From isn at c4i.org Mon Apr 3 04:24:26 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 3 Apr 2006 03:24:26 -0500 (CDT)
Subject: [ISN] Linux Advisory Watch - March 31st 2006
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  March 31st, 2006                             Volume 7, Number 14n  |
|                                                                     |
|  Editorial Team:  Dave Wreski              dave at linuxsecurity.com |
|                   Benjamin D. Thomas        ben at linuxsecurity.com |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week advisories were released for firebird2, sendmail, evolution,
kpdf, flex, netpbm-free, file, man, db4, gok, gedit, epiphany,
gnome-power-manager, pyorbit, totem, libglade, gnome-icon-theme,
shared-mime-info, libxklavier, gstreamer, cpio, squirrelmail, glibc,
mtr, tix, xterm, perl, rpm, scim, mrtg, wpa, samba, bsd-games, mailman,
and freeradius. The distributors include Debian, Fedora, Gentoo,
Mandriva, Red Hat, and SuSE.

---

EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared
toward providing an open source platform that is highly secure by
default as well as easy to administer. EnGarde Secure Linux includes a
select group of open source packages configured to provide maximum
security for tasks such as serving dynamic websites, high availability
mail transport, network intrusion detection, and more. The Community
edition of EnGarde Secure Linux is completely free and open source, and
online security and application updates are also freely available with
GDSN registration.

http://www.engardelinux.org/modules/index/register.cgi

---

Linux Command Reference Manual: Linux File Formats
By: Suhas Desai

Linux File Formats

/etc/crontab
  The syntax of each line in this file is:
  minute, hour, day of month, month, day of week, (user name), command

/etc/fstab
  Columns are: device file to mount, directory to mount on, filesystem
  type, options, backup frequency, and fsck pass number (to specify the
  order in which filesystems should be checked on boot; 0 means no
  check). The noauto option stops this mount from being done
  automatically on boot.

/etc/hosts
  Sets up host address information for local use. The format is:
  IPaddress name1 name2

/etc/inittab
  Sets the init configuration. An entry in the inittab file has the
  following format:
  id:runlevels:action:process

/etc/passwd
  The file has one line per username, and is divided into seven
  colon-delimited fields:
  1. Username.
  2. Password, in an encrypted form.
  3. Numeric user id.
  4. Numeric group id.
  5. Full name or other description of account. This is called gecos.
  6. The user's home directory.
  7. The user's login shell (program to run at login).

/usr/X11R6/lib/X11/XF86Config
  The main XFree86 configuration file.

Read Full Paper
http://www.linuxsecurity.com/images/stories/commandref.pdf

----------------------

EnGarde Secure Community 3.0.4 Released

Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.4 (Version 3.0, Release 4). This release includes several
bug fixes and feature enhancements to the Guardian Digital WebTool and
the SELinux policy, and several new packages available for
installation.

http://www.linuxsecurity.com/content/view/121560/65/

---

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and
directory permissions that are far too liberal and allow access beyond
that which is needed for proper system operations.
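As an added example (not part of the newsletter or the referenced paper), the following Python script ties the /etc/passwd field layout above to the permissions point just made: it parses the seven colon-delimited fields and flags entries an administrator should review (empty password field, a UID 0 account other than root, duplicated UIDs, a password hash left in the world-readable passwd file) and, for home directories that exist, world-writable mode or a mismatched owner. The sample passwd text and the finding codes are constructed for this demonstration.

```python
import os
import stat
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the seven-field format described above; the hash
# on the "legacy" line is a placeholder, not a real password hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
backup::1001:1001:Backup Operator:/home/backup:/bin/sh
toor:x:0:0:Second root:/root:/bin/bash
bob:x:1000:1000:Bob Example:/home/bob:/bin/bash
legacy:$6$saltsalt$NOTAREALHASH:1002:1002:Legacy App:/srv/legacy:/bin/sh
"""

# Values of field 2 that mean "hash is in /etc/shadow" or "no password login".
SHADOW_MARKERS = {"x", "*", "!", "!!"}


@dataclass
class PasswdEntry:
    name: str
    password: str   # field 2: normally "x", the hash lives in /etc/shadow
    uid: int
    gid: int
    gecos: str      # field 5: full name or other description
    home: str
    shell: str


@dataclass
class Finding:
    user: str
    code: str
    detail: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Split each non-empty line into the seven colon-delimited fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_entries(entries: List[PasswdEntry]) -> List[Finding]:
    """Account-level checks that need nothing but the passwd text itself."""
    findings: List[Finding] = []
    first_owner: Dict[int, str] = {}  # uid -> first username seen with it
    for e in entries:
        if e.password == "":
            findings.append(Finding(e.name, "empty-password",
                                    "password field is empty; login needs no password"))
        elif e.password not in SHADOW_MARKERS:
            findings.append(Finding(e.name, "hash-in-passwd",
                                    "password hash stored in world-readable /etc/passwd"))
        if e.uid == 0 and e.name != "root":
            findings.append(Finding(e.name, "nonroot-uid0",
                                    "account has UID 0 and therefore full root privileges"))
        if e.uid in first_owner:
            findings.append(Finding(e.name, "duplicate-uid",
                                    f"shares UID {e.uid} with {first_owner[e.uid]}"))
        else:
            first_owner[e.uid] = e.name
    return findings


def check_home(e: PasswdEntry, mode: int, owner_uid: int) -> List[Finding]:
    """Judge a home directory from its st_mode and owner UID (pure, testable)."""
    out = []
    if mode & stat.S_IWOTH:
        out.append(Finding(e.name, "home-world-writable", f"{e.home} is writable by everyone"))
    if owner_uid != e.uid:
        out.append(Finding(e.name, "home-wrong-owner",
                           f"{e.home} is owned by UID {owner_uid}, not {e.uid}"))
    return out


def audit_home_dirs(entries: List[PasswdEntry]) -> List[Finding]:
    """Stat each home directory that exists on this host and apply check_home."""
    findings: List[Finding] = []
    for e in entries:
        try:
            st = os.stat(e.home)
        except OSError:
            continue  # missing or inaccessible home: nothing to judge here
        findings.extend(check_home(e, st.st_mode, st.st_uid))
    return findings


def audit_passwd(text: str) -> List[Finding]:
    return audit_entries(parse_passwd(text))


if __name__ == "__main__":
    parsed = parse_passwd(SAMPLE_PASSWD)
    for f in audit_entries(parsed) + audit_home_dirs(parsed):
        print(f"{f.user:<10} {f.code:<20} {f.detail}")
```

Run it against the real file with `audit_passwd(open("/etc/passwd").read())`; the home-directory checks only report on directories that actually exist on the host.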
A full explanation of unix file permissions is beyond the scope of this
article, so I'll assume you are familiar with the usage of such tools as
chmod, chown, and chgrp. If you'd like a refresher, one is available
right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more
data in a temporary data storage area than it was intended to hold.
Since buffers are created to contain a finite amount of data, the extra
information can overflow into adjacent buffers, corrupting or
overwriting the valid data held in them.

http://www.linuxsecurity.com/content/view/119087/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New firebird2 packages fix denial of service
  23rd, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122058

* Debian: New sendmail packages fix arbitrary code execution
  23rd, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122059

* Debian: New evolution packages fix arbitrary code execution
  23rd, March, 2006
  Ulf Härnhammar discovered several format string vulnerabilities in
  Evolution, a free groupware suite, that could lead to crashes of the
  application or the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/122065

* Debian: New Linux kernel 2.6.8 packages fix several vulnerabilities
  23rd, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122073

* Debian: New kpdf packages fix several vulnerabilities
  24th, March, 2006
  Derek Noonburg has fixed several potential vulnerabilities in xpdf,
  the Portable Document Format (PDF) suite, which is also present in
  koffice, the KDE Office Suite.
  http://www.linuxsecurity.com/content/view/122078

* Debian: New Linux kernel 2.4.27 packages fix several vulnerabilities
  24th, March, 2006
  Several local and remote vulnerabilities have been discovered in the
  Linux kernel that may lead to a denial of service or the execution of
  arbitrary code.
  http://www.linuxsecurity.com/content/view/122079

* Debian: New flex packages fix insecure code generation
  27th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122126

* Debian: New netpbm-free packages fix arbitrary command execution
  28th, March, 2006
  Max Vozeler from the Debian Audit Project discovered that pstopnm, a
  converter from Postscript to the PBM, PGM and PNM formats, launches
  Ghostscript in an insecure manner, which might lead to the execution
  of arbitrary shell commands, when converting specially crafted
  Postscript files.
  http://www.linuxsecurity.com/content/view/122131

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Core 5 Update: file-4.17-2.fc5
  23rd, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122071

* Fedora Core 5 Update: man-1.6c-2.fc5
  24th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122089

* Fedora Core 5 Update: db4-4.3.29-3.fc5
  24th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122090

* Fedora Core 5 Update: gok-1.0.7-1
  24th, March, 2006
  A new gok package has been built that fixes several bugs, and adds
  support for the zh_HK language.
  http://www.linuxsecurity.com/content/view/122091

* Fedora Core 5 Update: gedit-2.14.1-1
  24th, March, 2006
  A new version of the gedit package has been built that fixes a problem
  with tab drag-and-drop when multiple gedit windows are open.
  http://www.linuxsecurity.com/content/view/122092

* Fedora Core 5 Update: epiphany-2.14.0-1
  24th, March, 2006
  A new epiphany package has been built that brings the epiphany version
  in Fedora Core 5 in sync with the version that's shipped with Gnome
  2.14.
  http://www.linuxsecurity.com/content/view/122093

* Fedora Core 5 Update: evolution-connector-2.6.0-1
  24th, March, 2006
  A new evolution-connector package has been built that brings the
  version in Fedora Core 5 in sync with the version that's shipped with
  Gnome 2.14.
  http://www.linuxsecurity.com/content/view/122094

* Fedora Core 5 Update: evolution-data-server-1.6.0-1
  24th, March, 2006
  A new evolution-data-server package has been built that brings the
  version in Fedora Core 5 in sync with the version that's shipped with
  Gnome 2.14.
  http://www.linuxsecurity.com/content/view/122095

* Fedora Core 5 Update: gnome-power-manager-2.14.0-1
  24th, March, 2006
  A new gnome-power-manager package has been built that brings the
  version in Fedora Core 5 in sync with the version that was released
  for Gnome 2.14.
  http://www.linuxsecurity.com/content/view/122096

* Fedora Core 5 Update: pyorbit-2.14.0-1
  24th, March, 2006
  A new pyorbit package has been built that brings the version in Fedora
  Core 5 in sync with the version that's shipped with Gnome 2.14.
  http://www.linuxsecurity.com/content/view/122097

* Fedora Core 5 Update: totem-1.4.0-2
  24th, March, 2006
  A new totem package has been built that brings the version in Fedora
  Core 5 in sync with the version that's shipped with Gnome 2.14.
  http://www.linuxsecurity.com/content/view/122098

* Fedora Core 5 Update: libglade2-2.5.1-4.fc5.1
  24th, March, 2006
  A new libglade package has been released that fixes a problem when
  setting the "invisible" character (in password entries) to a non-ASCII
  character.
  http://www.linuxsecurity.com/content/view/122099

* Fedora Core 5 Update: gnome-icon-theme-2.14.2-1.fc5.1
  24th, March, 2006
  An updated gnome-icon-theme package fixes a problem where files with
  mimetype application/xml would not get the right icon.
  http://www.linuxsecurity.com/content/view/122100

* Fedora Core 5 Update: shared-mime-info-0.17-1.fc5.1
  24th, March, 2006
  A new version of the shared-mime-info package has been released that
  fixes several bugs.
  http://www.linuxsecurity.com/content/view/122101

* Fedora Core 5 Update: libxklavier-2.2-1
  24th, March, 2006
  A new libxklavier package has been built that brings the version in
  Fedora Core 5 in sync with the version that shipped with Gnome 2.14.
  http://www.linuxsecurity.com/content/view/122102

* Fedora Core 5 Update: gnome-vfs2-2.14.0-2
  24th, March, 2006
  A new version of the gnome-vfs2 package fixes a packaging error.
  http://www.linuxsecurity.com/content/view/122103

* Fedora Core 5 Update: gstreamer-plugins-base-0.10.5-1
  24th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122104

* Fedora Core 5 Update: gstreamer-0.10.4-1
  24th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122105

* Fedora Core 5 Update: cpio-2.6-15.FC5
  27th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122113

* Fedora Core 4 Update: squirrelmail-1.4.6-4.fc4
  27th, March, 2006
  This update fixes Bug #185767 where we broke Japanese mail sending in
  our previous update. (I would really appreciate it if Chinese and
  Korean users would test this and report if it works properly for
  incoming and outgoing mail.)
  http://www.linuxsecurity.com/content/view/122114

* Fedora Core 5 Update: squirrelmail-1.4.6-4.fc5
  27th, March, 2006
  This update fixes Bug #185767 where we broke Japanese mail sending in
  our previous update. (I would really appreciate it if Chinese and
  Korean users would test this and report if it works properly for
  incoming and outgoing mail.)
  http://www.linuxsecurity.com/content/view/122115

* Fedora Core 4 Update: glibc-2.3.6-3
  27th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122116

* Fedora Core 5 Update: mtr-0.71-0.FC5.1
  27th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122117

* Fedora Core 4 Update: mtr-0.71-0.FC4.1
  27th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122118

* Fedora Core 5 Update: tix-8.4.0-4
  27th, March, 2006
  The tix-8.4.0-3.1 package that shipped with Fedora Core 5 had
  libTix8.4.so in the wrong directory. The tix-8.4.0-4 package corrects
  this problem. The 'package require Tix' command now works as it
  should.
  http://www.linuxsecurity.com/content/view/122119

* Fedora Core 5 Update: xterm-211-1.FC5
  27th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122121

* Fedora Core 4 Update: perl-5.8.6-24
  27th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122122

* Fedora Core 4 Update: kernel-2.6.16-1.2069_FC4
  30th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122170

* Fedora Core 4 Update: rpm-4.4.1-23
  30th, March, 2006
  This update fixes an issue with a double free experienced in
  verification with matchpathcon.
  http://www.linuxsecurity.com/content/view/122171

* Fedora Core 5 Update: scim-hangul-0.2.2-1.fc5
  30th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122172

* Fedora Core 5 Update: scim-anthy-1.0.0-1.fc5
  30th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122173

* Fedora Core 5 Update: mrtg-2.13.2-0.fc5.1
  30th, March, 2006
  Fixes the RouterUptime option.
  http://www.linuxsecurity.com/content/view/122174

* Fedora Core 5 Update: wpa_supplicant-0.4.8-6.fc5
  30th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122175

* Fedora Core 5 Update: samba-3.0.22-1.fc5
  30th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122176

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: NetHack, Slash'EM, Falcon's Eye Local privilege escalation
  23rd, March, 2006
  NetHack, Slash'EM and Falcon's Eye are vulnerable to local privilege
  escalation vulnerabilities that could potentially allow the execution
  of arbitrary code as other users.
  http://www.linuxsecurity.com/content/view/122072

* Gentoo: RealPlayer Buffer overflow vulnerability
  26th, March, 2006
  RealPlayer is vulnerable to a buffer overflow that could lead to
  remote execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/122106

* Gentoo: OpenOffice.org Heap overflow in included libcurl
  27th, March, 2006
  OpenOffice.org contains a vulnerable version of libcurl that may cause
  a heap overflow when parsing URLs.
  http://www.linuxsecurity.com/content/view/122124

* Gentoo: bsd-games Local privilege escalation in tetris-bsd
  29th, March, 2006
  tetris-bsd is prone to local privilege escalation vulnerabilities.
  http://www.linuxsecurity.com/content/view/122159

+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated FreeRADIUS packages fix EAP-MSCHAPv2 module
  vulnerability
  24th, March, 2006
  An unspecified vulnerability in FreeRADIUS 1.0.0 up to 1.1.0 allows
  remote attackers to bypass authentication or cause a denial of service
  (server crash) via "Insufficient input validation" in the EAP-MSCHAPv2
  state machine module. Updated packages have been patched to correct
  this issue.
  http://www.linuxsecurity.com/content/view/122077

* Mandriva: Updated mailman packages fix DoS from badly formed mime
  multipart messages.
  29th, March, 2006
  Scrubber.py, in Mailman 2.1.5 and earlier, when using email 2.5 (part
  of Python), is susceptible to a DoS (mailman service stops delivering
  for the list in question) if it encounters a badly formed mime
  multipart message with only one part and that part has two blank lines
  between the first boundary and the end boundary.
  http://www.linuxsecurity.com/content/view/122161

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Critical: RealPlayer security update
  23rd, March, 2006
  An updated RealPlayer package that fixes a buffer overflow bug is now
  available for Red Hat Enterprise Linux Extras 3 and 4. This update has
  been rated as having critical security impact by the Red Hat Security
  Response Team.
  http://www.linuxsecurity.com/content/view/122057

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

* SuSE: RealPlayer security problems
  23rd, March, 2006
  This update fixes the following security problems in Realplayer:
  CVE-2006-0323, CVE-2005-2922.
  http://www.linuxsecurity.com/content/view/122060

* SuSE: freeradius authentication bypass
  28th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122127

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request at linuxsecurity.com with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Apr 3 04:24:48 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 3 Apr 2006 03:24:48 -0500 (CDT)
Subject: [ISN] Daughter: DIA security roughed-up mom, 83
Message-ID:

http://www.rockymountainnews.com/drmn/local/article/0,1299,DRMN_15_4585114,00.html

By Chris Barge
Rocky Mountain News
March 31, 2006

Sally Moon had to cool off for the better part of this week before she
could see straight enough to write a complaint about a security agent's
treatment of her elderly mother at Denver International Airport.

At first, she couldn't settle on the right words to use. "Horrific,"
"mind-boggling" and "outrageous" were a few that came to mind.

Anyone could see that Bernice "Bea" Bogart, 83, was a fragile woman,
Moon said. Bogart had breast cancer surgery in 1997, a total hip
replacement after a fall in 1999, a major stroke in 2004 that caused
dementia, and is hard of hearing.

So when Bogart, who was in a wheelchair, was required by airport
security on Saturday to stand against doctor's orders and undergo a
rigorous screening by a testy female screener, Moon got furious.

"I don't know if she thought my mom had a bomb in her Depends or what,"
Moon said.

A Transportation Security Administration spokeswoman said Thursday that
a high level of professionalism and courtesy is expected from its
screeners and Moon's complaint is being looked into.

But Moon doubts anyone will be held accountable.

This week, she sat at her computer in Colorado Springs and e-mailed the
TSA's Office of Civil Rights.

"Although I imagine this complaint will go straight to the trash and the
agent responsible will face no consequences and receive no reprimand, I
could not sleep until I at least voiced my outrage," she began.

Moon said that at about 6 p.m. Saturday, she and her sister were walking
alongside their mother, who was in a wheelchair being pushed by a
Frontier Airlines employee to a special screening area at the head of
DIA's Concourse A.

Just before reaching security, Moon's sister, who did not have gate
clearance, was asked to sit in a chair away from the screening area
while Moon and their mother proceeded.

Bogart was holding an orthopedic card saying that she had a metal plate
in her hip.

Having been assured that Frontier and the TSA staff would not require
Bogart to leave her wheelchair, Moon turned her back to put her mother's
bags through the X-ray screener.

Moon said she was horrified when she turned around moments later to
discover that her mother had been selected for additional screening and
was out of her wheelchair and hobbling through a large glass-walled
corridor.

"There were no grab bars," Moon said. "What I could see really was her
fingers trying to hang onto a little ledge."

Fearing another hip-shattering fall, Moon instinctively reached out for
her mother.

"Don't touch her!" Moon says the screener barked.

As the elderly woman shuffled along, Moon said she continued to tell the
screener that her mother was not to stand without her four-wheeled
walker.

"You'd better change your attitude," Moon recalls the screener saying.
"Or do you want me to make it so you don't fly today?"

The screener allowed Bogart to sit down for a moment and then instructed
her to stand up and lift her arms, Moon said. Bogart could barely raise
her arms due to the breast cancer surgery and so the screener lifted
them higher herself, Moon said.

Infuriated, Moon protested and said she was told to sit across the room
"or else."

"I know she prolonged her search because she was mad at me," Moon said.

Bogart had been nervous about flying alone for the first time since her
husband's death last year. She sat back down in the wheelchair after the
screening in shocked silence, her daughter said.

Two hours later, Bogart was in the air, en route to Nashville, Tenn., to
visit her youngest daughter for a month.

Moon marched back to security to give management a piece of her mind.
She demanded the name of the young screener in her mid-to-late 20s with
darkish hair pulled back in a bun.

A TSA manager refused to give her the screener's name, Moon said, and
suggested she file a general complaint.

Several days later, Moon did just that.

"If you've read this far, I'm surprised," she wrote in closing. "But if
you have, you can now toss this letter, send me one of those form
letters indicating you take these kinds of complaints 'very seriously'
and are going to investigate the matter, blah blah blah, and get back to
more important activities."

Moon can expect a response from the TSA's Office of Civil Rights, Denver
TSA spokeswoman Carrie Harmon said.

"When we receive complaints, we take them very seriously, we investigate
them and we address any personnel issues as appropriate," Harmon said.

Reached at her youngest daughter's home in Nashville on Thursday, Bogart
said she didn't want to get anyone in trouble and emphasized "they were
all kind except for that one girl. I thought she was a little harsh."

"I thought it was a little much," she added. "She wouldn't let my
daughter help me. And I have a hard time standing very long at a time at
all."

DIA spokesman Chuck Cannon expressed surprise at Bogart's tale, but said
ultimately the airport has no authority to regulate the TSA, which is a
federal agency.

"I honestly don't know why they would have made a woman in that
condition get up and walk through secondary screening," he said. "I'm
sure it's all a misunderstanding, but we hate for those things to happen
and we wish they wouldn't happen."
From isn at c4i.org Mon Apr 3 04:25:04 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 3 Apr 2006 03:25:04 -0500 (CDT)
Subject: [ISN] New generation of IE malware now circulating
Message-ID:

http://www.networkworld.com/news/2006/033106-ie-malware.html

By Robert McMillan
IDG News Service
03/31/06

Hackers have posted a new version of malicious software that will make
it easier for them to exploit an unpatched vulnerability in Microsoft's
Internet Explorer (IE) browser.

Based on a critical bug disclosed on March 22, the software was posted
by hackers Friday to the Milw0rm.com Web site. The code exploits a flaw
in the way IE processes Web pages using the createTextRange() method.

Hackers have been using malware that takes advantage of this
vulnerability to install unauthorized software on victims' computers
over the past week, but this new generation is considered to be more
dangerous, according to security researchers.

Older versions of the malware could freeze victims' browsers for more
than a minute, giving them an opportunity to shut down their computers
or stop the malicious software before it could complete its work. But
the new software works more quickly, meaning it will be particularly
effective on older machines with limited memory and processing
capabilities, said Craig Schmugar, researcher with McAfee Avert Labs.

Though hackers had not widely adopted the new software as of Friday
morning, Schmugar said he expected that to change. "It's still pretty
early," he said. "I think it's reasonable to expect that people will
shift."

The software also uses new techniques to avoid certain types of
signatures used by anti-virus vendors, said Aviv Raff, a security
researcher based in Israel. "It's much more effective," he said. "I
think people should know and understand that ... now they are more
vulnerable."

The fact that the code was released just before the weekend is also
worrisome, because it means that "administrators have to wait for Monday
to apply their protections and to give warning to users," said
Juha-Matti Laurio, a security researcher in Helsinki.

With a fix for the problem expected as late as April 11, the date of
Microsoft's next scheduled security update, security companies Determina
and eEye Digital Security issued unsupported patches for the problem.
According to eEye, there have been more than 70,000 downloads of its
software since its Monday release.

Microsoft does not recommend that users install these patches. Instead,
it recommends that users disable IE's Active Scripting feature as a
work-around.

Despite the severity of the TextRange() bug, McAfee says that the
malware that takes advantage of it is not particularly widespread. This
software at present ranks No. 13 in McAfee's list of the top 20 pieces
of malware being reported, Schmugar said.

From isn at c4i.org Mon Apr 3 04:25:29 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 3 Apr 2006 03:25:29 -0500 (CDT)
Subject: [ISN] Call For Papers - The 6th Annual Digital Forensic Research Workshop
Message-ID:

Forwarded from: dfrws2006 (at) dfrws (dot) org

Call for Papers

The 6th Annual Digital Forensic Research Workshop (DFRWS 2006)
August 14-16, 2006
Purdue University
Lafayette, Indiana, USA

www.dfrws.org
dfrws2006 (at) dfrws (dot) org

The purpose of this workshop is to bring together researchers,
practitioners, and educators interested in digital forensics. We
welcome the participation of people in industry, government, law
enforcement, and academia who are interested in advancing the state of
the art in digital forensics by sharing their results, knowledge, and
experiences. The accepted papers will be published in printed
proceedings.

Topics of Interest

We are looking for research papers, demo proposals, and panel
proposals.
Major areas of interest include, but are not limited to, the following
topics:

- Incident response and live analysis
- OS and application analysis
- Multimedia analysis
- File system analysis
- Memory analysis
- Network analysis
- Data hiding and recovery
- Event reconstruction
- Large-scale investigations
- Data mining techniques
- Automated searching
- Tool testing and development
- Digital evidence storage formats
- Digital evidence and the law
- Traceback and attribution
- Physical media analysis
- Case studies and trend reports
- Non-traditional approaches to forensic analysis

Important Dates

Papers, demo, and panels submission deadline: April 21, 2006
Author notification: May 21, 2006
Camera-ready copies due: June 21, 2006
Workshop dates: August 14-16, 2006

Submission

Papers must be written in English and should not be longer than 10
single spaced, double column pages. All papers should illustrate the
applicability of their work to practical issues. Papers must not
significantly duplicate work that has been presented or published
elsewhere. The papers will be published in printed proceedings.

The DFRWS 2006 review process will be "double-blind" (the reviewers will
not know who the authors are and the authors will not know who the
reviewers are). Therefore, the version submitted for review should not
contain the names or affiliations of the authors. When referring to
one's previous work, the writing should be in the third person instead
of the first person (i.e. "Smith and Jones [2] previously determined..."
instead of "We [2] previously determined.."). Accepted papers will
obviously contain the names and affiliations of authors.

Panel proposals should be one to three pages and clearly describe the
topic, its relevance and a list of potential panelists and their
biographies.

Proposals for demonstrations of proof of concept and research-based
tools are welcome. Proposals should describe the tool, its relevance to
one of the topics listed above, and space/equipment needs (e.g., power,
networking, etc.)

Paper submissions must be in PDF format. Panel and demo proposals can be
in either plain text or PDF.

Documents can be submitted via the EDAS system at:

http://edas.info/index.php

Once you are logged in, select the DFRWS 2006 conference to submit your
paper. If you do not already have an account with EDAS you can register
at:

http://www.edas.info/Conferences.cgi

A direct link to the EDAS submission website for DFRWS 2006 is here:

http://www.edas.info/home.cgi?c=4771

Organizing Committee

Frank Adelstein (ATC-NY)
David Baker (MITRE)
Brian Carrier (Basis Technology)
Eoghan Casey (Stroz Friedberg)
Dan Kalil (Air Force Research Lab, Assured Information Security)
Chet Maciag (Air Force Research Lab)
Daryl Pfeif (Digital Forensics Solutions)
Golden G. Richard, III (University of New Orleans)
Marcus Rogers (Purdue University)
Vassil Roussev (University of New Orleans)
Todd Shipley (SEARCH)
Wietse Venema (IBM)

Program Committee

Cory Altheide (Google)
Tom Bacon (Southern Oregon University)
Nicole Beebe (University of Texas at San Antonio)
Florian Buchholz (James Madison University)
R. Chandramouli (Stevens Institute of Technology)
Olivier De Vel (Australian Department of Defense)
Tom Daniels (Iowa State University)
Dave Dittrich (University of Washington)
Derick Donnelly (Black Bag Technologies)
Heather Dussalt (State University of New York Institute of Technology)
Knut Eckstein (NATO)
Dario Forte (DFLabs Italy)
Yun Gao (University of New Orleans)
Simson Garfinkel (Harvard University)
Yong Guan (Iowa State University)
Warren Harrison (Portland State University)
Chet Hosmer (Wetsone Technologies)
Erin Keneally (San Diego Supercomputer Center)
Jesse Kornblum (ManTech CFIA)
Michael Losavio (University of Louisville)
James Lyle (NIST)
Nasir Memon (Polytechnic University)
Srinivas Mukkamala (New Mexico Tech)
Judie Mulholland (Florida State University)
Gilbert Peterson (Air Force Institute of Technology)
Steve Romig (Ohio State University)
Kulesh Shanmugasundaram (Polytechnic University)
JK.P. Subbalakshmi (Stevens Institute of Technology)
Duminda Wijesekera (George Mason University)

From isn at c4i.org Tue Apr 4 03:02:20 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 4 Apr 2006 02:02:20 -0500 (CDT)
Subject: [ISN] Payment processor fears credit card crooks
Message-ID:

http://news.com.com/Payment+processor+fears+credit+card+crooks/2100-7349_3-6057305.html

By Joris Evers
Staff Writer, CNET News.com
April 3, 2006

A major online payment provider said Monday that its processing service
had been used in an attempt to charge money to stolen credit and debit
cards.

Several Web hosting companies that use the Authorize.Net service to
accept credit cards online saw a sudden spike in transactions over the
weekend. The transactions, most for $500 and $700, were billed to Visa,
MasterCard and American Express cards that belong to people across the
U.S., representatives for three Web hosts told CNET News.com.
"These hackers got their hands on high quality data, and they used merchants of ours to run that data through the merchant's Web site, which goes through our platform," said David Schwartz, a spokesman for Authorize.Net in American Fork, Utah. The company says more than 130,000 merchants use its online payment service. The Web hosting companies discovered the unusual charges through e-mail alerts that Authorize.Net sends after each transaction. Close to 3,000 suspicious transactions were pushed through the merchant accounts of three companies with which CNET News.com spoke, and more likely happened at other Web hosts, these three companies said. Unclear, however, is where the weakness in the transaction chain is, whether it was at the level of the payment processor or the Web hosts. Also unclear is where the culprits obtained the card information they used in the transaction attempts. On Sunday morning, in about an hour-and-a-half time period, fraudsters ran close to 1,500 transactions through the Authorize.Net account of Defender Technologies Group, a Web host in Ashburn, Va., said Tom Kiblin, the company's CEO. "It was just under $1 million that got put through on our account," he said. Kiblin says he has reported the matter to the U.S. Secret Service. Lance Conway, president of Viper Logic in Palm Springs, Calif., and Lisa Willman, billing manager at Vortech in Orlando, Fla., have similar stories. Viper's account was used on Friday to charge $700 to almost 800 cards, Conway said. At Vortech, that same amount was billed on Friday to about 400 cards, Willman said. In all cases, the information that was put through the system included a card number, expiration date, name and address, representatives for the Web hosts said. The episode is another example of credit card and debit card insecurity. Recently, a crime spree forced banks across the nation to replace hundreds of thousands of debit cards. 
Last year a cyber break-in at a payment processor exposed names, account numbers and verification codes for 40 million credit cards.

The three Web hosting companies have all voided the fraudulent transactions, which took up significant time, the company representatives said. Nevertheless, some consumers noticed that their banks had put holds on their credit cards or even charged their debit cards, and they called the Web hosting companies for clarification.

"We try to explain to them: 'No we're not thieves, we're not stealing your money, your credit card information was stolen,'" said Kiblin. His company, Defender Technologies, has fielded calls from about 100 cardholders, he added.

Conway at Viper Logic received about 30 calls over the weekend, and his phone was ringing often on Monday as well, he said. "What a nightmare. We're just a small company; there are only eight of us here."

Though the attackers already had control over a database of credit card numbers, Authorize.Net and the Web hosting companies are pointing fingers as to who is to blame for allowing the mass charges to the accounts. The Web hosts say there are no traces of transactions on their servers, so fraudsters must have accessed Authorize.Net directly. But Authorize.Net denies any blame.

"Authorize.Net did not suffer from any sort of security breach whatsoever," Schwartz said. "If someone commits fraud in a physical store using a stolen credit card, the merchant would never hold the manufacturer of the card-swipe terminal accountable for that fraud. In the e-commerce world, a payment gateway is the equivalent."

The Web hosting companies may have left open a door to the payment processing service, possibly through their online shopping carts, Schwartz speculated.

Opinions also differ on why someone would want to send large amounts of money into the accounts of the Web hosts. "It looks like somebody was fishing with a credit card list, trying to validate credit cards," said Kiblin.
"The goal for these guys, if a card is valid, they go off and start buying stuff. All these guys that got hit are going to see other charges."

But for that to be true, the transaction amounts are too high, Schwartz said. "Usually, when hackers try to validate whether a card is good or not, they will do an authorization attempt for a dime. If it goes through, they know they have got a good card number, and when it is rejected it is going to reject whether it is a dime or $700," he said.

Avivah Litan, an analyst with Gartner, agreed. She suspects the culprits had figured out the Authorize.Net system and intended for the money to go into the merchant account only to siphon it out later. But they were tripped up by the e-mail notifications Authorize.Net sends to its users.

"It was on a weekend; they always do this stuff on weekends, when no one is around watching these systems. If there were no e-mail alerts, the money would have gone into the merchant account and they would have redirected it into their account and no one would have known," Litan said. "They got caught with their pants down."

Copyright © 1995-2006 CNET Networks, Inc. All rights reserved.

From isn at c4i.org Tue Apr 4 03:02:32 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 4 Apr 2006 02:02:32 -0500 (CDT)
Subject: [ISN] Policeman Charged With Cyberstalking
Message-ID:

http://www.wral.com/apstrangenews/8449104/detail.html

April 3, 2006

HAUPPAUGE, N.Y. -- A police officer named Valentine has been charged with hacking into the e-mail account of a woman he met through an online dating service and posing as her in messages sent to himself and to other men.

Officer Michael Valentine, 28, met the woman on Match.com last November and dated her for about six weeks before she broke up with him, Suffolk County District Attorney Thomas Spota said in a news release. Valentine is accused of reading her e-mail, changing her Match.com profile and sending e-mails using her name.
He went into her account and, posing as her, sent himself an e-mail threatening that her friends would "come out of the bushes with a baseball bat and beat your brains in," prosecutors said. He also sent Match.com messages to 70 men on the dating service to falsely indicate she was romantically interested in them, Spota said. At least twice men showed up at the woman's house to take her out on a date because they were under the mistaken impression she wanted to go out with them, Spota said.

Valentine pleaded not guilty. His lawyer, Paul Gianelli, said he planned to "vigorously defend" his client. "It certainly comes as a shock to my client to be charged with a crime," Gianelli said.

Spota said computer crimes detectives determined that Valentine used a number of computers, including one that belonged to the Suffolk County Police Department.

Valentine, who joined the police force in 2002, was arraigned Monday on a 197-count indictment that included charges of stalking, computer trespassing, official misconduct and tampering with evidence. He was released on his own recognizance and was scheduled to return to court on April 20. He has been suspended from his job without pay.

Copyright 2005 by The Associated Press.

From isn at c4i.org Tue Apr 4 03:01:51 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 4 Apr 2006 02:01:51 -0500 (CDT)
Subject: [ISN] Yahoo: We need effective cybercrime laws
Message-ID:

http://news.zdnet.com/2100-1009_22-6056523.html

By Tom Espiner
ZDNet (UK)
ZDNet News
March 31, 2006

Yahoo has called for "effective" legislation, combined with industry self-regulation, to deal with online fraud, child abuse and other cybercrime.

The Internet services giant appealed on Thursday for policymakers to concentrate on defining illegal use of technology, rather than focus on how an action breaks the law.

"Effective policy defines what is legal and what is illegal.
If legislation is concerned with how an action is illegal, it creates rigidity, and means the legislation won't keep up with the technology," Robin Pembrooke, the director of product operations for Yahoo Europe, told ZDNet UK.

The lack of global legislation adds to the complexity of the situation, Pembrooke added. "It's not realistic to have global legislation, but we do need international consistency," he said. "One example is 'child abuse' content, which has a different definition in the U.S. than in the U.K."

Pembrooke advocated a combination of legislation and self-regulation of Internet businesses in order to combat cybercrime. "There are some really good examples of where the industry has come together. The Internet Watch Foundation is funded by industry, and without legislation, this approach has achieved fantastic things in the last five years," Pembrooke said.

Worldwide cooperation

An Interpol officer agreed with Pembrooke's remarks, and called for a global legislative structure to make international evidence transfer easier, and international response times quicker.

"(Pembrooke) is completely right, we shouldn't overlegislate," said Bernhard Otupal, a crime intelligence officer at the Financial and High Tech Crime Sub-Directorate of Interpol. "In the EU, there are so many different regulations covering different technologies. What we need is real international legislation and a global legislative framework."

"There must be a self-regulatory process for the big players, with internal rules, as that is efficient. However, self-regulation is not enough--you need both legislation and self-regulation," Otupal said.

Yahoo said that over-legislation is incompatible with the needs of its customers, which needed to be balanced with the needs of governments. "We find users want freedom of expression, privacy and ease of use. We have to balance that with the needs of governments looking for increasing access to data," Pembrooke said.
Last year, Yahoo was accused of passing data to the Chinese government that led to the arrest and imprisonment of two Chinese Internet users, including a journalist who was sentenced to 10 years in prison.

Saying Yahoo felt "horrible" about the political arrests of Internet users in China, Pembrooke underlined that the Web company believes it's better to be there and cooperate with the authorities than not be there. "By cooperating with the authorities, we can improve people's lives. By giving them access to the Internet, this raises awareness in differences in government approaches, and increase forces for change," he said.

"Our challenge is we have to work inside the laws of the countries we operate in," Pembrooke said.

Tom Espiner of ZDNet UK reported from London.

From isn at c4i.org Tue Apr 4 03:02:03 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 4 Apr 2006 02:02:03 -0500 (CDT)
Subject: [ISN] Nuke plant gets new locks after keys lost
Message-ID:

http://news.scotsman.com/latest.cfm?id=513752006

Reuters
3 Apr 2006

BERLIN (Reuters) - German authorities are changing 150 locks at a nuclear power plant after its owner said they had lost keys to a security area, a ministry spokesman in the southwestern state of Baden-Wuerttemberg said on Monday.

Plant operator EnBW said that in spite of intensive searches and questioning it had not been able to recover 12 keys for its Philippsburg plant after discovering they were lost in March.

The environment ministry said EnBW informed it the keys were missing and the operator had put extra safety measures in place to control access to the secure area.

"This has never happened anywhere in Germany before," the ministry spokesman said. "The keys have simply disappeared."

Prosecutors have launched an investigation for theft.
From isn at c4i.org Tue Apr 4 03:02:46 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 4 Apr 2006 02:02:46 -0500 (CDT)
Subject: [ISN] A Pretty Good Way to Foil the NSA
Message-ID:

http://www.wired.com/news/technology/0,70524-0.html

By Ryan Singel
Apr. 03, 2006

How easy is it for the average internet user to make a phone call secure enough to frustrate the NSA's extrajudicial surveillance program? Wired News took Phil Zimmermann's newest encryption software, Zfone, for a test drive and found it's actually quite easy, even if the program is still in beta.

Zimmermann, the man who released the PGP e-mail encryption program to the world in 1991 -- only to face an abortive criminal prosecution from the government -- has been trying for 10 years to give the world easy-to-use software to cloak internet phone calls. On March 14, Zimmermann released a beta version of the widely anticipated Zfone. The software is currently available only for OS X (Tiger) and Linux, though a Windows version is due in April.

The open-source software manages cryptographic handshakes invisibly, and encrypts and decrypts voice calls as the traffic leaves and enters the computer. Operation is simple, and users don't have to agree in advance on an encryption key or type out long passcodes to make it work.

Would-be beta testers must provide Zimmermann with an e-mail address. That seems an odd requirement for a privacy product, but the process itself was painless, and an e-mail with a download code arrived immediately.

In our test, Zfone installed easily and quickly on OS X, though there were some mild hitches in actually getting it to work. Zfone is designed to work with VoIP clients that use the industry standard SIP protocol, and has been tested with clients such as X-lite, Free World Dialup and Gizmo Project. Following Zfone's instructions, Wired News was able to fairly quickly configure Gizmo Project to work with the software. But initial efforts to make phone calls with the system failed.
Eventually, a little trial and error revealed that Zfone needed to be started before Gizmo Project, and that to see if a secure connection has been created, both Gizmo and Zfone's interface needed to be visible on the desktop.

Once that happens, and the caller on the other end also has Zfone installed, the interface cleanly indicates that the call is secure. It also displays two different three-character codes. One party reads his code, e.g. "CF8," while the other says hers, "TKP."

This bit of cloak-and-dagger isn't just fun, it helps prevent what is known as a man-in-the-middle attack, in which an eavesdropper sits between two callers, intercepting their cryptographic keys and then relaying the communications between them. If someone tries that with Zfone, the spoken codes won't match what the callers see on their screens.

Using Zfone didn't add any noticeable latency or distortion to calls made with Gizmo Project. Once it's up and running, you're simply talking on the phone.

But make no mistake: to eavesdroppers, Zfone is anything but routine. The protocol is based on SRTP, a system that uses the 256-bit AES cipher and adds to that a 3,000-bit key exchange that produces the codes callers can read off to one another. It has been submitted to IETF for approval as an internet standard, and by most accounts is strong enough to defy even the most sophisticated code-breaking technologies, from a hacker's packet sniffer to the acres of computers beneath Ft. Meade.

That makes Zfone the "most secure telephone system anyone has ever used," according to PGP Corporation's CTO Jon Callas, who worked with Zimmermann on the protocol.

Of course, security is nice, but the value of an end-to-end crypto system is partially a function of its popularity. If you're the only one using the system, there's nobody to talk to.

The Gizmo Project ostensibly uses its own encryption for Gizmo-to-Gizmo calls, though the company won't reveal what algorithms they use.
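The spoken-code check described above works because both three-character codes are derived from the secret that the key exchange produces: two callers who really did exchange keys with each other derive the same secret and see the same codes, while an interposed relay runs one exchange with each caller and leaves them holding two different secrets, so the codes diverge. The Python below is an added illustration of that principle written for this digest; it is not Zfone's code and not the derivation Zfone or SRTP actually uses. It assumes a toy Diffie-Hellman group (the prime 2^255-19 with generator 2, chosen here only to keep the demo fast, far smaller than the 3,000-bit exchange the article mentions), an assumed SHA-256-then-base32 code derivation, and hypothetical callers A and B plus a relay M whose private exponents are fixed constants so the run is repeatable.

```python
import base64
import hashlib

# Toy Diffie-Hellman group, constructed for this illustration only.
# The article's 3,000-bit exchange uses a far larger modulus; this prime
# keeps the demo fast, but the mechanism being shown is the same.
P = 2**255 - 19
G = 2


def dh_public(private_exponent):
    """Public value g^x mod p that a caller sends over the wire."""
    return pow(G, private_exponent, P)


def dh_shared(private_exponent, peer_public):
    """Shared secret (peer_public)^x mod p; only the endpoints can compute it."""
    return pow(peer_public, private_exponent, P)


def display_codes(shared_secret):
    """Two three-character codes derived from the shared secret.

    Both endpoints show the same pair.  Caller A reads the first aloud and
    caller B reads the second, each checking the spoken code against their
    own screen.  (Assumed derivation: SHA-256 then base32; not Zfone's own.)
    """
    digest = hashlib.sha256(shared_secret.to_bytes(32, "big")).digest()
    text = base64.b32encode(digest).decode("ascii")
    return text[0:3], text[3:6]


def spoken_check(screen_a, screen_b):
    """True only if each caller's spoken code matches the other's screen."""
    code_a_spoken, _ = screen_a          # A reads the first code aloud
    _, code_b_spoken = screen_b          # B reads the second code aloud
    return code_a_spoken == screen_b[0] and code_b_spoken == screen_a[1]


def honest_call(a_priv, b_priv):
    """Direct exchange: both sides derive the same secret and the same codes."""
    a_pub, b_pub = dh_public(a_priv), dh_public(b_priv)
    screen_a = display_codes(dh_shared(a_priv, b_pub))
    screen_b = display_codes(dh_shared(b_priv, a_pub))
    return spoken_check(screen_a, screen_b)


def intercepted_call(a_priv, b_priv, m_priv_a, m_priv_b):
    """Relayed exchange: the relay M substitutes its own public values on
    each leg, so A and B end up with two different secrets and the codes
    they display no longer agree."""
    a_pub, b_pub = dh_public(a_priv), dh_public(b_priv)
    m_pub_a, m_pub_b = dh_public(m_priv_a), dh_public(m_priv_b)
    # A believes m_pub_a is B's value; B believes m_pub_b is A's value.
    screen_a = display_codes(dh_shared(a_priv, m_pub_a))
    screen_b = display_codes(dh_shared(b_priv, m_pub_b))
    # M can read both legs (it holds m_priv_a and m_priv_b), but it cannot
    # make the two screens show the same codes, which is what the callers check.
    return spoken_check(screen_a, screen_b)


if __name__ == "__main__":
    print("direct call, codes match:", honest_call(123456789, 987654321))
    print("relayed call, codes match:",
          intercepted_call(123456789, 987654321, 1111, 2222))
```

Running it prints True for the direct call and False for the relayed one. The codes are a check on a secret that already exists, not a secret themselves, and a short code only catches a relay that has no say over which codes get displayed; that is the reason protocols built on this idea bind the displayed value to material committed before the exchange completes, a design detail the article does not go into.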
But primarily, Zfone is competing with the built-in crypto that comes with Skype, which is closed-source, uses its own proprietary protocols, and employs its own encryption scheme -- which, significantly, is not available for inspection and peer-review (though some have evaluated (.pdf) it and others purportedly cracked it anyway).

Those are all troubling signs for a security system. But as a standard element in Skype's popular VoIP software, this unproven crypto has already achieved a market penetration that will likely elude Zimmermann's system.

So as nice as it is, unless Zfone is adopted by mainstream VoIP providers, it will probably occupy the same limited market niche as the hyper-secure PGP program that ruffled so many government feathers over a decade ago. PGP didn't become standard e-mail fare outside of the community of geeks, cypherpunks and those with special privacy needs, like human rights workers and people living in countries where the government routinely spies on its citizens without oversight.

Fortunately for Zimmermann, there are a lot more of us these days.

From isn at c4i.org Tue Apr 4 03:02:58 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 4 Apr 2006 02:02:58 -0500 (CDT)
Subject: [ISN] Microsoft's Canberra security deal
Message-ID:

http://australianit.news.com.au/articles/0,7204,18699718%5E15306%5E%5Enbv%5E,00.html

Simon Hayes and James Riley
The Australian
APRIL 04, 2006

MICROSOFT has promised to help Australia tackle threats to "national security, economic strength and public safety" under a deal to allow its engineers to examine attempts to hack into federal government computer networks.

Microsoft managing director Steve Vamos and Attorney-General's Department secretary Robert Cornall will sign the Microsoft Security Co-operation Agreement tomorrow in a ceremony to be chaired by Attorney-General Philip Ruddock at federal Parliament House.
The deal is to share data on security incidents and information on critical events and security emergencies.

Australia follows the US, Canada, Chile and Norway in signing the agreement, aimed at improving the flow of computer security information.

The deal builds on Microsoft's 2003 agreement to allow the government to examine source code for Windows and Office. That agreement followed an increase in the popularity of open source software. Microsoft opened its code to select governments to prove its technology was as safe as any other, but not all governments were happy with the access restrictions imposed by Microsoft.

China, Russia, Britain and NATO signatory countries are among other nations to have signed that agreement.

The new agreement is expected to include access to information on planned software patches, and data about vulnerabilities that Microsoft is investigating, allowing the government to plan ahead for security threats.

Also likely is an agreement for Microsoft to provide resources for a joint response to emergencies, and to provide assistance with consumer education campaigns on computer security.

A Microsoft Australia spokesman declined to comment on the program.

Chairman Bill Gates told a conference in February last year that Microsoft would give governments better access to security information, and would help protect critical infrastructure.

"We have 24-hour-a-day surveillance working with other companies, so we see things and we can work with governments around the clock when there is a challenge," he said. "Having these channels of communication open, knowing exactly who to work with, what the messaging should be, that's something we're putting in place."

Microsoft public sector corporate vice-president Gerri Elliott last year said the program would make it easier to track and combat security threats to government agencies and critical infrastructure.
"The digital age creates some unique challenges for governments to help secure their computing environments," he said. "By taking a collaborative approach with global governments, we can bring to bear the combined expertise from public and private sectors and enable governments to better prepare, manage and mitigate the impact of security incidents."

From isn at c4i.org Tue Apr 4 03:03:24 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 4 Apr 2006 02:03:24 -0500 (CDT)
Subject: [ISN] REVIEW: "Snort Cookbook", Angela Orebaugh/Simon Biles/Jacob Babbin
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKSNRTCB.RVW 20051208

"Snort Cookbook", Angela Orebaugh/Simon Biles/Jacob Babbin, 2005, 0-596-00791-4, U$39.95/C$55.95
%A Angela Orebaugh
%A Simon Biles
%A Jacob Babbin
%C 103 Morris Street, Suite A, Sebastopol, CA 95472
%D 2005
%G 0-596-00791-4
%I O'Reilly & Associates, Inc.
%O U$39.95/C$55.95 800-998-9938 fax: 707-829-0104 nuts at ora.com
%O http://www.amazon.com/exec/obidos/ASIN/0596007914/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596007914/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0596007914/robsladesin03-20
%O Audience i+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P 270 p.
%T "Snort Cookbook: Solutions and Examples for Snort Administrators"

Chapter one covers the installation of Snort on various systems, and even includes a wiring diagram for a passive tap, if you need that sort of application. (The "cookbook" format, with its "Problem/Solution" structure, seems a bit odd, in this case.) An assortment of issues in logging are dealt with in chapter two. The creation and maintenance of rules, in chapter three, is discussed in a very useful fashion. Chapter four is about preprocessing, and is somewhat more demanding of the reader.
Administrative tools, for managing Snort sensors, rulesets, and data, are described in chapter five, while utilities for analysis and display of collected information are presented in six. A variety of additional uses for Snort are mentioned in chapter seven.

This book outlines the basic use and operation of Snort in a convenient and easy-to-use manner. Aside from the first chapter, the cookbook format is used effectively, and thus the work becomes a handy, quick reference for those interested in using and exploring Snort.

copyright Robert M. Slade, 2005 BKSNRTCB.RVW 20051208

======================
(quote inserted randomly by Pegasus Mailer)
rslade at vcn.bc.ca slade at victoria.tc.ca rslade at sun.soci.niu.edu
What you see and hear depends a good deal on where you are standing; it also depends on what sort of person you are. - Clive Staples Lewis
http://victoria.tc.ca/techrev/rms.htm

From isn at c4i.org Tue Apr 4 03:03:59 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 4 Apr 2006 02:03:59 -0500 (CDT)
Subject: [ISN] Linux Security Week - April 4th 2006
Message-ID:

+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| April 4th, 2006 Volume 7, Number 14n |
| |
| Editorial Team: Dave Wreski dave at linuxsecurity.com |
| Benjamin D. Thomas ben at linuxsecurity.com |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Steganography FAQ," "IPCop-OpenVPN HOWTO," "International Body Adopts Network Security Standard," and "The Top 10 Information Security Myths."

---

EnGarde Secure Linux: Why not give it a try?
EnGarde Secure Linux is a Linux server distribution that is geared toward providing an open source platform that is highly secure by default as well as easy to administer. EnGarde Secure Linux includes a select group of open source packages configured to provide maximum security for tasks such as serving dynamic websites, high availability mail transport, network intrusion detection, and more. The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are also freely available with GDSN registration.

http://www.engardelinux.org/modules/index/register.cgi

---

EnGarde Secure Community 3.0.5 Released

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.5 (Version 3.0, Release 5). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation.

http://www.linuxsecurity.com/content/view/121879/65/

---

pgp Key Signing Observations: Overlooked Social and Technical Considerations
By: Atom Smasher

While there are several sources of technical information on using pgp in general, and key signing in particular, this article emphasizes social aspects of key signing that are too often ignored, misleading or incorrect in the technical literature. There are also technical issues pointed out where I believe other documentation to be lacking.

It is important to acknowledge and address social aspects in a system such as pgp, because the weakest link in the system is the human that is using it. The algorithms, protocols and applications used as part of a pgp system are relatively difficult to compromise or 'break', but the human user can often be easily fooled. Since the human is the weak link in this chain, attention must be paid to actions and decisions of that human; users must be aware of the pitfalls and know how to avoid them.
http://www.linuxsecurity.com/content/view/121645/49/

---

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* (IN)SECURE Issue 6 has been released
30th, March, 2006

The latest edition of this free PDF digital security magazine is packed with content that caters to all levels of knowledge. Get your copy today!

http://www.linuxsecurity.com/content/view/122162

* Steganography FAQ
29th, March, 2006

Steganography is a subject which is rarely touched upon by most IT Security Enthusiasts. Most people don't see Steganography as a potential threat; some people don't even know what Steganography is. With this FAQ I hope to answer any questions anyone may want to ask about Steganography, and to educate people so they can understand what exactly Steganography is. Is Steganography a potential threat? Well, you're about to find out.

http://www.linuxsecurity.com/content/view/122140

* IPCop-OpenVPN HOWTO
30th, March, 2006

I'm a huge fan of IPCop. It's a great firewall distro that makes administration a snap using a slick web interface. My goal was to use IPCop and an easy-to-use VPN client to allow access to my LAN while away from home. I ended up going with the ZERINA OpenVPN addon for IPCop and the OpenVPN GUI for Windows. If you've ever wanted full, secure, encrypted access to your LAN from any remote location, here is your guide.

http://www.linuxsecurity.com/content/view/122168

* Defeating the Hacker
31st, March, 2006

Way back in the early 1980s, Robert Schifreen shot to notoriety as one of the hackers who broke into Prince Philip's mailbox on the Prestel service. It was this case that, after the Law Lords ruled that the forgery laws did not cover typing a user name and password into a computer screen, instigated the drafting and passage of the Computer Misuse Act in 1984.
Schifreen has spent the intervening years being a respectable computer journalist, and his specialty -- as you might expect -- is security. Defeating the Hacker: A Non-Technical Guide to IT Security is the result of years of writing, research and speaking at conferences on security topics.

http://www.linuxsecurity.com/content/view/122178

* International Body Adopts Network Security Standard
25th, March, 2006

The International Organization for Standardization (ISO) approved last month a comprehensive model that identifies critical requirements to ensure end-to-end network security. Specifically, the global standards group formally adopted ISO/IEC 18028-2, which defines a standard security architecture and provides a systematic approach to support the planning, design and implementation of information technology networks.

http://www.linuxsecurity.com/content/view/122087

* Look Toward The Future
27th, March, 2006

Just like their larger brethren, small to medium-sized enterprises that wish to garner a competitive advantage must develop an effective IT plan. Increasingly, IT departments are becoming the hub of the company, and more and more companies expect their IT managers to accomplish a variety of tasks with limited resources. In fact, having an established plan goes far to empower smaller firms so they'll be able to play with the "big boys" in their industry arenas.

http://www.linuxsecurity.com/content/view/122123

* Learning An Advanced Skillset
28th, March, 2006

It was almost two years ago now that I wrote the SecurityFocus article on TCP/IP skills required for security analysts. That article offered advice on how one can seek employment in the security field through education, training, and a strong focus on TCP/IP. The idea came about from all of the questions this author has been asked on the subject. There is often a lot of uncertainty as to what one should study to further one's career in the network security world.
Much as I mentioned previously, it can be a daunting task. What was laid out as core skills required for a fully competent security analyst are in reality but a baseline. From that foundation of skills learnt and honed over time can you begin to think about acquiring more advanced skills.

http://www.linuxsecurity.com/content/view/122133

* Visualization in the Security and New Media World
31st, March, 2006

Information visualization seems to be a growing trend in today's knowledge driven, and information-overloaded society. The following represents a URL tree graph of the Security Mind Streams blog -- looks resourceful! Want to freely graph your site/blog? Take advantage of Texone's tree, just make sure you don't forget to press the ESC key at a certain point.

http://www.linuxsecurity.com/content/view/122180

* Are Cyber Criminals Or Bureaucrats The Industry's Top Performer?
28th, March, 2006

Last week, I came across a great article at Forbes.com, "Fighting Hackers, Viruses, Bureaucracy", an excerpt: "Cyber security largely ends up in the backseat," says Kurtz, who prior to lobbying did stints in the State Department, the National Security Council and as an adviser to President George W. Bush on matters relating to computer security. "Our job is to shine a bright light on it, to help people understand it."

http://www.linuxsecurity.com/content/view/122136

* Open Source Security Testing Methodology
30th, March, 2006

Truth is made of numbers. Following this golden rule, Federico Biancuzzi interviewed Pete Herzog, founder of ISECOM and creator of the OSSTMM, to talk about the upcoming revision 3.0 of the Open Source Security Testing Methodology Manual. He discusses why we need a testing methodology, why use open source, the value of certifications, and plans for a new vulnerability scanner developed with a different approach than Nessus.
http://www.linuxsecurity.com/content/view/122165

* Lundquist's Guide To Not Getting Fired for Losing Your Laptop
2nd, April, 2006

How often do we have to read about someone losing a laptop with a bunch of client data? I've included some links to recent stories: Stolen Fidelity Laptop Exposes HP Workers and Lost Fidelity Laptop Stirs Fear of ID Theft. Stop and think for a second. You are a high-powered road warrior jetting around the world making lots of complex but incredibly lucrative financial deals. You lose your laptop with all that important information. You have to call your boss back at the home office. Your next job involves asking customers if they want the large or the super-jumbo Slurpee.

http://www.linuxsecurity.com/content/view/122184

* Roll Your Own Firewall
27th, March, 2006

Over the years I have learned how to roll my own firewall script and call it from /etc directory. Of course, my firewall is only INPUT based, instead of INPUT and OUTPUT based, but I find that building an INPUT/OUTPUT based firewall is tremendously difficult and not really all that necessary if you use good download practices on your Linux server or PC and/or if you're already behind a NAT router (such as a home-based DSL or cable router or wireless router) or other firewall.

http://www.linuxsecurity.com/content/view/122120

* Domain Registrar Joker Hit by DDoS
27th, March, 2006

Domain registrar Joker.com says its nameservers are under attack, causing outages for customers. More than 550,000 domains are registered with Joker, which is based in Germany. Any of those domains that use Joker's DNS servers are likely to be affected. "Joker.com currently experiences massive distributed denial of service attacks against nameservers," the registrar says in an advisory on its home page. "This affects DNS resolution of Joker.com itself, and also domains which make use of Joker.com nameservers. We are very sorry for this issue, but we are working hard for a permanent solution."
http://www.linuxsecurity.com/content/view/122108

* Detecting Botnets Using a Low Interaction Honeypot
26th, March, 2006

This paper describes a simple honeypot using PHP and emulating several vulnerabilities in Mambo and Awstats. We show the mechanism used to 'compromise' the server and to download further malware. This honeypot is 'fail-safe' in that when left unattended, the default action is to do nothing -- though if the operator is present, exploitation attempts can be investigated. IP addresses and other details have been obfuscated in this version.

http://www.linuxsecurity.com/content/view/122088

* The e-Crime Congress 2006. March 30 & 31 2006
27th, March, 2006

The e-Crime Congress 2006 will seek to challenge conventional attitudes on e-Crime and examine how business, government and law enforcement can continue to work together in order to tackle a threat that undermines public confidence in the Internet as a viable and secure commercial medium for the future.

http://www.linuxsecurity.com/content/view/122112

* The Pathogenesis of Dark Traffic Attacks
29th, March, 2006

As well as straightforward spam, dark traffic comprises directory harvest attacks, email Denial of Service attacks, malformed SMTP packets, invalid recipient addresses, and other requests and communications unrelated to the delivery of valid email messages.

http://www.linuxsecurity.com/content/view/122139

* Amanda 2.5 - A major new release of the Open Source Backup Software
27th, March, 2006

Amanda is the world's most popular open source backup and recovery software. Amanda allows system administrators to set up a single server to back up multiple hosts to a tape- or disk-based storage system over the network. It uses native dump and/or GNU tar facilities and can back up a large number of workstations or servers running various versions of Linux, Unix, Mac OS-X or Microsoft Windows operating systems. On March 23rd, 2006, the Amanda team released a major version (2.5) of the software.
Overall the focus of the release is on security of the backup process & backed up data, scalability of the backup process and ease of installation & configuration of Amanda.

http://www.linuxsecurity.com/content/view/122111

* Users of SELinux Now Have A Choice On Security
27th, March, 2006

The release of a new open-source security package has sparked debate over how many Mandatory Access Control applications Linux really needs, and if more than one would just dilute volunteer efforts. Novell Inc. of Provo, Utah, recently released the source code for its recently acquired Linux security application, AppArmor. It also set up a project site in hopes of attracting outside developers to further refine the program.

http://www.linuxsecurity.com/content/view/122125

* Linux Supporters Fiddle While OpenSSH Burns
30th, March, 2006

Once again, the OpenBSD project is asking for donations to keep its operations in motion. It doesn't ask for much -- U.S. $100,000 (small potatoes in the operating system development industry) -- yet it provides so much to the software world. Even if you don't use OpenBSD, you're likely to be benefiting from it unknowingly. If you're using Solaris, SCO UnixWare, OS X, SUSE Linux, or Red Hat Enterprise Linux, chances are you're using the OpenBSD-developed OpenSSH for secure shell access to remote machines. If so many are using this software, why are so few paying for it? Official responses (and non-responses) from Sun Microsystems, IBM, Novell, and Red Hat are below, but if you're one of the freeloaders who hasn't contributed to OpenBSD or OpenSSH, what's your excuse?

http://www.linuxsecurity.com/content/view/122166

* Computer Forensics Tool Testing (CFTT) Project
27th, March, 2006

There is a critical need in the law enforcement community to ensure the reliability of computer forensic tools. A capability is required to ensure that forensic software tools consistently produce accurate and objective test results.
The goal of the Computer Forensic Tool Testing (CFTT) project at the National Institute of Standards and Technology (NIST) is to establish a methodology for testing computer forensic software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware.

http://www.linuxsecurity.com/content/view/122109

* Version 0.7 of the OSSEC HIDS is now available
29th, March, 2006

OSSEC HIDS is an open source host-based intrusion detection system. It performs log analysis, integrity checking, rootkit detection, time-based alerting and active response. This is one of the most improved versions so far. It now includes support for squid, pure-ftpd, postfix and AIX ipsec logs (in addition to a lot of improvements to the previous rules).

http://www.linuxsecurity.com/content/view/122138

* Secure Coding
27th, March, 2006

The primary cause of commonly exploited software vulnerabilities is software defects that could have been avoided. Through our analysis of thousands of vulnerability reports, the CERT/CC has observed that most of them stemmed from a relatively small number of root causes. If we can identify the root causes of vulnerabilities and develop secure coding practices for illustration, software producers may be able to take practical steps to prevent introduction of vulnerabilities into deployed software systems.

http://www.linuxsecurity.com/content/view/122110

* Exegesis of Virtual Hosts Hacking
28th, March, 2006

There is a lot that we can say about finding virtual hosts from a given IP address. Sometimes this task is straightforward, other times a bit of thinking is required. However, in general it is not a mission impossible. During the last few years, domain name databases have emerged like mushrooms after a rainy day. This has certainly increased the awareness among security professionals about the possibility of using virtual hosts as backdoors when testing the security of a given organization.
In reality, a good attacker will try to break into your organization by knocking on the not-so-obvious doors.

http://www.linuxsecurity.com/content/view/122128

* Ensure data doesn't leave with your staff
28th, March, 2006

With average employee turnover in the UK stable at about 15%, the security implications of staff departures should not be overlooked. While most departing employees are honourable, there is, unfortunately, a sizeable minority who will copy databases, customer requirements, tender documents or, in some cases, copy and remove proprietary code.

http://www.linuxsecurity.com/content/view/122130

* Secure Your Applications From The Start
28th, March, 2006

Information security in financial services is one of the highest priorities for C-level executives. CEOs don't want the bad press and liabilities associated with a security breach, and CIOs know that their phones will be the first to ring if data is compromised. Adding to the urgency of the issue, the number of reported security vulnerabilities and the cost per incident continue to rise, according to the 2005 Computer Security Institute/FBI Computer Crime and Security Survey. But most IT shops don't properly test applications for security flaws during the development life cycle, resulting in apps riddled with vulnerabilities. Too often, security and application development are viewed as separate disciplines. Part of the problem is that security teams often are called in to add security to software post-development, rather than working alongside developers during the development process.

http://www.linuxsecurity.com/content/view/122135

* Knoppix Hacks: Scanning For Viruses
28th, March, 2006

Ridding a network of Windows computers of a virus or worm can seem impossible. Viruses may cause computers to reboot and infect new machines while you are in the process of removing them. Through the use of the live-software installer, Knoppix provides a solution to this catch-22.
http://www.linuxsecurity.com/content/view/122137

* Looking For Love In All The Wrong Places
29th, March, 2006

Despite all the dire warnings about legal liabilities and security risks, a new study indicates one in five workers uses his or her company's Web access for personal use. Among the industries reporting the highest abuse is the male-dominated manufacturing field, where nearly 13% of users try accessing forbidden pornography, dating and gambling sites. Its workforce also tended to chat longest with friends while at work.

http://www.linuxsecurity.com/content/view/122160

* Security isn't always perfect, but it doesn't necessarily have to be
30th, March, 2006

A big part of being a security professional, or for that matter an informed citizen, is examining a proposed security control and identifying weaknesses or ways it could potentially be bypassed. But there's a logic error frequently committed here, and that's assuming that because a control has some weakness, that it's useless. This is due to a poor understanding of what the goal of the exercise is and a poor understanding of what security is really about.

http://www.linuxsecurity.com/content/view/122163

* The Top 10 Information Security Myths
30th, March, 2006

When it comes to information security, there's a lot of popular wisdom available, but much of it is unfounded and won't necessarily improve your organization's security. Only by cutting through the hype to separate reality from myth can IT professionals help take their enterprises to the next level. Here are 10 network security myths that bear further examination.

http://www.linuxsecurity.com/content/view/122164

* E-mail Security: Detecting Spam (II)
30th, March, 2006

As spam filters get more advanced, less spam is allowed to enter into user's inbox so the business model of spammers gets hurt.
Instead of thinking that people don't really like to receive spam and they would prefer less intrusive ways to get publicity, they try to workaround these filters in, sometimes, really clever ways. So, spam filters have to be continually modified and adapted to not fall into these new tricks.

http://www.linuxsecurity.com/content/view/122167

* Why Phishing Attacks Work
30th, March, 2006

When asked if a phishing site was legit or a spoof, 23% of users use only the content of the website to make the decision! The majority of users ignore the address and SSL indicators in the browser. Some users think that favicons and lock icons in HTML are more important indicators. The paper hints that the proposed IE7 security indicators and multi-colored address bar will also suffer a similar fate. This study is brought to you by the people who developed the security skins Firefox extension.

http://www.linuxsecurity.com/content/view/122169

* RSA Looks To Drown Phishers In Data Flood
1st, April, 2006

A novel tactic to defeat phishers is being employed by Cyota staff: flooding phishing sites with fake bank details to make the real information harder to find. RSA's Cyota division is helping fight phishing attacks by giving the online fraudsters what they want -- lots of user names, passwords, online banking credentials and credit card numbers.

http://www.linuxsecurity.com/content/view/122183

* CYBEREYE: Security: Lots Of Lessons, Nothing Learned
28th, March, 2006

The issues of personal data security and identity theft broke into the national consciousness a year ago, when Choice-Point reported that thieves had established accounts with the data broker to obtain sensitive information on 145,000 people. Outrage was immediate, but the problem has persisted.
Despite congressional hearings, a plethora of federal bills and the passage of laws in at least 22 states, data on more than 53 million people was stolen, lost or exposed in 121 more incidents over the next year, according to the Privacy Rights Clearinghouse. By far the largest exposure was at payment processor CardSystems Solutions Inc., which effectively was put out of business after data on 40 million people was hacked.

http://www.linuxsecurity.com/content/view/122134

* GAO: Security Accreditation Program a Tough Sell
31st, March, 2006

The federal government's program for testing and accrediting the security of commercial technology has not been proven a success, according to a report by the Government Accountability Office. The National Information Assurance Partnership (NIAP), which is sponsored by the National Security Agency and the National Institute of Standards and Technology, was created to make it easier for agencies to find products that meet basic industry standards for security.

http://www.linuxsecurity.com/content/view/122181

* Consumer Data Security Bill Passes Out of House Committee
31st, March, 2006

A House committee this week unanimously approved a data security law that would establish federal standards for protecting personal information and would supersede state laws. The Data Accountability and Trust Act, (HR 4127), is one of a spate of bills introduced last year in the wake of publicity about the theft or loss of data that could lead to identity theft. The incidents came to light as a result of state laws requiring consumer notification of security breaches and spurred a consumer demand for tighter regulation.

http://www.linuxsecurity.com/content/view/122182

* Industrial espionage worm authors jailed
28th, March, 2006

A married couple accused of using computer worms to conduct industrial espionage has received jail terms of four and two years after pleading guilty in an Israeli court.
http://www.linuxsecurity.com/content/view/122129

* Registrar Joker.com Suffers Attack
28th, March, 2006

Domain-name registrar Joker.com acknowledged this weekend that distributed denial-of-service attacks had caused numerous problems for customers that use its domain-name service (DNS) servers to advertise the Internet addresses of their domains.

http://www.linuxsecurity.com/content/view/122132

* Two DNS Servers Hit By denial-of-service Attacks
29th, March, 2006

In the second attack of its kind in the past few days, Domain Name System (DNS) servers at Network Solutions Inc. were hit by a denial-of-service attack this afternoon, resulting in a brief performance degradation for customers, according to the company. The attacks, which started at around 2:20 p.m. EST, were targeted at the company's WorldNIC name servers and resulted in a service degradation for about 25 minutes before the server was restored to normal, a spokeswoman for the company said.

http://www.linuxsecurity.com/content/view/122142

* Hackers Serve Rootkits with Bagles
31st, March, 2006

Malicious hackers have fitted rootkit features into the newest mutants of the Bagle worm, adding a stealthy new danger to an already virulent threat. According to virus hunters at F-Secure, of Helsinki, Finland, the latest Bagle.GE variant loads a kernel-mode driver to hide the processes and registry keys of itself and other Bagle-related malware from security scanners.

http://www.linuxsecurity.com/content/view/122179

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.
LinuxSecurity.com
To unsubscribe email newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Wed Apr 5 05:25:29 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 5 Apr 2006 04:25:29 -0500 (CDT)
Subject: [ISN] DHS Spokesman Is Accused of Soliciting Teen Online
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2006/04/04/AR2006040401973.html

By Spencer S. Hsu
Washington Post Staff Writer
April 5, 2006

The deputy press secretary for the Department of Homeland Security was arrested last night on charges that he used the Internet to seduce an undercover Florida sheriff's detective who he thought was a 14-year-old girl, the Polk County Sheriff's Office said.

Brian J. Doyle, 55, was arrested at his Silver Spring home at 7:45 p.m. and charged with seven counts of using a computer to seduce a child and 16 counts of transmitting harmful materials to a minor, according to a sheriff's office statement. Agents with the department's Inspector General's Office, the U.S. Secret Service, the Montgomery County police and the Polk County Sheriff's Office served a search warrant and seized his home computer and other materials, the statement said.

Doyle was online at the time awaiting what he thought was a nude image of a girl who had lymphoma, Polk County Sheriff Grady Judd said in an interview with Fox News' "On the Record With Greta Van Susteren." "We wanted to make sure he was using that computer and talking to detectives at the time of the arrest," Judd said.

In his initial communication last month, Doyle told an undercover computer-crimes detective who he was and that he worked for the Department of Homeland Security, later disclosing numbers for his office phone and government-issued cellphone and using those lines, the sheriff's office said.

"If he would provide that kind of information to include a photograph of himself with his identification tags, who else may he be talking to around the world who he thinks to be a 14-year-old girl?" Judd said on CNN's "Anderson Cooper 360."

Attempts to reach Doyle, who was booked into the Montgomery County jail on the Polk County charges, on his office and cellphone numbers and by his official e-mail were unsuccessful. He was a TSA spokesman before becoming deputy press secretary last year to Homeland Security Secretary Michael Chertoff. Chertoff press secretary Russ Knocke declined to comment on the case beyond releasing a written statement, saying, "We take these allegations very seriously and we will cooperate fully with this ongoing investigation."

Judd said Doyle confessed and waived extradition to Polk County. According to the sheriff's office, Doyle initiated a sexually explicit conversation with the detective on March 12 in response to an Internet profile of a 14-year-old girl. Doyle allegedly sent pornographic movie clips, non-pornographic photos of himself and instant messages from his AOL account, the police statement said. The sheriff's office alleged that Doyle "on many occasions" instructed the undercover detective to perform a sexual act while thinking of him and described explicit acts he wished to perform.

Another Homeland Security official -- Frank Figueroa, special agent in charge of U.S. Immigration and Customs Enforcement in Tampa -- faces trial this week on charges of exposing himself to a teenage girl last year at a mall. Figueroa, who has been suspended, pleaded not guilty.

From isn at c4i.org Wed Apr 5 05:26:26 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 5 Apr 2006 04:26:26 -0500 (CDT)
Subject: [ISN] Air Force to use Symantec product suite and consulting services
Message-ID:

http://www.fcw.com/article92832-04-04-06-Web

[I wonder if the USAF will be stuck activating and reactivating their security software over and over again [1], and often at the most inopportune times... - WK]

By Michael Hardy
Apr. 4, 2006

The Air Force has selected Symantec's LiveState Client Management Suite and the company's professional services consulting to support its Air Force Standard Desktop Configuration. The Air Force's effort is a global client device and software management program. Through the five-year contract with Symantec, the service is working to create, deploy and manage applications and settings centrally for hundreds of thousands of users worldwide.

"The military's demand for secure and survivable [information technology] assets compliant with policies requires a continuous and integrated approach to asset management spanning security, compliance, administration, and recovery," said David Saunders, vice president of Symantec's public-sector business, in a statement.

LiveState provides life cycle management of devices from the time they are acquired until they are discarded. The Air Force agreement came through the Defense Department's Enterprise Software Initiative.

[1] http://www.gripe2ed.com/scoop/story/2006/1/6/0331/89933

From isn at c4i.org Wed Apr 5 05:25:10 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 5 Apr 2006 04:25:10 -0500 (CDT)
Subject: [ISN] After attack, Network Solutions knocked down again
Message-ID:

http://www.computerworld.com/developmenttopics/websitemgmt/story/0,10801,110193,00.html

by Robert McMillan
APRIL 04, 2006
IDG NEWS SERVICE

For the second time in a week, domain-name registrar Network Solutions Inc. has experienced a disruption of service. The company's Web site was inaccessible for more than two hours earlier today because of an outage at the company's Internet service provider, Savvis Inc.

"Our collocation provider experienced a global outage, so people could not access their products and services from about 7:56 a.m. to about 10:02 a.m. this morning, Eastern time," said Susan Wade, a Network Solutions spokeswoman. The provider in question was Savvis, she said.
The Network Solutions Web site is now operating normally, she said this afternoon. Network Solutions was the first company authorized to register the Internet's domain names, and its Web site is still widely used to register and manage information about domain names.

This outage comes a week after the Herndon, Va.-based company's WorldNIC Domain Name System (DNS) servers were hit by a denial-of-service attack, which temporarily disrupted the servers (see "Update: Two DNS servers hit by denial-of-service attacks" [1]). The WorldNIC servers are used to translate domain names such as IDG.com into the numerical Internet Protocol addresses used by computers on the Internet.

Savvis officials could not be reached for comment, but discussion early today on a list [2] used by network operators indicated that the company may have had a problem at its data center in Weehawken, N.J.

[1] http://www.computerworld.com/networkingtopics/networking/story/0,10801,109972,00.html
[2] http://www.merit.edu/mail.archives/nanog/msg16832.html

From isn at c4i.org Wed Apr 5 05:28:17 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 5 Apr 2006 04:28:17 -0500 (CDT)
Subject: [ISN] NHTCU disappears into new crime agency
Message-ID:

http://www.techworld.com/security/news/index.cfm?NewsID=5713

By Matthew Broersma
Techworld
04 April 2006

When you're hit by a virus, will SOCA want to know?

Home Secretary Charles Clarke has formally launched the Serious Organised Crime Agency (SOCA), which will handle high-tech crime along with drugs trafficking, immigration crime, money laundering and identity fraud. IT industry observers, meanwhile, said criticisms of the previous anti-cybercrime approach had not yet been addressed.

SOCA folds in the National High-Tech Crime Unit (NHTCU), formerly the main national UK force tackling cybercrime, along with the National Crime Squad, the National Criminal Intelligence Service and specialists from HM Revenue and Customs and the UK Immigration Service.
There is a worry that high-tech crime may be lost at SOCA amid a predominant focus on drugs trafficking and immigration crime, according to industry observers. The new body plans to spend 40 percent of its resources on stopping drug trafficking, 25 percent on immigration, 10 percent on individual and private sector fraud and 15 percent on other types of crime, with another 10 percent spent on assisting other law-enforcement agencies.

But anti-cybercrime efforts may also benefit from being included alongside other types of crime. "In some ways it makes sense, since it isn't really distinct from other types of crime," said Graham Cluley, senior technology consultant with Sophos.

The main problem under the NHTCU was the lack of a clear structure for the reporting of cybercrime, which means there are no reliable cybercrime statistics for the UK. "A clear structure for how to report computer crimes has been missing all along. If you're hit by a virus, no one in authority wants to know," Cluley said. "They actually say, 'don't tell us, tell the antivirus companies'. With this reshuffling, there is a danger that companies may not be clear whom to report to."

Clarke said the new agency will be better able to tackle sophisticated

From isn at c4i.org Wed Apr 5 05:28:27 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 5 Apr 2006 04:28:27 -0500 (CDT)
Subject: [ISN] Citigroup employee accused of hacking
Message-ID:

http://www.whas11.com/news/local/stories/WHAS11_local_Citigroupcreditfraud.30ec202.html

April 4, 2006

A Citigroup employee is accused of hacking into the accounts of almost a half-dozen customers. Tremice Ralston is charged with misuse of computer information. Police say Ralston illegally obtained access to the credit card accounts of five customers. They say she would then raise the credit limit on the customers' cards, order a new one and then have them sent to relatives.
This is the second time in just one week that a Louisville bank employee has been charged with stealing money from customers. Last week, Patricia Jordan pleaded not guilty to embezzling more than 210-thousand dollars from customers of the National City Bank on Breckenridge Lane.

From isn at c4i.org Thu Apr 6 04:28:18 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 6 Apr 2006 03:28:18 -0500 (CDT)
Subject: [ISN] Microsoft Says Recovery from Malware Becoming Impossible
Message-ID:

http://www.eweek.com/article2/0,1895,1945808,00.asp

By Ryan Naraine
April 4, 2006

LAKE BUENA VISTA, Fla. - In a rare discussion about the severity of the Windows malware scourge, a Microsoft security official said businesses should consider investing in an automated process to wipe hard drives and reinstall operating systems as a practical way to recover from malware infestation.

"When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit," Mike Danseglio, program manager in the Security Solutions group at Microsoft, said in a presentation at the InfoSec World conference here.

Offensive rootkits, which are used to hide malware programs and maintain an undetectable presence on an infected machine, have become the weapon of choice for virus and spyware writers and, because they often use kernel hooks to avoid detection, Danseglio said IT administrators may never know if all traces of a rootkit have been successfully removed.

He cited a recent instance where an unnamed branch of the U.S. government struggled with malware infestations on more than 2,000 client machines. "In that case, it was so severe that trying to recover was meaningless. They did not have an automated process to wipe and rebuild the systems, so it became a burden. They had to design a process real fast," Danseglio added.
Danseglio, who delivered two separate presentations at the conference - one on threats and countermeasures to defend against malware infestations in Windows, and the other on the frightening world of Windows rootkits - said anti-virus software is getting better at detecting and removing the latest threats, but for some sophisticated forms of malware, he conceded that the cleanup process is "just way too hard."

"We've seen the self-healing malware that actually detects that you're trying to get rid of it. You remove it, and the next time you look in that directory, it's sitting there. It can simply reinstall itself," he said.

"Detection is difficult, and remediation is often impossible," Danseglio declared. "If it doesn't crash your system or cause your system to freeze, how do you know it's there? The answer is you just don't know. Lots of times, you never see the infection occur in real time, and you don't see the malware lingering or running in the background."

He recommended using PepiMK Software's SpyBot Search & Destroy, Mark Russinovich's RootkitRevealer and Microsoft's own Windows Defender, all free utilities that help with malware detection and cleanup, and urged CIOs to take a defense-in-depth approach to preventing infestations.

Danseglio said malicious hackers are conducting targeted attacks that are "stealthy and effective" and warned that the for-profit motive is much more serious than even the destructive network worms of the past. "In 2006, the attackers want to pay the rent. They don't want to write a worm that destroys your hardware. They want to assimilate your computers and use them to make money.

"At Microsoft, we are fielding 2,000 attacks per hour. We are a constant target, and you have to assume your Internet-facing service is also a big target," Danseglio said.

Danseglio said the success of social engineering attacks is a sign that the weakest link in malware defense is "human stupidity."
"Social engineering is a very, very effective technique. We have statistics that show significant infection rates for the social engineering malware. Phishing is a major problem because there really is no patch for human stupidity," he said.

The most recent statistics from Microsoft's anti-malware engineering team confirm Danseglio's contention. In February alone, the company's free Malicious Software Removal Tool detected a social engineering worm called Win32/Alcan on more than 250,000 unique machines.

According to Danseglio, user education goes a long way to mitigating the threat from social engineering, but in companies where staff turnover is high, he said a company may never recoup that investment.

"The easy way to deal with this is to think about prevention. Preventing an infection is far easier than cleaning up," he said, urging enterprise administrators to block known bad content using firewalls and proxy filtering and to ensure security software regularly scans for infections.

From isn at c4i.org Thu Apr 6 04:27:23 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 6 Apr 2006 03:27:23 -0500 (CDT)
Subject: [ISN] GAO: SEC's info security not up to snuff
Message-ID:

http://www.fcw.com/article92839-04-05-06-Web

By Dibya Sarkar
Apr. 5, 2006

Congressional investigators said the Securities and Exchange Commission is not doing a good job of strengthening the security of its information systems, leaving them vulnerable to illegal access or disruption.

In a new report released last week, Government Accountability Office investigators said SEC officials have addressed only eight of 51 weaknesses detailed in an earlier GAO report. Among the improvements, SEC officials replaced a publicly accessible workstation and changed control procedures for a major application.

"However, SEC did not effectively control remote access to its servers, establish controls over password composition and storage, or manage access to its systems and data," the report states.
"Further, the commission did not securely configure all its network devices and servers, nor did it implement auditing and monitoring mechanisms to detect and track security-relevant incidents."

The problem is that SEC officials have not yet fully developed, documented and implemented a comprehensive information security program, the report states. The commission still needs to develop or document policies and procedures that assess risks, test and evaluate effectiveness of controls, monitor and report corrective action, and analyze security incidents, according to the report. The commission also needs to ensure that employees have the proper training, the report states.

GAO also found 15 security weaknesses in addition to the 43 that still need to be corrected. SEC officials have not implemented consistent and effective access controls over user accounts and passwords, among other problems, according to the report. The commission also needs to do a better job of addressing physical security challenges, software patch management processes, segregation of computer functions and application change controls, which ensure only authorized programs and modifications are implemented, the report states.

"These weaknesses increase the risk that financial and sensitive information will be inadequately protected against disclosure, modification, or loss, possibly without detection, and place SEC operations at risk of disruption," the report states.

That's not to say the SEC hasn't made some improvements. It has increased the number of security employees, certified and accredited several major applications and established a backup data center, according to the report.

According to the GAO report, Christopher Cox, the SEC's chairman, agreed with the findings and said the commission is taking steps to improve the security program.
In a March 24 letter to GAO, Cox wrote, for example, that 16 major applications have been certified and accredited, and the remaining four will be accredited during the spring. The commission is maintaining and tracking its "plans of action and milestones" through a new automated system, he added.

Cox wrote that GAO's recommendations are appropriate and actionable and that the SEC will implement them before October, the end of fiscal 2006. Those actions include fixing specific weaknesses and implementing an agencywide information security program.

From isn at c4i.org Thu Apr 6 04:27:56 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 6 Apr 2006 03:27:56 -0500 (CDT)
Subject: [ISN] IE Exploit; Firewall Tests
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Thawte
http://list.windowsitpro.com/t?ctl=2605B:4FB69

8e6 Technologies
http://list.windowsitpro.com/t?ctl=26069:4FB69

====================

1. In Focus: IE Exploit; Firewall Tests

2. Security News and Features
- Recent Security Vulnerabilities
- CipherTrust Launches PhishRegistry.org
- Black-market Sale on Spyware
- Beef Up Security for Your Mobile-Device Fleet

3. Security Toolkit
- Security Matters Blog
- FAQ
- Share Your Security Tips

4. New and Improved
- Password-Protect Your Web Site Logon Information

====================

==== Sponsor: Thawte ====

Discover how to ensure efficient ongoing management of your digital certificates, how your business will benefit by addressing unique online security issues and more!
http://list.windowsitpro.com/t?ctl=2605B:4FB69

====================

==== 1. In Focus: IE Exploit; Firewall Tests ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

As you probably know, really dangerous JavaScript-based exploits of Microsoft Internet Explorer (IE) are on the loose. The exploits take advantage of problems in JavaScript processing that allow injection of arbitrary code. Microsoft is working on a patch for the problems that's currently scheduled for release April 11--the company's scheduled monthly patch release date.

Several attacks that use the exploits are under way. For example, one attack comes disguised as a BBC News story snippet. When a person clicks the link to read the rest of the story, the exploit is triggered.

Ken Pfeil sent me a link to another site hosting an exploit. The exploit includes some shell code, but I didn't completely reverse-engineer the exploit, so I'm not entirely sure what all it does. If you want to take a look, visit 207.5.68.153 on port 80 with a telnet client and enter the command "GET /" to dump out the exploit code.

Ken also pointed out that some software, such as Microsoft SharePoint Server, can be configured to load files based on content instead of file extension. This means that an exploit can be packaged inside something as seemingly harmless as a .txt file to get past your defenses and will then be run by the software. This software capability undoubtedly adds to the danger level of the new exploits and other exploits.

While you're waiting for Microsoft's patch, you might consider using a third-party patch from Determina or eEye Digital Security. I haven't tested either of these patches so I can't vouch for them, but both companies are reputable. Alternatively, you can disable Active Scripting in IE to stop the execution of JavaScript.

I tested one of the JavaScript-based exploits with Mozilla Firefox and found that it caused the system's disk subsystem to go into overdrive.
There was so much disk activity that it took me more than 5 minutes to get Task Manager to open so that I could terminate the Firefox process, which stabilized the system.

I recently came across an interesting set of desktop firewall test results--at the Firewall Leak Tester Web site. The 2006 results show which desktop firewalls perform best in terms of outbound application filtering and the prevention of information leakage. Coming in dead last out of 16 desktop firewalls is Windows Firewall, which ships as part of Windows XP Service Pack 2 (SP2). This isn't too surprising given that Windows Firewall doesn't do outbound blocking.

So which firewalls are the best? When it comes to outbound application filtering, no other firewall beats Jetico Personal Firewall. Kaspersky Lab's firewall is the strongest in terms of preventing information leakage, with Jetico coming in a close second place. Overall, Jetico appears to make the strongest desktop firewall available, beating out other well-known firewalls such as those from Sunbelt Software (Kerio), ZoneLabs (ZoneAlarm Pro and ZoneAlarm Free), and Symantec (Norton). As a bonus, Jetico Personal Firewall is free. Check out the results at the URL below.
http://list.windowsitpro.com/t?ctl=2606C:4FB69

Editor's note: Meet Your Favorite IT Experts at Connections Europe in Nice, France, April 24-27
Did you know your favorite Connections conference is coming to Europe in April? Learn from your favorite authors live and in person, and hear directly from Microsoft experts about the next generation of Microsoft technologies. This is an action-packed event with four conferences located together for one rate: ASP.NET, Visual Studio, SQL Server, and Exchange, plus bonus sessions on SharePoint and Windows! I'm going to let you know about a special rate: When you buy your first conference registration at 1,100 euros, you can get additional passes at half off--so partner up with your friends and take advantage of this great rate.
The regular price is 1,450 euros, so this is a big bargain, especially when you check out the line-up of speakers! To get this special rate, go to http://list.windowsitpro.com/t?ctl=2606A:4FB69 to register today and enter promocode: SECENL.

====================

==== Sponsor: 8e6 Technologies ====
Stop Spyware Now - Free White Paper!
Spyware remains a problem for most companies, disrupting productivity, wasting time and money. Now 8e6 Technologies' free White Paper proposes breakthrough solutions to counteract the Spyware problem: recognize potential infections, stop unauthorized programs at the source. Get the Free White Paper:
http://list.windowsitpro.com/t?ctl=26069:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=2605C:4FB69

CipherTrust Launches PhishRegistry.org
CipherTrust launched a new free service, PhishRegistry.org, that aims to alert companies when their Web sites are mimicked for fraudulent purposes.
http://list.windowsitpro.com/t?ctl=26064:4FB69

Black-market Sale on Spyware
You might think that buying exploit code to create spyware would be expensive. But it's not. Security software maker Sophos reported that it found a site selling a spyware kit, WebAttacker, for $15. Learn more about it in this news article.
http://list.windowsitpro.com/t?ctl=26065:4FB69

Beef Up Security for Your Mobile-Device Fleet
When a mobile device falls into the wrong hands, so can a lot of corporate information--even the device owner's domain credentials, since most users choose to have the Microsoft ActiveSync client remember their username and password.
But help is available in the form of Exchange Server 2003 Service Pack 2 (SP2) and the Messaging and Security Feature Pack (MSFP) for Windows Mobile 5.0. An article by Randy Franklin Smith shows you how to configure this protection.
http://list.windowsitpro.com/t?ctl=26062:4FB69

====================

==== Resources and Events ====

Learn to secure your IM traffic--don't let your critical business information be intercepted!
http://list.windowsitpro.com/t?ctl=2605A:4FB69

Special Offer Ends Soon! Register now for DevConnections Europe, 24-27 April in Nice, France, and get a second registration for half price.
http://list.windowsitpro.com/t?ctl=26061:4FB69

Learn the best ways to manage your email security (and fight spam) using a variety of solutions and tips.
http://list.windowsitpro.com/t?ctl=26056:4FB69

Expert Ben Smith describes the benefits of using server virtualization to make computers more efficient.
http://list.windowsitpro.com/t?ctl=26058:4FB69

Learn the advantages of each alternative to traditional file servers and tape storage solutions, and make the best choice for your enterprise needs. Live event: Thursday, April 13
http://list.windowsitpro.com/t?ctl=26055:4FB69

====================

==== Featured White Paper ====
Protect mission-critical business information stored on your high-availability Exchange systems when you implement backup and restore strategies. You'll also learn about key configuration and deployment considerations.
http://list.windowsitpro.com/t?ctl=26059:4FB69

====================

==== Hot Spot ====
Learn to identify the top 5 IM security risks, and protect your networks and users.
http://list.windowsitpro.com/t?ctl=26057:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog: Microsoft Takes a Page from Open Source Playbooks
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=26068:4FB69
Bugzilla is a great resource for both developers and users of Mozilla products.
It lets people submit and track bug reports. Microsoft just launched something similar for Internet Explorer (IE) 7.0. Learn about it in this blog article.
http://list.windowsitpro.com/t?ctl=26063:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=26067:4FB69
Q: What is the User Profile Hive Cleanup (UPH Clean) service?
Find the answer at http://list.windowsitpro.com/t?ctl=26066:4FB69

Share Your Security Tips and Get $100
Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions to r2rwinitsec at windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Exclusive Spring Savings
Subscribe to Windows IT Pro and SAVE 58% off! Along with your 12 issues, you'll get FREE access to the entire Windows IT Pro online article archive, which houses more than 9,000 helpful articles. This is a limited-time offer, so order now:
http://list.windowsitpro.com/t?ctl=2605F:4FB69

Save 44% off the Windows Scripting Solutions newsletter
For a limited time, order the Windows Scripting Solutions newsletter and SAVE up to $80. You'll get 12 helpful issues loaded with expert-reviewed downloadable code and scripting techniques, as well as hundreds of tips on automating repetitive tasks. You'll also get FREE, unlimited access to the full online scripting article library (more than 500 articles). Subscribe now:
http://list.windowsitpro.com/t?ctl=2605E:4FB69

====================

==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com

Password-Protect Your Web Site Logon Information
Siber Systems announced the release of RoboForm 6.6, which automatically fills out online forms for users.
New in RoboForm 6.6 is the ability to isolate and protect personal IDs and passwords currently left exposed in Microsoft Internet Explorer's (IE's) AutoComplete directory. Users can convert logon information stored in AutoComplete to RoboForm Passcards that are encrypted with a Master Password. RoboForm 6.6's other new features include support for several new encryption algorithms (AES, Blowfish, and RC6) and the ability to be loaded onto USB drives (from SanDisk, Kingston Technologies, and others) so that users can carry their RoboForm-stored information with them. RoboForm 6.6 is now available for a 30-day trial; personal users with 10 or fewer logons can use RoboForm for free even after the trial. Volume discounts are available. For more information, go to
http://list.windowsitpro.com/t?ctl=2606D:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot at windowsitpro.com.

====================

==== Contact Us ====
About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=2606B:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=26060:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.

From isn at c4i.org Thu Apr 6 04:28:34 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 6 Apr 2006 03:28:34 -0500 (CDT)
Subject: [ISN] The NSA's ultra-secure Linux technology evolves for the enterprise
Message-ID:

http://www.networkworld.com/news/2006/040506-selinux.html

By Phil Hochmuth
NetworkWorld.com
04/05/06

Boston - Linux and open-source developers are working to make Linux security tools developed by the National Security Agency more accessible and usable by regular system administrators and application developers.

Software developers and users discussed how Security Enhanced Linux (SE Linux) is evolving, and the benefits - and potential pitfalls - it could introduce when deployed in an enterprise data center. This discussion took place in a panel on SE Linux at the LinuxWorld Expo this week.

SE Linux is not a Linux distribution, such as SuSE or Red Hat, but is instead a set of modifications to the Linux kernel that limit the access that applications have to memory, processors, operating system configuration files and other critical components of a server or PC operating system. SE Linux uses mandatory access controls to limit applications' access only to the minimal amount of resources they need to run. The idea is to prevent hackers from taking over or breaking into a server by exploiting openings in poorly designed code, or by squeezing through small holes in well-designed software.

Introduced in 2000 by the NSA, SE Linux "only covered a small subset of the overall [Linux] system," said Stephen Smalley, a research scientist for the NSA. "SE Linux policy has since been expanded to cover more of the system.
A year ago we had fairly immature support and a monolithic policy. Today we have support for modular policy, enabling third-party application developers to create policies [for SE Linux] and package them with their applications."

A major step in making SE Linux easier to use has been the development of the SE Linux Reference Policy, an open-source project for creating tools that make it easier to create and apply SE Linux policies to software.

Smalley says other developments the NSA is working on for SE Linux are ways to apply the technology to desktop Linux systems, as well as to multiple virtualized Linux systems running on top of a single hardware platform.

The U.K. Central Government is testing SE Linux with its infrastructure of Linux and IBM WebSphere servers. The goal is to secure the Web services architecture for its municipal-service Web sites and public-facing applications.

"We wanted to enforce policies which say that application servers can only talk to the end points that they're authorized to talk to," said Mark Hocking, technical architect for the U.K. Cabinet Office's e-Government Unit. Such mandatory access controls have been used for a long time in government operating systems and highly customized systems, he said.

The U.K.'s e-Government Unit wanted to apply SE Linux protection to a range of Java 2 Enterprise Edition (J2EE) applications it uses with minimal changes to the WebSphere servers it has up and running. So far, the group's beta tests have been successful, Hocking says.

"We're not saying it will have 100% [security] assurance, but it seems to be working quite well. We believe we can apply SE Linux to commercial off-the-shelf products to give us a higher level of assurance than what we would have had without it."

SE Linux has been included in Red Hat Enterprise Linux 4, as well as Red Hat's Fedora Core version 4 and the recently released version 5.
However, it has been turned off by default, since the policies can disrupt some commonly used system processes and applications, according to Red Hat developers. And turning on SE Linux can frustrate administrators because the severe limitations to resources it puts on applications can cause applications to fail or act erratically.

"SE Linux breaks everything," or so goes the perception of SE Linux, said Daniel Walsh, principal software engineer at Red Hat. "So what we have to figure out is, if SE Linux causes a problem, what are the actions an administrator can take to fix it. Right now an admin has the ability to turn SE Linux on and off; maybe there's another solution."

Walsh says Red Hat is working on tools that will allow for modular implementations of SE Linux, and that can give administrators easier feedback on how SE Linux policies are affecting a server. These tools will be included in the upcoming Red Hat Enterprise Linux version 5, which is expected to be released at the end of this year, Walsh said.

"The problem with [turning on SE Linux] is that all of the sudden, access that was there before isn't there, and [a system administrator] might not know how to fix it," Walsh said. "Or worse, they may make a change or take an action in order to just get the system up and running that may make security worse on the system overall."

In spite of the difficulties that the NSA, Red Hat and other open source developers are working to overcome with SE Linux, the technology itself can be a powerful tool for securing an infrastructure based on open-source software - code which is sometimes, and sometimes not, written with security in mind.

"The problem is there's so much [sloppy] code out there," Walsh said. "Allowing this crappy code to be out there is a major security problem. What we want to do is lock the memory to make sure that someone does not get into memory to run random code."

All contents copyright 1995-2005 Network World, Inc.
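Walsh's warning about administrators making a change "just to get the system up and running" has a concrete shape in practice: the quick fix for a denial is setenforce 0 or a blanket allow rule, while the right fix is usually either restoring a file's label or loading a small local policy module of the kind the modular policy described above makes possible. The following is an added example, not code from the article, the NSA or Red Hat. It is a Python script that triages constructed AVC denial records the way a practitioner does before reaching for audit2allow: denials whose target type is a mislabel marker (default_t, unlabeled_t, file_t) are routed to restorecon, and everything else is aggregated into a minimal .te module source in the layout audit2allow -M produces. The audit lines, the module name local_httpd and the set of mislabel types are assumptions, not taken from the article.

```python
"""Triage SELinux AVC denials: relabel, or generate a minimal local policy module.

Added example, not code from the NetworkWorld article, the NSA or Red Hat.
Input is audit-log text containing AVC records of this shape:
  type=AVC msg=audit(...): avc:  denied  { read } for  pid=... comm="httpd"
      path="/var/www/html/index.html" scontext=system_u:system_r:httpd_t:s0
      tcontext=system_u:object_r:default_t:s0 tclass=file
Output is either a restorecon target (the denial was really a mislabeled file)
or a .te source in the same shape audit2allow -M produces.
"""
import re
from collections import defaultdict

# Constructed sample audit records (not from any real system).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1144300000.123:42): avc:  denied  { read } for  pid=2210 comm="httpd" path="/var/www/html/index.html" dev=sda3 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1144300001.456:43): avc:  denied  { name_connect } for  pid=2210 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1144300002.789:44): avc:  denied  { write } for  pid=2210 comm="httpd" path="/var/log/app/app.log" dev=sda3 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1144300003.012:45): avc:  denied  { append } for  pid=2210 comm="httpd" path="/var/log/app/app.log" dev=sda3 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1144300003.012:45): arch=40000003 syscall=4 success=no exit=-13 comm="httpd"
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types that mean "this object never got a proper label". Allowing a
# domain to touch them would grant access to every unlabeled object on the
# system; the fix is restorecon, not a new allow rule. (Assumed set; the
# distribution's policy defines which types play this role.)
MISLABEL_TYPES = {"default_t", "unlabeled_t", "file_t"}


def parse_avc(line):
    """Return the denial's perms, source/target types, class and path, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    try:
        stype = fields["scontext"].split(":")[2]   # user:role:type:level
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {"perms": set(m.group("perms").split()), "stype": stype,
            "ttype": ttype, "tclass": tclass, "path": fields.get("path")}


def triage(lines):
    """Split denials into relabel candidates and aggregated allow rules."""
    relabel = []                 # (path, source type) pairs needing restorecon
    rules = defaultdict(set)     # (stype, ttype, tclass) -> permissions
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue             # SYSCALL and other record types are ignored
        if d["ttype"] in MISLABEL_TYPES:
            relabel.append((d["path"], d["stype"]))
        else:
            rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return relabel, rules


def restorecon_commands(relabel):
    """Shell lines that restore the default label instead of widening policy."""
    return [f"restorecon -v {path}" for path, _ in relabel if path]


def policy_module(name, rules):
    """Render .te source for the allow rules, in the layout audit2allow -M uses."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, c), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    relabel, rules = triage(SAMPLE_AUDIT.splitlines())
    print("\n".join(restorecon_commands(relabel)))
    print(policy_module("local_httpd", rules))   # module name is an assumption
```

Loading the generated source is the usual checkmodule, semodule_package and semodule -i sequence. The point of the split is the first sample denial: an allow rule for httpd_t on default_t would have granted the web server access to every unlabeled file on the box, which is exactly the "worse overall" outcome Walsh describes, when the only thing wrong was one file's label.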
From isn at c4i.org Thu Apr 6 04:29:06 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 6 Apr 2006 03:29:06 -0500 (CDT)
Subject: [ISN] Anybody remember floppy disks?
Message-ID:

http://seattlepi.nwsource.com/virgin/265346_virgin04.html

By BILL VIRGIN
P-I COLUMNIST
April 4, 2006

You see them sometimes at garage sales or thrift stores, lying forlornly in a cardboard box, the music of some pop-music star of the early 1970s locked within their plastic cases, never to be heard -- unless someone can track down an eight-track-tape machine.

Perhaps that same scene will be played out 35 years from now with boxes of digital cameras going begging because no one has a way of unlocking the photos embedded on compact flash cards or memory sticks or whatever the obsolete media storage technology of the era turns out to be.

That the tunes of Three Dog Night or fuzzy photos of a 5-year-old's birthday party are rendered inaccessible by the march of technology represents no great societal tragedy or loss to posterity. But what if the information was something more significant -- such as government or corporate records, personal financial or health data, documents of historic significance?

Paper-based records we can preserve and read even if they're centuries old. Presuming that we handle them carefully and still know how to read, we'll be able to read them hundreds of years from now. Jerry Handfield, the state's archivist, recently returned from a trip to Argentina where he viewed paper records dating from 1500.

What about records that depend on a specific device or piece of hardware to read them?

"The digital information we create is in danger of disappearing on a major scale," says a release from the Digital Futures Alliance, a consortium established last year by University of Washington Libraries.

"We think about that a lot," says Feliks Banel, deputy director of Seattle's Museum of History and Industry.
Institutions such as MOHAI not only have to sort and store vast amounts of archival material, they have to think about how to access the information, even when the specific technology is no longer in wide use.

"We're getting video formats donated to us that we have to go to a studio to get transferred," says Banel, who has hunted down such devices as an eight-track player (located at Goodwill) and a player for 16-inch transcription discs of recordings of 1940s radio broadcasts.

In some fields of interest, enthusiasts are doing the job of advancing the material to whatever is the current format. Banel notes that many "Golden Age" radio shows, having been available on records and then cassette tapes, are now available in the MP3 format.

But with so much material on formats that have a much shorter lifespan, there's a danger that material may be lost. Says Banel, "I don't know anyone who could play floppy disks."

Actually, there is someone who could. The state archivist's office has been compiling, at its facility in Cheney, a library of hardware, software and manuals. Handfield says the collection includes such early-PC-era relics as Commodore 64s, Kaypros and Apple Lisas, all kept in anticipation of the day, he says, when someone finds an 8-inch floppy disk (yes, there were such things) "and says, 'What's this?' "

The library also makes sense because Washington has several thousand governmental units and, as Handfield notes, "There's no mandate they use the same equipment."

Accessibility is not the only issue with new, old and soon-to-be-obsolete information-storage formats. There's also an issue of whether, even if you have the equipment to read it, anything useful will be left on what you're trying to read. Paper can decay, photographs fade; digital media can be even less permanent. (CDs, for example, are considered unstable. "We don't keep CDs as archival media," Handfield says.)
If the issue isn't yet a big concern for many individuals or businesses, at least some people are thinking about the problem. The Digital Futures Alliance includes as charter partners such heavyweights as Microsoft, Amgen and RealNetworks and has set up working groups to tackle specific issues including what to keep and how.

Whatever answers the alliance and others come up with, sooner would be preferable. If new formats appear as rapidly as they have been, and obsolete formats prove to be as unstable as forecast, and the flood of data stored digitally continues unabated -- and all of those are quite likely -- a lot of people are going to be discovering very soon they have a problem they didn't expect to have.

And when they make that discovery, they'd probably like some better method for data retrieval than holding an eight-track tape up to the ear in hopes of hearing something, or holding a computer floppy up to a bright light in hopes of reading something on it.

From isn at c4i.org Thu Apr 6 04:29:20 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 6 Apr 2006 03:29:20 -0500 (CDT)
Subject: [ISN] Cybercrooks ramp up against antivirus firms -- and each other
Message-ID:

http://news.zdnet.com/2100-1009_22-6057654.html

By Tom Espiner
ZDNet (UK)
April 4, 2006

Cybercriminals are increasingly fighting each other, as well as antivirus vendors, in pursuit of illegal gain, Kaspersky Lab has warned.

The antivirus provider said Tuesday that as profits from cybercrime grew in 2005, criminals increasingly tried to prevent antivirus providers from developing protection against the latest threats.

"Honeypots," or lightly protected systems set up to collect samples of malicious software for antivirus companies, were a prime target, Kaspersky said. Criminals can use legions of compromised "zombie" computers, called "botnets," to bombard honeypot networks with data to hinder or stop them working, according to Kaspersky's "Malware Evolution: 2005, Part 2" report, published Monday.
"If the bad guys are aware of a network that looks suspicious because it's too unprotected--to lure bad code--they can take steps like launching (distributed denial-of-service) attacks against that honeypot network. They can then launch other attacks simultaneously (against other targets)," said David Emm, senior technology consultant for Kaspersky. Worms can also be programmed to avoid domains known to be monitored by antivirus companies. "Criminals will employ whatever evasive techniques they can," Emm said. In 2005, cybercriminals increasingly used techniques such as creating their own packing mechanisms to compress malicious code, so that they could try to avoid detection by antivirus software. Creators of malicious software also now routinely include code that will try to either disable antivirus updating mechanisms on infected machines or remove antivirus software completely, Emm said. Cybercriminals are also increasingly targeting one another to maximize financial gain, according to Kaspersky's research. "It's like any kind of economic venture. Those that get smarter survive. Organized criminal structures are run as businesses, and they take over smaller guys," Emm said. Kaspersky also said that cybercriminals often launch distributed denial-of-service attacks against rivals to stop them from operating, and they attempt to hijack each other's botnets. They also program their software to attempt to disable any other malicious software that has already been installed on an infected PC. "Criminals have realized that it is much simpler to obtain already infected resources than to maintain their own botnets or to spend money on buying parts of botnets which are already in use," Yury Mashevsky, a virus analyst at Kaspersky, said in the report. Kaspersky also reported that it had detected a five-fold increase over 2005 in the amount of malicious software designed to steal financial information. Tom Espiner of ZDNet UK reported from London. 
From isn at c4i.org Thu Apr 6 04:29:37 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 6 Apr 2006 03:29:37 -0500 (CDT)
Subject: [ISN] VSC narrows down personal data exposed by laptop theft
Message-ID:

http://www.rutlandherald.com/apps/pbcs.dll/article?AID=/20060406/NEWS/604060353/1004/EDUCATION05

By Darren M. Allen
Vermont Press Bureau
April 6, 2006

MONTPELIER - A month after the theft of a laptop computer containing personal information of thousands of students and employees of the Vermont State Colleges system, officials are narrowing down the types of private information that were exposed.

In a system-wide e-mail sent Monday to students, faculty, staff and alumni of the five state colleges, VSC Chancellor Robert Clarke emphasized the colleges' assertion that no personal information has been accessed or compromised from the laptop, which has not been recovered.

"We have no evidence to date that personal data were actually retrieved or misused," Clarke said. "The laptop has not been recovered by law enforcement, so our ongoing information requires working with staff who may have exchanged e-mails and attachments with teams including the owner of the stolen laptop."

The concealed laptop was stolen Feb. 28 from the chief information officer's car while it was parked on the streets of Montreal. The car, according to Karrin Wilks, the colleges' vice president for academic and strategic planning, was broken into by someone who also stole a pair of skis and other visible valuables.

The colleges have been under fire recently because they did not notify the nearly 20,000 people whose personal financial information was potentially available on the laptop until three weeks after the theft occurred. The faculty union has asked its attorney to look into why it took so long to notify its members of the potential information breach, and the state employees union has registered its displeasure as well.
In his memo this week, Clarke said the colleges notified all banks in Vermont, New Hampshire and New York on March 27 of the theft and potential release of financial information. The memo did specify the types of information that were potentially on the laptop.

College administrators said access to the system's computer networks from the stolen laptop was immediately blocked as soon as they were notified of the theft.

Employee information from June 2002 to November 2005 may have been archived on the laptop. The data, which includes names, addresses, Social Security numbers, salary, taxes, withholding and wage garnishment information, as well as bank account numbers for people with direct-deposit accounts, were not encrypted, the memo said.

Admissions information for all students from June 2002 to December 2004 could have been on the computer. That data includes names, addresses, birth dates, Social Security numbers and academic records such as college placement exams.

Clarke said that information on parents, spouses and dependents was not on the laptop.

Wilks, in a brief interview Wednesday, said the VSC system is in the midst of developing policies for future breaches of information. She said VSC over the weekend also mailed detailed information about the theft to 50,000 students, former students, faculty, staff and former employees.

The laptop theft was followed by an incident late last month in which someone hacked into the Lyndon State College e-mail system. Someone pretended to be the school's computer administrator, sending out a mass e-mail in his name and warning about identity theft. The hacker has not been identified, and a Lyndon spokesman on Wednesday said the investigation was continuing.

Last fall, the colleges also had a computer security breach in which the Social Security numbers of Vermont Technical College students were posted on a school Web site.
Sensitivity to the disclosure of personal financial information is increasing nationwide because of fears of