionals, such as hackers, are tough to find and hire, "the greatest defense against hackers is that you can make a mighty good living on the right side of the fence," Thornton said. Government and industry hire white and gray hats who want to have their fun legally, which can defuse part of the threat, Ruiu said. But it's impossible to reach every potential attacker through a job advertisement, he said. Many hackers are willing to help the government, particularly in fighting terrorism. Loveless said that after the 2001 terrorist attacks, several individuals approached him to offer their services in fighting al Qaeda. Hiring black hats, however, is a bad idea. Bruce Murphy, vice president of worldwide security services at Cisco Systems, said he does not hire black hats because they do not appreciate or respect standard business processes and structures. 
"Somebody with questionable moral judgment isn't someone you want to have control of your networks," said Avi Rubin, a professor of computer science at Johns Hopkins University. A disgruntled hacker with inside knowledge of a company's networks could create a nightmare scenario, he said. Besides, white hats have closed the skill gap between themselves and gray and black hats, said Amit Yoran, president of Yoran Associates and former national cybersecurity director. What the white hats need to learn, he said, is how to sell IT security more persuasively to bureaucracies that still may not see the need for it. More important than the presence of hackers is emulating their skeptical attitude, Maiffret said. Most large organizations do not cultivate the maverick mind-set needed for quality hacking and computer security, he said. "Part of the hard thing in government is that you're not really meant to question how things work," he said, adding the same goes for large companies. "You're expected to take orders and do things...[but] that's what [hackers] are here for, to question." Organizations must encourage employees to question everything about the technology they use, he said. Putting lessons to work The guiding principle for government and commercial IT has been to increase productivity and decrease cost, without much thought about security, Proctor said. Savings are powering the federal government's insistence that contractors and integrators use commercial software. The drive "is like nothing I've ever seen in my life," said Michael Armistead, vice president of products at Fortify Software. Thornton warned that any commercial solution must account for the organization's risk profile, especially risks presented by black hats. Those responsible for implementing commercial products should audit them, line by line if necessary, to see if they provide adequate security. If they don't, the hackers will. 
Even with the security emphasis since the 2001 terrorist attacks, Thornton and other experts agree that government and industry are not changing fast enough to thwart evolving threats from black hats. But government and industry have attributes that, if used hacker-style, could potentially help them defeat malicious hackers. Government has the advantage of central coordination and the ability to quickly enforce best practices and standards enterprisewide, Ruiu said. It can also share information quickly and effectively, faster in fact than industry and the balkanized hacker community. Industry has the advantages of being able to speedily implement changes and act pragmatically, Ruiu said. If it employs the hacker mind-set while developing products, it would produce software and hardware more resistant to attacks in the first place. Government and industry need research units to discover vulnerabilities, or they should work with someone who has them, Maiffret said. They need to dissect software to find every weakness, just like hackers worldwide do. Until such widespread changes occur, the public and private sectors can protect themselves the way hackers do, said Michael Cantey, a network systems administrator at the Florida Department of Law Enforcement's Computer Crime Center. He said they should learn as much as they can about what's on their systems, how those systems operate and how to fix as many flaws as possible. They can stay current on basic security measures and set up a multilayered defense that goes beyond the perimeter to inside essential systems. The only long-term way to effectively hinder or prevent hacker attacks is to show the same persistence, skepticism and vigilance that hackers do, Roesch said. After all, he said, "the million monkeys are working relentlessly, every day, all day."
*==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* From isn at c4i.org Tue Oct 4 01:49:29 2005 From: isn at c4i.org (InfoSec News) Date: Tue Oct 4 01:55:56 2005 Subject: [ISN] WA should beef up security: report Message-ID: http://australianit.news.com.au/articles/0,7204,16769033%5E15319%5E%5Enbv%5E15306,00.html Heather Quinlan SEPTEMBER 30, 2005 WEST Australian government agencies have better control of their postage stamps than they do of confidential personal information stored in their computers, a report by the state's corruption watchdog shows. A Corruption and Crime Commission (CCC) study revealed personal data held on WA government computers was vulnerable to misuse and must be better protected through staff security screening, monitored access and beefed-up criminal laws. The Protecting Personal Data in the Public Sector report, tabled in parliament yesterday, found checks on inappropriate access and leakage of computer-held information were inadequate. CCC spokesman Glenn Ross said examples of data misuse ranged from looking up a friend's address on a work computer, to the murder of former police officer Don Hancock, which was made possible by information provided to an outlaw motorcycle gang by a public servant. Former transport department worker Karen Moore was charged and convicted after providing the name and address to match a car registration number supplied by a bikie associate. The following month, the same car - which belonged to Mr Hancock's friend Lou Lewis - was blown up, killing both men. A Gypsy Joker bike gang member was later convicted of the bombing murders. 
The CCC study examined the handling of personal data in six state and local government agencies, conducted surveys of 540 public sector staff and considered 17 submissions - 11 from members of the public. The state government, which is in the process of drafting new privacy legislation, said yesterday it would accept many of the CCC's recommendations. WA Treasurer Eric Ripper, commenting on behalf of Premier and Public Sector Management Minister Geoff Gallop, said the government must improve its practices. "Every citizen has the right to expect that confidential information that the government holds will not be used for unauthorised purposes," Mr Ripper told reporters. "Human nature being what it is, it is hard to offer guarantees but we need to do better in this area (of information security). "Many public sector managers feel there are deficiencies in our disciplinary framework and ... if they don't feel they've got the power to take action, then that is something government has to attend to." The report found state and local government agencies had better systems to control use of petty cash and postage stamps than the access to confidential information held on computers. The report, which also supported a privacy commissioner and privacy legislation, recommended amending the criminal code to prohibit unauthorised access and disclosure of information. Other recommendations included the establishment of uniform definitions and criminal penalties, regular security checks of public sector staff, and the introduction of a public sector oath to maintain the confidentiality of information. AAP From isn at c4i.org Tue Oct 4 01:49:45 2005 From: isn at c4i.org (InfoSec News) Date: Tue Oct 4 01:56:27 2005 Subject: [ISN] Data Scandal Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,105065,00.html By Mary Brandel OCTOBER 03, 2005 COMPUTERWORLD A data scandal roll call would include big names in nearly every industry.
Bank of America, LexisNexis, Time Warner, DSW Shoe Warehouse, T-Mobile and the University of California, Berkeley, to name a few, have recently experienced data security breaches. And some experts say that there are hundreds if not thousands of other, less-publicized cases in which sensitive personal data has been compromised. "There's the hospital that unwittingly exposes a couple of AIDS patients, or the bank that inadvertently discloses to a creditor someone's complete financial background," says Diana McKenzie, who chairs the IT group at Neal, Gerber & Eisenberg LLP, a Chicago law firm. "There are tons and tons of examples like that." For CIOs, this trend means two things: It may not be a case of whether your company will experience a data security breach but when it will experience such a breach. And, particularly if you're one of the unlucky 10% or less who find their stories blasted throughout the national news media, you'd better know beforehand how you're going to respond when a breach occurs. A New Reality "In days gone by, you could have thrown up your hands and said, 'Geez, this was an accident,'" says Scott Sobel, vice president at Levick Strategic Communications in Washington. "But now people are more familiar with IT processes, and they may believe that if controls weren't in place, someone was negligent or malicious." That's why your immediate response to a security breach is all-important. And it's not enough to lean on processes you've put in place to respond to more traditional threats such as viruses and hacker infiltration. Today, threats can emanate from sources as varied as fraudulent businesses or tape thieves. "The failures in the business processes that have occurred this year are causing organizations to redesign the way they respond to future incidents or anomalies," says Rich Baich, managing director at PricewaterhouseCoopers and former chief information security officer at ChoicePoint Inc. in Alpharetta, Ga. 
Earlier this year, it was revealed that ChoicePoint had released consumers' personal financial information to data thieves posing as legitimate businesses.

One important change worth considering, Baich says, is to create and publicize a central mechanism for employees or the general public to report possible breaches, including incidents involving low-tech actions such as fraud or tape theft. There should be a response team that follows an established set of protocols, not unlike those of customer service hot lines, where a trained group follows a decision tree and escalates its response depending on the nature of the problem.

The exact response protocol will be unique to each organization. Some may want to report directly to the general counsel, others to the CISO, and others to the president of the company. However you choose to do it, the escalation procedure should be defined and agreed upon in advance.

"It needs to be something that says, 'During Christmas time, from this hour to this day, John Brown is head of the team, and he'll have access to this attorney and this PR person and this decision-maker and this representative of the union, instantly,'" Sobel says.

Having a central point of contact would also help avoid the common problem of not taking incident reports seriously, McKenzie says. "If a busy executive gets a call from a person outside the company who doesn't sound sophisticated, or from someone lower in the organization who thinks something odd is happening, there's a tendency to dismiss it," she says. "I can't tell you the number of times I've had a person forget to get the phone number or even the name of the person who called."

Teamwork

The word team can't be overemphasized, McKenzie says. The days are gone when IT worked in isolation on security incidents. The public relations and legal departments need to be involved as soon as possible, even as you're still figuring out the depth and breadth of the problem.
"While you're starting to fix, document and understand the problem, you want to start the lawyers mitigating risk and the PR folks preparing communications," McKenzie says. "The IT guy keeping it to himself is a really bad idea," she adds. Not only are there disclosure requirements, but your public relations people will also need some lead time to fully understand the problem and prepare a response. At Vanguard Managed Solutions LLC, IT works hand in hand with the legal and marketing departments during times of crisis. In the 300-employee managed services provider in Mansfield, Mass., security incidents are escalated to management-level employees in the network operations center, says Eric Welz, senior solutions architect. If the incident is determined to be severe enough, marketing, legal and IT work together to determine how it should be communicated to clients. Now more than ever, lawyers are crucial for correctly interpreting and responding to federal and state privacy laws. For example, California's Senate Bill 1386 requires organizations to disclose security breaches that involve private information about California residents. California Assembly Bill 1950 requires "reasonable security" controls for California residents' data. The Washington state government also recently enacted several bills addressing security breaches, and other states may soon follow. Your legal department might decide to involve local law enforcement, which could affect whether your company is allowed to disclose any information about the breach. If the police ask you to keep mum because they've determined that public disclosure would inhibit the investigation, be sure to get a letter documenting that request to avoid conflicts later, Baich says. Some experts suggest that companies develop boilerplate language to enable a faster response. 
"Disclosures are sometimes required to happen quickly, and that's not the time to start with a blank piece of paper," says Peter Gregory, chief security strategist at VantagePoint Security LLC in Bellevue, Wash. Deliberate Speed But don't rush. "You don't want to wait two days, but you can wait 20 minutes," says Gregory. "You need to follow the emergency procedures so that when the PR person is in front of the microphone, the information has flowed properly from the point of discovery, through IT management and sideways to PR and legal." Or, as McKenzie puts it, "respond with cautious speed. On the one hand, a delay in responding can be fatal, but on the other, you need to have a reasoned response, because this could be broadcast all over the country." To avoid accusations that you didn't work quickly enough to solve a problem, McKenzie suggests calling in an IT forensics consultant -- even if you think your IT staff is talented enough to analyze Web logs and other records effectively. "It shows you're taking it seriously: 'We hired this gunslinger to help solve the problem expeditiously,'" she says. "If someone sues you for damages, it looks good from a PR standpoint that you hired someone immediately." You should keep a fact-finding log to record any actions that the security team takes and any people it contacts, and that log should include the precise timing of every action. "When that's all logged, it's easier when someone asks what happened," Baich says. Finally, when it comes time to communicate with customers or the general public, "be understanding and reassuring," says McKenzie. "There's a tendency for people harmed by these incidents to sense a lack of empathy for their situation." A kind and caring attitude on your part may lessen the chance of lawsuits and other litigious behavior, she says. 
"A security disaster will cause many to doubt the company's ability to continue operating," Gregory says, "so you need to respond with well-thought-out statements that give the media and customers confidence that you're in control and are dealing with it." Brandel is a Computerworld contributing writer in Newton, Mass. Contact her at marybrandel at verizon.net. From isn at c4i.org Tue Oct 4 01:49:57 2005 From: isn at c4i.org (InfoSec News) Date: Tue Oct 4 01:56:47 2005 Subject: [ISN] Flaw found in Kaspersky antivirus Message-ID: http://beta.news.com.com/Flaw+found+in+Kaspersky+antivirus/2100-1002_3-5887857.html By Joris Evers Staff Writer, CNET News.com October 3, 2005 A "critical" flaw in Kaspersky Lab's antivirus software could let an attacker commandeer systems that use the products, a security researcher warned Monday. The problem lies in Kaspersky's antivirus library, security researcher Alex Wheeler wrote in an advisory (download PDF of advisory here) [1]. The vulnerability likely affects multiple Kaspersky products on various platforms because the library is used throughout the company's consumer and corporate software, he said. Additionally, third-party products that use Kaspersky's antivirus technology could also be vulnerable, Wheeler said. A remote attacker could exploit the heap overflow flaw by sending a malformed CAB file--a compression file--to a vulnerable system, the French Security Incident Response Team said in an advisory. The CAB file could be sent in an e-mail, for example, and once the Kaspersky antivirus scanner had accepted it, the malicious code would be in the system. No user interaction is required, Wheeler said. FrSirt describes the issue as "critical," its highest rating. A representative for Kaspersky in Moscow could not immediately comment on the issue and said that the Russian company would need to investigate. 
Antivirus software is like low-hanging fruit to hackers, Yankee Group analysts wrote in a research paper released earlier this year. As the pool of easily exploitable security bugs in Microsoft Windows dries up, attackers are looking to security software for holes to get into systems, the analysts said.

At the Black Hat Briefings security conference this summer, researchers at Internet Security Systems outlined vulnerabilities in antivirus products. ISS has discovered bugs in products from security software makers including Symantec, McAfee, Trend Micro and F-Secure.

Copyright © 1995-2005 CNET Networks, Inc. All rights reserved.

[1] http://www.rem0te.com/public/images/kaspersky.pdf

From isn at c4i.org Tue Oct 4 01:49:01 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 4 01:57:20 2005
Subject: [ISN] Q&A With 'Wormologist' Vern Paxson
Message-ID:

http://www.informationweek.com/showArticle.jhtml?articleID=171202582

By Kelly Jackson Higgins
Secure Enterprise
Oct. 1, 2005

Vern Paxson
Senior scientist at the International Computer Science Institute, University of California-Berkeley, and staff scientist at Lawrence Berkeley National Laboratory

Paxson, one of the industry's foremost worm experts, developed the open-source intrusion-detection tool Bro and has conducted studies on the genesis and propagation of worms and other malware. He was recently named to the advisory board of start-up ConSentry Networks, which has developed a next-generation, hardware-based IDS.

How did you become a renowned 'wormologist'?

In part, it was luck. When Code Red came out in 2001, it was fascinating to observe it from the Bro tool, and [the International Computer Science Institute] had forensic logs from it at Lawrence Berkeley National Laboratory. We knew every single probe from the worm, and that allowed me to study its progress. We got Code Red 2 just a couple of weeks later, and then Nimda six weeks later, and it was fascinating seeing all the worms interacting.
We had this very rich data ... including an estimate of the total size of the worm, with upward of 300,000 infected [machines].

How have worms evolved since the first one, written in 1988 by Robert T. Morris?

It's easier to create them now because there are more toolkits. But the evolution of worms has been surprisingly slow. Slammer in 2003 was different, though--the entire worm fit into a single packet and was connectionless, so it could go fast. It wasn't anything anyone had predicted.

Aside from its historical precedent, what was so special about the Morris worm?

That worm was brilliantly built and remains the best-designed one ever. It had multiple modes, which we later saw with Nimda are very effective. And it had topological scanning ... It went through the information on the locally infected machine to try to find other machines. The Morris worm also came with its own built-in password cracker.

Where do worms go from here?

A big threat is the commercialization of malware. The lay of the land is changing, from the equivalent of vandals doing their work to people who will commoditize malware and use it to make money. The rise of this commercially motivated attacker is very disturbing, and inevitable. There's a paper in the research world that talks about how you can specialize in just doing the worm technology without being involved in the exploitation of it. There's going to be some sort of black market where criminals hook up with people with worm access.

Also on [the horizon] are blended threats, where a malware writer puts together viruses and botnets and uses a botnet to propagate the keylogger that then feeds into your encrypted point-to-point network and extracts all the goodies.

Are there worms against which we can't defend?

We published a paper for DARPA [Defense Advanced Research Projects Agency] on the worst-case scenario of a worm. We sketched how it's not implausible that a worm could get 10 million to 15 million desktops in a day.
But we could not resolve the question of how much damage this type of worm would really inflict. Still, we're racing against the clock. If I see tomorrow that some huge worm has hit, it won't surprise me.

What scares you most about worms?

The worms that don't randomly scan--topological worms, which get their target information separate from scanning. And detection-scanning worms--in particular, the ones that can go after Windows or Cisco vulnerabilities. The recent brouhaha over executable code on Cisco routers gave a lot of people pause. If we had a Cisco exploit, it could really do damage.

Also in the back of my mind is cyberwarfare. You'd be a fool if you were in the modern military and not planning for cyberattacks and working on defenses to it.

What about viruses?

Viruses seem like old news today because there's still a huge class of them that don't show much innovation. They're just variants. But I would expect viruses to be a key part of blended attacks, where a virus would be used to cross a firewall, for example.

What's the danger of going overboard with security?

There's going to be a huge struggle over control of the Internet, which is driven by concerns about security, intellectual property and politics. This could unfold in a lot of ways that wouldn't be pretty. The key question is, can we have an architecture so we get security control without losing the infrastructure and its real power? Regulating that traffic must terminate at a proxy that must be able to see your traffic in clear text to see if the text is allowable, for instance. Now you've created an incredible point of control that has obvious uses for going after criminals, but it also [breeds] political repression and commercial gain, good or bad.

There's a new National Science Foundation initiative to rethink Internet architectural notions.
[The International Computer Science Institute] and other institutions are thinking about how to get funded to look at new security architectures that provide these controls that are needed, but in a way that doesn't throw out the baby with the bathwater.

From isn at c4i.org Tue Oct 4 01:49:14 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 4 01:57:55 2005
Subject: [ISN] ASEAN cyber terrorism experts open forum in Cebu
Message-ID:

http://www.tempo.com.ph/news.php?aid=16816

By MARS W. MOSQUEDA JR.
October 04, 2005

CEBU CITY - Media practitioners were barred from entering the function room where diplomats, cyber security and terrorism experts and policy level officials from 25 nations converged to begin the three-day "2nd ASEAN Regional Forum Seminar on Cyber-terrorism."

Aside from Asean countries, representatives from the United States, Australia, Japan and New Zealand are also present in the forum as observers.

Behind closed doors, participants openly discussed and shared information and ideas on national policies on cyber terrorism and encouraged ARF participating countries to continuously cooperate and collaborate with each other in effectively addressing diverse cyber related threats and cyber terrorism.

A source said that aside from the recommendations on anti-cyberterror and e-counter terrorism, each participating ARF country was asked to come up with a program that will be submitted to the ARF Ministers. It is hoped that a network of contacts will be developed, enlarged, and continuously updated.

The three-day seminar aims to build and nurture a level of trust and confidence that will enable continued information sharing and related communications long after the seminar is over. The ARF network, on the other hand, can be used as an important conduit for the flow of information that can be used in our daily fight against terror and actual cyber-terrorism-induced crisis situations.
The 1st ARF seminar on cyber terrorism was held in Jeju Island, Korea on November 13-15 last year and was co-chaired by the Republic of Korea and the Philippines. The forthcoming second ARF seminar is a follow-up forum that will take off from the discussions and recommendations put forward during the first seminar on cyber-terrorism.

The ARF ministers during the 11th ASEAN Regional Forum Ministerial Meeting in Jakarta on July 2 last year highlighted the need for greater regional cooperation to counter terrorism, particularly in the area of law enforcement and intelligence sharing, and to address the emotional and psychological reasons behind extremism and terrorism. One of the measures approved by the ARF ministers is a series of ARF seminars and workshops on counter-terrorism.

From isn at c4i.org Tue Oct 4 01:50:07 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 4 01:58:40 2005
Subject: [ISN] Symantec buys BindView Development for $209 million
Message-ID:

http://www.networkworld.com/news/2005/100305-symantec-bindview.html

By Peter Sayer
IDG News Service
10/03/05

Symantec Monday announced it plans to buy security compliance software vendor BindView Development for $209 million in cash. The deal will close in the first quarter of 2006, subject to approval from regulators and shareholders, Symantec said.

The two companies provide software that may help businesses and government organizations comply with regulatory requirements such as the Sarbanes-Oxley Act and the Federal Information Security Management Act in the U.S., or the Basel II financial regulations in Europe.

Symantec's security systems use software agents to ensure compliance with security policies, while BindView's approach is agentless, Symantec said. The two approaches are complementary, it said.
The agent-based approach is more suited to complex, mixed IT environments, while the agent-less model requires fewer staff to manage and is suited to companies with large numbers of similar systems spread across many sites, it said.

Last month, Symantec announced its intention to buy WholeSecurity, a company in Austin, Texas, that develops software for detecting new viruses based on their behavior, rather than their code. In August, it bid for another security compliance software developer, Sygate Technologies of Fremont, Calif.

From isn at c4i.org Tue Oct 4 01:50:21 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 4 01:59:17 2005
Subject: [ISN] IT security requirements now part of the FAR
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/37162-1.html

By Jason Miller
GCN Staff
09/30/05

One of the final pieces to improving agency IT security across the government finally is in place: Starting today, contracting officers must include cybersecurity requirements in acquisition planning.

The Federal Acquisition Regulations Council issued an interim rule [1] today outlining five new steps acquisition workers must take to ensure IT security is incorporated into all purchases. As an interim rule taking effect now, the FAR Council will accept comments until Nov. 29.

This rule has been in the works for some time. The E-Government Act of 2002, which included the Federal Information Security Management Act of 2002, called for increased security in all phases of the system's lifecycle. And the FAR Council has been writing this rule since 2003 [2].

"The intent of adding specific guidance in the FAR is to provide clear, consistent guidance to acquisition officials and program managers," the rule said, "and to encourage and strengthen communication with IT security officials, CIOs and other affected parties."
The rule:

* Requires acquisition professionals to seek the advice of IT security specialists
* Defines information security
* Incorporates security requirements in acquisition planning and when describing agency needs
* Requires contracting officers to adhere to Federal Information Processing Standards
* Requires contracting officers to include appropriate agency security policy and requirements in IT acquisitions.

"The Councils recognize that IT security standards will continue to evolve and that agency-specific policy and implementation will evolve differently across the spectrum of federal agencies," the rule said. "Agencies will customize IT security policies and implementations to meet mission need[s]."

[1] http://a257.g.akamaitech.net/7/257/2422/01jan20051800/edocket.access.gpo.gov/2005/05-19468.htm
[2] http://www.gcn.com/21_25/news/19772-1.html

From isn at c4i.org Wed Oct 5 00:43:09 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Oct 5 00:50:26 2005
Subject: [ISN] AusCERT2006 - Call for Presentations and Tutorials
Message-ID:

Forwarded from: auscert@auscert.org.au

Greetings,

This is a call for papers and tutorials for AusCERT2006, the AusCERT Asia Pacific Information Technology Security Conference. The conference will take place from 21st - 25th May 2006 at Royal Pines Resort, Gold Coast, Australia. Accepted presentations will be included in the business, technical or tutorial streams.

The theme for AusCERT2006 is - IT Security: It's everyone's business.

For details on how to submit your presentation please refer to:
http://conference.auscert.org.au/conf2006/cfp2006.html

Note that this is not an academic refereed call for papers. A separate refereed stream for research and development is available for this purpose. For further details about the academic stream please refer to:
http://www.isi.qut.edu.au/events/auscert2006/

We look forward to receiving your submissions.
Regards,
The AusCERT2006 Conference Programme Committee

===========================================================================
AusCERT (The Australian Computer Emergency Response Team)
The University of Queensland
Brisbane Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only.
===========================================================================

From isn at c4i.org Wed Oct 5 00:43:22 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Oct 5 00:50:53 2005
Subject: [ISN] Government creates network to fight hackers
Message-ID:

http://news.zdnet.co.uk/internet/0,39020369,39225753,00.htm

Kablenet
October 03, 2005

The Office of the Deputy Prime Minister has approved the creation of nine regional IT security information sharing networks to cover all English councils, officials said on 29 September, 2005.

The networks, which are likened to a virtual neighbourhood-watch service, enable council IT security specialists to share information on hackers, software vulnerabilities and online threats. Known as Warning Advice and Reporting Points (Warps) they are to be initiated by the nine regional government offices, although it is hoped that the networks will eventually spring up "organically" among groups of local authorities.

The Warps concept has been under development for some time in Whitehall but is now set to be promoted across the wider public sector and small businesses as well as councils.

Speaking to Government Computing News, Peter Burnett, head of information sharing and international strategy at the National Infrastructure Security Co-ordination Centre (NISCC) said that the new networks go beyond the capabilities of the existing warning service.
Until now, authorities across the public sector have had to rely upon the Unified Incident Reporting and Alert Scheme (Uniras) to get updates on Internet threats.

"The reason we conceived the Warps was because Uniras was asked to look at local authorities, but that is not really its area of expertise," he said. "We had the choice of allocating more staff to Uniras, but we felt that it was trying to do too many things for too many people. Having these local communities run by and for the people who need the information would be the best way."

Burnett said that the aim was not to replace Uniras, but that the local Warps would supplement the central service. "The approach is to find the right champion in each region. We need leading local authorities to take this forward - we've already got Birmingham on board for example."

The scheme is being rolled out following extensive piloting involving the London Connects e-government organisation and local authorities in Kent. Each region is to get £50,000 to set up the network, which is being matched by local funds.

NISCC is also in initial talks with the NHS to set up similar IT security communities, and is looking to extend the service to police forces via the Police IT Organisation (Pito). A Pito Warp is already in place, as is one covering emergency services in the north-west.

Burnett had earlier promoted the service at an event organised by Kable on behalf of the Cabinet Office Central Sponsor for Information Assurance. He told delegates that he hopes people would use the network to share information on IT security and build trust.

"Once one person takes the risk and donates something to others it will hopefully start a whole process of sharing," he said. "The whole idea is that it's relevant to local needs, it allows a community to deliver notifications in any format so that it's relevant and easily understandable.
"We want them to become endemic, to just pop up all over the place and to help protect the critical national infrastructure and everyone else," he said. Burnett was speaking at the first of a series of three road shows - the two other events are at Leeds on 25 October and Cardiff on 31 October. Copyright ? 2005 CNET Networks, Inc. All Rights Reserved. From isn at c4i.org Wed Oct 5 00:43:34 2005 From: isn at c4i.org (InfoSec News) Date: Wed Oct 5 00:51:16 2005 Subject: [ISN] Gurgaon cops get NASSCOM cyber crime tips Message-ID: http://cities.expressindia.com/fullstory.php?newsid=151629 Express News Service October 05, 2005 Gurgaon, October 4: Faced with increasing incidents of cyber crime coupled with criticism over the lack of ability of it's officials to effectively deal with such cases, Haryana Police have finally decided to get help from NASSCOM which is holding a seven-day Special Training programme train the policemen from Gurgaon Range. The programme, which began today at Dronacharya Engineering College will train a total of 30 police official from districts Gurgaon, Faridadad, Rewari and Narnaul in the fields of Computer Basics, storage devices, computer communications, internet and intranet, email, mobile phone forensics, Electronic Environment and legal issues. Along with NASSCOM experts, several CBI officers will also interact with the trainees. The first major case of alleged cyber-crime that rocked Gurgaon was after an expose by a British tabloid claiming that it's reporter had managed to buy confidential information like credit card and health details of British nationals from a computer software worker employed with a web-designing company. Following a furore over the matter, Haryana Chief Minister Bhupinder Singh Hooda ordered an inquiry into the matter, the results of which are still not known. Ill-equipped to investigate the case, Gurgaon Police apparently pushed the case into cold-storage. 
Of late, Gurgaon has witnessed two cyber-crime cases, that of data theft and hacking and misuse of e-mail ID.

From isn at c4i.org Wed Oct 5 00:42:12 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Oct 5 00:52:00 2005
Subject: [ISN] Hack attack linked to annular eclipse
Message-ID:

http://www.theregister.co.uk/2005/10/04/hacker_eclipse/

By John Leyden
4th October 2005

Are hackers affected by lunar cycles? The question arises after we were sent a screenshot [1] of the defacement of space.com yesterday morning. The attack happened hours before an annular eclipse [2] reached Europe. Coincidence? We think not.

There's a lot of talk about zombie bots (PC infected by malware and under the control of hackers) but what of werewolves? Admittedly the defacement of space.com made no mention of lycanthropy but security vendors are always fond of talking about "silver bullet solutions" to hacker threats. There's even been a werewolf virus.

This might all sound a bit thin but if college profs can get financing to do studies on gay cows then surely the links between malicious hackers and shape shifting merit closer inspection. And while they're at it the putative study might also want to consider why the major virus outbreaks of the year (Nimda, Blaster, Zotob etc.) always hit in August. We suspect virus writers getting bored during their summer holidays from school or college might be behind this one. ®

[1] http://www.theregister.co.uk/2005/10/04/space_hack.jpg
[2] http://sunearth.gsfc.nasa.gov/eclipse/SEmono/ASE2005/ASE2005tab/ASE2005-Tab14.html

From isn at c4i.org Wed Oct 5 00:42:37 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Oct 5 00:52:45 2005
Subject: [ISN] "Teach them a healthy dose of fear"
Message-ID:

http://news.ft.com/cms/s/8dfd0dfa-34ed-11da-9e12-00000e2511c8.html

By Kevin Allison
October 4 2005

Browsing through the array of personal security services available to top executives and other wealthy people can feel a bit like watching a James Bond film.
Small arms training and evasive driving lessons may sound over the top to the average observer. However, for the very wealthy, and especially for those whose wealth brings notoriety, risks to personal security can be very real.

Earlier this year, a former painter at David Letterman's Montana ranch was arrested after he bragged to an acquaintance about a plot to kidnap the talk show host's son and nanny and demand $5m in ransom. Thanks to the would-be kidnapper's big mouth, Mr Letterman and his family were spared a terrible ordeal, and the man was sentenced to 10 years in prison.

Other cases have ended in tragedy. In a notorious incident in 1992, Sidney Reso, a wealthy Exxon executive, was kidnapped at gunpoint in his driveway by a disgruntled former employee. Mr Reso, who was wounded during his abduction, was kept bound in a tiny storage locker for days before he died of a heart attack.

But don't pick up the phone and order that kevlar-reinforced panic room and team of bodyguards just yet. Although kidnapping remains an issue for those who travel to global hot spots, experts say most security threats are more mundane.

"Bodyguards are one layer of protection, but we like to suggest to our clients to pre-empt and avoid problems," says Gary Noesner, senior vice president of crisis and security management at Control Risks Group, a risk consultancy.

Improving personal security starts with a basic risk assessment. These can cost a wealthy client anywhere between $12,000 and $24,000, according to security experts. Consultants performing a risk assessment evaluate factors ranging from the physical security of a client's primary and secondary homes, to their personal habits and the frequency of their international travel to get a feel for potential vulnerabilities.

Some risks are no-brainers. "The flamboyant risk-taker that's out clubbing every night is probably at the greatest risk," says Mr Noesner. "Notoriety is a big issue.
You don't want to be marked as someone who has wealth."

This especially applies to children who may not realise that their family wealth may make them a target. "You want to teach them a healthy dose of fear," Mr Noesner says. "They may not understand that they may be subject to special interest because of how wealthy their father is. They have to realise that not everybody who asks questions about that is a good person."

One of the most basic mistakes high net worth people make is not paying enough attention to who they allow to come into close contact with their family, whether they are friends of troubled relatives or improperly vetted domestic help.

"Everybody has something in their closet, whether it's a crazy nephew or something like that, that can create problems for them," says Donald Henne, a senior director at Kroll, the risk consultants. Moreover, "a lot of these high net worth individuals have personal confidants that know everything about them. There are risks there on the financial side and on the personal side."

Simple precautions can go a long way toward lowering these risks. A routine background check on Kelly Frank, the painter behind the Letterman kidnapping plot, would have revealed that he had been placed under police supervision after a run-in with the law in 1999. For risk-taking entrepreneurs unaccustomed to the attention their new-found fortune can bring, such insights may not come naturally.

The rise of the internet and other electronic technologies has opened the floodgates to new security threats from tech-savvy thieves and fraudsters. Although identity theft is a problem at all levels of the economic ladder, the wealthy make particularly tempting targets. Chubb Group, the insurance company, says that one in five Americans has reported an incident of identity theft, but "we believe that there are potentially twice as many victims as have been reported."

Most identity theft is confined to a few unauthorized credit card purchases.
But in extreme cases, a fraudster who stumbles onto the right information can assume another person's identity and travel, sign contracts or commit other fraud in their name. Chubb says its identity theft insurance policy, which covers up to $25,000 in expenses related to an incident of identity theft, such as the cost of restoring one's credit rating, has been a hit among wealthy customers.

Security consultants can analyse how clients handle sensitive information to help prevent such things happening in the first place. "A lot of clients, when you talk to them about shredding, they think there's no chance that anyone is going to get ahold of their bank account statements or stock statements," says Mr Odom at the Ackerman Group. "We tell clients not to give away information about themselves gratuitously when travelling and about the advantages of using cash instead of credit when travelling overseas."

And what about kidnappings? People who travel to Latin America and, increasingly, the Middle East, have the most to worry about in that department. Mr Noesner at CRG says that the threat posed by kidnappers is directly linked to the efficiency of a country's police services. Thus, in the US, kidnapping for ransom is almost non-existent. Most kidnappings in the US involve sexual motives instead. "If it's in Mexico City, it's about ransom. If it's in the US, it's about rape, and if it's in Iraq, it's about political theatre and execution," Mr Noesner says.

When travelling abroad, the key to mitigating kidnapping risk is what the professionals call "situational awareness" - a good understanding of where you are and what is happening around you. Wealthy executives who travel abroad should perform due diligence to make sure they are aware of customs regulations, local laws and security arrangements. An array of services exists to ensure that at-risk travellers have access to good medical care and, if necessary, a quick way out of trouble.
In extreme cases, a client may require "close protection" - industry slang for bodyguards. But for most, a quiet investigation into the handyman's poker habit and a review of methods for disposing of bank receipts will have to do.

From isn at c4i.org Wed Oct 5 00:42:52 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Oct 5 00:53:34 2005
Subject: [ISN] October Named National Cyber Security Awareness Month
Message-ID:

http://www.govtech.net/magazine/channel_story.php/96846

By Corey McKenna
Oct. 03, 2005

Sunday marked the first day of October and the start of National Cyber Security Awareness Month, with state, local and federal government officials joining industry groups and computer security companies to highlight efforts that will be taken this month to educate consumers in how to stay safe online.

New York State, the University of North Carolina and the city of Charlotte, N.C., are joining the Department of Homeland Security, the National Cyber Security Alliance and numerous companies from the computer security industry to promote educational initiatives and free software giveaways to encourage the adoption of good cyber security practices in small businesses and citizens' homes.

New York Governor George Pataki is one of the first governors to accept an invitation by the National Cyber Security Alliance to sign a proclamation setting aside this month in recognition of the importance of cyber security. On its Web site, the New York Office of Cyber Security and Critical Infrastructure Coordination offers a link to a calendar of cyber security awareness events for the month. One of those events is a two-day cyber security summit in the state capital of Albany hosted by Government Technology Conference and the State of New York on October 19th and 20th. The summit includes sessions focused on teaching children to stay safe online and how state and local government officials can improve the state of cyber security in the agencies they manage.
The mayor of Charlotte, N.C., Pat McCrory, has joined Pataki in issuing a proclamation recognizing October as National Cyber Security Awareness Month. In addition, University of North Carolina at Charlotte graduate students will conduct free public workshops at Charlotte-Mecklenburg County Public Library branches the week of Oct. 3-9. Workshops are scheduled for 6 p.m., Oct. 3, at the Main Library, 310 North Tryon St.; 6 p.m., Oct. 4, at the Beatties Ford Road Branch Library, 2412 Beatties Ford Road; 2 p.m., Oct. 6, at the South County Regional Library, 5801 Rea Road; and 3 p.m., Oct. 9, at the North County Regional Library, 16500 Holly Crest Lane in Huntersville.

In addition, the annual 2005 Fall Computer Security Symposium for computer security professionals will be held Wednesday, Oct. 12, at UNC Charlotte's University Cone Center. The conference is open to cyber security professionals, including business continuity professionals, IT managers, software developers, systems administrators, information security professionals and policy makers. Speakers will include Pulitzer Prize finalist Robert O'Harrow, author of "No Place to Hide," as well as industry leaders, the Department of Homeland Security, and the FBI.

San Diego State University has also planned cyber security-related educational activities for the month of October.

The National Cyber Security Alliance and the Department of Homeland Security will be airing a public service announcement titled "Stop, Think, Click" to encourage consumers to protect their personal information through safe Internet browsing practices. NCSA and DHS will also be sponsoring a variety of regional events such as small business workshops and cyber security bootcamps, as well as student assemblies, Web casts and events at college campuses to raise awareness of cyber security among the academic community.
"Cyber Security Awareness Month is an opportunity to raise awareness of the importance of cyber security and empower all Americans to protect themselves online and ensure that their computers are not used to attack others," said Andy Purdy, acting director of the National Cyber Security Division at the Department of Homeland Security.

"We share a common goal with Homeland Security and our industry partners, to provide Americans with the tools and information they need to practice safe online behaviors during National Cyber Security Awareness Month and throughout the year," said Ron Teixeira, Executive Director of the National Cyber Security Alliance.

McAfee and RSA Security are among the companies participating in National Cyber Security Awareness Month.

Recognition of the importance of cyber security during the month of October isn't limited to the United States. The conference "Cyber Security: Dimensions of Critical Infrastructure Protection" is taking place in Munich, Germany, October 25-28, where over 150 information security experts and government officials will meet to discuss the challenges of cyber security and the protection of critical information infrastructure.

This year, public officials have been pushing hard on promoting Internet safety and cyber security. Earlier this year, the U.S. Senate passed a resolution recognizing June as National Internet Safety Month, which led to a series of educational events aimed at keeping kids and teens safe online.
From isn at c4i.org Wed Oct 5 00:43:56 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Oct 5 00:54:15 2005
Subject: [ISN] Text Hackers Could Jam Cellphones, a Paper Says
Message-ID:

http://www.nytimes.com/2005/10/05/technology/05phone.html

By JOHN SCHWARTZ
October 5, 2005

Malicious hackers could take down cellular networks in large cities by inundating their popular text-messaging services with the equivalent of spam, said computer security researchers, who will announce the findings of their research today.

Such an attack is possible, the researchers say, because cellphone companies provide the text-messaging service to their networks in a way that could allow an attacker who jams the message system to disable the voice network as well. And because the message services are accessible through the Internet, cellular networks are open to the denial-of-service attacks that occur regularly online, in which computers send so many messages or commands to a target that the rogue data blocks other machines from connecting.

By pushing 165 messages a second into the network, said Patrick D. McDaniel, a professor of computer science and engineering at Pennsylvania State University and the lead researcher on the paper, "you can congest all of Manhattan."

Professor McDaniel and the other faculty author, Thomas F. La Porta, have extensive experience in computer security, including work in the telecommunications industry. The findings are expected to be released today at Penn State, and as a formal research paper at a computer security conference next month.

Cellular companies acknowledge that such attacks are possible, but say that they have developed systems to prevent effective ones. "If you're not prepared, that could happen," said Brian Scott, senior manager for wireless messaging operations at Sprint. "If you are prepared and you have means in place to identify, detect and mitigate that, it's not as much of a concern."
Other specialists said such systems would face many of the same obstacles as those that try to block denial-of-service attacks, one of the thorniest problems in countering hackers. "The solutions don't tend to be very elegant" in the Internet world, said Gary McGraw, chief technical officer of Cigital, a security consultant to the computing and telecommunications industries. "And I believe it will be the same thing on cellphones."

In their research, the authors concluded that all major cellular networks were vulnerable, and that a single computer with a cable modem could do the job. The researchers do not appear to believe that anyone has deliberately disrupted cellphone networks in this way, although it appears to have occurred by accident in other nations.

The text-messaging system, called S.M.S. for short messaging service, is an increasingly important part of the cellular network. Aside from its popularity with users, especially teenagers, it has gained prominence as a way to communicate when voice networks fail, as in emergencies like the terrorist attacks on Sept. 11, 2001. The system works even when cellular calls do not because text messages are small packets of data that are easy to send, and because the companies transmit them on the high-priority channel whose main purpose is to set up cellphone calls.

But therein lies part of the vulnerability, Professor McDaniel said. The control channel cannot handle large amounts of data, he said, so by flooding the channel with messages, it is possible to prevent voice calls from going through. "This is a traffic-jam problem," he said. "You're sending too many cars down a two-lane road."

Specialists not connected with the study said that weak link, combined with computers' ability to automatically repeat Internet processes at blinding speed, added up to a serious threat.
"Any time a vulnerability in the physical world exists that can be exploited via computer programs running on the Internet, we have a recipe for disaster," said Aviel D. Rubin, technical director of the Information Security Institute at Johns Hopkins. "It is as though those who wish to harm us have a magic switch that can turn off the cellular network."

The Penn State researchers said that once they began exploring the vulnerabilities of the network, they proved their concepts on a small scale by using their own cellphones. "We were very, very careful," Professor McDaniel said. "We never sent more traffic than was necessary." Their research proved that blocking networks was possible, a conclusion they later verified in private conversations with telephone company engineers and government regulators, he said.

One challenge for would-be attackers, according to the paper, is pulling together a list of working cellphones in a specific geographical area. But that, too, is made simpler via the Internet; the authors describe a process using Google and some search tricks that allowed them to collect 7,308 cellular numbers in New York City and 6,184 from Washington "with minimal time and effort."

Though the vulnerability is serious, Professor McDaniel said, it is still the kind of thing that could only be carried out by skilled attackers, at least for now. "It seems to me unlikely that a small number of unsophisticated users would be able to mount this attack effectively," he said.

The paper, to be posted online at www.smsanalysis.org, also offers suggestions for heading off the problem. The most direct solution, simply disconnecting the short messaging services from the Internet gateways, is not practical, Professor McDaniel said. But technologies to limit the messages being inserted into the network could provide some protection.
Among the other recommendations is separating the voice and data in the next generation of cellphone technology so data jams cannot affect voice calls.

Cellular companies said they were moving forward on this and other security issues. A spokesman for Cingular, Mark Siegel, said his company "constantly and aggressively monitors potential threats to the integrity and security of its network," but added, "As a rule, we don't comment on the defensive measures we have put in place or may put in place."

Dave Oberholzer, a marketing manager for information at Verizon Wireless, said the company was well protected against this kind of attack because of software the company had put in place to insulate users from cellphone message spam. "We have fairly robust spam filters on those gateways," he said. "All of that is pretty much automated at this point."

Mr. McGraw, the chief technical officer of Cigital, said the goal of research like the Penn State paper was not to help hackers scale new heights, but to alert companies to problems before someone exploited them. Getting the word out "has to be done very responsibly and very carefully," he said. "You don't want people to panic, but you do want them to sit up, take notice and do something about it."

From isn at c4i.org Thu Oct 6 00:07:20 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 6 00:18:19 2005
Subject: [ISN] Espionage Case Breaches the White House
Message-ID:

Forwarded from: William Knowles

http://abcnews.go.com/WNT/story?id=1187030&page=1

By BRIAN ROSS and RICHARD ESPOSITO
ABCNews
Oct. 5, 2005

Both the FBI and CIA are calling it the first case of espionage in the White House in modern history. Officials tell ABC News the alleged spy worked undetected at the White House for almost three years. Leandro Aragoncillo, 46, was a U.S. Marine most recently assigned to the staff of Vice President Dick Cheney.
"I don't know of a case where the vetting broke down before and resulted in a spy being in the White House," said Richard Clarke, a former White House advisor who is now an ABC News consultant.

Federal investigators say Aragoncillo, a naturalized citizen from the Philippines, used his top secret clearance to steal classified intelligence documents from White House computers. In 2000, Aragoncillo worked on the staff of then-Vice President Al Gore. When interviewed by Philippine television, he remarked how valued Philippine employees were at the White House. "I think what they like most is our integrity and loyalty," Aragoncillo said.

Classified Material Transferred by E-Mail

Officials say the classified material, which Aragoncillo stole from the vice president's office, included damaging dossiers on the president of the Philippines. He then passed those on to opposition politicians planning a coup in the Pacific nation.

"Even though it's not for the Russians or some other government, the fact that it occurred at the White House is a matter of great concern," said John Martin, who was the government's lead espionage prosecutor for 26 years.

Last year, after leaving the Marines, Aragoncillo was caught by the FBI while he worked for the Bureau at an intelligence center at Fort Monmouth, N.J. According to a criminal complaint, Aragoncillo was arrested last month and accused of downloading more than 100 classified documents from FBI computers. "The information was transferred mostly by e-mails," said U.S. Attorney Christopher J. Christie at the time of Aragoncillo's arrest.

Since that arrest, officials say Aragoncillo has started to cooperate. He has admitted to spying while working on the staff of Vice President Cheney's office.

*==============================================================*
"Communications without intelligence is noise; Intelligence without
communications is irrelevant." Gen. Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Thu Oct 6 00:07:32 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 6 00:18:45 2005
Subject: [ISN] Bug spotted in Symantec antivirus
Message-ID:

http://news.com.com/Bug+spotted+in+Symantec+antivirus/2100-1002_3-5889518.html

By Joris Evers
Staff Writer, CNET News.com
October 5, 2005

A serious security flaw in part of Symantec's antivirus products puts enterprise systems running the software at risk of intrusion.

A buffer overflow flaw in the Symantec AntiVirus Scan Engine could let remote attackers run code on vulnerable machines, Symantec said in an advisory Tuesday. The problem affects various versions of the engine, which is the part of the security software that actually scans for threats.

Security patches are available to correct the problem, which Symantec rates "high" on its risk impact scale. "Symantec strongly recommends all customers immediately apply the latest updates for their supported product versions to protect against these types of threats," the company said in its alert. No attacks that use the flaw have been reported, Symantec said.

The security hole lies in the Web-based administrative interface of the Symantec AntiVirus Scan Engine, the company said. This interface is part of several of the company's corporate antivirus products. An attacker could exploit it by sending a malformed request to the interface, security intelligence company iDefense said in an advisory. iDefense reported the flaw to Symantec.

Symantec advises people to check their installation. The administrative interface should be accessible only via a secure segment of the network and should never be open outside a company's network, Symantec said.
Disclosure of the Symantec issue is further evidence that researchers are increasingly looking for holes in security products. Protective technology is commonly installed on PCs, servers, network gateways and mobile devices. As it becomes more widespread, the more attractive a target security software becomes to cybercriminals, experts have said. Earlier this week a serious flaw in Kaspersky's antivirus products was disclosed.

Copyright © 1995-2005 CNET Networks, Inc. All rights reserved.

From isn at c4i.org Thu Oct 6 00:06:53 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 6 00:20:03 2005
Subject: [ISN] Security UPDATE -- More Flexible Security Control in IIS 7.0 -- October 5, 2005
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Free Webcast from Postini: Risks of Unmanaged IM
http://list.windowsitpro.com/t?ctl=15605:4FB69

Panda Software
http://list.windowsitpro.com/t?ctl=155F8:4FB69

====================

1. In Focus: More Flexible Security Control in IIS 7.0

2. Security News and Features
- Recent Security Vulnerabilities
- Latest Office Updates Improve Outlook Security
- Symantec to Acquire WholeSecurity

3. Security Toolkit
- Security Matters Blog
- FAQ
- Security Forum Featured Thread

4. New and Improved
- A Security Partner

====================

==== Sponsor: Postini ====

Free Webcast from Postini: Risks of Unmanaged IM

Join noted electronic messaging expert and author Michael Osterman on Thursday, October 20, 2005 as he explores the growing threats associated with Instant Messaging (IM) in your enterprise and what to do about them. In one short hour you'll learn how to find out where your enterprise is vulnerable ... protect against IM-borne threats ... and ensure regulatory compliance within IM.
Register today and learn why IM is the "next frontier" for hackers, spammers, and phishers ... what IM means to your compliance initiatives ... why you can't stop IM threats with typical network safeguards ... and how an integrated message management strategy provides IM threat prevention and compliance. Free white paper and technology overview when you attend. Register now.
http://list.windowsitpro.com/t?ctl=15605:4FB69

====================

==== 1. In Focus: More Flexible Security Control in IIS 7.0 ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

At the recent Microsoft Professional Developers Conference (PDC 2005), IIS Program Manager Chris Adams talked about upcoming features of IIS 7.0, some of which are security related.

IIS 7.0 is built on the IIS 6.0 platform, which is far more secure than previous versions of IIS. Adams said that IIS developers learned over time, particularly because of worms such as Code Red and Nimda, how to improve the Web server's security. Adams said that no security vulnerabilities have been discovered in what he calls the "IIS critical core" since the release of IIS 6.0. Therefore IIS 6.0 serves as a good base to build on.

IIS 7.0 brings new security features such as delegation of authority, which is a significant improvement. This means that people can perform delegated tasks without having administrator-level authority. So for example, in the course of developing a new Web page, a Web developer might want to use a new file extension type. Traditionally, an administrator would need to add that type to the server. But the new delegation features let an administrator delegate that authority to the developer. This capability will improve security administration and increase productivity.

If you've spent a lot of time developing secure applications that run on IIS 6.0, you won't have to spend much time moving them to IIS 7.0. Adams said Microsoft has made sure that IIS 7.0 will support "legacy applications."
Unlike Windows XP, which includes IIS 5.1, and Windows Server 2003, which includes IIS 6.0, Windows Vista and Longhorn Server will both ship with IIS 7.0. The different IIS versions on XP and Windows 2003 posed some developmental and security problems; Microsoft is aiming to avoid those problems in the new Windows client and server OSs.

With previous versions of IIS, developers typically used Internet Server API (ISAPI) and Common Gateway Interface (CGI) to develop custom functionality. But IIS 7.0 will be more modular, which brings at least two benefits: Administrators will be able to deploy IIS 7.0 with only the modules that they require, and developers will be able to replace functionality that they might not like. For example, if you want to use an authentication method other than connecting to the SAM database, you can write a replacement for IIS 7.0's authentication module. The ability to replace this module means that developers can not only create their own means of authenticating users but can also more easily integrate support for other OSs such as Linux, BSD, and Mac OS X.

IIS 7.0 also has a new UI that exposes more of the central configuration (metabase) properties, possibly including some security properties. In previous versions, administrators had to modify some aspects of the metabase by using command-line tools or by manually editing configuration files with Notepad or the Microsoft MetaEdit tool.

That's a brief summary of what you can expect. Development tools and additional information for IIS 7.0 should be available on Microsoft Developer Network (MSDN) by the end of the year. In addition, Paul Thurrott will provide a more extensive review of IIS 7.0 on our Web site sometime in the near future.

====================

==== Sponsor: Panda Software ====

Stopping Crimeware and Malware

Computer users can no longer wait for a new vaccine every time a new security threat appears.
How do you defend your network in a world of smarter, faster, Internet-borne zero-day attacks? Find out about Intrusion Prevention that can detect and destroy unknown malware with virtually zero false positives.
http://list.windowsitpro.com/t?ctl=155F8:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=155FC:4FB69

Latest Office Updates Improve Outlook Security
Microsoft released Office 2003 Service Pack 2 (SP2) and junk email filter updates for Office Outlook 2003. Together they can help protect against phishing attacks. Read more about the updates in this news story on our Web site.
http://list.windowsitpro.com/t?ctl=15602:4FB69

Symantec to Acquire WholeSecurity
Symantec announced that it entered into an agreement to acquire privately held WholeSecurity. The deal is scheduled to close in October. WholeSecurity offers behavior-based security solutions and antiphishing technology.
http://list.windowsitpro.com/t?ctl=15604:4FB69

====================

==== Resources and Events ====

Get Ready for the SQL Server 2005 Roadshow in Europe
Back By Popular Demand--Get the facts about migrating to SQL Server 2005! SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database-computing environment. Receive a one-year membership to PASS and one-year subscription to SQL Server Magazine. Register now.
http://list.windowsitpro.com/t?ctl=155F7:4FB69

Windows Connections 2005 Conference--October 31 - November 3, 2005
At the Manchester Grand Hyatt in San Diego, Microsoft and Windows experts present more than 40 in-depth sessions with real-world solutions you can take back and apply today. Register now and attend two conferences for the price of one!
http://list.windowsitpro.com/t?ctl=1560B:4FB69

Discover SQL Server 2005 for the Enterprise. Are you prepared?
In this free half-day event, you'll learn how the top new features of SQL Server 2005 will help you create and manage large-scale, mission-critical enterprise database applications and make your job easier. Find out how to leverage SQL Server 2005's new capabilities to best support your business initiatives. Register today!
http://list.windowsitpro.com/t?ctl=155F9:4FB69

Deploy VoIP and FoIP Technologies
Voice over Internet Protocol (VoIP) is the future of telecommunications, and many companies are already enjoying the benefits of transporting voice over IP networks to significantly reduce telephone and facsimile costs. Join industry expert David Chernicoff for this free Web seminar to learn the "ins and outs" of boardless fax in IP environments, tips for rolling out fax and integrating fax with telephony technologies, and more!
http://list.windowsitpro.com/t?ctl=155FB:4FB69

Microsoft IT Forum 2005
November 15-17, Barcelona, Spain
Microsoft's European conference for IT professionals on planning, deploying, and managing the secure connected enterprise. Three days of learning, one year of solutions. With a choice of 325+ Technical Learning Sessions, increase your productivity and support your business with new opportunities and ideas.
See the Web site for registration information
http://list.windowsitpro.com/t?ctl=15608:4FB69

====================

==== Featured White Paper ====

Build a Superior Windows File Serving Environment
In this free white paper, get the tools you need to provide a scalable, highly available CIFS file service using inexpensive, industry-standard servers that you can add to incrementally as demands require, while retaining the management simplicity of a single server and a single pool of exported file systems.
http://list.windowsitpro.com/t?ctl=155F6:4FB69

====================

==== Hot Release ====

Maximizing Network Security Against Spyware and Other Threats
Spyware installation usually exploits an underlying security vulnerability in the OS. You can remove spyware, but if you don't also patch the underlying vulnerability, you don't solve the real problem. By leaving your systems open to reinfestation, you risk surging bandwidth consumption, system instability, overwhelmed Help desks, lost user productivity, and other consequences. Unauthorized applications can even result in noncompliance with regulatory requirements. This free white paper addresses the need to manage both the threats and vulnerabilities from one console as a comprehensive security solution.
http://list.windowsitpro.com/t?ctl=155FA:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog: Synopsis of MS Security Bulletin Creation
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=15607:4FB69
Ever wonder what goes on during the creation of a Microsoft security bulletin? Read this blog article to get a synopsis.
http://list.windowsitpro.com/t?ctl=15603:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=15606:4FB69
Q: Can I change the type of logging that Active Directory (AD) uses?
Find the answer at
http://list.windowsitpro.com/t?ctl=15601:4FB69

Security Forum Featured Thread: Too Many Security Log Entries
A forum participant writes that he needs to identify user logon and logoff events. However, he needs to know only logon and logoff times and wants to log the minimum number of related events. He wants to know what policies to adjust to make that happen. Join the discussion at
http://list.windowsitpro.com/t?ctl=155F5:4FB69

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Become a VIP Subscriber!
Get inside access to ALL the articles, tools, and helpful resources published in Windows IT Pro, SQL Server Magazine, Exchange and Outlook Administrator, Windows Scripting Solutions, and Windows IT Security--that's more than 26,000 articles at your fingertips. Your VIP subscription also includes a valuable one-year print subscription to Windows IT Pro and two VIP CDs (includes the entire article database on CD). Sign up now:
http://list.windowsitpro.com/t?ctl=155FF:4FB69

Windows IT Pro Has Answers
You won't want to miss any of the fall issues! Subscribe now and discover the best ways to plan for Longhorn, what you need to know about VBScript, ways to make sense of SQL Server, the 10 Security Tools You Can't Live Without, and much more. You'll also gain exclusive access to the entire Windows IT Pro online article database (more than 9000 articles) and you'll SAVE 44% off the cover price. Click here:
http://list.windowsitpro.com/t?ctl=155FE:4FB69

====================

==== 4. New and Improved ====
by Renee Munshi, products@windowsitpro.com

A Security Partner
Integralis announced Secure Watch, a co-managed security service in two levels: Level 1 for small businesses and Level 2 for large businesses. Secure Watch lets customers work with Integralis Security professionals to protect their corporate networks.
For Secure Watch Level 2, Integralis uses its Security Service Appliance (SSA) to monitor customer networks for thousands of unique problems. When it finds a problem, it alerts the customer's security team, which can then solve the problem or consult with Integralis professionals. Secure Watch Level 1 monitors system health and availability without the need for customer-premises equipment. For more information, go to
http://list.windowsitpro.com/t?ctl=1560C:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Sponsored Links ====

Admins rush to install BLOG servers
How to run your own blog server. Free 5-user license.
http://list.windowsitpro.com/t?ctl=1560A:4FB69

====================

==== Contact Us ====

About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=15609:4FB69
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- salesopps@windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=15600:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.

From isn at c4i.org Thu Oct 6 00:07:53 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 6 00:20:29 2005
Subject: [ISN] Nematodes: The Making of 'Beneficial' Network Worms
Message-ID:

http://www.eweek.com/article2/0,1895,1867317,00.asp

By Ryan Naraine
October 5, 2005

Convinced that businesses will use nonmalicious worms to cut down on network security costs, a high-profile security researcher is pushing ahead with a new framework for creating a "controlled worm" that can be used for beneficial purposes.

Dave Aitel, vulnerability researcher at New York-based Immunity Inc., unveiled a research-level demo [1] of the "Nematode" framework at the Hack In The Box confab in Kuala Lumpur, Malaysia, insisting that good worms will become an important part of an organization's security strategy.

"We're trying to change the way people think," Aitel said in an interview with Ziff Davis Internet News. "We don't want people to think this is impossible.
It's entirely possible to create and use beneficial worms and it's something businesses will be deploying in the future."

For years, security experts have debated the concept of using good worms to seek and destroy malicious worms. Some believe that it's time to use the worms' tactics against them [2] and build good worms that fix problems, but the chaos and confusion associated with self-propelled replicating programs have left others unconvinced.

Aitel is among those who believe it is "inevitable" that worm technology can significantly reduce the cost of disinfecting and maintaining a corporate network.

"We already have a proof-of-concept that can take a very simple exploit, go through a few steps and, in a matter of minutes, create a working nematode," Aitel said. He took the name for the concept from the pointy-ended worm used to control pests in crops.

"We can generate a nematode any way we want. You can make one that strictly controls, programmatically, what the worm does," Aitel explains.

Aitel, who did a six-year stint as a computer scientist at the NSA (National Security Agency) before moving on to work as a code-breaker for research outfit @Stake Inc., is adamant that nematodes can provide the answer for lowering security costs. He sees a world where "strictly controlled" nematodes are used by ISPs, government organizations and large companies to show significant cost savings.

During his Hack In The Box presentation, Aitel outlined the reasons for creating nematodes and displayed strict protocols that can be used to control the beneficial worms. He said nematodes can be automatically created from available vulnerability information and even showed off a new programming language to create the worms.

Aitel acknowledged potential problems with the concept, noting that worms are very hard to write and use large amounts of network bandwidth. Because worms are harder to target and control, he noted that IT administrators live in constant fear.
The concept includes the use of "Nematokens," servers that are programmed to only respond to requests from networks cleared for attacks, and the NIL (Nematode Intermediate Language), which can be used as a specialized and simplified "assembly for worms." The NIL can be used to convert exploits into nematodes quickly and easily. In some cases, Aitel believes that exploits can be written to NIL directly to simplify the process even more.

"This will be part of your security team's toolkit," Aitel argues, noting that his company's work is "research-level proof of concept" that details the theory and theology of using beneficial worms.

"If you look at the security cost of maintaining a large network, most CIOs agree it's way above what they want to pay. With this [nematode] concept, you can take advantage of automating technologies to get protection for pennies on the dollar. That's the drive behind developing a lot of these new forward-looking technologies," Aitel said.

"Nematodes are a step beyond the next step. We're two stages away from using this," he added. "The goal has always been to build the network that protects itself automatically with automated technologies. We're certainly not more than five years away from this sort of technology becoming something that you can buy."

"We already have an engine that takes exploits and turns them into worms and does it in a way that allows you to inject control mechanisms into that. That's something that will appeal to businesses."
[1] http://www.immunityinc.com/downloads/nematodes.pdf
[2] http://www.eweek.com/article2/0,1895,1037004,00.asp

From isn at c4i.org Thu Oct 6 00:08:04 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 6 00:20:49 2005
Subject: [ISN] 'DEC hacking' trial opens
Message-ID:

http://www.theregister.co.uk/2005/10/05/dec_case/

By John Oates
5th October 2005

Horsferry Road Magistrates Court has heard the first day of evidence against the East London man accused of hacking into a donations site for the tsunami appeal last December.

Daniel James Cuthbert, 28, of Whitechapel, London, is accused of breaches of Section One of the Computer Misuse Act, 1990, on the afternoon of New Year's Eve, 2004. He had earlier pleaded not guilty.

Cuthbert is accused of attempting a directory traversal attack on the donate.bt.com site, which handles credit card payments on behalf of the Disasters Emergency Committee.

Giving evidence on his own behalf, Cuthbert, at times near tears, said he had made a £30 donation to the site after clicking on a banner advert. Because he received no final thank-you or confirmation page, he became concerned it may have been a phishing site, so he carried out two tests to check the security of the site.

The case continues tomorrow.

From isn at c4i.org Thu Oct 6 00:08:16 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 6 00:21:11 2005
Subject: [ISN] Audit follows attack on FSU computers
Message-ID:

http://www.tallahassee.com/mld/tallahassee/news/local/12819487.htm

By Rocky Scott
DEMOCRAT STAFF WRITER
Oct. 05, 2005

A campuswide audit of computers at Florida State University will start this month after hackers gained access to two servers on the campus but did no apparent damage, FSU officials said Tuesday.

"We have not had a single person indicate they have had a problem," said Browning Brooks, an FSU spokeswoman, after hackers found their way into computer servers belonging to the FSU Foundation and an internal financial-management server.
Larry Conrad, associate vice president and FSU's chief information officer, said the attacks came from off campus and that FSU police were investigating the incidents. No suspects have been identified, Conrad said.

Joe Lazor, director of university computer systems, said the intrusion into the financial-management server was found in mid-July, and illegal access to the foundation computer was discovered in the second week of August. Both intrusions were discovered during routine monitoring procedures, Conrad said.

Brooks said about 27,000 names of young FSU alumni were in the foundation computer and may have been exposed to the hackers. She said the exposed files were not the entire alumni database, which contains about 450,000 names.

Conrad said the names involved were heavily encrypted, and there was no indication the names had been tampered with or accessed.

"We sent a letter to all the young alumni telling them their files had been exposed" to an attack by a hacker, Browning said.

Conrad said it could not be determined whether any data were gleaned from the financial-management server. He said both servers were replaced, the data were reinstalled, and newer firewalls and other forms of protection were installed on the new servers.

Lazor said it appeared in both instances the hackers were using FSU computers to store large files, the most common reason for most hacker attacks. College campus computers generally have a lot of room to send large files over the Internet, making them attractive targets, Conrad said.

Hackers generally find a way to gain access to a large computer by stealing someone's password or identity, then installing a "kit" in the system that provides entry for the hacker but remains invisible to people using the server.

"They put big files on our computers," Conrad said, "and we don't see them until they (open) the file."
He said attacks on the FSU computer system - there are more than 20,000 computers on campus - have become more common and more complex in the past five or six years. The latest attacks have "Joe and I fundamentally rethinking computer security for the entire campus," Conrad said.

"We are rethinking our approach," he said.

From isn at c4i.org Thu Oct 6 00:06:05 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 6 00:21:34 2005
Subject: [ISN] DHS site offers security tools, tips for software developers
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/37218-1.html

By Patience Wait
GCN Staff
10/05/05

The Homeland Security Department has launched a secure portal to provide best practices, tools and other resources for creating more reliable and secure software for developers and security professionals.

The new Web site, Build Security In [1], was developed in conjunction with the Carnegie Mellon Software Engineering Institute. It was unveiled at a software assurance forum this week co-hosted by DHS and the Defense Department.

The site takes a building-block approach, with content areas separated into different phases of the software development life cycle such as architecture and design, systems analysis and testing, and implementation. Within each area, articles are compiled discussing best practices for that particular aspect of software development.

Andy Purdy, acting director of DHS' National Cyber Security Division, told forum participants that improving the security and reliability of software is a critical element in protecting the nation's infrastructure.

Software assurance efforts have to "shift the paradigm from patch management to true software assurance," Purdy said. "Our objectives are to raise the awareness on software quality and security by improving software development and acquisition processes and practices."
[1] http://buildsecurityin.us-cert.gov/

From isn at c4i.org Mon Oct 10 00:09:15 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 10 00:21:05 2005
Subject: [ISN] Nessus security tool closes its source
Message-ID:

http://news.com.com/Nessus+security+tool+closes+its+source/2100-7344_3-5890093.html

By Renai LeMay
Special to CNET News.com
October 6, 2005

The source code of one of the world's most popular free security tools will no longer be available to all, its creator has announced, saying the software's open-source license was fueling competition.

Renaud Deraison, the primary author of the Nessus vulnerability scanner, broke the news in a message to the software's e-mail list Wednesday.

"Nessus 3 will be available free of charge...but will not be released under the GPL," or General Public License, Deraison wrote.

Nessus, which Deraison says is used by 75,000 organizations worldwide, scans networks for vulnerabilities. The developer, who has been working on the product since at least 1998, said commercial pressures facing Tenable Network Security, the company he started in 2002 around Nessus, were forcing him to stop making the software's source code available.

"A number of companies are using the source code against us, by selling or renting appliances, thus exploiting a loophole in the GPL," he wrote in a later e-mail, justifying his decision. "So in that regard, we have been fueling our competition, and we want to put an end to that. Nessus 3 contains an improved engine, and we don't want our competition to claim to have improved 'their' scanner."

The developer also expressed disappointment over the lack of community participation in developing the software, despite its open-source license. "Virtually nobody has ever contributed anything to improve the scanning engine over the last six years," he wrote, noting that there had been minor exceptions.
Deraison said the existing version 2 of Nessus would continue to be available under the GPL license and receive bug fixes and regular updates. The large library of plug-ins to the software would also continue to be distributed in a way that would allow parties to examine their source code.

Tenable will also cut down the number of system architectures that version 3 of Nessus will support, and one core part of Nessus--its graphical user interface--will be split off into a separate, open-source project, Deraison added.

The developer's decision attracted immediate criticism, notably from the security expert known only as Fyodor. The programmer is the author of Nmap, a complementary network-scanning tool to Nessus, which is widely used among security professionals.

"Tenable argues that this move is necessary to further improve Nessus and/or make more money. Perhaps so, but the Nmap project has no plans to follow suit," Fyodor wrote in an e-mail, alerting his software's user base of the license change.

"Nmap has been GPL since its creation more than eight years ago, and I am happy with that license," he continued.

Another critic posted concerns to the Nessus mailing list that Tenable would eventually get tired of supporting the open-source version 2 of the software and simply forget about it. He raised the possibility that the community could "fork" version 2 of the software--that is, start developing a divergent version of Nessus from the one officially supported by Tenable.

New kid on the block

Deraison said version 3 of Nessus would contain several noteworthy improvements but be broadly backwards-compatible with version 2. The two will be able to share most of the plug-ins that are crucial to the software's operation.

"Nessus 3 is much faster than Nessus 2 and less resource-intensive," the developer wrote.

"Your mileage may vary, but when scanning a local network, Nessus 3 is, on average, twice as fast as Nessus 2, with spikes going as high as five times faster when scanning desktop Windows systems."

"Nessus 3 also contains a lot of built-in features and checks to debug crashes and misbehaving plug-ins more easily, and to catch inconsistencies earlier," he wrote.

Renai LeMay of ZDNet Australia reported from Sydney.

Copyright ©1995-2005 CNET Networks, Inc. All rights reserved.

From isn at c4i.org Mon Oct 10 00:09:54 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 10 00:21:27 2005
Subject: [ISN] Glitch forces fix to cockpit doors
Message-ID:

http://seattletimes.nwsource.com/html/businesstechnology/2002542572_cockpit06.html

By Dominic Gates
Seattle Times aerospace reporter
October 6, 2005

For more than two years, U.S. airplane passengers have flown more securely because high-tech cockpit doors created a barrier to prevent a repeat of 9/11, when terrorists entered the cockpit and commandeered four planes.

But the doors were not foolproof.

In December 2003, a Northwest Airlines maintenance mechanic inside an Airbus A330 jet on the ground in Minneapolis pushed the microphone button to talk into his handheld radio. Though he hadn't touched the cockpit door, he heard the sound of its lock operating.

Radio interference from his walkie-talkie had scrambled the electronics inside the door's locking mechanism.

The discovery sparked a secretive and expensive engineering effort that started with Airbus and eventually hit Boeing, and is only now nearing completion.

The security glitch affected all A330 and A340 jets - about 400 - that had installed an Airbus-designed fortified door. In May 2004, Boeing learned from three airline customers that it, too, had the same problem, affecting some 1,700 jets. All Boeing wide-bodies with fortified cockpit doors designed by the jet maker were vulnerable.

Boeing and Airbus insist there was no immediate danger.
The mechanic had to be standing in precise spots with a particular walkie-talkie tuned to a specific frequency and with a certain signal strength.

"It's an extraordinarily limited issue," said Airbus spokeswoman Mary Anne Greczyn.

Federal Aviation Administration spokeswoman Laura Brown said the agency was unable to replicate the problem on airplanes in flight.

Regardless, top experts at both airplane manufacturers have spent nearly two years working quietly with the FAA to redesign the door lock.

Boeing completed fixing the latches on all its affected jets last month. The FAA this week is expected to issue an airworthiness directive, a formal, after-the-fact order to all U.S.-registered airlines with Boeing jets that they must install a fix designed by Boeing.

All affected Airbus jets registered in the United States, about 20 airplanes, were fixed by September 2004.

"All the foreign carriers that fly [into the U.S.] are fixed, too," said Brown. She said the FAA did not issue an airworthiness directive for Airbus because so few jets in the U.S. were affected.

Airbus' Greczyn said last week the fix is now "nearly completed" on all affected jets worldwide.

Four months after 9/11, the FAA mandated that cockpit doors on all jets flying in the U.S. be strengthened.

The design demands were extraordinarily tricky. The doors had to be strong enough to withstand bullets, yet engineered to burst open to avoid a catastrophic twisting of the airframe in the event of a sudden loss of cabin pressure.

The airlines had just 15 months to change the doors on about 7,000 U.S.-operated aircraft and some 2,000 foreign-owned.

Boeing and Airbus each developed designs using door-locking mechanisms from a California supplier. In both cases, the cockpit door is secured by aluminum rods that slide into the lock or unlock positions when activated by an electronic signal. Rapid decompression would also unlock the door.
A technical expert familiar with the intricacies of radio frequency, or RF, agreed to discuss the interference issue on condition he not be identified. He works for the government and believes he could lose his job for speaking publicly about a sensitive security topic, even in general terms.

The expert said it is difficult to build any electronic product that's protected from radio interference in a wide range of frequency bands.

He said a door controller is typically activated via a numeric code, which produces an electronic signal to unlock the door. A strong-enough external signal of the right frequency flooding the circuit could fool the mechanism into thinking it was the "unlock the door" signal.

"The world is filled with RF signals, and lots of times signals mix. It's mathematically feasible to come up with a combination of frequencies that could mix just enough to be right on target," said the expert. "The world of RF is black magic."

The expert expressed concern that if "an educated electrical engineer with a terrorist mind twist" could get hold of a door-lock controller, it might be possible to reverse-engineer the mechanism and find the frequency that would unlock it.

"It wouldn't take long to break down an engineering formula," the expert said. "It could be done in 30 minutes."

But the chief engineer who led Boeing's effort to fix the problem on its jets said the interference happens only in very narrow circumstances, and that even an electronics expert would have great difficulty exploiting this vulnerability. Boeing asked that the engineer not be named to ensure his personal safety.

"I'd have to have equipment. I'd have to get it through security. I'd have to know the right channel," the chief engineer said. "I'd need to know quite a lot about where parts are installed on the airplane. I'd need to do a lot of things I couldn't actually do" on a commercial flight.
When Boeing first learned of the issue last year, the FAA issued a secret security-sensitive airworthiness directive alerting airlines.

After initially coming up with a quick fix, Boeing decided to go for a longer-term, more-robust solution developed in cooperation with a top FAA specialist based in Seattle.

Team worked in secrecy

A team of about five engineers secretly worked on the problem for more than a year.

"We deliberately kept the wraps on it within Boeing," the chief engineer said. "If people didn't need to know, they didn't know."

Boeing did not provide an estimate of the costs.

"Cost didn't come into it," said the chief engineer. "My concern was making sure we got a good technical solution."

Originally, airlines paid $29,000 for each of the Airbus wide-body door kits and between $40,000 and $100,000 for the Boeing wide-body kits, depending on the plane's model and configuration. The government provided a $97 million subsidy to defray costs, about $13,000 per door.

The FAA tested and certified both door designs; the tests failed to reveal the radio frequency interference issue.

"We did testing for every scenario you can imagine," the FAA's Brown said. "You don't know what you don't know."

Airbus supplied the majority of fortified doors in its own aircraft, and Boeing won 60 percent of the market to install the fortified doors in its jets. After the glitch was discovered, the FAA examined the doors made by third-party vendors and found no similar interference problem.

Both Boeing and Airbus used the same supplier, Adams Rite Aerospace of Fullerton, Calif., for their in-house door control.

Supplier passed tests

Airbus' Greczyn and Boeing spokesman Jim Proulx both stressed the supplier had met certification requirements and passed the interference tests then in place.

Executives at Adams Rite did not return repeated calls or respond to e-mail requests for comment.
Following the scramble to fix the electronic locks, both plane makers are also providing a backup option.

Boeing already had provided a manual bolt lock as a backup. A pilot could use it in case of a perceived threat.

Airbus does not install a mechanical backup lock as standard. But as a result of the locking incident, Greczyn said "a mechanical backup ... has been designed and certified and is available to customers to apply at their discretion."

Copyright © 2005 The Seattle Times Company

From isn at c4i.org Mon Oct 10 00:10:24 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 10 00:21:46 2005
Subject: [ISN] Linux Advisory Watch - October 7th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  October 7th, 2005                            Volume 6, Number 41a  |
+---------------------------------------------------------------------+

  Editors:     Dave Wreski                  Benjamin D. Thomas
               dave@linuxsecurity.com       ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for gtkdiskfree, util-linux, ClamAV, loop-aes, helix-player, backupninja, squid, mysql, ntlmaps, mysql-dfsg, gopher, prozilla, cfengine, mozilla-firefox, apachetop, drupal, mailutils, egroupware, arc, mod-auth-shadow, mason, slocate, vixie-cron, net-snmp, kernel, openssh, binutils, perl, and gdb. The distributors include Debian, Gentoo, and Red Hat.

---

Denial of Service Attacks
By: Dave Wreski

A "Denial of Service" (DoS) attack is one where the attacker tries to make some resource too busy to answer legitimate requests, or to deny legitimate users access to your machine.

Denial of service attacks have increased greatly in recent years. Some of the more popular and recent ones are listed below.
Note that new ones show up all the time, so this is just a few examples. Read the Linux security lists and the bugtraq list and archives for more current information.

* SYN Flooding - SYN flooding is a network denial of service attack. It takes advantage of a "loophole" in the way TCP connections are created. The newer Linux kernels (2.0.30 and up) have several configurable options to prevent SYN flood attacks from denying people access to your machine or services. See Section 7 for proper kernel protection options.

* Ping Flooding - Ping flooding is a simple brute-force denial of service attack. The attacker sends a "flood" of ICMP packets to your machine. If they are doing this from a host with better bandwidth than yours, your machine will be unable to send anything on the network. A variation on this attack, called "smurfing", sends ICMP packets to a host with your machine's return IP, allowing them to flood you less detectably.

* Ping o' Death - The Ping o' Death attack sends ICMP ECHO REQUEST packets that are too large to fit in the kernel data structures intended to store them. Because sending a single, large (65,510 bytes) "ping" packet to many systems will cause them to hang or even crash, this problem was quickly dubbed the "Ping o' Death." This one has long been fixed, and is no longer anything to worry about.

* Teardrop / New Tear - One of the most recent exploits involves a bug present in the IP fragmentation code on Linux and Windows platforms. It is fixed in kernel version 2.0.33, and does not require selecting any kernel compile-time options to utilize the fix. Linux is apparently not vulnerable to the "newtear" exploit.
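The SYN flooding entry above names the attack and the kernel's configurable defences but not how an administrator would recognise a flood on a host. As an added example (not code from the newsletter or the Security HOWTO), the Python script below counts half-open SYN_RECV sockets per port in a /proc/net/tcp snapshot, the flood's visible symptom, and audits the SYN-cookie sysctls that current kernels expose under /proc/sys/net/ipv4; the snapshot is constructed, and the alert threshold and sysctl acceptance rules are this example's assumptions.

```python
"""SYN-flood symptom check for Linux: count half-open (SYN_RECV) sockets per
listening port from a /proc/net/tcp snapshot and audit the SYN-cookie sysctls.
Added example with a constructed snapshot; not code from the newsletter."""
import ipaddress
import os
import struct
from collections import Counter, defaultdict

# "st" column values of /proc/net/tcp (Linux include/net/tcp_states.h).
TCP_ESTABLISHED, TCP_SYN_RECV, TCP_LISTEN = 0x01, 0x03, 0x0A

# Knobs under /proc/sys/net/ipv4 that govern SYN-flood resilience. The acceptance
# rules are this example's assumptions, not values from the page: SYN cookies on,
# a backlog of at least 1024, at most 3 SYN-ACK retransmissions.
SYN_SYSCTL_RULES = {
    "tcp_syncookies": lambda v: int(v) == 1,
    "tcp_max_syn_backlog": lambda v: int(v) >= 1024,
    "tcp_synack_retries": lambda v: int(v) <= 3,
}

def decode_proc_addr(field):
    """'HEXIP:HEXPORT' -> ('a.b.c.d', port). The address is printed as a host-order
    32-bit word, so on x86 the hex text is byte-reversed; '<I' undoes that."""
    ip_hex, port_hex = field.split(":")
    ip_int = struct.unpack("<I", bytes.fromhex(ip_hex))[0]
    return str(ipaddress.IPv4Address(ip_int)), int(port_hex, 16)

def encode_proc_addr(ip, port):
    """Inverse of decode_proc_addr; used only to build the constructed sample."""
    word = struct.pack("<I", int(ipaddress.IPv4Address(ip))).hex().upper()
    return "%s:%04X" % (word, port)

def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into (local, remote, state) tuples."""
    conns = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) >= 4:
            conns.append((decode_proc_addr(fields[1]), decode_proc_addr(fields[2]),
                          int(fields[3], 16)))
    return conns

def half_open_by_port(conns):
    """SYN_RECV sockets: count per local port, plus the set of remote IPs per port."""
    counts, sources = Counter(), defaultdict(set)
    for (_, lport), (rip, _), state in conns:
        if state == TCP_SYN_RECV:
            counts[lport] += 1
            sources[lport].add(rip)
    return counts, sources

def syn_flood_alerts(conns, threshold=100):
    """Ports whose half-open backlog reaches threshold: (port, half_open, distinct_sources).
    Many handshakes from many distinct (usually spoofed) sources that never
    complete is the classic SYN-flood signature."""
    counts, sources = half_open_by_port(conns)
    return [(port, n, len(sources[port]))
            for port, n in sorted(counts.items()) if n >= threshold]

def audit_syn_sysctls(values):
    """values: {name: text read from /proc/sys/net/ipv4/<name>}; returns failing names."""
    return [name for name, ok in SYN_SYSCTL_RULES.items()
            if name not in values or not ok(values[name])]

def read_live_sysctls(root="/proc/sys/net/ipv4"):
    """Read the knobs from the running kernel; absent knobs are left out."""
    values = {}
    for name in SYN_SYSCTL_RULES:
        try:
            with open(os.path.join(root, name)) as fh:
                values[name] = fh.read().strip()
        except OSError:
            pass
    return values

def constructed_snapshot(flood_count=150):
    """Constructed /proc/net/tcp snapshot: two listeners, one established web session,
    two ordinary SSH handshakes in progress, and flood_count half-open connections
    to port 80, each from a different source address."""
    rows = ["  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode"]
    def row(local, remote, state):
        return "%4d: %s %s %02X 00000000:00000000 00:00000000 00000000     0        0 %d 1" % (
            len(rows) - 1, local, remote, state, 10000 + len(rows))
    rows.append(row(encode_proc_addr("0.0.0.0", 80), encode_proc_addr("0.0.0.0", 0), TCP_LISTEN))
    rows.append(row(encode_proc_addr("0.0.0.0", 22), encode_proc_addr("0.0.0.0", 0), TCP_LISTEN))
    rows.append(row(encode_proc_addr("192.0.2.10", 80), encode_proc_addr("198.51.100.7", 40000), TCP_ESTABLISHED))
    for i in range(2):
        rows.append(row(encode_proc_addr("192.0.2.10", 22), encode_proc_addr("198.51.100.%d" % (20 + i), 50000 + i), TCP_SYN_RECV))
    for i in range(flood_count):
        src = "203.0.%d.%d" % (113 + i // 254, 1 + i % 254)
        rows.append(row(encode_proc_addr("192.0.2.10", 80), encode_proc_addr(src, 1024 + i), TCP_SYN_RECV))
    return "\n".join(rows)

if __name__ == "__main__":
    for port, n, srcs in syn_flood_alerts(parse_proc_net_tcp(constructed_snapshot())):
        print("port %d: %d half-open connections from %d distinct sources" % (port, n, srcs))
    print("sysctl findings on this host:", audit_syn_sysctls(read_live_sysctls()) or "none")
```

On a real host, feed `open("/proc/net/tcp").read()` to `parse_proc_net_tcp` instead of the constructed snapshot; a backlog that stays high while the sources never complete the handshake is what SYN cookies are there to absorb.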
Read more from the Linux Security Howto:
http://www.linuxsecurity.com/docs/LDP/Security-HOWTO/

----------------------

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.

http://www.linuxsecurity.com/content/view/119087/49/

---

Review: The Book of Postfix: State-of-the-Art Message Transport

I was very impressed with "The Book of Postfix" by authors Ralf Hildebrandt and Patrick Koetter and feel that it is an incredible Postfix reference. It gives a great overall view of the operation and management of Postfix in an extremely systematic and practical format. It flows in a logical manner, is easy to follow and the authors did a great job of explaining topics with attention paid to real world applications and how to avoid many of the associated pitfalls. I am happy to have this reference in my collection.

http://www.linuxsecurity.com/content/view/119027/49/

--------

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------------------+ | Distribution: Debian | ----------------------------// +---------------------------------+ * Debian: New gtkdiskfree packages fix insecure temporary file 29th, September, 2005 Updated package. http://www.linuxsecurity.com/content/view/120472 * Debian: New util-linux packages fix privilege escalation 29th, September, 2005 Updated package. http://www.linuxsecurity.com/content/view/120473 * Debian: New ClamAV packages fix denial of service 29th, September, 2005 Updated package. http://www.linuxsecurity.com/content/view/120477 * Debian: New loop-aes-utils packages fix privilege escalation 29th, September, 2005 Updated package. http://www.linuxsecurity.com/content/view/120478 * Debian: New helix-player packages fix multiple vulnerabilities 29th, September, 2005 Updated package. http://www.linuxsecurity.com/content/view/120479 * Debian: New backupninja packages fix insecure temporary file 29th, September, 2005 Updated package. http://www.linuxsecurity.com/content/view/120480 * Debian: New squid packages fix denial of service 30th, September, 2005 Updated package. http://www.linuxsecurity.com/content/view/120482 * Debian: New squid packages fix denial of service 30th, September, 2005 Updated package. http://www.linuxsecurity.com/content/view/120483 * Debian: New mysql packages fix arbitrary code execution 30th, September, 2005 Updated package. http://www.linuxsecurity.com/content/view/120484 * Debian: New ntlmaps packages fix information leak 30th, September, 2005 Updated package. http://www.linuxsecurity.com/content/view/120485 * Debian: New mysql-dfsg packages fix arbitrary code execution 30th, September, 2005 Update package. http://www.linuxsecurity.com/content/view/120490 * Debian: New gopher packages fix several buffer overflows 30th, September, 2005 Updated package. 
http://www.linuxsecurity.com/content/view/120492 * Debian: New mysql-dfsg-4.1 packages fix arbitrary code execution 1st, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120494 * Debian: New prozilla packages fix arbitrary code execution 1st, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120495 * Debian: New cfengine packages fix arbitrary file overwriting 1st, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120496 * Debian: New cfengine2 packages fix arbitrary file overwriting 1st, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120497 * Debian: New Mozilla Firefox packages fix denial of service 2nd, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120498 * Debian: New mozilla-firefox packages fox multiple vulnerabilities 2nd, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120500 * Debian: New apachetop packages fix insecure temporary file 4th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120507 * Debian: New drupal packages fix remote command execution 4th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120508 * Debian: New mailutils packages fix arbitrary code execution 4th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120514 * Debian: New egroupware packages fix arbitrary code execution 4th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120515 * Debian: New mysql-dfsg-4.1 package fixes arbitrary code execution 4th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120518 * Debian: New arc packages fix insecure temporary files 5th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120520 * Debian: New mod-auth-shadow packages fix authentication bypass 5th, October, 2005 Updated package. 
http://www.linuxsecurity.com/content/view/120521 * Debian: New mason packages fix missing init script 6th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120537 +---------------------------------+ | Distribution: Gentoo | ----------------------------// +---------------------------------+ * Gentoo: AbiWord RTF import stack-based buffer overflow 30th, September, 2005 AbiWord is vulnerable to a stack-based buffer overflow during RTF import, making it vulnerable to the execution of arbitrary code. http://www.linuxsecurity.com/content/view/120486 * Gentoo: Hylafax Insecure temporary file creation in xferfaxstats 30th, September, 2005 Hylafax is vulnerable to linking attacks, potentially allowing a local user to overwrite arbitrary files. http://www.linuxsecurity.com/content/view/120491 * Gentoo: Mozilla Suite, Mozilla Firefox Multiple 30th, September, 2005 This advisory was originally released to fix the heap overflow in IDN headers. However, the official fixed release included several other security fixes as well. http://www.linuxsecurity.com/content/view/120493 * Gentoo: gtkdiskfree Insecure temporary file creation 3rd, October, 2005 gtkdiskfree is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files. http://www.linuxsecurity.com/content/view/120505 * Gentoo: Berkeley MPEG Tools Multiple insecure temporary 3rd, October, 2005 The Berkeley MPEG Tools use temporary files in various insecure ways, potentially allowing a local user to overwrite arbitrary files. http://www.linuxsecurity.com/content/view/120506 * Gentoo: Uim Privilege escalation vulnerability 4th, October, 2005 Under certain conditions, applications linked against Uim suffer from a privilege escalation vulnerability. http://www.linuxsecurity.com/content/view/120517 * Gentoo: Texinfo Insecure temporary file creation 5th, October, 2005 Texinfo is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files. 
  http://www.linuxsecurity.com/content/view/120524

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Low: slocate security update
  5th, October, 2005
  An updated slocate package that fixes a denial of service and various bugs is available. This update has been rated as having low security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120528

* RedHat: Low: vixie-cron security update
  5th, October, 2005
  An updated vixie-cron package that fixes various bugs and a security issue is now available. This update has been rated as having low security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120529

* RedHat: Low: net-snmp security update
  5th, October, 2005
  Updated net-snmp packages that fix two security issues and various bugs are now available. This update has been rated as having low security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120530

* RedHat: Updated kernel packages available for Red Hat
  5th, October, 2005
  Updated kernel packages are now available as part of ongoing support and maintenance of Red Hat Enterprise Linux version.
  http://www.linuxsecurity.com/content/view/120531

* RedHat: Moderate: openssh security update
  5th, October, 2005
  Updated openssh packages that fix a security issue, bugs, and add support for recording login user IDs for audit are now available for Red Hat Enterprise Linux 4.
  http://www.linuxsecurity.com/content/view/120532

* RedHat: Low: binutils security update
  5th, October, 2005
  An updated binutils package that fixes several bugs and minor security issues is now available.
  http://www.linuxsecurity.com/content/view/120533

* RedHat: Low: perl security update
  5th, October, 2005
  Updated Perl packages that fix security issues and contain several bug fixes are now available for Red Hat Enterprise Linux.
  http://www.linuxsecurity.com/content/view/120534

* RedHat: Low: mysql security update
  5th, October, 2005
  Updated mysql packages that fix a temporary file flaw and a number of bugs are now available
  http://www.linuxsecurity.com/content/view/120535

* RedHat: Low: gdb security update
  5th, October, 2005
  An updated gdb package that fixes several bugs and minor security issues is now available.
  http://www.linuxsecurity.com/content/view/120536

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org  Mon Oct 10 00:06:05 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 10 00:22:16 2005
Subject: [ISN] The Zombie Hunters: On the trail of cyberextortionists
Message-ID:

Forwarded from: Brian Reilly

http://www.newyorker.com/fact/content/articles/051010fa_fact

by EVAN RATLIFF
The New Yorker
October 10, 2005

One afternoon this spring, a half-dozen young computer engineers sat in the headquarters of Prolexic, an Internet-security company in Hollywood, Florida, puzzling over an attack on one of the company's clients, a penile enhancement business called MensNiche.com. The engineers, gathered in the company's network operations center, or noc, on the fourth floor of a new office building, were monitoring Internet traffic on fifty-inch wall-mounted screens. Anna Claiborne, one of the company's senior network engineers, wandered into the noc in jeans and a T-shirt. The MensNiche attacker had launched an assault on the company's Web site at 4 a.m., and Claiborne had spent the night in the office fending it off. "Hence," she said, "I look like hell today."
MensNiche's problems had begun a week earlier, with a flood of fake data requests - what is known as a distributed denial-of-service attack - from computers around the world. Although few, if any, of those computers' owners knew it, their machines had been hijacked by hackers; they had become what programmers call "zombies," and had been set loose on MensNiche. The result was akin to what occurs when callers jam the phone lines during a television contest: with so many computers trying to connect, almost none could get through, and the company was losing business.

The first wave of the attack was easily filtered by Prolexic's automated system. The assailant then disguised his zombies as legitimate Web users, fooling the filters so well that Claiborne refused to tell me how it was done, for fear that others would adopt the same tactic. She spent the night examining the requests one by one as they scrolled by - interrogating each zombie, trying to find a key to the attacker's strategy. "He's clever, and he's been trying everything," Claiborne said. "If we ever find out who it is, seriously, I'd be willing to buy a plane ticket, fly over, and punch him in the face."

Prolexic, which was founded in 2003 by a twenty-seven-year-old college dropout named Barrett Lyon, is a twenty-four-hour, seven-days-a-week operation. An engineer is posted in the noc at all times, to monitor Prolexic's four data hubs, which are in Phoenix, Vancouver, Miami, and London. The hubs contain powerful computers designed to absorb the brunt of data floods and are, essentially, massive holding pens for zombies. Any data travelling to Prolexic's clients pass through this hardware. The company, which had revenues of four million dollars in its first year, now has more than eighty customers. Lyon's main business is protecting his clients from cyberextortionists, who demand payments from companies in return for leaving them alone.
Although Lyon is based in Florida, the attackers he deals with might be in Kazakhstan or China, and they usually don't work alone. "It's an insanely stressful job," Claiborne told me. "You are the middleman between people who are losing thousands or millions of dollars and somebody who really wants to make that person lose thousands or millions of dollars." When the monitors' graphs begin to spike, indicating that an attack is under way, she said, "it's like looking at the ocean and seeing a wall of water three hundred feet high coming toward you."

Only a few years ago, online malfeasance was largely the province of either technically adept hackers (or "crackers," as ill-intentioned hackers are known), who were in it for the thrill or for bragging rights, or novices (called "script kiddies"), who unleashed viruses as pranks. But as the Web's reach has expanded real-world criminals have discovered its potential. Mobsters and con men, from Africa to Eastern Europe, have gone online. Increasingly, cyberextortionists are tied to gangs that operate in several countries and hide within a labyrinth of anonymous accounts. "When the attack starts, the ticker starts for that company," Lyon said. "It's a mental game that you've been playing, and if you make a mistake it causes the whole thing to go down. You are terrified."

Lyon, as usual, was wearing shorts and flip-flops. He has blond hair and a trim build, with narrow hazel eyes that were framed by dark circles of fatigue. A poster for the 1983 movie "WarGames" - a major influence - hung above his desk, on which were four computer monitors: one for writing program code, one for watching data traffic, one for surfing the Web, and one for chatting with customers. Lyon leaned over and showed me a program that he had created to identify the zombies attacking MensNiche. When he ran it, a list of countries scrolled up the screen: the United States, China, Cambodia, Haiti, even Iraq.
Examining the list of zombie addresses, Lyon picked one and ran a command called a "traceroute." The program followed the zombie's path from MensNiche back to a computer called NOCC.ior.navy.mil - part of the United States Navy's Network Operations Center for the Indian Ocean Region. "Well, that's great," he said, laughing. Lyon's next traceroute found that another zombie was on the Department of Defense's Military Sealift Command network. The network forces of the United States military had been conscripted in an attack on a Web site for penis enlargement.

Michael Alculumbre's first communication from the extortionists arrived on a Thursday evening in August, 2004. An e-mail message was sent to him just after 8 p.m. at Protx, an online-payment processing company based in London, where he is the chief executive officer. The subject line read, simply, "Contact us," and the return address - commerce_protection@yahoo.com - offered no clues to the message's origin. The note was cordial and succinct, written in stilted English. "Hello," it began. "We attack your servers for some time. If you want save your business, you should pay 10.000$ bank wire to our bank account. When we receive money, we stop attack immediately. If we will not receive money, we will attack your business 1 month." The note said that ten thousand dollars would buy Protx a year's worth of protection. "Think about how much money you lose, while your servers are down. Thanks John Martino."

Alculumbre had never heard of John Martino. He decided to ignore the demand.

Two months later, Alculumbre's network technician called him at home. He said that customers were complaining that the system was off-line. By the time Alculumbre arrived at the office, the source of the disruption was clear. Thousands of computers were inundating Protx's Web site with fake data requests.
Many of Protx's legitimate customers received the Internet equivalent of a busy signal - a message saying that the company's servers weren't responding. Every minute that the Web site remained off-line, Protx's business suffered. As the company's engineers struggled to contain the attack, another ten-thousand-dollar e-mail demand arrived, this time signed "Tony Martino." Again, Alculumbre ignored it. He had received a call from an agent of the British National Hi-Tech Crime Unit, which had been monitoring the attack. The agent let him know that paying Martino wasn't an option; the extortionist would only return. Beyond that advice, there wasn't much that the N.H.T.C.U. could do to help. By the time Alculumbre's engineers were able to get the site running, it had been disabled for almost two days.

Alculumbre heard from Tony Martino again the following April, when he received a message offering a thousand-dollar-a-month protection-money payment plan. Before he could respond, an army of up to seventy thousand zombies ripped through Protx's defenses and knocked its Web site off-line. This time, it took Protx's engineers three days to fight off the attack. The company now spends roughly five hundred thousand dollars a year to protect itself - fifty times what Martino had asked for. This includes a hundred-thousand-dollar-a-year security contract with Prolexic.

Martino, it turned out, had been targeting Lyon's clients for months before he hit Protx.

"This is very similar to the pubs and clubs in London forty years ago that used to pay money to not have their premises smashed up," Mick Deats, the deputy head of the N.H.T.C.U., told me. "It's just a straight, old-fashioned protection racket, with a completely new method." The cyberextortionists also make use of an elaborate money-laundering system, Deats said. "They have companies registered all over the place, passing the money through them."
"I started prosecuting network-attack cases in 1992, and back then it was more the sort of lone hackers," said Christopher Painter, the deputy chief of the Computer Crime and Intellectual Property Section at the Department of Justice. Today, he says, "you have organized criminal groups that are adopting technical sophistication."

The most potent weapon for Web gangsters is the botnet. A bot, broadly speaking, is a remote-controlled software program that is installed on a computer without the owner's knowledge. Hackers use viruses, worms, or automated programs to scan the Internet in search of potential zombies. One recent study found that a new P.C., attached to the Internet without protective software, will on average be infected in about twenty minutes. In the most common scenario, the bots surreptitiously connect hundreds, or thousands, of zombies to a channel in a chat room. The process is called "herding," and a herd of zombies is called a botnet. The herder then issues orders to the zombies, telling them to send unsolicited e-mail, steal personal information, or launch attacks. Herders also trade, rent, and sell their zombies.

"The botnet is the little engine that makes the evil of the Internet work," Chris Morrow, a senior network-security engineer at M.C.I., said. "It makes spam work. It makes identity fraud work. It makes extortion, in this case, work."

Less than five years ago, experts considered a several-thousand-zombie botnet extraordinary. Lyon now regularly faces botnets of fifty thousand zombies or more. According to one study, fifteen per cent of new zombies are from China. A British Internet-security firm, Clearswift, recently predicted that "botnets will, unless matters change dramatically, proliferate to the point where much of the Internet . . . comes to resemble a mosaic of botnets."
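The first-pass filtering described in the MensNiche account above, as an added example that is not code from the article or from Prolexic: a sliding-window request count per source catches a volumetric flood from zombies, while the aggregate per-second count is what a traffic graph spikes on. The log format ("ISO-timestamp source_ip path") and the sample traffic are constructed for this example.

```python
"""Sliding-window request-rate detector for a flood of connection requests.

Added example, not code from the article or from Prolexic. It models the kind
of automated first pass the article describes: flag sources whose request
rate inside a short window is far beyond what a person browsing a site
produces, and show the aggregate per-second view that makes a flood appear as
a spike on a traffic graph. The log lines are constructed; the format
"ISO-timestamp source_ip path" is an assumption made for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

TIME_FORMAT = "%Y-%m-%dT%H:%M:%S"


def build_sample_log():
    """Constructed sample traffic: two clients browsing at a human pace and two
    flood sources (stand-ins for zombies) each issuing a burst of requests."""
    start = datetime(2005, 4, 12, 4, 0, 0)
    lines = []
    for i in range(4):  # human pace: one request every 15-20 seconds
        ts = (start + timedelta(seconds=15 * i)).strftime(TIME_FORMAT)
        lines.append(f"{ts} 203.0.113.5 /index.html")
        ts = (start + timedelta(seconds=20 * i + 3)).strftime(TIME_FORMAT)
        lines.append(f"{ts} 203.0.113.9 /products.html")
    for src in ("198.51.100.7", "198.51.100.8"):  # flood: 5 requests/second for 8 seconds
        for i in range(40):
            ts = (start + timedelta(seconds=i // 5)).strftime(TIME_FORMAT)
            lines.append(f"{ts} {src} /index.html")
    return sorted(lines)  # ISO timestamps of equal length sort chronologically as text


def parse_line(line):
    """Split one constructed log line into (datetime, source_ip, path)."""
    ts, src, path = line.split(" ", 2)
    return datetime.strptime(ts, TIME_FORMAT), src, path


def flag_flood_sources(lines, window_seconds=10, max_requests=20):
    """Return {source_ip: peak_count} for every source that exceeded
    max_requests within any window_seconds-long sliding window.
    Lines must be in time order."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    peaks = {}
    for line in lines:
        ts, src, _ = parse_line(line)
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # age out timestamps older than the window
            q.popleft()
        if len(q) > max_requests:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks


def peak_requests_per_second(lines):
    """Aggregate view: the largest number of requests seen in any one second."""
    per_second = defaultdict(int)
    for line in lines:
        ts, _, _ = parse_line(line)
        per_second[ts] += 1
    return max(per_second.values(), default=0)


def unflagged_sources(lines, flagged):
    """Sources the rate filter let through. A flood whose zombies behave like
    legitimate users would land here and needs request-level inspection,
    which is the manual work the article describes."""
    return sorted({parse_line(line)[1] for line in lines} - set(flagged))


if __name__ == "__main__":
    log = build_sample_log()
    flagged = flag_flood_sources(log)
    print("flagged sources:", flagged)
    print("peak requests/second:", peak_requests_per_second(log))
    print("let through:", unflagged_sources(log, flagged))
```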
Meanwhile, the resources of law enforcement are limited - the N.H.T.C.U., for example, has sixty agents handling everything from child pornography to identity theft. Extortionists often prefer to target online industries, such as pornography and gambling, that occupy a gray area, and may be reluctant to seek help from law enforcement. Such businesses account for most of Prolexic's clients.

I asked Lyon how he felt about the companies he defended. "Everybody makes a living somehow," he said. "It's not my job to worry about how they do it." I asked whether that applied to extortionists as well. After a pause, he said, "I guess I'm partial to dot-commers."

Several weeks later, he called me to say that he'd reconsidered his answer. "The Internet is all about connecting things, communicating and sharing information, bits, pieces of data," he said. "A denial-of-service attack is the exact opposite of that. It is taking one person's will and imposing it on a bunch of others." In any case, Lyon added, his clients now included mainstream businesses - a Japanese game company, foreign-exchange traders, and a multibillion-dollar corporation that wanted to have additional security in the days before its I.P.O.

Lyon first gained a measure of online fame in 2003, with a project called Opte, in which he created a visual map of the entire Internet - its backbone, transfer points, major servers. After reading that a similar project had taken several months to complete, he bet a friend that he could do it in a day, and won. (A gorgeously rendered print of the map - which Lyon licenses free of charge - appeared in a travelling exhibition on the future of design.)

Lyon's obsessive interest in computer networks began early. In the third grade at a Sacramento, California, private school for learning-disabled children - Prolexic's name derives from Lyon's pride in overcoming severe dyslexia - he and a friend hacked a simple computer game.
In junior high school, Lyon discovered the Internet, and with a friend, Peter Avalos, he soon founded a company called TheShell.com, which provided accounts to chat-room users. But his grades suffered, and, after high school, he failed a year's worth of classes at California State University at Chico. When a friend he met online, Robert Brown, offered Lyon a job at his computer-security company, Network Presence, he quit school and took it. Brown sent him off to secure the network of a large insurance company in the Midwest. Lyon was nineteen and, he said, "I looked thirteen. So I wore a suit every day, and I worked my ass off for those guys."

He burned out after two years - "I didn't know you had to meter yourself" - and returned to school, this time at California State University at Sacramento. There, Lyon signed up for philosophy classes, dumped his computers in a closet, and joined the rowing team. But he couldn't get away from computers entirely; he still took assignments from his old employer, and he and Avalos (who graduated from the United States Naval Academy and has recently returned from flying P-3s in Iraq) continued to operate TheShell.com. The company's clients tended to be advanced Internet users, and this had the effect of bringing the site to the attention of hackers. At one point, Lyon was fighting off several zombie attacks a day.

In August, 2002, Dana Corbo, the C.E.O. of Don Best Sports, called Network Presence for help. Don Best, which is based in Las Vegas, is a kind of Bloomberg for the gambling world, providing betting lines for both real-world and online casinos. The company had ignored an e-mailed extortion demand for two hundred thousand dollars, and it was under attack. Network Presence sent Lyon. The next day, Lyon and another engineer flew to Las Vegas and helped Don Best's engineers set up powerful new servers. Lyon's strategy worked: the attackers gave up.
Corbo treated them to a night out in Vegas, with dinner in front of the Bellagio fountains. (He also paid Network Presence a fee.)

Lyon still wanted to find out who was behind the attacks. He and Brown scanned the traffic data, found a zombie, and, thanks to an opening in Microsoft Windows, were able to see what other computers it had been connected to. This led them to a chat server in Kazakhstan; when they connected to it, they saw more attacks in progress. They notified the F.B.I. and the Secret Service, but, Brown said, "they sort of threw up their arms, because it was in Kazakhstan." To Lyon, however, the lesson was clear: with clever techniques and a little luck, any attacker could be found.

In the late spring of 2003, Mickey Richardson, the general manager of Betcris, a Costa Rican-based gambling firm, received an extortion e-mail. (Online bookmaking, which is illegal in the United States, has flourished in Costa Rica and the Caribbean since the mid-nineteen-nineties.) The letter requested five hundred dollars in eGold - an online currency - and was followed by an attack that crippled Betcris's Web site, its main source of revenue. Richardson couldn't afford to have the site disabled. He paid the five hundred dollars.

The extortionists began hitting other offshore bookmakers. One firm after another paid up, anywhere from three thousand to thirty-five thousand dollars, which they wired to addresses in Russia and Latvia.

Richardson expected that he, too, would be hit again. He heard about Don Best's successful defense and called Lyon. But Lyon was back in school, and reluctant to take the job. Instead, he told Richardson to buy a server that was specially designed to filter out attacks. "The box," as Richardson called it, cost about twenty thousand dollars. Over the phone, Lyon helped Richardson's information-technology manager, Glenn Lebumfacil, configure it. A few months later, Richardson got another e-mail from the extortionists.
It arrived just before Thanksgiving, one of the busiest betting periods of the year, and it asked for forty thousand dollars. The e-mail said:

  If you choose not to pay for our help, then you will probably not be in business much longer, as you will be under attack each weekend for the next 20 weeks, or until you close your doors.

Richardson believed that he had "everything in place to protect the store," and he refused to pay. When the attack came, it took less than twenty minutes to overwhelm the box. The data flood brought down both Betcris and its Internet service provider. After a few days of trying in vain to make the box work, Lebumfacil called Lyon in a panic. "Hey, man, remember that thing you set up for us?" he said. "It just got blown away."

Lyon saw a business opportunity. He quit school again and started a company, with Betcris as his first customer. He knew that he couldn't just add capacity to Betcris's system to capture the zombies, as he had with Don Best, because Costa Rica wasn't wired for that sort of system - there wasn't enough capacity in the entire country. So he decided to build his own network in the United States and use it to draw the attackers away from Betcris. The extortionists would think they were attacking a relatively defenseless system in Central America but would find themselves up against Lyon's machines instead.

Richardson, meanwhile, was stalling for time with the extortionists, claiming a medical emergency. "I guess you did not take my warning seriously," came the reply. "The excuse that you were in the hospital does not matter to me." The correspondence became increasingly belligerent. "Sorry moron but I am just having so much fun fucking with you," one e-mail said, raising the price to sixty thousand dollars. Richardson responded by offering the extortionists jobs in Betcris's I.T. department. "I appreciate the offer to do work for you, but we are completely booked until the football season is over," one of them replied.
As Lyon brought his system online, the confrontation turned into a chess match. "Every time Barrett would change something, these guys would change something else," Brian Green, the C.E.O. of Digital Solutions, Betcris's Internet service provider, said. "They threw wrenches, they threw everything they could at Betcris." Finally, after three weeks, the attacker gave up. "I bet you feel real stupid that you did not keep your word," he wrote. "I figure by now you have lost 5 times what we asked and by the end of the year your decision will cost you more than 20 times what we asked." Richardson says that those numbers may not have been far off.

By then, everyone in the insular gaming world seemed to have heard that Lyon could stop zombie attacks, and he was getting calls from Jamaica, Costa Rica, and Panama. "It was kind of like stumbling into this strange little community in the middle of nowhere, where everybody worships a weird stone," Lyon said. "They all had superstitions about when they were going to be attacked."

Lyon decided, once again, to trace the source of the attack. He and Dayton Turner, a goateed twenty-four-year-old engineer he had hired, allowed one of their own machines to become a zombie and watched as it was drawn into the botnet; by early January they had found the chat channel that controlled the zombies. Logging on as "hardcore," Turner pretended to be a bot herder who had been out of the game for a while. "i want to get back into it," he wrote. "i ha[v]e a small group of zombies so far which is why i came back looking." Turner had spent years in chat rooms, and communicated easily in the emoticon-heavy shorthand common to hackers. He gradually ingratiated himself with a Russian who called himself eXe and often logged in from a server that he'd named "exe.is.wanted.by.the.FBI.gov." Other members were not so welcoming; when Turner wrote, "i wanna help," one of them, uhdfed, replied, "we don't need ur HELP," and set his zombies on him.
But Lyon and Turner kept returning, establishing their technical credibility and becoming a part of the scene. They continued the ruse for weeks, occasionally with an F.B.I. agent on the phone helping to direct the conversation. As bait, Turner described a program he had written that would help eXe to collect zombies, which he promised to give him as soon as he could rewrite it in a different programming language. "It was a matter of simply befriending the guy and making him think that he could trust us," Lyon said. Piece by piece, eXe revealed himself:

  hardcore: its pretty cold here right now, what's russia like? hehe
  eXe: i'm good
  eXe: something hot
  eXe: =)
  eXe: Russia is like the Russian Vodka=)
  hardcore: hehehe
  eXe: u give me code?

At one point, during an exchange about the number of computers each had infected, eXe asked Turner how old he was. Turner replied that he was twenty-three, and added, "How about you? :)." eXe told him that he was a twenty-one-year-old Russian student named Ivan. Turner said that his name was Matt and he lived in Canada. Then, trying to provoke a confession, he told Ivan that he made money from extortion: "They always pay because they want their business back and they don't want to admit they have a weakness . . . stupid Americans." Turner then asked Ivan about a specific attack: "I figured it would be you since you have so many bots :P." "Good idea . . . hehe," Ivan replied. Before they signed off, Ivan wrote, "Bye friend."

In February, 2004, Lyon and Turner submitted a thirty-six-page report to the F.B.I. and the N.H.T.C.U., outlining their profile of Ivan and their correspondence with his crew. At this point, they were operating as DigiDefense International, which Lyon had founded, hiring Turner and Lebumfacil as his first employees. At the company's temporary headquarters, in an office building in Costa Rica, paranoia about reprisals from Russian mobsters reigned, even though there were armed guards in the lobby.
Meanwhile, Lyon and Turner kept chatting with Ivan. A few weeks later, on a Saturday in March, Ivan slipped up: he logged in to the chat room without disguising his home Internet address. The same day, Turner happened to be online, and decided to look up eXe's registration information. To his astonishment, he found what appeared to be a real name, address, and phone number: Ivan Maksakov, of Saratov, Russia. Lyon dashed off an e-mail to the authorities with the subject line "eXe made a HUGE mistake!"

A few months later, the Russian police, accompanied by agents from the N.H.T.C.U., swept into Maksakov's home, where they found him sitting at his computer. In television footage of the arrest, Maksakov looks like a clean-cut kid, with brown hair and a teenager's face. He sits glumly on his bed in shorts and a T-shirt as the police rummage through his room and carry out his equipment. The video shows the officers walking him to the local station and slamming the door shut on his cell.

In simultaneous raids in St. Petersburg and Stavropol, the police picked up four other Russians whom the N.H.T.C.U. had traced by setting up a sting at a bank in Riga, Latvia, where a British company that was coöperating with the authorities had been directed to send its payment. "We were waiting for people to come pick the money up," Mick Deats, of the N.H.T.C.U., told me. "But that didn't happen immediately. What did happen was that the bad guys we were watching picked up lots of different payments - not ours. We were seeing them pick up Australian dollars, U.S. dollars, and denominations from all over the world. And we're thinking, Whose money is that?"

The N.H.T.C.U. has never explicitly credited Prolexic's engineers with Maksakov's arrest. "The identification of the offenders in this came about through a number of lines of inquiry," Deats said. "Prolexic's was one of them, but not the only one." In retrospect, Lyon said, "The N.H.T.C.U. and the F.B.I. were kind of using us.
The agents aren't allowed to do an Nmap, a port scan" - techniques that he and Dayton Turner had used to find Ivan's zombies. "It's not illegal; it's just a little intrusive. And then we had to yank the zombie software off a computer, and the F.B.I. turned a blind eye to that. They kind of said, 'We can't tell you to do that - we can't even suggest it. But if that data were to come to us we wouldn't complain.' We could do things outside of their jurisdiction." He added that although his company still maintained relationships with law-enforcement agencies, they had grown more cautious about accepting help.

When the authorities picked up Ivan Maksakov, he was one semester away from graduation at a technical college in Saratov. He spent five months in prison before being released on bail, and now awaits trial. According to the authorities, he was a lower-level operative in the gang, which paid him about two thousand dollars a month for his services. A source close to the investigation told me that Maksakov, who faces fifteen years in jail, is coöperating with the Russian police.

One afternoon in Prolexic's offices, I asked Turner if he had felt a sense of justice when Ivan was arrested. "I suppose," he said halfheartedly. "It was a difficult situation for me when I saw his picture, because I kind of felt for the kid. He wasn't necessarily a bad kid." Perhaps, Turner told me, Ivan had "just said, 'Let's see if it works. Hey, it works, and people pay me for it.' "

Lyon, too, was one semester from graduation when he dropped out of college to start his company. He was, in his own way, unable to resist the challenge, and he, too, had discovered that people would pay him for what he did. I asked him if he'd ever done anything illegal on the Net. He thought for a minute, and then told me that once, as a teen-ager, he had poked around and discovered a vulnerability at Network Solutions, the company that at the time registered all the Web's addresses.
"I went in and manipulated some domain names," he said. "A month later, I got a call from somebody with a badge," who had traced the intrusion back to Lyon's computer. In the end, Lyon said, the authorities let it go. Those were simpler times. "I was scared shitless, but I learned my lesson," he said. "If something like that happened now, I can't imagine what would happen to me."

From isn at c4i.org  Mon Oct 10 00:06:24 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 10 00:22:38 2005
Subject: [ISN] Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers
Message-ID:

Forwarded from: security curmudgeon

---------- Forwarded message ----------
From: David Litchfield
To: bugtraq@securityfocus.com, ntbugtraq@listserv.ntbugtraq.com
Date: Thu, 6 Jan 2005 16:01:26 -0000
Subject: Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers

Dear security community and Oracle users,

Many of my customers run Oracle. Much of the U.K. Critical National Infrastructure relies on Oracle; indeed this is true for many other countries as well. I know that there's a lot of private information about me stored in Oracle databases out there. I have good reason, like most of us, to be concerned about Oracle security; I want Oracle to be secure because, in a very real way, it helps maintain my own personal security. As such, I am writing this open letter

Extract from interview between Mary Ann Davidson and IDG
http://www.infoworld.com/article/05/05/24/HNoraclesecurityhed_1.html

IDGNS: "What other advice do you have for customers on security?"

Davidson: "Push your vendor to tell you how they build their software and ask them if they train people on secure coding practices."

Now that some context has been put in place, I can continue.
On the 31st of August 2004, Oracle released a security update (Alert 68 [ http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf ]) to address a large number of major security flaws in their database server product. The patches had been a long time in coming [ http://www.eweek.com/article2/0,1759,1637213,00.asp ] and we fully expected that these patches would actually fix the problems but, unfortunately, this is not the case. To date, these flaws are still not fixed and are still fully exploitable. I reported this to Oracle a long time ago.

The real problem with this is not that the flaws Alert 68 supposedly fixed are still exploitable, but rather the approach Oracle took in attempting to fix these issues. One would expect that, given the length of time they took to deliver, these security "fixes" would be well considered and robust; fixes that actually resolve the security holes. The truth of the matter though is that this is not the case. Some of Oracle's "fixes" simply attempt to stop the example exploits I sent them for reproduction purposes. In other words the actual flaw was not addressed and with a slight modification to the exploit it works again. This shows a slapdash approach with no real consideration for fixing the actual problem itself.

As an example of this, Alert 68 attempts to fix some security holes in some triggers; the flaws could allow a low privileged user to gain SYS privileges - in other words gain full control of the database server. The example exploit I sent to Oracle contained a space in it. Oracle's fix was to ignore the user's request if the input had a space. What Oracle somehow failed to see or grasp was that no space is needed in the exploit. This fix suggests no more than a few minutes of thought was given to the matter. Why did it take 8 months for this? Further, how on earth did this get through QA? More, why are we still waiting for a proper fix for this?
Here is another class of thoughtless "fix" implemented by Oracle in Alert 68. Some Oracle PL/SQL procedures take an arbitrary SQL statement as a parameter which is then executed. This can present a security risk. Rather than securing these procedures properly, Oracle chose a security through obscurity mechanism. To be able to send the SQL query and have it executed one needs to know a passphrase. This passphrase is hardcoded in the procedure and can be extracted with ease. So all an attacker needs to do now is send the passphrase and their arbitrary SQL will still be executed. In other cases Oracle have simply dropped the old procedures and added new ones - with the same vulnerable code! I ask again, why does it take two years to write fixes like this?

Perhaps the fixes take this long because Oracle pore through their code looking for similar flaws? Does the evidence bear this out? No - it doesn't. In those cases where a flaw was fixed properly, we find the same flaw a few lines further down in the code. The DRILOAD package "fixed" in Alert 68 is an example of this; and this is not an isolated case. This is systemic. Code for objects in the SYS, MDSYS, CTXSYS and WKSYS schemas all have flaws within close range of "fixed" problems. These should have been spotted and fixed at the time.

I reported these broken fixes to Oracle in February 2005. It is now October 2005 and there is still no word of when the "real" fixes are going to be delivered. In all of this time Oracle database servers have been easy to crack - a fact Oracle are surely aware of.

What about the patches since Alert 68 - the quarterly Critical Patch Updates? Unfortunately it is the same story. Bugs that should have been spotted left in the code, brand new bugs being introduced and old ones reappearing. This is simply NOT GOOD ENOUGH. As I stated at the beginning of this letter, I'm concerned about Oracle security because it impinges upon me and my own personal security.
What is apparent is that Oracle has no decent bug discovery/fix/response process; no QA, no understanding of the threats; no proactive program of finding and fixing flaws. Is anyone in control over at Oracle HQ? A good CSO needs to be more than just a mouthpiece. They need to be able to deliver and execute an effective security strategy that actually deals with problems rather than sweeping them under the carpet or wasting time by blaming others for their own failings. Oracle's CSO has had five years to make improvements to the security of their products and their security response but in this time I have seen none. It is my belief that the CSO has categorically failed. Oracle security has stagnated under her leadership and it's time for change.

I urge Oracle customers to get on the phone, send an email, demand a better security response; demand to see an improvement in quality. It's important that Oracle get it right. Our national security depends on it; our companies depend on it; and we all, as individuals, depend on it.
Cheers,
David Litchfield

From isn at c4i.org Mon Oct 10 00:08:14 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 10 00:23:03 2005
Subject: [ISN] Secunia Weekly Summary - Issue: 2005-40
Message-ID:

========================================================================
The Secunia Weekly Advisory Summary
2005-09-29 - 2005-10-06
This week : 67 advisories
========================================================================

Table of Contents:
1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written. Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued. As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database: http://secunia.com/

========================================================================
2) This Week in Brief:

During the last week, 3 antivirus vendors, Symantec, Kaspersky, and Bitdefender, suffered vulnerabilities, which potentially can be exploited by malicious people to gain system access on a vulnerable system. Additional details can be found in the referenced Secunia advisories below.
References:
http://secunia.com/SA17049
http://secunia.com/SA17024
http://secunia.com/SA16991

VIRUS ALERTS:
Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA16942] Microsoft Internet Explorer "XMLHTTP" HTTP Request Injection
2. [SA16901] Thunderbird Command Line URL Shell Command Injection
3. [SA16869] Firefox Command Line URL Shell Command Injection
4. [SA14789] Gentoo update for limewire
5. [SA16911] Firefox Multiple Vulnerabilities
6. [SA16766] Netscape IDN URL Domain Name Buffer Overflow
7. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
8. [SA14896] Microsoft Jet Database Engine Database File Parsing Vulnerability
9. [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerabilities
10. [SA11762] Opera Browser Favicon Displaying Address Bar Spoofing Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA17024] Kaspersky Anti-Virus CAB Archive Handling Buffer Overflow
[SA17010] MailEnable W3C Logging Buffer Overflow Vulnerability
[SA17046] IceWarp Web Mail Multiple Vulnerabilities
[SA17032] Citrix Metaframe Presentation Server Policy Filtering Bypass
[SA17049] Symantec AntiVirus Scan Engine Administrative Interface Buffer Overflow

UNIX/Linux:
[SA17042] Fedora update for thunderbird
[SA17066] Debian update for egroupware
[SA17057] HP-UX Mozilla Multiple Vulnerabilities
[SA17053] Debian update for drupal
[SA17027] SUSE Updates for Multiple Packages
[SA17026] Debian update for mozilla-firefox
[SA17014] SUSE update for mozilla/MozillaFirefox
[SA17065] IBM Tivoli Monitoring Web Health Console HTTP Server Vulnerabilities
[SA17062] UW-imapd Mailbox Name Parsing Buffer Overflow Vulnerability
[SA17059] Ubuntu update for dia-common
[SA17054] CVS zlib Vulnerabilities
[SA17052] Fedora update for abiword
[SA17050] Ubuntu update for squid
[SA17047] Dia SVG File Import Arbitrary Code Execution Vulnerability
[SA17035] Debian update for prozilla
[SA17034] Virtools Web Player Buffer Overflow and Directory Traversal Vulnerabilities
[SA17021] ProZilla "ftpsearch" Buffer Overflow Vulnerability
[SA17020] Debian update for mailutils
[SA17016] Debian update for gopher
[SA17015] Debian update for squid
[SA17012] Gentoo update for abiword
[SA17039] OpenView Event Correlation Services Unspecified Privileged Access Vulnerability
[SA17077] Red Hat update for openssh
[SA17073] Red Hat update for kernel
[SA17069] Avaya Products "ls" Denial of Service Vulnerabilities
[SA17067] Debian update for mod-auth-shadow
[SA17060] Apache mod_auth_shadow Module "require group" Incorrect Authentication
[SA17030] Bugzilla Two Information Disclosure Security Issues
[SA17029] AIX tcpdump BGP Denial of Service Vulnerability
[SA17003] 4D WebSTAR IMAP Access Potential Denial of Service
[SA17028] Weex "log_flush()" Format String Vulnerability
[SA17007] Ubuntu update for net-snmp
[SA17080] Red Hat update for mysql
[SA17079] Red Hat update for perl
[SA17072] Red Hat update for gdb
[SA17070] Gentoo update for texinfo
[SA17068] Debian update for arc
[SA17063] Avaya Products cpio Insecure File Creation Vulnerability
[SA17058] Gentoo update for uim
[SA17056] Gentoo update for gtkdiskfree
[SA17051] Gentoo update for mpeg-tools
[SA17044] Sun Java Desktop System XFree86 Pixmap Creation Integer Overflow
[SA17043] uim Environment Variable Privilege Escalation Vulnerability
[SA17040] Debian update for cfengine2
[SA17038] Debian update for cfengine
[SA17037] Cfengine Insecure Temporary File Creation Vulnerabilities
[SA17025] storeBackup Insecure Temporary File Creation and Insecure Backup Root Permissions
[SA17022] Gentoo update for hylafax
[SA17018] Debian update for backupninja
[SA17017] Debian update for ntlmaps
[SA17009] Macromedia Breeze Password Reset Security Issue
[SA17008] Berkeley MPEG Tools Multiple Insecure Temporary File Creation
[SA17005] Debian update for gtkdiskfree
[SA17045] Trustix update for unzip
[SA17023] GNOME libzvt "gnome-pty-helper" Hostname Spoofing
[SA17006] Ubuntu update for unzip
[SA17004] Debian update for util-linux

Other:
[SA17033] NetFORCE NAS Information Disclosure Security Issue

Cross Platform:
[SA17048] PHP-Fusion "album" and "photo" SQL Injection Vulnerabilities
[SA17019] Hitachi Cosminexus Request Body Disclosure of Personal Information
[SA17013] Blender Command Line Buffer Overflow Vulnerability
[SA17011] Serendipity Cross-Site Request Forgery Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:
--
[SA17024] Kaspersky Anti-Virus CAB Archive Handling Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-10-04
Alex Wheeler has reported a vulnerability in Kaspersky Anti-Virus, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/17024/

--
[SA17010] MailEnable W3C Logging Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-10-04
A vulnerability has been reported in MailEnable, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/17010/

--
[SA17046] IceWarp Web Mail Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of system information, Exposure of sensitive information
Released: 2005-10-03
ShineShadow has discovered some vulnerabilities in IceWarp Web Mail, which can be exploited by malicious people to conduct cross-site scripting attacks, delete arbitrary files, and disclose system and sensitive information.
Full Advisory: http://secunia.com/advisories/17046/

--
[SA17032] Citrix Metaframe Presentation Server Policy Filtering Bypass
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-10-03
Gustavo Gurmandi has reported a vulnerability in Citrix MetaFrame Presentation Server, which can be exploited by malicious users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/17032/

--
[SA17049] Symantec AntiVirus Scan Engine Administrative Interface Buffer Overflow
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2005-10-05
A vulnerability has been reported in Symantec AntiVirus Scan Engine, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/17049/

UNIX/Linux:
--
[SA17042] Fedora update for thunderbird
Critical: Extremely critical
Where: From remote
Impact: Security Bypass, Spoofing, Manipulation of data, System access
Released: 2005-10-03
Fedora has issued an update for thunderbird. This fixes some vulnerabilities, which can be exploited by malicious people to conduct spoofing attacks, manipulate certain data, bypass certain security restrictions, and compromise a user's system.
Full Advisory: http://secunia.com/advisories/17042/

--
[SA17066] Debian update for egroupware
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-10-05
Debian has issued an update for egroupware. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/17066/

--
[SA17057] HP-UX Mozilla Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Spoofing, DoS, System access
Released: 2005-10-05
HP has acknowledged multiple vulnerabilities in Mozilla for HP-UX, which can be exploited by malicious people to bypass certain security restrictions, conduct spoofing and cross-site scripting attacks, and compromise a user's system.
Full Advisory: http://secunia.com/advisories/17057/

--
[SA17053] Debian update for drupal
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-10-04
Debian has issued an update for drupal. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/17053/

--
[SA17027] SUSE Updates for Multiple Packages
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, Exposure of sensitive information, Privilege escalation, DoS, System access
Released: 2005-09-30
SUSE has issued updates for multiple packages. These fix various vulnerabilities, which potentially can be exploited by malicious, local users to gain access to sensitive information or perform certain actions on a vulnerable system with escalated privileges, or by malicious people to conduct cross-site scripting attacks, cause a DoS (Denial of Service) or compromise a user's system.
Full Advisory: http://secunia.com/advisories/17027/

--
[SA17026] Debian update for mozilla-firefox
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Spoofing, Manipulation of data, System access
Released: 2005-10-03
Debian has issued an update for mozilla-firefox. This fixes some vulnerabilities, which can be exploited by malicious people to conduct spoofing attacks, manipulate certain data, bypass certain security restrictions, and compromise a user's system.
Full Advisory: http://secunia.com/advisories/17026/

--
[SA17014] SUSE update for mozilla/MozillaFirefox
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Spoofing, Manipulation of data, System access
Released: 2005-09-30
SUSE has issued updates for mozilla and MozillaFirefox. These fix some vulnerabilities, which can be exploited by malicious people to conduct spoofing attacks, manipulate certain data, bypass certain security restrictions, and compromise a user's system.
Full Advisory: http://secunia.com/advisories/17014/

--
[SA17065] IBM Tivoli Monitoring Web Health Console HTTP Server Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-10-05
IBM has acknowledged some vulnerabilities in IBM Tivoli Monitoring, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/17065/

--
[SA17062] UW-imapd Mailbox Name Parsing Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-10-05
infamous41md has reported a vulnerability in UW-imapd, which can be exploited by malicious users to cause a DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/17062/

--
[SA17059] Ubuntu update for dia-common
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-10-04
Ubuntu has issued an update for dia-common. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/17059/

--
[SA17054] CVS zlib Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2005-10-04
Two vulnerabilities have been reported in CVS, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/17054/

--
[SA17052] Fedora update for abiword
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-10-03
Fedora has issued an update for abiword. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/17052/

--
[SA17050] Ubuntu update for squid
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-10-03
Ubuntu has issued an update for squid. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/17050/

--
[SA17047] Dia SVG File Import Arbitrary Code Execution Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-10-03
Joxean Koret has reported a vulnerability in Dia, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/17047/

--
[SA17035] Debian update for prozilla
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-10-03
Debian has issued an update for prozilla. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/17035/

--
[SA17034] Virtools Web Player Buffer Overflow and Directory Traversal Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, System access
Released: 2005-10-03
Luigi Auriemma has reported two vulnerabilities in Virtools Web Player, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/17034/

--
[SA17021] ProZilla "ftpsearch" Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-10-03
Tavis Ormandy has reported a vulnerability in ProZilla, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/17021/

--
[SA17020] Debian update for mailutils
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-10-05
Debian has issued an update for mailutils. This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/17020/

--
[SA17016] Debian update for gopher
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-09-30
Debian has issued an update for gopher. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/17016/

--
[SA17015] Debian update for squid
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2005-09-30
Debian has issued an update for squid. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/17015/

--
[SA17012] Gentoo update for abiword
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-09-30
Gentoo has issued an update for abiword. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/17012/

--
[SA17039] OpenView Event Correlation Services Unspecified Privileged Access Vulnerability
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2005-10-05
A vulnerability has been reported in OpenView Event Correlation Services, which can be exploited by malicious people to gain access with escalated privileges.
Full Advisory: http://secunia.com/advisories/17039/

--
[SA17077] Red Hat update for openssh
Critical: Less critical
Where: From remote
Impact: Privilege escalation
Released: 2005-10-05
Red Hat has issued an update for openssh. This fixes a security issue, which can be exploited by malicious users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/17077/

--
[SA17073] Red Hat update for kernel
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information, Privilege escalation, DoS
Released: 2005-10-05
Red Hat has issued an update for the kernel. This fixes some vulnerabilities which can be exploited by malicious, local users to disclose certain sensitive information, cause a DoS (Denial of Service) and gain escalated privileges, or by malicious people to cause a DoS.
Full Advisory: http://secunia.com/advisories/17073/

--
[SA17069] Avaya Products "ls" Denial of Service Vulnerabilities
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-10-05
Avaya has acknowledged some vulnerabilities in the "ls" program included in some products, which can be exploited by malicious users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/17069/

--
[SA17067] Debian update for mod-auth-shadow
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2005-10-05
Debian has issued an update for mod-auth-shadow. This fixes a security issue, which potentially can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/17067/

--
[SA17060] Apache mod_auth_shadow Module "require group" Incorrect Authentication
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2005-10-05
David Herselman has reported a security issue in the mod_auth_shadow module for Apache, which potentially can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/17060/

--
[SA17030] Bugzilla Two Information Disclosure Security Issues
Critical: Less critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2005-10-03
Two security issues have been reported in Bugzilla, which can be exploited by malicious people to disclose system and potentially sensitive information.
Full Advisory: http://secunia.com/advisories/17030/

--
[SA17029] AIX tcpdump BGP Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-10-03
A vulnerability has been reported in AIX, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/17029/

--
[SA17003] 4D WebSTAR IMAP Access Potential Denial of Service
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-09-30
A vulnerability has been reported in 4D WebSTAR, which potentially can be exploited by malicious users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/17003/

--
[SA17028] Weex "log_flush()" Format String Vulnerability
Critical: Less critical
Where: From local network
Impact: DoS, System access
Released: 2005-10-03
Emanuel Haupt has reported a vulnerability in Weex, which potentially can be exploited by malicious users to cause a DoS (Denial of Service) or to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/17028/

--
[SA17007] Ubuntu update for net-snmp
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2005-09-30
Ubuntu has issued an update for net-snmp. This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/17007/

--
[SA17080] Red Hat update for mysql
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-05
Red Hat has issued an update for mysql. This fixes a vulnerability, which can be exploited by malicious, local users to conduct various actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/17080/

--
[SA17079] Red Hat update for perl
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-05
Red Hat has issued an update for perl. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/17079/

--
[SA17072] Red Hat update for gdb
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-05
Red Hat has issued an update for gdb. This fixes two vulnerabilities, which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/17072/

--
[SA17070] Gentoo update for texinfo
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-05
Gentoo has issued an update for texinfo. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/17070/

--
[SA17068] Debian update for arc
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information, Privilege escalation
Released: 2005-10-05
Debian has issued an update for arc. This fixes a security issue and a vulnerability, which can be exploited by malicious, local users to gain access to sensitive information and perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/17068/

--
[SA17063] Avaya Products cpio Insecure File Creation Vulnerability
Critical: Less critical
Where: Local system
Impact: Manipulation of data, Exposure of sensitive information
Released: 2005-10-05
Avaya has acknowledged a vulnerability in cpio included in some products, which can be exploited by malicious, local users to disclose and manipulate information.
Full Advisory: http://secunia.com/advisories/17063/

--
[SA17058] Gentoo update for uim
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-05
Gentoo has issued an update for uim. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/17058/

--
[SA17056] Gentoo update for gtkdiskfree
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-04
Gentoo has issued an update for gtkdiskfree. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/17056/

--
[SA17051] Gentoo update for mpeg-tools
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-04
Gentoo has issued an update for mpeg-tools. This fixes some vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/17051/

--
[SA17044] Sun Java Desktop System XFree86 Pixmap Creation Integer Overflow
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-04
Sun Microsystems has acknowledged a vulnerability in Sun JDS (Java Desktop System), which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/17044/

--
[SA17043] uim Environment Variable Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-04
Masanari Yamamoto has reported a vulnerability in uim, which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/17043/

--
[SA17040] Debian update for cfengine2
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-03
Debian has issued an update for cfengine2. This fixes some vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/17040/

--
[SA17038] Debian update for cfengine
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-03
Debian has issued an update for cfengine. This fixes some vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/17038/

--
[SA17037] Cfengine Insecure Temporary File Creation Vulnerabilities
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-03
Javier Fernandez-Sanguino Pena has reported some vulnerabilities in Cfengine, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/17037/

--
[SA17025] storeBackup Insecure Temporary File Creation and Insecure Backup Root Permissions
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information, Privilege escalation
Released: 2005-09-30
A vulnerability and a security issue have been reported in storeBackup, which potentially can be exploited by malicious, local users to gain access to sensitive information or perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/17025/

--
[SA17022] Gentoo update for hylafax
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-09-30
Gentoo has issued an update for hylafax. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/17022/

--
[SA17018] Debian update for backupninja
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-09-30
Debian has issued an update for backupninja. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/17018/

--
[SA17017] Debian update for ntlmaps
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2005-09-30
Debian has issued an update for ntlmaps. This fixes a security issue, which can be exploited by malicious, local users to disclose certain sensitive information.
Full Advisory: http://secunia.com/advisories/17017/

--
[SA17009] Macromedia Breeze Password Reset Security Issue
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2005-09-30
A security issue has been reported in Macromedia Breeze, which can be exploited by malicious, local users to disclose certain sensitive information.
Full Advisory: http://secunia.com/advisories/17009/

--
[SA17008] Berkeley MPEG Tools Multiple Insecure Temporary File Creation
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-04
Mike Frysinger has reported some vulnerabilities in Berkeley MPEG Tools, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/17008/

--
[SA17005] Debian update for gtkdiskfree
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-09-29
Debian has issued an update for gtkdiskfree. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/17005/

--
[SA17045] Trustix update for unzip
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-03
Trustix has issued an update for unzip. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/17045/

--
[SA17023] GNOME libzvt "gnome-pty-helper" Hostname Spoofing
Critical: Not critical
Where: Local system
Impact: Spoofing
Released: 2005-10-03
Paul Szabo has reported a security issue in GNOME libzvt, which can be exploited by malicious, local users to spoof the hostname that is recorded into "utmp".
Full Advisory: http://secunia.com/advisories/17023/ -- [SA17006] Ubuntu update for unzip Critical: Not critical Where: Local system Impact: Privilege escalation Released: 2005-09-30 Ubuntu has issued an update for unzip. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. Full Advisory: http://secunia.com/advisories/17006/ -- [SA17004] Debian update for util-linux Critical: Not critical Where: Local system Impact: Privilege escalation Released: 2005-09-29 Debian has issued an update for util-linux. This fixes a security issue, which potentially can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/17004/ Other:-- [SA17033] NetFORCE NAS Information Disclosure Security Issue Critical: Not critical Where: From remote Impact: Exposure of sensitive information Released: 2005-10-03 bambenek has reported a security issue in NetFORCE NAS (Network Attached Storage), which potentially can be exploited by malicious people to gain knowledge of certain sensitive information. Full Advisory: http://secunia.com/advisories/17033/ Cross Platform:-- [SA17048] PHP-Fusion "album" and "photo" SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2005-10-04 Critical Security has discovered two vulnerabilities in PHP-Fusion, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/17048/ -- [SA17019] Hitachi Cosminexus Request Body Disclosure of Personal Information Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2005-10-03 A vulnerability has been reported in Hitachi Cosminexus, which potentially can be exploited by malicious people to disclose sensitive information. 
Full Advisory: http://secunia.com/advisories/17019/ -- [SA17013] Blender Command Line Buffer Overflow Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2005-09-30 Qnix has reported a vulnerability in Blender, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/17013/ -- [SA17011] Serendipity Cross-Site Request Forgery Vulnerability Critical: Less critical Where: From remote Impact: Hijacking Released: 2005-09-30 Nenad Jovanovic has reported a vulnerability in Serendipity, which can be exploited by malicious people to conduct cross-site request forgery attacks. Full Advisory: http://secunia.com/advisories/17011/ ======================================================================== Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Subscribe: http://secunia.com/secunia_weekly_summary/ Contact details: Web : http://secunia.com/ E-mail : support@secunia.com Tel : +45 70 20 51 44 Fax : +45 70 20 51 45 From isn at c4i.org Mon Oct 10 00:08:27 2005 From: isn at c4i.org (InfoSec News) Date: Mon Oct 10 00:23:31 2005 Subject: [ISN] Banks step up security plans Message-ID: http://www.vnunet.com/computing/news/2143320/banks-step-security-plans James Watson Computing 06 Oct 2005 SEVERAL UK high-street banks are expected to announce plans to authenticate online transactions with some form of physical security device before the end of the year. But any such move will come in advance of publication of an industry standard, which banking industry body Apacs had planned to release in May, and has now pushed back to the end of the year. 
Lloyds TSB will this month start trials of a "revolutionary new line of defence in the fight against online fraud", with customers testing a new way to log on to internet banking.

In May HSBC started a one-year rollout of security devices for its 870,000 Hong Kong customers, which industry sources regard as a prelude to rollouts in other countries.

And earlier this year Barclaycard completed a six-month trial of a security device (Computing, 17 March).

Any progress with so-called two-factor authentication from individual banks will not necessarily be based on the industry-wide standard.

But Martha Bennett, research director at Forrester Research, says the industry realises that security needs to be tightened, and some banks feel they cannot afford to wait for the standard to arrive.

"Many of the banks are working on a two-track strategy: what's happening with Apacs, and what they can do immediately," she said.

Bennett says several banks were set to launch products earlier this year, but stopped when Apacs started work on a standard. "Now they're realising that the risk is growing, and action needs to be taken," she said.

Apacs says if its standard does not make the first phase of a particular bank's project, it is confident it will be included in the second phase. "The aim is not just to secure online banking, but also about securing other online transactions," said a spokeswoman.

But not all banks are willing to go ahead without a standard: Barclaycard will wait to ensure interoperability between banks. "We're looking at how to use it in the real world, in a number of banking applications," said a spokesman for the bank.

Some 600,000 of the UK's 15 million internet banking users have stopped banking online because of security fears, says Forrester.
From isn at c4i.org Mon Oct 10 00:08:39 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 10 00:23:51 2005
Subject: [ISN] Tsunami hacker convicted
Message-ID:

http://www.theregister.co.uk/2005/10/06/tsunami_hacker_convicted/

By John Oates
6th October 2005

Daniel James Cuthbert was convicted today of breaking Section 1 of the Computer Misuse Act of 1990 by hacking into a tsunami appeal website last New Year's Eve.

District Judge Mr Quentin Purdy said: "For whatever reason Mr Cuthbert intended to secure access, in an unauthorised way, to that computer...it is with some considerable regret...I find the case proved against Mr Cuthbert."

He was fined £400 for the offence and must pay a further £600 in costs.

Cuthbert, 28, of Whitechapel, London, told Horseferry Road Magistrates Court yesterday that he had made a donation on the site, but when he received no final thank-you or confirmation page he became concerned it may have been a phishing site, so he carried out two tests to check its security.

This action set off an Intruder Detection System in a BT server room and the telco contacted the police.

The prosecution made an application for costs but declined to seize Cuthbert's Apple notebook on which the offences were committed. They made no further claim for compensation.

The defence asked for some sort of discharge because the case came close to "strict liability" - it was his responsibility but not his "fault".

Mr Harding, for the defence, said: "His reasoning was not reprehensible. He was convicted because of the widely-drafted legislation that could catch so many."

Mr Purdy, speaking to Cuthbert in the dock, said: "I appreciate the consequences of this conviction for you are considerably graver than any I can impose. But you crossed an inappropriate line, time and expense was expended and anxiety caused. That aside, the price may be a heavy one for you to pay."

Cuthbert lost his job as security consultant at ABN Amro as a result of his arrest and has only recently been able to find work.

DC Robert Burls of the Met's Computer Crime Unit said afterwards: "We welcome today's verdict in a case which fully tested the computer crime legislation and hope it sends a reassuring message to the general public that in this particular case the appropriate security measures were in place thus enabling donations to be made securely to the Tsunami Appeal via the DEC website."

Peter Sommer, who was an expert witness for the defence, said he thought the judge had a good understanding of the issues involved but "took a very strict view of the wording of the legislation."

Sommer added that he thought the policing of minor offences should "not involve taking people to court but rather talking, warning and slapping wrists."

Asked if he thought the verdict would make it harder for the police to get help and cooperation from security professionals Sommer said: "It will certainly make them more wary."

Speaking after the verdict an upset Daniel Cuthbert told the Reg: "They've now set the bar so high that there should be thousands of convictions for people doing things like these. There will be a lot of anger from security professionals and the police will find it harder to get help in future."

Cuthbert is considering a career outside the IT industry.

For the full text of Section 1 of the Act click here [1].

[1] http://www.opsi.gov.uk/acts/acts1990/Ukpga_19900018_en_2.htm#mdiv1


From isn at c4i.org Mon Oct 10 00:08:50 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 10 00:24:15 2005
Subject: [ISN] Sun to pull plug on Trusted Solaris
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/37225-1.html

By Joab Jackson
GCN Staff
10/06/05

Sun Microsystems Inc.
plans to phase out its Trusted Solaris secure operating system and replace it with security extension software that can be used with its Open Solaris operating system, said Mark Thacker, product line manager of Solaris security.

Open Solaris and the Solaris Trusted Extensions software will provide the full functionality of Trusted Solaris, according to Thacker. "This product will simply layer on top of Solaris 10. It will run on top of any piece of hardware that Solaris 10 runs on," Thacker said. Trusted Extensions should be available by mid-2006.

Long used by agencies with classified and sensitive data networks, the current version of Trusted Solaris, version 8, has been certified to Common Criteria Level 4+ Evaluation Assurance for three different protection profiles. Recently, Sun submitted its Solaris 10 operating system for Common Criteria Evaluation for two of those profiles. The Solaris Trusted Extensions will cover the third profile and will also undergo Common Criteria evaluation starting later this year, Thacker said.

The reason behind the rearrangement is to consolidate the code base for Solaris, according to Thacker. Trusted Solaris has a different operating system kernel than the more widely used Solaris 10, though the two are similar. When Sun upgraded Solaris to version 10, it incorporated about 85 percent of the security features in Trusted Solaris.

"We took some of the concepts in Trusted Solaris, like process rights management, user rights profiles, [and] process containments and built them into Solaris," Thacker said.

The major missing component was a feature called labeled security, which applies a tag identifying the appropriate security level to each data file. Although this feature is not widely used, it is valued by intelligence agencies, Thacker said. It has a set of labels that map directly to sensitivity levels from agencies such as the National Security Agency and the Central Intelligence Agency.

The labels allow the operating system to handle the data with appropriate controls. "Because of that classification and their relationships with one another, I can express how data can flow up and down the chain of command," Thacker said.

The feature allows computers to handle data from networks with differing security levels. It eliminates the need to keep multiple computers, each for a different security level, for each user's desk.

Trusted Extensions will include this labeled security feature. Government users who would have purchased Trusted Solaris will instead purchase Solaris 10 and the Solaris Trusted Extensions software.

The National Information Assurance Partnership's Common Criteria Evaluation and Validation Scheme is a collection of Protection Profiles and Evaluation Assurance Levels. A Protection Profile is a list of specifications of what a system should do in a given area. Solaris 10 is currently being evaluated against the Controlled Access Protection Profile and the Role Based Access Control Protection Profile, at Evaluation Assurance Level 4+. CGI Information Systems and Management Consultants Inc. of Ottawa will conduct the evaluations.

Last week, Red Hat Inc. of Raleigh, N.C., announced its Red Hat Enterprise Linux was undergoing Evaluation Assurance Level 4 evaluation for IBM servers. That evaluation will include the Labeled Security Protection Profile, the Controlled Access Protection Profile and Role-Based Access Control Protection Profile.

The combination of Solaris 10 and the Trusted Extensions will be available for all the platforms that Sun supports, including its own SPARC line of processors and x86 line of AMD and Intel processors as well, Thacker said.
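The label model Thacker describes above (a sensitivity tag on each file, with labels related to one another so that data can flow up but not down) is easiest to see in code. The following is an added illustrative model, not Sun's Trusted Extensions code or API: the level names and compartment names are constructed for the example, and the read/write rules are the standard multilevel-security rules (no read up, no write down) that labeled systems enforce.

```python
"""Illustrative model of labeled (multilevel) security.

Added example, not code from Sun or from the Trusted Extensions product.
A label is a hierarchical sensitivity level plus a set of compartments;
one label "dominates" another when it is at least as high and carries at
least the same compartments. Reads and writes are then decided so that
information only ever flows toward a dominating label (upward), never down.
"""
from dataclasses import dataclass, field

# Ordered sensitivity levels. Constructed for this example; a real system
# maps its own agency label names onto ranks like these.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A sensitivity label: a level name plus a frozenset of compartments."""
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown level {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        """True if this label is at least as sensitive as `other`:
        higher-or-equal level AND a superset of its compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def may_read(subject: Label, obj: Label) -> bool:
    """Simple security property: a subject (process, user) may read only
    objects whose label it dominates, i.e. no read up."""
    return subject.dominates(obj)


def may_write(subject: Label, obj: Label) -> bool:
    """*-property: a subject may write only to objects that dominate its own
    label, i.e. no write down. This is what stops a SECRET process from
    copying data into a CONFIDENTIAL file."""
    return obj.dominates(subject)


def may_flow(src: Label, dst: Label) -> bool:
    """Data labeled `src` may move to a container labeled `dst` only if that
    is a step upward (or sideways to an equal label) in the lattice."""
    return dst.dominates(src)


def least_upper_bound(a: Label, b: Label) -> Label:
    """Label for output that combines two inputs: the lowest label that
    dominates both. A process that reads a SECRET/NATO file and a
    CONFIDENTIAL/CRYPTO file must write at SECRET/{NATO, CRYPTO}."""
    top = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(top, a.compartments | b.compartments)


if __name__ == "__main__":
    secret_nato = Label("SECRET", frozenset({"NATO"}))
    confidential = Label("CONFIDENTIAL")
    top_secret = Label("TOP SECRET", frozenset({"NATO", "CRYPTO"}))

    print("SECRET/NATO reads CONFIDENTIAL:", may_read(secret_nato, confidential))
    print("CONFIDENTIAL reads SECRET/NATO:", may_read(confidential, secret_nato))
    print("CONFIDENTIAL writes SECRET/NATO:", may_write(confidential, secret_nato))
    print("SECRET/NATO writes CONFIDENTIAL:", may_write(secret_nato, confidential))
    print("UNCLASSIFIED -> TOP SECRET flow:", may_flow(Label("UNCLASSIFIED"), top_secret))
    print("LUB of SECRET/NATO and CONFIDENTIAL/CRYPTO:",
          least_upper_bound(secret_nato, Label("CONFIDENTIAL", frozenset({"CRYPTO"}))))
```

The compartment check is what makes the order a lattice rather than a simple ladder: SECRET without the NATO compartment does not dominate SECRET/NATO, so neither label may read the other.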
From isn at c4i.org Mon Oct 10 00:09:03 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 10 00:24:27 2005
Subject: [ISN] Sourcefire Sold to Israeli Company
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2005/10/06/AR2005100601857.html

By Ellen McCarthy
Washington Post Staff Writer
October 7, 2005

Sourcefire Inc., a Columbia software firm that began as a pet project of computer-coding hobbyists, is being bought by Israeli security giant Check Point Software Technologies Ltd. for $225 million, marking one of the area's most prominent recent start-up successes and a victory for the open-source software movement.

Check Point, which sells firewall software to nearly 80,000 customers worldwide, will pay cash.

Sourcefire's roots go back to 1998, when software programmer Martin Roesch sat in his Carroll County apartment and wrote a few lines of code he thought might help detect a computer virus or hacking attempt. Over the years, Roesch's online friends and fans added to the code -- which he has kept out in the open on the Internet for all to see -- to create an advanced network security system that has been downloaded by more than 2 million people.

"This was a little weekend and rainy day project that kind of ran amok," said Roesch, 35, who will work for Check Point after the acquisition. "It's incredible."

The technology, called Snort, has developed a following of loyalists who watch for new versions and spend hours discussing how to advance the software. Like most intrusion detection systems, Snort patrols computer networks looking for worms, viruses and other potential threats, and alerts security personnel when it finds one.

The basic version of Snort remains free, but Sourcefire has attracted about 800 paying customers by packaging it into a more user-friendly product that includes reporting capabilities, analysis technology and customer support features.

Sourcefire executives compare the arrangement to giving away an engine, but offering a whole car for sale.

That and similar methods of marketing around open source software are changing the dynamics of an industry that traditionally guarded its trade secrets closely, lowering prices and increasing competition in a way that has forced even technology giants like Microsoft to pay attention.

"It is probably the biggest movement and impact on software since what happened with the Internet in the 1990s," said Gary Hein, a senior analyst at the Burton Group who has studied the open-source movement.

Companies such as International Business Machines Corp., Apple Computer Inc. and Hewlett-Packard Co. have developed strategies to adopt open-source technologies. Microsoft Corp., long seen as the chief rival of the open source community, has established a lab at its Redmond, Wash., headquarters to study Linux, the most widely used open-source operating system.

By 2008 the impact of open-source technologies -- including sales of open-source-based products and money lost by traditional vendors -- will exceed $5 billion, according to Gartner Inc., and analysts say that is just the beginning.

Roesch turned Snort from a hobby into a company in 2001. At the time, he recalled, he had "heard of business models, but never seen one."

With $100,000 in angel funding, Sourcefire began selling a more polished version of Snort that came with service guarantees and help with installation. After Sourcefire landed some major clients it was able to raise $33.65 million in three rounds of venture funding. Its investors include Greylock Partners of San Mateo, Calif.; Sierra Ventures of Menlo Park, Calif.; and New Enterprise Associates of Baltimore.

Wayne Jackson, a seasoned technology entrepreneur, joined Sourcefire in 2002 to steer the company toward fast growth.

"When I first heard it I thought it was a crazy idea," said Jackson, the chief executive. "The notion of taking something that was otherwise free and commercializing it wasn't intuitive."

Licenses for Sourcefire's products, some of which have been developed on a proprietary basis, start around $4,000 and go as high as $120,000, depending on the complexity of the product.

Check Point's chief executive, Gil Shwed, said Sourcefire's technology will eventually be embedded in all its products. The Israeli firm's firewall systems work to block the same attacks that Sourcefire's software detects.

The market for computer security systems has boomed in recent years. But analysts caution that the market for firewalls is now largely saturated, forcing Check Point to branch into new lines of business. In 2004, Check Point earned $248.4 million, up only slightly from the $243.9 million profit it recorded the previous year.

"The firewall market isn't going anywhere," said William R. Becklean, an analyst with Oppenheimer & Co. The Sourcefire purchase is a way for Check Point "to try and maintain the growth of the company," Becklean said.

Some investors balked at the price of the acquisition, sending shares of Check Point down $2.20, to $21.50.

Under the terms of the deal, which is expected to close in the first quarter of next year, Check Point will also assume Sourcefire's stock option plan. No layoffs are expected among Sourcefire's 150 employees.

© 2005 The Washington Post Company


From isn at c4i.org Mon Oct 10 00:09:36 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 10 00:24:55 2005
Subject: [ISN] A Real Remedy for Phishers
Message-ID:

http://www.wired.com/news/politics/0,1283,69076,00.html

By Bruce Schneier
Oct. 06, 2005

Last week California became the first state to enact a law specifically addressing phishing.
Phishing, for those of you who have been away from the internet for the past few years, is when an attacker sends you an e-mail falsely claiming to be a legitimate business in order to trick you into giving away your account info -- passwords, mostly. When this is done by hacking DNS, it's called pharming.

Financial companies have until now avoided taking on phishers in a serious way, because it's cheaper and simpler to pay the costs of fraud. That's unacceptable, however, because consumers who fall prey to these scams pay a price that goes beyond financial losses, in inconvenience, stress and, in some cases, blots on their credit reports that are hard to eradicate. As a result, lawmakers need to do more than create new punishments for wrongdoers -- they need to create tough new incentives that will effectively force financial companies to change the status quo and improve the way they protect their customers' assets. Unfortunately, the California law does nothing to address this.

The new legislation was enacted because phishing is a new crime. But the law won't help, because phishing is just a tactic. Criminals phish in order to get your passwords, so they can make fraudulent transactions in your name. The real crime is an ancient one: financial fraud.

These attacks prey on the gullibility of people. This distinguishes them from worms and viruses, which exploit vulnerabilities in computer code. In the past, I've called these attacks examples of "semantic attacks" because they exploit human meaning rather than computer logic. The victims are people who get e-mails and visit websites, and generally believe that these e-mails and websites are legitimate.

These attacks take advantage of the inherent unverifiability of the internet. Phishing and pharming are easy because authenticating businesses on the internet is hard. While it might be possible for a criminal to build a fake bricks-and-mortar bank in order to scam people out of their signatures and bank details, it's much easier for the same criminal to build a fake website or send a fake e-mail. And while it might be technically possible to build a security infrastructure to verify both websites and e-mail, both the cost and user unfriendliness means that it'd only be a solution for the geekiest of internet users.

These attacks also leverage the inherent scalability of computer systems. Scamming someone in person takes work. With e-mail, you can try to scam millions of people per hour. And a one-in-a-million success rate might be good enough for a viable criminal enterprise.

In general, two internet trends affect all forms of identity theft. The widespread availability of personal information has made it easier for a thief to get his hands on it. At the same time, the rise of electronic authentication and online transactions -- you don't have to walk into a bank, or even use a bank card, in order to withdraw money now -- has made that personal information much more valuable.

The problem of phishing cannot be solved solely by focusing on the first trend: the availability of personal information. Criminals are clever people, and if you defend against a particular tactic such as phishing, they'll find another. In the space of just a few years, we've seen phishing attacks get more sophisticated. The newest variant, called "spear phishing," involves individually targeted and personalized e-mail messages that are even harder to detect. And there are other sorts of electronic fraud that aren't technically phishing.

The actual problem to be solved is that of fraudulent transactions. Financial institutions make it too easy for a criminal to commit fraudulent transactions, and too difficult for the victims to clear their names. The institutions make a lot of money because it's easy to make a transaction, open an account, get a credit card and so on. For years I've written about how economic considerations affect security problems. They can put security countermeasures in place to prevent fraud, detect it quickly and allow victims to clear themselves. But all of that's expensive. And it's not worth it to them.

It's not that financial institutions suffer no losses. Because of something called Regulation E, they already pay most of the direct costs of identity theft. But the costs in time, stress and hassle are entirely borne by the victims. And in one in four cases, the victims have not been able to completely restore their good name.

In economics, this is known as an externality: It's an effect of a business decision that is not borne by the person or organization making the decision. Financial institutions have no incentive to reduce those costs of identity theft because they don't bear them.

Push the responsibility -- all of it -- for identity theft onto the financial institutions, and phishing will go away. This fraud will go away not because people will suddenly get smart and quit responding to phishing e-mails, because California has new criminal penalties for phishing, or because ISPs will recognize and delete the e-mails. It will go away because the information a criminal can get from a phishing attack won't be enough for him to commit fraud -- because the companies won't stand for all those losses.

If there's one general precept of security policy that is universally true, it is that security works best when the entity that is in the best position to mitigate the risk is responsible for that risk. Making financial institutions responsible for losses due to phishing and identity theft is the only way to deal with the problem. And not just the direct financial losses -- they need to make it less painful to resolve identity theft issues, enabling people to truly clear their names and credit histories. Money to reimburse losses is cheap compared with the expense of redesigning their systems, but anything less won't work.


From isn at c4i.org Tue Oct 11 00:00:50 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 11 00:10:23 2005
Subject: [ISN] Microsoft Details Antivirus And Anti-Spyware Timetable
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml?articleID=171204119

By Larry Greenemeier and Aaron Ricadela
InformationWeek
Oct. 10, 2005

Microsoft is stepping up efforts to become part of the solution to businesses' computer-security woes and overcome a reputation for being part of the problem. The company will begin offering a test version of a new anti-spyware product to businesses by the end of the year and will test new antivirus and anti-spam software next year, CEO Steve Ballmer said at a news conference in Munich, Germany, last week. Ballmer appeared at the event in the technology-heavy German city with corporate VP Mike Nash, who heads Microsoft's security unit.

The software vendor is developing what it calls Client Protection technology that can guard desktops, laptops, and file servers against spyware, malware, and tools used by hackers to break into operating systems and applications. It's testing an anti-spyware product for home PC users, but Client Protection, which includes technology it acquired from GeCAD Software Srl. and Giant Company Software Inc., will offer management features for IT departments and integration with Windows Active Directory. Microsoft is working out details such as pricing and whether it will make the software available via the Web or CD.

The new antivirus and anti-spam security software, called Antigen, will run on messaging and collaboration servers, including Microsoft Exchange.
Antigen is based on technology from Sybari Software Inc., which Microsoft acquired in June. Microsoft also plans to form an industry group called the Secure IT Alliance with Symantec, Trend Micro, VeriSign, and other companies. The group will build a development lab to design computer-security technology, according to Microsoft.

Michael Cherry, an analyst at technology consulting company Directions on Microsoft, says that Microsoft has an incentive to help its business customers avoid computer-security problems since they deplete resources that could otherwise go toward new technology. "IT departments have fixed budgets," Cherry says. "If, out of the blue, they have to spend three unbudgeted weeks fixing security problems, that's 1,000 man-hours lost from other projects. That has to be paid for with real money."

Microsoft has faced criticism in the past over the number of bugs in its software that cause rampant security problems for its customers. Nearly four years ago, in an effort to overhaul its development processes, the company halted development on Windows and other products to give its programmers remedial training on writing secure code. It also has established policies to close off avenues of attack in subsequent products.

But Microsoft must build its credibility in security products before it can challenge established players McAfee Inc. and Symantec for big business clients, says John Pescatore, Gartner's VP for Internet security. The Client Protection anti-spyware software is likely to have a more immediate impact on small and midsize businesses, particularly those that haven't yet invested in this type of security, he says.

Still, Microsoft's announced entry into the market for antivirus and anti-spyware software already is having an impact on competitors. Symantec has been diversifying its business and last week completed its acquisition of anti-phishing software maker WholeSecurity Inc. "A big giant is throwing a rock in the pond and creating innovation and pricing pressure," Pescatore says. "For years, the laws of competition and pricing didn't apply to the antivirus market; the companies were getting fat and slow."

Just don't expect customers to jump on the first version of Client Protection or Antigen. Says Pescatore, "Most enterprises will wait 18 months at least after Microsoft announces a product so they can judge the quality."

Copyright © 2005 CMP Media LLC


From isn at c4i.org Tue Oct 11 00:01:13 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 11 00:10:54 2005
Subject: [ISN] Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers
Message-ID:

Forwarded from: security curmudgeon

There have been two good responses to this, both supporting David Litchfield's stance and citing more examples.

: ---------- Forwarded message ----------
: From: David Litchfield
: To: bugtraq@securityfocus.com, ntbugtraq@listserv.ntbugtraq.com
: Date: Thu, 6 Jan 2005 16:01:26 -0000
: Subject: Opinion: Complete failure of Oracle security response and utter neglect
:     of their responsibility to their customers
:
: Dear security community and Oracle users,
:
: Many of my customers run Oracle. Much of the U.K. Critical National
: Infrastructure relies on Oracle; indeed this is true for many other
: countries as well. I know that there's a lot of private information
: about me stored in Oracle databases out there. I have good reason, like
: most of us, to be concerned about Oracle security; I want Oracle to be
: secure because, in a very real way, it helps maintain my own personal
: security.
As such, I am writing this open letter


http://archives.neohapsis.com/archives/bugtraq/2005-10/0060.html

From: Cesar (cesarc56 @yahoo.com)
To: David Litchfield (davidl@ngssoftware.com), bugtraq@securityfocus.com, tbugtraq@listserv.ntbugtraq.com
Date: Thu, 6 Oct 2005 11:41:33 -0700 (PDT)
Subject: Re: Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers

I support David 100% and I would like to add a few comments (I can't avoid doing this :)):

I remember reading an article where Larry Ellison said that Oracle database servers were used by the FBI, CIA, USSR government, etc. He referenced that as saying our software is the most secure, top government agencies from the most powerful nations use it. If you hear or read that it sounds great, and if you were looking for a database server at that moment maybe you would run to buy Oracle software; the same when you hear and read "Oracle Unbreakable" everywhere.

What Larry Ellison says is very easy to say but it is also very difficult to prove. It seems that these kinds of statements have been useful for Oracle, since the company continues doing the same, just talking.

I can say that we at Argeniss break Oracle database server all the time; we are tired of breaking Oracle, it's so easy. Oracle software is full of security vulnerabilities and this is nothing new; most security researchers know about this, and also the bad guys who are actively exploiting the vulnerabilities. But I can say this and I can also prove it: we have found more than a hundred vulnerabilities and we can show them to people. I wonder if Larry Ellison can prove all the statements he says or Oracle people say.

[..]


http://archives.neohapsis.com/archives/bugtraq/2005-10/0079.html

From: ak@red-database-security.com
To: bugtraq@securityfocus.com
Date: 7 Oct 2005 20:13:13 -0000
Subject: Re: Re: Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers

I agree with David's and Cesar's opinions. Here are 3 examples of how Oracle is dealing with security:

[..]


From isn at c4i.org Tue Oct 11 00:01:38 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 11 00:11:12 2005
Subject: [ISN] Linux Security Week - October 10th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  October 10th, 2005                           Volume 6, Number 42n  |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin D. Thomas      ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Details from the Anti-Phishing Act of 2005," "Nessus security tool closes its source," and "A legal shield for pen-test results."

---

## EnGarde Secure Linux 3.0 - Download Now! ##

* Linux 2.6 kernel featuring SELinux Mandatory Access Control
* Guardian Digital Secure Network features free access to all system and security updates (to be available shortly through an updated release)
* Support for new hardware, including 64-bit AMD architecture
* Web-based management of all functions, including the ability to build a complete web presence with FTP, DNS, HTTP, SMTP and more.
* Apache v2.0, BIND v9.3, MySQL v5.0 (beta)
* Completely new WebTool, featuring easier navigation and greater ability to manage the complete system
* Integrated firewall with ability to manage individual firewall rules, control port forwarding, and creation of IP blacklists
* Built-in UPS configuration provides ability to manage an entire network of battery-backup devices
* RSS feed provides ability to display current news and immediate access to system and security updates
* Real-time access to system and service log information

LEARN MORE: http://www.guardiandigital.com/products/software/community/esl.html

---

LINUX ADVISORY WATCH

This week, advisories were released for gtkdiskfree, util-linux, ClamAV, loop-aes, helix-player, backupninja, squid, mysql, ntlmaps, mysql-dfsg, gopher, prozilla, cfengine, mozilla-firefox, apachetop, drupal, mailutils, egroupware, arc, mod-auth-shadow, mason, slocate, vixie-cron, net-snmp, kernel, openssh, binutils, perl, and gdb. The distributors include Debian, Gentoo, and Red Hat.

http://www.linuxsecurity.com/content/view/120542/150/

---

Hacks From Pax: PHP Web Application Security
By: Pax Dickinson

Today on Hacks From Pax we'll be discussing PHP web application security. PHP is a great language for rapidly developing web applications, and is very friendly to beginning programmers, but some of its design can make it difficult to write web apps that are properly secure. We'll discuss some of the main security "gotchas" when developing PHP web applications, from proper user input sanitization to avoiding SQL injection vulnerabilities.

http://www.linuxsecurity.com/content/view/120043/49/

---

Network Server Monitoring With Nmap

Portscanning, for the uninitiated, involves sending connection requests to a remote host to determine what ports are open for connections and possibly what services they are exporting.
Portscanning is the first step a hacker will take when attempting to penetrate your system, so you should be preemptively scanning your own servers and networks to discover vulnerabilities before someone unfriendly gets there first.

http://www.linuxsecurity.com/content/view/119864/150/

---

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set up comprehensive addressbooks to consistently keep employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* 2005 Semi-Annual Web Security Trends Report
3rd, October, 2005

Websense released the 2005 Semi-Annual Web Security Trends Report issued by Websense Security Labs. The new report summarizes findings for the first half of 2005 and presents projections for the upcoming year.

http://www.linuxsecurity.com/content/view/120504

* Details from the Anti-Phishing Act of 2005
5th, October, 2005

California is the first US state to pass anti-phishing laws. Finally someone went a step further into, at least, trying to create a more secure cyberspace. Here are some of the most important snippets from the act.

http://www.linuxsecurity.com/content/view/120525

* Common Malware Enumeration Initiative
6th, October, 2005

The Common Malware Enumeration Initiative was just announced. Headed by the United States Computer Emergency Readiness Team (US-CERT) and supported by an editorial board of anti-virus vendors and related organizations, it should provide a neutral, shared identification method for malware outbreaks.
http://www.linuxsecurity.com/content/view/120526

* Check Point to Acquire Makers of Snort
6th, October, 2005

Check Point Software Technologies Ltd. and Sourcefire, Inc., developers of Snort, today announced that they have signed a definitive agreement for Check Point to acquire privately held Sourcefire for a total consideration of approximately $225 million.

http://www.linuxsecurity.com/content/view/120538

* What is the most challenging Sarbanes-Oxley issue facing Enterprises today?
7th, October, 2005

Companies are now finding that log management is a cornerstone best practice in their compliance efforts. Sarbanes-Oxley 404 Internal IT Control requirements imply rigorous end-to-end log management and archival. Net Report helps companies face this issue.

http://www.linuxsecurity.com/content/view/120527

* But Wait, There's More
4th, October, 2005

The ink is barely dry on all of the Red Hat Enterprise Linux 4 materials, and the company is already gearing up for the launch of RHEL 5. While Red Hat is not being terribly specific about what is in RHEL 5 just yet, the company did announce last week that it is working with server maker IBM and security expert Trusted Computer Solutions to begin the Common Criteria security certification for the forthcoming RHEL 5, which is due in late 2006.

http://www.linuxsecurity.com/content/view/120509

* Pass on Passwords with scp
7th, October, 2005

In this article, I show you how to use the scp (secure copy) command without needing to use passwords. I then show you how to use this command in two scripts. One script lets you copy a file to multiple Linux boxes on your network, and the other allows you to back up all of your Linux boxes easily.

http://www.linuxsecurity.com/content/view/120543

* Firefox 1.5 gets the sniff test
3rd, October, 2005

First came all the praise about Firefox 1.0 being more secure than Internet Explorer (IE). Then came headlines about mega-downloads chipping away at Microsoft's market share.
Then came months of uncovered flaws and security updates that now have Firefox up to version 1.0.7.

http://www.linuxsecurity.com/content/view/120503

* RealNetworks Fixes Linux RealPlayer Flaw
4th, October, 2005

RealNetworks has patched the Linux media players that were susceptible to a zero-day attack for much of last week.

http://www.linuxsecurity.com/content/view/120513

* SanDisk embeds DRM engine in Flash cards
5th, October, 2005

Flash memory pioneer SanDisk has embedded DRM and copy protection functions into several flash card form factors. "TrustedFlash" will allow users to buy music, movies, and games on flash cards for use interchangeably in mobile phones, PDAs, laptops, and other devices, according to the company.

http://www.linuxsecurity.com/content/view/120522

* Nessus security tool closes its source
7th, October, 2005

The source code of one of the world's most popular free security tools will no longer be available to all, its creator has announced, saying the software's open-source license was fueling competition.

http://www.linuxsecurity.com/content/view/120546

* The Open Source Highway
4th, October, 2005

Open source is the foundation for the future. By definition, open source is code accessible to all. The free redistribution of code allows anyone to download code and take advantage of it. The community of open source contributors depicts a truly collaborative environment. Developers around the globe donate to the code repository, resulting in accelerated advancement and cleanliness of the available code. The Internet encouraged this open source movement by providing a breeding ground for collaboration.

http://www.linuxsecurity.com/content/view/120511

* PortAuthority Updates Data-Fingerprinting Technology
5th, October, 2005

While no two fingerprints are alike for people, the same cannot be said for digital data.
But new data-fingerprinting technologies have cropped up to take traditional watermarking strategies to the next level in preventing theft of intellectual property. PortAuthority 3.5 is one such technology. The newly updated data-fingerprinting software from PortAuthority Technologies examines the content of documents to give customers the ability to prevent information leaks and data theft.

http://www.linuxsecurity.com/content/view/120523

* A legal shield for pen-test results
7th, October, 2005

Routine network penetration testing may shed light on exposures to external threats, but it can also put damning evidence in the hands of competitors and plaintiffs who sue your organization. Attorneys caution that pen tests generate lengthy reports of system inaccuracies and vulnerabilities that could be used in court against a company.

http://www.linuxsecurity.com/content/view/120544

* Court Rules in Favor of Anonymous Blogger
7th, October, 2005

In a decision hailed by free-speech advocates, the Delaware Supreme Court on Wednesday reversed a lower court decision requiring an Internet service provider to disclose the identity of an anonymous blogger who targeted a local elected official.

http://www.linuxsecurity.com/content/view/120545

* Learning To Hack Just Got Easier
4th, October, 2005

Now you can learn hacking in the comfort of your own home. Training company Learn Security Online (LSO) teaches hacking techniques online at a low cost. LSO teaches computer security with interactive simulators, hacking games, and security challenges that require students to break into real servers.

http://www.linuxsecurity.com/content/view/12051

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                  LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
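The "Network Server Monitoring With Nmap" item in the newsletter above describes portscanning as sending connection requests to a host to learn which ports are open and what services they export. What follows is an added example, not taken from the newsletter or from the Nmap article it links to: a minimal TCP connect scan in Python. Because a scan needs something to scan, the block first starts a constructed fake service on an ephemeral loopback port, then probes a window of ports around it with a thread pool and grabs the greeting banner from whatever answers. The banner text, the port window and the timeout values are assumptions chosen for the demonstration.

```python
"""TCP connect scan of a local target (added example; not from the newsletter)."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, Tuple

# Constructed banner for the fake service. Real services send their own
# greeting (an SSH server announces "SSH-2.0-..." as soon as you connect).
FAKE_BANNER = b"SSH-2.0-OpenSSH_4.2 (constructed stand-in)\r\n"


def start_fake_service(banner: bytes = FAKE_BANNER) -> Tuple[socket.socket, int]:
    """Listen on an ephemeral loopback port and send `banner` to each client.

    Stand-in for a real network service so the scan can run offline; it is
    not part of Nmap or any other scanning tool.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))           # port 0: let the OS choose a free port
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:              # listener closed: stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def probe(host: str, port: int, timeout: float = 0.5) -> Tuple[int, bool, str]:
    """Connect scan of one port: complete the TCP handshake, then read a banner.

    A refused connection (RST) means the port is closed; a timeout means it
    is filtered or silent. Both are reported as not open.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256)
            except socket.timeout:
                banner = b""             # open, but the service waits for the client to speak
    except (ConnectionRefusedError, socket.timeout, OSError):
        return port, False, ""
    return port, True, banner.strip().decode("ascii", errors="replace")


def connect_scan(host: str, ports: Iterable[int], workers: int = 32) -> Dict[int, str]:
    """Scan `ports` on `host` concurrently; return {open_port: banner}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p), ports))
    return {port: banner for port, is_open, banner in results if is_open}


if __name__ == "__main__":
    listener, target_port = start_fake_service()
    # Assumed window: a few ports either side of the fake service's port.
    found = connect_scan("127.0.0.1", range(target_port - 5, target_port + 6))
    for p, banner in sorted(found.items()):
        print(f"{p}/tcp open  {banner or '(no banner)'}")
    listener.close()
```

A connect scan completes the full three-way handshake, so every probe shows up in the target's connection logs and in any intrusion-detection system watching it; that is acceptable for the newsletter's use case of scanning your own servers, but scan only hosts you are authorised to test (the Cuthbert conviction reported further down this digest shows how the Computer Misuse Act treats unauthorised probing). Nmap's -sT option performs the same connect scan; its default -sS SYN scan stops short of completing the handshake, which is quieter but needs raw-socket privileges.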
------------------------------------------------------------------------

From isn at c4i.org Tue Oct 11 00:01:53 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 11 00:11:43 2005
Subject: [ISN] Tsunami 'hacker' is innocent, say readers
Message-ID:

http://news.zdnet.co.uk/internet/0,39020369,39228025,00.htm

Colin Barker
ZDNet UK
October 10, 2005

Last Thursday's conviction of a computer security consultant for illegally accessing a Web site set up to aid victims of the Boxing Day Asian tsunami prompted a wide range of opinions from readers of ZDNet UK.

While many sympathised with a man who, even the judge agreed, had done "no real harm", others argued that a computer professional who knowingly accessed a Web site he had no permission to enter should have been aware of the possible consequences.

Daniel Cuthbert from London was found guilty of breaching Section One of the Computer Misuse Act (1990), which makes it an offence for someone to secure unauthorised access to a computer when they know that they are not permitted to do so.

Cuthbert, who at the time of his arrest was employed by ABN Amro to carry out security testing, pleaded not guilty to the charge. He was fined £400 plus £600 costs. An application for damages from the plaintiffs was thrown out by the judge on the grounds that by being found guilty, and already having lost his employment, Cuthbert had suffered enough.

The vast majority of ZDNet UK readers believe that Cuthbert has been treated unfairly. We conducted an online poll and asked readers if they believe Cuthbert "should have been convicted of gaining unauthorised access" to a computer under the Act. Over 1,000 people took part, and 92 percent said the conviction handed out by district judge Mr Q. Purdy was wrong.

While a vast majority of readers reckoned that Cuthbert was not guilty of a crime, there was a wide variety of opinion on the issue in our TalkBack pages.
It's understood that Cuthbert added ../../../ to the URL, hoping to get access to higher directories in the hope of confirming whether or not the Web site was genuine. He argued in his case that when he set off an intruder alarm he was checking the site out as he feared that rather than actually donating he had been taken in by a phishing scam.

"Breaking in is not a means of making that determination," argued an anonymous security consultant. "[Does that mean] if you cannot break in the site is legit, or is it legit if you CAN break in?"

But another reader argued that Cuthbert's actions were like "walking around trying everyone's front doors and car doors to see which ones are locked... You wouldn't do that, would you?"

But whether it is trying doorknobs or the front (or back) doors of systems, can computer professionals do their jobs if they are no longer allowed to test systems as they might like to?

"I'm not sure how I could perform my duties as a security professional if it suddenly became unlawful to test security in a very passive manner," argued Shaun Walter, a Unix system administrator. "[Cuthbert] didn't seem to employ any brute-force attacks or elegant procedures to check security at this site."

A US security consultant also felt the case could have serious consequences. "Pretty scary to think that only a government-authorised security company can legally test a site's security or integrity. You can bet I'll be accepting no more contracts to verify ANY corporate networks."

But that wasn't everybody's view, and at least one correspondent believed that Cuthbert was not acting particularly professionally when he tried to crack the appeal site.

"Professional testers know better than to go out and attempt to crack Web sites out of curiosity," argued another anonymous security specialist. "They use their skills to break into systems only after signing lengthy contractual stipulations that allow them to do so without repercussion.
The simple fact is that [Cuthbert] tried to gain unauthorised access into a system."

Copyright © 2005 CNET Networks, Inc. All Rights Reserved.

From isn at c4i.org Tue Oct 11 00:02:05 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 11 00:12:11 2005
Subject: [ISN] Cops smash 100,000 node botnet
Message-ID:

http://www.vnunet.com/vnunet/news/2143475/dutch-police-foil-100-node

Tom Sanders in California
vnunet.com
10 Oct 2005

Dutch authorities arrested three individuals last week accused of running one of the largest ever hacker botnets, comprising over 100,000 zombie PCs. The three men, aged 19, 22 and 27, were not named. Police confiscated computers, cash and a sports car during searches of the suspects' homes.

A botnet is a collection of hacked computers at the disposal of a hacker without the owners' knowledge. Botnets are commonly used to launch distributed denial of service (DDoS) attacks or to send spam. With over 100,000 infected systems, the network is one of the largest ever detected, prosecutors claimed.

The suspects will be charged with computer hacking, damaging automated networks, and installing adware and spyware.

The trio used the W32.toxbot internet worm to recruit systems for their botnet army. The worm was first detected early this year and infected systems all over the world. Antivirus software to detect and remove the software is available, but the suspects kept changing their malware to avoid detection.

The authorities are also investigating the group's involvement in a blackmail attempt on an unnamed enterprise in the US. It is common practice among online crime gangs to extort the owners of websites, forcing them to pay to prevent a DDoS attack on their networks. It is also suspected that the group was involved in crafting internet worms with keystroke logging software to gather login names to commit credit card fraud and identity theft.
From isn at c4i.org Tue Oct 11 00:02:41 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 11 00:12:53 2005
Subject: [ISN] Justice IG report: Protect laptop data
Message-ID:

http://www.fcw.com/article91061-10-10-05-Web

By Michael Arnone
Oct. 10, 2005

Justice Department field agents and analysts are keeping classified information secure by using their wits and their training, and by carrying two laptop computers each. One is strictly for processing classified data. The other is for handling unclassified data and using unclassified applications, such as word processors and Web browsers.

Justice employees use the decades-old setup to prevent the accidental shift of classified information to an unclassified environment or the Internet. It works, but it's bulky and inconvenient.

Justice's Office of the Inspector General investigated how the department uses laptops to process classified information. At the suggestion of the department's information technology and security staff, the IG also evaluated governmentwide policy on IT security certification for all computer systems.

Justice increasingly relies on laptops to process classified information. But the department's rules governing those resources do not encourage "innovative practices to improve the use of portable computers for processing classified information while adequately safeguarding classified information," the IG's office concluded in a July report.

The report states that Justice's chief information officer should alter Standard 1.6, which dictates the departmentwide IT security management controls for all desktop and laptop computers that handle classified information. The IG said the rules should allow the creation of new, accredited computer configurations that permit the introduction of security-enhancing safeguards.

Some of the recommendations the report suggests aren't new, such as encrypting data and limiting the data kept on classified hard drives.
But others would be new for Justice, including the use of small removable hard drives. "The use of removable hard drives that can process both unclassified and classified information in the same computer shell is an area that the department should consider," the report states. Justice should consider authorizing the use of removable hard drives and developing appropriate security policies for them, it adds.

Justice organizations are open to the idea of using removable hard drives, but some worry that employees might not always follow security procedures. IT security experts don't agree on whether the recommendations would help or damage the security of Justice's classified information.

A pocket-sized solution

The policy recommendation on removable hard drives is the IG's principal improvement to Justice's management of classified information on laptops. Measuring roughly 2 inches by 3 inches, each drive weighs about 2 ounces and fits into the Type II PC Card slots found on most laptops.

Justice's IG consulted the CIA, the National Security Agency, the Defense Department's National Reconnaissance Office and the Energy Department about their policies on removable hard drives. The first three agencies use laptops with two removable hard drives, one each for classified and unclassified information.

NSA officials told the IG's office that a computer's shell does not retain data once users remove the hard drive, adding that no data remains in the computer's RAM when users turn the machine off. Thus, Standard 1.6 should state that the shell of the computer becomes unclassified when someone removes the classified hard drive, according to the report.

In addition to halving the number of laptops that Justice employees must carry to handle classified information, removable hard drives would provide a number of benefits, the report states. For example, storing classified data would be easier.
Justice policies require computers that handle classified data to be double-wrapped in paper to show tampering, the report states. Users must unhook all peripheral devices and place the computer in a specially designed, secure container when they are not using the computers. All devices that could possibly store classified information must have warning labels on them stating so.

If the department used removable hard drives, only the drives would have to be double-wrapped instead of the whole laptop. That arrangement would improve security, the IG's office said, because the small drives are easier to secure and are less conspicuous than textbook-sized laptops.

Removable hard drives would also save Justice money because the drives are cheaper than new computers, according to the report. The IG's office shopped for 5GB drives and found at least two manufacturers that sell models for less than $200. The drives could hold a multiuser operating system, application software and 4.1GB of data. For roughly $400 per user, the report states, "this computer configuration would allow both unclassified and classified information processing on the same computer."

Mixed opinions

The IG office asked three Justice organizations, the Drug Enforcement Administration, the FBI and the Executive Office for U.S. Attorneys (EOUSA), whether they authorize their employees to use separate hard drives, and if not, whether they would consider doing so.

None of those agencies authorizes the use of removable hard drives, the report states. The FBI said the idea has merit, but it would have to evaluate the specifics through the certification and accreditation process. EOUSA expressed interest in pursuing the idea as long as employees understood the security requirements. The DEA had a mixed reaction, saying that the idea could save money, but the risk of failing to switch hard drives when necessary could outweigh those benefits.
Paul Martin, Justice's deputy IG, said the report speaks for itself and declined to comment.

IT security experts have mixed opinions about the IG's recommendations. Bruce Schneier, chief technology officer at Counterpane Internet Security, said the report was well-conceived. He liked the idea of removable hard drives and the suggestion to install tracking devices in laptops to help find lost and stolen computers.

Peter Lindstrom, research director at Spire Security, had more reservations about the report's implications. "I don't see a clear positive or negative impact on security at all, but it seems to have a pretty positive impact on costs, and on [Justice employees'] shoulders as well because they only have to carry one laptop," he said.

Schneier and Lindstrom said they were amazed that Justice had not already made such changes. Lindstrom said he was disappointed that Justice didn't think of the idea on its own.

The department is starting to understand that its employees need to do both classified and unclassified work on their computers, Schneier said. But if those recommendations are an improvement, he added, "it must be an absolute mess out there."

Frying pan to fire?

Lindstrom and Schneier disagree on whether removable hard drives present a definite security improvement or add as many problems as they solve.

Because it's so easy to make a mistake, "maintaining two sets of policies, switching back and forth, is a losing proposition over time," Lindstrom said. "I'm not sure that a user in the normal course of business would shift back and forth between their behavior around classified and unclassified information. You're better off configuring the system to force that behavior."

Schneier disagreed, saying a hardware solution is the best solution because hardware is more reliably secure than software. That's why Justice's current system of securing and storing classified information has worked so well for decades, he said.
"The best way to make sure classified information doesn't get taken out of the building is not to take it out of the building" and keep it locked in a safe when not in use, Schneier said.

Schneier said running two removable hard drives with separate operating systems and applications on the same computer shell is a great idea, especially if Justice follows the IG's suggestion to bar access to unclassified information and the Internet while the classified drive is in use.

"That's the best separation you can do," Schneier said. "You might as well share a screen, keyboard and CPU."

Schneier said he wondered whether laptops enabled for such configurations are available and how much they cost. He could see Justice's proposed practices spreading to DOD and other countries.

On the other hand, Lindstrom isn't sold on the idea of two hard drives. To make the system work, Justice would presumably have to buy laptops that don't have hard drives, he said. That would force users to use the security settings on each removable drive. But if the removable drives supplemented the laptop's drive, users could accidentally transfer classified information to the unprotected drive, he said.

"As soon as you mount drives at the same time, the fact that they are physical devices doesn't matter anymore" because the two are logically connected, Lindstrom said. That gives attackers ways to crack the unclassified applications to access the classified drive.

Logical security is the best way to protect data, Lindstrom said. Justice could encrypt all data and set up a host intrusion-prevention system and digital rights management system, he said. Instead of worrying about where to put data, the department should protect its data regardless of its location, Lindstrom said.

By using only one hard drive with adequate security protections, Lindstrom said, Justice could potentially save even more money by not implementing the IG's recommendations.
[1] http://www.usdoj.gov/oig/reports/plus/a0532/final.pdf

-=-

8 ways to improve security

The Justice Department's inspector general has suggested the following eight changes for improving the security of laptop PCs that process classified information.

1. Alter Standard 1.6, the departmentwide security management controls for all desktop and laptop machines that store, process or transmit national security information, to allow the creation of new accredited computer configurations that permit the introduction of security-enhancing safeguards.

2. Consider using removable hard drives and define them as classifiable devices rather than the computer shell on which users process data. Justice should create appropriate security policies for them.

3. Modify user profiles to forbid access to unclassified hard drives and the Internet when using a classified drive.

4. Change Standard 1.6 to support mandatory encryption of classified data.

5. Keep only a minimal amount of classified data on hard drives, in accordance with National Security Agency practices.

6. Develop a warning system to alert systems administrators if a computer processing classified information connects to the Internet.

7. Install tracking devices in laptop PCs to more easily locate lost or stolen computers.

8. Create new labels for computers that process both classified and unclassified data.

- Michael Arnone

From isn at c4i.org Tue Oct 11 00:02:58 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 11 00:13:39 2005
Subject: [ISN] U.S. cybersecurity due for FEMA-like calamity?
Message-ID:

http://news.com.com/U.S.+cybersecurity+due+for+FEMA-like+calamity/2100-7348_3-5891219.html

By Declan McCullagh and Anne Broache
Staff Writer, CNET News.com
October 10, 2005

In the wake of Hurricane Katrina, the Federal Emergency Management Agency has been fending off charges of responding sluggishly to a disaster. Is the cybersecurity division next?

Like FEMA, the U.S.
government's cybersecurity functions were centralized under the Department of Homeland Security during the vast reshuffling that cobbled together 22 federal agencies three years ago.

Auditors had warned months before Hurricane Katrina that FEMA's internal procedures for handling people and equipment dispatched to disasters were lacking. In an unsettling parallel, government auditors have been saying that Homeland Security has failed to live up to its cybersecurity responsibilities and may be "unprepared" for emergencies.

"When you look at the events of Katrina, you kind of have to ask yourself the question, 'Are we ready?'" said Paul Kurtz, president of the Cyber Security Industry Alliance, a public policy and advocacy group. "Are we ready for a large-scale cyberdisruption or attack? I believe the answer is clearly no."

The department, not surprisingly, begs to differ. "Cybersecurity has been and continues to be one of the department's top priorities," said Homeland Security spokesman Kirk Whitworth.

But more so than FEMA, the department's cybersecurity functions have been plagued by a series of damning reports, accusations of bureaucratic bungling, and a rapid exodus of senior staff that's worrying experts and industry groups.

The department is charged with developing a "comprehensive" plan for securing key Internet functions and "providing crisis management in response to attacks", but it's been more visible through press releases such as one proclaiming October to be "National Cyber Security Awareness Month."

Probably the plainest indication of potential trouble has been the rapid turnover among cybersecurity officials. First there was Richard Clarke, a veteran of the Clinton and first Bush administrations who left his post with a lucrative book deal. Clarke was followed in quick succession by Howard Schmidt, known for testifying in favor of the Communications Decency Act, then Amit Yoran and Robert Liscouski.
The top position has been vacant since Liscouski quit in January. In July, Homeland Security Secretary Michael Chertoff pledged to fill the post but has not named a successor.

"I sure wouldn't take that job," said Avi Rubin, a professor specializing in cybersecurity at Johns Hopkins University. "It only has a downside."

If an Internet meltdown happened, perhaps a present-day rendition of the 1988 worm created by Robert Morris, which forced administrators to disconnect their computers from the network to try to stop the worm from spreading, Homeland Security's cybersecurity official would wield little power yet shoulder all the blame, Rubin said. "The person who was cybersecurity czar would be out of a job and would be blamed, even though it might have been someone else not following a policy."

Other top-level staff have been departing: the deputy director of Homeland Security's National Cyber Security Division, a top official at the Computer Emergency Response Team, the undersecretary for infrastructure protection and the assistant secretary responsible for information protection have all left in the past year.

A promotion in the works

Raising the profile of cybersecurity efforts inside Homeland Security has garnered some support in the U.S. House of Representatives. Earlier this year, Rep. Zoe Lofgren, a California Democrat, and Rep. Mac Thornberry, a Texas Republican, reintroduced legislation from the previous congressional session that would create an assistant secretary for cybersecurity.

The much talked-about position would report directly to the Homeland Security secretary, on equal footing with posts that oversee the nation's physical infrastructure. Under the current department structure, the top cybersecurity official is buried a few levels of bureaucracy beneath the Homeland Security chief.

"Creating an assistant secretary is far more than just an organizational change," Thornberry said when introducing the bill.
"It is an essential move to assure that cybersecurity is not buried among the many homeland security challenges we face."

The proposal was ultimately wrapped up in the broader Homeland Security Authorization Act for 2006 and has been approved by the House. But since May, it has been sitting in front of the Senate Homeland Security committee, which has not indicated when further action will occur.

Outside observers are holding out hope for Chertoff's departmental reorganization announced in July. As part of the reshuffling, he hired Stewart Baker, former general counsel to the National Security Agency and a well-respected technology lawyer, to be assistant secretary for policy. Baker is waiting for Senate confirmation.

"It's been a mess for over four years, and hopefully the new folks will fix this," said Jim Lewis, director of the technology and public policy program at the Center for Strategic and International Studies.

"In the previous incarnation, DHS and the Homeland Security Council didn't really know what to do with cyber--it's been a deer-in-the-headlights experience for them," Lewis said. "It's not clear who's even in charge. When you look at all the different committees who assert they have a role in cybersecurity, it's about a dozen. Whenever you have 12 committees in charge, that means no one's in charge."

The Sept. 11 switch

The most likely reason for the federal government's lack of focus on cybersecurity is straightforward: the attacks of Sept. 11, 2001.

While Internet and computer security may not have been a top priority before the attacks, the topic did draw a smattering of attention from the White House. In February 2000, President Clinton convened a meeting on cybersecurity with technology executives. He returned to the topic in a speech to the Coast Guard Academy a few months later, cautioning that "critical systems like power structures, nuclear plants, air traffic control, computer networks, they're all connected and run by computers."
Then Sept. 11 shifted the Bush administration's attention from hypothetical threats of Internet saboteurs to military action, al-Qaida and the invasion of Iraq. "Cybersecurity clearly fell off the radar screen when they set up the department, and the department is trying to find its way," said Kurtz, president of the Cyber Security Industry Alliance, which counts as members companies such as Symantec, McAfee, RSA Security, PGP and Computer Associates. Even before Sept. 11, however, the federal government's cybersecurity efforts were being described as slipshod. In a blistering 108-page report released in early 2001, government auditors said the FBI's National Infrastructure Protection Center had become a bureaucratic backwater that was surprisingly ineffective in pursuing malicious hackers or devising a plan to shield the Internet from attacks. When Congress created Homeland Security two years later, the FBI's NIPC was unceremoniously mashed together with the Defense Department's National Communications System, the Commerce Department's Critical Infrastructure Assurance Office, an Energy Department analysis center and the Federal Computer Incident Response Center. The results have been mixed. A May 2005 report by the Government Accountability Office warned that bot networks, criminal gangs, foreign intelligence services, spammers, spyware authors and terrorists were all "emerging" threats that "have been identified by the U.S. intelligence community and others." Even though Homeland Security has 13 responsibilities in this area, it "has not fully addressed any," the GAO said. Other analyses have said the agency is plagued by incompatible computer systems, and another found that Homeland Security was woefully behind in terms of sharing computer security information with private companies. The department has argued that it has not been idle. 
Last year, it created the National Cyber Alert System, billed as a public-private, nationally coordinated method of dispensing information about Internet threats and vulnerabilities. Other plans include a staged cyberattack exercise scheduled for November. "Placing responsibility for cybersecurity within the Department of Homeland Security was a necessary move because it recognized how integrated cybersecurity is with other physical security, and to remove it from the department would hurt security in both," said Homeland Security's Whitworth. "An inappropriately small focus" But the right tools and funding have to be in place, too, said Ed Lazowska, a computer science professor at the University of Washington. He co-chaired the president's Information Technology Advisory Committee, which published a report in February that was critical of federal cybersecurity efforts. "DHS has an appropriately large focus on weapons of mass destruction but an inappropriately small focus on critical infrastructure protection, and particularly on cybersecurity," Lazowska said in an e-mail interview. The department is currently spending roughly $17 million of its $1.3 billion science-and-technology budget on cybersecurity, he said. His committee report calls for a $90 million increase in National Science Foundation funding for cybersecurity research and development. Until then, Lazowska said, "the nation is applying Band-Aids, rather than developing the inherently more secure information technology that our nation requires." From isn at c4i.org Tue Oct 11 00:00:37 2005 From: isn at c4i.org (InfoSec News) Date: Tue Oct 11 00:14:38 2005 Subject: [ISN] State data systems upgraded after hack Message-ID: http://www.adn.com/news/alaska/story/7069608p-6974390c.html By SEAN COCKERHAM Anchorage Daily News October 10, 2005 JUNEAU -- The state is in the midst of a $7 million computer security upgrade as a result of a cyber-assault that sliced through the defenses of the state network. The Jan. 
18 attack affected about 110 state computer servers and prompted an investigation by the FBI and a specialist unit of the U.S. Department of Homeland Security. The attack appeared to come from Brazil, state officials said. The hackers were "data mining" -- looking for information to steal -- according to Kevin Brooks, the deputy commissioner of the state Department of Administration. Brooks said no information was stolen. But, if it had been, the attack could have led to identity theft using personal information on the state network. "It was kind of a wake-up call," Brooks said. The state and federal governments will say little about the attack. What is known is that a Department of Health and Social Services server was found to be "defaced," meaning its security was breached. The state investigation then discovered about 110 other servers with similar signs of hacking. That's when the FBI and the Homeland Security Department's United States Computer Emergency Readiness Team got involved. State officials on Wednesday refused to release the report that resulted from the investigation, citing the federal Department of Homeland Security's demand that it remain confidential. State officials said they planned before the attack to ask the Legislature for money to upgrade the computer network. But the attack prompted them to speed it up. They drew up a proposal that would spend $41 million on upgrades over five years. Brooks said the state has $7 million to spend on immediate security work before the end of the fiscal year next June. Measures are now in place that should prevent the kind of attack that hit in January, he said. Brooks said part of the work is to replace technology. An analysis after the attack revealed some of the servers and switches on the network were outdated, he said. Thousands of state computers are getting Cisco security software installed, he said. 
The Department of Administration provided a statement about the ongoing work from Darrell Davis, the state's chief security officer. "It would be counterproductive to tell those involved in fraud and terrorism exactly what we are doing to make their criminal acts far more difficult," he said. "(It) includes replacing significant amounts of aging infrastructure, hardening of routers and servers, deploying firewalls, establishing security policies and other extra intrusion prevention measures." © Copyright 2005, The Anchorage Daily News

From isn at c4i.org Wed Oct 12 00:06:37 2005 From: isn at c4i.org (InfoSec News) Date: Wed Oct 12 00:15:41 2005 Subject: [ISN] 3rd Annual High Technology Crime Investigation Association Seminar Presented by the Atlantic Canada Chapter HTCIA Message-ID: Forwarded from: Mark Bernard 3rd Annual High Technology Crime Investigation Association Seminar Presented by the Atlantic Canada Chapter HTCIA When: November 25th, 2005 Where: Howard Johnson Brunswick Plaza Hotel, 1005 Main St., Moncton N.B. Why: Fraud, telephone scams, phishing, identity theft, hacking... You see these terms daily in the media. With the presence of the Internet throughout Atlantic Canada, the danger of high technology crime impacting on your life, your family and business without warning is growing. This one day seminar will draw back the shadows and let you see the methods / techniques used to scam thousands of people each year. At the event we will show you how to detect, identify and counter these threats. John Weigelt, CISSP, CISM - Chief Security Advisor, Microsoft As the Chief Security Advisor and Privacy Compliance Officer for Microsoft Canada, John is responsible for the development and communication of Microsoft Canada's security and privacy strategies. Barry Elliott, PhoneBusters PhoneBusters is a national anti-fraud call centre jointly operated by the Ontario Provincial Police and the Royal Canadian Mounted Police.
The Atlantic Canada HTCIA Seminar is the premier source of cyber-crime information for individuals, businesses and organizations in the region. As an unbiased source you will get the facts you need to protect yourself. For more details visit Atlantic Canada's - High Tech Crime Investigation Association at; http://atl-htcia.org/

From isn at c4i.org Wed Oct 12 00:07:22 2005 From: isn at c4i.org (InfoSec News) Date: Wed Oct 12 00:16:19 2005 Subject: [ISN] Justice IG report: Protect laptop data Message-ID: Forwarded from: matthew patton wow, nobody mentioned using VMWARE? Granted it's less desirable and clean cut (think KISS) than 2 hard drives but the "classified" VM can be stripped of its ability to cut/paste and share network/devices with the host OS. All files could be saved on an AES/3DES encrypted disk "image". Even better to require a fingerprint and/or say the CAC card to unlock the filesystem. Let's see, slim-line 80GB USB hard drives cost what, $160 from CompUSA et al.? USB hard drives are bootable now from moderately recent BIOS ROMs and even if they weren't, it would not be very hard to create one of those credit-card CDROM images that will bootstrap enough of a kernel to get access to the USB subsystem and then invoke the bootloader of the red or green disk that's plugged in. Along the lines of "specialized" hardware, there's the ol' KVM trick applied to hard drives. Say the onboard HD is UNCLASS and there is a little toggle switch that electrically activates the inside or slotted one. I think I've seen 2" HD slots in place of (or in addition to) PCMCIA slots in some laptops. Even if not, I'm sure at least one big player would jump at the opportunity to offer a product to the US Govt. The easiest circuit to turn on/off would be the power feed. So even if both HDs were plugged into their bays only one would have electricity. Pin them both "master" and there'd be no way for them to coexist even if both managed to get power.
But the article makes a vital point throughout - it ALL depends on a userbase that doesn't screw it up. Something tells me not to ever underestimate the creativity of the stupid. From isn at c4i.org Wed Oct 12 00:08:06 2005 From: isn at c4i.org (InfoSec News) Date: Wed Oct 12 00:16:54 2005 Subject: [ISN] CodeCon 2006 Call For Papers Message-ID: Forwarded from: Len Sassaman CodeCon 2006 February 10-12, 2006 San Francisco CA, USA www.codecon.org Call For Papers CodeCon is the premier showcase of cutting edge software development. It is an excellent opportunity for programmers to demonstrate their work and keep abreast of what's going on in their community. All presentations must include working demonstrations, ideally accompanied by source code. Presentations must be done by one of the active developers of the code in question. We emphasize that demonstrations be of *working* code. We hereby solicit papers and demonstrations. * Papers and proposals due: December 15, 2005 * Authors notified: January 1, 2006 Possible topics include, but are by no means restricted to: * community-based web sites - forums, weblogs, personals * development tools - languages, debuggers, version control * file sharing systems - swarming distribution, distributed search * security products - mail encryption, intrusion detection, firewalls Presentations will be 45 minutes long, with 15 minutes allocated for Q&A. Overruns will be truncated. Submission details: Submissions are being accepted immediately. Acceptance dates are November 15, and December 15. After the first acceptance date, submissions will be either accepted, rejected, or deferred to the second acceptance date. The conference language is English. Ideally, demonstrations should be usable by attendees with 802.11b connected devices either via a web interface, or locally on Windows, UNIX-like, or MacOS platforms. Cross-platform applications are most desirable. Our venue will be 21+. 
To submit, send mail to submissions-2006@codecon.org including the following information: * Project name * url of project home page * tagline - one sentence or less summing up what the project does * names of presenter(s) and urls of their home pages, if they have any * one-paragraph bios of presenters, optional, under 100 words each * project history, under 150 words * what will be done in the project demo, under 200 words * slides to be shown during the presentation, if applicable * future plans General Chair: Jonathan Moore Program Chair: Len Sassaman Program Committee: * Bram Cohen, BitTorrent, USA * Jered Floyd, Permabit, USA * Ian Goldberg, Zero-Knowledge Systems, CA * Dan Kaminsky, Avaya, USA * Ben Laurie, The Bunker Secure Hosting, UK * Nick Mathewson, The Free Haven Project, USA * David Molnar, University of California, Berkeley, USA * Jonathan Moore, Mosuki, USA * Meredith L. Patterson, University of Iowa, USA * Len Sassaman, Katholieke Universiteit Leuven, BE Sponsorship: If your organization is interested in sponsoring CodeCon, we would love to hear from you. In particular, we are looking for sponsors for social meals and parties on any of the three days of the conference, as well as sponsors of the conference as a whole and donors of door prizes. If you might be interested in sponsoring any of these aspects, please contact the conference organizers at codecon-admin@codecon.org. Press policy: CodeCon provides a limited number of passes to qualifying press. Complimentary press passes will be evaluated on request. Everyone is welcome to pay the low registration fee to attend without an official press credential. Questions: If you have questions about CodeCon, or would like to contact the organizers, please mail codecon-admin@codecon.org. Please note this address is only for questions and administrative requests, and not for workshop presentation submissions. 
From isn at c4i.org Wed Oct 12 00:08:29 2005 From: isn at c4i.org (InfoSec News) Date: Wed Oct 12 00:17:33 2005 Subject: [ISN] The Four Most Dangerous Security Myths Message-ID: http://www.informationweek.com/story/showArticle.jhtml?articleID=172300043 By Matthew Friedman Networking Pipeline Oct. 10, 2005 Network security is all about nightmares. As organizations have become increasingly dependent on their networks and the Internet to provide that essential link of data, capital and business intelligence, they have also opened themselves up to potential risk - potentially immense risks. The litany of companies that have been burned by hackers, worms, viruses and simple human error has made organizations wary of the perils of the networked economy. There's so much out there in the digital ether that can jump up and bite you. On the other hand, says Justin Peltier, a senior security consultant with Peltier Associates and leader of Web hacking seminars for the Computer Security Institute, there are also a lot of myths out there. "Network security has a particular affinity for myths," he says. "It's hard to change an opinion once it's made, and a lot of IT and security professionals have based their opinions on received wisdom. They've heard about security risks, but they haven't tried it for themselves. Some of these opinions might have been based on reality but are no longer valid, and some is just based on what we've been told." What they've been told is often only partly true, if at all, he says. It's often based on misconceptions and preconceptions. These myths can lull organizations into a false sense of security or distract them from the real business at hand. Either way, they are legion, though Peltier says that any organization serious about security can address the handful of the biggest and most egregious myths through a combination of experience and common sense.
"If you look at most other disciplines, you see facts and statistics to back things up," he says. "That's not always true about security. It's not enough to just hear about something, you have to check it out for yourself." To help you separate truth from fiction, here are four of the most dangerous security myths. 1. Patches always fix the security hole: Peltier is particularly troubled by the complacency he sees surrounding patching. "An awful lot of people think that, once you've applied a security patch, you'll be okay," he says. "That just isn't true. Sometimes it works, sometimes it moves the vulnerability somewhere else, and sometimes it creates a new hole." Above all, patches only address published exploits and just because the hole hasn't been published doesn't mean it isn't there. The problem is that networking is based on technologies developed in an earlier, more innocent time, and many of the biggest vulnerabilities are inherent flaws in the architecture of TCP/IP. Network miscreants are probing networks right now, looking for weaknesses, and there is "almost inevitably" a lag between what they know and what vendors and security professionals know. "You need to find the holes before the bad guys do," he says. "Most people think defensively, but you have to think offensively. It's jujitsu." The bottom line is that the only thing that will improve the situation is a new architecture -- specifically IPv6. Peltier expects that wholesale migration to the new version of TCP/IP will be motivated by an inevitable wave of distributed denial of service attacks, "and that's a good thing. Organizations have to start to plan for migration now." 2. SSL is secure: Secure sockets layer (SSL) encryption has become so ubiquitous that the last thing anyone wants to hear is that it's fundamentally insecure, but Peltier says that our faith is unfounded. "No one is getting burned yet, but they will be," he says.
"You see the lock icon, and you assume you're safe -- but you're not." The problem is that it's a negotiated security standard with two major flaws, both of which can be exploited by man-in-the-middle attacks. "The first thing is that SSL depends on a negotiated certificate, but when there is a problem in the negotiation, the only thing that happens is that an alert window pops up. SSL hijacking is so easy because of the implicit trust we have in the digital certificate." The other problem is that SSL still supports export-grade 40-bit encryption. The SSL transaction will negotiate down to the lowest common level, Peltier says. "That's a big problem," he says. "Security people don't get into SSL because they think it's a Web thing. But it can open up the network, so it's really a network thing." 3. Theoretical vulnerabilities don't pose a danger: There are, Peltier says, any number of vulnerabilities that are theoretically known, "but can't yet be proven through proof of concept code." The operative term, of course, is "yet," and even though the door hasn't been pried open, that doesn't mean it won't be. The problem is that you never know. "Vendors will often ignore theoretical vulnerabilities until they become a really high profile thing," Peltier says. "The best known one recently was the Windows password hashes vulnerability." Because it's impossible to say when a theoretical flaw will become an exploit, Peltier says that organizations can't wait for vendors to notify them of vulnerabilities. A complete security plan should include keeping tabs on what the hacker and security research community is talking about. "These things don't come out of left field," he says. "There's always a warning. There are always people jumping up and down saying 'there's a hole here, there's a hole here,' when someone discovers an exploit.
If you don't stay on top of this stuff, you're going to take six times as long to fix the vulnerability because you won't know what part of your anatomy to cover with your hand." 4. Wireless networks are inherently insecure: Wireless networking gets a bad rap. The conventional wisdom holds that Wi-Fi is inherently less secure than wired networks because in its early days, Peltier concedes, the Wired Equivalent Privacy (WEP) protocol had more security holes than Swiss cheese. The point, however, is that wireless security has gone far beyond WEP; users just have to enable these security features. "Properly configured, wireless is actually much more secure than wired networking," he says. "Proper configuration is everything, of course, and you have to turn on WPA (Wi-Fi Protected Access) shared key security, but it's not exactly difficult. You just have to select the option from a drop-down menu." With the Institute of Electrical and Electronics Engineers (IEEE) 802.11i wireless security specification finalized and products already shipping, Peltier hopes that Wi-Fi's bad rap will be laid to rest. "So many people have been brainwashed to believe that wireless is insecure, though," he muses.

From isn at c4i.org Wed Oct 12 00:08:41 2005 From: isn at c4i.org (InfoSec News) Date: Wed Oct 12 00:17:52 2005 Subject: [ISN] Energy Department auditors cite cybersecurity flaws at FERC Message-ID: http://www.gcn.com/vol1_no1/daily-updates/37284-1.html By Wilson P. Dizard III GCN Staff 10/11/05 The Energy Department's inspector general has found fault with cybersecurity procedures in the Federal Energy Regulatory Commission's unclassified cybersecurity program. In a report [1] issued today, the IG noted that FERC officials have continued to improve their cybersecurity program, and cited improvements since a previous review in 2002.
However, the IG staff found several areas in which FERC was deficient, including:

* Access controls had in some cases not been implemented via strong password management
* Some software with known security flaws was not replaced, and some users were at times provided access at higher levels than their duties required
* Not all cybersecurity weaknesses were traced and resolved.

Auditors said FERC had overlooked the problems because officials had failed to complete compliance evaluations required by general federal requirements and agency-specific rules. The report, however, omitted information on specific vulnerabilities and how they might be fixed. FERC management said that it generally concurred with the IG's findings and recommendations. [1] http://www.ig.doe.gov/pdf/ig-0704.pdf

From isn at c4i.org Wed Oct 12 00:04:16 2005 From: isn at c4i.org (InfoSec News) Date: Wed Oct 12 00:18:15 2005 Subject: [ISN] Windows 2000 vulnerability could lead to new outbreak Message-ID: http://www.networkworld.com/news/2005/101105-windows-vulnerability.html By Robert McMillan IDG News Service 10/11/05 Microsoft has released nine security updates for vulnerabilities in its software products, including three critical fixes for Windows and Internet Explorer. Among the updates is a patch for bugs in two separate components of the Windows operating system that security researchers believe could be exploited by attackers in much the same way that the Zotob family of worms were used two months ago. The software patches, called updates in Microsoft parlance, were released Tuesday as part of the company's monthly security software release. Two of the critical updates concern Internet Explorer and Microsoft's DirectShow media streaming software.
A third update, described in Microsoft Security Bulletin MS05-051, concerns the COM+ services included with Windows as well as the Microsoft Distributed Transaction Coordinator (MSDTC), a component of the operating system that is commonly used by database software to help manage transactions. It is these last two vulnerabilities that have security researchers concerned because of their similarity to the Windows Plug and Play (PnP) system vulnerability reported last August. Within a week of its disclosure, that flaw was exploited by the authors of the Zotob worm. Variations of this attack eventually knocked hundreds of thousands of machines offline, primarily affecting Windows 2000 users. Microsoft has rated the MSDTC vulnerability as "critical" for users of Windows 2000, meaning the vulnerability could be used by attackers to seize control of any unpatched system. The COM+ bug is rated critical for Windows 2000 and Windows XP, Service Pack 1. Security researchers say that another Zotob-style worm outbreak is now a possibility. "The COM+ and MSDTC vulnerabilities have a very similar appearance to the PnP vulnerability that caused Zotob," said Mike Murray, director of vulnerability and exposure research for security vendor nCircle Network Security. Internet Security Systems' Neel Mehta agreed that there were similarities between the PnP bug exploited by Zotob and MS05-051. "The scope of the affected platform is exactly the same and these services are run by default on Windows 2000," said Mehta, who is team leader of the company's X-Force research team. "In terms of ease of exploitation, they're not incredibly difficult to exploit, but they're not as easy as the Plug and Play vulnerability." Mehta is also concerned with the DirectShow bug. By tricking users into viewing malicious programs that appeared to be legitimate multimedia files, attackers could seize control of unpatched Windows systems, he said.
"It requires user interaction of some sort, which takes it down a notch from MS05-051, but it is still a serious vulnerability." Microsoft has rated the DirectShow flaw "critical" for a wider range of Windows systems than the COM+ and MSDTC bugs. It has been rated critical for Windows XP, Windows 2000, Windows Server 2003, Windows 98 and Windows ME. Though the COM+ and MSDTC bugs will probably get a lot of attention, because they could be used in worm attacks, the DirectShow or IE flaws are also dangerous, and could be used by thieves as the basis of a targeted attack, said Marc Maiffret, chief hacking officer with eEye Digital Security. "The other vulnerabilities I think of as worse in a way because it's an easier way to target a specific corporate user," he said. The other security updates released Tuesday include "important" patches for Client Services for NetWare, the Windows Plug and Play system, Microsoft Collaboration Data Objects, and the Windows Shell. "Moderate" bugs have also been patched in the Windows FTP (File Transfer Protocol) client and the Network Connection manager. Tuesday's flurry of releases comes after a very quiet September for Microsoft's security team. Last month, Microsoft had planned to release only one security patch, but ended up scrapping the update at the last minute due to "quality issues." Though Microsoft executives were unavailable for additional comment on the October security updates, the company said that the critical Internet Explorer vulnerability, covered in Security Bulletin MS05-052, was the bug the company had planned to fix in September. Microsoft has been told that this IE bug is already being exploited by hackers, the company said in a statement attributed to Stephen Toulouse, security program manager with the Microsoft Security Response Center. More information on the October Security Bulletins can be found here [1]. 
[1] http://www.microsoft.com/technet/security/bulletin/ms05-oct.mspx From isn at c4i.org Thu Oct 13 00:03:18 2005 From: isn at c4i.org (InfoSec News) Date: Thu Oct 13 00:09:45 2005 Subject: [ISN] Ten steps to secure networking Message-ID: http://www.techworld.com/security/features/index.cfm?FeatureID=1862 By Pamela Warren Nortel October 12, 2005 Secure networking ensures that the network is available to perform its appointed task by protecting it from attacks originating inside and outside the organisation. Traditional thinking equates this to a handful of specific requirements, including user authentication, user device protection and point solutions. However, the move to convergence, together with greater workforce mobility, exposes networks to new vulnerabilities, as any connected user can potentially attack the network. Application traffic must be securely delivered across the network, avoiding threats such as theft of intellectual property or private data. In addition, the underlying infrastructure must be protected against service disruption (in which the network is not available for its intended use) and service theft (in which an unauthorised user accesses network bandwidth, or an authorised user accesses unauthorised services). While most organisations focus on securing the application traffic, few put sufficient infrastructure focus beyond point solutions such as firewalls. To protect the total network, security must be incorporated in all layers and the complete networking lifecycle. Secure networking layers Secure networking involves securing the application traffic as it traverses the network. It should encompass these areas: Perimeter security protects the network applications from outside attack, through technologies such as firewall and intrusion detection. Communications security provides data confidentiality, integrity and non-repudiation, typically through the use of Secure Sockets Layer or IPsec virtual private networks (VPN). 
Secure networking extends this by protecting the underlying infrastructure from attack. Platform security ensures that each device is available to perform its intended function and doesn't become the network's single point of failure. The network security plan should include antivirus checking and host-based intrusion detection, along with endpoint compliance, to ensure that security policies check user devices for required security software. Access security ensures that each user has access to only those network elements and applications required to perform his job. Physical security protects the network from physical harm or modification, and underlies all security practices. The most obvious forms of physical security include locked doors and alarm systems. Secure networking lifecycle Providing a secure network is not a one-time event, but rather a lifecycle that must be continually reviewed, updated and communicated. There are three distinct stages to be considered: How can security breaches be prevented? Along with hardening of operating systems and antivirus software, prevention includes processes to regularly review the network's security posture, which is particularly important as new convergence and mobility solutions or new technologies and platforms are added to the network. How can security breaches be detected? Although some breaches are obvious, others are much more subtle. Detection techniques include product-level and network-wide intrusion-detection systems, system checks and logs for misconfigurations or other suspicious activity. What is the appropriate response to a security breach? A range of preparations must be made to respond to a successful breach, some of which may include the removal of infected devices or large-scale disaster recovery. 
Standards for secure networking

To ensure a consistent set of requirements, lower training costs and speed the introduction of new security capabilities, IT managers should use these 10 security techniques across their networks.

1. Use a layered defence. Employ multiple complementary approaches to security enforcement at various points in the network, therefore removing single points of security failure.

2. Incorporate people and processes in network security planning. Employing effective processes, such as security policies, security awareness training and policy enforcement, makes your programme stronger. Having the people who use the network (employees, partners and even customers) understand and adhere to these security policies is critical.

3. Clearly define security zones and user roles. Use firewall, filter and access control capabilities to enforce network access policies between these zones using the least-privilege concept. Require strong passwords to prevent guessing and/or machine cracking attacks, as well as other strong forms of authentication.

4. Maintain the integrity of your network, servers and clients. The operating system of every network device and element management system should be hardened against attack by disabling unused services. Patches should be applied as soon as they become available, and system software should be regularly tested for viruses, worms and spyware.

5. Control device network admission through endpoint compliance. Account for all user device types, wired and wireless. Don't forget devices such as smart phones and handhelds, which can store significant intellectual property and are easier for employees to misplace or have stolen.

6. Protect the network management information. Ensure that virtual LANs (VLAN) and other security mechanisms (IPsec, SNMPv3, SSH, TLS) are used to protect network devices and element management systems so only authorised personnel have access. Establish a backup process for device configurations, and implement a change management process for tracking.

7. Protect user information. WLAN/Wi-Fi or Wireless Mesh communications should use VPNs or 802.11i with Temporal Key Integrity Protocol for security purposes. VLANs should separate traffic between departments within the same network and separate regular users from guests.

8. Gain awareness of your network traffic, threats and vulnerabilities for each security zone, presuming both internal and external threats. Use antispoofing, bogon blocking and denial-of-service prevention capabilities at security zone perimeters to block invalid traffic.

9. Use security tools to protect from threats and guarantee performance of critical applications. Ensure firewalls support new multimedia applications and protocols, including SIP and H.323.

10. Log, correlate and manage security and audit event information. Aggregate and standardise security event information to provide a high-level consolidated view of security events on your network. This allows correlation of distributed attacks and a network-wide awareness of security status and threat activity.

The International Telecommunication Union and Alliance for Telecommunications Industry Solutions provide standards that enterprises can use in their vendor selection process. However, no single set of technologies is appropriate for all organisations. Regardless of the size of the organisation or the depth of the capabilities required, secure networking must be an inherent capability, designed into the DNA of every product. By following the steps described above, companies will have the right approach for securing their increasingly mobile, converged networks.

-=-

Pamela Warren is a senior security solutions manager at Nortel, currently responsible for strategic security initiatives in the office of the chief technology officer.
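Technique 10 above (aggregate, standardise and correlate event information so distributed attacks become visible) is the one most readers have to build themselves. The script below is an added example, not from Pamela Warren's article or any Nortel product: it maps two differently formatted sources, a firewall deny log and a bastion host's sshd log, onto one event schema, then looks for a single source address that touches several targets across zones inside one time window, which is exactly the pattern that is invisible in any one device's log. The log excerpts are constructed for the example and imitate a generic firewall syslog line and an OpenSSH auth log; the host-to-zone table is an assumption a real deployment would take from its asset inventory.

```python
"""Event normalisation and correlation across two log sources (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample input: denies from a DMZ firewall and a core firewall ...
FIREWALL_LOG = """\
2005-10-12T10:00:01 fw-dmz DENY src=203.0.113.7 dst=192.0.2.10 dport=22 zone=dmz
2005-10-12T10:00:05 fw-dmz DENY src=203.0.113.7 dst=192.0.2.11 dport=22 zone=dmz
2005-10-12T10:00:09 fw-core DENY src=203.0.113.7 dst=10.0.0.5 dport=22 zone=internal
2005-10-12T10:03:00 fw-core DENY src=198.51.100.3 dst=10.0.0.9 dport=445 zone=internal
"""

# ... and a bastion host's sshd log (syslog style, no year in the timestamp)
SSH_LOG = """\
Oct 12 10:00:12 bastion sshd[4311]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Oct 12 10:00:14 bastion sshd[4311]: Failed password for root from 203.0.113.7 port 51123 ssh2
Oct 12 10:30:00 bastion sshd[5120]: Accepted publickey for ops from 10.0.0.9 port 40000 ssh2
"""

# Assumed asset inventory: the security zone each logging host sits in
HOST_ZONES = {"bastion": "dmz"}


@dataclass(frozen=True)
class Event:
    """One security event in the common schema every source is mapped onto."""
    ts: datetime
    sensor: str    # device that produced the record
    src_ip: str    # address the activity came from
    target: str    # host or address it was aimed at
    zone: str      # security zone of the target
    action: str    # normalised outcome: deny, allow, auth_fail, auth_ok


FW_RE = re.compile(r"^(\S+) (\S+) (DENY|ALLOW) src=(\S+) dst=(\S+) dport=\d+ zone=(\S+)$")
SSH_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
                    r"(Failed|Accepted) \S+ for (?:invalid user )?\S+ from (\S+) port")


def parse_firewall(text):
    """Map firewall lines onto Event; lines that do not parse are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        ts, sensor, verdict, src, dst, zone = m.groups()
        events.append(Event(datetime.fromisoformat(ts), sensor, src, dst, zone, verdict.lower()))
    return events


def parse_ssh(text, year=2005):
    """Map sshd auth lines onto Event; the zone comes from the asset inventory."""
    events = []
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if not m:
            continue
        mon, day, clock, host, result, src = m.groups()
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        action = "auth_fail" if result == "Failed" else "auth_ok"
        events.append(Event(ts, host, src, host, HOST_ZONES.get(host, "unknown"), action))
    return events


SUSPICIOUS = {"deny", "auth_fail"}


def correlate(events, window=timedelta(minutes=5), min_targets=3):
    """Group suspicious events by source address and report every source that
    touches at least min_targets distinct targets inside one sliding window."""
    by_src = defaultdict(list)
    for ev in events:
        if ev.action in SUSPICIOUS:
            by_src[ev.src_ip].append(ev)
    findings = {}
    for src_ip, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        best = []
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e.ts - first.ts <= window]
            if len({e.target for e in in_window}) > len({e.target for e in best}):
                best = in_window
        targets = {e.target for e in best}
        if len(targets) >= min_targets:
            findings[src_ip] = {
                "targets": sorted(targets),
                "zones": sorted({e.zone for e in best}),
                "sensors": sorted({e.sensor for e in best}),
            }
    return findings


if __name__ == "__main__":
    for src, f in correlate(parse_firewall(FIREWALL_LOG) + parse_ssh(SSH_LOG)).items():
        print(f"{src}: {len(f['targets'])} targets in zones {f['zones']}, seen by {f['sensors']}")
```

Run on the sample data, only 203.0.113.7 is reported: the firewall logs alone show it touching three targets in two zones, and adding the bastion's authentication failures raises that to four, seen by three different sensors. The single deny from 198.51.100.3 stays below the threshold, which is the point of correlating before alerting.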
From isn at c4i.org Thu Oct 13 00:01:34 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 13 00:10:04 2005
Subject: [ISN] Nessus scanner code forked
Message-ID:

http://www.smh.com.au/news/breaking/nessus-scanner-code-forked/2005/10/11/1128796513799.html

By Sam Varghese
October 11, 2005

A group of British security researchers has decided to start a fork of the popular Nessus vulnerability scanner, following a decision by the owner of Nessus to change the licence under which the scanner was released. Nessus was released under the General Public License (GPL) which means its code was freely available.

The change of licensing terms was announced last week by Renaud Deraison, who began the Nessus Project in 1998. Four years later, Deraison co-founded a company named Tenable Network Security which now develops Nessus.

Last week, Deraison said [1] the forthcoming version of Nessus, version 3.0, would be available free, but not under the GPL. He said the current version, Nessus 2.0, would continue to be maintained under the GPL with bug fixes.

The British team is headed by Tim Brown who, in a posting [2] to the Full-Disclosure vulnerability mailing list, said the fork would be called GNessUs.

"As a result of recent announcements by Tenable, we believe a fork of Nessus is required to allow future free development of this tool," he wrote.

Brown said the decision had been taken after consulting colleagues from within the security industry.

"While we would like to believe that we will be able to continue to take updates of the Nessus 2 source code from the Nessus website, we will be endeavouring to add fresh functionality and plugins as part of the GNessUs project," he wrote.

"The fork will be based on the current nessus 2.2.5 packages from GNU/Debian (sic), the source of which can be found above in a slightly modified form. We would welcome contact from any interested developers."
[1] http://mail.nessus.org/pipermail/nessus/2005-October/msg00035.html
[2] http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/037863.html

From isn at c4i.org Thu Oct 13 00:02:38 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 13 00:10:26 2005
Subject: [ISN] Security UPDATE -- Copying Files Securely Between Systems -- October 12, 2005
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

CDW. The Technology You Need When You Need It.
http://list.windowsitpro.com/t?ctl=1619A:4FB69

Speed up your systems--try Diskeeper 9 free
http://list.windowsitpro.com/t?ctl=1617B:4FB69

====================

1. In Focus: Copying Files Securely Between Systems

2. Security News and Features
- Recent Security Vulnerabilities
- Microsoft Releases 9 Security Bulletins in October
- Microsoft Announces New Products and New Consortium
- Microsoft Brings Antimalware Tech to Corporations
- Symantec to Acquire BindView
- 10 Network Security Assessment Tools You Can't Live Without

3. Security Toolkit
- Security Matters Blog
- FAQ
- Security Forum Featured Thread

4. New and Improved
- Freeze Workstation Configurations

====================

==== Sponsor: CDW ====

CDW. The Technology You Need When You Need It.
It takes a lot to keep up with today's business. Starting with today's technology. Our account managers and product specialists can get you quick answers to any questions you might have. So visit us online and find out first hand how we make it happen. Every order, every visit, every time. No matter what you need in technology, you can count on CDW for the right technology, right away.
http://list.windowsitpro.com/t?ctl=1619A:4FB69

====================

==== 1. In Focus: Copying Files Securely Between Systems ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

If you need to copy files from one system to another over an unprotected network, you can do it in a few ways. For example, you can employ the RRAS component that comes with Windows Server 2003 and Windows 2000 Server to establish a VPN that uses PPTP; you can use Microsoft IIS and Secure Sockets Layer (SSL) connections along with a custom Web interface; or you can use Secure Shell (SSH). There are other ways to accomplish this task, but these are probably the most common solutions.

If you're interested in setting up RRAS and PPTP, you can find instructions in the Microsoft article "Step-by-Step Guide for Setting Up a PPTP-based Site-to-Site VPN Connection in a Test Lab" (URL below). This is a good solution, especially if you want to use the VPN for other tasks.
http://list.windowsitpro.com/t?ctl=16179:4FB69

Using IIS and SSL is simple enough, but it does require you to design a Web interface that meets your needs. For example, designing for downloading files is easy enough, but you'll need a script or ActiveX control for uploading files. This method also requires that you expose the IIS system to some extent, which you might not want to do.

The third method, using an SSH server, might be a better solution. SSH servers provide encrypted transports between clients and servers by using a variety of encryption methods, including Triple DES (3DES), Blowfish, CAST (named after its developers Carlisle Adams and Stafford Tavares), Advanced Encryption Standard (AES), and possibly others, depending on the software you use. Another benefit is that SSH can use public keys instead of passwords to authenticate a session. Plus, SSH servers offer cross-platform support--versions are available for just about every popular OS, including Linux and BSD, as well as Sun Microsystems and Apple platforms.
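The encrypted transport and public-key authentication described above protect a file copy only if the client first checks that it is talking to the right server: the client's known_hosts file (PuTTY keeps the same information in the registry) pins each server's public key, and a mismatch on a later connection is the signal that something is wrong. The script below is an added example, not code from the newsletter or from any of the SSH products it names; it reproduces the OpenSSH "SHA256:" fingerprint format and the hashed known_hosts entry format (|1|salt|HMAC-SHA1 of the hostname) so the check can be seen end to end. The host names, the ed25519 key bytes and the known_hosts contents are all constructed for the example.

```python
"""Pin-and-verify an SSH server's host key against a known_hosts file (added example)."""
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_key: bytes) -> bytes:
    """Wire blob of an ssh-ed25519 public key from its 32 raw bytes.
    The key material in this example is constructed, not a real key."""
    assert len(raw_key) == 32
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(blob)) without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Hashed host field as written by HashKnownHosts / ssh-keyscan -H."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_matches(field: str, hostname: str) -> bool:
    """True if a known_hosts host field (plain, comma list or |1| hashed) names hostname."""
    if field.startswith("|1|"):
        _, _, salt_b64, _mac_b64 = field.split("|")
        salt = base64.b64decode(salt_b64)
        return hmac.compare_digest(hash_hostname(hostname, salt), field)
    return hostname in field.split(",")


def verify_host_key(known_hosts: str, hostname: str, key_type: str, blob: bytes) -> str:
    """Return 'ok' if a pinned entry for hostname matches the presented key,
    'mismatch' if entries exist but none match (rekeyed host or interception:
    stop and check out of band), and 'unknown' if nothing is pinned yet."""
    presented = base64.b64encode(blob).decode()
    seen_host = False
    for line in known_hosts.splitlines():
        parts = line.strip().split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue  # blank lines and comments
        hosts, ktype, key_b64 = parts[0], parts[1], parts[2]
        if not host_matches(hosts, hostname):
            continue
        seen_host = True
        if ktype == key_type and hmac.compare_digest(key_b64, presented):
            return "ok"
    return "mismatch" if seen_host else "unknown"


# Constructed sample data: two servers, one pinned by plain name, one by hashed name
FILESERVER_KEY = ed25519_blob(bytes(range(32)))
BACKUP_KEY = ed25519_blob(bytes(range(100, 132)))
SALT = b"\x01" * 20  # fixed salt so the example is reproducible; OpenSSH uses 20 random bytes
KNOWN_HOSTS = "\n".join([
    "# pinned out of band, e.g. from the server console before first use",
    "fileserver.example,192.0.2.10 ssh-ed25519 " + base64.b64encode(FILESERVER_KEY).decode(),
    hash_hostname("backup.example", SALT) + " ssh-ed25519 " + base64.b64encode(BACKUP_KEY).decode(),
])

if __name__ == "__main__":
    print("fileserver fingerprint:", fingerprint(FILESERVER_KEY))
    print("fileserver, right key:", verify_host_key(KNOWN_HOSTS, "fileserver.example", "ssh-ed25519", FILESERVER_KEY))
    print("fileserver, other key:", verify_host_key(KNOWN_HOSTS, "fileserver.example", "ssh-ed25519", BACKUP_KEY))
    print("backup (hashed entry):", verify_host_key(KNOWN_HOSTS, "backup.example", "ssh-ed25519", BACKUP_KEY))
    print("unpinned host:", verify_host_key(KNOWN_HOSTS, "nowhere.example", "ssh-ed25519", BACKUP_KEY))
```

The three outcomes map onto what a client should do: proceed on "ok", refuse and investigate on "mismatch", and on "unknown" compare the fingerprint the client shows against one obtained from the server's console or administrator before accepting it. The fingerprint function gives the same string as ssh-keygen -l for the same key blob, which is what makes that out-of-band comparison possible.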
By using SSH, you can not only copy files securely, you can also open a secure Telnet session (using a special shell client) to a remote server, which might come in handy for remote administration. In addition, you can tunnel unencrypted services over SSH connections. For example, by using port forwarding, you can run SQL traffic, POP3 traffic, and many other types of service traffic over SSH connections.

Several commercial and open-source SSH servers are available for Windows. If you want a robust commercial solution, check out the products at SSH Communications Security (at the first URL below) or AttachmateWRQ (at the second URL below). If you want an open-source solution, consider OpenSSH for Windows (at the third URL below) or freeSSHd (at the fourth URL below). Both open-source solutions can run as a system service; freeSSHd offers a simple GUI interface, OpenSSH doesn't.
http://list.windowsitpro.com/t?ctl=16190:4FB69
http://list.windowsitpro.com/t?ctl=16193:4FB69
http://list.windowsitpro.com/t?ctl=16197:4FB69
http://list.windowsitpro.com/t?ctl=1619C:4FB69

If you run Windows 2003, a step-by-step tutorial is available to help you install OpenSSH for Windows. "Installing OpenSSH for Windows 2003 Server - How to get it working," by Steve Pillinger, senior computer officer at the School of Computer Science at the University of Birmingham in England, describes how to set up user accounts, assign user rights, set file permissions, and configure authentication.
http://list.windowsitpro.com/t?ctl=1618F:4FB69

If you run Win2K Server, you can use Beau Monday's step-by-step guide, "Configuring OpenSSH (Win32) for Public Key Authentication." His guide is equally detailed and includes information about how to configure PuTTY, which is an open-source SSH command-line client for Windows platforms. The PuTTY package also includes a PuTTY Secure Copy (PSCP) client. If you use Monday's guide, take note that his link to OpenSSH for Windows is broken.
The project has relocated to SourceForge, and you can find it by using the second URL below.
http://list.windowsitpro.com/t?ctl=16195:4FB69
http://list.windowsitpro.com/t?ctl=16197:4FB69

I've used the PuTTY PSCP client quite a bit, and even though it's a good tool, I prefer a GUI because it saves me a whole lot of typing. With a GUI, you can copy files using simple drag-and-drop techniques, and you can typically navigate directories in a treeview similar to that of Windows Explorer. As an alternative to PuTTY, you might consider WinSCP (at the URL below) for file-copying tasks. WinSCP supports both Secure Copy (SCP) and Secure FTP (SFTP).
http://list.windowsitpro.com/t?ctl=16199:4FB69

====================

==== Sponsor: Diskeeper ====

Speed up your systems--try Diskeeper 9 free
The secret to maximum computer speed is simple: Eliminate disk fragmentation entirely. Diskeeper 9, the Number One Automatic Defragmenter, features a high-speed defragmentation engine that runs in the background. It's so fast and so transparent that you can run it on active servers and PCs, keeping your systems defragmented while your users work. All you do is "Set It and Forget It", and fragmentation-related problems are gone for good. Don't settle for less performance than your servers and PCs can deliver. See the benefits for yourself-- download your FREE evaluation version of Diskeeper 9 now!
http://list.windowsitpro.com/t?ctl=1617B:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=16183:4FB69

Microsoft Releases 9 Security Bulletins in October
Microsoft released nine security bulletins yesterday. Eight of them relate to patches for Windows and one relates to a patch for Windows and Microsoft Exchange Server.
Of the nine, Microsoft considers at least one to be critical. http://list.windowsitpro.com/t?ctl=1618A:4FB69 Microsoft Announces New Products and New Consortium After acquiring antivirus, antispyware, and antispam solution makers, Microsoft has finally announced its new antimalware product plans along with a new security consortium. http://list.windowsitpro.com/t?ctl=1618E:4FB69 Microsoft Brings Antimalware Tech to Corporations As promised, Microsoft will soon introduce a beta version of its antispyware and antivirus tools for managed corporate networks, giving enterprises the tools they need to remove malware on client PCs and file servers. http://list.windowsitpro.com/t?ctl=1618B:4FB69 Symantec to Acquire BindView Further strengthening its position in the security market space, Symantec announced a deal to acquire BindView. The acquisition, which is expected to close in first quarter 2006, better positions Symantec to offer end-to-end security solutions for policy compliance and vulnerability management. http://list.windowsitpro.com/t?ctl=1618D:4FB69 10 Network Security Assessment Tools You Can't Live Without Jerry Cochran describes his favorite penetration-testing tools, including Nmap and SNMPWalk, and encourages you to use them on your network--before the hackers do. After you read this article, tell us your network security assessment story and win a Windows IT Pro T-shirt. Just click in the Interact! box on the article Web page. http://list.windowsitpro.com/t?ctl=16188:4FB69 ==================== ==== Resources and Events ==== Discover SQL Server 2005 for the Enterprise. Are you prepared? In this free half-day event, you'll learn how the top new features of SQL Server 2005 will help you create and manage large-scale, mission-critical enterprise database applications--making your job easier. Find out how to leverage SQL Server 2005's new capabilities to best support your business initiatives. Register today! 
http://list.windowsitpro.com/t?ctl=16180:4FB69 Get the Most from Your Infrastructure by Consolidating Servers and Storage Improved utilization of existing networking resources and server hardware enable allocation of scarce financial and time resources where they're needed most. In this free Web seminar, learn to optimize your existing infrastructure with the addition of server and storage consolidation software and techniques. You'll get the jumpstart you need to evaluate the suitability and potential of your computing environments for the added benefits that consolidation technology can provide. http://list.windowsitpro.com/t?ctl=1617D:4FB69 Deploy VoIP and FoIP Technologies Voice over Internet Protocol (VoIP) is the future of telecommunications, and many companies are already enjoying the benefits of transporting voice over IP networks to significantly reduce telephone and facsimile costs. Join industry expert David Chernicoff for this free Web seminar to learn the ins and outs of boardless fax in IP environments, tips for rolling out fax and integrating fax with telephony technologies, and more! http://list.windowsitpro.com/t?ctl=16182:4FB69 Exploit the Opportunities of a Wireless Fleet With the endless array of mobile and wireless devices and applications, it's hard to decide what you can do with the devices beyond providing mobile email access. It's even tougher to know how to keep it all secure. Join industry guru Randy Franklin Smith in this free Web seminar and discover what you should do to leverage your mobile and wireless infrastructure, how to pick devices that are right for you, and more! http://list.windowsitpro.com/t?ctl=1617C:4FB69 The Conference & Expo on Mobile and Wireless Security The must-attend event for securing your wireless applications and networks, the Conference & Expo on Mobile and Wireless Security is designed to navigate you through today's high-threat landscape. 
Discover real-world security solutions from practitioners winning the battle against hackers, undisciplined users, and the occasional villainous virus. Click here for details:
http://list.windowsitpro.com/t?ctl=16194:4FB69

Cut Your Windows XP Migration Time by 60% or More!
If your organization is considering--or has already begun migrating your operating system to Windows XP, then this Web seminar is for you. Sign up for this free event, and you'll learn how to efficiently migrate your applications into the Windows Installer (MSI) format, how to prepare them for error-free deployment, what steps you need to follow to package your applications quickly and correctly, and more!
http://list.windowsitpro.com/t?ctl=16181:4FB69

====================

==== Featured White Paper ====

Stopping Crimeware and Malware: How to Close the Vulnerability Window
Computer users can no longer wait for a new vaccine every time a new security threat appears. How do you defend your network in a world of smarter, faster, Internet-borne zero-day attacks? Find out about Intrusion Prevention that can detect and destroy unknown malware with virtually zero false positives.
http://list.windowsitpro.com/t?ctl=1617F:4FB69

====================

==== Hot Release ====

Meeting Enterprise Management Needs: The Integration of Microsoft SMS 2003 and Afaria
Learn about the capabilities offered by the integration of Microsoft SMS 2003 and Afaria. In this free white paper you'll learn about new functionality and benefits of Microsoft SMS specifically targeted to improving management of remote and mobile devices, challenges of managing frontline systems, how the combined solution creates value around the successful use of technology at the front lines of business and more.
http://list.windowsitpro.com/t?ctl=1617E:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog: Nematodes: Worms That Help Your Networks
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=16192:4FB69
Would you unleash a worm on your networks if that worm was designed to protect the networks instead of infiltrate them? Dave Aitel thinks you would, and that was the subject of his presentation at the latest Hack in the Box conference in Malaysia. Read more about it in this blog entry.
http://list.windowsitpro.com/t?ctl=16189:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=16191:4FB69
Q: Can I change the type of logging that Active Directory (AD) uses?
Find the answer at
http://list.windowsitpro.com/t?ctl=1618C:4FB69

Security Forum Featured Thread: How to Automate Setting ACLs on Folders
Drew is trying to verify folder security on his file servers. He's running into many inconsistencies with folder permissions and wants to know if there's a script he can run to adjust the permissions. For example, all his users have a home directory on one of his file servers. He wants to set the ACL on each home directory folder to allow the user, administrators, and System account to have full control. Join the discussion at:
http://list.windowsitpro.com/t?ctl=1617A:4FB69

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Become a VIP Subscriber!
Get inside access to ALL the articles, tools, and helpful resources published in Windows IT Pro, SQL Server Magazine, Exchange and Outlook Administrator, Windows Scripting Solutions, and Windows IT Security-- that's more than 26,000 articles at your fingertips. Your VIP subscription also includes a valuable 1-year print subscription to Windows IT Pro and two VIP CDs (that contain the entire article database). Sign up now:
http://list.windowsitpro.com/t?ctl=16184:4FB69

SQL Server Magazine Has Answers
You won't want to miss any of the fall issues!
Subscribe now and discover the best tools to keep SQL Server tuned, the ins and outs of SQL Server 2005, ways ADO.NET 2.0 solves your problems, and much more. You'll also gain exclusive access to the entire SQL Server Magazine online article database (more than 2300 articles) and you'll SAVE 44% off the cover price. Click here: http://list.windowsitpro.com/t?ctl=16187:4FB69 ==================== ==== 4. New and Improved ==== by Renee Munshi, products@windowsitpro.com Freeze Workstation Configurations Faronics Technologies announces the official release of Deep Freeze 5.5 Standard, Professional, and Enterprise editions. Deep Freeze protects original computer configurations. No matter what changes a user makes to a workstation, when he or she restarts the system, Deep Freeze eradicates all the changes and resets the computer to its original state. Deep Freeze 5.5's new features include enhanced compatibility when deployed as part of a master image, the ability to specify login information for executing custom scripts during scheduled maintenance periods, and enhanced password security. For more information, go to http://list.windowsitpro.com/t?ctl=1619B:4FB69 Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com. Editor's note: Share Your Security Discoveries and Get $100 Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec@windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length. 
====================

==== Sponsored Links ====

Admins rush to install BLOG servers
How to run your own blog server. Free 5-user license.
http://list.windowsitpro.com/t?ctl=16198:4FB69

====================

==== Contact Us ====

About the newsletter -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=16196:4FB69
About product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- salesopps@windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=16186:4FB69

View the Windows IT Pro privacy policy at http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.

From isn at c4i.org Thu Oct 13 00:03:00 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 13 00:10:53 2005
Subject: [ISN] Princeton a hacker target, Symantec survey finds
Message-ID:

http://www.dailyprincetonian.com/archives/2005/10/12/news/13434.shtml

Mark Stefanski
Princetonian Contributor
October 12, 2005

Princeton had the second-highest percentage of computers controlled by hackers among cities worldwide between Aug. 24 and Sept. 23, according to a recent Symantec Monthly Security Update, though OIT security officer Anthony Scaturro disputed the findings.

The security update ranked Princeton second only to Cambridge, UK, in its report on hacker-controlled computers, also called bots. It attributed these two college towns' unusually high percentage of bots to an influx of users - returning and new faculty and students - connecting to the school networks.
"Education was the number one target because [universities] are mini service providers, serving in some cases 10,000 students," said Dean Turner, senior manager at Symantec Security Response. "There's often more money spent on building infrastructure and less time or money paid to security precautions, which is also a concern with small businesses, enterprises and users themselves." Princeton's bot problem, according to the Symantec report, is daunting. As of September, the town was home to seven percent of the world's bots, well ahead of Seoul, which ranked third with three percent. New York City, the American city with the next-highest ranking, came in 12th with one percent of the world's bots. Symantec compiled the rankings based on information from 120 million computers running its antivirus products. Since bots themselves are difficult to detect, Turner said Symantec had to look for activity indicative of bots, which yields only an estimate of their prevalence. But Scaturro said he thinks the ranking is not just an estimate but outright inaccurate, since the origin of such attacks, often carried out under false addresses, is difficult to pinpoint. Though Scaturro said he generally agreed with Symantec's ranking of the most frequent types of attacks, he said he didn't believe the ranking of the town as the second-biggest hub of bot activity was at all reflective of the University. "The intrusion prevention system sees attacks going both ways," Scaturro said. "If we were to look at our numbers [of attacks] going out, they would be very low. I think the figures are flawed. I can't say that definitively until I could review [Symantec's] method of determining the source of each attack." If anything, Scaturro added, the University should have a low density of bots because of its early adoption of an intrusion protection system, which intercepts and examines every message entering or exiting the University. 
"Anything that is a known attack that is coming out of our machines we are dropping at the front door and preventing from going out," he said. "That should skew our ranking down." The results are also suspect, Scaturro noted, due to the University's record of safe computing habits, including regular system security updates. It is unlikely that the density of bots in the rest of town could make Princeton the most bot-ridden city in the U.S. Symantec did not respond to Scaturro's concerns about the validity of its report. Hackers typically gain control of computers by infecting them with trojans, which execute a malicious code almost always unbeknownst to the computers' owners. Infected computers then become bots, communicating through backdoor channels with other bots and the hacker, who coordinates their activity. "[Bots are] zombie machines," Turner said. "They are machines that have been compromised by an attacker and are sort of sitting there waiting for commands from a remote attacker. They do the botmaster's bidding." Hackers often use the bots to bombard websites' servers with useless requests to the extent that the servers are either too busy to handle regular Internet traffic or shut down altogether. Bots also allow online criminals to assume a new identity - that of the bot computer's owner - and thereby lower the risk of getting caught. However damaging a bot can be, it is easy to prevent a computer from becoming one. Turner said he recommends antivirus software, a firewall and intrusion detection software. He added that emails should be opened with caution, since only an email that is opened can release a Trojan. By taking these precautions and actively addressing the problem, Princeton can further reduce its susceptibility to bots, Turner said. "Users become educated, and they become aware of the fact that they need an antivirus program and safe computing habits," he said. 
"It's part of the University's job, part of our job as a vendor and part of the student's job. Once word gets out we would expect that, if appropriate measures are taken, this [bot problem] will drop off." From isn at c4i.org Thu Oct 13 00:03:33 2005 From: isn at c4i.org (InfoSec News) Date: Thu Oct 13 00:11:05 2005 Subject: [ISN] GAO: Defense agency not fully protecting information systems Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,105358,00.html By Linda Rosencrance OCTOBER 12, 2005 COMPUTERWORLD The U.S. Defense Logistics Agency isn't fully protecting its information systems, according to a report released yesterday by the Government Accountability Office (GAO) (download PDF) [1]. The Defense Logistics Agency, or DLA, is responsible for providing food, fuel, medical supplies, clothing, spare parts for weapon systems and construction materials to support the country's military forces. The GAO had been asked to review the effectiveness of its operations -- including the DLA's information security program -- by members of the congressional Committee on Armed Services. According to the report, the DLA has made some progress in implementing elements of its information security program but needs to do more. Although the agency has established a central security management group and appointed a senior information security officer to manage the program, it has not consistently assessed risks to its systems from unauthorized access, use, disclosure or destruction of information, GAO officials said. In addition, employees responsible for the agency's information security haven't gotten enough training; annual security testing and evaluation of management and operational controls haven't been done; and plans to mitigate known IS deficiencies haven't been completed, the GAO said. The weaknesses in the agency's management and oversight of its security program "place DLA's information and information systems at risk," the agency concluded. 
It also said that until the DLA addresses the weaknesses and implements an agencywide information security program, it may not be able to protect its information or systems, according to the report.

The GAO made a number of recommendations, calling on the DLA to:

* Consistently assess risks that could result from the unauthorized access, use, disclosure or destruction of information and information systems;
* Provide training for employees with major responsibilities for information security;
* Make sure that security training plans are updated and maintained;
* Ensure that annual security evaluations include management, operational and technical controls of every information system in DLA's inventory.

In a written response to the GAO, Paul Brinkley, deputy undersecretary of defense, agreed with most of the GAO's recommendations and described the agency's efforts to address them. Brinkley said the DLA is working to fully implement an effective agencywide information security program, including publication of a Department of Defense manual that gives detailed guidance for training employees responsible for information security.

Defense Department officials disagreed with other recommendations, including the need to annually test the effectiveness of security controls for all systems. According to Brinkley, that recommendation amounts to annual recertification, and is neither practical nor cost-effective.

The GAO countered that it doesn't expect all information assurance controls for all systems to be evaluated annually, but to ensure that DLA's testing efforts include management, operational and technical controls of every information system in its inventory.

[1] http://www.gao.gov/new.items/d0631.pdf

From isn at c4i.org Thu Oct 13 00:03:47 2005
From: isn at c4i.org (InfoSec News)
Date: Thu Oct 13 00:11:25 2005
Subject: [ISN] Officials: How much security is enough?
Message-ID:

http://www.fcw.com/article91086-10-12-05-Web

By Florence Olsen
Oct. 12, 2005

In the White House situation room and in corporate boardrooms, people debate how much information security is enough - without reaching consensus. But a panel of national security experts said today that federal standards can help manage the country's considerable risk of a disruptive cyber event.

Standards that the National Institute of Standards and Technology is developing provide the basics of due diligence for federal agencies and businesses, said Ronald Ross, a senior computer scientist and information security researcher at NIST. He spoke today at an event in Washington, D.C., sponsored by the Wall Street Journal.

Businesses are not required by law to follow those information security standards, but Ross said many are doing so voluntarily because they can reduce the risk of a major cyber incident disrupting companies' business.

The federal standards include one for categorizing information systems assets based on whether their loss would pose a high, medium or low risk to the agency or business. Ross said people are spending too much time and money to protect low-risk systems and not enough on high-risk systems. He said NIST will soon issue another federal standard requiring specific security settings and controls for protecting low-, medium- and high-risk systems.

Roger Cressey, president of Good Harbor Consulting and a former counter-terrorism official, said the Homeland Security Department was slow to focus on cybersecurity vulnerabilities. To an extent, he added, the department is still reactive and "preparing to prevent the last attack."

But Cressey said DHS Secretary Michael Chertoff has correctly adopted a risk management approach to the country's cyber vulnerabilities. Whether Chertoff can gain support in Congress and elsewhere for that approach remains to be seen, Cressey said.
From isn at c4i.org Thu Oct 13 00:04:00 2005 From: isn at c4i.org (InfoSec News) Date: Thu Oct 13 00:11:41 2005 Subject: [ISN] Securing mobile data more important than viruses Message-ID: http://www.networkworld.com/news/2005/101205-mobile-data.html By Nancy Gohring IDG News Service 10/12/05 Enterprises with workers that can access corporate data from mobile devices should be less concerned about mobile viruses and more focused on setting and enforcing rules for securing the data, said speakers at Symbian's Smartphone Show in London on Tuesday. Very few real mobile viruses have actually proliferated in the market, said Morton Graubelle, executive vice president of marketing at Red Bend Software, a company that offers products that allow over-the-air installation and management of firmware for mobile devices. Instead, the companies whipping up fear around mobile viruses are largely looking after themselves. "We have companies making money out of scaring people, warning them about viruses," he said. Industry leaders also blamed mobile operators for the growing concern over mobile viruses. "I have a sense that there's hysteria from the operators," said Ben Wood, research vice president for mobile devices at Gartner. Geoff Preston, head of marketing technology at Symbian, agreed that operators are getting "agitated" about the prospect of mobile viruses and thus are furthering the hype around such potential problems. Ultimately, these speakers were optimistic that the wireless industry could continue to aggressively push security in order to stem the possibility of viruses becoming a real problem in the mobile world. "The mobile world should not just follow the PC paradigm by being reactive. We should be proactive to prevent getting to the point the PC world is in today," said Preston. Rather than worrying so much about potential mobile viruses, IT departments can do a better job of securing data that is stored on devices. 
A simple education process for mobile workers can help, said Chris Atwell, sales director at Extended Systems, a company that offers software that secures mobile access to corporate data. IT departments should emphasize that users should keep their devices locked and use an authentication process to access data. With such policies in place, workers will begin to recognize that the data stored or accessible on the phone has value and that may make them think twice about downloading suspicious files, for example, Atwell said. Companies can also deploy platforms that allow them to remotely erase or kill a device that might be lost or stolen, thus helping to protect sensitive data from getting into the wrong hands. Graubelle also stressed that mobile operators can implement device management platforms that can allow them to revoke applications that users may download, thus stemming the spread of potentially harmful viruses. While some operators are beginning to police such downloads, all have a responsibility to do so, he said. From isn at c4i.org Fri Oct 14 00:11:40 2005 From: isn at c4i.org (InfoSec News) Date: Fri Oct 14 00:24:13 2005 Subject: [ISN] US cybersecurity all at sea Message-ID: http://www.theregister.co.uk/2005/10/13/us_cybersecurity_analysis/ By John Leyden 13th October 2005 ... without a paddle US cybersecurity risks are being poorly managed by the Department of Homeland Security, according to a former US presidential information security advisor. Peter Tippett, who recently served a two-year term on the President's Information Technology Advisory Committee, said a lack of leadership on electronic security left the US at a greater risk of electronic attack. Tippett, who is now chief technology officer with managed security firm CyberTrust, compared Homeland Security's posture in defending against electronic attacks to the lack of preparation by FEMA (Federal Emergency Management Agency) in managing relief efforts for Hurricane Katrina. 
"Something similar happened when Homeland Security got responsibility for both FEMA and computer security. When responsibility was transferred from the White House to Homeland Security good people left the top. There's confusion over reporting lines and no leadership," Tippett told El Reg. The US government's cybersecurity responsibilities - along with those of FEMA - were transferred from the White House to the Department of Homeland Security during a reshuffle of 22 federal agencies three years ago. Tippett's criticisms are echoed by accusations that Homeland Security is ill-prepared for emergencies and beset by bureaucratic bungling by auditors and segments of the security industry. However, Howard Schmidt, chief exec of R&H Security and a former senior White House cyber security advisor, defended the Homeland Security agency's record. "There's been a lot of criticisms but they don't take into account the good work that the Homeland Security agency is doing. It is doing all it can to improve government systems within the priorities it has. We are getting incrementally better systems. Improvements will take time." Back to basics Schmidt made the comments at the SecureLondon conference, organised by security training and certification body ISC(2), in London earlier this week. Both Schmidt and Tippett have radical ideas for improving cybersecurity in the IT industry. Schmidt wants to see software developers held personally accountable for the security of the code they write. This is a radical idea but who is to blame for a Win XP security bug, for example? It would take the brain of Sherlock Holmes to apportion personal blame for that on any one developer, we suspect. Tippett advocates the wider adoption of basic security defences rather than government standards, which "don't translate into fewer hacker attacks". It would be better if PCs denied actions by default rather than permitting anything that was not known to be bad, he argued.
Tippett is credited with creating one of the first commercial anti-virus products, which later became Symantec's Norton Anti-Virus. He is highly critical of the industry he helped create. "The anti-virus industry is not interested in default deny because if they did that they wouldn't be able to sell updates," he said. "Information security problems are getting worse, even though people are spending more. Throwing money at the problem isn't helping. All the market wants to do is sell new gizmos," he added. From isn at c4i.org Fri Oct 14 00:11:55 2005 From: isn at c4i.org (InfoSec News) Date: Fri Oct 14 00:24:32 2005 Subject: [ISN] DDoS attacks still biggest threat Message-ID: http://www.techworld.com/networking/news/index.cfm?NewsID=4570 By John E. Dunn, Techworld 13 October 2005 Companies should devote more resources to countering old-fashioned DDoS attacks when investing in security, a survey of global ISPs (pdf) [1] has argued. The figures from Arbor Networks in its Worldwide ISP Security Report came from questionnaires sent to 36 large ISPs in the US, Europe and Asia. Over 90 percent of ISPs surveyed cited simple "brute force" TCP SYN and UDP datagram DDoS floods from zombie PC networks as their biggest day-to-day hassle, a finding which should apply equally to their corporate clients. This puts DDoS ahead of more recent attack types such as fast-spreading worms and DNS poisoning, which were ranked second and third respectively, in terms of prevalence. Even then, worm attacks were often most hazardous in terms of their original effect on traffic. "The primary threat from worms is not the payloads but the network congestion they cause," the report noted. Surprisingly, given the prevalence of this type of attack in recent years, only 29 percent of ISPs offered services to counter and trace DDoS in an automated way at the ISP level. The majority only discovered such events when a customer contacted them for help.
The main means of defending against DDoS remains the use of Access Control Lists (ACLs), but these come with the downside of shutting off network access. The DDoS attack is stopped but only by replicating much the same effect as the original traffic blocking. The reported motivations for DDoS attacks cluster around issues such as cyber-extortion, electronic protests against companies, and even corporate espionage. Few, if any, of such attacks are reported to result in criminal action against the instigator, which could account for their continued popularity. [1] http://www.arbor.net/downloads/Arbor_Worldwide_ISP_Security_Report.pdf From isn at c4i.org Fri Oct 14 00:13:13 2005 From: isn at c4i.org (InfoSec News) Date: Fri Oct 14 00:24:52 2005 Subject: [ISN] Secunia Weekly Summary - Issue: 2005-41 Message-ID: ======================================================================== The Secunia Weekly Advisory Summary 2005-10-06 - 2005-10-13 This week : 85 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3..............................This Week's Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written. Secunia validates and verifies vulnerability reports in many different ways e.g.
by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued. As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet. Secunia Online Vulnerability Database: http://secunia.com/ ======================================================================== 2) This Week in Brief: Microsoft has released their monthly security updates, which correct several vulnerabilities in various Microsoft products. All users of Microsoft products are advised to check Windows Update for available security updates. Additional details can be found in the referenced Secunia advisories below. References: http://secunia.com/SA17168 http://secunia.com/SA17167 http://secunia.com/SA17166 http://secunia.com/SA17165 http://secunia.com/SA17163 http://secunia.com/SA17161 http://secunia.com/SA17160 -- A vulnerability has been reported in Kaspersky Anti-Virus, which can be exploited by malicious people to cause a DoS (Denial of Service), or compromise a vulnerable system. Additional details and information about the solution can be found in the referenced Secunia advisory below. Reference: http://secunia.com/SA17130 -- Secunia Research has discovered two vulnerabilities in WinRAR, which can be exploited by malicious people to compromise a user's system. The vendor has released an updated version, which fixes these vulnerabilities. Reference: http://secunia.com/SA16973 VIRUS ALERTS: During the last week, Secunia issued 2 MEDIUM RISK virus alerts.
Please refer to the grouped virus profiles below for more information: SOBER.AC - MEDIUM RISK Virus Alert - 2005-10-08 06:46 GMT+1 http://secunia.com/virus_information/22224/sober.ac/ Sober.R - MEDIUM RISK Virus Alert - 2005-10-06 12:55 GMT+1 http://secunia.com/virus_information/22225/sober.r/ ======================================================================== 3) This Week's Top Ten Most Read Advisories: 1. [SA17071] Mozilla Firefox Iframe Size Denial of Service Weakness 2. [SA17062] UW-imapd Mailbox Name Parsing Buffer Overflow Vulnerability 3. [SA17064] Microsoft Windows XP Wireless Zero Configuration Wireless Profile Disclosure 4. [SA16560] Windows Registry Editor Utility String Concealment Weakness 5. [SA17167] Microsoft Collaboration Data Objects Buffer Overflow Vulnerability 6. [SA16901] Thunderbird Command Line URL Shell Command Injection 7. [SA16869] Firefox Command Line URL Shell Command Injection 8. [SA12758] Microsoft Word Document Parsing Buffer Overflow Vulnerabilities 9. [SA17049] Symantec AntiVirus Scan Engine Administrative Interface Buffer Overflow 10.
[SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability ======================================================================== 4) Vulnerabilities Summary Listing Windows: [SA17172] Avaya Various Products Multiple Vulnerabilities [SA17167] Microsoft Collaboration Data Objects Buffer Overflow Vulnerability [SA17160] Microsoft Windows DirectShow AVI Handling Vulnerability [SA17168] Microsoft Windows Shell and Web View Three Vulnerabilities [SA17163] Microsoft Windows FTP Client Filename Validation Vulnerability [SA17117] aeNovo Cross-Site Scripting and SQL Injection Vulnerabilities [SA17091] aspReady FAQ Manager Login SQL Injection Vulnerability [SA17166] Microsoft Windows Plug-and-Play Service Arbitrary Code Execution [SA17165] Microsoft Windows Client Service for NetWare Buffer Overflow [SA17161] Microsoft Windows MSDTC and COM+ Vulnerabilities [SA17136] GFI MailSecurity HTTP Management Interface Buffer Overflow [SA17096] CheckMark Payroll DUNZIP32.dll Buffer Overflow Vulnerability UNIX/Linux: [SA17149] Ubuntu update for mozilla-thunderbird [SA17090] Red Hat update for thunderbird [SA17179] Mandriva update for xine-lib [SA17171] Ubuntu update for koffice-libs/kword [SA17162] Debian update for xine-lib [SA17145] KOffice KWord RTF Importer Buffer Overflow Vulnerability [SA17144] F-Secure Anti-Virus for Linux CHM File Parsing Buffer Overflow [SA17135] SGI Advanced Linux Environment Multiple Updates [SA17132] Slackware update for xine-lib [SA17127] SUSE update for realplayer [SA17116] Gentoo update for realplayer / helixplayer [SA17111] Gentoo update for xine [SA17102] Debian update for ethereal [SA17099] xine-lib CDDB Client Format String Vulnerability [SA17097] Ubuntu update for libxine1 [SA17177] Mandriva update for squid [SA17156] Ubuntu update for sqwebmail [SA17152] Gentoo update for uw-imap [SA17148] Debian update for uw-imap [SA17147] Red Hat update for ruby [SA17143] Fedora update for xloadimage [SA17140] Debian update for xloadimage [SA17139] 
Debian update for xli [SA17129] Debian update for ruby [SA17124] xli NIFF Image Title Handling Buffer Overflow [SA17120] Debian update for up-imapproxy [SA17108] Debian update for dia [SA17103] Debian update for openvpn [SA17100] imapproxy "ParseBannerAndCapability" Format String Vulnerability [SA17098] Ubuntu update for ruby1.8 [SA17095] Gentoo update for dia [SA17094] Gentoo update for ruby [SA17088] HP-UX Apache mod_ssl "SSLVerifyClient" Security Bypass Security Issue [SA17087] Xloadimage NIFF Image Title Handling Buffer Overflow [SA17128] OpenVMPS Logging Functionality Format String Vulnerability [SA17106] Debian update for py2play [SA17092] Sun Java System Directory Server HTTP Admin Interface Unspecified Vulnerability [SA17180] Gentoo update for openssl [SA17178] Mandriva update for openssl [SA17169] Sun Solaris OpenSSL SSL 2.0 Rollback Vulnerability [SA17153] Red Hat update for openssl [SA17146] FreeBSD update for openssl [SA17123] Debian update for cpio [SA17118] Debian update for tcpdump [SA17101] Debian update for tcpdump [SA17114] Linux Kernel Potential Denial of Service and Information Disclosure [SA17113] Ubuntu update for shorewall [SA17112] Gentoo update for weex [SA17110] Debian update for shorewall [SA17154] Red Hat update for util-linux/mount [SA17142] Ubuntu update for cfengine [SA17131] SGI IRIX "runpriv" Arbitrary Shell Command Injection Vulnerability [SA17125] Debian update for graphviz [SA17121] Graphviz "dotty.lefty" Insecure Temporary File Creation [SA17109] Debian update for masqmail [SA17107] Mandriva update for hylafax [SA17093] Ubuntu update for texinfo [SA17141] Ubuntu update for kernel [SA17133] Sun Java Desktop System umount "-r" Re-Mounting Security Issue Other: Cross Platform: [SA17158] WebGUI Unspecified Arbitrary Code Execution Vulnerability [SA17130] Kaspersky Anti-Virus Engine CHM File Parsing Buffer Overflow [SA17174] versatileBulletinBoard Cross-Site Scripting and SQL Injection [SA17173] Zope Unspecified docutils Security 
Issue [SA17164] Sun Java System Application Server JSP Source Code Disclosure [SA17159] Xeobook Guestbook Script Insertion Vulnerability [SA17138] BEA WebLogic 24 Vulnerabilities and Security Issues [SA17137] phpMyAdmin "subform" Local File Inclusion Vulnerability [SA17134] PHP Advanced Transfer Manager HTML Upload Vulnerability [SA17115] Utopia News Pro Cross-Site Scripting and SQL Injection [SA17104] Cyphor Cross-Site Scripting and SQL Injection Vulnerabilities [SA17175] ZeroBlog "threadID" Cross-Site Scripting Vulnerability [SA17151] OpenSSL Potential SSL 2.0 Rollback Vulnerability [SA17089] Paros hsqldb Exposure of Database Content ======================================================================== 5) Vulnerabilities Content Listing Windows:-- [SA17172] Avaya Various Products Multiple Vulnerabilities Critical: Highly critical Where: From remote Impact: Privilege escalation, DoS, System access Released: 2005-10-12 Avaya has acknowledged some vulnerabilities in various products, which can be exploited by malicious, local users to gain escalated privileges, or by malicious people to cause a DoS (Denial of Service) or compromise a user's system or vulnerable system. Full Advisory: http://secunia.com/advisories/17172/ -- [SA17167] Microsoft Collaboration Data Objects Buffer Overflow Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2005-10-11 Gary O'leary-Steele has reported a vulnerability in Microsoft Windows and Microsoft Exchange 2000 Server, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/17167/ -- [SA17160] Microsoft Windows DirectShow AVI Handling Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2005-10-11 eEye Digital Security has reported a vulnerability in Microsoft Windows DirectShow, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/17160/ -- [SA17168] Microsoft Windows Shell and Web View Three Vulnerabilities Critical: Moderately critical Where: From remote Impact: System access Released: 2005-10-11 Three vulnerabilities have been reported in Microsoft Windows, allowing malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/17168/ -- [SA17163] Microsoft Windows FTP Client Filename Validation Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2005-10-11 A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/17163/ -- [SA17117] aeNovo Cross-Site Scripting and SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2005-10-10 KAPDA has reported some vulnerabilities in aeNovo, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks. Full Advisory: http://secunia.com/advisories/17117/ -- [SA17091] aspReady FAQ Manager Login SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Security Bypass, Manipulation of data Released: 2005-10-10 Preben Nyloekken has discovered a vulnerability in aspReady FAQ Manager, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/17091/ -- [SA17166] Microsoft Windows Plug-and-Play Service Arbitrary Code Execution Critical: Moderately critical Where: From local network Impact: Privilege escalation, System access Released: 2005-10-11 eEye Digital Security has reported a vulnerability in Microsoft Windows, which can be exploited by malicious, local users to gain escalated privileges, or by malicious users to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/17166/ -- [SA17165] Microsoft Windows Client Service for NetWare Buffer Overflow Critical: Moderately critical Where: From local network Impact: System access Released: 2005-10-11 A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious users, or by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/17165/ -- [SA17161] Microsoft Windows MSDTC and COM+ Vulnerabilities Critical: Moderately critical Where: From local network Impact: Privilege escalation, DoS, System access Released: 2005-10-11 Some vulnerabilities have been reported in Microsoft Windows, which can be exploited by malicious, local users to gain escalated privileges, or by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/17161/ -- [SA17136] GFI MailSecurity HTTP Management Interface Buffer Overflow Critical: Moderately critical Where: From local network Impact: DoS, System access Released: 2005-10-12 Gary O'leary-Steele has reported a vulnerability in GFI MailSecurity, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/17136/ -- [SA17096] CheckMark Payroll DUNZIP32.dll Buffer Overflow Vulnerability Critical: Less critical Where: From remote Impact: System access Released: 2005-10-12 Juha-Matti Laurio has reported a vulnerability in CheckMark Payroll, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/17096/ UNIX/Linux:-- [SA17149] Ubuntu update for mozilla-thunderbird Critical: Extremely critical Where: From remote Impact: Security Bypass, Spoofing, Manipulation of data, System access Released: 2005-10-11 Ubuntu has issued an update for mozilla-thunderbird.
This fixes some vulnerabilities, which can be exploited by malicious people to conduct spoofing attacks, manipulate certain data, bypass certain security restrictions, and compromise a user's system. Full Advisory: http://secunia.com/advisories/17149/ -- [SA17090] Red Hat update for thunderbird Critical: Extremely critical Where: From remote Impact: Security Bypass, Spoofing, Manipulation of data, System access Released: 2005-10-07 Red Hat has issued an update for thunderbird. This fixes some vulnerabilities, which can be exploited by malicious people to conduct spoofing attacks, manipulate certain data, bypass certain security restrictions, and compromise a user's system. Full Advisory: http://secunia.com/advisories/17090/ -- [SA17179] Mandriva update for xine-lib Critical: Highly critical Where: From remote Impact: System access Released: 2005-10-12 Mandriva has issued an update for xine-lib. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/17179/ -- [SA17171] Ubuntu update for koffice-libs/kword Critical: Highly critical Where: From remote Impact: System access Released: 2005-10-12 Ubuntu has issued an update for koffice-libs/kword. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/17171/ -- [SA17162] Debian update for xine-lib Critical: Highly critical Where: From remote Impact: System access Released: 2005-10-12 Debian has issued an update for xine-lib. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. 
Full Advisory: http://secunia.com/advisories/17162/ -- [SA17145] KOffice KWord RTF Importer Buffer Overflow Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2005-10-11 A vulnerability has been reported in KOffice, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/17145/ -- [SA17144] F-Secure Anti-Virus for Linux CHM File Parsing Buffer Overflow Critical: Highly critical Where: From remote Impact: System access Released: 2005-10-11 A vulnerability has been reported in F-Secure Anti-Virus for Linux, which can be exploited by malicious people to cause a DoS, or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/17144/ -- [SA17135] SGI Advanced Linux Environment Multiple Updates Critical: Highly critical Where: From remote Impact: Manipulation of data, Exposure of system information, Privilege escalation, DoS, System access Released: 2005-10-11 SGI has issued a patch for SGI Advanced Linux Environment. This fixes some vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges, or by malicious people to cause a DoS (Denial of Service), overwrite arbitrary files on a user's system, gain knowledge of various information, or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/17135/ -- [SA17132] Slackware update for xine-lib Critical: Highly critical Where: From remote Impact: System access Released: 2005-10-11 Slackware has issued an update for xine-lib. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/17132/ -- [SA17127] SUSE update for realplayer Critical: Highly critical Where: From remote Impact: System access Released: 2005-10-10 SUSE has issued an update for realplayer. 
This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/17127/ -- [SA17116] Gentoo update for realplayer / helixplayer Critical: Highly critical Where: From remote Impact: System access Released: 2005-10-10 Gentoo has issued an update for realplayer / helixplayer. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/17116/ -- [SA17111] Gentoo update for xine Critical: Highly critical Where: From remote Impact: System access Released: 2005-10-10 Gentoo has issued an update for xine-lib. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/17111/ -- [SA17102] Debian update for ethereal Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2005-10-10 Debian has issued an update for ethereal. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/17102/ -- [SA17099] xine-lib CDDB Client Format String Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2005-10-10 Ulf Harnhammar has reported a vulnerability in xine-lib, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/17099/ -- [SA17097] Ubuntu update for libxine1 Critical: Highly critical Where: From remote Impact: System access Released: 2005-10-10 Ubuntu has issued an update for libxine1. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. 
Full Advisory: http://secunia.com/advisories/17097/ -- [SA17177] Mandriva update for squid Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-10-12 Mandriva has issued an update for squid. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/17177/ -- [SA17156] Ubuntu update for sqwebmail Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2005-10-12 Ubuntu has issued an update for sqwebmail. This fixes some vulnerabilities, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/17156/ -- [SA17152] Gentoo update for uw-imap Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2005-10-11 Gentoo has issued an update for uw-imap. This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service) or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/17152/ -- [SA17148] Debian update for uw-imap Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2005-10-11 Debian has issued an update for uw-imap. This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service) or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/17148/ -- [SA17147] Red Hat update for ruby Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2005-10-12 Red Hat has issued an update for ruby. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/17147/ -- [SA17143] Fedora update for xloadimage Critical: Moderately critical Where: From remote Impact: System access Released: 2005-10-11 Fedora has issued an update for xloadimage. 
This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/17143/ -- [SA17140] Debian update for xloadimage Critical: Moderately critical Where: From remote Impact: System access Released: 2005-10-11 Debian has issued an update for xloadimage. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/17140/ -- [SA17139] Debian update for xli Critical: Moderately critical Where: From remote Impact: System access Released: 2005-10-11 Debian has issued an update for xli. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/17139/ -- [SA17129] Debian update for ruby Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2005-10-11 Debian has issued an update for ruby. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/17129/ -- [SA17124] xli NIFF Image Title Handling Buffer Overflow Critical: Moderately critical Where: From remote Impact: System access Released: 2005-10-11 A vulnerability has been reported in xli, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/17124/ -- [SA17120] Debian update for up-imapproxy Critical: Moderately critical Where: From remote Impact: System access Released: 2005-10-10 Debian has issued an update for up-imapproxy. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/17120/ -- [SA17108] Debian update for dia Critical: Moderately critical Where: From remote Impact: System access Released: 2005-10-10 Debian has issued an update for dia. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/17108/ -- [SA17103] Debian update for openvpn Critical: Moderately critical Where: From remote Impact: DoS Released: 2005-10-10 Debian has issued an update for openvpn. This fixes some vulnerabilities, which can be exploited by malicious people and users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/17103/ -- [SA17100] imapproxy "ParseBannerAndCapability" Format String Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2005-10-10 Steve Kemp has reported a vulnerability in imapproxy, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/17100/ -- [SA17098] Ubuntu update for ruby1.8 Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2005-10-10 Ubuntu has issued an update for ruby1.8. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/17098/ -- [SA17095] Gentoo update for dia Critical: Moderately critical Where: From remote Impact: System access Released: 2005-10-07 Gentoo has issued an update for dia. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/17095/ -- [SA17094] Gentoo update for ruby Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2005-10-07 Gentoo has issued an update for ruby. 
This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/17094/

--

[SA17088] HP-UX Apache mod_ssl "SSLVerifyClient" Security Bypass Security Issue
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2005-10-07

HP has acknowledged a vulnerability in Apache for HP-UX which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/17088/

--

[SA17087] Xloadimage NIFF Image Title Handling Buffer Overflow
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-10-07

Ariel Berkman has reported a vulnerability in xloadimage, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17087/

--

[SA17128] OpenVMPS Logging Functionality Format String Vulnerability
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2005-10-11

mazahaquer has reported a vulnerability in OpenVMPS, which potentially can be exploited by malicious people to cause a DoS (Denial of Service), or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17128/

--

[SA17106] Debian update for py2play
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2005-10-10

Debian has issued an update for py2play. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/17106/

--

[SA17092] Sun Java System Directory Server HTTP Admin Interface Unspecified Vulnerability
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2005-10-07

Peter Winter-Smith has reported a vulnerability in Sun Java System Directory Server, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/17092/

--

[SA17180] Gentoo update for openssl
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2005-10-12

Gentoo has issued an update for openssl. This fixes a vulnerability, which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/17180/

--

[SA17178] Mandriva update for openssl
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2005-10-12

Mandriva has issued an update for openssl. This fixes a vulnerability, which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/17178/

--

[SA17169] Sun Solaris OpenSSL SSL 2.0 Rollback Vulnerability
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2005-10-12

Sun Microsystems has acknowledged a vulnerability in Solaris, which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/17169/

--

[SA17153] Red Hat update for openssl
Critical: Less critical
Where: From remote
Impact: Security Bypass, Exposure of sensitive information, Privilege escalation
Released: 2005-10-12

Red Hat has issued an update for openssl. This fixes a vulnerability, which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/17153/

--

[SA17146] FreeBSD update for openssl
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2005-10-11

FreeBSD has issued an update for openssl. This fixes a vulnerability, which potentially can be exploited by malicious people to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/17146/

--

[SA17123] Debian update for cpio
Critical: Less critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2005-10-10

Debian has issued an update for cpio. This fixes a vulnerability, which can be exploited by malicious people to cause files to be unpacked to arbitrary locations on a user's system.

Full Advisory:
http://secunia.com/advisories/17123/

--

[SA17118] Debian update for tcpdump
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-10-10

Debian has issued an update for tcpdump. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17118/

--

[SA17101] Debian update for tcpdump
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2005-10-10

Debian has issued an update for tcpdump. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17101/

--

[SA17114] Linux Kernel Potential Denial of Service and Information Disclosure
Critical: Less critical
Where: From local network
Impact: Exposure of sensitive information, DoS
Released: 2005-10-11

Two vulnerabilities and a security issue have been reported in the Linux Kernel, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service), or by malicious people to disclose certain sensitive information.

Full Advisory:
http://secunia.com/advisories/17114/

--

[SA17113] Ubuntu update for shorewall
Critical: Less critical
Where: From local network
Impact: Security Bypass
Released: 2005-10-10

Ubuntu has issued an update for shorewall. This fixes a security issue, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/17113/

--

[SA17112] Gentoo update for weex
Critical: Less critical
Where: From local network
Impact: DoS, System access
Released: 2005-10-10

Gentoo has issued an update for weex. This fixes a vulnerability, which potentially can be exploited by malicious users to cause a DoS (Denial of Service) or to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17112/

--

[SA17110] Debian update for shorewall
Critical: Less critical
Where: From local network
Impact: Security Bypass
Released: 2005-10-10

Debian has issued an update for shorewall. This fixes a security issue, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/17110/

--

[SA17154] Red Hat update for util-linux/mount
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-12

Red Hat has issued updates for util-linux and mount. These fix a security issue, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/17154/

--

[SA17142] Ubuntu update for cfengine
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-11

Ubuntu has issued an update for cfengine. This fixes some vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/17142/

--

[SA17131] SGI IRIX "runpriv" Arbitrary Shell Command Injection Vulnerability
Critical: Less critical
Where: Local system
Impact: Security Bypass, Privilege escalation
Released: 2005-10-11

A vulnerability has been reported in IRIX, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory:
http://secunia.com/advisories/17131/

--

[SA17125] Debian update for graphviz
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-10

Debian has issued an update for graphviz. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/17125/

--

[SA17121] Graphviz "dotty.lefty" Insecure Temporary File Creation
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-10

Javier Fernandez-Sanguino Pena has reported a vulnerability in Graphviz, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/17121/

--

[SA17109] Debian update for masqmail
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-10

Debian has issued an update for masqmail. This fixes two vulnerabilities, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/17109/

--

[SA17107] Mandriva update for hylafax
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-10

Mandriva has issued an update for hylafax. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/17107/

--

[SA17093] Ubuntu update for texinfo
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-07

Ubuntu has issued an update for texinfo. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory:
http://secunia.com/advisories/17093/

--

[SA17141] Ubuntu update for kernel
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2005-10-11

Ubuntu has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users, or by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/17141/

--

[SA17133] Sun Java Desktop System umount "-r" Re-Mounting Security Issue
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2005-10-11

Sun Microsystems has acknowledged a security issue in Sun JDS (Java Desktop System) which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/17133/

Other:

Cross Platform:

--

[SA17158] WebGUI Unspecified Arbitrary Code Execution Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2005-10-12

A vulnerability has been reported in WebGUI, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/17158/

--

[SA17130] Kaspersky Anti-Virus Engine CHM File Parsing Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2005-10-11

A vulnerability has been reported in Kaspersky Anti-Virus, which can be exploited by malicious people to cause a DoS (Denial of Service), or compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/17130/

--

[SA17174] versatileBulletinBoard Cross-Site Scripting and SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of system information
Released: 2005-10-12

rgod has discovered some vulnerabilities and a security issue in versatileBulletinBoard, which can be exploited by malicious people to disclose system information, and conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17174/

--

[SA17173] Zope Unspecified docutils Security Issue
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2005-10-12

A security issue with an unknown impact has been reported in Zope.

Full Advisory:
http://secunia.com/advisories/17173/

--

[SA17164] Sun Java System Application Server JSP Source Code Disclosure
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-10-12

A vulnerability has been reported in Sun Java System Application Server, which can be exploited by malicious people to disclose certain sensitive information.

Full Advisory:
http://secunia.com/advisories/17164/

--

[SA17159] Xeobook Guestbook Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-10-12

rjonesx has discovered a vulnerability in Xeobook, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/17159/

--

[SA17138] BEA WebLogic 24 Vulnerabilities and Security Issues
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data, Brute force, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS
Released: 2005-10-11

24 vulnerabilities and security issues have been reported in WebLogic Server and WebLogic Express, where the most critical ones potentially can be exploited by malicious users to gain escalated privileges and by malicious people to conduct cross-site scripting and HTTP request smuggling attacks, cause a DoS (Denial of Service), and bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/17138/

--

[SA17137] phpMyAdmin "subform" Local File Inclusion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2005-10-11

Maksymilian Arciemowicz has discovered a vulnerability in phpMyAdmin, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/17137/

--

[SA17134] PHP Advanced Transfer Manager HTML Upload Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-10-11

Hamed Bazargani has discovered a vulnerability in PHP Advanced Transfer Manager, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/17134/

--

[SA17115] Utopia News Pro Cross-Site Scripting and SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-10-10

rgod has discovered some vulnerabilities in Utopia News Pro, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/17115/

--

[SA17104] Cyphor Cross-Site Scripting and SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2005-10-10

rgod has discovered some vulnerabilities in Cyphor, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/17104/

--

[SA17175] ZeroBlog "threadID" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2005-10-12

trueend5 has discovered a vulnerability in ZeroBlog, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/17175/

--

[SA17151] OpenSSL Potential SSL 2.0 Rollback Vulnerability
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2005-10-11

A vulnerability has been reported in OpenSSL, which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/17151/

--

[SA17089] Paros hsqldb Exposure of Database Content
Critical: Less critical
Where: From local network
Impact: Security Bypass, Exposure of sensitive information
Released: 2005-10-10

A security issue has been reported in Paros, which can be exploited by malicious people to disclose sensitive information and bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/17089/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Fri Oct 14 00:13:34 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Oct 14 00:25:14 2005
Subject: [ISN] Military foundation's website hacked
Message-ID:

http://www.koreaherald.co.kr/SITE/data/html_dir/2005/10/14/200510140034.asp

By Jin Dae-woong
2005.10.14

Personal information taken by computer hackers from the website of an organization affiliated to the Defense Ministry may have been used to aid criminal acts, the Defense Security Command said yesterday.

The Command said many attempts to hack into the website of the M.N.D Ho Guk Foundation were made during the past two months. The command said two attempts were successful - one apparently from inside Korea, the other possibly from abroad.

The foundation controls scholarships and welfare grants for soldiers' families and stores huge amounts of personal information about troops and their dependents on its database.

The command raised the possibility during initial investigations that the cyber raiders gathered information such as personal identity numbers and addresses to carry out a variety of crimes. The website is now closed to prevent additional hacking.

The government's security systems - designed to protect personal information - were gravely tested in July when information from more than 250 computers in 10 government organizations was stolen through large-scale hacking. The National Police Agency, the National Assembly, Korea Institute for Defense Analyses and USFK were among the organizations hacked.

The command has also launched an investigation into claims made by a lawmaker based on classified military information. Rep. Kwon Young-ghil, a lawmaker of the Labor Democratic Party, said Monday in a press release that South Korea and the United States agreed a war plan, code-named Operation Plan 5027-04, against North Korea in 2002. Kwon cited a classified document taken from the Security Consultative Meeting when this plan was agreed.

Defense Minister Yoon Kwang-ung said Tuesday in the wake of this disclosure that the ministry will soon launch an investigation into how the confidential information leaked out. Rep. Kwon and his secretaries have already been summoned to appear at the investigation.

From isn at c4i.org Fri Oct 14 00:13:51 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Oct 14 00:25:35 2005
Subject: [ISN] Security fix assures long election nights
Message-ID:

http://www.ajc.com/metro/content/metro/1005/13metvote.html

By RICHARD WHITT
The Atlanta Journal-Constitution
Published on: 10/13/05

Software installed to improve security in Georgia's new touch-screen voting machines has significantly slowed the process of counting ballots - and it might not get much faster for next month's municipal elections or statewide and U.S. House elections in 2006.

Although election officials believe adjustments could yet improve the speed, some local officials aren't so sure.

"We have actually taken steps backward," says Gwinnett Election Supervisor Lynn Ledford. "We may go from five or six hours [counting votes] to maybe getting results the next day."

Several metro Atlanta counties have experienced the slowdown in local elections. Last month, it took Cobb County more than four hours to count votes for a sales tax referendum - an election in which one in 10 eligible voters cast ballots and fewer than half of the county's voting machines were in use.

In June, Fulton County election officials didn't finish counting votes on the Sandy Springs referendum until nearly midnight.
And in Coweta County, counting ballots in a June special election went so slowly that election officials first thought something was wrong with the system.

Led by Secretary of State Cathy Cox, Georgia election officials began considering touch-screen voting following the debacle of the 2000 presidential election in Florida.

"The fact we now have a slight delay over what we had two years ago is, I think, a worthy trade-off for enhanced security," Cox says.

Expect long nights

Cox, who is running for governor, says county election officials are sharing information on how to speed up the process, and they hope counting will go faster as election workers become more familiar with the new system.

But some local election officials worry that a general election requiring all of their voting machines will be excruciatingly slow, particularly in larger counties.

All of this is bad news for candidates waiting for results at parties or people watching TV or scouring the Internet for returns on election night.

"The balloons won't fall ... I'd miss that," says Miranda Dillard, a registered voter and a music teacher at Paideia School in Atlanta. "I want votes to be counted correctly - we don't want a repeat of Florida - but there ought to be a balance between security and speed so we can enjoy the excitement of election night."

30 seconds per ballot

The problem can be traced to new security software, given to Georgia by Diebold Elections Systems of Ohio, which has a $54 million contract to supply the state with the touch-screen machines. The software was added to all voting machines last spring.

It encrypts the transmission of election data from precincts to county election headquarters, making electronic vote tampering, internally or externally, more difficult.

Votes from machines are now coded onto a data card. Then, those cards have to be decoded and counted by a computer before the vote is official.
Before the new security measures, computers decoded the data cards almost instantly. Now, it takes about 30 seconds to process each data card - and keep in mind, there are about 2,000 data cards used in Cobb County alone.

All of this explains why Sandy Springs residents waited - and waited - for results on that new city's incorporation vote.

"It was just a shocker for us to have that type of delay in June," says Fulton County's elections chief Cynthia Welch, who watched the painstaking process.

Speed or security?

Cox admits it's a balancing act between speed and security.

"I'm sure you will talk to people in this state who think we can never have too much security," she says. "Certainly I think this enhancement was a good thing for our machines."

Even though there hasn't been a recorded incident of fraud involving the system, some people simply don't trust it. Since touch-screen voting debuted, Cox has faced steady criticism from a small but vocal group of Georgians who say the system is vulnerable to manipulation. And several respected computer security experts have suggested the machines' software can be tampered with to change the outcome of elections.

To pacify uneasy voters, the state is considering retrofitting the machines with printers so voters could double-check their on-screen choices. Creating a paper trail could slow the vote count even more - if those ballots were used in the official count, says Cox's spokesman Chris Riggall.

Georgia is the only state that uses the Diebold machines in every precinct. Some counties and cities in other states that use Diebold machines have the enhanced security system, but others do not, says David Bear, a spokesman for Diebold.

Maryland, Ohio, Mississippi and Utah are phasing in Diebold touch-screen machines. Computer consultants in Maryland first raised security concerns, resulting in the new software.
Linda Lamone, Maryland's administrator of elections, says she's unaware of any complaints of slow vote counts during statewide elections in 2004.

In the meantime, in Georgia, the debate over speed and security continues.

Cox remains confident

Beth Kish, Cobb County's elections supervisor, says glitches were expected because of the new security software. But, she warned, we shouldn't expect quick counts in next month's municipal elections.

"Candidates are going to be frustrated," she says. "When we had optical scanners we were done in an hour or an hour-and-a-half. That will not happen again. It just won't happen."

Looking forward to next year's governor's race, Cox expects to know the outcome before midnight on election night.

"I don't think anybody is telling you it's going to be the next day," says Cox. "We are so far away from the nightmarish days of waiting for those punch cards to come in, I'm not the least bit afraid of going back to that."

Even if there is a wait, it won't bother Marietta Mayor Bill Dunaway, who is running for re-election in November.

"I'm so old I date back to the old paper ballot," says Dunaway, who is 66. "So anything is faster than what I grew up with."

From isn at c4i.org Fri Oct 14 00:14:05 2005
From: isn at c4i.org (InfoSec News)
Date: Fri Oct 14 00:26:05 2005
Subject: [ISN] Staff 'need reasons' to believe in security
Message-ID:

http://www.zdnet.com.au/news/security/soa/Staff_need_reasons_to_believe_in_security/0,2000061744,39217156,00.htm

By Tom Espiner
ZDNet UK
14 October 2005

Companies must ensure that their staff understand the reasons behind security policies and support them, rather than just dictating them from on high, a government consultant said at Secure London 2005 on Tuesday.

Paul Hansford, class consultant for GCHQ and senior consultant at Insight Consulting, said that many security procedures fail because staff don't understand what their company is trying to do.
"It is not enough to get staff to literally 'sign up' to procedures -- they must fully appreciate their purpose," he said.

He recalled an apocryphal story illustrating the point: "A colleague went into a government agency and at one cluster of desks saw a line of 'bobbing bird' toys. The system locked out the user if they didn't touch the keyboard for a certain length of time, and required them to re-input their password. The 'bobbing birds' were lined up next to everyone's computer so that they would tap the 'enter' key every 30 seconds."

The underlying beliefs of staff can be at odds with security policy, he said.

"People tend to have a 'What's in it for me?' attitude. For example, some people may feel that it's fine to share passwords if it makes the business tick over, their attitude being that business is more important than security," Hansford said.

"Companies need to assess people's security training needs, which includes having to elicit how security 'aware' they are," he said. "Awareness is not just about education and training, but is also an appreciation of, and a motivation to support, an issue."

An IBM security expert emphasised the need to monitor personnel to maintain security levels.

"Personnel security is not just about initially screening and vetting employees, but it's also about monitoring the guy who might have personal problems," said Julian Lander, IT security programme manager with IBM. "If their work performance isn't right, they may be involved in drug or alcohol abuse, or if they have an overelaborate lifestyle -- which I've seen in the past -- that can indicate possible security problems."

Lander argued that security procedures need to recognise the human factor.

"Security is about people. Speaking generally, the way to address the problem is by coaching, mentoring or counselling -- all the soft skills that HR has. You have to work with HR to maintain a successful security policy," Lander said.
According to Hansford, security standards become harder to maintain as more staff work remotely - noting that more than half of all UK businesses currently allow staff remote access.

"As more staff work remotely, physical security is difficult to achieve. At the end of the day (employers and security professionals) won't be there, so procedural security needs to be got right," he said.

From isn at c4i.org Mon Oct 17 00:01:59 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 17 00:11:47 2005
Subject: [ISN] Critical Windows patch may wreak PC havoc
Message-ID:

http://news.com.com/Critical+Windows+patch+may+wreak+PC+havoc/2100-1002_3-5896041.html

By Joris Evers
Staff Writer, CNET News.com
October 14, 2005

A Microsoft patch meant to fix critical security flaws in Windows 2000, Windows XP and Windows Server 2003 is causing trouble for some users, the company said Friday.

The patch was released Tuesday to fix four Windows flaws, including one that experts predict will be exploited by a worm in the coming days. The flaw, tagged "critical" by Microsoft, lies in a Windows component for transaction processing called the Microsoft Distributed Transaction Coordinator, or MSDTC.

Installing the patch can cause serious problems, Microsoft said in an advisory posted to its Web site Friday. The patch could lock users out of their PC, prevent the Windows Firewall from starting, block certain applications from running or installing, and empty the network connections folder, among other things, the software maker said.

The trouble appears to occur only when default permission settings on a Windows directory have been changed, according to Microsoft. The software maker has received "limited reports" of problems from customers but is still investigating the issue, a representative said.

Even if users experience PC trouble after installing the patch, they will still be protected against any attack exploiting the Windows flaw, a Microsoft representative said.
The patch was delivered with Microsoft security bulletin MS05-051.

To resolve any problems caused by the MS05-051 patch, users should restore the default permissions for the Windows folder and the COM+ catalog. A guide is available on the Microsoft Web site, and steps start with changing the permissions on the "registration" folder in the Windows directory.

From isn at c4i.org Mon Oct 17 00:03:58 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 17 00:13:32 2005
Subject: [ISN] Lock-picking club feels responsibility is key
Message-ID:

http://www.utdmercury.com/media/paper691/news/2005/10/17/News/LockPicking.Club.Feels.Responsibility.Is.Key-1022034.shtml

By Roman Starsky
October 17, 2005

After he was denied permission to start a lock-picking club in high school, electrical engineering freshman Doug Farre decided to try his luck at UTD.

"When I came to UTD, I toyed with the idea again and started talking to my roommates about it. They agreed that it was a good idea, we started collaborating, and things took off from there," Farre said.

Within the first two weeks of the semester, Farre's club received official approval and sponsorship from Brian Berry, dean of social sciences.

"I had convinced myself there was no way the university would let me have the club. I was prepared to fight for it, but when the time came and they told me it was approved, I was very excited," Farre said.

Farre created an outline of club activities and set new member dues, which cover a personal lock-picking kit, at $20.

"The name says it all. We will be picking locks. We hope to have competitions, guest speakers and learn a lot about bypassing locks," Farre said.

Farre said many students expressed an interest in his organization, and the club currently boasts 30 lock pickers and 30 more potential members who have expressed interest in the club.

"Lots of different people decided to join. Members have a love for technology and are not the type of people that are going to give up an opportunity to learn something as intriguing as lock picking. We also have many girl members," Farre said.

Farre envisions the Lock Picking Club as doing more than just teaching members to pick locks.

"I think that having the Lock Picking Club on campus will get people involved who aren't normally involved in other activities. It also gives people a chance to learn an extremely important skill and educates people so they aren't ignorant about their surroundings," Farre said.

Despite Farre's enthusiasm, several Waterview Park residents have complained about the potential privacy risks associated with having an organized lock-picking group.

"While I can see how the club may be a good thing, I can definitely see how this can be a security risk too," psychology freshman Mayra Artega said.

Farre argues that only irresponsible lock pickers present a danger to residents' privacy. According to Farre, lock picking should be allowed if jujitsu, which teaches deadly combat techniques, is permissible.

"I don't think there is anything to fear. Anyone can buy lock picks and use them for criminal purposes. All Lock Picking Club members are required to sign a code of ethics and will be made aware of the responsibilities that go along with being a member of our organization," Farre said.

The club plans to hold its first meeting on Oct. 4 from 6-7 p.m., followed by another meeting on Oct. 5 from 7-8 for those unable to attend the first meeting. The location has not been determined.

"The club will meet twice a week, so members will be able to attend at least one meeting. The meetings will be on Tuesdays from 6-7 p.m. and on Wednesdays from 7-8 p.m. bi-weekly," Farre said.

Eventually, Farre said he hopes the Lock Picking Club will grow enough to offer services to UTD.
"We hope to offer a discounted locksmithing service to the university for people locked out of their apartments and cars," Farre said. While previous lock-picking clubs at UTD failed long before they could offer an organized service to UTD students, Farre claims this club is going to be different. "I can guarantee that the new Lock Picking Club is going to be much bigger and better," Farre said. From isn at c4i.org Mon Oct 17 00:04:23 2005 From: isn at c4i.org (InfoSec News) Date: Mon Oct 17 00:14:04 2005 Subject: [ISN] Interview: Fyodor Message-ID: http://www.whitedust.net/article/41/Interview:_Fyodor/ By Mark Hinge and Peter Prickett 17 Oct 2005 WD> What first drew you into the world of computing? My father is a hobbyist programmer, so I grew up with computers. In the early days I used an Apple ][ and Vic-20. By the time I really learned how to program, we had a PC XT. I thought DOS was cool, so UNIX really blew my mind when I discovered it in high school. That was where I got into security, too, as my friend David and I had shell accounts on the same ISP and would continually hack each others' accounts :). WD> Why did you create Nmap? [1] In The Cathedral and the Bazaar [2], Eric Raymond notes that 'every good work of software starts by scratching a developer's personal itch.' That was certainly my motivation for creating Nmap. I had a whole directory of scanners, including Julian Assange's Strobe, the reflscan SYN scanner, the UDP scanner from SATAN, a FIN scanner from Uriel Maimon, and many more. They all have very different options and limitations. I would want to use one scanner with an option from another. So initially I made my own modified versions of each scanner. Eventually, I decided the best approach was to create my own scanner from scratch. It would support all of the major scan types while being fast and efficient against large networks. Thus, Nmap was born. 
I used it myself for a while, and then released it to the public in a 1997 Phrack Article [3]. I hoped people would find it useful, but considered the project 'done' at that point and was ready to move on to new things. So much for that! I was overwhelmed with the response to Nmap, with so many people sending improvements that I released a new version. That cycle has continued for more than 8 years now :).

WD> Have you ever been concerned that Nmap is used for blackhat purposes?

I doubt that Nmap has ever been used for blackhat purposes. OK, maybe once or twice :). But seriously -- there is no way I can write a program that allows you to audit your own networks for security risks without also enabling bad guys to do the same. And trying to limit distribution to only 'good guys' is a lost cause. I believe that on balance, Nmap is a major net benefit to Internet security. If that ever becomes untrue, I will cease development.

Another tool I have written is an advanced denial of service utility named Ndos, which I have used effectively to briefly disable the web presence of major corporations (at their request and under controlled circumstances). I have not publicly released Ndos because I fear that it would be used more for abuse than for constructive purposes.

WD> Your most famous piece of software is, obviously, Nmap. What other pieces of software have you created? How successful have they been?

I used to work for an Internet startup company, which was purchased by Netscape, which was then purchased by AOL, which then merged with Time Warner. Phew! I created (and helped create) a number of popular online applications during that period, though none are really relevant to the security community.

Most of the time I write something new, I try to architect it so that it fits into Nmap. For example, OS detection [4] and version detection [5] could easily be standalone applications, but I decided to build them into Nmap instead.
This summer, Google generously agreed to sponsor 10 student Nmap developers [6] as part of their Summer of Code program. One of the most exciting projects is Ncat by Chris Gibson. This is a reinvention of Ncat with cool features such as IPv6, better portability and documentation, connection encryption and authentication, inetd-like capability to spawn multiple concurrent applications, connection redirection, and more. One neat feature is connection brokering, which allows multiple hosts behind NAT gateways to communicate with each other through a centralized Ncat server. It shares a lot of code I wrote for Nmap, including the Nsock and Nbase portable networking libraries.

Other interesting Summer of Code projects include:

* Doug Hoyte nearly tripled the size of the version detection database and added OS/device type/hostname detection to the system. The database now contains about 3,000 entries for more than 350 service protocols (X11, SNMP, SMTP, etc.)

* Zhao Lei added more than 350 OS detection fingerprints to Nmap [7], bringing the total to 1684. He also helped design a 2nd generation OS detection (stack fingerprinting) system

* Adriano Monteiro designed and implemented an advanced Nmap GUI and results viewer named UMIT [8] (screenshots) [9].

* Ole Morten Grodaas designed and implemented another advanced Nmap GUI and results viewer (it's nice to have choices in open source!) named NmapGUI. Further details and download links are here [10].

It is worth noting that these GUIs aren't simple wrapper scripts for people who have trouble remembering Nmap command-line options. They offer powerful features for visualizing and searching large scan results. While the program is over, all of these developers have continued active development to improve their projects, which aren't yet fully polished and debugged.
People interested in helping with development and testing of these or any other Nmap-related projects are encouraged to join the nmap-dev [11] (high volume, unmoderated) and nmap-hackers [12] (low volume announcements) lists.

WD> How long did Exploit World [13] run for? What were its aims? What caused it to come to an end?

I launched Exploit World in 1995 and updated it regularly until the summer of 1998. The aim was to catalog vulnerabilities in a full-disclosure manner that includes bug details and even exploits. This was another 'scratch an itch' project -- I kept such a database for my own purposes anyway, so I decided to put it up online so everyone could benefit from it. While the exploits are all ancient, the site is still pretty popular because it is the first Google hit for various phrases such as 'ping of death'.

The problem, as so many exploit and vulnerability archives have learned over the years, is that maintenance is hard and tedious work. As the Nmap project grew to take up most of my time, I lost the motivation to continue with Exploit World. Plus, there were other good archives by that point in time and so redirecting the effort to Nmap was more useful.

WD> We have been asking the question is hacking an art or a science? What is your opinion?

The question makes it sound like these are exclusive. Science can be creative and beautiful like art. Also, the term 'hacking' is overburdened with meanings. But I'll try to answer anyway. I consider programming and vulnerability research and exploitation to be more science/engineering than art. You are drawing upon a large base of knowledge and using a methodology to achieve a desired practical and verifiable result (such as busting root). That is not to say that hacking is pure methodology that could be reproduced by a robot or shell script. True breakthroughs usually require great creativity. But this also is true of biology, chemistry and just about any other science.
My major in college was molecular and cellular biology until I switched it to computer science, and there were many parallels.

WD> On your site you claim 'there are aspects of the hacker community that disgust me', can you give us examples?

I hate to see people out there causing wanton damage just for attention. Compromising some school network just so that you can delete their web pages and post some self-aggrandizing rant about how skilled you are and how dumb the admin must be does not help make the world a better place. Such antics won't impress anyone worth impressing either.

Illegal activity motivated by money is at least as bad. I hate to see security tools and information misused for spamming, propagating worms, extortion, etc. One of the Google SoC applicants listed on his resume that 'I am the leader of small programming band that developes ... email retrive application (from sites, newsgroups, brut force selection) for spam distribution'. WTF? Since when is that something to be proud of? I'm not saying that these people are part of the hacker community per se, but they are often using some of our tools and techniques.

While conducting illegal/hurtful activity for money makes my blood boil, I'm not anti-capitalist. Sourcefire was recently acquired for $225,000,000, and I say good for them! Especially if they keep their commitment to continue GPL Snort development.

WD> How do you feel about Tenable's announcement [14] that Nessus 3 will be closed source?

I am disappointed by that move, as I feel that source code availability is critical for trusting important security tools. Nessus' open source nature was one of its biggest advantages over a myriad of commercial competitors. Heck -- their official slogan was 'the open-source vulnerability scanner' until this month. This leaves a vacuum in the security community for a new open source vulnerability scanner (or fork of Nessus 2.2).
Several groups (Gnessus, Sussen, Porz-Wahn [15]) have stepped up to the plate in launching these forks, and I hope that at least one of them succeeds.

One of Tenable's justifications for closing the Nessus source was that few people contributed. It is easy to take the open source tools we depend on for granted, and forget that open source is a two way street. The bazaar software model doesn't work so well with everyone taking and not contributing back. In my Nessus response [16], I suggest a few ways that programmers and non-programmers can support projects they use and enjoy. Rather than mope over the loss of open source Nessus, we can treat this as a call to action and a reminder not to take valuable open source software such as Ethereal, DSniff, Ettercap, gcc, emacs, apache, OpenBSD, and Linux for granted.

Note that I have no plans to change the license for Nmap. It has been distributed under the GPL for more than eight years and I am happy with that license.

WD> Do you consider yourself to be a hacker?

Yes.

WD> In order to be a hacker do you need to be part of the 'scene'?

Absolutely not. Some of the smartest guys I know are your stereotypical anti-social nerds that spend all of their time hacking, driven by an insatiable passion for technology. Yet they don't care for attention, recognition, or the whole social scene. That doesn't make them any less of a hacker.

WD> Do you know Tony Watson?

Yes. I live in Palo Alto, a few miles from Google's headquarters in Mountain View. While Google has screwed up the already obscenely high housing values around here by minting so many millionaires, a side benefit is that they have recruited many great security minds from around the world. Niels Provos, Paul (Tony) Watson, 0100, and other cool hackers now call the area home. While I'm glad that Tony moved here, I'd known him previously from his CanSecWest appearances.
Speaking of Tony, I hear that he gave a great interview for Whitedust [17] :) [Yeah, we really liked talking to him; he's one cool cat :) -psg]

WD> Do you have a day job?

I work for my own company, Insecure.Com LLC. The primary business is licensing Nmap technology for inclusion in commercial products. Companies are welcome to use Nmap for free if they comply with the GPL (make their product open source), but those wanting to use Nmap in proprietary products must pay a license fee. This allows me to work on Nmap full time. It also benefits users of those proprietary tools, which are often specialized for different purposes than Nmap. The code these companies get is exactly the same as GPL Nmap.

I also do some pen-testing and vulnerability assessment gigs, though I'm too busy to take on new clients for the next year or so.

WD> You co-authored a best selling book last year named Stealing the Network: How to Own a Continent. What is it about?

This was an exciting project because it is hacker fiction, as opposed to the technical documentation that I usually write. I teamed up with FX, Joe Grand, Kevin Mitnick, Ryan Russell, Jay Beale and several other hackers to write individual stories that combine to describe a massive electronic financial heist. Unlike your average Hollywood portrayal (Swordfish, Hackers, The Net, etc.), we portrayed realistic attacks and technology. For example, my character Sendai uses Nmap, Hping2, Ndos, and similar tools to exploit network configuration and software vulnerabilities commonly found in the wild. Syngress (the publisher) was cool enough to let me post my chapter online for free [18].

I am also working on a book on network scanning with Nmap. I only have a couple chapters left to draft, though the editing and publishing phase will take months.
[1] http://www.insecure.org/nmap/p51-11.txt
[2] http://www.catb.org/~esr/writings/cathedral-bazaar/cathedral-bazaar/
[3] http://www.insecure.org/nmap/p51-11.txt
[4] http://www.insecure.org/nmap/nmap-fingerprinting-article.html
[5] http://www.insecure.org/nmap/versionscan.html
[6] http://seclists.org/lists/nmap-hackers/2005/Jul-Sep/0000.html
[7] http://seclists.org/lists/nmap-hackers/2005/Jul-Sep/0002.html
[8] http://sourceforge.net/projects/umit
[9] http://umit.sourceforge.net/screenshots/umit_pics/
[10] http://seclists.org/lists/nmap-dev/2005/Jul-Sep/0125.html
[11] http://cgi.insecure.org/mailman/listinfo/nmap-dev
[12] http://cgi.insecure.org/mailman/listinfo/nmap-hackers
[13] http://www.insecure.org/sploits.html
[14] http://mail.nessus.org/pipermail/nessus/2005-October/msg00035.html
[15] http://www.gnessus.org/
[15] http://sussen.sourceforge.net/
[15] http://porz-wahn.berlios.de/homepage/about.php
[16] http://seclists.org/lists/nmap-hackers/2005/Oct-Dec/0000.html
[17] http://www.whitedust.net/article/31/Interview:_Paul_Watson/
[18] http://www.insecure.org/stc/

From isn at c4i.org Mon Oct 17 00:04:38 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 17 00:14:35 2005
Subject: [ISN] Incredulous ranking: 'Adbots' love Princeton
Message-ID:

http://www.zwire.com/site/news.cfm?newsid=15387510&BRD=1091&PAG=461&dept_id=425695&r

By: George Spohr
Business Editor
10/14/2005

Talk about a dubious honor.

In its most recent "Security Update" report, Symantec - a provider of anti-virus software - lists Princeton as the hemisphere's most "adbot"-ridden city.

The company said it traced 17 percent of adbot attacks in the Americas to computers in the Princetons. That number is so high, it makes the second- and third-place cities in North and South America - New York and Sao Paulo, Brazil - look like also-rans. Both cities played host to 3 percent of adbot attacks in the Americas, Symantec said.
When all continents are taken into consideration, Princeton is the second-most adbot-ridden city, with 7 percent of all adbot attacks being traced here. Cambridge, in the United Kingdom, topped the list at 8 percent. New York was in 12th place, credited with just 1 percent of the world's attacks.

Adbots, short for "advertisement-driven robots," are programs that are covertly installed on your computer, allowing hackers to remotely control it for a wide variety of malicious purposes, said Brian Watkins, a Symantec spokesman. The end result sometimes is referred to as a "payload."

Attackers often command large groups of bot-controlled systems known as bot networks, Mr. Watkins explained. Those networks, which often are available for rent by Internet thieves, can be used to conduct coordinated attacks.

College networks are particularly vulnerable.

"As Princeton University is located there, Symantec believes that this may be related to the beginning of a new school year," the company said in explaining Princeton's rank.

But that explanation - indeed, the very findings themselves - are baffling, said Anthony Scaturro, Princeton University's IT security officer.

"The report stated that the city of Princeton has the second-largest bot population - 7 percent of the world's bots, to be exact," Mr. Scaturro said. "All of New York City, with its 8 million-plus population, paled at a mere 1 percent. Clearly, with results such as these, the credibility of the Symantec report is questionable."

The report's methodology also leaves much to be desired, he said.

Symantec traces the origin of adbots by examining the bits of identifying data that attach themselves to whatever kind of file the bots produce - an e-mail message, a Web page or malicious piece of software. When you receive an e-mail, for example, a quick check of the message's "header" can tell you the general area from which the e-mail was sent.

"In today's modern attacks, the source of many attacks is forged," Mr. Scaturro explained. "So if the hacker programmed in the address of a Princeton computer in the bot program, when it spreads to a million computers and they start sending out their payload, it will appear that all of the attacking computers are from Princeton, even though 50 are in Tokyo, 100 are in Los Angeles, three are in Vermont, et cetera."

That Symantec, which - perhaps ironically - is the provider of computer security software for all Princeton University faculty, staff and student computers, would publish this report without mentioning its questionable methodology is surprising, Mr. Scaturro said.

Mr. Scaturro said the university has taken a multi-pronged approach to protecting those computers from worms, viruses and adbots by:

* Being an early adopter of technology that examines the network traffic going to and from the Internet on the campus. "Any piece of network traffic that appears to carry a destructive virus or worm is blocked - both coming into the campus and going out to the Internet," Mr. Scaturro said.

* Using firewall technology to protect critical devices.

* Constantly monitoring for the latest security-related updates from computer vendors.

* Communicating with the campus about the importance of using strong passwords and installing anti-virus and anti-spyware software.

"I am very proud of the technical staff that we have at Princeton University and have personally never worked with a team that has been more security aware," Mr. Scaturro said. "Their efforts in setting up and maintaining our systems in a secure manner and ensuring that any offending computer is removed from the network as soon as it is detected are the primary reason that we do not see a lot of attack traffic exiting our network."
From isn at c4i.org Mon Oct 17 00:04:53 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 17 00:14:57 2005
Subject: [ISN] FBI puts stop to spam king
Message-ID:

http://www.detnews.com/2005/technology/0510/16/B01-349738.htm

By Joel Kurth and David Shepardson
The Detroit News
October 16, 2005

Michigan's unapologetic king of bulk e-mail is in trouble again. This time, an FBI raid has closed what some consider one of the world's largest houses of spam.

Warrants unsealed last week revealed that agents in September seized computers, laptops, financial records and disks from the 8,000-square-foot home of Alan M. Ralsky. The $750,000 West Bloomfield mini-mansion was built off profits from the 100 million electronic offers for everything from Botox to mortgages that Ralsky sends every day.

FBI agents even took a copy of a 2002 Detroit News story that called Ralsky the "poster boy for spam."

"We're out of business at this point in time," Ralsky said last week. "They didn't shut us down. They took all our equipment, which had the effect of shutting us down."

The raid is the latest episode in a cat-and-mouse game between anti-spammers and Ralsky, 60, a gregarious, heavy-smoking ex-convict considered Public Enemy No. 1 in some pockets of the Internet.

In 2002, Ralsky agreed to an undisclosed cash settlement to end a landmark lawsuit from Verizon Internet Services, which alleged he twice paralyzed its network in 2000 with his pitches for diet pills, vacations and such. The deal forbade Ralsky's companies from sending spam on its networks.

Last year, Michigan lawmakers passed legislation that allows parents to put their children's e-mail addresses on do-not-spam lists. Even though he insists he doesn't target kids, Ralsky was an inspiration for the bills.

"Michigan has been called a cesspool for Internet spam, and Ralsky is recognized as one of the worst," said the bills' sponsor, Sen. Mike Bishop, R-Rochester. "I've been waiting for this moment. I knew it was a matter of time before the law caught up to him."

Terry Berg, the top deputy in the U.S. Attorney's Detroit office, declined to comment on the probe. The home of Ralsky's son-in-law, Scott Bradley, also of West Bloomfield, was also raided in September.

The federal CAN-SPAM law that took effect last year tries to make spammers play fair. It bans tricks, such as misleading subject lines or e-mails that appear to be from friends. Commercial e-mail must be clearly identified as such, and must label porn pitches as "sexually explicit." The law also forbids spammers from using multiple e-mail addresses or domain names to camouflage their identities. Penalties include up to 20 years' imprisonment and an $11,000 fine per offense.

Warrants show FBI agents sought evidence Ralsky and Bradley sent commercial e-mail using at least 14 domain names.

"I'm not a spammer," Ralsky said. "I'm a commercial e-mailer."

Ralsky spent "tens of thousands of dollars" on software to comply with the law, said Philip Kushner, his Cleveland lawyer.

"Alan Ralsky believes he's complied with the laws," Kushner said. "These are new laws that, in some cases, have never been interpreted by any courts or used before."

During previous discussions with The News, Ralsky called bulk e-mail "the greatest business in the world." It's revived his life and won him many foes.

A former insurance agent who made $500,000 a year in the 1980s, Ralsky hit the skids in the 1990s. He lost his license in Illinois, declared bankruptcy and served three years' probation on a felony related to falsified bank records.

In the late 1990s, Ralsky sold his used car, bought two computers and reinvented himself on the Internet. He makes money sending bulk e-mail on behalf of clients selling products or services -- a gig he's said puts small merchants on equal footing with giant companies.

As he's become more outspoken, Ralsky claims he's received numerous death threats.
A few years ago, Ralsky was deluged with hundreds of unwanted magazines at his house, after anti-spammers signed him up for subscriptions.

"Ralsky is quite public about his activities," said Lih-Tah Wong, president of Computer Mail Services, a Southfield company that sells anti-spam software to companies. "For every one like Ralsky, there are thousands of others who are hiding in the shadows and scurrying away like cockroaches when the light is shone upon them."

A recent study by the research firm International Data Corp. predicted spam would increase to 7.6 trillion messages this year from 4.5 trillion in 2003.

The investigation by the FBI's cyber crimes unit is one of several ongoing in Michigan. None has come to trial.

John Mozena, a Grosse Pointe Woods anti-spam activist, said the weak law only allows authorities to crack down on the "most egregious" spammers. He said he helped FBI agents with technical expertise before the Ralsky raid.

You can reach Joel Kurth at (313) 222-2610 or jkurth at detnews.com

From isn at c4i.org Mon Oct 17 00:05:50 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 17 00:15:33 2005
Subject: [ISN] Linux Advisory Watch - October 14th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|  October 14th, 2005                        Volume 6, Number 42a     |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                   Benjamin D. Thomas
                dave@linuxsecurity.com        ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for mason, cpio, dia, masqmail, shorewall, tcpdump, openvpn, up-imapproxy, ethereal, weex, py2play, graphviz, xloadimage, xli, xine-lib, hylafax, Ruby, SVG, helix player, uw-imap, openssl, thunderbird, binutils, and libuser.
The distributors include Debian, Gentoo, and Red Hat.

---

System Accounting
By: Dave Wreski

It is very important that the information that comes from syslog not be compromised. Making the files in /var/log readable and writable by only a limited number of users is a good start.

Be sure to keep an eye on what gets written there, especially under the auth facility. Multiple login failures, for example, can indicate an attempted break-in.

Where to look for your log file will depend on your distribution. In a Linux system that conforms to the "Linux Filesystem Standard", such as Red Hat, you will want to look in /var/log and check messages, mail.log, and others.

You can find out where your distribution is logging to by looking at your /etc/syslog.conf file. This is the file that tells syslogd (the system logging daemon) where to log various messages.

You might also want to configure your log-rotating script or daemon to keep logs around longer so you have time to examine them. Take a look at the logrotate package on recent Red Hat distributions. Other distributions likely have a similar process.

If your log files have been tampered with, see if you can determine when the tampering started, and what sort of things appeared to be tampered with. Are there large periods of time that cannot be accounted for? Checking backup tapes (if you have any) for untampered log files is a good idea.

Intruders typically modify log files in order to cover their tracks, but they should still be checked for strange happenings. You may notice the intruder attempting to gain entrance, or exploit a program in order to obtain the root account. You might see log entries before the intruder has time to modify them.

You should also be sure to separate the auth facility from other log data, including attempts to switch users using su, login attempts, and other user accounting information. If possible, configure syslog to send a copy of the most important data to a secure system.
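The auth separation and off-box copy just described, worked through as an added example that is not part of the newsletter or of the Linux Security HOWTO it points to: a sysklogd-style syslog.conf fragment that keeps auth/authpriv in its own file and forwards a copy with the @ operator, a check that the forwarding is really configured, and the "multiple login failures" check run over a few auth log lines. The host name loghost, the addresses and the log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the newsletter: a syslog.conf fragment that keeps
# the auth facility in its own file and forwards a copy to a separate log host
# with the '@' operator, plus two small checks a log reader can run over the
# resulting auth log. The host name "loghost", the addresses and the log lines
# below are constructed for the example.

# Classic sysklogd-style syslog.conf fragment (check your distribution's
# syslog.conf man page for its exact dialect). auth/authpriv messages go to
# auth.log and are kept out of messages; a copy of them, and of everything at
# info or above, goes to the remote host "loghost" so an intruder on this box
# cannot erase the only record of his login attempts.
SYSLOG_CONF_FRAGMENT='
auth,authpriv.*              /var/log/auth.log
*.info;auth,authpriv.none    -/var/log/messages
auth,authpriv.*              @loghost
*.info                       @loghost
'

# remote_log_hosts: read a syslog.conf on stdin and print each remote host it
# forwards to (an action field starting with '@'), one per line. Use it to
# verify that forwarding is still configured after an edit.
remote_log_hosts() {
    awk 'NF >= 2 && $1 !~ /^#/ && $NF ~ /^@/ { sub(/^@/, "", $NF); print $NF }' | sort -u
}

# Constructed sample auth log (sshd and su lines): three failures from one
# address, one failure and one success from another, and one failed su.
SAMPLE_AUTH_LOG='Oct 14 03:12:01 web1 sshd[2100]: Failed password for root from 203.0.113.7 port 4412 ssh2
Oct 14 03:12:04 web1 sshd[2100]: Failed password for root from 203.0.113.7 port 4412 ssh2
Oct 14 03:12:08 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 4420 ssh2
Oct 14 03:15:22 web1 sshd[2110]: Failed password for alice from 198.51.100.4 port 51022 ssh2
Oct 14 03:16:01 web1 sshd[2112]: Accepted publickey for alice from 198.51.100.4 port 51030 ssh2
Oct 14 03:20:45 web1 su[2130]: FAILED su for root by bob'

# failed_login_hosts THRESHOLD: read auth log lines on stdin and print
# "<count> <address>" for every source address with at least THRESHOLD
# failed password attempts, most frequent first (default threshold 3).
failed_login_hosts() {
    awk -v t="${1:-3}" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (h in n) if (n[h] >= t) printf "%d %s\n", n[h], h }
    ' | sort -rn
}

# su_failures: print "<count> <user>" for failed su attempts per calling user,
# the "attempts to switch users using su" the article says to watch.
su_failures() {
    awk '
        /su\[[0-9]+\]: FAILED su/ {
            for (i = 1; i <= NF; i++) if ($i == "by") n[$(i + 1)]++
        }
        END { for (u in n) printf "%d %s\n", n[u], u }
    ' | sort -rn
}

# Run directly, this prints the forwarding targets, the addresses with three or
# more failed passwords, and the users with failed su attempts.
printf '%s\n' "$SYSLOG_CONF_FRAGMENT" | remote_log_hosts
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_login_hosts 3
printf '%s\n' "$SAMPLE_AUTH_LOG" | su_failures
```

On a real system the two checks would read /var/log/auth.log (or wherever your syslog.conf sends the auth facility) instead of the constructed sample, and the remote_log_hosts output is worth comparing against the copy kept on the log host itself: if the two disagree, the local file is the one to distrust.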
This will prevent an intruder from covering his tracks by deleting his login/su/ftp/etc attempts. See the syslog.conf man page, and refer to the @ option. Finally, log files are much less useful when no one is reading them. Take some time out every once in a while to look over your log files, and get a feeling for what they look like on a normal day. Knowing this can help make unusual things stand out. Read more from the Linux Security Howto: http://www.linuxsecurity.com/docs/LDP/Security-HOWTO/ ---------------------- Linux File & Directory Permissions Mistakes One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com. http://www.linuxsecurity.com/content/view/119415/49/ --- Buffer Overflow Basics A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. http://www.linuxsecurity.com/content/view/119087/49/ --- Review: The Book of Postfix: State-of-the-Art Message Transport I was very impressed with "The Book of Postfix" by authors Ralf Hildebrandt and Pattrick Koetter and feel that it is an incredible Postfix reference. It gives a great overall view of the operation and management of Postfix in an extremely systematic and practical format. It flows in a logical manner, is easy to follow and the authors did a great job of explaining topics with attention paid to real world applications and how to avoid many of the associated pitfalls. 
I am happy to have this reference in my collection. http://www.linuxsecurity.com/content/view/119027/49/ -------- --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------------------+ | Distribution: Debian | ----------------------------// +---------------------------------+ * Debian: New mason packages fix missing init script 6th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120537 * Debian: New cpio packages fix several vulnerabilities 7th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120548 * Debian: New dia packages fix arbitrary code execution 8th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120550 * Debian: New masqmail packages fix several vulnerabilities 8th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120551 * Debian: New shorewall packages fix firewall bypass 8th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120552 * Debian: New tcpdump packages fix denial of service 9th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120555 * Debian: New openvpn packages fix denial of service 9th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120556 * Debian: New up-imapproxy packages fix arbitrary code execution 9th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120557 * Debian: New ethereal packages fix several vulnerabilities 9th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120558 * Debian: New tcpdump packages fix denial of service 9th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120559 * Debian: New weex packages fix arbitrary code execution 10th, October, 2005 Updated package. 
http://www.linuxsecurity.com/content/view/120561 * Debian: New py2play packages fix arbitrary code execution 10th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120562 * Debian: New graphviz packages fix insecure temporary file 10th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120563 * Debian: New xloadimage packages fix arbitrary code execution 10th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120568 * Debian: New xli packages fix arbitrary code execution 10th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120570 * Debian: New Ruby packages fix safety bypass 11th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120571 * Debian: New uw-imap packages fix arbitrary code execution 11th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120572 * Debian: New Ruby 1.6 packages fix safety bypass 11th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120573 * Debian: New xine-lib packages fix arbitrary code execution 12th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120583 * Debian: New Ruby 1.8 packages fix safety bypass 13th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120589 * Debian: New hylafax packages fix insecure temporary files 13th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120590 +---------------------------------+ | Distribution: Gentoo | ----------------------------// +---------------------------------+ * Gentoo: Ruby Security bypass vulnerability 6th, October, 2005 Ruby is vulnerable to a security bypass of the safe level mechanism. http://www.linuxsecurity.com/content/view/120539 * Gentoo: Dia Arbitrary code execution through SVG import 6th, October, 2005 Improperly sanitised data in Dia allows remote attackers to execute arbitrary code. 
  http://www.linuxsecurity.com/content/view/120540

* Gentoo: RealPlayer, Helix Player Format string vulnerability
  7th, October, 2005
  RealPlayer and Helix Player are vulnerable to a format string
  vulnerability resulting in the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/120549

* Gentoo: xine-lib Format string vulnerability
  8th, October, 2005
  xine-lib contains a format string error in CDDB response handling
  that may be exploited to execute arbitrary code.
  http://www.linuxsecurity.com/content/view/120553

* Gentoo: Weex Format string vulnerability
  8th, October, 2005
  Weex contains a format string error that may be exploited by
  malicious servers to execute arbitrary code.
  http://www.linuxsecurity.com/content/view/120554

* Gentoo: uw-imap Remote buffer overflow
  11th, October, 2005
  uw-imap is vulnerable to remote overflow of a buffer in the IMAP
  server leading to execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/120575

* Gentoo: OpenSSL SSL 2.0 protocol rollback
  12th, October, 2005
  When using a specific option, OpenSSL can be forced to fallback to
  the less secure SSL 2.0 protocol.
  http://www.linuxsecurity.com/content/view/120586

* RedHat: Important: thunderbird security update
  6th, October, 2005
  An updated thunderbird package that fixes various bugs is now
  available for Red Hat Enterprise Linux 4. This update has been rated
  as having important security impact by the Red Hat Security Response
  Team.
  http://www.linuxsecurity.com/content/view/120541

+---------------------------------+
| Distribution: Red Hat           | ----------------------------//
+---------------------------------+

* RedHat: Low: binutils security update
  11th, October, 2005
  An updated binutils package that fixes minor security issues is now
  available. This update has been rated as having low security impact
  by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120578

* RedHat: Low: libuser security update
  11th, October, 2005
  Updated libuser packages that fix various security issues are now
  available. This update has been rated as having low security impact
  by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120579

* RedHat: Moderate: util-linux and mount security update
  11th, October, 2005
  Updated util-linux and mount packages that fix two security issues
  are now available. This update has been rated as having moderate
  security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120580

* RedHat: Moderate: ruby security update
  11th, October, 2005
  Updated ruby packages that fix an arbitrary command execution issue
  are now available. This update has been rated as having moderate
  security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120581

* RedHat: Moderate: openssl security update
  11th, October, 2005
  Updated OpenSSL packages that fix various security issues are now
  available. This update has been rated as having moderate security
  impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/120582

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org  Mon Oct 17 00:02:28 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 17 00:16:15 2005
Subject: [ISN] Glitch forces fix to cockpit doors
Message-ID:

Forwarded from: matthew patton

> The design demands were extraordinarily tricky. The doors had to be
> strong enough to withstand bullets, yet engineered to burst open to
> avoid a catastrophic twisting of the airframe in the event of a
> sudden loss of cabin pressure.
I'll show my ignorance of aircraft construction and ponder why a fixed
door is somehow going to contribute to airframe twist. How is the cockpit
door any different than a bulkhead? Albeit a leaky one? With all the walls
in the cockpit vicinity (food galley, bathroom) that section of the plane
should be quite heavily reinforced and structurally sound in the first
place. Or is the concern that the door and/or door frame warpage arising
from the pressure differential will prevent them from opening the door and
thus seal the pilots into the cockpit? This is a problem, why? Couldn't
they design the door with a couple of pressure-cooker or air-compressor
style over-pressure relief plugs that blow out?

> In both cases, the cockpit door is secured by aluminum rods that
> slide into the lock or unlock positions when activated by an
> electronic signal. Rapid decompression would also unlock the door.

Says me the amateur terrorist, I have one of my buddies get one of them
car escape hammers and bust out a window in the back of the plane and when
the pilot declares an emergency and makes for 10,000 ft avail myself of
the now unlocked (and/or open) cockpit door. If I'm on a suicide mission
(what terrorist isn't) I probably don't much care if I succeed at getting
into the cockpit and taking control. 2 shots or a flick of my wrist and my
work is done.

> "I'd have to have equipment. I'd have to get it through security.
> I'd have to know the right channel," the chief engineer said.

How about I just get a job as a maint guy - you know for like Boeing or
whoever they subcontract out the door installation/testing/maint to. Or
bribe somebody who has access to the information.

> "I'd need to know quite a lot about where parts are installed on the
> airplane. I'd need to do a lot of things I couldn't actually do" on
> a commercial flight.

Well duh. I'm not going to try to create an exploit while being watched by
a hundred passengers.
> Originally, airlines paid $29,000 for each of the Airbus wide-body
> door kits and between $40,000 and $100,000 for the Boeing wide-body
> kits, depending on the plane's model and configuration.

Wouldn't it be cheaper to have a guy with a welding torch on standby at
both ends to just weld and unweld a plate of 1/2" steel? Or put the pilot
entrance hatch in the cargo hold and forget about having cockpit doors at
all? Pilots in the military get in and out through a hatch in the
bottom...

> Both Boeing and Airbus used the same supplier, Adams Rite Aerospace
> of Fullerton, Calif., for their in-house door control.

So who's up for a smash and grab? All one would need is 1 unit, defective
or otherwise to reverse engineer at one's leisure. I wonder if it uses a
rolling code like a garage opener...

> Boeing already had provided a manual bolt lock as a backup. A pilot
> could use it in case of a perceived threat.

I'm flat-out amazed the PRIMARY let alone only means of activation isn't
manual. 3 or 4 hardened steel slides, like you see on bathroom stalls
(albeit beefier) should about do it.

> Airbus does not install a mechanical backup lock as standard.

NUTS!

From isn at c4i.org  Mon Oct 17 00:03:30 2005
From: isn at c4i.org (InfoSec News)
Date: Mon Oct 17 00:16:58 2005
Subject: [ISN] Staff 'need reasons' to believe in security
Message-ID:

Forwarded from: Harlan Carvey
Cc: edit@zdnet.com.au

> http://www.zdnet.com.au/news/security/soa/Staff_need_reasons_to_believe_in_security/0,2000061744,39217156,00.htm
>
> By Tom Espiner
> ZDNet UK
> 14 October 2005
>
> Companies must ensure that their staff understand the reasons behind
> security policies and support them, rather than just dictating them
> from on high,

Here it is...the latter half of 2005, and this is being reported as
"news"? Sorry, but security professionals have been saying this since the
early days of infosec.
It doesn't take a rocket scientist or a brain surgeon to understand what
you see when senior management dictates any sort of policy to the
assembled masses, and doesn't bother to follow it themselves.

Wow.

HC

------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------

From isn at c4i.org  Tue Oct 18 02:33:40 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 18 02:47:37 2005
Subject: [ISN] Homeland Security inches toward makeover
Message-ID:

http://news.com.com/Homeland+Security+inches+toward+makeover/2100-7348_3-5898244.html

By Anne Broache
Staff Writer, CNET News.com
October 17, 2005

The U.S. Department of Homeland Security is on its way to an
organizational makeover, thanks to a bill that President Bush is scheduled
to sign on Tuesday.

According to a final report that accompanies the Homeland Security
Appropriations Act of 2006, lawmakers from both houses agreed to move all
"infrastructure protection and information security programs," which
include cybersecurity, into a "Preparedness Directorate" proposed in July
as part of Secretary Michael Chertoff's plan to restructure the
department.

The directorate is slated to include a medley of new officials, including
an assistant secretary for cybersecurity and telecommunications.

The bill makes no direct mention of money for the cybersecurity secretary
role. But it's not up to the committee to design the makeup of Homeland
Security offices, a U.S. Senate Appropriations committee aide said Monday.
She said the department could use its allotment to create the position if
it wishes to do so.

The department declined to elaborate on its plans. "We continue to
anticipate that the proposals put forward by the secretary under the
Second Stage Review will be enacted," Kirk Whitworth, a Homeland Security
spokesman, said in an e-mail.
Since the department's creation, its top cybersecurity official has held a
low to midlevel role several layers below the secretary. Some members of
Congress and industry representatives have been clamoring for a more
powerful post, but so far, action has stalled.

The latest spending bill allocates $93.3 million under the broad heading
of cybersecurity, earmarking $30 million for "national cybersecurity
exercises and outreach." An unspecified portion is supposed to fund the
U.S. Computer Emergency Readiness Team, a group charged with analyzing
cyberthreats and coordinating incident-response activities in public and
private sectors.

The bill also sets aside a separate $16.7 million to fund cybersecurity
research, placing the category third from the bottom of the list for
research and development spending. The biggest chunk for the upcoming
year, $380 million, would go to financing work on "biological
countermeasures."

Copyright © 1995-2005 CNET Networks, Inc. All rights reserved.

From isn at c4i.org  Tue Oct 18 02:32:19 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 18 02:47:59 2005
Subject: [ISN] At Microsoft, Interlopers Sound Off on Security
Message-ID:

http://www.nytimes.com/2005/10/17/technology/17hackers.html

By JOHN MARKOFF
October 17, 2005

REDMOND, Wash., Oct. 14 - In a windowless war room where Microsoft manages
worldwide computer security crises, George Stathakopoulos, the general
manager for security, opened a small refrigerator, revealing three bottles
of Champagne.

"These are for the arrests," he said, with a brief smile.

Locked in a struggle with a shadowy "black hat" computer underground that
exploits any flaw in its software, Microsoft has spent three and a half
years trying to transform its engineering culture to make security the
company's priority.

Recently there have indeed been some arrests for computer attacks that
capitalized on Microsoft software flaws.
But more important, during the last year the company has made measurable
progress in improving the quality of its software code, according to many
computer security specialists and customers. That has in effect raised the
bar for the computer outlaws seeking to exploit the company's software for
data theft, extortion or simple mischief.

It now appears that Microsoft can begin to celebrate - a little.

Last Thursday and Friday, the company held its second Blue Hat briefing, a
meeting with a small group of about a dozen independent computer security
specialists invited to the company's headquarters here to share detailed
research on vulnerabilities in Windows software.

Microsoft managers chose the term blue hat to distinguish their outreach
campaign from the usual division in the computer security world between
warring communities of white hats and black hats. Whatever their hats,
those invited here were a group not generally inclined to think highly of
Microsoft.

On the first day of the meeting, the visitors made presentations to some
of the company's top executives. The sessions were repeated on Friday for
more than 500 of the company's approximately 9,000 programmers.

David Maynor, an intrusion detection expert at Internet Security Systems,
based in Atlanta, began by giving Microsoft good marks for addressing
conventional computer threats.

But Mr. Maynor cited a fundamental design error in the way Windows
operating systems handle peripherals, making it theoretically possible for
an attacker to insert a malicious program into a personal computer by
attaching a hand-held device to a computer port. "You trust stuff way too
much," he said.

Microsoft had also erred in public assertions about the security of its
coming Xbox 360 game console, he said, adding, "You're a huge target, and
when you challenge people, they will prove you wrong."
It was clear from the presentations that Microsoft still has work to do to
secure its programs, which are the most widely used on the Internet. But
it was also the consensus of those attending that the company might have
made progress in slowing the deluge of viruses, worms, spam and spyware
that plagues its customers.

"It's not perfect, but compared to the competition, they've made
significant progress," said Dan Kaminsky, a prominent independent computer
security researcher who attended the meeting.

For the first time, Microsoft executives allowed a reporter to attend the
meeting, although one research group making a presentation was unwilling
to speak publicly.

Microsoft's decision to reach out to critics it would once have shunned
shows its change in attitude about computer security. The effort began
four years ago when Mr. Stathakopoulos, a veteran Microsoft security
executive, attended Black Hat, an annual computer security conference
focused on software vulnerabilities, in Las Vegas.

Although he found that Microsoft was broadly attacked at the meetings,
Mr. Stathakopoulos returned the next year and even sponsored a party for
the researchers to begin to build bridges.

He said he had second thoughts after scheduling the event. "I turned to
another Microsoft executive and said: 'What did we do? This is going to be
a disaster,' " he said.

In the end, disaster was averted. The Microsoft executives and the Black
Hat researchers talked until 7 the next morning.

This year Microsoft has gone further. In March and again last week, it
invited the outside specialists to its campus in an effort to learn more
from an insular community that studies the company's software for chinks
in its armor.
Microsoft had previously resisted efforts to open a dialogue even with
"white hat" hackers like those in attendance here - computer security
researchers who expose vulnerabilities but do not exploit them, and who
have frequently been bitterly critical of Microsoft as indifferent to
security.

Microsoft's stance changed in 2002 and 2003 when computer worms like
Blaster and Slammer, preying on flaws in Microsoft software, spread
worldwide and began to threaten the company's relations with consumers and
corporate customers alike. The situation became so grave that in 2002
Microsoft suspended its programming development for more than two months
and sent all of its programmers to remedial security classes.

The wrenching change the company has gone through was an absolute
necessity, said Mr. Kaminsky, the security researcher. "Security issues
can kill Windows; you can't say it any other way," he said.

And Microsoft's willingness to engage its security critics directly has
made a significant impression on many of them.

"The battleship is starting to turn," said George Spillman, a computer
security researcher who calls himself Geo and whose card describes him as
the minister of propaganda for the Toorcon Computer Security Conference.
"The fact that I am here is a good indication of how much Microsoft has
changed. They are starting to understand that our community cares as much
about security as they do."

But Mr. Maynor cautioned that the company was on the brink of an era of
threats that would prove far more vexing. He pointed to a world of mobile
devices that make today's defense concepts obsolete. Such devices would
allow remote attackers to leap past firewalls guarding corporate borders
and jump from one network to another to get access to corporate networks.

The nature of attacks, he said, will also shift away from global Internet
worms such as Blaster because of the increasing profitability of computer
crime.
A single bug can now bring as much as $50,000 in the computer underground
and is likely to be used for data theft or extortion, not unleashed simply
for widespread chaos. "We're seeing the rise of designer malware," or
malicious software, he said. "There will be a shift toward targeted
attacks."

Another attendee, Brett Moore, chief technology officer of Security
Assessment, a consulting firm in Auckland, New Zealand, said he had
success in finding undiscovered vulnerabilities in some versions of
Windows by looking for known bugs in different parts of programs or in
other applications. "In a couple of hours I found four vulnerabilities,"
he said.

Microsoft executives responded that they were trying to improve their code
by using a similar technique in their development process. Known as
fuzzing, it involves automatically testing tens of thousands of
combinations in programs to hunt for flaws.

Microsoft executives and the independent researchers said that the company
had bolstered security significantly with the release of Windows XP
Service Pack 2 in 2004. The update, a free download, made the operating
system much less vulnerable.

Microsoft executives also cite a decline in the number of security
bulletins issued for major products like Windows Server and Office as
evidence that the new engineering discipline is having an impact.

There were 69 such bulletins issued for Windows 2000 Server in two and a
half years and only 41 for Windows Server 2003 in a comparable period, the
company said. Eleven bulletins were issued for the 2001 version of Office
XP during the first 594 days after its introduction; for Office 2003,
there were six bulletins in the same period. For the last two Windows XP
updates, 35 bulletins were issued for Service Pack 1 in the year ended
last June but only 18 for Service Pack 2.

Mr. Stathakopoulos takes pride in the achievement, as when he notes that
he has been involved in shipping more compact discs - Windows software -
than the Beatles, Rolling Stones and Madonna combined.

From isn at c4i.org  Tue Oct 18 02:32:33 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 18 02:48:14 2005
Subject: [ISN] Avoid costly clearance delays - Field investigator cautions that a security clearance is not a resume
Message-ID:

http://www.fcw.com/article91121-10-17-05-Web

By Florence Olsen
Oct. 17, 2005

Delays in getting security clearances to satisfy critical staffing needs
frustrate many agency officials and federal contractors.

Although Congress enacted an intelligence reform law last year to help
reduce a backlog of security clearance applications, experienced field
investigators say the problems remain.

Some say the law's 90-day deadline for completing investigations was never
realistic, and agencies have been slow to comply with the law's
reciprocity provision, which requires them to accept one another's
security clearances.

But businesses and agencies can prevent many delays and find skilled
technology employees with security clearances, according to several
investigative experts who spoke at a September meeting of the Business
Forum for HR Professionals in the Washington, D.C., area.

A security clearance can take as long as two years to process, said Earl
Gould, a special investigator under contract with the FBI. Gould is
president of the Association of Certified Background Investigators.

The Intelligence Reform and Terrorism Prevention Act of 2004 mandates that
by Dec. 17, 2006, agencies must be able to complete 80 percent of
background investigations for security clearances within 90 days. Gould
said that time frame is unreasonable.

The law allows an additional 30 days for three independent adjudicators to
decide whether the field investigators' findings justify granting a
security clearance.
Although the new law requires all agencies to accept security clearances
completed by an authorized investigative or adjudicative agency, few have
rushed to comply, Gould said. "It's just been recently that the CIA,
National Security Agency and FBI have agreed to accept each other's
clearances," he said. Other agencies have not embraced reciprocity.

In 2004, background investigations for most agencies became the Office of
Personnel Management's responsibility, but OPM has been slow to find ways
to eliminate the backlog and delays, Gould said. He said agencies will
eventually solve those problems. In the meantime, however, he and other
experts advise agencies and businesses needing employees with clearances
to avoid delays they can control.

One way to facilitate clearances is to hire a part-time or full-time
security clearance officer, said Roger Campbell, who worked at the CIA for
25 years as an HR manager and director. He is now human capital strategy
director at Monster Government Solutions, which sells online HR staffing
services.

A security clearance officer would track applications as they are
processed. In addition, guidance from a knowledgeable professional could
help employees verify that all information submitted on a clearance
application is accurate and complete, which speeds the process, Campbell
said.

"Any hiccup at all takes your candidate from the front of the line to the
back of the line," he said.

Another way to avoid delays is to begin the recruiting and security
clearance processes early, Campbell said. "Build bench strength," he said,
by initiating the security clearance process or validating existing
security clearances before hiring people.

Campbell said a security clearance officer is invaluable to companies and
agencies that need to hire hundreds of employees to fill national security
and public trust positions.
A clearance officer who knows the right questions to ask could make the
difference in whether a security clearance investigation moves quickly or
slowly. Such officers, for example, know to ask if an employee was born in
a foreign country. To get a security clearance, a person must renounce any
foreign citizenship and produce a naturalization certificate from
Citizenship and Immigration Services, the former Immigration and
Naturalization Service.

If applicants collect all that paperwork in advance, a field investigator
could save many hours, Gould said. "Trying to find a naturalization
certificate in INS is like trying to find Osama bin Laden," he said.
"Those people are really understaffed."

Sometimes the simplest way to maneuver around the processing backlog is to
hire an ex-military employee with an active security clearance, said Carl
Savino, president of Competitive Edge Services, a company that finds jobs
for military veterans. Nearly 250,000 people leave active military duty
each year, he said, and many of them have clearances.

Through several steps, agencies and businesses can avoid unnecessary
clearance delays. But Gould said agencies cannot control delays rooted in
OPM's HR culture. For its expanded role in conducting security clearances,
he said, the agency needs to replace its mentality with a national
security mind-set. "National security is not a human resources chore."

An HR official, for example, cannot explore someone's marital status
during a hiring interview, whereas a security investigator "will explore
this area rather deeply in some cases," Gould said.

"You would not like the questions we ask," he said, addressing the
audience of HR officials. But for security clearances, background
investigators need to ask personal questions, he said. "We have a lot more
to lose if we screw up."
From isn at c4i.org  Tue Oct 18 02:33:07 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 18 02:48:32 2005
Subject: [ISN] Linux Security Week - October 17th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  October 17th, 2005                           Volume 6, Number 43n  |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin D. Thomas      ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Web Application
Firewall Evaluation Criteria Announced," "Perform due diligence with RFID
security," and "Government must push on IT security."

---

## EnGarde Secure Linux 3.0 - Download Now! ##

* Linux 2.6 kernel featuring SELinux Mandatory Access Control
* Guardian Digital Secure Network features free access to all system and
  security updates (to be available shortly through an updated release)
* Support for new hardware, including 64-bit AMD architecture
* Web-based management of all functions, including the ability to build a
  complete web presence with FTP, DNS, HTTP, SMTP and more.
* Apache v2.0, BIND v9.3, MySQL v5.0(beta)
* Completely new WebTool, featuring easier navigation and greater ability
  to manage the complete system
* Integrated firewall with ability to manage individual firewall rules,
  control port forwarding, and creation of IP blacklists
* Built-in UPS configuration provides ability to manage an entire network
  of battery-backup devices
* RSS feed provides ability to display current news and immediate access
  to system and security updates
* Real-time access to system and service log information

LEARN MORE:
http://www.guardiandigital.com/products/software/community/esl.html

---

LINUX ADVISORY WATCH

This week, advisories were released for mason, cpio, dia, masqmail,
shorewall, tcpdump, openvpn, up-imapproxy, ethereal, weex, py2play,
graphviz, xloadimage, xli, xine-lib, hylafax, Ruby, SVG, helix player,
uw-imap, openssl, thunderbird, binutils, and libuser. The distributors
include Debian, Gentoo, and Red Hat.

http://www.linuxsecurity.com/content/view/120593/150/

---

Hacks From Pax: PHP Web Application Security
By: Pax Dickinson

Today on Hacks From Pax we'll be discussing PHP web application security.
PHP is a great language for rapidly developing web applications, and is
very friendly to beginning programmers, but some of its design can make it
difficult to write web apps that are properly secure. We'll discuss some
of the main security "gotchas" when developing PHP web applications, from
proper user input sanitization to avoiding SQL injection vulnerabilities.

http://www.linuxsecurity.com/content/view/120043/49/

---

Network Server Monitoring With Nmap

Portscanning, for the uninitiated, involves sending connection requests to
a remote host to determine what ports are open for connections and
possibly what services they are exporting.
Portscanning is the first step a hacker will take when attempting to
penetrate your system, so you should be preemptively scanning your own
servers and networks to discover vulnerabilities before someone unfriendly
gets there first.

http://www.linuxsecurity.com/content/view/119864/150/

---

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the
ability to securely access corporate email from any computer, collaborate
with co-workers and set-up comprehensive addressbooks to consistently keep
employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* Guardian Digital launches new edition of award-winning EnGarde Secure
  Linux platform
  10th, October, 2005

  Guardian Digital, Inc., the world's premier provider of open source
  security solutions, today announced the latest innovation of its product
  portfolio with the launch of EnGarde Secure Linux: Community Edition, a
  freely-available version of its award-winning enterprise product.
  EnGarde is the first product to bring complete Web-based management
  capability, Security-Enhanced Linux functionality, and the ability to
  control a complete Internet presence in one platform.

  http://www.linuxsecurity.com/content/view/120566

* How to keep instant messaging off the record
  13th, October, 2005

  Sometimes encryption isn't enough to keep your conversations private.
  With standard encryption, it's theoretically possible for someone to
  steal your secret encryption keys and decipher the conversation. For
  conversations that need to be kept confidential, the Off-the-Record
  (OTR) plugin for Gaim saves the day. It leaves no trace of a
  conversation ever having taken place.
  http://www.linuxsecurity.com/content/view/120591

* What Are Digital Vaults?
  11th, October, 2005

  A major challenge that is faced by all organisations selecting IT
  technology is trying to clearly understand how a particular solution may
  address the challenges they are tasked with solving. And this often
  involves trying to understand what various vendors mean when using
  generic terminology.

  http://www.linuxsecurity.com/content/view/120574

* Insider Security Threats Q&A
  12th, October, 2005

  We conducted a brief Q&A session with David Lynch, CMO at Apani
  Networks, a global network security software provider focused on
  securing inside the network perimeter. He discusses the security breach
  in White House, internal security attacks in general and how to prevent
  them.

  http://www.linuxsecurity.com/content/view/120584

* Red Hat Certified Security Specialist
  14th, October, 2005

  Red Hat yesterday announced the availability of a new security
  certification for IT professionals: Red Hat Certified Security
  Specialist (RHCSS). The announcement of the RHCSS certification is the
  Company's latest milestone in its "Security in a Networked World"
  initiative launched in August.

  http://www.linuxsecurity.com/content/view/120599

* Web Application Firewall Evaluation Criteria Announced
  10th, October, 2005

  The Web Application Firewall Evaluation Criteria project announced its
  first public release. The goal of the project is to develop a testing
  methodology that can be used by any reasonably skilled technician to
  independently assess quality of a web application firewall.

  http://www.linuxsecurity.com/content/view/120564

* Playing Nice With Physical Security
  10th, October, 2005

  At a small company, the information security manager is sometimes also
  responsible for physical security.
  At very large corporations, the physical security - sometimes called
  safety and security - is a completely separate department, responsible
  for hardware such as biometric ID or badge systems, security cameras and
  the management of guards. Safety and security departments handle
  investigations of physical breaches, such as theft, and workplace
  violence.

  http://www.linuxsecurity.com/content/view/120565

* Google fixes Web site security bug
  11th, October, 2005

  Google has fixed a security flaw on its Web site that opened the door to
  phishing scams, account hijacks and other attacks, security researchers
  said Monday.

  http://www.linuxsecurity.com/content/view/120577

* Perform due diligence with RFID security
  12th, October, 2005

  Most notably, EPCglobal Gen 2 standards currently lack over-the-air
  data-stream encryption between passive RFID tags and readers, though
  there are provisions for locking RFID tag memory and disabling tags.
  EPCglobal Gen 2 is the current standard for how passive tags affixed to
  items and encoded with information about them communicate wirelessly
  with readers, which collect that information and pass it to upstream
  applications.

  http://www.linuxsecurity.com/content/view/120585

* Developers 'should be liable' for security holes
  12th, October, 2005

  Security expert Howard Schmidt wants coders to be held responsible for
  vulnerabilities in their code, but others say their employers should be
  held to account.

  http://www.linuxsecurity.com/content/view/120587

* I get a right good fisking
  13th, October, 2005

  Is Windows inherently less secure than Linux, or just more popular?
  Presently available data is inconclusive, because Windows still holds
  the bulk of consumer and small business market

  http://www.linuxsecurity.com/content/view/120592

* Government must push on IT security
  14th, October, 2005

  IT security has matured significantly over the past few years.
An increase in the number of viruses such as Slammer, the advent of phishing, and a spate of high-profile attacks on organisations such as Sumitomo Bank, have pushed security to the top of many company agendas.

http://www.linuxsecurity.com/content/view/120594

* Hacking for Dollars
11th, October, 2005

Threats to information security come in all shapes and sizes, and from all directions: blended threats, mass-mailer worms, Trojans, phishing attacks, spyware, keystroke loggers, etc. Every day, one or more of these threats put critical information at risk in Internet-connected corporations and businesses around the globe.

http://www.linuxsecurity.com/content/view/120576

* Basic Bluetooth Security
14th, October, 2005

Bluetooth has been around since the 90s, and even today, most mobile devices come with the technology embedded in them. Bluetooth provides a wireless, point-to-point, "personal area network" for personal digital assistants (PDAs), notebooks, printers, mobile phones, audio components, and other devices. The wireless technology can be used anywhere if you have two or more devices that are Bluetooth-enabled. And as with any wireless connectivity, there are bound to be security issues since data is being sent over the air invisibly from device to device.

http://www.linuxsecurity.com/content/view/120595

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org  Tue Oct 18 02:33:25 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 18 02:48:58 2005
Subject: [ISN] Addressing the Human Security Vulnerability
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,105395,00.html

Opinion by Douglas Schweitzer
OCTOBER 17, 2005
COMPUTERWORLD

So, you have the best firewall, intrusion-detection and antivirus systems technology has to offer. Yet, despite your Fort Knox approach, you're still hit with security breaches and the occasional malware du jour.

One reason for this may be the lack of motivation by your workers. Unlike owners, they don't have a direct interest in the success of the company. Or do they? How far are they willing to go to ensure corporate success? Usually, not very. In fact, in most cases, they don't put much additional effort into executing their duties -- just enough to get the work done and retain their jobs.

According to Ken Shaurette, information security solutions manager at MPC Technology Solutions, however, "a too-often overlooked way to improve these attitudes is to include information security in the job descriptions of employees."

When your organization makes security awareness and policy compliance mandatory, the apathetic trend can be reversed. When management requires security policy compliance to be a key part of an employee's job, interest is generated. An added benefit is that security becomes part of the corporate culture. With performance reviews (hence, possible raises) looming periodically, employees are more apt to fit compliance into their daily routine. Knowing that they're being graded encourages employees to comply with policies.

Shaurette encourages employers to include a wider cross section of employees in the interview portion of security assessment and in compliance reviews.
These additional personnel will automatically gain a better awareness of security issues simply as a result of their exposure to security professionals. Not only will they add their input as to what data should be gathered for analysis, but they'll also come away with a better appreciation of the need for assessments. When they're a part of the compliance review, employees "will get a sense of ownership of the final results from the assessment," says Shaurette.

Inclusion alone won't always solve employee-apathy problems, however. Here are some other ways to reduce security risks created by employees who just don't care.

Monitoring. One solution that maybe isn't palatable but certainly is effective is employee usage monitoring. Tracking employee PC use can result in negative repercussions for the company, but it's one sure way to establish control over the network. Monitoring needs to be carried out in such a way that employee dignity is protected -- a daunting task because few tools are available to automate the process. "Doing the monitoring can become a very heavy administrative burden or require many application modifications that are often not even possible because applications are vendor-maintained," says Shaurette.

Restricted access. Limiting or retracting network access can also reduce (if not prevent) the impact of employee apathy, according to Simon Heron, managing director of Network Box. With the IT manager in control, "signatures for antivirus and antispam can be pushed to the gateway and to the desktop from central company servers," says Heron. The manager is in control of downloading the signatures, and the manufacturer can push software updates onto the gateway to ensure that it's up to date. "This means that the apathetic employee can't get in the way of updating their systems; it takes them out of the equation," says Heron.

Unified threat management. Heron points out, however, that limiting access may not prevent infections altogether.
Therefore, many organizations are turning to unified threat management systems. Deploying this type of technology restricts employee access to the Internet for browsing and using e-mail and instant messaging applications.

Endpoint security. It's important to realize that careless use of endpoint devices like laptops and handhelds is one of the biggest causes of compromised security. Recent surveys have found that -- because of outright ignorance of or, even worse, apathy toward security -- roughly a third of users don't even bother using password protection on their devices. This, of course, leaves data vulnerable to hackers and other opportunists, especially if the devices are lost or stolen. Moreover, remote users and mobile workers have been known to pick up viruses and worms on the road, then infect the corporate network when they return to the office.

It's imperative that endpoint devices be checked for compliance with your network security policy. Mandate that all endpoint devices have the latest patches and antivirus software. In addition, your policy should restrict the use of file-sharing and peer-to-peer applications and require certain operating system, browser and application security settings.

-=-

Douglas Schweitzer is a freelance writer and Internet security specialist in Nesconset, N.Y. He can be reached at dougneak at juno.com.

From isn at c4i.org  Tue Oct 18 02:34:24 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 18 02:49:15 2005
Subject: [ISN] Hackers no hassle: Hoff
Message-ID:

http://www.theage.com.au/news/people/hackers-no-hassle-hoff/2005/10/18/1129401238164.html

By Jane Holroyd
October 18, 2005

Baywatch star David Hasselhoff, who arrived in Australia this morning, says he's flattered by his cult hero status among hackers.

Hackers have defaced websites worldwide - including the Fremantle Dockers homepage this year - with images of the US actor and singer. The practice is known as 'Hoffing'.
"I don't really know how the whole thing started but I take no offence," he told theage.com.au at Melbourne Airport this morning.

"I think it's a wonderful form of flattery and it's a lot of fun. And it's nice to be recognised for doing shows that actually save lives and not take lives," Hasselhoff said.

"Knight Rider and Baywatch have always been synonymous with heroes and are about love, and about action, and humour, and I think that's what the world is about.

"I think people want to smile and be happy and that's what it's all about."

A thin-looking Hasselhoff emerged from the airport about 10.45am - wearing lime green cord trousers and a matching jumper - with his arm around his wife. Chewing gum while he spoke, he seemed quite relaxed.

When asked by the small group of waiting reporters to name his favourite Australian musicians, he replied: "Johnny Farnham and the Little River Band."

He was then whisked away by men in suits to a waiting white car.

Hasselhoff will appear on Rove Live tonight and is a guest at the ARIA music awards in Sydney on Sunday night. He is also set to appear on the Australian Idol live verdict show next Monday night, but Channel Ten would only say he would chat with the contestants.

Hasselhoff is a close friend of Idol judge Mark Holden, who produced a number of the star's songs during the 1990s, which skyrocketed up the German charts.

- theage.com.au, with Jano Gibson

From isn at c4i.org  Tue Oct 18 02:34:36 2005
From: isn at c4i.org (InfoSec News)
Date: Tue Oct 18 02:49:42 2005
Subject: [ISN] Microsoft: Unauthorized Windows XP SP3 'Preview' Bad News
Message-ID:

http://www.informationweek.com/story/showArticle.jhtml?articleID=172301710

By Gregg Keizer
TechWeb News
Oct. 17, 2005

Microsoft warned users to stay away from an unauthorized "preview" of Windows XP Service Pack 3, just as the site which hosts the collection updated the package to version 3.
"Anyone who installs this thinking they are getting SP3 (even as a preview) is being grossly misled and is posing a significant potentially non-recoverable risk to their PC and data," wrote Mike Brannigan, who identified himself on a Microsoft newsgroup as an employee of the Redmond, Wash.-based developer.

Microsoft has not released an SP3 update to Windows XP, although it recently confirmed it would do so sometime after Windows Vista launches late in 2006.

"Frankly this 'package' should be avoid [sic] and you should continue to use Windows Update and the download site to get the most up-to-date and correctly issued Microsoft fixes and patches," he added.

The preview -- dubbed Windows XP SP3 Preview Pack -- is a collection of hotfixes and other updates that Microsoft has released since the debut of SP2 more than a year ago. The pack, which was updated to version 3 on Monday, can be downloaded from the Hotfix.net Web site.

Brannigan dismissed the preview, saying that it also included a number of private hotfixes generated for users with very specific problems. "The hotfixes are not as rigorously tested as publicly released ones," he wrote. "Installing all the 'privates' may make your machine LESS stable and will also put you out of support from Microsoft or an OEM as you are installing incorrectly issued private hotfixes."

For his part, Ethan Allen, the creator and administrator of Hotfix.net, defended the 'preview' in a posting on his site. "This is NOT an official SP3 package from Microsoft, but rather just a collection of hotfixes that will most likely be in SP3 releasing in 2006. Use at your own risk."

From isn at c4i.org  Wed Oct 19 03:02:13 2005
From: isn at c4i.org (InfoSec News)
Date: Wed Oct 19 03:11:36 2005
Subject: [ISN] Packet analysis beats off hackers
Message-ID:

http://www.theinquirer.net/?article=27026

By Tony Dennis
18 October 2005

ALTHOUGH THEY don't like to admit it, online gambling companies are frequently the victims of denial of service attacks.
And, since they can lose significant amounts of revenue during such events, this opens them up to blackmail from hackers.

Naturally, such companies have deployed state-of-the-art firewalls and intrusion protection systems. However, one such operator - Bet365 - has found a new weapon. Namely real-time packet analysis.

The technology has been developed to enable the typical corporate network management to discover why a LAN is slowing down and who or what is causing it.

Bet365 has acquired this technology from network analysis specialists,